Penetration Testing mailing list archives
re: Mail Server problem / query
From: "Mel Drews" <flyingdervish () hotmail com>
Date: Thu, 14 Apr 2005 11:03:10 -0700
When I discovered a client who had a server allowing this kind of forwarding, I flagged it as a vulnerability. Our staff CISSP said not to worry about it, that most mail servers do this. I tested our own (Postfix) and found that it was doing the same.

Found a way in Postfix to change this. It does require having two mail servers. One is your filtering system that performs virus and spam checks; the other is your internal system. This is best practice anyway. Every network should either have two mail servers or a hosted mail service. We'll call the external-facing system that does the scanning the "relay server".

Make a change to Postfix's main.cf file specifying a check_sender_access table. The table you create will list all of your internal users' legitimate email addresses. Hash tables are fairly easy to deal with but may not be suitable for larger networks. There are a variety of different kinds and I am not an expert on this topic. But at least this may point you in a direction to investigate. One solution I have seen involved pulling a list of internal email addresses from the internal mail server via LDAP query and parsing the list into a hash table with a Perl script.

With this configuration, the internal mail server will still accept mail from internal users, but the relay server will only accept mail from external users.
For more info, see the section re: check_sender_access in the Postfix configuration documentation at postfix.org:
http://www.postfix.org/postconf.5.html

Further information: With MS Exchange, there does not appear to be any way to shut off this behavior. With the Exchange 2003 and Outlook 2003 combination, there's at least a half-assed effort to alert users to the problem. With older versions, Exchange automatically resolves the purported sender address to the internal Global Address List user display name if the purported sender is internal. With the new combination, if the message was sent from an external IP, the name will not be resolved, so the user sees the mail From: address as the raw SMTP address instead. Of course, how many users will pick up on that?
Hope this helps.

m_davison () talk21 com wrote:
---------------------------------------------------------
Hi all, I hope you can help with this. I have been testing a server for open relay and found that I could connect from an external machine and send mails using a MAIL FROM (the local domain) and a RCPT TO (the local domain). Now this may seem fine, as internal users will need to send mail to other internal users, but my query is whether there are mail servers which can be configured to recognise that the connection was from an external address and therefore that the MAIL FROM address was invalid. E.g. I can send a mail from the CEO of the company to his own secretary asking her to copy his Hotmail address on all future mails, and to the secretary this mail seems perfectly valid, yet I (a prospective attacker) outside the company may now receive loads of sensitive mails (assuming the secretary is the type who doesn't like to query things and ask questions). Thanks in advance.
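As an added illustration of the relay-server setup Mel describes (this is not configuration from the post or from the Postfix project; the domain example.com, the addresses ceo@example.com and secretary@example.com, and the internal server address 192.0.2.10 are assumptions), here is the main.cf fragment and the check_sender_access table for the Internet-facing relay. It goes one step beyond the post by adding a bare-domain entry, which Postfix's access(5) matching applies to any sender in that domain, so the per-user list is only needed where you want different replies per address:

```conf
# Added example, not from the post above.
# Relay ("filtering") server only. The internal mail server keeps its
# default behaviour so local users can still mail each other.

# --- /etc/postfix/main.cf (relay server) ---
# Weak (Postfix default): no sender restriction at all, so an outside
# client may say MAIL FROM:<ceo@example.com> and be accepted.
#
#   smtpd_sender_restrictions =
#
# Hardened: trust our own hosts (so outbound mail from the internal
# server, 192.0.2.10, still relays), then consult the access table,
# then permit everyone else (genuine external senders).
mynetworks = 127.0.0.0/8, 192.0.2.10/32
smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access hash:/etc/postfix/internal_senders
    permit

# --- /etc/postfix/internal_senders (relay server) ---
# Key = envelope sender (MAIL FROM), value = action.
# After editing run:  postmap /etc/postfix/internal_senders
# to rebuild internal_senders.db, then:  postfix reload
ceo@example.com        REJECT internal sender address not accepted from outside
secretary@example.com  REJECT internal sender address not accepted from outside
example.com            REJECT internal sender address not accepted from outside
```

Two points to keep in mind when deploying this. First, Postfix main.cf and access tables only treat `#` as a comment at the start of a line, so never append comments after a value. Second, check_sender_access examines the SMTP envelope sender only; a message whose envelope MAIL FROM is an outside address but whose header From: line reads ceo@example.com will still pass this check and display the CEO's name in the recipient's client, so the table closes the specific hole Marc tested (an internal envelope sender from an external connection), not header spoofing in general.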
Current thread:
- Mail Server problem / query Marc Davison (Apr 13)
- RE: Mail Server problem / query Joe_Wulf (Apr 14)
- <Possible follow-ups>
- Re: Mail Server problem / query Prashant Gawade (Apr 14)
- re: Mail Server problem / query Mel Drews (Apr 17)
- RE: Mail Server problem / query Michael Scheidell (Apr 22)