Penetration Testing mailing list archives

re: Mail Server problem / query


From: "Mel Drews" <flyingdervish () hotmail com>
Date: Thu, 14 Apr 2005 11:03:10 -0700

When I discovered a client who had a server allowing this kind of forwarding I flagged it as a vulnerability. Our staff CISSP said not to worry about it, that most mail servers do this. I tested our own (Postfix) and found that it was doing the same. Found a way in postfix to change this.

It does require having 2 mail servers. One is your filtering system that performs virus and spam checks; the other is your internal system. This is best practice anyway. Every network should either have 2 mail servers or a hosted mail service. We'll call the external facing system that does the scanning the "relay server".

Make a change to postfix's main.cf file specifying a check_sender_access table. The table you create will list all of your internal users' legitimate email addresses. Hash tables are fairly easy to deal with but may not be suitable for larger networks. There are a variety of different kinds and I am not an expert on this topic. But at least this may point you in a direction to investigate. One solution I have seen involved pulling a list of internal email addresses from the internal mail server via ldap query and parsing the list into a hash table with a perl script.

With this configuration, the internal mail server will still accept mail from internal users, but the relay server will only accept mail from external users.

For more info, see the section re: check_sender_access in the postfix configuration documentation at postfix.org
http://www.postfix.org/postconf.5.html

Further information: With MS Exchange, there does not appear to be any way to shut off this behavior. With Exchange 2003 and Outlook 2003 combination, there's at least a half-assed effort to alert users to the problem. With older versions, Exchange automatically resolves the purported sender address to the internal Global Address List user display name if the purported sender is internal. With the new combination, if the message was sent from an external IP, the name will not be resolved. So the user sees the mail from: address as the raw smtp address instead. Of course, how many users will pick up on that?

Hope this helps


m_davison () talk21 com wrote:
---------------------------------------------------------
Hi all, I hope you can help with this. I have been
testing a server for open-relay and found that I could
connect from an external machine and send mails using
a MAIL FROM (the local domain) and a RCPT TO (the
local domain) - now this may seem fine as internal
users will need to send mail to other internal users
but my query is whether there are mail servers which
can be configured to recognise that the connection was
an external address and therefore that the MAIL FROM
address was invalid. e.g. I can send a mail from the CEO
of the company to his own secretary asking her to copy
his hotmail address on all future mails and to the
secretary, this mail seems perfectly valid yet me
(prospective attacker) outside the company may now
receive loads of sensitive mails (assuming the
secretary is the type who doesn't like to query things
and ask questions) - thanks in advance.

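The relay-server setup described in the reply above, as an added shell example that is not part of the original post or of Postfix itself: it turns a list of internal addresses into a check_sender_access table, looks senders up the way the relay will, and prints the main.cf line. The paths, the sample addresses and the use of permit_mynetworks ahead of the table are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the check_sender_access
# table described above for the external-facing relay: any client that is not
# the internal mail server but uses an internal address in MAIL FROM is rejected.
# Paths, addresses and the restriction list are assumptions, not the poster's.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
INTERNAL_LIST="$WORKDIR/internal_users.txt"  # one address per line (e.g. an LDAP export)
ACCESS_TABLE="$WORKDIR/internal_senders"     # in production: /etc/postfix/internal_senders

# Constructed sample export; a real list comes from the internal directory.
cat > "$INTERNAL_LIST" <<'EOF'
ceo@example.com
secretary@example.com
# comment lines and blank lines are skipped

Helpdesk@Example.COM
EOF

# Convert the address list into access(5) syntax: "<key><TAB>REJECT <text>".
# Keys are lower-cased; postmap(1) folds keys to lower case by default anyway,
# so the plain-text file stays consistent with the compiled hash.
build_access_table() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tr 'A-Z' 'a-z' |
        awk '{ printf "%s\tREJECT internal sender address from external client\n", $1 }' > "$2"
}

# Look a sender up the way the relay will: exact full-address key only.
# (Postfix also tries domain and local-part keys; this table lists none.)
# Prints the action and succeeds on a hit; fails silently on a miss.
table_action() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$key" '$1 == k { print $2; found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# main.cf line for the relay. permit_mynetworks (an assumption) lets the internal
# server, listed in $mynetworks, still relay outbound mail for these same users.
main_cf_line() {
    printf 'smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:%s\n' "$1"
}

build_access_table "$INTERNAL_LIST" "$ACCESS_TABLE"
echo "Access table written to $ACCESS_TABLE:"
cat "$ACCESS_TABLE"
echo "Add to main.cf: $(main_cf_line /etc/postfix/internal_senders)"
# On the relay itself, compile and activate (deliberately not run by this script):
echo "Then run: postmap hash:/etc/postfix/internal_senders && postfix reload"
```

The internal server still accepts these users' mail directly; only the relay consults the table, so a forged CEO-to-secretary message arriving from an outside IP is refused while genuine external correspondents are unaffected.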

