Vulnerability Development mailing list archives

Mail relay issue


From: tharbad () kaotik org
Date: Sat, 30 Aug 2003 00:24:48 +0100

Hi,

This is not really a vulnerability "per se". I came across a weird
open relay situation; hopefully someone here might know why
this happens.

Consider the following:
A) Microsoft Exchange SMTP server
B) Sendmail that trusts "A"

Server "A" appends a default domain, if one is not given on the RCPT TO
command, for example:
RCPT TO: fubar
250 2.1.5 fubar@test.local

Server "A" is configured to deliver all mail to "test.local" to server
"B".

If I send an email to server A issuing rcpt to as:
RCPT TO: "user@norelay.com"
The exchange server will append the domain test.local and deliver it to
server B, as in:
RCPT TO: "user@norelay.com"@test.local

Now, server B (sendmail) apparently understands this syntax
("user@norelay.com"@test.local) as an SMTP route and delivers the email
into norelay.com's MX.

So, basically, in a somewhat "strange" way, this system is in fact an
open relay.
What I'm trying to understand is why sendmail understands this as a
route rcpt. I took a brief look at the RFC and it says:
<quote>
The forward-path may be a source route of the form
"@ONE,@TWO:JOE@THREE", where ONE, TWO, and THREE are hosts.
(...)
 For example, mail received at relay host A with arguments
 FROM:<USERX@HOSTY.ARPA>
 TO:<@HOSTA.ARPA,@HOSTB.ARPA:USERC@HOSTD.ARPA>
 will be relayed on to host B with arguments
 FROM:<@HOSTA.ARPA:USERX@HOSTY.ARPA>
 TO:<@HOSTB.ARPA:USERC@HOSTD.ARPA>.
</quote>

This is not quite the same as "one@two"@three.

Anyone care to comment?

Thanks in advance,

Joao Gouveia
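The two hops described in the post, as an added example that is not part of the original message or of either vendor's code: a small Python model in which server A appends a default domain to a domain-less RCPT TO, and server B treats test.local as local. The path parser shows that "user@norelay.com"@test.local is, by RFC 821 syntax, a mailbox with a quoted local part rather than a source route; server B's re-parsing of that quoted local part is an assumption modelled on what the post reports, not sendmail's actual behaviour; and the final function is the kind of RCPT TO policy a relay would apply to close the hole. All hostnames and addresses are taken from the post.

```python
"""Model of the Exchange -> sendmail relay hop from the post (added example,
not the original poster's code; server B's behaviour is an assumption)."""
import re

# A quoted local part: everything between the outer double quotes,
# with backslash escapes allowed inside the quotes.
QUOTED_LOCAL = re.compile(r'^"((?:[^"\\]|\\.)*)"$')


def parse_path(path):
    """Split an SMTP forward-path into its RFC 821 pieces.

    Returns a dict with 'route' (hosts from an "@ONE,@TWO:" prefix),
    'local', 'domain' (None when absent) and 'quoted' (True when the
    local part was a quoted string). An '@' inside quotes is data and
    never terminates the local part.
    """
    p = path.strip()
    if p.startswith("<") and p.endswith(">"):
        p = p[1:-1]
    route = []
    if p.startswith("@"):                      # RFC 821 source-route prefix
        route_str, _, p = p.partition(":")
        route = [h.lstrip("@") for h in route_str.split(",")]
    sep, in_quotes, i = -1, False, 0
    while i < len(p):
        c = p[i]
        if in_quotes and c == "\\":            # skip an escaped character
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "@" and not in_quotes:
            sep = i                            # unquoted '@' splits local/domain
        i += 1
    local, domain = (p, None) if sep < 0 else (p[:sep], p[sep + 1:])
    m = QUOTED_LOCAL.match(local)
    if m:
        local = m.group(1)
    return {"route": route, "local": local, "domain": domain, "quoted": bool(m)}


def server_a_rewrite(rcpt, default_domain="test.local"):
    """Server A (Exchange): append the default domain when RCPT TO has none."""
    rcpt = rcpt.strip()
    if parse_path(rcpt)["domain"] is None:
        return f"{rcpt}@{default_domain}"
    return rcpt


def server_b_deliver(rcpt, local_domains=("test.local",)):
    """Server B as the post describes it (assumption, not sendmail's code):
    mail for a local domain whose quoted local part itself contains '@' is
    re-parsed and routed to the inner domain. Returns the domain that
    finally receives the message, or None when the domain is not local."""
    parsed = parse_path(rcpt)
    if parsed["domain"] is None or parsed["domain"].lower() not in local_domains:
        return None
    if parsed["quoted"] and "@" in parsed["local"]:
        return parse_path(parsed["local"])["domain"]   # relayed off-site
    return parsed["domain"]


def hardened_rcpt_check(rcpt, local_domains=("test.local",)):
    """RCPT TO policy that closes the hole: no source routes, only local
    domains, and no routing characters hidden inside a quoted local part."""
    parsed = parse_path(rcpt)
    if parsed["route"]:
        return False, "source routing refused"
    if parsed["domain"] is None or parsed["domain"].lower() not in local_domains:
        return False, "relaying denied"
    if parsed["quoted"] and any(c in parsed["local"] for c in "@%!"):
        return False, "routing characters in quoted local part refused"
    return True, "accepted for local delivery"


def trace(rcpt):
    """Follow one RCPT TO through both hops: (what B sees, final domain)."""
    at_b = server_a_rewrite(rcpt)
    return at_b, server_b_deliver(at_b)


if __name__ == "__main__":
    for r in ("fubar", '"user@norelay.com"'):
        at_b, final = trace(r)
        print(f"{r!r} -> server B sees {at_b!r} -> delivered to {final}")
        print("   hardened check:", hardened_rcpt_check(at_b))
```

Running it shows the two cases side by side: a bare "fubar" ends at test.local, while the quoted address rides through server A's rewrite and, under the modelled server B behaviour, ends at norelay.com; the hardened check refuses the second form before any routing happens.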
