Vulnerability Development mailing list archives
Mail relay issue
From: tharbad () kaotik org
Date: Sat, 30 Aug 2003 00:24:48 +0100
Hi,

This is not really a vulnerability "per se". I came across a weird open relay situation; hopefully someone here might know why this happens.

Consider the following:

A) Microsoft Exchange SMTP server
B) Sendmail that trusts "A"

Server "A" appends a default domain if one is not given on the RCPT TO command, for example:

    RCPT TO: fubar
    250 2.1.5 fubar@test.local

Server "A" is configured to deliver all mail to "test.local" to server "B".

If I send an email to server A issuing rcpt to as:

    RCPT TO: "user@norelay.com"

The Exchange server will append the domain test.local and deliver it to server B, as in:

    RCPT TO: "user@norelay.com"@test.local

Now, server B (sendmail) apparently understands this syntax ("user@norelay.com"@test.local) as an SMTP route and delivers the email to norelay.com's MX.

So, basically, in a somewhat "strange" way, this system is in fact an open relay.

What I'm trying to understand is why sendmail understands this as a route rcpt. I took a brief look at the RFC and it says:

<quote>
The forward-path may be a source route of the form "@ONE,@TWO:JOE@THREE", where ONE, TWO, and THREE are hosts. (...) For example, mail received at relay host A with arguments

    FROM:<USERX@HOSTY.ARPA>
    TO:<@HOSTA.ARPA,@HOSTB.ARPA:USERC@HOSTD.ARPA>

will be relayed on to host B with arguments

    FROM:<@HOSTA.ARPA:USERX@HOSTY.ARPA>
    TO:<@HOSTB.ARPA:USERC@HOSTD.ARPA>.
</quote>

This is not quite the same as "one@two"@three.

Anyone care to comment?

Thanks in advance,

Joao Gouveia
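Added example, not part of the original post or of either mail server's code: a recipient check a relay could run before accepting or forwarding a RCPT TO argument, flagging a quoted local part that carries its own routing characters, as in "user@norelay.com"@test.local. The function names are hypothetical, append_default_domain only models the behaviour the post describes for server A, and covering "%" and "!" alongside "@" goes beyond the single case in the post.

```python
import re

# Characters that can re-route mail if a later hop interprets them inside the
# local part. "@" is the case from the post; "%" and "!" are added assumptions.
ROUTING_CHARS = set("@%!")

def split_rcpt(path):
    """Split a RCPT TO argument into (local_part, domain or None)."""
    path = path.strip()
    if path.startswith("<") and path.endswith(">"):
        path = path[1:-1]
    if path.startswith('"'):
        i = 1
        while i < len(path):            # find the closing quote, skipping \x escapes
            if path[i] == "\\":
                i += 2
                continue
            if path[i] == '"':
                break
            i += 1
        else:
            raise ValueError("unterminated quoted local part")
        local, rest = path[:i + 1], path[i + 1:]
        if rest == "":
            return local, None
        if not rest.startswith("@"):
            raise ValueError("unexpected text after quoted local part")
        return local, rest[1:]
    local, sep, domain = path.rpartition("@")
    return (local, domain) if sep else (path, None)

def unquote(local):
    """Return the local part as a hop that strips the quotes would see it."""
    if len(local) >= 2 and local[0] == '"' and local[-1] == '"':
        return re.sub(r"\\(.)", r"\1", local[1:-1])
    return local

def append_default_domain(path, default):
    """Model of server A in the post: add the default domain when none is given."""
    local, domain = split_rcpt(path)
    return path if domain else f"{local}@{default}"

def has_embedded_route(path):
    """True if the local part, once unquoted, contains a routing character."""
    local, _ = split_rcpt(path)
    return any(c in ROUTING_CHARS for c in unquote(local))

if __name__ == "__main__":
    for rcpt in ("fubar", '"user@norelay.com"'):   # constructed inputs from the post
        fwd = append_default_domain(rcpt, "test.local")
        print(fwd, "REJECT" if has_embedded_route(fwd) else "accept")
```

Rejecting on has_embedded_route at server A, before the default domain is appended, or at server B, before the address is routed, closes the path described in the post regardless of how the next hop parses the quoted string.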