Re: Mail relay issue

["Dick St.Peters" <stpeters () NetHeaven com>]

This relaying can be prevented by the addition of just two rule lines
in sendmail.cf[*].

I've appended patches to add the lines to proto.m4 for sendmail 8.12
and 8.11 (specifically 8.12.9 and 8.11.6).  I've tested and am using
the 8.12 patch, but the 8.11 patch is completely untested.  It is
basically the same change and should work.

[*] I think it could be done with just one earlier dequote rule, but
I'm going with what I tested.

--
Dick St.Peters, stpeters () NetHeaven com 

> I would guess that after it goes into the local mail spool at test.local
> the @test.local gets split off and then test.local spools it for
> user () norelay com and connects to norelay.com's MX and dumps it into the
> SMTP server. Who then locally delivers it to user after stripping off the
> @.* from the end.
>
> > Hi,
> >
> > This is not really a vulnerability "per se". I came across with a weird
> > open relay situation, hopefully someone here might now why
> > this happens.
> >
> > Consider the following:
> > A) Microsoft Exchange SMTP server
> > B) Sendmail that trusts "A"
> >
> > Server "A" appends a default domain, if one is not given on the RCPT TO
> > command, for example:
> > RCPT TO: fubar
> > 250 2.1.5 fubar@test.local
> >
> > Server "A" is configured to deliver all mail to "test.local" to server
> > "B".
> >
> > If I send an email to server A issuing rcpt to as:
> > RCPT TO: "user () norelay com"
> > The exchange server will append the domain test.local and deliver it to
> > server B, as in:
> > RCPT TO: "user () norelay com"@test.local
> >
> > Now, server B (sendmail), apparently understands this sintax
> > ("user () norelay com"@test.local) as an SMTP route and delivers the email
> > into norelay.com's MX.
> >
> > So, basicaly, in a somewhat "strange" way, this system is in fact an
> > open relay.
> > What i'm trying to understand, is why does sendmail understand this as a
> > route rcpt. I took a brief look on the RFC and it says:
> > <quote>
> > The forward-path may be a source route of the form
> > "@ONE,@TWO:JOE@THREE", where ONE, TWO, and THREE are hosts.
> > (...)
> >  For example, mail received at relay host A with arguments
> >  FROM:<USERX () HOSTY ARPA>
> >  TO:<@HOSTA.ARPA,@HOSTB.ARPA:USERC () HOSTD ARPA>
> >  will be relayed on to host B with arguments
> >  FROM:<@HOSTA.ARPA:USERX () HOSTY ARPA>
> >  TO:<@HOSTB.ARPA:USERC () HOSTD ARPA>.
> > </quote>
> >
> > This is not quite the same as "one@two"@three.
> >
> > Anyone care to comment?
> >
> > Thanks in advance,
> >
> > Joao Gouveia

NOTE: The patches below have tabs in them.  sendmail requires the tabs

Tested patch for sendmail 8.12.9

--- proto.m4-dist       Fri Mar 28 12:20:53 2003
+++ proto.m4    Thu Sep  4 09:26:40 2003
@@ -983,6 +983,9 @@
 R$* < @ . $* > $*      $#error $@ 5.1.2 $: "_CODE553 Invalid host name"
 R$* < @ $* .. $* > $*  $#error $@ 5.1.2 $: "_CODE553 Invalid host name"
 dnl no a@b@
+R$- < $* >             $: $(dequote $1 $) < $2 >
+R$* $=O $* < $* >      $#error $@ 5.1.2 $: "_CODE553 Invalid route address"
+dnl no "a@b"@c
 R$* < @ $* @ > $*      $#error $@ 5.1.2 $: "_CODE553 Invalid route address"
 dnl no a@b@c
 R$* @ $* < @ $* > $*   $#error $@ 5.1.3 $: "_CODE553 Invalid route address"

UNTESTED patch for sendmail 8.11.6

--- proto.m4-dist       Tue Jul 31 18:25:49 2001
+++ proto.m4    Thu Sep  4 09:44:33 2003
@@ -880,6 +880,8 @@
 R$* < @ . $* > $*      $#error $@ 5.1.2 $: "CODE553 Invalid host name"
 R$* < @ $* .. $* > $*  $#error $@ 5.1.2 $: "CODE553 Invalid host name"
 dnl comma only allowed before @; this check is not complete
+R$- < $* >             $: $(dequote $1 $) < $2 >
+R$* $=O $* < $* >      $#error $@ 5.1.2 $: "CODE553 Invalid route address"
 R$* , $~O $*           $#error $@ 5.1.2 $: "CODE553 Invalid route address"
 
 # now delete the local info -- note $=O to find characters that cause forwarding

NOTE REPEAT: The patches have tabs in them.  sendmail requires the
tabs