Bugtraq mailing list archives
Re: NTmail exploit
From: John Stanners <john.stanners () GORDANO COM>
Date: Mon, 18 Sep 2000 18:34:15 +0100
I saw someone report an exploit for NTmail version 3 and just wanted to post that it's possible to use this against NTmail version 5e and 5g as well.

Basically the exploit is this, NTmail has a "local mail only" feature where either the from or to address must be a locally hosted address. This feature is totally broken in that if you use mail from; <-note semi-colon instead of colon NTmail will pass the mail with a non-local TO address and in doing so totally hoses up the from address. What this means is that every NTmail server on the net that is not limited by an IP address range is a wide open relay.

Cure: Open the web configuration interface, go to "incoming" then to the "redirect" tab and add a new rule. In the "mail clause" field type in "from;*" without the quotes and then set it to either refuse or redirect the mail as you like.

I tried to post this to the NTmail support list but it is a moderated list and Gordano refuses to allow the message to pass in order to warn all NTmail admins. So I'm posting this to the security lists in order to get notification of the exploit and at least one possible fix out to as many people as possible. I'm still talking to Gordano but at this time it doesn't look like they are going to fix this.

Geo.

I would just like to point out that Geo is running NTMail in a non-standard configuration. He has specifically set it up so that all that is required to allow relay through his server is that either one of the MAIL or RCPT clauses is local, and as he was passing in a local address (no domain part) the mail was allowed to relay.

By default, NTMail comes with relay disabled; only those users from within a defined Local IP range are allowed to relay external mail through the server. To cater for those users that are outside of this Local IP range, NTMail also supports Authenticated SMTP and POP-before-SMTP.

Yours
John Stanners

-----------------------------------------------------------------
Gordano Ltd
PO Box 79, Clevedon, UK, BS21 7EF
Tel UK: +44 1275 340151
Fax UK: +44 1275 340056
Tel USA: +1 900 226 4632
URL: http://www.ntmail.co.uk
EMail: support () gordano com
All quotes valid for 28 days.
-----------------------------------------------------------------
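
A minimal model of the two relay policies discussed in this thread, added here as an example and not code from NTmail, Gordano or either poster: `weak_policy` is the "either MAIL or RCPT is local" rule, while `relay_decision` rejects a malformed MAIL command and relays only for the local IP range or authenticated clients. The domain, IP range, function names and reply strings are assumptions.

```python
import ipaddress
import re

# Constructed sample settings, not taken from NTmail.
LOCAL_DOMAINS = {"example.test"}
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# RFC 5321 shape: keyword, a colon, then the path in angle brackets.
MAIL_RE = re.compile(r"MAIL FROM:<([^<>\s]*)>(?: \S+)*", re.IGNORECASE)
RCPT_RE = re.compile(r"RCPT TO:<([^<>\s]+)>(?: \S+)*", re.IGNORECASE)


def parse_path(line, pattern):
    """Return the address in the command, or None if the syntax is wrong."""
    m = pattern.fullmatch(line.strip())
    return m.group(1) if m else None


def is_local(addr, bare_is_local=False):
    """True if addr is user@domain with a hosted domain."""
    user, at, domain = addr.rpartition("@")
    if not at:
        # Address with no domain part: only the weak policy counts it as local.
        return bare_is_local and bool(addr)
    return bool(user) and domain.lower() in LOCAL_DOMAINS


def weak_policy(sender, rcpt):
    """'Either end local' rule: trusts whatever sender the client claims."""
    return is_local(sender, True) or is_local(rcpt, True)


def relay_decision(client_ip, mail_line, rcpt_line, authenticated=False):
    """Strict policy: reject bad syntax; never trust the claimed sender."""
    sender = parse_path(mail_line, MAIL_RE)
    rcpt = parse_path(rcpt_line, RCPT_RE)
    if sender is None or rcpt is None:
        return "501 syntax error"
    if is_local(rcpt):
        return "250 local delivery"
    if authenticated or ipaddress.ip_address(client_ip) in LOCAL_NET:
        return "250 relay"
    return "550 relaying denied"
```
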