Vulnerability Development mailing list archives

Re: Mail relay issue


From: cokane () cokane org
Date: Tue, 2 Sep 2003 16:21:09 -0400 (EDT)

I would guess that after it goes into the local mail spool at test.local
the @test.local gets split off and then test.local spools it for
user () norelay com and connects to norelay.com's MX and dumps it into the
SMTP server, which then locally delivers it to user after stripping off the
@.* from the end.

Hi,

This is not really a vulnerability "per se". I came across a weird
open relay situation; hopefully someone here might know why
this happens.

Consider the following:
A) Microsoft Exchange SMTP server
B) Sendmail that trusts "A"

Server "A" appends a default domain, if one is not given on the RCPT TO
command, for example:
RCPT TO: fubar
250 2.1.5 fubar@test.local

Server "A" is configured to deliver all mail to "test.local" to server
"B".

If I send an email to server A issuing rcpt to as:
RCPT TO: "user () norelay com"
The exchange server will append the domain test.local and deliver it to
server B, as in:
RCPT TO: "user () norelay com"@test.local

Now, server B (sendmail) apparently understands this syntax
("user () norelay com"@test.local) as an SMTP route and delivers the email
into norelay.com's MX.

So, basically, in a somewhat "strange" way, this system is in fact an
open relay.
What I'm trying to understand is why sendmail understands this as a
route rcpt. I took a brief look at the RFC and it says:
<quote>
The forward-path may be a source route of the form
"@ONE,@TWO:JOE@THREE", where ONE, TWO, and THREE are hosts.
(...)
 For example, mail received at relay host A with arguments
 FROM:<USERX () HOSTY ARPA>
 TO:<@HOSTA.ARPA,@HOSTB.ARPA:USERC () HOSTD ARPA>
 will be relayed on to host B with arguments
 FROM:<@HOSTA.ARPA:USERX () HOSTY ARPA>
 TO:<@HOSTB.ARPA:USERC () HOSTD ARPA>.
</quote>

This is not quite the same as "one@two"@three.

Anyone care to comment?

Thanks in advance,

Joao Gouveia





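The two recipient forms discussed in this thread (a quoted local part that carries its own address, and an RFC 821 source route) can be recognised before a relay accepts them. The following Python check is an added example and not code from either poster; it splits a RCPT TO path per RFC 5321 quoting rules and reports why a recipient would cause onward relaying. The domain test.local comes from the thread; the sample paths are constructed.

```python
# Constructed sample RCPT TO arguments, modelled on the thread (not real logs).
SAMPLE_RCPT = [
    '<fubar@test.local>',                      # ordinary local recipient
    '<"user@norelay.com"@test.local>',         # quoted local part hiding an address
    '<@test.local:user@norelay.com>',          # RFC 821 source route
]

LOCAL_DOMAINS = {"test.local"}  # domains this host delivers for (assumed)


def split_address(path: str):
    """Split an SMTP path into (source_route, local_part, lowercased domain).

    A quoted local part ("..."@domain) is scanned as a unit, so an '@'
    inside the quotes is not mistaken for the local/domain separator.
    """
    addr = path.strip()
    if addr.startswith('<') and addr.endswith('>'):
        addr = addr[1:-1]
    route = None
    if addr.startswith('@'):                   # "@ONE,@TWO:JOE@THREE" form
        route, _, addr = addr.partition(':')
    if addr.startswith('"'):
        i = 1
        while i < len(addr) and addr[i] != '"':
            i += 2 if addr[i] == '\\' else 1   # skip quoted-pair escapes
        if i >= len(addr) or not addr[i + 1:].startswith('@'):
            raise ValueError(f"malformed quoted local part: {path}")
        local, domain = addr[:i + 1], addr[i + 2:]
    else:
        local, sep, domain = addr.rpartition('@')
        if not sep:
            raise ValueError(f"missing domain: {path}")
    return route, local, domain.lower()


def relay_risk(path: str):
    """Return a reason if this recipient could make us relay onward, else None."""
    route, local, domain = split_address(path)
    if route is not None:
        return f"source route {route!r} requests onward routing"
    if domain not in LOCAL_DOMAINS:
        return f"non-local domain {domain!r}"
    if local.startswith('"') and '@' in local:
        return f"quoted local part {local} embeds a foreign address"
    return None


if __name__ == "__main__":
    for rcpt in SAMPLE_RCPT:
        print(rcpt, "->", relay_risk(rcpt) or "deliver locally")
```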

