ispCP - Board - Support
[split] Security Problem detected

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Development Area (/forum-1.html)
+--- Forum: General discussion (/forum-11.html)
+--- Thread: [split] Security Problem detected (/thread-1277.html)



[split] Security Problem detected - BeNe - 08-18-2007 02:29 AM

Can you post the mail.log please?

Greez BeNe


RE: Security Problem detected - joximu - 08-18-2007 06:06 AM

BeNe Wrote: Can you post the mail.log please?

Greez BeNe

Why?

The domain alias makes a DNS zone "gmx.net" - this alone is not a good thing.

The new mail account test@gmx.net makes postfix "think" that gmx.net is a local domain, and the local DNS confirms this... - the second point which is not good.
The catchall (which you can only create if at least one mail account is created) does the rest...


But I can put the logs here, slightly anonymized :-)

Code:
Aug 17 18:10:07 myhost postfix/smtpd[16223]: connect from myhost.mydomain.ch.local[127.0.0.1]
Aug 17 18:10:07 myhost postfix/smtpd[16223]: 9CC0C138933: client=myhost.mydomain.ch.local[127.0.0.1]
Aug 17 18:10:07 myhost postfix/cleanup[16225]: 9CC0C138933: message-id=<60194.123.45.67.89.1187367007.squirrel@admin.myhost.mydomain.ch>
Aug 17 18:10:07 myhost postfix/qmgr[16178]: 9CC0C138933: from=<joximu@mydomain.ch>, size=1031, nrcpt=1 (queue active)
Aug 17 18:10:07 myhost postfix/smtpd[16223]: disconnect from myhost.mydomain.ch.local[127.0.0.1]
Aug 17 18:10:08 myhost postfix/smtp[16226]: 9CC0C138933: to=<joximu@externalhost.de>, orig_to=<jkdfsjghsdjkghdvdf@gmx.net>, relay=mx.externalhost.de[98.76.54.111]:25, delay=1.1, delays=0.08/0.03/0.83/0.1, dsn=2.0.0, status=sent (250 OK id=1IM4NX-0006VY-00)
Aug 17 18:10:08 myhost postfix/qmgr[16178]: 9CC0C138933: removed

Here, my catchall sends all mail to "joximu@externalhost.de".


RE: Security Problem detected - joximu - 08-18-2007 06:44 AM

Try to send a mail to @gmx.net from BeNes ispCP demo server...


RE: Security Problem detected - raphael - 08-18-2007 10:22 AM

I'll try to find out how to make postfix query an external DNS server.

Anyways, admins should read the log emails.

(This reminds me of an old idea I had: to have an option to prevent adding domains/aliases if they don't point to the server's nameservers.)


RE: Security Problem detected - joximu - 08-18-2007 05:23 PM

raphael Wrote: I'll try to find out how to make postfix query an external DNS server.

This is more or less a fix for the mail-hijacking problem.

raphael Wrote: Anyways, admins should read the log emails.

Yes - but sometimes I get the impression that some of the ispCP admins won't do that. Well, I hope the admins of bigger installations will - but they also need some sleep, and I can think of a scenario where some hours are enough for this sort of criminality - and afterwards the customer deletes the domain alias and mail pointings.... OK, we can read log files, but we should not make it too easy for kiddies...

raphael Wrote: (This reminds me of an old idea I had: to have an option to prevent adding domains/aliases if they don't point to the server's nameservers.)

This sounds really good - I thought of it just minutes ago when I got up :-)
If a domain (or hostname) does not point to our own server, then the domain should not be activated - an admin should activate it (or maybe he can allow a reseller to do that, but this depends on whether the resellers are serious...)

I think the first step - adding a domain alias (which creates the new zone in bind) - should be controlled in a better way (making a "dig @tld NS" or so).

/Joximu
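A gate of the kind raphael and joximu propose, written here as an added example (not ispCP code): before a domain alias is activated, the domain's public NS delegation is compared with the server's own nameservers, and anything that does not match, or has no delegation at all, is held for an admin instead of being activated automatically. OUR_NAMESERVERS, the FAKE_NS table and the provider name are constructed; the real lookup shells out to dig and is not used by the offline demo.

```python
import subprocess

# Constructed example: the nameservers this ispCP host is authoritative with.
OUR_NAMESERVERS = {"ns1.myhost.mydomain.ch", "ns2.myhost.mydomain.ch"}


def normalize(name):
    """Lower-case a DNS name and strip the trailing dot that dig prints."""
    return name.strip().lower().rstrip(".")


def ns_lookup_dig(domain, resolver=None):
    """Return the NS names dig reports for domain (one list entry per record).

    Ask a resolver other than the panel's own bind (pass the TLD servers or an
    external recursor as `resolver`): the local bind will confirm any zone the
    panel itself just created, which is exactly the flaw in the thread.
    """
    cmd = ["dig", "+short", "NS", domain] + (["@" + resolver] if resolver else [])
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=10, check=False)
    return out.stdout.splitlines()


def alias_decision(domain, our_ns=OUR_NAMESERVERS, lookup=ns_lookup_dig):
    """'activate' if every NS record of domain names one of our servers,
    otherwise 'hold_for_admin' (also when there are no NS records at all)."""
    try:
        found = {normalize(n) for n in lookup(domain) if n.strip()}
    except (OSError, subprocess.SubprocessError):
        found = set()
    # No delegation found (unregistered name or failed lookup): treat it like a
    # foreign domain, because a local zone for it would still mislead postfix.
    if not found:
        return "hold_for_admin"
    ours = {normalize(n) for n in our_ns}
    return "activate" if found <= ours else "hold_for_admin"


# Constructed lookup table standing in for the real DNS so the demo runs offline.
FAKE_NS = {
    "customer-shop.ch": ["ns1.myhost.mydomain.ch.", "NS2.myhost.mydomain.ch."],
    "gmx.net": ["ns.example-provider.net."],  # a foreign mail provider
    "half-moved.ch": ["ns1.myhost.mydomain.ch.", "ns.example-provider.net."],
    "not-registered-12345.ch": [],
}


def fake_lookup(domain, resolver=None):
    return FAKE_NS.get(domain, [])


if __name__ == "__main__":
    for d in FAKE_NS:
        print(d, "->", alias_decision(d, lookup=fake_lookup))
```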


RE: Security Problem detected - BeNe - 08-18-2007 05:53 PM

joximu Wrote: Try to send a mail to @gmx.net from BeNe's ispCP demo server...

This won't work! I disabled the mail traffic.


Greez BeNe


RE: Security Problem detected - joximu - 08-18-2007 05:56 PM

BeNe Wrote:
joximu Wrote: Try to send a mail to @gmx.net from BeNe's ispCP demo server...

This won't work! I disabled the mail traffic.

Greez BeNe

OK
- now I can add a domain "security.debian.org". If your server asks the local bind for DNS resolving, then maybe I could give you some bad "updates"... (well, I don't have the time for this, but I think this is possible...).

/J


RE: Security Problem detected - BeNe - 08-18-2007 07:35 PM

Mmhh, this could maybe work.
I'll try to test it tonight, but if so - we need a fix/workaround.
Maybe I'll find something on the mailing list about this problem.

Greez BeNe


RE: Security Problem detected - joximu - 08-18-2007 07:46 PM

IMHO the most important thing is to prevent the creation of "faked domain" zones in bind. But of course all parts have to be looked at (MTA - local or external delivery).

/J


RE: Security Problem detected - platzwart - 08-18-2007 09:38 PM

The simplest solution:

only resellers can add domain aliases and all problems are solved... ^^

(btw: why not get rid of the alias system right now?!?)