Current time: 11-22-2024, 08:55 PM Hello There, Guest! (LoginRegister)


Post Reply 
[split] Security Problem detected
Author Message
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #1
[split] Security Problem detected
Can you Post the mail.log please ?

Greez BeNe
08-18-2007 02:29 AM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #2
RE: Security Problem detected
BeNe Wrote:Can you Post the mail.log please ?

Greez BeNe

Why?

The domain alias makes a dns zone "gmx.net" - this alone is not a good thing.

The new mail account test@gmx.net makes postfix to "think" gmx.net is a local domain, the local dns does confirm this... - the second point which is not good.
The catchall (which you only can create if at least one mail account is created) does the rest...


But I can put the logs here, slightly anonymized :-)

Code:
Aug 17 18:10:07 myhost postfix/smtpd[16223]: connect from myhost.mydomain.ch.local[127.0.0.1]
Aug 17 18:10:07 myhost postfix/smtpd[16223]: 9CC0C138933: client=myhost.mydomain.ch.local[127.0.0.1]
Aug 17 18:10:07 myhost postfix/cleanup[16225]: 9CC0C138933: message-id=<60194.123.45.67.89.1187367007.squirrel@admin.myhost.mydomain.ch>
Aug 17 18:10:07 myhost postfix/qmgr[16178]: 9CC0C138933: from=<joximu@mydomain.ch>, size=1031, nrcpt=1 (queue active)
Aug 17 18:10:07 myhost postfix/smtpd[16223]: disconnect from myhost.mydomain.ch.local[127.0.0.1]
Aug 17 18:10:08 myhost postfix/smtp[16226]: 9CC0C138933: to=<joximu@externalhost.de>, orig_to=<jkdfsjghsdjkghdvdf@gmx.net>, relay=mx.externalhost.de[98.76.54.111]:25, delay=1.1, delays=0.
08/0.03/0.83/0.1, dsn=2.0.0, status=sent (250 OK id=1IM4NX-0006VY-00)
Aug 17 18:10:08 myhost postfix/qmgr[16178]: 9CC0C138933: removed

here, my catchall sends all mails to "joximu@externalhost.de"
(This post was last modified: 08-18-2007 06:06 AM by joximu.)
08-18-2007 06:06 AM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #3
RE: Security Problem detected
Try to send a mail to @gmx.net from BeNes ispCP demo server...
08-18-2007 06:44 AM
Visit this user's website Find all posts by this user Quote this message in a reply
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #4
RE: Security Problem detected
I'll try to find out how to make postfix query an external DNS server.

Anyways, admins should read the log emails.

(This reminds me an old idea I had to have an option to prevent adding domains/aliases if they don't point to the server's nameservers)
08-18-2007 10:22 AM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #5
RE: Security Problem detected
raphael Wrote:I'll try to find out how to make postfix query an external DNS server.

This is more or less a fix for the mail-hijacking problem.

raphael Wrote:Anyways, admins should read the log emails.

Yes - but sometimes I get the impression that some of the ispCP admins won't do that. Well, I hope the admins of bigger installations will do - but they also need some sleep and I can think about a szenario where some hours are enough for this sort of criminality - and afterwards the customer deletes the domain alias and mail pointings.... ok, we can read log files, but we should not make it to easy for kiddies...

raphael Wrote:(This reminds me an old idea I had to have an option to prevent adding domains/aliases if they don't point to the server's nameservers)

This sounds really good - I thought of it just minutes ago when I stood up :-)
If a domain (or hostname) does not point to the own server then the domain should not be activated - an admin should activate it (or maybe he can allow a reseller to do that, but this depends if the reseller are serious...)

I think the first step - adding a domain alias (which creates the new zone in bind) should be controled in a better way (making a "dig @tld NS" or so)

/Joximu
08-18-2007 05:23 PM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #6
RE: Security Problem detected
joximu Wrote:Try to send a mail to @gmx.net from BeNes ispCP demo server...

This won´t work! I disabled the Mailtraffic Wink


Greez BeNe
08-18-2007 05:53 PM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #7
RE: Security Problem detected
BeNe Wrote:
joximu Wrote:Try to send a mail to @gmx.net from BeNes ispCP demo server...

This won´t work! I disabled the Mailtraffic Wink

Greez BeNe

ok
- now I can add a domain "security.debian.org". If your server asks the local bind for dns resolving then maybe I could give you some bad "updates"... (well, I dont' have the time for this, but I think this is possible...).

/J
08-18-2007 05:56 PM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #8
RE: Security Problem detected
mmhh, this could maybe work Rolleyes
I try to test it this night, but if so - we need a fix workaround.
Maybe i find something on Mailing list about this problem.

Greez BeNe
08-18-2007 07:35 PM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #9
RE: Security Problem detected
IMHO the most important thing is to prevent the creation of "faked domain" zones in bind. But of cource all parts have to be looked at (MTA - local or external delivery).

/J
08-18-2007 07:46 PM
Visit this user's website Find all posts by this user Quote this message in a reply
platzwart Offline
Junior Member
*

Posts: 100
Joined: Mar 2007
Reputation: 1
Post: #10
RE: Security Problem detected
the most simple solution:

only resellers can add domain aliases and all problems are solved... ^^

(btw: why not get rid of the alias system right now?!? Rolleyes )
08-18-2007 09:38 PM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)