Current time: 11-25-2024, 08:23 PM Hello There, Guest! (LoginRegister)


Post Reply 
[split] Security Problem detected
Author Message
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #11
RE: Security Problem detected
Domain Alias is ok but maybe should be discussed.
eg. you have 2 domains and want to shoe the same website then this is an alias. If a second domains shows a completly different website (and you can create completly defferent mailboxes) then it's more a second domain which should - IMHO - be created by the reseller.
08-18-2007 09:57 PM
Visit this user's website Find all posts by this user Quote this message in a reply
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #12
RE: Security Problem detected
Quote:If a domain (or hostname) does not point to the own server then the domain should not be activated - an admin should activate it (or maybe he can allow a reseller to do that, but this depends if the reseller are serious...)
yup, some 'toapprove' status and display it to the resellers;

Anyways... I'm disabling local DNS look ups
08-19-2007 07:53 AM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #13
RE: Security Problem detected
raphael Wrote:
Quote:If a domain (or hostname) does not point to the own server then the domain should not be activated - an admin should activate it (or maybe he can allow a reseller to do that, but this depends if the reseller are serious...)
yup, some 'toapprove' status and display it to the resellers;

better: the admin can give the reseller a right to approve such things (or not) - I as a admin won't even trust a "reseller", because the reseller doesn't have the technical knowledge/background what risk a "false" domain can be...
So: maybe a check if the domain is already active *and* a approvement from the reseller with a comment for the reseller that the domain already is active at another hoster...
This would be fine. Of course a mail to the admin :-)

raphael Wrote:Anyways... I'm disabling local DNS look ups

Maybe a good start: the setup routine should not write 127.0.0.1 into resolve.conf - see Post #8 http://www.isp-control.net/forum/securit...ml#pid9592

IMHO postfix does not need a domain lookup - it's enough if the domain is in the "/etc/postfix/ispcp/domains"-file (and mailboxes of course).

/Joximu
08-19-2007 08:28 AM
Visit this user's website Find all posts by this user Quote this message in a reply
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #14
RE: Security Problem detected
Quote:Maybe a good start: the setup routine should not write 127.0.0.1 into resolve.conf - see Post #8 http://www.isp-control.net/forum/securit...ml#pid9592
that's what I said... 'disabling' means not including any extra nameserver in /etc/resolv.conf
08-19-2007 10:47 AM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #15
RE: Security Problem detected
raphael Wrote:
Quote:Maybe a good start: the setup routine should not write 127.0.0.1 into resolve.conf - see Post #8 http://www.isp-control.net/forum/securit...ml#pid9592
that's what I said... 'disabling' means not including any extra nameserver in /etc/resolv.conf

Ok, but it's still possible to hijack the mails because postfix has the domain in his local domain list. So to really fix this we need some type of double check... or control for new domains...

Thanx Raphael
08-19-2007 07:25 PM
Visit this user's website Find all posts by this user Quote this message in a reply
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #16
RE: Security Problem detected
The REAL solution regarding DNS hijacking is to separate the resolver from the DNS cache server (the one in /etc/resolv.conf). See http://cr.yp.to/djbdns/separation.html for reference.
08-20-2007 08:01 AM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #17
RE: Security Problem detected
kilburn Wrote:The REAL solution regarding DNS hijacking is to separate the resolver from the DNS cache server (the one in /etc/resolv.conf). See http://cr.yp.to/djbdns/separation.html for reference.

I think this is done by what Raphael did: taking the 127.0.0.1 out of resolve.conf - well someone can put it back, but this is another problem...

What I mean: even if you separate the DNS thing, its possible to hijack mails for the domains since the configuration of the MTA says the domain is local (the MTA does not need to ask a DNS).

/Joximu
08-20-2007 08:37 AM
Visit this user's website Find all posts by this user Quote this message in a reply
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #18
RE: Security Problem detected
I'll see what I can do
08-20-2007 10:05 AM
Visit this user's website Find all posts by this user Quote this message in a reply
hjansen Offline


Posts: 3
Joined: May 2007
Reputation: 0
Post: #19
RE: Security Problem detected
What about checking the ip adress of the domain that will be added. If it is one of the servers ip adress -> adding will be allowed
If not it will be denied.
From my point of view it would not make any sense to add a domain that is not pointing to the server ...
When Domain Management will be redsigned in the next version there could be also something like a regular check for a new added domains. For example if a domain is being new registered and the dns entrys aren't allready pointing at the ip adresses that it will recheck the ip adress regulary and add it finally with all the needed entrys.
The domain could just stay in the status "toadd" until everything is fine ...
(This post was last modified: 09-02-2007 06:03 PM by hjansen.)
09-02-2007 05:59 PM
Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #20
RE: Security Problem detected
the main problem ATM is that the dns-entry is added on installing domain. There are no further nameserver needed - we have to redesign this.
09-02-2007 06:08 PM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)