[split] Security Problem detected

[joximu]

Domain Alias is ok but maybe should be discussed.
eg. you have 2 domains and want to shoe the same website then this is an alias. If a second domains shows a completly different website (and you can create completly defferent mailboxes) then it's more a second domain which should - IMHO - be created by the reseller.

[raphael]

Quote:If a domain (or hostname) does not point to the own server then the domain should not be activated - an admin should activate it (or maybe he can allow a reseller to do that, but this depends if the reseller are serious...)

yup, some 'toapprove' status and display it to the resellers;

Anyways... I'm disabling local DNS look ups

[joximu]

raphael Wrote:

Quote:If a domain (or hostname) does not point to the own server then the domain should not be activated - an admin should activate it (or maybe he can allow a reseller to do that, but this depends if the reseller are serious...)

yup, some 'toapprove' status and display it to the resellers;

better: the admin can give the reseller a right to approve such things (or not) - I as a admin won't even trust a "reseller", because the reseller doesn't have the technical knowledge/background what risk a "false" domain can be...
So: maybe a check if the domain is already active *and* a approvement from the reseller with a comment for the reseller that the domain already is active at another hoster...
This would be fine. Of course a mail to the admin :-)

raphael Wrote:Anyways... I'm disabling local DNS look ups

Maybe a good start: the setup routine should not write 127.0.0.1 into resolve.conf - see Post #8 http://www.isp-control.net/forum/securit...ml#pid9592

IMHO postfix does not need a domain lookup - it's enough if the domain is in the "/etc/postfix/ispcp/domains"-file (and mailboxes of course).

/Joximu

[raphael]

Quote:Maybe a good start: the setup routine should not write 127.0.0.1 into resolve.conf - see Post #8 http://www.isp-control.net/forum/securit...ml#pid9592

that's what I said... 'disabling' means not including any extra nameserver in /etc/resolv.conf

[joximu]

raphael Wrote:

Quote:Maybe a good start: the setup routine should not write 127.0.0.1 into resolve.conf - see Post #8 http://www.isp-control.net/forum/securit...ml#pid9592

that's what I said... 'disabling' means not including any extra nameserver in /etc/resolv.conf

Ok, but it's still possible to hijack the mails because postfix has the domain in his local domain list. So to really fix this we need some type of double check... or control for new domains...

Thanx Raphael

[kilburn]

The REAL solution regarding DNS hijacking is to separate the resolver from the DNS cache server (the one in /etc/resolv.conf). See http://cr.yp.to/djbdns/separation.html for reference.

[joximu]

kilburn Wrote:The REAL solution regarding DNS hijacking is to separate the resolver from the DNS cache server (the one in /etc/resolv.conf). See http://cr.yp.to/djbdns/separation.html for reference.

I think this is done by what Raphael did: taking the 127.0.0.1 out of resolve.conf - well someone can put it back, but this is another problem...

What I mean: even if you separate the DNS thing, its possible to hijack mails for the domains since the configuration of the MTA says the domain is local (the MTA does not need to ask a DNS).

/Joximu

[raphael]

I'll see what I can do

[hjansen]

What about checking the ip adress of the domain that will be added. If it is one of the servers ip adress -> adding will be allowed
If not it will be denied.
From my point of view it would not make any sense to add a domain that is not pointing to the server ...
When Domain Management will be redsigned in the next version there could be also something like a regular check for a new added domains. For example if a domain is being new registered and the dns entrys aren't allready pointing at the ip adresses that it will recheck the ip adress regulary and add it finally with all the needed entrys.
The domain could just stay in the status "toadd" until everything is fine ...

[RatS]

the main problem ATM is that the dns-entry is added on installing domain. There are no further nameserver needed - we have to redesign this.