[split] Security Problem detected

[BeNe]

Can you Post the mail.log please ?

Greez BeNe

[joximu]

BeNe Wrote:Can you Post the mail.log please ?

Greez BeNe

Why?

The domain alias makes a dns zone "gmx.net" - this alone is not a good thing.

The new mail account test@gmx.net makes postfix to "think" gmx.net is a local domain, the local dns does confirm this... - the second point which is not good.
The catchall (which you only can create if at least one mail account is created) does the rest...


But I can put the logs here, slightly anonymized :-)

Code:

Aug 17 18:10:07 myhost postfix/smtpd[16223]: connect from myhost.mydomain.ch.local[127.0.0.1]
Aug 17 18:10:07 myhost postfix/smtpd[16223]: 9CC0C138933: client=myhost.mydomain.ch.local[127.0.0.1]
Aug 17 18:10:07 myhost postfix/cleanup[16225]: 9CC0C138933: message-id=<60194.123.45.67.89.1187367007.squirrel@admin.myhost.mydomain.ch>
Aug 17 18:10:07 myhost postfix/qmgr[16178]: 9CC0C138933: from=<joximu@mydomain.ch>, size=1031, nrcpt=1 (queue active)
Aug 17 18:10:07 myhost postfix/smtpd[16223]: disconnect from myhost.mydomain.ch.local[127.0.0.1]
Aug 17 18:10:08 myhost postfix/smtp[16226]: 9CC0C138933: to=<joximu@externalhost.de>, orig_to=<jkdfsjghsdjkghdvdf@gmx.net>, relay=mx.externalhost.de[98.76.54.111]:25, delay=1.1, delays=0.
08/0.03/0.83/0.1, dsn=2.0.0, status=sent (250 OK id=1IM4NX-0006VY-00)
Aug 17 18:10:08 myhost postfix/qmgr[16178]: 9CC0C138933: removed

here, my catchall sends all mails to "joximu@externalhost.de"

[joximu]

Try to send a mail to @gmx.net from BeNes ispCP demo server...

[raphael]

I'll try to find out how to make postfix query an external DNS server.

Anyways, admins should read the log emails.

(This reminds me an old idea I had to have an option to prevent adding domains/aliases if they don't point to the server's nameservers)

[joximu]

raphael Wrote:I'll try to find out how to make postfix query an external DNS server.

This is more or less a fix for the mail-hijacking problem.

raphael Wrote:Anyways, admins should read the log emails.

Yes - but sometimes I get the impression that some of the ispCP admins won't do that. Well, I hope the admins of bigger installations will do - but they also need some sleep and I can think about a szenario where some hours are enough for this sort of criminality - and afterwards the customer deletes the domain alias and mail pointings.... ok, we can read log files, but we should not make it to easy for kiddies...

raphael Wrote:(This reminds me an old idea I had to have an option to prevent adding domains/aliases if they don't point to the server's nameservers)

This sounds really good - I thought of it just minutes ago when I stood up :-)
If a domain (or hostname) does not point to the own server then the domain should not be activated - an admin should activate it (or maybe he can allow a reseller to do that, but this depends if the reseller are serious...)

I think the first step - adding a domain alias (which creates the new zone in bind) should be controled in a better way (making a "dig @tld NS" or so)

/Joximu

[BeNe]

joximu Wrote:Try to send a mail to @gmx.net from BeNes ispCP demo server...

This won´t work! I disabled the Mailtraffic


Greez BeNe

[joximu]

BeNe Wrote:

joximu Wrote:Try to send a mail to @gmx.net from BeNes ispCP demo server...

This won´t work! I disabled the Mailtraffic

Greez BeNe

ok
- now I can add a domain "security.debian.org". If your server asks the local bind for dns resolving then maybe I could give you some bad "updates"... (well, I dont' have the time for this, but I think this is possible...).

/J

[BeNe]

mmhh, this could maybe work
I try to test it this night, but if so - we need a fix workaround.
Maybe i find something on Mailing list about this problem.

Greez BeNe

[joximu]

IMHO the most important thing is to prevent the creation of "faked domain" zones in bind. But of cource all parts have to be looked at (MTA - local or external delivery).

/J

[platzwart]

the most simple solution:

only resellers can add domain aliases and all problems are solved... ^^

(btw: why not get rid of the alias system right now?!? )