This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mail to Postmaster with forged sender Adress from own Domain is accepted

By default the UTM accepts email to postmaster@* without any checks in place.

This includes SPF, Blacklisting, DKIM and so on.

SPF should NEVER be excluded on checks.

We got an E-Mail today that was sent from postmaster@our-domain to postmaster@our-domain and it marched right through the UTM not triggering any checks at all.

This is an absolutly dangerous behavior on the UTM side. At least minimal checks like SPF and Virus checks should always be performed.

RFC 5321 states in 4.5.1:

   SMTP systems are expected to make every reasonable effort to accept
   mail directed to Postmaster from any other system on the Internet.
   In extreme cases -- such as to contain a denial of service attack or
   other breach of security -- an SMTP server may block mail directed to
   Postmaster.  However, such arrangements SHOULD be narrowly tailored
   so as to avoid blocking messages that are not part of such attacks.

Forging the sender address to our own postmaster address from our own domain i do consider "breach of security".

The following log was actually me testing this behaviour of the UTM.

The Testserver is NOT listed in the SPF entry so should be rejected.

All IPs and Hostnames are redacted for security reasons.

2021:07:08-21:50:00 gw-2 exim-in[15320]: 2021-07-08 21:50:00 SMTP connection from [my-test-server]:44502 (TCP/IP connection count = 1)
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 [my-test-server] F=<postmaster@mydomain> R=<postmaster@mydomain> Accepted: to postmaster
2021:07:08-21:50:00 gw-1 exim-out[18999]: 2021-07-08 21:50:00 Start queue run: pid=18999
2021:07:08-21:50:00 gw-1 exim-out[18999]: 2021-07-08 21:50:00 End queue run: pid=18999
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 1m1a24-0000sh-1J Greylisting: my-test-server is a known retry host
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 1m1a24-0000sh-1J <= postmaster@mydomain H=my-test-server [my-test-server]:44502 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1308
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 SMTP connection from my-test-server [my-test-server]:44502 closed by QUIT
2021:07:08-21:50:01 gw-2 smtpd[15312]: QMGR[15312]: 1m1a24-0000sh-1J moved to work queue
2021:07:08-21:50:10 gw-2 smtpd[3542]: SCANNER[3542]: 1m1a2E-0000v8-6J <= postmaster@mydmain R=1m1a24-0000sh-1J P=INPUT S=5
2021:07:08-21:50:10 gw-2 smtpd[3542]: SCANNER[3542]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="my-test-server" from="postmaster@mydomain" to="postmaster@mydomain" subject="Test" queueid="1m1a2E-0000v8-6J" size="5"
2021:07:08-21:50:10 gw-2 smtpd[3542]: SCANNER[3542]: 1m1a24-0000sh-1J => work R=SCANNER T=SCANNER
2021:07:08-21:50:10 gw-2 smtpd[3542]: SCANNER[3542]: 1m1a24-0000sh-1J Completed
2021:07:08-21:50:10 gw-2 exim-out[3546]: 2021-07-08 21:50:10 1m1a2E-0000v8-6J [internal-exchange] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=xxxxxxx
2021:07:08-21:50:10 gw-2 exim-out[3546]: 2021-07-08 21:50:10 1m1a2E-0000v8-6J [internal-exchange] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=xxxxxxx
2021:07:08-21:50:10 gw-2 exim-out[3545]: 2021-07-08 21:50:10 1m1a2E-0000v8-6J => postmaster@mydomain P=<postmaster@mydomain> R=static_route_hostlist T=static_smtp H=internal-exchange [internal-exchange]:25 X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no C="250 2.6.0 <0982173c-d3f9-46ce-a1c7-a31af0a496aa@internal-exchange> [InternalId=884763263009, Hostname=internal-exchange] 2940 bytes in 0.103, 27,750 KB/sec Queued mail for delivery"
2021:07:08-21:50:10 gw-2 exim-out[3545]: 2021-07-08 21:50:10 1m1a2E-0000v8-6J Completed

Therefore the UTM exim.conf should be designed in such a way that at least basic checks like anti virus or SPF checks are always performed before the postmaster validation. This would tremendously help customers not voiding their warranty if they edit the file themselfes to secure a "security" product...



This thread was automatically locked due to age.
Parents
  • And before anybody chimes in "oh its JUST the postmaster..."

    Its the postmaster that usually goes to some IT Department/Guy. Combine that with an "on Display" Exploit in Outlook (which aren't that uncommon...) on an IT Workstation and you are begging for a desaster to happen.

Reply
  • And before anybody chimes in "oh its JUST the postmaster..."

    Its the postmaster that usually goes to some IT Department/Guy. Combine that with an "on Display" Exploit in Outlook (which aren't that uncommon...) on an IT Workstation and you are begging for a desaster to happen.

Children
No Data