[BlueOnyx:21687] Re: mailserver; possible security issue?

Rickard Osser rickard.osser at bluapp.com
Thu Jan 25 09:29:58 -05 2018


Hi Brian,
you don't need to log in to an SMTP server on port 25 to send to a
local address. The server thinks you're a server and will receive mails
for the domains and users it handles. Also remember, there is really no
checking on mails at all as to whether the mail addresses are valid. SPF can
help because that will tell the server you're not on a mail server, but if
you log in to the mail server first and then do a telnet to localhost
on port 25 it will let you through anyway.
I use this all the time to test mail server setups.
Best regards,
Rickard

On Thu, 2018-01-25 at 14:21 +0000, Fungal Style wrote:
> Dirk,
> 
> Good to see I am not the only one thinking SPF.
> 
> I note that in your test, if I read it right, you are logging in via
> telnet as if you were a mail client; you are authenticating to start
> with.
> 
> So you are saying, as an example….
> 
> The fake user is logging in as user at company.com and then saying the
> sender email address is ceo at company.com ? 
> 
> Also, are you saying you have selected “Enable SMTP Auth” in the basic
> tab of “Email”? If so, my understanding would be that the user would
> need to authenticate in order to be able to send an email, which
> they could do by, say, having an email client log in with the credentials
> for the username of (to use the above example):
> user
> 
> Entering the password etc, but configure the email client to say the
> email is from ceo at company.com and not user at company.com (which was
> used to authenticate for sending email), is this what you mean?
> 
> The question would then be, if the above is true, whether the
> email originated from your (in this case, your customer’s) mail
> server, and if so they may have a compromised email account, as you
> needed to log in to send email.
> 
> Hope that makes as much sense as I think it does as it is nearly
> 1:#0am here… ☺
> 
> Regards
> Brian
> 
> 
> On 26/1/18, 1:06 am, "Blueonyx on behalf of Ken Hohhof" <blueonyx-bou
> nces at mail.blueonyx.it on behalf of khohhof at kwom.com> wrote:
> 
>     Dirk, I am not understanding the issue.  Mailservers will
> generally accept messages from anyone for a local mailbox, that is
> their purpose.
>     
>     Is the issue that the mailserver is accepting external mail from
> a sender address at a domain local to the mailserver?  Maybe you are
> wanting something like SPF to specify the official mailserver for
> that domain and force all senders to authenticate and relay via the
> official mailserver?
>     
>     Or is the issue that the CEO was fired and his/her email address
> deleted, yet the mailserver accepted messages from a sender address
> at a local domain that it should have known was an invalid user at
> that domain?  If I handle mail for a domain, and I receive a message
> purporting to be from a user at that domain, yet there is no such
> user (or alias) at that domain, maybe the SMTP session should fail as
> soon as I receive the sender data.
>     
>     
>     -----Original Message-----
>     From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On
> Behalf Of Dirk Estenfeld
>     Sent: Thursday, January 25, 2018 7:19 AM
>     To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
>     Subject: [BlueOnyx:21683] Re: mailserver; possible security
> issue?
>     
>     Hello Brian,
>     
>     thank you for your email.
>     Yes, I am aware of this. But in this case some of your
> suggestions are not applicable.
>     For example, for an official mailserver it makes no sense to limit
> the IP address for port 25.
>     Yes, smtp_auth is enabled at the server, of course. But you can
> try. It is not working if you use an email address which exists
> at the server and the recipient address also.
>     
>     I did also try with an Exchange server and this was working. Also
> with a sendmail on FreeBSD. So it seems to be a more or less general
> "feature" which in my opinion is a security issue these days.
>     
>     Best regards
>     Dirk
>     
>     
>     ---
>     
>     blackpoint GmbH – Friedberger Straße 106b – 61118 Bad Vilbel
>     
>     Tel.: +49 6101 65788 20
>     Fax: +49 6101 65788 99
>     eMail: dirk.estenfeld at blackpoint.de
>     
>     Authorized representatives: Dirk Estenfeld and Mario Di Rienzo, HRB
> 50093 Frankfurt am Main, VAT ID de210106871
>     
>     CRM on Demand – a good idea
>     
>     Visit us online at www.blackpoint.de. Register domains without
> hassle: www.edns.de. Back up your data simply and cheaply:
> www.back2web.de. Member of:
>     
>     
>     
>     
>     Confidentiality Notice:
>     This e-mail message, including any attachments, is for the sole
> use of the intended recipient(s) and may contain confidential and
> privileged information. Any unauthorized review, use, disclosure or
> distribution is prohibited. If you are not the intended recipient,
> please contact the sender by reply e-mail and destroy all copies of
> the original message.
>     
>     
>     -----Original Message-----
>     From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On
> Behalf Of Fungal Style
>     Sent: Thursday, 25 January 2018 13:55
>     To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
>     Subject: [BlueOnyx:21682] Re: mailserver; possible security
> issue?
>     
>     Hi Dirk,
>     
>     Well, there are often a few things that can be done, although
> normally you also need to consider that email is one of the (if not
> the) most insecure methods of communication.
>     
>     Simple things, some of which you may have enabled already, include:
>     - Limiting the IP ranges that can send email (of course can be
> spoofed, but it requires more work from the scammer side)
>     - Authenticated sending (to ensure they do not send via your
> server, if they do then look for the account being exploited)
>     - SPF records can help a little too, I believe (have not played
> too much with them)
>     
>     
>     Note: I am no expert myself but the above should get you pointed
> in the right direction to start with.
>     
>     I am sure there are other ways to harden the security, like with
> RBLs, spam filtering such as SpamAssassin, etc. I suppose some geo
> blocking may also help, which would go more hand in hand with the
> initial comment on limiting the IP ranges.
>     
>     As always, staff training on cyber threats is invaluable.
>     
>     Hope this helps for the future.
>     
>     I suspect someone with more knowledge will reply also soon
> enough, but thought this may provide a little light reading to start
> with.
>     
>     Regards
>     Brian
>     
>     
>     On 25/1/18, 11:07 pm, "Blueonyx on behalf of Dirk Estenfeld" <blu
> eonyx-bounces at mail.blueonyx.it on behalf of dirk.estenfeld at blackpoint
> .de> wrote:
>     
>         Hello,
>         
>         we have one customer who was the victim of a CEO fraud.
>         Some of his employees got a message from the email address of
> the CEO with the order to send xx money to a specific bank account.
> He did :(
>         
>         Now we have found out that it is possible to send email with
> sendmail on CentOS/BlueOnyx (also other distributions) from an
> existing email address to an existing email address.
>         
>         Example:
>         telnet 208.77.xx.xx 25
>         Trying 208.77.xx.xx...
>         Connected to 208.77.xx.xx
>         Escape character is '^]'.
>         220 sol ESMTP Sendmail Ready; Thu, 25 Jan 2018 06:37:59 -0500
>         EHLO blackpoint.de
>         250-sol.xxx Hello ns3.xxx [xx.xx.xx.xx], pleased to meet you
>         250-ENHANCEDSTATUSCODES
>         250-PIPELINING
>         250-8BITMIME
>         250-SIZE
>         250-DSN
>         250-ETRN
>         250-AUTH LOGIN PLAIN
>         250-STARTTLS
>         250-DELIVERBY
>         250 HELP
>         MAIL FROM:mstxxx at solxxx.net
>         250 2.1.0 mstxxx at solxxx.net... Sender ok
>         RCPT TO: mstxxx at solxxx.net
>         451 4.7.1 Greylisting in action, please come back later
>         RCPT TO: mstxxx at solxxx.net
>         250 2.1.5 mstxxx at solxxx.net... Recipient ok
>         DATA
>         354 Enter mail, end with "." on a line by itself
>         Some content for example send money to yx
>         .
>         250 2.0.0 w0PBbxN1026335 Message accepted for delivery
>         QUIT
>         221 2.0.0 sol.xxx closing connection
>         Connection closed by foreign host.
>         
>         Unfortunately it is not only possible from the same user to the
> same user. It is also possible from an (at the server existing) email
> address to an (at the server existing) email address.
>         
>         Did someone else see something similar?
>         In my opinion, in days of CEO fraud, it is a security issue.
>         Does someone know how to change settings in sendmail to prevent
> this behaviour?
>         
>         Best regards,
>         Dirk Estenfeld
>         
>         
>         ---
>         
>         blackpoint GmbH - Friedberger Straße 106b - 61118 Bad Vilbel
>         
>         
>         _______________________________________________
>         Blueonyx mailing list
>         Blueonyx at mail.blueonyx.it
>         http://mail.blueonyx.it/mailman/listinfo/blueonyx
>         
>     
>     
>     
>     
>     
>     
>     
>     
> 
> 
> 
-- 
Bluapp AB
Rickard Osser
CTO
Solberga Ängsväg 3
125 44 Älvsjö
Sweden

Web: http://www.bluapp.com
Mail: rickard.osser at bluapp.com
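The mitigation the thread circles around (Ken: make senders at a local domain authenticate or relay through the official mailserver; Rickard: SPF lets the server judge whether the connecting client is a legitimate sender) can be expressed as a check that runs at MAIL FROM, before DATA. The Python below is an added example written for this archive page; it is not code from the list, from BlueOnyx or from sendmail. The hosted domain, the client addresses, the SPF-style designated address range and both SMTP transcripts are constructed to mirror the session Dirk quoted. It reduces a transcript to its envelope and AUTH state, ignoring commands the server refused (such as the greylisted RCPT TO) and anything inside the message body, and then refuses a hosted-domain sender that is neither authenticated nor connecting from a designated address.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed for this example: the domains the server hosts, and the address range
# that the hosted domain's SPF record would designate as its legitimate senders.
LOCAL_DOMAINS = {"example.com"}
DESIGNATED_SENDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<?([^<>\s]*)>?", re.IGNORECASE)
RCPT_TO_RE = re.compile(r"^RCPT TO:\s*<?([^<>\s]*)>?", re.IGNORECASE)


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)


def parse_session(client_ip: str, transcript: str) -> Session:
    """Reduce a client/server transcript to its envelope and AUTH state.

    A client command counts only if the server's next reply is 2xx/3xx, so a
    greylisted RCPT TO is not recorded; lines between DATA and "." are body.
    """
    s = Session(client_ip=client_ip)
    lines = [ln.strip() for ln in transcript.strip().splitlines() if ln.strip()]
    in_data = False
    for i, line in enumerate(lines):
        if in_data:
            in_data = line != "."
            continue
        reply = lines[i + 1] if i + 1 < len(lines) else ""
        if reply[:1] not in ("2", "3"):
            continue  # refused command, or this line is itself a server reply
        if reply.startswith("235"):  # 235 = SMTP AUTH succeeded
            s.authenticated = True
        if line.upper() == "DATA":
            in_data = True
        elif m := MAIL_FROM_RE.match(line):
            s.mail_from = m.group(1).lower()
        elif m := RCPT_TO_RE.match(line):
            s.rcpt_to.append(m.group(1).lower())
    return s


def sender_domain(addr: Optional[str]) -> Optional[str]:
    return addr.rsplit("@", 1)[1] if addr and "@" in addr else None


def check_sender(s: Session) -> Tuple[str, str]:
    """Reply to give at MAIL FROM: accept a hosted-domain sender only from an
    authenticated session or an SPF-designated address, else refuse before DATA."""
    domain = sender_domain(s.mail_from)
    if domain not in LOCAL_DOMAINS:
        return "250", "sender not at a hosted domain; normal inbound checks apply"
    if s.authenticated:
        return "250", "hosted sender from an authenticated session"
    if any(ipaddress.ip_address(s.client_ip) in n for n in DESIGNATED_SENDER_NETS):
        return "250", "hosted sender from an SPF-designated address"
    return "550 5.7.1", f"<{s.mail_from}>: domain {domain} requires authentication"


# Constructed transcript mirroring the session quoted in the thread: an
# unauthenticated client on port 25 names a hosted address as sender and recipient.
SPOOF_SESSION = """
220 mail.example.com ESMTP Sendmail Ready
EHLO unknown.invalid
250-mail.example.com Hello unknown.invalid [198.51.100.7], pleased to meet you
250 HELP
MAIL FROM:<ceo@example.com>
250 2.1.0 <ceo@example.com>... Sender ok
RCPT TO:<finance@example.com>
451 4.7.1 Greylisting in action, please come back later
RCPT TO:<finance@example.com>
250 2.1.5 <finance@example.com>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
MAIL FROM:<body-text-not-a-command@example.com>
.
250 2.0.0 Message accepted for delivery
"""

# Constructed: the same envelope, but the client authenticated first.
AUTH_SESSION = """
220 mail.example.com ESMTP Sendmail Ready
EHLO laptop.example.com
250 HELP
AUTH PLAIN [base64 credentials omitted]
235 2.7.0 Authentication successful
MAIL FROM:<ceo@example.com>
250 2.1.0 <ceo@example.com>... Sender ok
RCPT TO:<finance@example.com>
250 2.1.5 <finance@example.com>... Recipient ok
"""
```

Running `check_sender(parse_session("198.51.100.7", SPOOF_SESSION))` yields the 550 refusal, while the same transcript from an address inside the designated range, or the authenticated transcript from anywhere, is accepted. The check models policy only; the thread does not say which sendmail settings implement it, so wiring the decision into an MTA (as a milter or a policy daemon) is left outside the example. Note the limit Rickard points out: a client that is already logged in to the box and talks to localhost will normally sit inside whatever range the server trusts, so this check only helps against connections from outside.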