[BlueOnyx:21689] Re: mailserver; possible security issue?

Steffan mailinglist at tikklik.nl
Thu Jan 25 10:03:50 -05 2018


On a non-BlueOnyx server I tested it, and that server also accepted the message.
This server is using Postfix.

The fix for it was to add
mysql:/etc/postfix/mysql-virtual_domains_inverted.cf
in front of
check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
in main.cf.

The code in the file is:
user = xxx
password = xxx
dbname = xxx
hosts = 127.0.0.1
query = SELECT 'REJECT' FROM mail_domain WHERE domain = '%d' AND active = 'y'
require_result_set = no

You only need to be sure that no contact forms on another, separate server are using this server without authorisation.
Or add that server to the mynetworks setting.

Maybe this is possible for BlueOnyx?

Steffan
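As an added illustration (not part of Steffan's post or of BlueOnyx), here is how the ordering he describes fits into a Postfix main.cf. The map file names and the query are his; the `mail_domain` table and its `domain`/`active` columns come from his query; the restriction list around them, the `smtpd_sender_login_maps` file name and the sender-login query are assumptions for this example.

```ini
# /etc/postfix/main.cf  (added example; restriction list is assumed)
#
# A restriction list stops at the first PERMIT or REJECT, so the order is
# the whole point: trusted networks and SASL-authenticated users are let
# through first, then an unauthenticated client that claims one of our own
# hosted domains as MAIL FROM is rejected, and only then is the ordinary
# sender access map consulted.
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    check_sender_access mysql:/etc/postfix/mysql-virtual_domains_inverted.cf,
    check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf

# Optional, stricter than the post: tie each envelope sender to the SASL
# login that owns it, so an authenticated mailbox cannot use a colleague's
# address either. File name and query below are assumptions.
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-sender-login.cf

# /etc/postfix/mysql-virtual_domains_inverted.cf  (from the post, credentials redacted)
user = xxx
password = xxx
dbname = xxx
hosts = 127.0.0.1
# %d is the domain part of the MAIL FROM address. Returning REJECT for a
# hosted, active domain turns the check into "our own domains are not
# accepted as sender from untrusted, unauthenticated clients".
query = SELECT 'REJECT' FROM mail_domain WHERE domain = '%d' AND active = 'y'

# /etc/postfix/mysql-sender-login.cf  (assumed table and columns)
user = xxx
password = xxx
dbname = xxx
hosts = 127.0.0.1
# %s is the full MAIL FROM address; the result is the login allowed to use it.
query = SELECT login FROM mail_user WHERE email = '%s'
```

After `postfix reload`, repeat Dirk's telnet test from a host that is neither in mynetworks nor authenticated: the `MAIL FROM:` of a locally hosted address should now draw a 554 reply (`Sender address rejected: Access denied`) instead of `Sender ok`. Two caveats: the check only covers the SMTP envelope sender, not the `From:` header shown in the mail client, so a message with a foreign envelope sender and a forged header still needs a separate defence; and, as Steffan notes, contact forms or relays on other machines must either authenticate or be listed in mynetworks, otherwise they are rejected too.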

On 25/1/18, 11:07 pm, "Blueonyx on behalf of Dirk Estenfeld" <blueonyx-bounces at mail.blueonyx.it on behalf of dirk.estenfeld at blackpoint.de> wrote:

    Hello,
    
    we have one customer who was victim of a CEO fraud.
    Some of his employees got a message from the email address of the CEO with the order to send xx money to a specific bank account. He did :(
    
    Now we found out that it is possible to send email with sendmail on CentOS/BlueOnyx (also other distributions) from an existing email address to an existing email address.
    
    Example:
    telnet 208.77.xx.xx 25
    Trying 208.77.xx.xx...
    Connected to 208.77.xx.xx
    Escape character is '^]'.
    220 sol ESMTP Sendmail Ready; Thu, 25 Jan 2018 06:37:59 -0500
    EHLO blackpoint.de
    250-sol.xxx Hello ns3.xxx [xx.xx.xx.xx], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH LOGIN PLAIN
    250-STARTTLS
    250-DELIVERBY
    250 HELP
    MAIL FROM:mstxxx@solxxx.net
    250 2.1.0 mstxxx@solxxx.net... Sender ok
    RCPT TO: mstxxx@solxxx.net
    451 4.7.1 Greylisting in action, please come back later
    RCPT TO: mstxxx@solxxx.net
    250 2.1.5 mstxxx@solxxx.net... Recipient ok
    DATA
    354 Enter mail, end with "." on a line by itself
    Some content for example send money to yx
    .
    250 2.0.0 w0PBbxN1026335 Message accepted for delivery
    QUIT
    221 2.0.0 sol.xxx closing connection
    Connection closed by foreign host.
    
    Unfortunately it is not only possible from the same user to the same user. It is also possible from any email address existing at the server to any other email address existing at the server.
    
    Did someone else see something similar?
    In my opinion, in days of CEO fraud, this is a security issue.
    Does someone know how to change settings in sendmail to prevent this behaviour?
    
    Best regards,
    Dirk Estenfeld
    
    
    ---
    
    blackpoint GmbH - Friedberger Straße 106b - 61118 Bad Vilbel
    
    
    _______________________________________________
    Blueonyx mailing list
    Blueonyx at mail.blueonyx.it
    http://mail.blueonyx.it/mailman/listinfo/blueonyx
    



_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
