[BlueOnyx:24253] Security Update: 5207R, 5208R, 5209R, 5210R
Michael Stauber
mstauber at blueonyx.it
Mon Sep 7 23:25:07 -05 2020
Hi all,
The HTML version of this email is available here:
https://www.blueonyx.it/news/272/15/Security-Update-5207R-5208R-5209R-5210R/
A potential security flaw that affects non-standard configurations of
BlueOnyx (all versions) was found today in the module base-email. If the
MTA was Sendmail and the "Delivery Schedule" was NOT set to the default
value of "Immediate" in the GUI (as shown in the attached image), then a
sender of emails was potentially able to bypass SMTP-Auth as well as
certain access restrictions. This might have allowed unauthenticated
relaying of emails through affected BlueOnyx servers.
However, BlueOnyx 5210R ships with Postfix as default MTA (not affected)
and all versions of BlueOnyx have the default "Delivery Schedule" set to
"Immediate" (which is safe). But if you manually had changed the
"Delivery Schedule" to anything else but "Immediate", then BlueOnyx
servers with Sendmail running were affected by this issue. The presence
of the AV-SPAM and an enabled Milter-Greylist had the side effect of
preventing the issue, though.
Permanent mitigation: YUM updates have been released today (2020-09-06)
which fix the problem. These updates remove all "Delivery Schedules" but
the safe "Immediate" from the GUI and revert any affected server back to
a safe Sendmail configuration.
Many thanks to Rodrigo Ordonez from xnet.com.mx for reporting the issue!
--
With best regards
Michael Stauber
-------------- next part --------------
A non-text attachment was scrubbed...
Name: base-emailX.png
Type: image/png
Size: 62522 bytes
Desc: not available
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20200907/5c4d87cb/attachment.png>
More information about the Blueonyx
mailing list