[no subject]
There is just a single site on that box - the primary site: merkava.smd.net
In the GUI interface "Email Server Settings" / "Advanced" no additions or
changes were ever made, with the exception of the activation of "POP
Authenticated Relaying" to disallow unwanted relaying.
Now take a look at /etc/mail/access - which was never edited manually:
------------------------------------------------------------------------------------------------
#
# /etc/mail/access
#
# This file is automatically generated
# Please put custom changes at the end
# Cobalt Networks 1999
# Put custom additions below (Do not change/remove this line).
# Cobalt Access Section Begin
62.138 RELAY
smd.net RELAY
192.168 RELAY
# Cobalt Access Section End
------------------------------------------------------------------------------------------------
Regardless of whether you use "POP Authenticated Relaying" or not, this setting
allows anyone from the subnets 62.138.0.0/16 and 192.168.0.0/16 to relay email
through this box.
Sorry, but THIS is madness.
Isolation of the problem:
===================
1) It appears that the GUI interface of the RaQ550 allows relaying for network
address ranges instead of single IP addresses.
It also appears that the decision as to which network address ranges are used
is based on the netmask you specify in "System Settings" / "TCP/IP".
I checked with a couple of RaQ550s and some allow relaying for the entire
Class C network they belong to. Some allow the entire Class B network to
which they belong. And the craziest case I had is a customer's box which
allows an entire Class A network to relay, as well as all domains of the DE
domain (DE = Germany).
2) Why does the GUI not purge network settings which are no longer in use from
/etc/mail/access? After all, the RaQ's primary IP address is now 192.168.9.1
with the netmask 255.255.0.0. So as soon as the network settings of the RaQ
were changed, the old entry concerning the 62.138 network should have been
removed from /etc/mail/access.
For comparison, let's check a RaQ4:
==============================
Here is an /etc/mail/access from a RaQ4:
------------------------------------------------------------------------------------------------
#
# /etc/mail/access
#
# This file is automatically generated
# Please put custom changes at the end
# Cobalt Networks 1999
smd.net RELAY
www.smd.net RELAY
192.168.10.2 RELAY
192.168.10.3 RELAY
# Put custom additions below (Do not change/remove this line).
------------------------------------------------------------------------------------------------
As you can see, each individual IP address which the virtual sites use is
listed individually and is individually allowed to relay. Combined with
POP-before-SMTP this pretty much locks down Sendmail and stops most forms of
unwanted relaying.
IMPLICATIONS:
=============
If you operate a RaQ550 on a public IP address, then there is a high
potential risk that your server allows more hosts and networks to relay email
through you than desired.
Depending on the netmask you specified, it is possible that entire Class A,
Class B or Class C networks are allowed to relay email through your box,
regardless of whether you are using "POP Authenticated Relaying" or not.
That's the definition of an open relay.
FIX:
====
/usr/sausalito/handlers/base/email/access.pl needs a serious overhaul.
It should no longer allow relaying based on the netmask.
Instead relaying should only be allowed for those individual IP addresses
which were assigned to both the primary site as well as the virtual sites.
Furthermore, upon the change of an IP address of a virtual site or of the
primary IP address, old entries should be purged from /etc/mail/access.
--
With best regards,
Michael Stauber
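As an added example (not part of the post above or of Cobalt's own code), a small audit script that reads an /etc/mail/access file the way sendmail interprets partial dotted quads and flags RELAY entries that cover whole networks rather than single hosts; the two sample file contents are constructed from the listings quoted in the post.

```python
import ipaddress
import re

# Constructed samples modelled on the two /etc/mail/access listings
# quoted above; not copied from any real box.
RAQ550_ACCESS = """\
# Cobalt Access Section Begin
62.138 RELAY
smd.net RELAY
192.168 RELAY
# Cobalt Access Section End
"""

RAQ4_ACCESS = """\
smd.net RELAY
www.smd.net RELAY
192.168.10.2 RELAY
192.168.10.3 RELAY
"""

_DOTTED = re.compile(r"^(\d{1,3})(\.\d{1,3}){0,3}$")


def relay_scope(key):
    """Classify a RELAY key. Sendmail matches a partial dotted quad such as
    "62.138" against every address that starts with those octets, so it is a
    network prefix, not a host. Returns ("ip", network), ("network", network)
    or ("domain", None)."""
    if not _DOTTED.match(key):
        return ("domain", None)
    octets = key.split(".")
    bits = 8 * len(octets)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    net = ipaddress.ip_network(f"{padded}/{bits}", strict=False)
    return ("ip" if bits == 32 else "network", net)


def audit_access(text):
    """Return (key, cidr, host_count) for every RELAY entry broader than a
    single host; an empty list means only hosts and domains may relay."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and the Cobalt section markers
        fields = line.split()
        if len(fields) < 2 or fields[1].upper() != "RELAY":
            continue
        kind, net = relay_scope(fields[0])
        if kind == "network":
            findings.append((fields[0], str(net), net.num_addresses))
    return findings
```

Running `audit_access` over the RaQ550 sample reports both /16 prefixes, while the RaQ4 sample yields no findings because it lists individual addresses only.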