
RE: [cobalt-users] POP before SMTP, Open relay still open



Solution at the bottom.
> 
> I realize that open relays are a common question on the list 
> and I have searched the archives, but I am still lost as to 
> why my testing shows that relay is still open after having 
> installed and turned on the POP before SMTP pkg. Here are the 
> appropriate lines from my maillog:
> 
> Jul  5 17:28:14 xxxx sendmail[18370]: RAA18370: from=<NONE>, 
> size=0, class=0, pri=0, nrcpts=0, proto=SMTP, 
> relay=members.iinet.net.au [203.59.24.150] 
> 
> Jul  5 17:28:15 xxxx sendmail[18371]: RAA18371: 
> ruleset=check_mail, arg1=<spamtest>, 
> relay=members.iinet.net.au [203.59.24.150], reject=553 
> <spamtest>... Domain name required 
> 
> Jul  5 17:28:15 xxxx sendmail[18371]: RAA18371: 
> from=<spamtest>, size=0, class=0, pri=0, nrcpts=0, 
> proto=SMTP, relay=members.iinet.net.au [203.59.24.150] 
> 
> Jul  5 17:28:17 xxxx sendmail[18372]: RAA18372: from=<>, 
> size=704, class=0, pri=30704, nrcpts=1, 
> msgid=<rlytest-994368338-28086@xxxxxxxxxxxxxxxxxx>,
> proto=SMTP, relay=members.iinet.net.au [203.59.24.150]
> 
> Jul  5 17:28:18 xxxx sendmail[18373]: RAA18372: 
> to=xxxx@xxxxxxxx, delay=00:00:02, xdelay=00:00:01, 
> mailer=esmtp, relay=xxxx.xxxx.xxxx.com. [xxx.xxx.xxx.xxx], 
> stat=Sent (2.0.0 f65LSLj27651 Message accepted for
> delivery)
> 
> As you can see one is rejected and the next method is 
> accepted and delivered. Does the window for SMTP stay open 
> for anyone until the timeout is reached? Or is it only open 
> for that IP that the pop login is from?


If I'm correct, this is really quite amusing.  I believe you have
inadvertently used the latest pop-before-smtp vulnerability to allow
the relay you were trying to block.

Your first attempt to relay caused a reject=553 message to be placed in
the log.  The pop-before-smtp code looks for a particular formatted
string in the log and if found, assumes it was from a successful pop
login.  It so happens the formatted string is contained within the 553
message, so once the error is generated, subsequent attempts to email
will be successfully authenticated.

Either yesterday or even earlier today, a hack was posted to close the
vulnerability.  You should find it here:
http://list.cobalt.com/pipermail/cobalt-security/2001-July/002689.html

  
---- 
Dean Hall at Tactix ReEngineering ( dean@xxxxxxxxxx ) 
503 520-9699  http://www.tactix.com
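The failure mode Dean describes, modelled as an added example; this is not the Cobalt pop-before-smtp code, and the thread does not show the actual pattern that code matched, so both the loose pattern (any maillog line ending in a bracketed IP) and the POP daemon's login record format (a qpopper-style "Stats:" line, named popper here) are assumptions. The sendmail lines are constructed from the shape of the excerpt quoted above. The example also models the per-IP expiring grant table such schemes keep, with an assumed 30-minute timeout:

```python
import re
from datetime import datetime, timedelta

# Constructed sample maillog. The two sendmail lines follow the shape of the
# excerpt quoted in the thread; the popper line is an ASSUMED qpopper-style
# "Stats:" record standing in for a real successful POP login (the page shows
# none). Note that 203.59.24.150 never logged in via POP at all.
SAMPLE_LOG = """\
Jul  5 17:28:15 xxxx sendmail[18371]: RAA18371: ruleset=check_mail, arg1=<spamtest>, relay=members.iinet.net.au [203.59.24.150], reject=553 <spamtest>... Domain name required
Jul  5 17:28:17 xxxx sendmail[18372]: RAA18372: from=<>, size=704, class=0, pri=30704, nrcpts=1, proto=SMTP, relay=members.iinet.net.au [203.59.24.150]
Jul  5 17:29:01 xxxx popper[18400]: Stats: alice 2 3400 0 0 dialup.example.net [192.0.2.77]
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
SYSLOG_TS = r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"

# Loose pattern (ASSUMED, for illustration): any line from any daemon that
# carries "host [a.b.c.d]". Every sendmail relay= line matches it, including
# the 553 reject, so a rejected client gets a relay grant.
LOOSE_RE = re.compile(SYSLOG_TS + r" \S+ .*\[" + IPV4 + r"\]")

# Tightened pattern: the line must be the POP daemon's own login-accounting
# record (ASSUMED "popper ... Stats:" format). No sendmail line can match,
# whatever text a remote client manages to get logged.
STRICT_RE = re.compile(
    SYSLOG_TS + r" \S+ popper\[\d+\]: Stats: (\S+) \d+ \d+ \d+ \d+ \S+ \[" + IPV4 + r"\]$"
)


def parse_ts(text):
    # syslog omits the year; strptime fills in 1900, which is fine for
    # comparing timestamps within one log.
    return datetime.strptime(text, "%b %d %H:%M:%S")


class RelayWindow:
    """Per-IP relay grants that expire, as pop-before-smtp schemes do."""

    def __init__(self, ttl_minutes=30):  # ASSUMED timeout; real value is site-specific
        self.ttl = timedelta(minutes=ttl_minutes)
        self.expires = {}

    def grant(self, ip, at):
        self.expires[ip] = at + self.ttl

    def may_relay(self, ip, at):
        # Only the granted IP may relay, and only until its own grant expires;
        # a grant is never "open for anyone".
        return ip in self.expires and at < self.expires[ip]


def build_window(log, pattern, ttl_minutes=30):
    """Replay a log through a matcher, granting relay to the IP it extracts."""
    window = RelayWindow(ttl_minutes)
    for line in log.splitlines():
        m = pattern.match(line)
        if m:
            # In both patterns the IP is the last capture group.
            window.grant(m.groups()[-1], parse_ts(m.group(1)))
    return window


def loose_grants(log):
    return sorted(build_window(log, LOOSE_RE).expires)


def strict_grants(log):
    return sorted(build_window(log, STRICT_RE).expires)


if __name__ == "__main__":
    print("loose matcher grants: ", loose_grants(SAMPLE_LOG))
    print("strict matcher grants:", strict_grants(SAMPLE_LOG))
```

Run against the sample, the loose matcher opens the relay for the spam-test client after its own 553 reject, while the strict matcher grants only the IP that actually completed a POP login. The point for a practitioner is that a log-tailing authorizer is parsing attacker-influenced text: anchor on the producing daemon and the full record format, not on a substring that another service may also log.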