Gentoo Forums

[Solved] [Postfix] SASL authentication with bogus username

Gentoo Forums Forum Index Networking & Security
mariourk (l33t)
Joined: 11 Jul 2003
Posts: 807
Location: Urk, Netherlands

Posted: Wed Apr 02, 2014 12:22 pm    Post subject: [Solved] [Postfix] SASL authentication with bogus username

Today I received an abuse notice from my ISP. Apparently, spam was sent from my IP address. I asked for some extra info and started digging through the logfiles. And to my astonishment, someone was connecting to my mailserver, authenticating with a bogus username against SASL and sending emails through my server.

How is this even possible?

Here is a snippet from the logs

Code:

Apr  1 10:39:23 mail postfix/smtpd[29028]: warning: hostname static-198-124.softronics.ch does not resolve to address 94.242.198.124: Name or service not known
Apr  1 10:39:23 mail postfix/smtpd[29028]: connect from unknown[94.242.198.124]
Apr  1 10:39:23 mail postfix/smtpd[29028]: 709CC41E259: client=unknown[94.242.198.124], sasl_method=LOGIN, sasl_username=fax@mydomain.com
Apr  1 10:39:23 mail postfix/cleanup[29170]: 709CC41E259: message-id=<eb03a1f320b5a7b250080622b32f3901@mydomain.com>
Apr  1 10:39:24 mail postfix/qmgr[29581]: 709CC41E259: from=<fax@mydomain.com>, size=5040, nrcpt=1 (queue active)
Apr  1 10:39:24 mail postfix/smtpd[29028]: disconnect from unknown[94.242.198.124]
Apr  1 10:39:25 mail postfix/smtpd[29055]: connect from mail.mydomain.com[127.0.0.1]
Apr  1 10:39:25 mail postfix/smtpd[29055]: 6CBE141E599: client=mail.mydomain.com[127.0.0.1]
Apr  1 10:39:25 mail postfix/cleanup[28957]: 6CBE141E599: message-id=<eb03a1f320b5a7b250080622b32f3901@mydomain.com>
Apr  1 10:39:25 mail postfix/smtpd[29055]: disconnect from mail.mydomain.com[127.0.0.1]
Apr  1 10:39:25 mail postfix/qmgr[29581]: 6CBE141E599: from=<fax@mydomain.com>, size=5509, nrcpt=1 (queue active)
Apr  1 10:39:25 mail postfix/smtp[28574]: 709CC41E259: to=<mrincodex2003@yahoo.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=0.8/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6CBE141E599)
Apr  1 10:39:25 mail postfix/qmgr[29581]: 709CC41E259: removed
Apr  1 10:39:26 mail postfix/smtp[28710]: 6CBE141E599: to=<mrincodex2003@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=0.92, delays=0.2/0/0.1/0.63, dsn=2.0.0, status=sent (250 ok dirdel)
Apr  1 10:39:26 mail postfix/qmgr[29581]: 6CBE141E599: removed


* We do not use the full email-address to authenticate, only the username.
* The user fax, or the email-address fax@mydomain.com, doesn't even exist.
* How could someone authenticate himself as fax@mydomain.com, succeed at this and start sending emails?
_________________
If there is one thing to learn from history, it's that we usually don't learn anything from it, at all.


Last edited by mariourk on Wed Apr 02, 2014 12:53 pm; edited 1 time in total
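The log snippet above contains the two signals a defender would want to pick up automatically: a SASL-authenticated submission (`sasl_username=` on the `client=` line) coming from a host that failed reverse DNS (`unknown[...]`), using an account that is not expected to submit mail. The following script is an added example written for this thread, not code from the original post or from the Postfix project. It parses the thread's own log lines (plus one constructed line marked as such, showing a legitimate submission) and reports authenticated sessions that fall outside a constructed allowlist of submitting accounts or come from a client without valid reverse DNS. The account names in `allowed_submitters` and the hostname/IP in the constructed line are assumptions.

```python
import re
from collections import Counter

# Log lines quoted from the thread, plus one constructed line (marked) showing
# a legitimate authenticated submission from a host whose reverse DNS resolves.
SAMPLE_LOG = [
    "Apr  1 10:39:23 mail postfix/smtpd[29028]: warning: hostname static-198-124.softronics.ch does not resolve to address 94.242.198.124: Name or service not known",
    "Apr  1 10:39:23 mail postfix/smtpd[29028]: connect from unknown[94.242.198.124]",
    "Apr  1 10:39:23 mail postfix/smtpd[29028]: 709CC41E259: client=unknown[94.242.198.124], sasl_method=LOGIN, sasl_username=fax@mydomain.com",
    "Apr  1 10:39:25 mail postfix/smtpd[29055]: 6CBE141E599: client=mail.mydomain.com[127.0.0.1]",
    # Constructed line, not from the thread: a known user on a resolving host.
    "Apr  1 11:02:10 mail postfix/smtpd[29100]: 1234567890A: client=laptop.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=mario",
]

# Matches the postfix/smtpd "client=" line that opens a queued message.
# The sasl_method/sasl_username part is only present for authenticated sessions.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?"
)


def parse_sasl_sessions(lines):
    """Return one dict per SASL-authenticated smtpd session found in lines."""
    sessions = []
    for line in lines:
        m = SASL_RE.search(line)
        if not m or not m.group("user"):
            continue  # not a client= line, or not authenticated
        sessions.append({
            "qid": m.group("qid"),
            "host": m.group("host"),   # "unknown" when reverse DNS failed
            "ip": m.group("ip"),
            "method": m.group("method"),
            "user": m.group("user"),
        })
    return sessions


def audit_sessions(sessions, allowed_submitters):
    """Flag authenticated sessions that look like credential abuse.

    allowed_submitters: local parts (before any '@') of accounts that are
    expected to submit mail through this server (constructed allowlist).
    """
    alerts = []
    for s in sessions:
        reasons = []
        local_part = s["user"].split("@", 1)[0]
        if local_part not in allowed_submitters:
            reasons.append("sasl_username is not an expected submitting account")
        if s["host"] == "unknown":
            reasons.append("client address has no valid reverse DNS")
        if reasons:
            alerts.append({**s, "reasons": reasons})
    return alerts


def sessions_per_user(sessions):
    """Count authenticated sessions per sasl_username (volume spikes stand out)."""
    return Counter(s["user"] for s in sessions)


if __name__ == "__main__":
    found = parse_sasl_sessions(SAMPLE_LOG)
    for a in audit_sessions(found, allowed_submitters={"mario", "info"}):
        print(f"{a['qid']} user={a['user']} from {a['host']}[{a['ip']}] "
              f"method={a['method']}: " + "; ".join(a["reasons"]))
    print(sessions_per_user(found))
```

Run against a real `mail.log`, the same two checks would have surfaced the `fax` account the moment it was used from an unknown host; the per-user counter is what shows the difference between one forgotten login and a spam run of thousands of messages.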
mariourk (l33t)

Posted: Wed Apr 02, 2014 12:53 pm

I figured it out, I hope. This thread explained what was going on. After checking again, it turned out the user fax did in fact exist. Somehow I missed that. I think the account didn't have a password, thus allowing easy access. Since I didn't use it anymore, I deleted it.

Anyway, a lesson learned. In a few weeks we get a new mailserver. I already decided I was going to use virtual users this time. This experience only confirmed that is probably the best way to deal with email-accounts.
_________________
If there is one thing to learn from history, it's that we usually don't learn anything from it, at all.
eccerr0r (Watchman)
Joined: 01 Jul 2004
Posts: 9884
Location: almost Mile High in the USA

Posted: Thu Apr 03, 2014 12:11 am

I fear this greatly... Glad you got this worked out.

Linux is not necessarily secure by default, simple mistakes can wreak havoc.

Personally I finally got mail forwarding working, it was very annoying and still not exactly the way I want it to work but think it's acceptable and hacks everywhere. I'm using sendmail. For default SMTP connections to or from my local network will get forwarded. But if the user connects via SSL and authenticates by SASL then you can relay, which is very similar. I still worry about holes, the only way I can tell if a hole was made is monitoring the logfiles... Ugh.

I suspect most people use different servers for relaying and mail reception, but I was short on IP addresses.

Just feels a little safer when I see a lot of "Relaying Denied" in my logfiles.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?