re: Mail Server problem / query

From: Mel Drews (flyingdervish@hotmail.com)
Date: Thu Apr 14 2005 - 14:03:10 EDT


When I discovered a client who had a server allowing this kind of forwarding
I flagged it as a vulnerability. Our staff CISSP said not to worry about
it, that most mail servers do this. I tested our own (Postfix) and found
that it was doing the same. Found a way in postfix to change this. It does
require having 2 mail servers. One is your filtering system that performs
virus and spam checks; the other is your internal system. This is best
practice anyway. Every network should either have 2 mail servers or a
hosted mail service. We'll call the external facing system that does the
scanning the "relay server". Make a change to postfix's main.cf file
specifying a check_sender_access table. The table you create will list all
of your internal users' legitimate email addresses. Hash tables are fairly
easy to deal with but may not be suitable for larger networks. There are a
variety of different kinds and I am not an expert on this topic. But at
least this may point you in a direction to investigate. One solution I have
seen involved pulling a list of internal email addresses from the internal
mail server via ldap query and parsing the list into a hash table with a
perl script. With this configuration, the internal mail server will still
accept mail from internal users, but the relay server will only accept mail
from external users.

For more info, see the section re: check_sender_access in the postfix
configuration documentation at postfix.org
http://www.postfix.org/postconf.5.html

Further information: With MS Exchange, there does not appear to be any way
to shut off this behavior. With Exchange 2003 and Outlook 2003 combination,
there's at least a half-assed effort to alert users to the problem. With
older versions, Exchange automatically resolves the purported sender address
to the internal Global Address List user display name if the purported
sender is internal. With the new combination, if the message was sent from
an external IP, the name will not be resolved. So the user sees the mail
from: address as the raw smtp address instead. Of course, how many users
will pick up on that?

Hope this helps

m_davison@talk21.com wrote:
---------------------------------------------------------
Hi all, I hope you can help with this. I have been
testing a server for open-relay and found that I could
connect from an external machine and send mails using
a MAIL FROM (the local domain) and a RCPT TO (the
local domain) - now this may seem fine as internal
users will need to send mail to other internal users
but my query is whether there are mail servers which
can be configured to recognise that the connection was
an external address and therefore that the MAIL FROM
address was invalid. e.g. I can send a mail from the CEO
of the company to his own secretary asking her to copy
his hotmail address on all future mails and to the
secretary, this mail seems perfectly valid yet me
(prospective attacker) outside the company may now
receive loads of sensitive mails (assuming the
secretary is the type who doesn't like to query things
and ask questions) - thanks in advance.
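A worked example of the relay-side configuration Mel describes (added here; it is not code from the original message or from the Postfix project). It assumes the relay's map lives at /etc/postfix/internal_senders and that the internal domain is example.com; the address list is constructed sample data standing in for the LDAP export. The Python helper writes the access table and mimics the lookup order check_sender_access uses for a full address, so the effect of the table can be checked before it is built with postmap.

```python
"""Generate a Postfix check_sender_access table that makes the external
relay reject MAIL FROM addresses belonging to internal users.

main.cf fragment this table is meant for (paths are assumptions):

    smtpd_sender_restrictions =
        permit_mynetworks,
        check_sender_access hash:/etc/postfix/internal_senders,
        permit

permit_mynetworks comes first so the internal mail server (listed in
mynetworks) can still hand outbound mail to the relay.
After writing the table, run:  postmap hash:/etc/postfix/internal_senders
"""
from typing import Dict, Iterable

# Constructed sample list; in practice this comes from the internal
# directory (the original message mentions an LDAP query).
INTERNAL_ADDRESSES = [
    "ceo@example.com",
    "secretary@example.com",
    "helpdesk@example.com",
]

# access(5) action: REJECT followed by optional text returned to the client.
REJECT_ACTION = "REJECT Internal sender address not accepted from outside"


def build_sender_access_table(addresses: Iterable[str]) -> str:
    """Return the text of a Postfix access(5) table, one 'key action' per line.

    Keys are lower-cased because Postfix folds lookup keys to lower case;
    duplicates and blank entries are dropped.
    """
    keys = sorted({a.strip().lower() for a in addresses if a.strip()})
    return "".join(f"{key}\t{REJECT_ACTION}\n" for key in keys)


def parse_access_table(text: str) -> Dict[str, str]:
    """Parse an access(5) table back into a dict of key -> action."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action
    return table


def lookup_sender(sender: str, table: Dict[str, str]) -> str:
    """Approximate the check_sender_access lookup order for a full address:
    the whole address, then the domain and its parent domains (the default
    parent_domain_matches_subdomains behaviour), then 'localpart@'.
    Returns the matching action, or 'DUNNO' when nothing matches.
    """
    sender = sender.strip().lower()
    if sender in table:
        return table[sender]
    localpart, sep, domain = sender.rpartition("@")
    if sep:
        labels = domain.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in table:
                return table[candidate]
        if localpart + "@" in table:
            return table[localpart + "@"]
    return "DUNNO"


def relay_accepts(sender: str, table: Dict[str, str]) -> bool:
    """True when the relay would let the MAIL FROM through (no REJECT hit)."""
    return not lookup_sender(sender, table).startswith("REJECT")


if __name__ == "__main__":
    text = build_sender_access_table(INTERNAL_ADDRESSES)
    print(text, end="")
    # Assumed deployment path; write with: open("/etc/postfix/internal_senders", "w")
    table = parse_access_table(text)
    for probe in ("CEO@example.com", "partner@othercorp.example"):
        print(probe, "->", lookup_sender(probe, table))
```

Because the table lists only full addresses, a spoofed sender that is not a real user (e.g. a made-up local part at the internal domain) still passes; adding a bare `example.com` entry rejects the whole domain at the relay, which is stricter and needs no directory export but must be combined with permit_mynetworks so outbound mail from the internal server is unaffected.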




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:19 EDT