Re: "mail forwarding loop" exploit?

From: Victor Duchovni (Victor.DuchovniMorganStanley.com)
Date: Tue Oct 05 2004 - 11:45:09 CDT


On Tue, Oct 05, 2004 at 10:26:04AM -0400, Rob Foehl wrote:

> On Tue, 5 Oct 2004, Pierre Fortin wrote:
>
> >Oct 4 18:08:25 bones postfix/local[27027]: BDC00C553:
> >to=<pfortinpfortin.com>, relay=local, delay=5, status=bounced (mail
> >forwarding loop for pfortinpfortin.com)
> [...]
> >Is this an indication of a possible exploit..?
>
> No, it's an indication of a forwarding loop. Provide postconf -n and
> details on where you expect the above address to be delivered (aliases,
> etc).
>

Not necessarily. The "Delivered-To:" header can be forged. Whether
protecting against this "attack" warrants new code is not quite clear yet.

The attacker could for example push the mailbox over quota, and then send
a flood of mail that will bounce. Postfix would then need an over quota
cache that rate limits over-quota bounces to 1 per TTL (with rejects
between TTL expiration). This would (hypothetically) work with local(8)
but cannot solve over-quota problems with 3rd party MDAs, because there
is no standard (sysexits.h) error code for mailbox over quota.

So if someone is hell-bent on getting your system to generate a bounce,
they can probably find a way to do it... If this becomes a major problem,
defending against it requires more than just "fixing" Delivered-To.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
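
A sketch of the over-quota cache described above, added here as an illustration and not part of the original post or of Postfix: one bounce per recipient per TTL, with rejects until the entry expires. The class and function names, the 60-second TTL and the sample events are constructed, and the code assumes the delivery agent can tell that a mailbox is over quota.

```python
import time


class OverQuotaCache:
    """Allow at most one over-quota bounce per recipient per TTL window."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._last_bounce = {}  # recipient -> time the last bounce was allowed

    def _purge(self, now):
        # Drop expired entries so a flood across many recipients cannot
        # grow the cache without bound.
        expired = [r for r, t in self._last_bounce.items() if now - t >= self.ttl]
        for r in expired:
            del self._last_bounce[r]

    def decide(self, recipient, over_quota, now=None):
        """Return 'deliver', 'bounce' or 'reject' for one delivery attempt."""
        now = time.monotonic() if now is None else now
        if not over_quota:
            return "deliver"
        self._purge(now)
        key = recipient.lower()  # assumption: mailbox names compare case-insensitively
        if key in self._last_bounce:
            return "reject"  # inside the TTL: refuse, generate no new bounce
        self._last_bounce[key] = now
        return "bounce"  # first over-quota attempt in this window


# Constructed sample events: (seconds, recipient, mailbox_over_quota)
SAMPLE_EVENTS = [
    (0, "user@example.com", True),
    (1, "user@example.com", True),
    (30, "USER@example.com", True),
    (59, "user@example.com", True),
    (60, "user@example.com", True),
    (61, "user@example.com", True),
    (61, "other@example.com", True),
    (62, "user@example.com", False),
]


def simulate(events, ttl_seconds):
    """Run the events through a fresh cache and return the decisions in order."""
    cache = OverQuotaCache(ttl_seconds)
    return [cache.decide(rcpt, full, now=t) for t, rcpt, full in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS, 60)):
        print(event, "->", decision)
```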
