Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[Solved] [Postfix] SASL authentication with bogus username
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
mariourk
l33t
l33t


Joined: 11 Jul 2003
Posts: 807
Location: Urk, Netherlands

PostPosted: Wed Apr 02, 2014 12:22 pm    Post subject: [Solved] [Postfix] SASL authentication with bogus username Reply with quote

Today I recieved an abuse notice from my ISP. Apparently, spam was send from my IP-address. I asked for some extra info and started digging through the logfiles. And to my astonishment, someone was connection to my mailserver, authenticating with a bogus username agains SASL and sending emails through my server.

How is this even possible?

Here is a snippet from the logs

Code:

Apr  1 10:39:23 mail postfix/smtpd[29028]: warning: hostname static-198-124.softronics.ch does not resolve to address 94.242.198.124: Name or service not known
Apr  1 10:39:23 mail postfix/smtpd[29028]: connect from unknown[94.242.198.124]
Apr  1 10:39:23 mail postfix/smtpd[29028]: 709CC41E259: client=unknown[94.242.198.124], sasl_method=LOGIN, sasl_username=fax@mydomain.com
Apr  1 10:39:23 mail postfix/cleanup[29170]: 709CC41E259: message-id=<eb03a1f320b5a7b250080622b32f3901@mydomain.com>
Apr  1 10:39:24 mail postfix/qmgr[29581]: 709CC41E259: from=<fax@mydomain.com>, size=5040, nrcpt=1 (queue active)
Apr  1 10:39:24 mail postfix/smtpd[29028]: disconnect from unknown[94.242.198.124]
Apr  1 10:39:25 mail postfix/smtpd[29055]: connect from mail.mydomain.com[127.0.0.1]
Apr  1 10:39:25 mail postfix/smtpd[29055]: 6CBE141E599: client=mail.mydomain.com[127.0.0.1]
Apr  1 10:39:25 mail postfix/cleanup[28957]: 6CBE141E599: message-id=<eb03a1f320b5a7b250080622b32f3901@mydomain.com>
Apr  1 10:39:25 mail postfix/smtpd[29055]: disconnect from mail.mydomain.com[127.0.0.1]
Apr  1 10:39:25 mail postfix/qmgr[29581]: 6CBE141E599: from=<fax@mydomain.com>, size=5509, nrcpt=1 (queue active)
Apr  1 10:39:25 mail postfix/smtp[28574]: 709CC41E259: to=<mrincodex2003@yahoo.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=0.8/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6CBE141E599)
Apr  1 10:39:25 mail postfix/qmgr[29581]: 709CC41E259: removed
Apr  1 10:39:26 mail postfix/smtp[28710]: 6CBE141E599: to=<mrincodex2003@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=0.92, delays=0.2/0/0.1/0.63, dsn=2.0.0, status=sent (250 ok dirdel)
Apr  1 10:39:26 mail postfix/qmgr[29581]: 6CBE141E599: removed


* We do not use the full email-address to authenticate, only the username.
* The user fax, or the email-address fax@mydomain.com, doesn't even exist.
* How could someone authenticate himself as fax@mydomain.com, succeed at this and start sending emails?
_________________
If there is one thing to learn from history, it's that we usualy don't learn anything from it, at all.


Last edited by mariourk on Wed Apr 02, 2014 12:53 pm; edited 1 time in total
Back to top
View user's profile Send private message
mariourk
l33t
l33t


Joined: 11 Jul 2003
Posts: 807
Location: Urk, Netherlands

PostPosted: Wed Apr 02, 2014 12:53 pm    Post subject: Reply with quote

I figured it out, I hope. this thread explained what was going on. After checking again, it turned out the user fax did in fact exist. Somehow I missed that. I think the account didn't have a password, thus allowing easy acces. Since I didn't use it anymore, I deleted it.

Anyway, a lesson learned. In a few weeks we get a new mailserver. I already decided I was going to use virtual users this time. This experience only confirmed that is probably the best way to deal with email-accounts.
_________________
If there is one thing to learn from history, it's that we usualy don't learn anything from it, at all.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7256
Location: almost Mile High in the USA

PostPosted: Thu Apr 03, 2014 12:11 am    Post subject: Reply with quote

I fear this greatly... Glad you got this worked out.

Linux is not necessarily secure by default, simple mistakes can wreak havoc.

Personally I finally got mail forwarding working, it was very annoying an still not exactly the way I want it to work but think it's acceptable and hacks everywhere. I'm using sendmail. For default SMTP connections to or from my local network will get forwarded. But if the user connects via SSL and authenticates by SASL then you can relay, which is very similar. I still worry about holes, the only way I can tell if a hole was made is monitoring the logfiles... Ugh.

I suspect most people use different servers for relaying and mail reception, but I was short on IP addresses.

Just feels a little safer when I see a lot of "Relaying Denied" in my logfiles.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum