Date: Tue, 6 May 2014 21:57:30 -0400 (EDT)
Subject: Re: Postfix bounces arbitrary content


> take 5,000 randomly selected articles from my local news spool, and
> cause to bounce all of them from to
> This will likely cause to block incoming mail from,
> or from all of

It seems more likely that the default configuration would produce
bounce messages with a header From: address starting with
"MAILER-DAEMON@" and an empty envelope-sender address. In that case,
blocking mail from wouldn't accomplish anything. But it's
conceivable that the administrator would start blocking the IP
address of the SMTP server.

That's a detail that doesn't have much effect on the CVE inclusion

Originating a new message to report non-delivery is valid according to
RFC 2821 section 6.1. It's not really the case that there's inherently
an integrity impact.

There could be a Postfix developer announcement that, according to
their security policy, this is unintended behavior with an integrity
impact. A CVE assignment would be possible in that case.

(To summarize: just because the RFC 2821 section 6.1 behavior is
allowed doesn't mean that it's a good idea. An SMTP server should
minimize the situations in which outsiders can trigger an arbitrary
volume of outbound SMTP traffic to arbitrary destination IP addresses.
Non-deliverability should be detected within the original SMTP dialog,
and this case of the Delivered-To: header doesn't seem impossible to
detect. However, there might be some type of architectural motivation
for not checking the Delivered-To: header within the original SMTP
dialog. Even if it was originally intentional, the developer might
accept a feature request to change it.)

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
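The summary above contrasts two places where a forwarding loop can be caught: inside the original SMTP dialog, where the submitting client simply gets a 5xx and nothing new is sent, or after the message has been queued, where the only way left to report the failure is to originate a non-delivery report to the envelope sender, an address the outsider chose. The block below is an added example, not code from the message above and not Postfix's own code. It assumes the mechanism documented for Postfix local(8), where a Delivered-To: header equal to the current recipient is treated as a mail forwarding loop, and it models the end-of-DATA check the message asks for. The function and variable names, the constructed sample message and all addresses in it are illustrative assumptions, not a Postfix API.

```python
"""In-dialog detection of a Delivered-To: forwarding loop (added example).

Models the contrast drawn in the message above: an MTA that accepts the
message and only discovers the loop at local delivery time has to originate
a non-delivery report to the envelope sender, while the same check run at
end-of-DATA refuses the message inside the SMTP dialog and originates
nothing.  Assumed mechanism: a Delivered-To: header equal to an envelope
recipient is a forwarding loop (as Postfix local(8) treats it).  Names here
are illustrative, not a Postfix API.
"""
from email import policy
from email.parser import BytesParser


def canon(addr: str) -> str:
    """Normalise an address for comparison: strip angle brackets and
    whitespace, lower-case the domain.  Lower-casing the local part too is an
    assumption, and a conservative one: it can only cause more rejects."""
    addr = addr.strip().strip("<>")
    local, _, domain = addr.rpartition("@")
    return f"{local.lower()}@{domain.lower()}"


def loop_check(envelope_rcpts, raw_message: bytes):
    """Return None to accept, or an SMTP reply (code, enhanced code, text) when
    the message already carries a Delivered-To: header naming one of its own
    envelope recipients.  Meant to run at end-of-DATA, before the 250 that
    accepts responsibility for the message.  5.4.6 is the RFC 3463 enhanced
    status for a routing loop."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    rcpts = {canon(r) for r in envelope_rcpts}
    for value in msg.get_all("Delivered-To", []):
        hit = canon(str(value))
        if hit in rcpts:
            return (550, "5.4.6", f"mail forwarding loop for {hit}")
    return None


def outcome(envelope_sender: str, envelope_rcpts, raw_message: bytes,
            check_in_dialog: bool):
    """Where does the failure report end up?
    - check_in_dialog=True: the client gets the 5xx; no new message is created.
    - check_in_dialog=False (accept, then find the loop at delivery time): an
      NDR is originated to the envelope sender (MAIL FROM), which the submitter
      chose; a null sender (<>) gets no NDR because bounces are never bounced."""
    reply = loop_check(envelope_rcpts, raw_message)
    if reply is None:
        return ("delivered", None)
    if check_in_dialog:
        return ("rejected-in-dialog", reply)
    if envelope_sender.strip() in ("", "<>"):
        return ("dropped", None)
    return ("bounce-to", canon(envelope_sender))


# Constructed sample (not a real capture): a message submitted from outside
# that already carries a Delivered-To: header for its own recipient.
SAMPLE = (
    b"Delivered-To: victim@mail.example\r\n"
    b"From: anyone@evil.example\r\n"
    b"To: victim@mail.example\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"body that would travel inside the non-delivery report\r\n"
)

if __name__ == "__main__":
    for in_dialog in (False, True):
        print(in_dialog, outcome("<target@third-party.example>",
                                 ["victim@mail.example"], SAMPLE, in_dialog))
```

Postfix's own header_checks can express a static version of this (a regexp rule on Delivered-To: with a REJECT action is applied by cleanup(8) before the message is queued, so the client sees the reject at end-of-DATA), but header_checks cannot compare the header against the envelope recipient of the current message; the dynamic comparison above is what a milter or policy-style check would have to do.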