Date: Thu, 23 Apr 2020 12:46:10 -0400 (EDT)
From: Wietse Venema <wietse@...cupine.org>
To: Solar Designer <solar@...nwall.com>
CC: oss-security@...ts.openwall.com, 
 PromiseLabs Pentest Research <pentest@...miselabs.net>, 
 Wietse Venema <wietse@...cupine.org>
Subject: Re: spoofing of local email sender via a homoglyph attack

Solar Designer:
> On Thu, Apr 23, 2020 at 05:32:15PM +0300, PromiseLabs Pentest Research wrote:
> > To follow up on your questions:
> 
> Thanks!  Now this is specific.
> 
> > The current configuration actually blocks any non-authorized requests as 
> > explained in the description. The use-case of this (from my perspective) 
> > is that it could be used to advance a social-engineer attack into 
> > tricking the recipients believing that they are getting an email from a 
> > high-level position at the company.
> > 
> > It's related to the from header.
> > 
> > Issuing a regular unauthenticated request, trying to send an email from 
> > john.doe, which is a high-level user at the company:
> > $ nc -v *** OMITTED *** 25
> > Connection to *** OMITTED *** 25 port [tcp/smtp] succeeded!
> > 220 *** OMITTED *** ESMTP Postfix
> > mail from: john.doe@...ver.com
> > 250 2.1.0 Ok
> > rcpt to: existing.user@...ver.com
> > 553 5.7.1 <john.doe@...ver.com>: Sender address rejected: not logged in
> > 
> > As you can see, the mail server rejects the request as the existing user 
> > hasn't authenticated himself.

There is only one place in Postfix that says "Sender address
rejected: not logged in". See code at end; it has not changed
in a decade.

Your Postfix SMTP server has been configured to require that an
SMTP client can send mail with envelope sender john.doe@...ver.com
ONLY if the client is logged in as the 'owner' of that address.

/etc/postfix/main.cf:
    smtpd_sender_login_maps = hash:/etc/postfix/sender_login

/etc/postfix/sender_login:
    # sender address    authorized logins
    john.doe@...ver.com sasluser1, sasluser2, ...

Sending email with a different envelope sender address, not in the
above table, would not be blocked by the smtpd_sender_login_maps
feature (but might still be blocked for other reasons).

So your concern has nothing to do with whether the address
john.doe@...ver.com is a valid email address. Instead you're
probing the smtpd_sender_login_maps table.

Additionally, Postfix will reply with 5.1.1 User unknown if a local
recipient address is known to not exist. This is because the
alternative would be to accept all such email and silently discard
it, which violates RFCs, violates legislation in some countries
where rejecting email is allowed but accept+discard is not, and
which would saturate everyone's network with a continuous flood of
bogus email.

	Wietse

static int reject_unauth_sender_login_mismatch(SMTPD_STATE *state, const char *sender)
{
    const RESOLVE_REPLY *reply;

    /*
     * Reject if the client is not logged in and the sender address has an
     * owner.
     */
    if (smtpd_sender_login_maps && !state->sasl_username) {
        reply = smtpd_resolve_addr(state->recipient, sender);
        if (reply->flags & RESOLVE_FLAG_FAIL)
            reject_dict_retry(state, sender);
        if (check_mail_addr_find(state, sender, smtpd_sender_login_maps,
                                 STR(reply->recipient), (char **) 0) != 0)
            return (smtpd_check_reject(state, MAIL_ERROR_POLICY, 553, "5.7.1",
                   "<%s>: Sender address rejected: not logged in", sender));
    }
    return (SMTPD_CHECK_DUNNO);
}
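To make the decision path of the C function above concrete, here is an added Python model (not Postfix code) of the reject_unauth_sender_login_mismatch check, run over constructed SMTP transactions against the sender_login table shown earlier in the message. The obfuscated domain is replaced with the placeholder example.com, and the table lookup is simplified to an exact-address match followed by an "@domain" entry; Postfix's real mail_addr_find(3) tries further forms.

```python
"""Model of Postfix's reject_unauth_sender_login_mismatch decision.

Added illustration, not Postfix source. Lookup is simplified: exact sender
address first, then an "@domain" wildcard entry (the real mail_addr_find(3)
also tries address extensions and the bare user part).
"""
from typing import Dict, Optional, Set

# Constructed copy of the /etc/postfix/sender_login table from the message,
# with the placeholder domain example.com:
#   sender address          authorized logins
SENDER_LOGIN_MAPS: Dict[str, Set[str]] = {
    "john.doe@example.com": {"sasluser1", "sasluser2"},
}

DUNNO = "DUNNO"   # this restriction has no opinion; later restrictions decide


def lookup_owner(sender: str, maps: Dict[str, Set[str]]) -> Optional[Set[str]]:
    """Return the authorized-login set for `sender`, or None if it is unlisted."""
    sender = sender.lower()                 # case-folded for simplicity
    if sender in maps:
        return maps[sender]
    domain = sender.rsplit("@", 1)[-1]
    return maps.get("@" + domain)           # wildcard entry for a whole domain


def reject_unauth_sender_login_mismatch(sasl_username: Optional[str], sender: str,
                                        maps: Dict[str, Set[str]] = SENDER_LOGIN_MAPS) -> str:
    """Mirror the C logic: reject only when the map is configured, the client is
    NOT logged in, and the envelope sender has an owner in the map."""
    if maps and sasl_username is None and lookup_owner(sender, maps) is not None:
        return f"553 5.7.1 <{sender}>: Sender address rejected: not logged in"
    return DUNNO


def probe(sasl_username: Optional[str], senders, maps=SENDER_LOGIN_MAPS) -> Dict[str, str]:
    """Outcome per envelope sender: the split between 553 and DUNNO is exactly
    what an unauthenticated MAIL FROM probe learns about the table."""
    return {s: reject_unauth_sender_login_mismatch(sasl_username, s, maps) for s in senders}


if __name__ == "__main__":
    # Constructed transactions: an unauthenticated client tries several senders.
    unauth = probe(None, ["john.doe@example.com", "jane.roe@example.com", "ceo@other.example"])
    for sender, outcome in unauth.items():
        print(f"unauth     MAIL FROM:<{sender}> -> {outcome}")
    # Same sender after SASL login: this restriction no longer applies.
    print("sasluser1  MAIL FROM:<john.doe@example.com> ->",
          reject_unauth_sender_login_mismatch("sasluser1", "john.doe@example.com"))
```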
