Re: [magicmail-users] % in rcpt to addr (relay attempt)
Hi,
It's good to hear that you got this problem solved for your use; however, this
is something that we would rather see implemented in the user checking
script. Since the percent sign in usernames does actually have a valid use
for relaying email, it would not be favourable to disable this feature in the
smtp code in case anybody would like to use it. There should be no problems
in modifying the user checking script to reject emails with whichever
characters you may find unacceptable.
Bart
On September 5, 2004 02:06 pm, walnut wrote:
> hi.
> i wrote the list a little while ago about the %, @ and ! symbols being
> used as exploits during relay attempts.
> a few of the relay tests i've tried were able to get qmail (and the
> magic-mail server) to accept mail for non-existent users with these
> exploits. while the mail isn't ever delivered, it does generate a bounce
> and it also has the potential to get a server listed (as irresponsible
> as that may seem).
>
> the test servers are:
> http://members.iinet.net.au/~remmie/relay/
> http://www.antispam-ufrj.pads.ufrj.br/test-relay.html
>
> there are several other relay tests online that test for the same hack.
>
> i'm writing the list because i found a patch for qmail that prevents
> these exploits:
> http://www.qmail.org/qmail-smtpd-relay-reject
>
> and i've copied that patch's logic and diff'd magic-smtpd to do the
> same. my patch works, however i'm just wondering if i've applied the
> change in the appropriate place. here's my patch:
>
> --- orig/magic-smtpd.c 2004-05-03 14:18:36.000000000 -0700
> +++ magic-smtpd.c 2004-09-05 13:54:56.655246432 -0700
> @@ -1209,6 +1209,21 @@
> if (in_rcpt_hosts) {
> retval = 0;
>
> + int j;
> + char *buffer;
> + buffer = LM_STRING_BUFFER(rcptaddr);
> + j = strlen(buffer);
> + while(--j >= 0)
> + if (buffer[j] == '@') break;
> + if (j < 0) j = strlen(buffer);
> + while(--j >= 0) {
> + if (buffer[j] == '@' || buffer[j] == '%' || buffer[j] == '!') {
> + fprintf(stdout, "553 we don't relay (#5.7.1)\r\n");
> + fflush(stdout);
> + return -1;
> + }
> + }
> +
> /* Check to see if the rcpt address is a valid user */
> if ((!rcpt_bracket_ip_flag) && (config.check_valid_users != 0)) {
> retval = msd_check_rcpt_user(&addr, &spamdir);
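Review bot: the declarations `int j;` and `char *buffer;` follow the statement `retval = 0;` inside the same block, which is a C99 mixed declaration that a C89 compiler rejects; move both to the top of the enclosing block. Also, the new scan runs before the `msd_check_rcpt_user` call and returns -1 for any recipient in a local domain whose local part contains '@', '%' or '!', so it rejects such addresses even when the user check would have accepted them, and it prints the 553 reply without recording the rejected address anywhere; log the address at that point, and consider keeping the policy in the user checking script (as the reply above suggests) so the SMTP code itself does not lose the percent-routing feature.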
>
> thanks for your help, and please let me know if this is useful.
--
Bart Trzeciak - Jr. Consultant
LinuxAdministration - Internet Services
NetworkServices - Programming - Security
Wizard IT Services - http://www.wizard.ca
Linux Support Specialist - http://www.linuxmagic.com
LinuxMagic is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
--------------------------------------------------------
(604)589-0037 Beautiful British Columbia, Canada
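The recipient check that walnut's patch performs, written out as a stand-alone C function with constructed sample addresses so the policy can be exercised outside the server. This is an added example for this thread, not code from magic-smtpd, qmail or the quoted patch; the function names, the `domain_is_local` flag and the sample addresses are assumptions made here. It mirrors the patch's rule: for a recipient in a domain the server accepts mail for, the local part (everything before the last '@') must not contain '@', '%' or '!', the characters used to source-route mail through a host.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from magic-smtpd or the qmail patch.
 * Returns 1 if the local part of addr (everything before the last '@',
 * or the whole string when there is no '@') contains a source-routing
 * character '@', '%' or '!', else 0. If reason is non-NULL the
 * offending character (or 0) is stored there. This is the same test the
 * quoted patch does with its backward scan from the last '@'. */
int is_source_routed(const char *addr, char *reason)
{
    const char *at = strrchr(addr, '@');          /* last '@' ends the local part */
    size_t local_len = at ? (size_t)(at - addr) : strlen(addr);
    size_t i;

    for (i = 0; i < local_len; i++) {
        char c = addr[i];
        if (c == '@' || c == '%' || c == '!') {
            if (reason) *reason = c;
            return 1;
        }
    }
    if (reason) *reason = 0;
    return 0;
}

/* Decide what SMTP reply a RCPT TO address gets. domain_is_local stands
 * in for the patch's in_rcpt_hosts condition (assumed flag, computed by
 * the caller). Non-local domains are refused here as "we don't relay";
 * how a real server exempts authorised relay clients is out of scope.
 * Returns 250 to accept the recipient, 553 to reject it. */
int rcpt_decision(const char *addr, int domain_is_local)
{
    if (!domain_is_local)
        return 553;                     /* not our domain: no relaying */
    if (is_source_routed(addr, NULL))
        return 553;                     /* local domain, but routed local part */
    return 250;
}

int main(void)
{
    /* Constructed sample recipients, not taken from real traffic. */
    const char *samples[] = {
        "user@example.com",                 /* plain local address */
        "user%other.example@example.com",   /* percent hack */
        "other.example!user@example.com",   /* bang path */
        "user@other.example@example.com",   /* doubled '@' */
        "user%other.example"                /* no domain part at all */
    };
    size_t n = sizeof samples / sizeof samples[0];
    size_t i;

    for (i = 0; i < n; i++) {
        char why = 0;
        int code = rcpt_decision(samples[i], 1);
        is_source_routed(samples[i], &why);
        printf("%-36s -> %d", samples[i], code);
        if (why)
            printf(" (found '%c' in local part)", why);
        printf("\n");
    }
    return 0;
}
```

Running the program prints one line per sample with the reply code the recipient would get when its domain is treated as local; only the first address receives 250. Because the check keys on the last '@', an address with no domain part at all is scanned in full, which is what the patch's `if (j < 0) j = strlen(buffer);` fallback does.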