[8813] in bugtraq


Re: Claimed Postfix Vulnerabilities

daemon@ATHENA.MIT.EDU (bobk)
Thu Dec 24 18:51:29 1998

Date: 	Wed, 23 Dec 1998 15:29:37 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: bobk <bobk@SINISTER.COM>
To: BUGTRAQ@NETSPACE.ORG

This is a public letter, not a 'submission to IBM', therefore IBM does not
own these comments (If this confuses anybody, please read the postfix
license agreement).

On Mon, 21 Dec 1998, Wietse Venema wrote:

> First I'd like to emphasize that the primary objective of Postfix
> was to protect the local system.  With today's protocols that lack
> any form of strong authentication, I make no promise that Postfix
> can be made immune against DNS spoofing, IP address spoofing, or
> SMTP sender address spoofing.
>
> Secondly, all topics of controversy are the result of deliberate
> design decisions, not accidental properties of the implementation.
> I suppose that one man's bug is another man's feature.

How is this vulnerability a feature?

> By default, Postfix relays mail from sites within the local domain
> or subnetwork.

If the default is to accept mail from the local domain, what is to prevent
a PTR to a host in the local domain from being spoofed? If this can be
done, the PTR vulnerability will be present on many more systems than the
sentence below implies.

>  In addition, the system administrator can set up
> access controls on the basis of client host names/addresses, and
> on names or mail addresses that are exchanged via SMTP commands.


> 1 - Claim: Postfix relay restrictions can be bypassed with forged
>     PTR records.
>
>     Response: in my opinion, the current measures raise the bar to
>     a sufficient level.

'Raise the bar' - I.E. you don't think spammers will have control of
their own in-addr.arpa. While it is true that a large NUMBER of spammers
use a dialup modem for which they have no in-addr control, a large QUANTITY
of spam comes from co-located spam-servers which often DO have control
over their own IP.

Someone pointed out that gethostbyaddr() may have been avoided
for performance reasons. I can understand the need for performance. A way
to have both performance and security might be to allow any client
to connect, and then simultaneously DNS authenticate the client while
accepting mail. By the time the mail was processed and the client ready to
disconnect, hopefully the DNS work would be done and mail accepted or
rejected based on the fully authenticated source. If it wasn't done, it
could be dumped after a determined timeout.

Robert Keyes
Security Consultant
Cambridge Massachusetts
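The check the thread is arguing over, as an added example that is not part of the original post or of Postfix itself: a relay decision that trusts a client's PTR name only when that name resolves forward to the connecting address (forward-confirmed reverse DNS). The DNS tables, addresses and the domain `example.com` are constructed for the example; the `live_*` helpers are the real-resolver equivalents.

```python
import socket
from typing import Iterable, Optional

# Constructed sample DNS data, not real hosts. The client at 203.0.113.7
# controls its own in-addr.arpa and points its PTR at a host in the
# local domain; the forward record for that name does not point back
# at 203.0.113.7, so the name must not be trusted for relaying.
PTR_TABLE = {
    "192.0.2.10": "mail.example.com",     # legitimate local-domain client
    "203.0.113.7": "relay.example.com",   # spoofed PTR record
}
A_TABLE = {
    "mail.example.com": ["192.0.2.10"],
    "relay.example.com": ["192.0.2.20"],
}

def table_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)

def table_a(name: str) -> Iterable[str]:
    return A_TABLE.get(name, [])

def live_ptr(ip: str) -> Optional[str]:
    """Real reverse lookup, for use against a live resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_a(name: str) -> Iterable[str]:
    """Real forward lookup: all addresses the name resolves to."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def confirmed_client_name(ip, ptr_lookup=table_ptr, a_lookup=table_a):
    """Return the PTR name only if it resolves forward to the client
    address (forward-confirmed); otherwise None, so an attacker-controlled
    in-addr.arpa zone alone gains nothing."""
    name = ptr_lookup(ip)
    if not name:
        return None
    return name.lower() if ip in set(a_lookup(name)) else None

def relay_allowed(ip, local_domain="example.com", **lookups):
    """Relay decision based only on a forward-confirmed client name."""
    name = confirmed_client_name(ip, **lookups)
    if name is None:
        return False
    return name == local_domain or name.endswith("." + local_domain)
```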
