[ On Friday, September 28, 2001 at 10:02:33 (+0100), Peter Galbavy wrote: ]
> Subject: Re: [Exim] Question about rbl and host_accept_relay handling
>
> > The fault here is with the expectation that relay_domains_include_local_mx
> > can ever be used safely on a public network. It cannot. It causes your
> > mailer to trust data received from the network (unless you externally
> > filter all bogus unauthorised MXs from public DNS responses, I guess).
>
> Sorry, but I don't understand. I thought the whole point of using this
> setting is that you can choose to accept mail to be relayed *to* any domain
> who lists your host as an MX. NOT relay *from*. Where is the attack ? If
> anyone wants to list me as an MX for their domain, they get what they
> deserve.
I don't really know what it does, but from your description of the
effect it had, it might be the other way around. Maybe there's a logic
bug somewhere?
The Exim HOWTO about relaying warns you of the minor danger of becoming
an unauthorised secondary MX:
2. Any domains that are not finally handled by the local exim, but can
legitimately be relayed through (ie domains you act as backup MX
for) should be specified in the relay_domains, although a short cut
for doing this is setting relay_domains_include_local_mx which can
be used to abuse your mail server by adding MXes pointing at you,
but raises the bar so much higher than it is normally good enough.
From the more detailed description of relay_domains_include_local_mx in
the manual it's not clear whether or not the MX pointing to the local
host has to be a "secondary" MX (i.e. with a higher priority value) or
not. In theory this is covered by the fact that if the MX for the local
host has the lowest value then Exim will consider the delivery
destination to be local and thus relaying is not of any concern.
Note that even if there's not a logic bug in Exim, there's still a
fairly mechanical way (i.e. cracker tools exist and indeed papers have
been written about how) to trick many nameservers into accepting a bogus
record, and it might not be that difficult for an attacker to cause your
cache servers to see one or more forged MX RRs -- they just have to feed
you a forged NS or otherwise trick the nameserver yours will query into
accepting a bogus MX. In order to block such attacks you'd have to add
filtering to your nameserver to block all replies from the public
network which contain MXs that point to your zone and then instead load
it directly with authoritative copies of all authorised zones which
contain any authorised MXs pointing to your server (eg. by making it a
blind secondary of those zones). You should do this last part anyway,
but it would be much easier to properly set "relay_domains" than it
would be to add ACL mechanisms this complex to named.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@???> <woods@???>
Planix, Inc. <woods@???>; Secrets of the Weird <woods@???>
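The relay decision the message describes, as an added example that is not Exim's own code: a simplified model of how relay_domains_include_local_mx differs from an explicit relay_domains list. Host names, domains and MX data are constructed.

```python
# Added example, not Exim's own code: a simplified model of the relay decision
# described in the thread. Names, hosts and MX data are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class MX:
    preference: int   # lower value = more preferred exchanger
    exchanger: str

@dataclass
class RelayPolicy:
    local_hosts: frozenset                                       # names this Exim answers to
    relay_domains: frozenset = field(default_factory=frozenset)  # explicit allowlist
    include_local_mx: bool = False                               # the option the thread warns about

def classify(domain: str, mxs: list, policy: RelayPolicy) -> str:
    """Return 'local', 'relay' or 'reject' for mail addressed to `domain`.

    If the most-preferred MX is one of our hosts the domain is treated as local,
    so relaying does not arise. Otherwise relay only if the domain is explicitly
    listed, or if include_local_mx is set and *any* MX record (whoever
    published it) names one of our hosts.
    """
    if not mxs:
        return "relay" if domain in policy.relay_domains else "reject"
    primary = min(mxs, key=lambda m: m.preference)
    if primary.exchanger in policy.local_hosts:
        return "local"
    if domain in policy.relay_domains:
        return "relay"
    if policy.include_local_mx and any(
        m.exchanger in policy.local_hosts for m in mxs
    ):
        return "relay"
    return "reject"

# Constructed zones (not real DNS data).
LOCAL = frozenset({"mail.example.net"})
CUSTOMER = [MX(10, "mx1.customer.example"), MX(20, "mail.example.net")]  # agreed backup MX
ROGUE = [MX(10, "mx.rogue.example"), MX(50, "mail.example.net")]         # MX added without our consent

LOOSE = RelayPolicy(local_hosts=LOCAL, include_local_mx=True)
STRICT = RelayPolicy(local_hosts=LOCAL, relay_domains=frozenset({"customer.example"}))

def decisions(policy: RelayPolicy) -> dict:
    """Relay decisions for both constructed zones under one policy."""
    return {
        "customer.example": classify("customer.example", CUSTOMER, policy),
        "rogue.example": classify("rogue.example", ROGUE, policy),
    }
```

Under LOOSE both zones are relayed, because the decision rests on data the zone owner controls; under STRICT only the domain listed in relay_domains is.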