[Exim] Relay exploit in 3.36

Author: list-exim-users
Date:  
To: exim-users
Subject: [Exim] Relay exploit in 3.36
Hello exim-users,

[There must be a less intrusive method to submit potential bug
reports. I know you have to be active in the community, but joining a
mailing list simply to submit a potential bug report? It's so
intrusive on this end and likely we're missing a lot of bugs doing it
this way from people who would otherwise submit to perhaps a web
forum? I find that less intrusive. It takes quite a number of steps to
get to this point.]

At any rate, here's a message I sent to the Postmaster (no other
contact addresses) who directed me here. After shirking the idea off
for a day I felt it necessary to go to the lengths to set up to receive
this mailing list. Sheesh.

------------------------------------------------------------------------
Apologies if this is not the correct address. If it is not, could you
please forward this to the correct one? Thank you.

It appears there is an exploit in Exim concerning allowing relaying to
external SMTP servers.

Our "local_domains" directive looks like this:

local_domains = localhost:a-local-domain.com:mysql;select domain_name from domain where domain_name='$key'

Now, this should allow relaying to domains that are hosted by our
system, or that we specifically want to relay to and it does do that.
However, it also allows relaying to servers we do not want to send to.

Here's a concrete, tested example on our system:

A local domain, 'local-domain.com'[edited], is on our system but has no email
capabilities. It is simply active as an HTTP property. Now, when
sending an email with this as the To: field -->

[Edited from real, concrete example address that was causing problems]

"non-local@???" <anything@???>
(please do not contact the email address above, as it is one of our
clients)

The email is relayed to 'non-local-domain.com'[edited] which we do NOT
want to relay to. It does this because apparently it looks at the
'local-domain.com'[edited] portion and decides that the email address
is local, but it uses the non-local "non-local@???"[edited] email
address for sending.

Is this a known exploit and is there a way around it? I didn't see any
mention in the FAQs concerning it.

Thanks for any help that you may be able to provide, and thank you for
Exim, great software!
------------------------------------------------------------------------

Any ideas on this? Am I doing something wrong or is this an actual
exploit?

--
Best regards,
 list-exim-users                          mailto:list-exim-users@archrival.net
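
[Added example, not part of the original post and not Exim code: a
Python check that splits a To: value of the shape quoted above into its
display name and its addr-spec, takes the local/non-local decision from
the addr-spec only, and flags a display name that looks like an address
in some other domain. The domains are constructed stand-ins for the
redacted ones, and the names audit_header, domain_of and LOCAL_DOMAINS
are hypothetical.]

```python
import re
from email.utils import getaddresses

# Constructed stand-ins for the poster's redacted domains (assumptions).
LOCAL_DOMAINS = {"localhost", "local-domain.example"}

# Loose pattern for text that merely looks like an address in a display name.
ADDR_LIKE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed header value with the same shape as the one in the report.
SAMPLE = '"non-local@non-local-domain.example" <anything@local-domain.example>'


def domain_of(addr_spec):
    """Lower-cased domain of an addr-spec, or None if it has no usable one."""
    local, sep, domain = addr_spec.rpartition("@")
    return domain.lower() if sep and local and domain else None


def audit_header(value, local_domains=LOCAL_DOMAINS):
    """Classify every mailbox in one To:/Cc: header value.

    The same addr-spec is used for the locality decision and reported as
    the routing target; the display name is only inspected, never routed on.
    """
    findings = []
    for display, addr_spec in getaddresses([value]):
        routed = domain_of(addr_spec)
        shown = {d.lower() for d in ADDR_LIKE.findall(display)}
        findings.append({
            "addr_spec": addr_spec,
            "route_domain": routed,
            "is_local": routed in local_domains,
            # Address-like domains in the display name that differ from
            # the domain the message would actually be routed to.
            "display_mismatch": sorted(shown - {routed}),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_header(SAMPLE):
        print(finding)
```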