Re: [Exim] Relay exploit in 3.36

Author: Philip Hazel
Date:  
To: list-exim-users
CC: exim-users
Subject: Re: [Exim] Relay exploit in 3.36
On Thu, 5 Sep 2002, list-exim-users wrote:

> [There must be a less intrusive method to submit potential bug


As it says in the Exim manual:

------------------------------------------------------------------------
1.3 Bug reports

Reports of obvious bugs should be emailed to "bugs@???". However, if you
are unsure whether some behaviour is a bug or not, the best thing to do is to
post a message to the exim-users mailing list and have it discussed.
------------------------------------------------------------------------

At present, that address just gets forwarded to me.

> It appears there is an exploit in Exim concerning allowing relaying to
> external SMTP servers.
>
> Our "local_domains" directive looks like this:


OK, so we're dealing with Exim 3 ...

> local_domains = localhost:a-local-domain.com:mysql;select domain_name from domain
> where domain_name='$key'
>
> Now, this should allow relaying to domains that are hosted by our
> system, or that we specifically want to relay to and it does do that.


Don't understand your use of the word "relay" here. Local domains are
usually delivered locally, not relayed somewhere else. In Exim 3,
domains for relaying are normally defined by relay_domains.

> However, it also allows relaying to servers we do not want to send to.
>
> Here's a concrete, tested example on our system:
>
> A local domain, 'local-domain.com'[edited], is on our system but has no email
> capabilities. It is simply active as an HTTP property. Now, when
> sending an email with this as the To: field -->
>
> [Edited from real, concrete example address that was causing problems]
>
> "non-local@???" <anything@???>
> (please do not contact the email address above, as it is one of our
> clients)
>
> The email is relayed to 'non-local-domain.com'[edited] which we do NOT
> want to relay to. It does this because apparently it looks at the
> 'local-domain.com'[edited]
> portion and decides that the email address is local, but it uses the
> non-local "non-local@???"[edited] email address for
> sending.


No, I'm afraid you are confused here. Exim doesn't look at the To:
header line at all when deciding how to deliver a message. It looks at
the recipient address in the *envelope*, which is separate to the text
of the message. The question is therefore, what was the envelope of this
message? Or, to put it another way, how was this message passed to Exim?
The method of passing determines how the envelope is passed.

What did you see on the Exim log? Did you try doing this with debugging
turned on?

> Thanks for any help that you may be able to provide, and thank you for
> Exim, great software!


I'm glad you like the software.

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
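
Added example, not part of the original message and not Exim code: a short Python sketch of the envelope/header distinction described above. The domains example.com and example.net, the LOCAL_DOMAINS set and all function names are constructed placeholders; the page redacts the real addresses.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message. The header has the shape quoted in the thread;
# the domains are placeholders because the real ones are redacted on the page.
RAW = (
    "From: sender@example.org\n"
    'To: "non-local@example.net" <anything@example.com>\n'
    "Subject: test\n"
    "\n"
    "body\n"
)

# Assumed stand-in for the domains matched by local_domains.
LOCAL_DOMAINS = {"localhost", "example.com"}


def header_recipients(raw):
    """(display name, addr-spec) pairs found in the To: and Cc: header lines."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [(name, addr.lower()) for name, addr in getaddresses(fields)]


def route(envelope_rcpts):
    """Classify envelope recipients by domain; header lines are never consulted."""
    result = {"local": [], "remote": []}
    for rcpt in envelope_rcpts:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        result["local" if domain in LOCAL_DOMAINS else "remote"].append(rcpt)
    return result


def address_like_display_names(raw):
    """Display names that look like an address but are not the real addr-spec."""
    return [n for n, a in header_recipients(raw) if "@" in n and n.lower() != a]


if __name__ == "__main__":
    print("header view:    ", header_recipients(RAW))
    # Same message text, two different envelopes, two different outcomes.
    print("envelope one:   ", route(["anything@example.com"]))
    print("envelope two:   ", route(["non-local@example.net"]))
    print("misleading name:", address_like_display_names(RAW))
```

The same message text is classified as local or remote depending only on the envelope it arrives with, which is why the log and the submission method are the things to check.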