Spot the bug in the following line, and how to exploit it:
server_condition = ${if eq{$3}{${lookup {$2} cdb {/etc/mail/smtpauth.cdb}{$value}}}{yes}{no}}
The exploit is that empty passwords given during the AUTH phase match
nicely with non-existent users in the CDB file.
Instead,
server_condition = ${if and { {!eq {$2}{}} {eq{$2}{${lookup {$1} cdb {/etc/mail/smtpauth.cdb}{$value}}}} } {yes}{no}}
which ensures there's a password in there. I wonder how many other
checks let an empty password slip by? Seems an easy mistake to make.
Unfortunately this error was spotted by a spammer who AUTH LOGIN'ed as
webmaster with no password, and effectively turned one of my MTAs into
an open relay. Fortunately I caught it as SpamAssassin tripped a load
meter, but it was still an ugly scene. I haven't fully analyzed it yet
but the spamming seemed distributed - all sorts of IPs "realized" the
situation at once.
Paul
--
Paul Makepeace .......................................
http://paulm.com/
"If I gave out fish, then I am a girl."
--
http://paulm.com/toys/surrealism/
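
The two server_condition lines above, modelled in Python as an added example that is not part of the original post. It relies on the Exim rule that a lookup with no failure string expands to the empty string on a miss. The table contents, user names and function names are constructed for illustration.

```python
# Constructed stand-in for /etc/mail/smtpauth.cdb (user -> password).
# "blank" models an account stored with an empty password.
SMTPAUTH = {"alice": "correct horse", "blank": ""}


def lookup_value(user, table):
    """Model of ${lookup {user} cdb {file}{$value}}.

    No failure string is given, so a missed lookup expands to "".
    """
    return table.get(user, "")


def original_condition(user, password, table=SMTPAUTH):
    """Model of eq{password}{lookup}, the first server_condition."""
    return password == lookup_value(user, table)


def fixed_condition(user, password, table=SMTPAUTH):
    """Model of and{ {!eq{password}{}} {eq{password}{lookup}} }."""
    return password != "" and password == lookup_value(user, table)


# Constructed AUTH attempts: (user, password).
CASES = [
    ("alice", "correct horse"),  # valid credentials
    ("alice", "wrong"),          # known user, bad password
    ("alice", ""),               # known user, empty password
    ("webmaster", ""),           # unknown user, empty password
    ("webmaster", "guess"),      # unknown user, non-empty password
    ("blank", ""),               # stored empty password
]


def audit(table=SMTPAUTH):
    """Return (user, password, original_result, fixed_result) per case."""
    return [
        (u, p, original_condition(u, p, table), fixed_condition(u, p, table))
        for u, p in CASES
    ]


if __name__ == "__main__":
    print(f"{'user':<10} {'password':<15} {'original':<9} fixed")
    for user, password, orig, fixed in audit():
        print(f"{user:<10} {password!r:<15} {orig!s:<9} {fixed}")
```

The rows where the two columns differ are the accounts to review after deploying the corrected condition: users missing from the file and users stored with an empty password.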