Paul Makepeace wrote:
> Spot the bug in the following line, and how to exploit it:
>
> server_condition = ${if eq{$3}{${lookup {$2} cdb {/etc/mail/smtpauth.cdb}{$value}}}{yes}{no}}
>
> The exploit is that empty passwords given during the AUTH phase match
> nicely with non-existent users in the CDB file.
>
> Instead,
>
> server_condition = ${if and { {!eq {$2}{}} {eq{$2}{${lookup {$1} cdb {/etc/mail/smtpauth.cdb}{$value}}}} } {yes}{no}}
>
> which ensures there's a password in there. I wonder how many other
> checks let an empty password slip by? Seems an easy mistake to make.
>
> Unfortunately this error was spotted by a spammer who AUTH LOGIN'ed as
> webmaster with no password, and effectively turned one of my MTAs into
> an open relay. Fortunately I caught it as spamassassin tripped a load
> meter but it was still an ugly scene. I haven't fully analyzed it yet
> but the spamming seemed distributed - all sorts of IPs "realized" the
> situation at once.
This is a known misconfiguration; there was a thread today about it.
I suggest using:
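Editor's added illustration of the failure mode discussed in this thread (not part of either poster's message and not Exim code): a small Python model of the expansion semantics behind the two `server_condition` lines. It assumes, as Exim documents, that a `${lookup ...}` with no failure branch expands to the empty string when the key is absent, and that `eq` is an exact string comparison. The user/password table is constructed sample data.

```python
# Model of the two server_condition lines from the thread.
# Constructed sample "smtpauth.cdb" contents; note that "webmaster" is
# deliberately absent, mirroring the account the spammer used.
SMTPAUTH_DB = {
    "paul": "correct-horse",
    "postmaster": "hunter2",
}


def cdb_lookup(user: str, db: dict = SMTPAUTH_DB) -> str:
    """Model ${lookup {user} cdb {/etc/mail/smtpauth.cdb}{$value}}.

    With no failure branch, a missed lookup makes the whole item expand
    to the empty string, which is the root of the bug below.
    """
    return db.get(user, "")


def vulnerable_condition(user: str, password: str) -> str:
    """Original line: ${if eq{$password}{${lookup ...}}}{yes}{no}}

    An empty password compared against the empty string returned for a
    non-existent user yields "yes", so AUTH succeeds for unknown accounts.
    """
    return "yes" if password == cdb_lookup(user) else "no"


def fixed_condition(user: str, password: str) -> str:
    """Fixed line: ${if and{ {!eq{$password}{}} {eq{$password}{${lookup ...}}} }{yes}{no}}

    Rejects an empty password outright before comparing against the lookup.
    """
    if password == "":
        return "no"
    return "yes" if password == cdb_lookup(user) else "no"


def audit(attempts):
    """Run a batch of (user, password) AUTH attempts through both conditions.

    Returns a list of (user, vulnerable_result, fixed_result) so the two
    behaviours can be compared side by side, e.g. when reviewing auth logs.
    """
    return [(u, vulnerable_condition(u, p), fixed_condition(u, p))
            for u, p in attempts]


if __name__ == "__main__":
    # Constructed attempts: a real user, a real user with a bad password,
    # and the empty-password probe against an account not in the database.
    for row in audit([("paul", "correct-horse"),
                      ("paul", "wrong"),
                      ("webmaster", "")]):
        print("user=%-10s vulnerable=%-3s fixed=%s" % row)
```

The `audit` helper is the part worth reusing: feeding it the user/password pairs seen in an MTA's authentication log shows immediately which sessions the old condition would have accepted that the corrected one rejects.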