Hi,
I've run into what appears to be an OpenSMTPD bug that I can reproduce
in OpenSMTPD 7.4.0 (on OpenBSD 7.4) and OpenSMTPD 7.6.0 (on OpenBSD 7.6).
When accepting incoming mail from external sources for local users, it
appears that, if the recipient is an alias in the aliases file (and that
alias points to a full email address rather than just a username), the
email will then match "match" statements that contain "match from local"
(despite the fact that the email did not come from a local source).
For example, if the aliases file contains `aliasname: username`, that
will NOT lead to this issue, but if it contains `aliasname:
[email protected]`, that WILL lead to this issue.
I discovered this because I relay outbound email through dkimproxy
(https://dkimproxy.sourceforge.net/) using a "match from local"
statement to DKIM-sign it before delivering it, and found that external
incoming mail to my server was being relayed through dkimproxy if the
recipient of the email was an alias pointing to a full email address. In
most cases, this is harmless (since dkimproxy won't sign emails if the
"from" address doesn't match the server's domain); however, if a
malicious server sends an email to an alias of a local user where the
"from" address is spoofed to be an address on my server's domain, this
will cause the email to be relayed through dkimproxy (because it
mistakenly matches "from local"), and it will be DKIM-signed as though
it originated from my server, making it appear as non-spoofed to the
local recipient.
To reproduce, this is my smtpd.conf:
table aliases file:/etc/mail/aliases
listen on socket
listen on lo0
listen on egress
# Outbound email that has been DKIM-signed will be relayed from
# dkimproxy back to us here.
listen on lo0 port 10028 tag DKIM_OUT
action "local_mail" mbox alias <aliases>
action "outbound" relay
action "relay_dkimproxy" relay host smtp://127.0.0.1:10027
# For any mail from a local source that has not yet been DKIM-
# signed, relay it through dkimproxy. (NOTE: This is the "match"
# statement that is being hit unexpectedly for external incoming
# mail to an alias.)
match ! tag DKIM_OUT from local for any action "relay_dkimproxy"
# Handle mail destined for a local address. (Any local-to-local
# mail will have been DKIM-signed by this point.)
match from any for domain "mydomain.net" action "local_mail"
match from local for local action "local_mail"
# Relay outgoing mail to non-local destinations that has been
# DKIM-signed.
match tag DKIM_OUT for any action "outbound"
And this is my /etc/mail/aliases file:
# Sending to this alias does NOT reproduce the issue:
alias1: username
# However, sending to this alias DOES reproduce the issue:
alias2: [email protected]
From another machine, if I send an email to the machine running that
OpenSMTPD configuration to "[email protected]", it will end up hitting
the `match ! tag DKIM_OUT from local for any action "relay_dkimproxy"`
line, and mistakenly relayed through dkimproxy. (If I send an email
directly to "[email protected]" or "[email protected]", then this
issue does NOT occur.)
For now, I have worked around this by explicitly tagging local sources:
listen on socket tag ACTUALLY_FROM_LOCAL
listen on lo0 tag ACTUALLY_FROM_LOCAL
and matching that tag instead of using "from local" in the "match"
statement:
match tag ACTUALLY_FROM_LOCAL for any action "relay_dkimproxy"
Although this fixes the issue for me, I figured it was worth reporting
since the original behavior is unexpected to me and feels like a bug.
Please let me know what you think, or if you need any more info from me.
Thanks,
Jake Hartz
P.S. I originally addressed this to "[email protected]" as per the
instructions on https://opensmtpd.org/list.html but got an automated
reply saying that my email had been rejected for not being addressed to
"[email protected]", hence why I'm now sending this email to that list.
