Re: Qmail-ldap accepts dash mails.

Mikkel Kruse Johnsen Sun, 30 Apr 2006 23:41:15 -0700
Hi Claudio

Yes that is the case, I have a local user called 'mkj' and have localdelivery on.

Should'nt it only accept mail if the mail address exists ?
I have not compiled with DASH_EXT, isn't it what that does. ?
How do I turn this behavior off ?

How do other people prevent reverse open relay. In my case that means that a spammer could send a email to any local user and add '-something' to the address and then fake the 'mail from:' field to the person he wants to spam. They will get a bounce message with the message in it.

/Mikkel

On Sun, 2006-04-30 at 16:11 +0159, Claudio Jeker wrote:
On Fri, Apr 28, 2006 at 02:33:36PM +0200, Mikkel Kruse Johnsen wrote:
> Hi Claudio
> 
> Just had to switch to a test server, therefore the delay.
> 
> Here it is. First a normal mail send to my account 'mkj' at domain
> 'norrehus.dk'
> 
> ---
> 2006-04-28 14:28:45.855822500 tcpserver: status: 1/40
> 2006-04-28 14:28:45.856021500 tcpserver: pid 11549 from 81.19.227.226
> 2006-04-28 14:28:45.856109500 tcpserver: ok 11549
> 0:80.165.0.78:25 :81.19.227.226::56134
> 2006-04-28 14:28:45.867537500 qmail-smtpd 11549: connection from
> 81.19.227.226 (unknown) to 0
> 2006-04-28 14:28:45.867568500 qmail-smtpd 11549: enabled options:
> sanitycheck returnmxcheck rcptcheck smtp-auth rejectexecutables
> 2006-04-28 14:28:45.876788500 qmail-smtpd 11549: remote ehlo: linet.dk
> 2006-04-28 14:28:45.887383500 qmail-smtpd 11549: mail from:
> [EMAIL PROTECTED]
> 2006-04-28 14:28:45.887385500 qmail-smtpd 11549: SPF not checked
> 2006-04-28 14:28:45.906106500 qmail-smtpd 11549: rcpt to:
> [EMAIL PROTECTED]
> 2006-04-28 14:28:45.906148500 qmail-smtpd 11549: recipient verify,
> recipient not in goodmailaddr
> 2006-04-28 14:28:45.906150500 qmail-smtpd 11549: recipient verify,
> recipient is local
> 2006-04-28 14:28:45.908379500 init_ldap: control/ldapserver:
> 'ldap.orholm.dk'
> 2006-04-28 14:28:45.908404500 init_ldap: control/ldapbasedn:
> dc=orholm,dc=dk
> 2006-04-28 14:28:45.908419500 init_ldap: control/ldapobjectclass:
> qmailuser
> 2006-04-28 14:28:45.908421500 init_ldap: control/ldaptimeout: 30
> 2006-04-28 14:28:45.908437500 init_ldap: control/ldaprebind: 0
> 2006-04-28 14:28:45.908474500 init_ldap: control/ldapdefaultdotmode:
> dotonly
> 2006-04-28 14:28:45.908490500 init_ldap: control/defaultquotasize: 0
> 2006-04-28 14:28:45.908492500 init_ldap: control/defaultquotacount: 0
> 2006-04-28 14:28:45.908508500 init: control/ldaplocaldelivery: 1
> 2006-04-28 14:28:45.908525500 qmail-verfiy: verifying [EMAIL PROTECTED]
> 2006-04-28 14:28:45.934692500 qldap_open: init successful
> 2006-04-28 14:28:45.934724500 qldap_set_option: set referrals successful
> 2006-04-28 14:28:45.936155500 qldap_bind: successful
> 2006-04-28 14:28:45.936194500 ldapfilter:
> '(&(objectClass=qmailuser)(|([EMAIL PROTECTED])([EMAIL PROTECTED])))'
> 2006-04-28 14:28:45.936790500 qldap_lookup: search for
> (&(objectClass=qmailuser)(|([EMAIL PROTECTED])([EMAIL PROTECTED]))) succeeded
> 2006-04-28 14:28:45.936822500 qldap_get_attr(accountStatus): no such
> attribute
> 2006-04-28 14:28:45.936839500 qmail-smtpd 11549: recipient verify OK
> 2006-04-28 14:28:45.945606500 qmail-smtpd 11549: go ahead
> 2006-04-28 14:28:45.955221500 qmail-smtpd 11549: DDC saved  23 percent
> 2006-04-28 14:28:45.984379500 qmail-smtpd 11549: message queued:
> 1146227325 qp 11551 size 211 bytes
> 2006-04-28 14:28:46.011376500 qmail-smtpd 11549: quit, closing
> connection
> 2006-04-28 14:28:46.011630500 tcpserver: end 11549 status 0
> 2006-04-28 14:28:46.011633500 tcpserver: status: 0/40
> ---
> 
> 
> Now send to 'mkj' dash something:
> 
> ---
> 2006-04-28 14:29:12.081165500 tcpserver: status: 1/40
> 2006-04-28 14:29:12.081362500 tcpserver: pid 11555 from 81.19.227.226
> 2006-04-28 14:29:12.081454500 tcpserver: ok 11555
> 0:80.165.0.78:25 :81.19.227.226::56141
> 2006-04-28 14:29:12.083662500 qmail-smtpd 11555: connection from
> 81.19.227.226 (unknown) to 0
> 2006-04-28 14:29:12.083667500 qmail-smtpd 11555: enabled options:
> sanitycheck returnmxcheck rcptcheck smtp-auth rejectexecutables
> 2006-04-28 14:29:12.093757500 qmail-smtpd 11555: remote ehlo: linet.dk
> 2006-04-28 14:29:12.104566500 qmail-smtpd 11555: mail from:
> [EMAIL PROTECTED]
> 2006-04-28 14:29:12.104569500 qmail-smtpd 11555: SPF not checked
> 2006-04-28 14:29:12.114418500 qmail-smtpd 11555: rcpt to:
> [EMAIL PROTECTED]
> 2006-04-28 14:29:12.114485500 qmail-smtpd 11555: recipient verify,
> recipient not in goodmailaddr
> 2006-04-28 14:29:12.114488500 qmail-smtpd 11555: recipient verify,
> recipient is local
> 2006-04-28 14:29:12.116658500 init_ldap: control/ldapserver:
> 'ldap.orholm.dk'
> 2006-04-28 14:29:12.116685500 init_ldap: control/ldapbasedn:
> dc=orholm,dc=dk
> 2006-04-28 14:29:12.116701500 init_ldap: control/ldapobjectclass:
> qmailuser
> 2006-04-28 14:29:12.116704500 init_ldap: control/ldaptimeout: 30
> 2006-04-28 14:29:12.116705500 init_ldap: control/ldaprebind: 0
> 2006-04-28 14:29:12.116751500 init_ldap: control/ldapdefaultdotmode:
> dotonly
> 2006-04-28 14:29:12.116768500 init_ldap: control/defaultquotasize: 0
> 2006-04-28 14:29:12.116770500 init_ldap: control/defaultquotacount: 0
> 2006-04-28 14:29:12.116786500 init: control/ldaplocaldelivery: 1
> 2006-04-28 14:29:12.116803500 qmail-verfiy: verifying
> [EMAIL PROTECTED]
> 2006-04-28 14:29:12.117289500 qldap_open: init successful
> 2006-04-28 14:29:12.117317500 qldap_set_option: set referrals successful
> 2006-04-28 14:29:12.118064500 qldap_bind: successful
> 2006-04-28 14:29:12.118095500 ldapfilter:
> '(&(objectClass=qmailuser)(|([EMAIL PROTECTED])([EMAIL PROTECTED])))'
> 2006-04-28 14:29:12.118682500 qldap_lookup: search for
> (&(objectClass=qmailuser)(|([EMAIL PROTECTED])([EMAIL PROTECTED]))) succeeded
> 2006-04-28 14:29:12.118713500 qldap_lookup: Nothing found
> 2006-04-28 14:29:12.118715500 ldapfilter:
> '(&(objectClass=qmailuser)(|([EMAIL PROTECTED])([EMAIL PROTECTED])))'
> 2006-04-28 14:29:12.119252500 qldap_lookup: search for
> (&(objectClass=qmailuser)(|([EMAIL PROTECTED])([EMAIL PROTECTED]))) succeeded
> 2006-04-28 14:29:12.119262500 qldap_lookup: Nothing found
> 2006-04-28 14:29:12.120204500 qmail-smtpd 11555: recipient verify OK
> 2006-04-28 14:29:12.129278500 qmail-smtpd 11555: go ahead
> 2006-04-28 14:29:12.138673500 qmail-smtpd 11555: DDC saved  24 percent
> 2006-04-28 14:29:12.142821500 qmail-smtpd 11555: message queued:
> 1146227352 qp 11557 size 226 bytes
> 2006-04-28 14:29:12.151964500 qmail-smtpd 11555: quit, closing
> connection
> 2006-04-28 14:29:12.152525500 tcpserver: end 11555 status 0
> 2006-04-28 14:29:12.152528500 tcpserver: status: 0/40
> ---
> 

I bet you have a local mkj account on your mailserver and lcoaldelivery is
turned on so the mail is accepted because qmail-verify does not check if
the local user has a .qmail-whatever file.


> Finally a test send to a non existing user:
> 
> ---
> 2006-04-28 14:29:44.284641500 tcpserver: status: 1/40
> 2006-04-28 14:29:44.285273500 tcpserver: pid 11562 from 81.19.227.226
> 2006-04-28 14:29:44.285356500 tcpserver: ok 11562
> 0:80.165.0.78:25 :81.19.227.226::56145
> 2006-04-28 14:29:44.287479500 qmail-smtpd 11562: connection from
> 81.19.227.226 (unknown) to 0
> 2006-04-28 14:29:44.287484500 qmail-smtpd 11562: enabled options:
> sanitycheck returnmxcheck rcptcheck smtp-auth rejectexecutables
> 2006-04-28 14:29:44.296241500 qmail-smtpd 11562: remote ehlo: linet.dk
> 2006-04-28 14:29:44.307531500 qmail-smtpd 11562: mail from:
> [EMAIL PROTECTED]
> 2006-04-28 14:29:44.307533500 qmail-smtpd 11562: SPF not checked
> 2006-04-28 14:29:44.316910500 qmail-smtpd 11562: rcpt to:
> [EMAIL PROTECTED]
> 2006-04-28 14:29:44.316947500 qmail-smtpd 11562: recipient verify,
> recipient not in goodmailaddr
> 2006-04-28 14:29:44.316951500 qmail-smtpd 11562: recipient verify,
> recipient is local
> 2006-04-28 14:29:44.319131500 init_ldap: control/ldapserver:
> 'ldap.orholm.dk'
> 2006-04-28 14:29:44.319156500 init_ldap: control/ldapbasedn:
> dc=orholm,dc=dk
> 2006-04-28 14:29:44.319159500 init_ldap: control/ldapobjectclass:
> qmailuser
> 2006-04-28 14:29:44.319215500 init_ldap: control/ldaptimeout: 30
> 2006-04-28 14:29:44.319217500 init_ldap: control/ldaprebind: 0
> 2006-04-28 14:29:44.319233500 init_ldap: control/ldapdefaultdotmode:
> dotonly
> 2006-04-28 14:29:44.319249500 init_ldap: control/defaultquotasize: 0
> 2006-04-28 14:29:44.319251500 init_ldap: control/defaultquotacount: 0
> 2006-04-28 14:29:44.319253500 init: control/ldaplocaldelivery: 1
> 2006-04-28 14:29:44.319269500 qmail-verfiy: verifying
> [EMAIL PROTECTED]
> 2006-04-28 14:29:44.319766500 qldap_open: init successful
> 2006-04-28 14:29:44.319794500 qldap_set_option: set referrals successful
> 2006-04-28 14:29:44.320539500 qldap_bind: successful
> 2006-04-28 14:29:44.320572500 ldapfilter:
> '(&(objectClass=qmailuser)(|([EMAIL PROTECTED])([EMAIL PROTECTED])))'
> 2006-04-28 14:29:44.321168500 qldap_lookup: search for
> (&(objectClass=qmailuser)(|([EMAIL PROTECTED])([EMAIL PROTECTED]))) succeeded
> 2006-04-28 14:29:44.321201500 qldap_lookup: Nothing found
> 2006-04-28 14:29:44.321202500 ldapfilter:
> '(&(objectClass=qmailuser)(|([EMAIL PROTECTED])([EMAIL PROTECTED])))'
> 2006-04-28 14:29:44.321741500 qldap_lookup: search for
> (&(objectClass=qmailuser)(|([EMAIL PROTECTED])([EMAIL PROTECTED]))) succeeded
> 2006-04-28 14:29:44.321745500 qldap_lookup: Nothing found
> 2006-04-28 14:29:44.323092500 qmail-smtpd 11562: bad recipient:
> [EMAIL PROTECTED]
> 2006-04-28 14:29:44.323096500 qmail-smtpd 11562: message denied: Sorry,
> no mailbox here by that name. (#5.1.1)
> 2006-04-28 14:29:44.332185500 qmail-smtpd 11562: quit, closing
> connection
> 2006-04-28 14:29:44.332989500 tcpserver: end 11562 status 0
> 2006-04-28 14:29:44.332992500 tcpserver: status: 0/40
> ---
> 
> Hope this help.
> 
> /Mikkel
> 
> 
> On Wed, 2006-04-26 at 13:56 +0200, Claudio Jeker wrote:
> 
> > On Wed, Apr 26, 2006 at 01:09:15PM +0200, Mikkel Kruse Johnsen wrote:
> > > Hej Claudio
> > > 
> > > I'm using the newest 20060201 patch.
> > > 
> > > /Mikkel
> > > 
> > > Just to verify that I have processed the tcprules, as you can see it
> > > works for non existing users.
> > > 
> > 
> > Can you build a qmail-ldap version with DEBUG and send me the output of
> > qmail-smtpd when run with LOGLEVEL 255 (you only need to replace
> > qmail-verify with a debug version).
> > 
> > > --
> > > 2006-04-26 13:07:00.738381500 tcpserver: pid 31358 from 130.226.47.171
> > > 2006-04-26 13:07:00.738383500 tcpserver: ok 31358
> > > 0:192.38.9.203:25 :130.226.47.171::42908
> > > 2006-04-26 13:07:00.740976500 qmail-smtpd 31358: connection from
> > > 130.226.47.171 (unknown) to 0
> > > 2006-04-26 13:07:00.740981500 qmail-smtpd 31358: enabled options:
> > > sanitycheck returnmxcheck spfbehavior-fail(3) rblcheck rcptcheck
> > > smtp-auth rejectexecutables
> > > 2006-04-26 13:07:00.743433500 qmail-smtpd 31358: remote ehlo:
> > > mail.cbs.dk
> > > 2006-04-26 13:07:00.745881500 qmail-smtpd 31358: mail from:
> > > [EMAIL PROTECTED]
> > > 2006-04-26 13:07:00.753028500 qmail-smtpd 31358: SPF checking comleted
> > > 2006-04-26 13:07:00.914284500 qmail-smtpd 31358: RBL check with
> > > 'sbl.spamhaus.org': no match found, continue.
> > > 2006-04-26 13:07:00.967662500 qmail-smtpd 31358: RBL check with
> > > 'relays.ordb.org': no match found, continue.
> > > 2006-04-26 13:07:01.014700500 qmail-smtpd 31358: RBL check with
> > > 'list.dsbl.org': no match found, continue.
> > > 2006-04-26 13:07:01.062368500 qmail-smtpd 31358: RBL check with
> > > 'bl.spamcop.net': no match found, continue.
> > > 2006-04-26 13:07:01.066974500 qmail-smtpd 31358: RBL check with
> > > 'relays.ordb.org': no match found, continue.
> > > 2006-04-26 13:07:01.197600500 qmail-smtpd 31358: RBL check with
> > > 'spamguard.leadmon.net': no match found, continue.
> > > 2006-04-26 13:07:01.197633500 qmail-smtpd 31358: RBL checking completed
> > > 2006-04-26 13:07:01.258659500 qmail-smtpd 31358: rcpt to:
> > > [EMAIL PROTECTED]
> > > 2006-04-26 13:07:01.258708500 qmail-smtpd 31358: recipient verify,
> > > recipient not in goodmailaddr
> > > 2006-04-26 13:07:01.258735500 qmail-smtpd 31358: recipient verify,
> > > recipient is local
> > > 2006-04-26 13:07:01.288559500 qmail-smtpd 31358: bad recipient:
> > > [EMAIL PROTECTED]
> > > 2006-04-26 13:07:01.288609500 qmail-smtpd 31358: message denied: Sorry,
> > > no mailbox here by that name. (#5.1.1)
> > > 2006-04-26 13:07:01.289293500 qmail-smtpd 31358: 'rcpt to' first
> > > 2006-04-26 13:07:01.462654500 qmail-smtpd 31358: quit, closing
> > > connection
> > > 2006-04-26 13:07:01.463029500 tcpserver: end 31358 status 0
> > > --
> > > 2006-04-26 13:08:29.624461500 tcpserver: pid 31366 from 130.226.47.171
> > > 2006-04-26 13:08:29.624463500 tcpserver: ok 31366
> > > 0:192.38.9.203:25 :130.226.47.171::42924
> > > 2006-04-26 13:08:29.624466500 qmail-smtpd 31366: connection from
> > > 130.226.47.171 (unknown) to 0
> > > 2006-04-26 13:08:29.624469500 qmail-smtpd 31366: enabled options:
> > > sanitycheck returnmxcheck spfbehavior-fail(3) rblcheck rcptcheck
> > > smtp-auth rejectexecutables
> > > 2006-04-26 13:08:29.625531500 qmail-smtpd 31366: remote ehlo:
> > > mail.cbs.dk
> > > 2006-04-26 13:08:29.628063500 qmail-smtpd 31366: mail from:
> > > [EMAIL PROTECTED]
> > > 2006-04-26 13:08:29.635120500 qmail-smtpd 31366: SPF checking comleted
> > > 2006-04-26 13:08:29.640110500 qmail-smtpd 31366: RBL check with
> > > 'sbl.spamhaus.org': no match found, continue.
> > > 2006-04-26 13:08:29.693464500 qmail-smtpd 31366: RBL check with
> > > 'relays.ordb.org': no match found, continue.
> > > 2006-04-26 13:08:29.740485500 qmail-smtpd 31366: RBL check with
> > > 'list.dsbl.org': no match found, continue.
> > > 2006-04-26 13:08:29.775458500 qmail-smtpd 31366: RBL check with
> > > 'bl.spamcop.net': no match found, continue.
> > > 2006-04-26 13:08:29.780042500 qmail-smtpd 31366: RBL check with
> > > 'relays.ordb.org': no match found, continue.
> > > 2006-04-26 13:08:29.784725500 qmail-smtpd 31366: RBL check with
> > > 'spamguard.leadmon.net': no match found, continue.
> > > 2006-04-26 13:08:29.784756500 qmail-smtpd 31366: RBL checking completed
> > > 2006-04-26 13:08:29.811783500 qmail-smtpd 31366: rcpt to:
> > > [EMAIL PROTECTED]
> > > 2006-04-26 13:08:29.811823500 qmail-smtpd 31366: recipient verify,
> > > recipient not in goodmailaddr
> > > 2006-04-26 13:08:29.811850500 qmail-smtpd 31366: recipient verify,
> > > recipient is local
> > > 2006-04-26 13:08:29.850975500 qmail-smtpd 31366: bad recipient:
> > > [EMAIL PROTECTED]
> > > 2006-04-26 13:08:29.851027500 qmail-smtpd 31366: message denied: Sorry,
> > > no mailbox here by that name. (#5.1.1)
> > > 2006-04-26 13:08:29.851717500 qmail-smtpd 31366: 'rcpt to' first
> > > 2006-04-26 13:08:30.037195500 qmail-smtpd 31366: quit, closing
> > > connection
> > > 2006-04-26 13:08:30.037567500 tcpserver: end 31366 status 0
> > > 2006-04-26 13:08:30.037569500 tcpserver: status: 0/40
> > > --
> > > 
> > > 
> > > On Wed, 2006-04-26 at 12:24 +0200, Claudio Jeker wrote:
> > > 
> > > > On Wed, Apr 26, 2006 at 08:59:11AM +0200, Claudio Jeker wrote:
> > > > > On Wed, Apr 26, 2006 at 08:49:27AM +0200, Mikkel Kruse Johnsen wrote:
> > > > > > Hi
> > > > > > 
> > > > > > I have a problem, have just been pointed out that my qmail ldap is an
> > > > > > reverse open relay, meaning that sending a mail to a non existing user
> > > > > > on my domain will result i a bounce to the "mail from:" address and that
> > > > > > can be faked.
> > > > > > 
> > > > > > So adding "RCPTCHECK" to the environment should do it. 
> > > > > > 
> > > > > >     :allow,SMTPAUTH="",RETURNMXCHECK="",SANITYCHECK="",RCPTCHECK="",REJECTEXEC="",QHPSI="/usr/bin/clamdscan",QHPSIARG1="--no-summary",LOGLEVEL="4"
> > > > > > 
> > > > > > That will make the SMTP connection disconnect if the user is not in the
> > > > > > LDAP.
> > > > > > 
> > > > > > But sending a mail to a valid user with "-something" after like
> > > > > > "[EMAIL PROTECTED]" will get accepted. I have compiled without
> > > > > > DASH_EXT.
> > > > > > 
> > > > > > What could be the problem ?
> > > > > > 
> > > > > 
> > > > > Hmpf. Smells like a bug. I'll have a look at it.
> > > > > 
> > > > 
> > > > I can not reproduce it.
> > > > 
> > > > 250 ok
> > > > rcpt to: <[EMAIL PROTECTED]>
> > > > qmail-smtpd 20924: rcpt to: [EMAIL PROTECTED]
> > > > qmail-smtpd 20924: recipient verify, recipient not in goodmailaddr
> > > > qmail-smtpd 20924: recipient verify, recipient is local
> > > > qmail-smtpd 20924: bad recipient: [EMAIL PROTECTED]
> > > > qmail-smtpd 20924: message denied: Sorry, no mailbox here by that name. (#5.1.1)
> > > > 554 Sorry, no mailbox here by that name. (#5.1.1)
> > > > 
> > > > What version of qmail-ldap are you using?
> > > > 
> > > 
> > > Mikkel Kruse Johnsen
> > > Linet
> > > Ørholmgade 6 st tv
> > > 2200 København N
> > > 
> > > Tlf: +45 2128 7793
> > > email: [EMAIL PROTECTED]
> > > www: http://www.linet.dk
> > 
> 
> Med Venlig Hilsen
> 
> Linet
> Tlf:
> 21287793
> Mikkel Kruse Johnsen
> Direkte: 
> 21287793
> Ørholmgade 6 st. tv
> email:
> [EMAIL PROTECTED]
> DK-2200 København N
> web:
> http://www.linet.dk
> 
>
Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: [EMAIL PROTECTED]
www: http://www.linet.dk
Re: Qmail-ldap accepts dash mails.

Reply via email to
