Possible impersonation backdoor in Exim

ircdirk (Verified User, joined Feb 15, 2007)
Let's say a company has a site with a contact page where e-mail addresses are shown: [email protected], [email protected].

I have found that Exim from DA (newest, without any customization) allows you to send e-mail AS [email protected] TO [email protected] without authentication (mail sent from another server/IP).

Such impersonation shouldn't be possible.

Code:
telnet mediart.pl 25
Trying 195.242.117.20...
Connected to mediart.pl.
Escape character is '^]'.
220 mail.mediart.pl
EHLO up7.pl
250-mail.mediart.pl Hello mail.mediartcloud.pl [89.40.145.69]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
mail from: [email protected]
250 OK
rcpt to: [email protected]
250 Accepted
data
354 Enter message, ending with "." on a line by itself
test
.
250 OK id=1eczXP-0001lt-9G
quit
221 mail.mediart.pl closing connection
Connection closed by foreign host.

Also tested on other hosting companies' servers that run DA; same problem on every server.
 
It's a little weird that no one comments on this issue. Let's imagine that I was a worker at some company. I know my co-workers' e-mail addresses and my boss's too. I was fired. I don't have access to my e-mail any more, but I can send e-mails impersonating my boss to my co-workers from any IP because there is no authentication required. The only thing I have to know is their e-mail addresses, and that's all it takes for it to work.

That's a huge hole in the DA Exim configuration. This should be fixed.
 
> It's a little weird that no one comments on this issue.
The reason might be that it's working as designed; it's not a bug or a hole.
I can send you a mail from [email protected] or anybody I like. It's how mail servers work, otherwise mail would never be able to arrive.

Authentication applies if the mail is sent from the same IP the sender should send from; from a different IP you can't send as anybody to anybody. So if you were sending as contact to support, initiating the mail on the server of contact, then there should be an authentication error, if authentication for sending mail is forced.

This is why, for example, SPF records and DKIM were invented. If you're sending mail from another server/IP, then your own server would reject the mail (if you check the SPF record) because that other IP is not allowed to send mail on behalf of somecompany.com.

So there is not a huge hole. You might want to learn a bit about the workings of MTAs, which Exim is too.
Next to that, if you want more security, use SPF and DKIM, use a Spamblocker.conf Exim configuration file and other measures such as ESF, BlockCracking and SpamAssassin.
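To make concrete what the SPF part of the post above means, here is an added example in Python; it is not code from the thread, from DirectAdmin or from Exim. It is a deliberately minimal SPF evaluator that implements only the ip4, ip6 and all mechanisms; anything that needs DNS (include, a, mx, exists, redirect) is reported as permerror rather than silently skipped, so an unevaluated term can never look like a pass. The SPF records in SPF_RECORDS are constructed for the example (a real check would fetch the TXT record of the envelope-sender domain). Fed the thread's own case, an outsider at 89.40.145.69 handing in MAIL FROM a mediart.pl address while the record only authorises the domain's real server 195.242.117.20, the result is fail, which is what a receiving MTA that checks SPF on inbound mail would act on.

```python
"""Minimal SPF (RFC 7208 subset) evaluation: ip4, ip6 and all only."""
import ipaddress

# Constructed records for the example; a real evaluator would look up the
# TXT record of the sender's domain in DNS instead of using this table.
SPF_RECORDS = {
    "mediart.pl": "v=spf1 ip4:195.242.117.20 -all",
    "company.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a 'v=spf1 ...' record for the connecting client_ip.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Mechanisms that require DNS resolution are not implemented here and
    yield 'permerror' so the caller never mistakes them for a match.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]      # 'all' matches everything
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"            # malformed address/prefix
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue                          # no match, next mechanism
        return "permerror"                    # include/a/mx/exists/redirect
    return "neutral"                          # nothing matched, no 'all'


def check_envelope_sender(sender, client_ip, records=SPF_RECORDS):
    """Evaluate the record of the envelope sender's domain; 'none' if absent."""
    domain = sender.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none"
    return evaluate_spf(record, client_ip)


if __name__ == "__main__":
    # The thread's case: 89.40.145.69 claims a mediart.pl sender, but the
    # (constructed) record only authorises 195.242.117.20.
    print(check_envelope_sender("contact@mediart.pl", "89.40.145.69"))    # fail
    print(check_envelope_sender("contact@mediart.pl", "195.242.117.20"))  # pass
```

In Exim this verdict is what an `spf` ACL condition (or a SpamAssassin SPF rule, as the post suggests) would feed into the RCPT decision; the point of the example is that the rejection keys on the connecting IP versus the published policy, not on whether the session authenticated.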
 
Nope, I think you don't understand the problem:

1) I don't have access to [email protected]
2) I know that the boss's e-mail is [email protected]
3) I know a co-worker's e-mail is [email protected]
4) I'm connecting to the company.com e-mail server on port 25 via telnet from anywhere I want
5) I can send e-mail as [email protected] to [email protected] without authentication
6) I can also send mail as [email protected] to [email protected] without authentication
7) I could also send e-mail as [email protected] to any *@company.com address I know exists

Is that normal? I don't think so. It's like an open relay, but only for local domains. I shouldn't be able to send e-mails as [email protected] using the company.com mail server without authentication, even to local domains.
 
Richard explained it very well.

There is no way to prevent other people from using your email address. There are no services that can completely prevent spammers from using your email address since they are using a different mail server.

For example spammers forge the “From:” address for the email they send. This technique is referred to as “from spoofing“. An email address isn’t the same as an email account. It’s a trivial matter to send email “from:” an email address without access to the account.

As Richard already mentioned, if you want more security, use SPF and DKIM, use a Spamblocker.conf Exim configuration file and other measures such as ESF, BlockCracking and SpamAssassin.
 
> Richard explained it very well.
>
> There is no way to prevent other people from using your email address. There are no services that can completely prevent spammers from using your email address since they are using a different mail server.
>
> For example spammers forge the "From:" address for the email they send. This technique is referred to as "from spoofing". An email address isn't the same as an email account. It's a trivial matter to send email "from:" an email address without access to the account.
>
> As Richard already mentioned, if you want more security, use SPF and DKIM, use a Spamblocker.conf Exim configuration file and other measures such as ESF, BlockCracking and SpamAssassin.

I'm not writing about preventing the use of my e-mail address; I know that's impossible.

I'm writing about sending e-mail without authorization using the server on which this domain is located and which is the authoritative mail server. So that's sending *@company.com e-mails using company.com, which is the authoritative mail server for company.com (see my example in post #4), not through another open relay server or other method.

Please analyze my problem more carefully, step by step.
 
Okay, maybe I read it too fast. But as far as I know it is protected in Exim by these rules in exim.conf:
Code:
#EDIT#25:
acl_check_helo:

  .include_if_exists /etc/exim.acl_check_helo.pre.conf

  # accept mail originating on this server unconditionally
  accept  hosts = @[] : @
  # deny if the HELO pretends to be this host
    deny message = HELO_HOST_IMPERSANATION
      condition = ${if or { \
                            {eq{$sender_helo_name}{$smtp_active_hostname}} \
                            {eq{$sender_helo_name}{[$interface_address]}} \
                          } {true}{false} }
  # deny if the HELO is an IP address
    deny message = HELO_IS_IP
         condition   = ${if eq{$interface_port}{25}}
         condition   = ${if isip{$sender_helo_name}}
  # deny if hostname if ylmf-pc, which accounts for a HUGE percentage of BF attacks
    deny message = HELO_BLOCKED_FOR_ABUSE
         condition   = ${if eq{$sender_helo_name}{ylmf-pc}}
  # deny if the HELO pretends to be one of the domains hosted on the server
    deny message = HELO_IS_LOCAL_DOMAIN
        condition = ${if match_domain{$sender_helo_name}{+local_domains}{true}{false}}
        hosts = ! +relay_hosts
        
  .include_if_exists /etc/exim.acl_check_helo.post.conf

  accept

I tried to reproduce what you did using telnet on port 25, but without success. I would always advise closing port 25, or if you are using CSF, set SMTP_BLOCK = "1". Maybe other people can take a better look at this?
 
> Please analyze my problem more carefully, step by step.

I did. But it might also be wise to state your problem more carefully, because this is what you stated in your first message:

> (mail sent from another server/IP).

And now you're stating:

> I'm writing about sending e-mail without authorization using the server on which this domain is located
Which is a completely different statement.

However, it doesn't matter; it's still working as designed, because in both cases you're using the local mail server for local delivery. Local delivery is not checked against SMTP authentication, which is still working as designed.
There is a solution but it's strongly advised not to do that.

If you want the same story explained, check this thread:
http://forum.directadmin.com/showthread.php?t=29903

The only way to prevent this telnet abuse is to enforce encryption. However, when using a piece of software like a mail client to spoof the e-mails, it's still possible.

@Awd: I wonder what you did then, because it's possible on all servers. You can't close port 25, otherwise other mail servers can't connect to your mail server anymore.
SMTP_BLOCK=1 in CSF is good practice.
Also check SMTP_ALLOWLOCAL = "1", unless you don't want scripts to use the PHP mail function and all have to use SMTP authentication.
 
By using telnet I'm reproducing connecting from a desktop client, and in this way I should always have to be authorized to be allowed to send e-mails as local domains. If that weren't the case, open relay and authorization wouldn't be needed. The IP from which I'm connecting to the company.com authoritative server doesn't matter, because the client can be anywhere in the world, and I used 4 different IPs to test this.

When I'm connecting by telnet and I would like to send e-mail as a local domain to a non-local domain, I need authorization (preventing open relay):

1. I don't have access to [email protected], but
2. I'm connecting to the company.com authoritative e-mail server on port 25 via telnet from anywhere I want
3. setting HELO to a host other than company.com
4. I'm trying to send e-mail to [email protected] from [email protected]
5. getting the message: authorization required

The same should apply for local domains to local domains.

#################################################

Another example, for the Polish hosting company HEKKO.pl using DA. I don't have any e-mail account there:

telnet mail.hekko.pl 25
Trying 188.116.32.112...
Connected to mail.hekko.pl.
Escape character is '^]'.
220 hekko.pl ESMTP Exim 4.80.1 Tue, 23 Jan 2018 06:49:35 +0100
HELO mediart.pl
250 hekko.pl Hello mail.mediart.pl [195.242.117.20]
mail from: [email protected]
250 OK
rcpt to: [email protected]
250 Accepted
data
354 Enter message, ending with "." on a line by itself
test
.
250 OK id=1edrTB-0007Pk-0H

BUT FOR SENDING to a host other than the local domain:

telnet mail.hekko.pl 25
Trying 188.116.32.112...
Connected to mail.hekko.pl.
Escape character is '^]'.
220 hekko.pl ESMTP Exim 4.80.1 Tue, 23 Jan 2018 06:51:21 +0100
HELO mediart.pl
250 hekko.pl Hello mail.mediart.pl [195.242.117.20]
mail from: [email protected]
250 OK
rcpt to: [email protected]
550 authentication required
 
Found a solution:

Added /etc/exim.acl_check_recipient.mid.conf with:

Code:
deny message = AUTH_REQUIRED
    domains = +local_domains
    sender_domains = +local_domains
    verify = recipient
    !authenticated = *

Now local domains can't send e-mails to local domains without authentication.

Code:
telnet mediart.pl 25
Trying 195.242.117.20...
Connected to mediart.pl.
Escape character is '^]'.
220 mail.mediart.pl
EHLO up7.pl
250-mail.mediart.pl Hello mail.mediartcloud.pl [89.40.145.69]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
mail from: [email protected]
250 OK
rcpt to: [email protected]
550 authentication required

telnet mediart.pl 25
Trying 195.242.117.20...
Connected to mediart.pl.
Escape character is '^]'.
220 mail.mediart.pl
EHLO up7.pl
250-mail.mediart.pl Hello mail.mediartcloud.pl [89.40.145.69]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
mail from: [email protected]
250 OK
rcpt to: [email protected]
550 authentication required

Tested, all works fine:
- all mails from external domains are delivered fine (no authorization here)
- mails between local domains are delivered fine because they are authenticated (desktop/mobile clients use authentication to send e-mails)
- mails from local domains to external domains are delivered fine because they are also authenticated (desktop/mobile clients use authentication to send e-mails)
- mails from PHP mail() are delivered fine.

I don't know if this is the right configuration, I may be missing something, but something like this should be added to the default DA Exim configuration.
 
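The test the thread performs by hand in telnet, both the original first post (250 Accepted at RCPT TO for a local sender and local recipient with no AUTH) and the post above (550 authentication required after the deny was added), can be scripted. The following is an added example written for this page; it is not code from the thread, from DirectAdmin or from Exim. `probe()` uses Python's smtplib to do EHLO, MAIL FROM and RCPT TO and then RSET, so it learns the server's verdict without ever sending DATA and nothing is delivered. Because a live MTA is not available here, `FakeExim` is a small in-process SMTP responder that reproduces the two behaviours the thread shows (and the 550 for relaying to an external domain seen on mail.hekko.pl), so the probe can be exercised offline; point `probe()` at a real host and port to run it for real. The domain company.com, the HELO name probe.example and the addresses used are constructed for the example.

```python
"""Check whether an MTA accepts a forged local-to-local envelope without AUTH.

probe() speaks just enough SMTP to see how the server answers RCPT TO when
MAIL FROM names a local domain and the session is unauthenticated. It never
sends DATA, so nothing is delivered. FakeExim is an in-process stand-in that
mimics the two behaviours shown in the thread: 250 Accepted (default setup)
and 550 authentication required (with the AUTH_REQUIRED deny in place).
"""
import smtplib
import socket
import threading

# Constructed for the example; on a real server this is +local_domains.
LOCAL_DOMAINS = {"company.com"}


def probe(host, port, sender, recipient):
    """Return (code, text) for RCPT TO, or for MAIL FROM if that already fails.

    250 means the server took an unauthenticated envelope from `sender` to
    `recipient`; 550 means the ACL refused it. The envelope is reset, never
    completed with DATA.
    """
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("probe.example")            # constructed HELO name
        code, msg = smtp.mail(sender)
        if code != 250:
            return code, msg.decode(errors="replace")
        code, msg = smtp.rcpt(recipient)
        smtp.rset()                           # abandon the envelope
        return code, msg.decode(errors="replace")


class FakeExim(threading.Thread):
    """One-connection SMTP responder on 127.0.0.1 with a toy recipient ACL."""

    def __init__(self, require_auth):
        super().__init__(daemon=True)
        self.require_auth = require_auth      # True = AUTH_REQUIRED deny active
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    @staticmethod
    def _domain(addr):
        return addr.strip("<>").rsplit("@", 1)[-1].lower()

    def _rcpt_verdict(self, sender, rcpt):
        # Relaying to a non-local domain is always refused when unauthenticated
        # (the 550 the thread sees on mail.hekko.pl for an external recipient).
        if self._domain(rcpt) not in LOCAL_DOMAINS:
            return b"550 authentication required\r\n"
        # Local sender to local recipient: accepted by default, refused only
        # when the added deny (sender_domains/domains = +local_domains) is on.
        if self.require_auth and sender and self._domain(sender) in LOCAL_DOMAINS:
            return b"550 authentication required\r\n"
        return b"250 Accepted\r\n"

    def run(self):
        conn, _ = self.sock.accept()
        rfile = conn.makefile("rb")
        conn.sendall(b"220 mail.company.com\r\n")
        sender = None
        for raw in rfile:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                conn.sendall(b"250-mail.company.com Hello\r\n"
                             b"250-AUTH PLAIN LOGIN\r\n250 HELP\r\n")
            elif verb == "MAIL":
                sender = arg.split(":", 1)[-1]          # "FROM:<addr>" -> "<addr>"
                conn.sendall(b"250 OK\r\n")
            elif verb == "RCPT":
                conn.sendall(self._rcpt_verdict(sender, arg.split(":", 1)[-1]))
            elif verb == "QUIT":
                conn.sendall(b"221 closing connection\r\n")
                break
            else:                                       # RSET, NOOP, anything else
                sender = None if verb == "RSET" else sender
                conn.sendall(b"250 OK\r\n")
        rfile.close()
        conn.close()
        self.sock.close()


def demo(require_auth, sender="boss@company.com", recipient="worker@company.com"):
    """Start a FakeExim with the given policy, probe it, return the RCPT code."""
    server = FakeExim(require_auth)
    server.start()
    code, _ = probe("127.0.0.1", server.port, sender, recipient)
    server.join(timeout=5)
    return code


if __name__ == "__main__":
    print("default, local->local, no AUTH:", demo(False))                       # 250
    print("with AUTH_REQUIRED deny       :", demo(True))                        # 550
    print("relay to external, no AUTH    :", demo(False, recipient="x@up7.pl")) # 550
    print("external sender, local rcpt   :", demo(True, sender="x@up7.pl"))     # 250
```

The last case is the one the post's checklist cares about: with the deny in place, inbound mail from an external sender domain to a local mailbox is still accepted, so only the local-sender, local-recipient, unauthenticated combination is refused. The probe stops at RCPT on purpose; a check that has to send DATA to learn the answer would leave test messages in someone's mailbox.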
Except if they are to be delivered to local domains. ;)

Just tested, works OK, no authentication required for local domains with PHP mail(). There must be some rule (accept) for this in exim.conf that overrides my added ACL.

Edit:
There must be another rule for this, because PHP mail() uses sendmail to send e-mails, so I also tested sending mails from the console and it also works without authentication:

Code:
echo "test mail" | sendmail -f [email protected] [email protected]
 
Ah, in that case it might be a solution. I'm not sure about this, or whether it can break other things like local mail from DA; not sure if that's sent via sendmail too.

I'll ask DA support to comment on this if they have time, to get clarification whether that is the correct way of implementing it and whether it won't break anything else. Because in that case this can be interesting indeed.
 
> Ah, in that case it might be a solution. I'm not sure about this, or whether it can break other things like local mail from DA; not sure if that's sent via sendmail too.
>
> I'll ask DA support to comment on this if they have time, to get clarification whether that is the correct way of implementing it and whether it won't break anything else. Because in that case this can be interesting indeed.

There may be another way to do it; I'm not an expert in Exim. Anyway, thanks.

Edit:
Local mail from DA is working fine.
 
Hello,

Reported to DirectAdmin developers via the ticket system. So let's see what John will say.

p.s. Ticket #9925
 
> Reported to DirectAdmin developers via the ticket system. So let's see what John will say.

As stated before, I already sent an e-mail to them, requesting that John read this and comment on it here on the forums.
However, I did state that it had no hurry, but yes, usually he will answer in the forums.
 
> As stated before, I already sent an e-mail to them, requesting that John read this and comment on it here on the forums.
> However, I did state that it had no hurry, but yes, usually he will answer in the forums.

I'm not hurrying anyone, I just want to know. Thanks.
 
It's actually not Exim's task to deny these types of mails. These mails should be denied using the SPF '-all' setting and antispam software that checks SPF DNS records. This prevents non-registered external mail servers from sending mail using the company's domain name.

Using this in the exim.conf will get you into trouble if e.g. an employee or subdivision of the company uses another mail server. S/he might have authenticated at that server, and that server will forward the mail to the company's main mail server. But even though this second mail server might be listed in the SPF as an authorised sender, the main mail server will still deny the mail because the remote mail server did not log in at the main mail server... am I making sense?
 
> Using this in the exim.conf will get you into trouble if e.g. an employee or subdivision of the company uses another mail server. S/he might have authenticated at that server, and that server will forward the mail to the company's main mail server. But even though this second mail server might be listed in the SPF as an authorised sender, the main mail server will still deny the mail because the remote mail server did not log in at the main mail server... am I making sense?

I'm not sure, but can we add a +relay_hosts condition to my config? Or something similar.
 