BlockCracking 1.7 released

DirectAdmin Support

Hello,

BlockCracking 1.7 has been released.
Its purpose is to block any script from using a current working directory of / or /home from sending emails.

Note that this does not apply to Users listed in
Code:
BC_UNLIMITED_USERNAMES = root : cron : mail : diradmin
so they can still send from anywhere.

Scripts must not try to fool the system by changing their sending path. Exim still knows which User it is by means of the UID, but the above ends up blocking /, which we don't want, as that would prevent everyone from sending emails.

This also removes the non-required log notice:
Code:
2017-09-26 18:01:24 1dwyqv-0004YY-UI acl_m_script_path '' is empty, skipping script path check.
in regards to the report here:
https://forum.directadmin.com/showthread.php?t=53760

John
 
I'm not a native English speaker, so I don't fully understand this:
Its purpose is to block any script from using a current working directory of / or /home from sending emails.
So this is only the root of / and /home, not for /home/username, so a script in /home/username still can send mail, correct?
 
Correct, /home/username will still work.
But if you login to ssh, as username, and type:
Code:
cd /
exim [email protected]
type in a subject, press enter twice, body, followed by a line with just a dot, then the mail will be blocked.

John
 
Hi, I'm facing some problems with bounces and this new ACL in BlockCracking; it seems that bounces are blocked because the script path is /
Code:
2017-10-06 09:10:08 [44359] 1e0Mlm-000BNr-E1 ** [email protected] F=<[email protected]> P=<[email protected]> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [74.125.133.27]:25 I=[543.873.831.457]:51950 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes DN="/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com": SMTP error from remote mail server after RCPT TO:<[email protected]>: 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1 https://support.google.com/mail/?p=NoSuchUser k73si795627wrc.84 - gsmtp
2017-10-06 09:10:08 [44401] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1e0Mlm-000BNr-E1
2017-10-06 09:10:08 [44401] 1e0Mls-000BY9-FJ acl_m_script_path '/' is never allowed for Users.
2017-10-06 09:10:08 [44401] 1e0Mls-000BY9-FJ <= <> R=1e0Mlm-000BNr-E1 U=mail P=local S=2965 M8S=0 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2017-10-06 09:10:08 [44401] 1e0Mls-000BY9-FJ => blackhole (non-SMTP ACL discarded recipients)
2017-10-06 09:10:08 [44401] 1e0Mls-000BY9-FJ Completed
2017-10-06 09:10:08 [44359] 1e0Mlm-000BNr-E1 Process failed (1) when writing error message to [email protected] (frozen)
 
I can confirm the issue, having the same problem here:
Code:
2017-10-07 18:16:22 1dzehs-0002yD-7y Process failed (1) when writing error message to [email protected] (frozen)
2017-10-07 18:16:22 1dzTpG-00049j-5f cancelled by timeout_frozen_after
2017-10-07 18:16:22 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1dzTpG-00049j-5f
2017-10-07 18:16:22 1e0rm2-0002zG-7E acl_m_script_path '/' is never allowed for Users.
2017-10-07 18:16:22 1e0rm2-0002zG-7E <= <> R=1dzTpG-00049j-5f U=mail P=local S=12723 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2017-10-07 18:16:22 1e0rm2-0002zG-7E => blackhole (non-SMTP ACL discarded recipients)
2017-10-07 18:16:22 1e0rm2-0002zG-7E Completed

Also when I send from my own domain to a non existing address:
Code:
2017-10-07 18:19:38 1e0rpB-00033V-Gg ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [64.233.162.26] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1  https://support.google.com/mail/?p=NoSuchUser f63si2146139lje.450 - gsmtp
2017-10-07 18:19:38 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1e0rpB-00033V-Gg
2017-10-07 18:19:38 1e0rpC-00033Z-4K acl_m_script_path '/' is never allowed for Users.
2017-10-07 18:19:38 1e0rpC-00033Z-4K <= <> R=1e0rpB-00033V-Gg U=mail P=local S=2680 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2017-10-07 18:19:38 1e0rpC-00033Z-4K => blackhole (non-SMTP ACL discarded recipients)
2017-10-07 18:19:38 1e0rpC-00033Z-4K Completed

And I don't receive the "non existing user" message on my email address... Something is really going wrong here.
The bounced mail with the notice "user does not exists" gets frozen in the mail queue instead of getting delivered to the sender (local or external does not make any difference, they all get frozen).
 
Thanks for the reports... A few things:
1) Is this init.d or systemd? I've yet to be able to generate the error, sending from a script to a remote non-existent address.

2) if you can duplicate it consistently, try:
Code:
cd /
service exim restart
#test1 to see if it triggers.
cd /var/spool/exim
service exim restart
#test2 to see if it triggers
basically, just to know if it's based on where the daemon is running from

3) To test if the message ID is set, please edit:
Code:
/etc/exim.blockcracking/script.conf
and change the logwrite line for the discard on the acl_m_script_path check to look like this (include the message id):
Code:
 logwrite = acl_m_script_path '$acl_m_script_path' is never allowed for Users id='$message_exim_id' caller_uid='$caller_uid' originator_uid='$originator_uid'..
I'm *hoping* that the case we don't want to check will have a blank message ID, or can see if caller_uid is mail or the User, which can be added as an extra condition to not do the check without a message ID, or specific UID.

---

And let me know if I'm missing something in terms of duplicating it. Doing so on an init.d system (CentOS 6), tried #2, but all bounces went through normally.

I think this might also be catching cron output for / even when crond is restarted from a different path, and I have not been able to catch a variable that lets us know it's a cron.
Even had exim run "pwd", but that always returns /var/spool/exim, no matter where anything is started from.

So we may need to remove this check on / if the above doesn't get us any useful info.

----------------------

After more debugging, I might have found a solution, to check for the HOME variable.. but doing that needs a new default exim.variables.conf to update the keep_environment, and new exim.pl to read it (didn't have much luck with the exim ${env{HOME}{}{}} function). I believe this can create the unique check we need.. as it seems to be blank for crons.... but not sure about your other bounce case, which I'm still not able to trigger...

Let me know :)

John
 
I can duplicate it consistently.

1.) In my case it's init.d, I guess, since I'm using CentOS 6.
However, my email (the second code part) was not sent from a script but from my Outlook 2013 email client, via my server, to a non-existing Gmail address. Which I did to test.

2.) I tested the first, again sent from my Outlook client, not from some script, again generating the same error.
It seems exim itself cwd's to /var/spool/exim, if I can believe this exim mainlog:
Code:
2017-10-08 01:50:22 cwd=/var/spool/exim 2 args: /usr/sbin/exim -qG
2017-10-08 01:50:53 1e0yrs-0006aZ-Sa <= [email protected] H=54xxxx.cm-5-7b.dynamic.ziggo.nl (HSTFN01) [84.xx.xx.xx] P=esmtpa A=login:[email protected] S=689 [email protected] T="test 1" from <[email protected]> for [email protected]
2017-10-08 01:50:53 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1e0yrs-0006aZ-Sa
2017-10-08 01:50:53 1e0yrs-0006aZ-Sa ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [64.233.162.26] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1  https://support.google.com/mail/?p=NoSuchUser h13si2085684lfg.251 - gsmtp
2017-10-08 01:50:53 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1e0yrs-0006aZ-Sa
2017-10-08 01:50:53 1e0yrt-0006ah-OM acl_m_script_path '/' is never allowed for Users.
2017-10-08 01:50:53 1e0yrt-0006ah-OM <= <> R=1e0yrs-0006aZ-Sa U=mail P=local S=2687 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2017-10-08 01:50:53 1e0yrt-0006ah-OM => blackhole (non-SMTP ACL discarded recipients)
2017-10-08 01:50:53 1e0yrt-0006ah-OM Completed

The second way to test also gave an error, but with slightly different output; this time the "frozen" notice appears too:
Code:
2017-10-08 01:56:22 cwd=/var/spool/exim 2 args: /usr/sbin/exim -qG
2017-10-08 01:56:58 1e0yxm-0006oB-Ht <= [email protected] H=541exxx.cm-5-xx.dynamic.ziggo.nl (HSTFN01) [84.xx.xx.xx] P=esmtpa A=login:[email protected] S=691 [email protected] T="Test 2" from <[email protected]> for [email protected]
2017-10-08 01:56:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1e0yxm-0006oB-Ht
2017-10-08 01:56:59 1e0yxm-0006oB-Ht ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [64.233.162.27] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1  https://support.google.com/mail/?p=NoSuchUser b74si2516326ljf.464 - gsmtp
2017-10-08 01:56:59 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1e0yxm-0006oB-Ht
2017-10-08 01:56:59 1e0yxn-0006oF-C4 acl_m_script_path '/' is never allowed for Users.
2017-10-08 01:56:59 1e0yxn-0006oF-C4 <= <> R=1e0yxm-0006oB-Ht U=mail P=local S=2684 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2017-10-08 01:56:59 1e0yxn-0006oF-C4 => blackhole (non-SMTP ACL discarded recipients)
2017-10-08 01:56:59 1e0yxn-0006oF-C4 Completed
2017-10-08 01:56:59 1e0yxm-0006oB-Ht Process failed (1) when writing error message to [email protected] (frozen)

3.) When doing it with the change mentioned in 3, the ACL script line looks like this:
Code:
2017-10-08 02:05:10 1e0z5i-0007AX-B0 acl_m_script_path '/' is never allowed for Users id='1e0z5i-0007AX-B0' caller_uid='8' originator_uid='8'..
And I checked, uid 8 = mail.
 
Ok, I've released 1.8 with more checks to prevent certain blocks:
http://forum.directadmin.com/showthread.php?t=55387

The / and /home paths are now only blocked if:
  1. $caller_id is not User "mail" (bounces flip to mail, should be allowed)
  2. $message_exim_id is not blank (possible for sender verify checks, not applicable to the block)
  3. HOME env var is not blank (blank in crons). Imperfect check, but better than a false positive.

John
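As an added example (not code from BlockCracking, DirectAdmin or anyone in this thread), a small Python triage script for the mainlog excerpts reported above and for the 1.8 rules just listed: it joins each script-path ACL hit with its `<=` and blackhole lines, tags exim's own bounces (from `<>`, submitted as U=mail or by the mail uid, which 1.8 exempts) as false positives versus genuine script blocks, and flags the parent message that was left frozen. The sample log lines are constructed in the format quoted here, and the mail uid of 8 is an assumption taken from the CentOS 6 report.

```python
import re
# Constructed sample in the shape of the exim mainlog lines quoted in this thread (ids, addresses
# and sizes are made up): exim's own bounce (from <>, U=mail) discarded by the script-path ACL,
# which leaves the parent message frozen, followed by a genuine block of a local user's script.
SAMPLE_LOG = """\
2017-10-08 02:05:10 1e0z5i-0007AX-B0 acl_m_script_path '/' is never allowed for Users id='1e0z5i-0007AX-B0' caller_uid='8' originator_uid='8'..
2017-10-08 02:05:10 1e0z5i-0007AX-B0 <= <> R=1e0z5h-0007AT-A1 U=mail P=local S=2687 T="Mail delivery failed: returning message to sender" from <> for user@example.com
2017-10-08 02:05:10 1e0z5i-0007AX-B0 => blackhole (non-SMTP ACL discarded recipients)
2017-10-08 02:05:10 1e0z5i-0007AX-B0 Completed
2017-10-08 02:05:10 1e0z5h-0007AT-A1 Process failed (1) when writing error message to user@example.com (frozen)
2017-10-08 02:07:00 1e0z7a-0007BB-C2 acl_m_script_path '/' is never allowed for Users id='1e0z7a-0007BB-C2' caller_uid='1004' originator_uid='1004'..
2017-10-08 02:07:00 1e0z7a-0007BB-C2 <= fred@example.com U=fred P=local S=512 T="hello" from <fred@example.com> for someone@example.org
2017-10-08 02:07:00 1e0z7a-0007BB-C2 => blackhole (non-SMTP ACL discarded recipients)
"""
MAIL_UID = "8"  # uid of the "mail" user as found on the reporter's CentOS 6 box; an assumption elsewhere
ACL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) acl_m_script_path '(?P<path>[^']*)' is never allowed"
                    r"(?: for Users id='(?P<msgid>[^']*)' caller_uid='(?P<caller>\d*)')?")
RECV_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
DISCARD_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) => blackhole \(non-SMTP ACL discarded recipients\)")
FROZEN_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) Process failed \(1\) when writing error message to \S+ \(frozen\)")

def _field(rest, key):  # pull one 'KEY=value' token (U=, R=, ...) out of the <= line
    m = re.search(r"(?:^| )%s=(\S+)" % re.escape(key), rest)
    return m.group(1) if m else ""

def analyze(log_text):
    """One record per script-path ACL hit, tagged as bounce false positive or genuine script block."""
    hits, frozen = {}, set()
    for line in log_text.splitlines():
        if (m := ACL_RE.match(line)):
            hits[m["id"]] = {"path": m["path"], "msgid": m["msgid"] or "", "caller_uid": m["caller"] or "",
                             "sender": "", "user": "", "parent": "", "recipient": "", "discarded": False}
        elif (m := RECV_RE.match(line)) and m["id"] in hits:
            h, rest = hits[m["id"]], m["rest"]
            h.update(sender=m["sender"], user=_field(rest, "U"), parent=_field(rest, "R"))
            fm = re.search(r" for (\S+)$", rest)
            h["recipient"] = fm.group(1) if fm else ""
        elif (m := DISCARD_RE.match(line)) and m["id"] in hits:
            hits[m["id"]]["discarded"] = True
        elif (m := FROZEN_RE.match(line)):
            frozen.add(m["id"])
    for msg_id, h in hits.items():
        # BlockCracking 1.8 exempts caller "mail": a from-<> message it submits is exim's own bounce
        is_bounce = h["sender"] == "<>" and (h["user"] == "mail" or h["caller_uid"] == MAIL_UID)
        h["kind"] = "bounce_false_positive" if is_bounce else "script_block"
        h["parent_frozen"] = h["parent"] in frozen  # original message is stuck in the queue
        h["id"] = msg_id
    return list(hits.values())
```

Run it against a real /var/log/exim/mainlog to list which ACL hits were bounces (and which parent ids to thaw with exim -Mt) and which were real script blocks worth looking at.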
 