Mailing List Archive

restricted characters in address
Following an idle-moment post on mailop, I wonder:

From the default config:

---
acl_check_rcpt:

  accept  hosts = :

  deny    domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]
          message       = Restricted characters in address

  deny    domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
          message       = Restricted characters in address
---

Firstly, I don't understand the logic of accepting any address from an
stdio submission, while applying the restriction to a localhost tcp
submission.

Secondly, is there really any reason nowadays for restricting % and !
?

The last time I saw a % address was in 1995, and the last time I saw a
! address was in 1994. (And of course, when I did see them, they had
the original interpretations.) What is the kind of attack that could
nowadays be prevented by restricting these characters in outgoing
email?

Julian.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: restricted characters in address
On Sat, Mar 09, 2024 at 09:26:39PM +0000, Julian Bradfield via Exim-users wrote:

> Secondly, is there really any reason nowadays for restricting % and ! ?
>
> The last time I saw a % address was in 1995, and the last time I saw a
> ! address was in 1994. (And of course, when I did see them, they had
> the original interpretations.) What is the kind of attack that could
> nowadays be prevented by restricting these characters in outgoing
> email?

When Exim or any other MTA relays mail with "%" or "!" addresses to an
internal MTA, that MTA might be configured to support legacy address
syntax forms. The combined front-end + internal system becomes an
open relay.

And by the way, by default Postfix still supports % and ! addresses:

https://www.postfix.org/postconf.5.html#allow_percent_hack
https://www.postfix.org/postconf.5.html#swap_bangpath

--
Viktor.

Re: restricted characters in address
On 09.03.24 at 22:26, Julian Bradfield via Exim-users wrote:
> Following an idle-moment post on mailop, I wonder:
>
> From the default config:
>
> ---
> acl_check_rcpt:
>
>   accept  hosts = :
>
>   deny    domains       = +local_domains
>           local_parts   = ^[.] : ^.*[@%!/|]
>           message       = Restricted characters in address
>
>   deny    domains       = !+local_domains
>           local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
>           message       = Restricted characters in address

@Jeremy:

Why aren't the extended restrictions for the "$run{}" attack the new
defaults?

          local_parts   = ^[.] : ^.*[\$@%!/|] : ^.*x24 : ^.*0.44
          local_parts   = ^[./|] : ^.*[\$@%!] : ^.*/\\.\\./ : ^.*x24 : ^.*0.44

Doesn't it make sense to have two barriers in the way and not relying
on only one defense line (the patched string expand flaw)?

This does not cost us anything besides some cpu cycles. Existing
configs won't get changed by new defaults for new installations. It
could be changed with a new major release, i.e. 4.98.

>
> Firstly, I don't understand the logic of accepting any address from an
> stdio submission, while applying the restriction to a localhost tcp
> submission.

Simple: on multiuser systems you never know who got hacked, has
malicious intents or uses faulty webapps. X

>
> Secondly, is there really any reason nowadays for restricting % and !
> ?
>
> The last time I saw a % address was in 1995, and the last time I saw a
> ! address was in 1994. (And of course, when I did see them, they had

As may be imagined: hackers do not care when it was used last. They care
if it triggers something they can leverage.



Re: restricted characters in address
On 2024-03-10, Viktor Dukhovni via Exim-users <exim-users@lists.exim.org> wrote:
> On Sat, Mar 09, 2024 at 09:26:39PM +0000, Julian Bradfield via Exim-users wrote:
> When Exim or any other MTA relays mail with "%" or "!" addresses to an
> internal MTA, that MTA might be configured to support legacy address
> syntax forms. The combined front-end + internal system becomes an
> open relay.

That would be a configuration problem for that site - not a reason to
stop your users replying to perfectly valid addresses.

> And by the way, by default Postfix still supports % and ! addresses:
>
> https://www.postfix.org/postconf.5.html#allow_percent_hack
> https://www.postfix.org/postconf.5.html#swap_bangpath

But it doesn't route them.

https://www.postfix.org/postconf.5.html#allow_untrusted_routing

Re: restricted characters in address
On 2024-03-10, Cyborg via Exim-users <exim-users@lists.exim.org> wrote:
>> Firstly, I don't understand the logic of accepting any address from an
>> stdio submission, while applying the restriction to a localhost tcp
>> submission.
>
> Simple: on multiuser systems you never know who got hacked, has
> malicious intents or uses faulty webapps. X

On a multiuser system, anybody can pipe a message into exim, can't
they?

Re: restricted characters in address
On 2024-03-10, Cyborg via Exim-users <exim-users@lists.exim.org> wrote:
>> The last time I saw a % address was in 1995, and the last time I saw a
>> ! address was in 1994. (And of course, when I did see them, they had
>
> As may be imagined: hackers do not care when it was used last. They care
> if it triggers something they can leverage.

Anybody who has an open relay because of supporting a
30-year-obsolete (and non-RFC) facility is asking for trouble.
(I also haven't seen such attempts in my logs.)


Re: restricted characters in address
On 10/03/2024 08:51, Cyborg via Exim-users wrote:
>
> @Jeremy:

Was that aimed at me? There is no "@" in my name.

> Why aren't the extended restrictions for the "$run{}" attack the new defaults?

Because nobody thinks it useful enough?


(I suspect it was one of the attacks that led to the introduction
of taint-tracking, for which a shedload of people bitched and
moaned, and worked hard on identifying ways to evade. I think
I saw a grand total of one approving comment).


But, hey, it's a part of the configuration that is under your
control. You want something there, you can add it.
--
Cheers,
Jeremy


Re: restricted characters in address
On Sun, Mar 10, 2024 at 09:53:09AM +0000, Julian Bradfield via Exim-users wrote:

> > Simple: on multiuser systems you never know who got hacked, has
> > malicious intents or uses faulty webapps. X

> On a multiuser system, anybody can pipe a message into exim, can't
> they?

Not necessarily, in particular not on my servers. The submission agent
can be a different program.

--
Ian

Re: restricted characters in address
On Sun, Mar 10, 2024 at 09:49:14AM +0000, Julian Bradfield via Exim-users wrote:

> That would be a configuration problem for that site - not a reason to
> stop your users replying to perfectly valid addresses.
>
> > And by the way, by default Postfix still supports % and ! addresses:
> >
> > https://www.postfix.org/postconf.5.html#allow_percent_hack
> > https://www.postfix.org/postconf.5.html#swap_bangpath
>
> But it doesn't route them.
>
> https://www.postfix.org/postconf.5.html#allow_untrusted_routing

You missed an important qualifier "from untrusted clients": if the
forwarded message is from a peer system listed in $mynetworks, then
the message will be (source) routed.

- The edge system accepts <user%remote@internal>.
- The internal MTA does not restrict relaying by the edge system.
- The message is ultimately forwarded to <user@remote>.

This is why "allow_untrusted_routing" is set to no, Postfix does rely on
the internal (relay destination) system to not be an open relay for
messages it forwards.

And to detect that this could be an issue, the parsing of "%" and "!"
addresses as potential source routes needs to remain enabled.

I understood the topic under discussion to be enforcement of similar
rules in Exim. Apologies if I got the wrong end of the stick.

--
Viktor.
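
The three-step scenario in the message above, as an added example that is not part of the original post and is not Exim or Postfix code: it applies the two local_parts lists from the default acl_check_rcpt at the edge, then follows the recipient through a simplified model of an internal MTA that still interprets % and ! addresses. The host names, the sample recipients and the legacy_resolve() model are assumptions made for illustration.

```python
import re

# The two local_parts lists from the default acl_check_rcpt quoted in the
# thread, as regexes after Exim's string expansion ("\\." becomes "\.").
LOCAL_DENY = [r"^[.]", r"^.*[@%!/|]"]                 # domains = +local_domains
REMOTE_DENY = [r"^[./|]", r"^.*[@%!]", r"^.*/\.\./"]  # domains = !+local_domains


def restricted(rcpt, edge_local_domains):
    """True if the edge's two deny statements would reject this recipient."""
    local_part, _, domain = rcpt.rpartition("@")
    deny = LOCAL_DENY if domain.lower() in edge_local_domains else REMOTE_DENY
    return any(re.search(p, local_part) for p in deny)


def legacy_resolve(rcpt, internal_domains):
    """Simplified model (an assumption, not Postfix code) of an internal MTA
    that still interprets % and ! in addresses for its own domains."""
    while True:
        local_part, _, domain = rcpt.rpartition("@")
        if domain.lower() not in internal_domains:
            return rcpt                       # next hop is somewhere else
        if "%" in local_part:                 # user%remote -> user@remote
            user, _, remote = local_part.rpartition("%")
        elif "!" in local_part:               # remote!user -> user@remote
            remote, _, user = local_part.partition("!")
        else:
            return rcpt                       # ordinary local delivery
        rcpt = f"{user}@{remote}"


def final_recipient(rcpt, edge_local, internal, edge_acl=True):
    """Where a recipient accepted by the edge ends up, or None if denied."""
    if edge_acl and restricted(rcpt, edge_local):
        return None                           # "Restricted characters in address"
    return legacy_resolve(rcpt, internal)


# Constructed sample topology and recipients (all names are hypothetical).
EDGE_LOCAL = {"edge.example"}
INTERNAL = {"internal.example"}
SAMPLES = ["alice@internal.example",
           "user%remote.example@internal.example",
           "remote.example!user@internal.example"]

if __name__ == "__main__":
    for rcpt in SAMPLES:
        print(rcpt, "| ACL on:", final_recipient(rcpt, EDGE_LOCAL, INTERNAL),
              "| ACL off:", final_recipient(rcpt, EDGE_LOCAL, INTERNAL, False))
```

With the deny statements in place the two legacy-syntax recipients never reach the internal system; without them, the model forwards both to a domain the edge was never asked to relay for.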

Re: restricted characters in address
On 2024-03-10, Viktor Dukhovni via Exim-users <exim-users@lists.exim.org> wrote:
>> https://www.postfix.org/postconf.5.html#allow_untrusted_routing
>
> You missed an important qualifier "from untrusted clients": if the
> forwarded message is from a peer system listed in $mynetworks, then
> the message will be (source) routed.
>
> - The edge system accepts <user%remote@internal>.
> - The internal MTA does not restrict relaying by the edge system.
> - The message is ultimately forwarded to <user@remote>.

Good point.
Of course, there is still the question as to why any form of source
routing should be enabled in a default configuration of anything,
given its almost total obsoleteness.
(I could imagine source routing being useful to communicate from an
isolated network that connects to the outside world only via one very
tied down mail relay, but I wonder if anybody does that.)

Re: restricted characters in address
On Sun, Mar 10, 2024 at 07:53:40PM +0000, Julian Bradfield via Exim-users wrote:

> Of course, there is still the question as to why any form of source
> routing should be enabled in a default configuration of anything,
> given its almost total obsoleteness.
> (I could imagine source routing being useful to communicate from an
> isolated network that connects to the outside world only via one very
> tied down mail relay, but I wonder if anybody does that.)

It is difficult to determine when safety measures are no longer needed.
The code is already there, and is not obviously doing any harm or requiring
much upkeep, so we keep it around.

--
Viktor.
