Package: postfix
Version: 2.9.6-2
Severity: important
Tags: patch security

An unmodified Postfix install can be made to bounce arbitrary content from an arbitrary internal address to an arbitrary external address, by an external sender who has no affiliation with the organization that's running Postfix.
The possibilities for offensive use of this exploit are interesting. Suppose I want to prevent al...@a.com from receiving an important message that I think b...@b.com may be about to send to her. I can take 5,000 randomly selected articles from my local news spool, and cause b.com to bounce all of them from b...@b.com to postmas...@a.com. This will likely cause a.com to block incoming mail from b...@b.com, or from all of b.com... thus blocking Bob's message to Alice. Or if I'm a spammer and I just want to cause trouble for b.com, I can cause b.com to bounce spam to all the addresses in my listwash list.

To replicate this exploit, just add a "Delivered-To:" header with the same address you're using as the envelope recipient. Postfix will detect a mail forwarding loop _after_ accepting the message, and then bounce it to the envelope sender. See the discussion at <http://mid.gmane.org/20040917175924.ga30...@ns2.nordita.dk>.

In my own copy of Postfix, I have blocked this exploit by intercepting outbound bounces and sending them to the local postmaster instead. (A patch is attached.)

If Postfix can't be fixed to reject instead of bounce when it detects a forwarding loop, then I think it would be desirable to have everyone's copy of Postfix behave similarly, possibly switchable by a postconf option for any site admins who actually want their site to send outbound bounces.
-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages postfix depends on:
ii  adduser                 3.113+nmu3
ii  cpio                    2.11+dfsg-0.1
ii  debconf [debconf-2.0]   1.5.49
ii  dpkg                    1.16.12
ii  libc6                   2.13-38+deb7u1
ii  libdb5.1                5.1.29-5
ii  libsasl2-2              2.1.25.dfsg1-6+deb7u1
ii  libsqlite3-0            3.7.13-1+deb7u1
ii  libssl1.0.0             1.0.1e-2+deb7u4
ii  lsb-base                4.1+Debian8+deb7u1
ii  netbase                 5.0
ii  ssl-cert                1.0.32

Versions of packages postfix recommends:
ii  python                  2.7.3-4+deb7u1

Versions of packages postfix suggests:
ii  bsd-mailx [mail-reader] 8.1.2-0.20111106cvs-1
pn  dovecot-common          <none>
ii  emacs23 [mail-reader]   23.4+1-4
ii  libsasl2-modules        2.1.25.dfsg1-6+deb7u1
ii  mutt [mail-reader]      1.5.21-6.2+deb7u2
pn  postfix-cdb             <none>
pn  postfix-doc             <none>
pn  postfix-ldap            <none>
pn  postfix-mysql           <none>
pn  postfix-pcre            <none>
pn  postfix-pgsql           <none>
ii  procmail                3.22-20
pn  resolvconf              <none>
pn  sasl2-bin               <none>
pn  ufw                     <none>

-- debconf information excluded
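As an added example (not the reporter's attached patch and not Postfix's own code), the following Python function models the loop check described in the report as a reject-before-accept decision: given the raw message and the envelope recipient, it refuses a message whose Delivered-To: header already names that recipient, so the loop is caught while the sending client is still connected instead of being bounced to a possibly forged envelope sender afterwards. The function names, the address normalisation (domain part lower-cased only) and the sample message are this example's own assumptions, not Postfix's exact comparison rules.

```python
"""Reject-at-SMTP model of the Delivered-To: forwarding-loop check.

Added example; not the reporter's patch and not Postfix source.
A content filter or milter that sees headers and envelope recipients
could apply this before the message is accepted, turning a backscatter
bounce into a plain SMTP rejection of the connected client.
"""
from email import message_from_bytes
from email.policy import default

# Enhanced status 5.4.6 is the "routing loop detected" class (RFC 3463).
REJECT_LOOP = (550, "5.4.6 Mail forwarding loop for %s")


def normalize_address(addr: str) -> str:
    """Strip angle brackets and whitespace; lower-case the domain part.

    Assumption of this example: local parts are compared as-is, domains
    case-insensitively, which is enough for the single-recipient case.
    """
    addr = str(addr).strip().strip("<>").strip()
    local, sep, domain = addr.rpartition("@")
    return local + sep + domain.lower() if sep else addr


def delivered_to_loop(raw_message: bytes, envelope_rcpt: str):
    """Return (smtp_code, text) to reject with, or None to accept.

    A message that already carries a Delivered-To: header naming the
    envelope recipient would be flagged as a loop by the local delivery
    agent only after acceptance, producing a bounce to the envelope
    sender. Checking here lets the SMTP server refuse it instead.
    """
    msg = message_from_bytes(raw_message, policy=default)
    target = normalize_address(envelope_rcpt)
    for value in msg.get_all("Delivered-To", []):
        if normalize_address(value) == target:
            code, text = REJECT_LOOP
            return code, text % target
    return None


# Constructed sample message: an external sender pre-loads Delivered-To:
# with the recipient it is about to name in RCPT TO.
SAMPLE_MESSAGE = (
    b"Delivered-To: alice@example.org\n"
    b"From: outsider@example.net\n"
    b"To: alice@example.org\n"
    b"Subject: constructed test\n"
    b"\n"
    b"body\n"
)

if __name__ == "__main__":
    print(delivered_to_loop(SAMPLE_MESSAGE, "alice@example.org"))
    print(delivered_to_loop(SAMPLE_MESSAGE, "bob@example.org"))
```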