https://bugs.exim.org/show_bug.cgi?id=2188
Bug ID: 2188
Summary: Moving recipient check last to mitigate brute-force address scan
Product: Exim
Version: N/A
Hardware: x86
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: ACLs
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Created attachment 1047
--> https://bugs.exim.org/attachment.cgi?id=1047&action=edit
patch to move recipient check down
This recently came up in Exim logs:

2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<[email protected]> rejected RCPT <[email protected]>: Unrouteable address
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<[email protected]> rejected RCPT <[email protected]>: Unrouteable address
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<[email protected]> rejected RCPT <[email protected]>: Unrouteable address
....
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<[email protected]> rejected RCPT <[email protected]>: SPF check failed.
An attacker successfully found a valid local address using a brute-force scan.
This was only possible because recipient verification happens early (in this
case before the SPF check).
In order to mitigate this kind of attack, we moved recipient verification down
so that it happens after all other checks that could potentially cause a deny.
I think the Exim default config could be improved likewise, by moving sender
verification down after DNSBL checks.
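The reordering described in this report, shown as an added example ACL fragment: it is neither the attached patch nor Exim's shipped configuration. The first ACL keeps recipient verification early, the second moves it behind every check that can deny. `+local_domains`, `+relay_from_hosts` and `+relay_to_domains` are the list names used by the default configure template; the DNSBL zone is an assumed placeholder, and the `spf` condition is only available when Exim was built with SPF support (SUPPORT_SPF, formerly EXPERIMENTAL_SPF). `acl_smtp_rcpt` selects which of the two ACLs actually runs.

```exim
# Added example, not from the bug's patch or from Exim's default config.
# Select the ACL that handles each RCPT TO command:
acl_smtp_rcpt = acl_check_rcpt_after

# --- Vulnerable ordering -----------------------------------------------------
# verify = recipient runs before the reputation checks.  An unknown local part
# is rejected with "Unrouteable address"; a known one survives long enough to be
# rejected by SPF or the DNSBL instead.  The two different rejection texts are
# the oracle an address scanner needs.
acl_check_rcpt_before:
  accept  hosts = :                       # message from a local process, no remote host

  accept  local_parts = postmaster
          domains     = +local_domains

  require verify = sender

  accept  hosts   = +relay_from_hosts
          control = submission

  accept  authenticated = *
          control       = submission

  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify = recipient              # <- answers "Unrouteable address" too early

  deny    message  = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          dnslists = dnsbl.example        # assumed placeholder zone, pick your own

  deny    message = SPF check failed.
          spf     = fail                  # needs SUPPORT_SPF / EXPERIMENTAL_SPF

  accept

# --- Fixed ordering -----------------------------------------------------------
# Every check that can produce a deny now runs first.  A client that fails SPF
# or sits on the DNSBL gets the same rejection for every recipient it tries,
# valid or not, so its scan learns nothing.  Recipient verification is the last
# gate before accept.
acl_check_rcpt_after:
  accept  hosts = :

  accept  local_parts = postmaster
          domains     = +local_domains

  require verify = sender

  accept  hosts   = +relay_from_hosts
          control = submission

  accept  authenticated = *
          control       = submission

  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  deny    message  = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          dnslists = dnsbl.example        # assumed placeholder zone

  deny    message = SPF check failed.
          spf     = fail

  require verify = recipient              # <- moved down: only reached by clients that passed everything above

  accept
```

The reorder does not remove the oracle for a client that passes every preceding check: a host that is not listed and sends from a domain whose SPF record authorises it still learns which recipients route. Treat the ordering as closing the cheapest variant of the scan, and pair it with Exim's `ratelimit` ACL condition or equivalent per-host throttling of rejected RCPT commands if enumeration from clean hosts is a concern. Note also that in the default template the `dnslists` deny is commented out, so on a stock configuration the reorder only matters once you actually enable such a check.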