On 12/6/2022 12:56 PM, Bob Proulx wrote:
>    # LIST: "| /opt/majordomo/wrapper resend -C /opt/majordomo/DOMAIN.cf -l LIST -h DOMAIN LIST-outgoing"
>    # LIST-outgoing: :include:/opt/majordomo/lists/DOMAIN/LIST,
> If someone knows that LIST-outgoing exists then it can be abused by
> sending there directly.  Suggestion: Attempt to avoid that possibility
> by using a random string in replacement for "outgoing" in
> LIST-outgoing making that abuse more difficult.
>
>      LIST-zcSoC90h: :include:/opt/majordomo/lists/DOMAIN/LIST,
>
> This is not perfect because it shows up in Delivered-To: but it
> prevents a blind guessing attack of a well known address.  And it can
> always be spun and rotated at any time if it becomes abused since it
> is not a public interface.

Years ago Wietse helped me set up my configuration to block that potential exploit directly without hoping to hide behind obscurity:

   smtpd_recipient_restrictions =
            check_recipient_access pcre:/etc/postfix/smtpd_access.pcre

   smtpd_access.pcre is:

   # Protect outgoing majordomo exploders
   /^(.*)-mj-incoming@(.*)/ 550 Use ${1}@lists.mydomain instead
   /^(.*)-mj-outgoing@(.*)/ 550 Use ${1}@lists.mydomain instead

The incoming and outgoing expanders are accessed by majordomo running on the server, so the submission does not come in via smtpd.
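As an added illustration, not code from either poster, the following Python emulates how Postfix evaluates this check_recipient_access pcre: table: rules are tried in order, the first match wins, ${1} is filled from the first capture group, and matching is case-insensitive as in a Postfix pcre table. It also models the point made above: a RCPT TO for LIST-mj-outgoing@... arriving over the network is rejected with the 550 text, while majordomo's own local submission never passes through smtpd_recipient_restrictions and is unaffected. The table text is the one from this reply; parse_pcre_table, lookup and route are my own modelling (the parser assumes no "/" inside a pattern and ignores per-rule flags). On a real server the equivalent check is postmap -q "foo-mj-outgoing@lists.mydomain" pcre:/etc/postfix/smtpd_access.pcre.

```python
import re

# Pattern for $N and ${N} references in a pcre-table action.
_CAPTURE = re.compile(r"\$\{(\d+)\}|\$(\d+)")


def parse_pcre_table(text):
    """Parse the "/pattern/ action" lines of a Postfix pcre: table.

    Blank lines and '#' comments are skipped.  Assumption of this toy
    parser: patterns contain no '/' and carry no trailing flags.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*?)/\s+(.*)$", line)
        if not m:
            raise ValueError("unparseable pcre table line: %r" % line)
        rules.append((m.group(1), m.group(2)))
    return rules


# The table from the reply above, embedded so the example runs offline.
SAMPLE_TABLE = """\
# Protect outgoing majordomo exploders
/^(.*)-mj-incoming@(.*)/ 550 Use ${1}@lists.mydomain instead
/^(.*)-mj-outgoing@(.*)/ 550 Use ${1}@lists.mydomain instead
"""
ACCESS_RULES = parse_pcre_table(SAMPLE_TABLE)


def lookup(rules, recipient):
    """Emulate a check_recipient_access lookup in a pcre: table.

    First matching rule wins; $N / ${N} in the action are replaced by the
    corresponding capture group.  Returns None when nothing matches, which
    for Postfix means "no result" and the next restriction is consulted.
    """
    for pattern, action in rules:
        m = re.search(pattern, recipient, re.IGNORECASE)
        if m:
            return _CAPTURE.sub(
                lambda c: m.group(int(c.group(1) or c.group(2))), action)
    return None


def smtpd_recipient_decision(rules, recipient):
    """Outcome for a RCPT TO seen by smtpd: a 4xx/5xx action rejects,
    anything else is left to the remaining restrictions (DUNNO)."""
    action = lookup(rules, recipient)
    if action is None:
        return ("DUNNO", None)
    code = action.split(" ", 1)[0]
    if code[:1] in ("4", "5"):
        return ("REJECT", action)
    return ("DUNNO", None)


def route(rules, recipient, via):
    """via='smtpd' models mail arriving over the network; via='local' models
    majordomo handing its expansion to sendmail(1) on the server itself,
    which never passes smtpd_recipient_restrictions (constructed model)."""
    if via == "local":
        return ("ACCEPT", None)
    return smtpd_recipient_decision(rules, recipient)


if __name__ == "__main__":
    for rcpt, via in [("foo-mj-outgoing@lists.mydomain", "smtpd"),
                      ("foo-mj-outgoing@lists.mydomain", "local"),
                      ("foo@lists.mydomain", "smtpd")]:
        print(rcpt, via, route(ACCESS_RULES, rcpt, via))
```

The recipient access check therefore closes the direct-delivery path for anyone outside, which is why it does not need the random suffix: the exploder alias can keep its well-known name, and only majordomo on the box can reach it.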
