Re: mail log oddity

[Niklas]

I'm curious what this would actually accomplish on a vulnerable server.

There's no path or executable its trying to find in its iterations. This looks 
more like an arbitrary shell command meant to act as a scan/test to find 
vulnerable servers without fully leveraging the exploit.

If you had the IP it originates from it could tell you a lot.On Jun 10, 2020 
8:08 PM, Ryan Kavanagh  wrote:
>
> On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote: 
> > Saw this in the maillog today. Any ideas what they are trying to do? 
> > 
> >  249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 
> >3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid 
> >command: Must issue an AUTH command first" 
>
> My guess is that they're trying to exploit CVE-2020-7247. Search the 
> advisory text for that command: 
>
> https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt 
>
> Best, 
> Ryan 
>

OpenSMTPd LDAP

[Niklas]

I'm looking to dive into an LDAP setup for OpenSMTPd. Gilles says there is a 
third party extension, which I presume is the Opensmtpd-extras-* packages that 
no longer appear in ports.

I would just like some clarification on what I'm actually looking for, there 
doesn't appear to be any other thrid party extension that accomplishes this - 
Is this supposed to be installed and compiled from source at this point?

Thanks