Re: Customize log messages?

2016-12-03 Thread Viktor Dukhovni
> On Dec 4, 2016, at 12:58 AM, @lbutlr wrote:
>
>> MAIL FROM<"> type='text/javascript'>alert('xss');"@example.com>
>
> That results in "501 5.5.4 Syntax: MAIL FROM:"

There's a missing ":" after FROM. In any case, even if a particular exploit mechanism fails, or even all

Re: Customize log messages?

2016-12-03 Thread
On 12/3/16 2:57 PM, Wietse Venema wrote: Proof of concept: MAIL FROM<"alert('xss');"@example.com> That results in "501 5.5.4 Syntax: MAIL FROM:"

Re: Customize log messages?

2016-12-03 Thread Wietse Venema
Wietse Venema:
> @ lbutlr:
> > > Careful with that. Too easy to create a script injection vector. Bash is
> > > not a good language in which to construct safely quoted remote content for
> > > injection into a suitable HTML skeleton.
> >
> > Injection from where? the script is only

Re: Customize log messages?

2016-12-03 Thread Wietse Venema
@ lbutlr:
> > Careful with that. Too easy to create a script injection vector. Bash is
> > not a good language in which to construct safely quoted remote content for
> > injection into a suitable HTML skeleton.
>
> Injection from where? the script is only accessible to the root user on

Re: Prevention of sending authentication via plaintext on port 25.

2016-12-03 Thread Wietse Venema
rich.gre...@hushmail.com:
> $ telnet example.com 25
> Trying 87.138.xxx.yyy...
> Connected to example.com.
> Escape character is '^]'.
> 220 example.com ESMTP Postfix (Ubuntu)
> ehlo example.com
> 250-example.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH

Re: Prevention of sending authentication via plaintext on port 25.

2016-12-03 Thread Wietse Venema
rich.gre...@hushmail.com:
> I suspected that was a typo. I figured it out.
>
> I made those changes, when I attempt an AUTH LOGIN, I get back "535 5.7.8
> Error: authentication failed: UGFzc3dvcmQ6" which seems to be appropriate.

You still have AUTH enabled on port 25.

Wietse
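The check behind Wietse's reply (is AUTH still advertised on the cleartext port 25 session?) can be automated instead of read off a telnet transcript. The following is an added example, not code from the thread or from Postfix: it parses an EHLO response into its extensions, flags AUTH offered before TLS, and decodes the base64 token quoted in the 535 reply. The two EHLO responses are constructed sample input (feature lists and sizes are assumed, not captured from the poster's server); `audit_live` uses the standard-library `smtplib` API against a host of the caller's choosing and makes a real connection.

```python
import base64
import smtplib

# Constructed EHLO responses (sample input, not captured from the thread's
# server). The first mirrors the shape the original post saw on port 25:
# AUTH advertised on a session that has not negotiated STARTTLS yet.
EHLO_PORT25_OPEN = """\
250-example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# The same server once AUTH is withheld from the cleartext port (the state
# the thread is steering toward); it belongs on submission after STARTTLS.
EHLO_PORT25_FIXED = """\
250-example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo(response):
    """Map each advertised ESMTP keyword to its parameter list. The first line
    is the server's own name and is skipped; keywords are case-insensitive.
    The legacy 'AUTH=PLAIN LOGIN' spelling is folded into 'AUTH'."""
    extensions = {}
    lines = [l for l in response.splitlines() if l.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"not an EHLO success line: {line!r}")
        body = line[4:]                      # strip '250-' or '250 '
        keyword, _, params = body.partition(" ")
        if "=" in keyword:                   # 'AUTH=PLAIN' style
            keyword, _, first = keyword.partition("=")
            params = f"{first} {params}"
        extensions[keyword.upper()] = params.split()
    return extensions


def plaintext_auth_offered(extensions, tls_active=False):
    """True when AUTH is advertised on a session that is not yet under TLS,
    i.e. the client is invited to send credentials in the clear."""
    return "AUTH" in extensions and not tls_active


def decode_sasl_token(token):
    """Decode the base64 fragment Postfix echoes in a 535 reply. For AUTH LOGIN
    it is the server's last challenge ('Password:'), not the user's secret."""
    return base64.b64decode(token).decode("utf-8")


def audit_live(host, port=25, timeout=10):
    """Probe a real server the way the original post did with telnet, but stop
    before any credential is sent: EHLO, inspect the feature list, quit.
    The host name is whatever the caller supplies; this opens a TCP session."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        return s.has_extn("auth")            # AUTH visible before STARTTLS


if __name__ == "__main__":
    for label, resp in (("before", EHLO_PORT25_OPEN), ("after", EHLO_PORT25_FIXED)):
        ext = parse_ehlo(resp)
        print(f"{label}: plaintext AUTH on port 25 -> {plaintext_auth_offered(ext)}")
    print("535 token decodes to:", decode_sasl_token("UGFzc3dvcmQ6"))
```

On the Postfix side the usual remedies are `smtpd_tls_auth_only = yes` (AUTH is announced only after STARTTLS) or, stricter, `smtpd_sasl_auth_enable = no` in main.cf with `-o smtpd_sasl_auth_enable=yes` on the submission service in master.cf; a real MX on port 25 should not announce AUTH at all, and an audit run against port 25 should come back `False`.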

Re: Prevention of sending authentication via plaintext on port 25.

2016-12-03 Thread rich.greder
On 12/3/2016 at 10:45 AM, "John Fawcett" wrote:
>
> On 12/03/2016 05:25 PM, rich.gre...@hushmail.com wrote:
> > Here I am, replying to my own post again. What I said in the
> > prior post wasn't entirely true. I realized that I used the wrong
> > password in my prior attempt.

Re: Prevention of sending authentication via plaintext on port 25.

2016-12-03 Thread Victoriano Giralt
On 03/12/16 at 17:25, rich.gre...@hushmail.com wrote:
> So I'm somewhat confused how to prevent/discourage users from sending
> their authentication detail in the clear when there are secure methods
> that exist (such as, $ openssl s_client -starttls smtp -connect
> example.com:587)

We

Re: Customize log messages?

2016-12-03 Thread
On 12/3/16 9:53 AM, Bastian Blank wrote:
> On Sat, Dec 03, 2016 at 09:44:03AM -0700, @lbutlr wrote:
> > Injection from where? the script is only accessible to the root user on the
> > mail server and only checks /var/log/maillog (or the log specified at the
> > top of the script). There's no remote content

Re: Customize log messages?

2016-12-03 Thread Bastian Blank
On Sat, Dec 03, 2016 at 09:44:03AM -0700, @lbutlr wrote:
> Injection from where? the script is only accessible to the root user
> on the mail server and only checks /var/log/maillog (or the log
> specified at the top of the script). There's no remote content
> involved.

The contents of the log
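The point Viktor and Bastian are making is that a maillog line is remote-controlled input: anything a client puts in MAIL FROM (a quoted local-part can legally contain `<` and `>`) is written to the log verbatim and, if a script pastes log text into an HTML table, reaches the recipient's mail reader as markup. The following is an added example, not the poster's script or any Postfix code: it parses a constructed smtpd reject line (sample input, not from the archive), renders it once the unsafe way and once with every log-derived field escaped, and runs a simple check over the result. Host name, queue id and addresses are invented.

```python
import html
import re

# Constructed maillog line (sample input, not taken from the list archive).
# The sender's quoted local-part carries markup, the shape of the thread's
# proof of concept; the syntax is valid, so it lands in the log unchanged.
SAMPLE_LOG = (
    "Dec  3 14:57:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 <bob@example.net>: Relay access denied; "
    "from=<\"<script>alert('xss');</script>\"@example.com> "
    "to=<bob@example.net> proto=ESMTP helo=<evil>"
)

# Fields of an smtpd reject line. The sender group is lazy so that a '>'
# inside a quoted local-part does not end the match early; '> to=<' does.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<status>.*?); from=<(?P<sender>.*?)> to=<(?P<recipient>[^>]*)>"
)

COLUMNS = ("ts", "sender", "recipient", "status")


def parse_line(line):
    """Return the fields of one smtpd reject line, or None if it is not one."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def render_row(fields, escape=True):
    """Build one <tr>. escape=False reproduces the injection: log text is
    pasted straight into the HTML skeleton, as a shell script doing
    echo/printf into a template would."""
    quote = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    cells = "".join(f"<td>{quote(fields[k])}</td>" for k in COLUMNS)
    return f"<tr>{cells}</tr>"


def build_report(lines, escape=True):
    """Turn raw log lines into the HTML table a cron job would mail out."""
    rows = [render_row(f, escape) for f in map(parse_line, lines) if f]
    header = "".join(f"<th>{c}</th>" for c in COLUMNS)
    return ("<html><body><table>"
            f"<tr>{header}</tr>{''.join(rows)}"
            "</table></body></html>")


def contains_script_tag(doc):
    """Cheap check to run over the rendered mail before it goes out: does an
    unescaped <script> tag survive into the HTML?"""
    return re.search(r"<\s*script\b", doc, re.IGNORECASE) is not None


if __name__ == "__main__":
    vulnerable = build_report([SAMPLE_LOG], escape=False)
    hardened = build_report([SAMPLE_LOG])
    print("unescaped report carries <script>:", contains_script_tag(vulnerable))
    print("escaped report carries <script>:  ", contains_script_tag(hardened))
```

`html.escape(..., quote=True)` also neutralises `"` and `'`, which matters once a field ends up inside an attribute rather than between tags; escaping at the point where text meets markup, per field, is the property a shell pipeline built from echo and sed does not give you.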

Re: Prevention of sending authentication via plaintext on port 25.

2016-12-03 Thread John Fawcett
correcting my own typo now

On 12/03/2016 05:44 PM, John Fawcett wrote:
> On 12/03/2016 05:25 PM, rich.gre...@hushmail.com wrote:
> > Here I am, replying to my own post again. What I said in the prior post
> > wasn't entirely true. I realized that I used the wrong password in my prior
> >

Re: Prevention of sending authentication via plaintext on port 25.

2016-12-03 Thread John Fawcett
On 12/03/2016 05:25 PM, rich.gre...@hushmail.com wrote:
> Here I am, replying to my own post again. What I said in the prior post
> wasn't entirely true. I realized that I used the wrong password in my prior
> attempt. I am still granted access to the SMTP service after authenticating
> in

Re: Customize log messages?

2016-12-03 Thread
On 12/3/16 1:48 AM, Viktor Dukhovni wrote:
> On Dec 2, 2016, at 1:30 AM, @lbutlr wrote:
> > I have a bash script that does it, and when a user wants this, I simply set
> > up a crontab for them. Usually after a week or so they want it turned off.
> > The script sends them a lightly

Re: TLS issue

2016-12-03 Thread
On 12/2/16 12:16 PM, Wietse Venema wrote:
> With 'no shared ciphers' happening frequently, do we want to set up a TLS
> troubleshooting document, or is the decision tree too complex for such a
> document to be useful?

Considering how often the question is asked, probably. However, I think the error

Re: Azure Active Directory

2016-12-03 Thread
On 12/2/16 4:32 PM, Petri Riihikallio wrote:
> As long as saslauthd can bind against it like a regular Active Directory
> (=LDAP) server, it should work without special configuration inside postfix.
> Does Azure AD support LDAP?

Yes.

Re: What is the number means?

2016-12-03 Thread
On 12/2/16 2:34 PM, Michael Munger wrote:
> Linux man page numbers.

The man page numbers have nothing to do with Linux.

Re: Prevention of sending authentication via plaintext on port 25.

2016-12-03 Thread rich.greder
Here I am, replying to my own post again. What I said in the prior post wasn't entirely true. I realized that I used the wrong password in my prior attempt. I am still granted access to the SMTP service after authenticating in plaintext on port 25. So I'm somewhat confused how to

Re: Prevention of sending authentication via plaintext on port 25.

2016-12-03 Thread rich.greder
I suspected that was a typo. I figured it out. I made those changes, when I attempt an AUTH LOGIN, I get back "535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6" which seems to be appropriate. So the user is no longer rewarded with access to the SMTP services when they attempt to connect

Re: Prevention of sending authentication via plaintext on port 25.

2016-12-03 Thread Wietse Venema
John Fawcett:
> On 12/03/2016 04:10 PM, Wietse Venema wrote:
> > rich.gre...@hushmail.com:
> > > There are ports that exist for encrypted transfer of this data
> > > (such as 465, 587). What is the current state of the art for
> > > preventing the user's client software from being able to do this
>

Re: Prevention of sending authentication via plaintext on port 25.

2016-12-03 Thread John Fawcett
On 12/03/2016 04:10 PM, Wietse Venema wrote:
> rich.gre...@hushmail.com:
> > There are ports that exist for encrypted transfer of this data
> > (such as 465, 587). What is the current state of the art for
> > preventing the user's client software from being able to do this
> > (sending their

Re: Prevention of sending authentication via plaintext on port 25.

2016-12-03 Thread Wietse Venema
rich.gre...@hushmail.com:
> There are ports that exist for encrypted transfer of this data
> (such as 465, 587). What is the current state of the art for
> preventing the user's client software from being able to do this
> (sending their authentication details plaintext)? Is it safe to
> simply

Re: Customize log messages?

2016-12-03 Thread Wietse Venema
Viktor Dukhovni:
>
> > On Dec 2, 2016, at 1:30 AM, @lbutlr wrote:
> >
> > I have a bash script that does it, and when a user wants this, I simply set
> > up a crontab for them. Usually after a week or so they want it turned off.
> > The script sends them a lightly styled

Prevention of sending authentication via plaintext on port 25.

2016-12-03 Thread rich.greder
I love to go and see what I can get away with using telnet. I decided to send and check email from the command line. Since I consider my test location to be low risk, I decided to try to send my password plaintext over port 25. I was moderately surprised that it did work, as seen below in

Re: Customize log messages?

2016-12-03 Thread Viktor Dukhovni
> On Dec 2, 2016, at 1:30 AM, @lbutlr wrote:
>
> I have a bash script that does it, and when a user wants this, I simply set
> up a crontab for them. Usually after a week or so they want it turned off.
> The script sends them a lightly styled HTML table in the email.
>