Package: greylistd
Version: 0.8.7+nmu1
Severity: grave
Tags: security patch
Justification: renders package unusable


The 'greylistd-setup-exim4' script added a section 'deny' to 
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt.

 # Deny if blacklisted by greylist
 deny
   message = $sender_host_address is blacklisted from delivering \\
                     mail from <$sender_address> to <$local_p...@$domain>.
   log_message = blacklisted.
   !senders        = :
   !authenticated = *
   verify         = recipient/callout=20s,use_sender,defer_ok
   condition      = ${readsocket{/var/run/greylistd/socket}\\
                                 {--black \\
                                  $sender_host_address \\
                                  $sender_address \\
                                  $local_p...@$domain}\\
                                 {5s}{}{false}}

In this added section, recipient/callouts are performed without verifying 
the recipient's hostname. Thus, when spammers send the hosting server emails 
with recipients referring to other domains that are not relayed, excessive 
and wrong recipient callouts will be performed. The final results then include:

1. high server load due to excessive callouts
2. potential DDOS attack to other domains
3. the hosting server being blocked because of sending callouts to spam-trap addresses
4. complaints from ISP and termination of service

A simple fix should be removing the recipient/callout verification in this 
'deny' section, since there is NO POINT TO NOT DENY if 
recipient/callout would fail.

The patch is then as follows:

*** greylistd-0.8.7+nmu1/program/greylistd-setup-exim4  2007-12-02 
10:51:35.000000000 -0500
--- greylistd-0.8.7+nmu1.my/program/greylistd-setup-exim4       2010-08-04 
12:54:31.802439372 -0400
*************** exim4conf_texts = {
*** 85,91 ****
     log_message = blacklisted.
     !senders        = :
     !authenticated = *
-    verify         = recipient/callout=20s,use_sender,defer_ok
     condition      = ${readsocket{/var/run/greylistd/socket}\\
                                   {--black \\
                                    $sender_host_address \\
--- 85,90 ----
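
Review bot: removing 'verify = recipient/callout=20s,use_sender,defer_ok' at line 88 of exim4conf_texts only changes the text that greylistd-setup-exim4 writes from now on, so a host where the script has already run keeps the callout in /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt. The fix needs an upgrade step, or at least a NEWS entry telling administrators to delete that line by hand and reload exim4. The hunk also shows only the '--black' stanza; the other entries in exim4conf_texts should be checked for the same verify line before this is closed.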



-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages greylistd depends on:
ii  adduser                       3.110      add and remove users and groups
ii  debconf [debconf-2.0]         1.5.24     Debian configuration management sy
ii  python                        2.5.2-3    An interactive high-level object-o

Versions of packages greylistd recommends:
ii  exim4                         4.69-9     metapackage to ease Exim MTA (v4) 

greylistd suggests no packages.

-- debconf information:
  greylistd/autoconfig_notdone:
  greylistd/restartexim: true
* greylistd/autoconfig_notdone_exim4:



_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
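
A check for the condition this report describes, as an added example that is not part of the original report or of greylistd: it scans Exim ACL text for statements that do a recipient callout with no earlier 'domains =' condition limiting which recipient domains are probed. The function names, the 'domains =' heuristic and the sample stanza (abbreviated from the one quoted above) are assumptions made for illustration.

```python
import re

VERBS = {"accept", "defer", "deny", "discard", "drop", "require", "warn"}
CALLOUT = re.compile(r"^verify\s*=\s*recipient/.*\bcallout\b")
DOMAINS = re.compile(r"^domains\s*=")
# Constructed sample, abbreviated from the stanza quoted in the report.
SAMPLE = r"""
deny
  message        = blacklisted
  verify         = recipient/callout=20s,use_sender,defer_ok
  condition      = ${readsocket{/var/run/greylistd/socket}\
                     {--black $sender_host_address $sender_address}{5s}{}{false}}
deny
  domains        = +local_domains
  verify         = recipient/callout=20s,defer_ok
"""

def statements(text):
    """Yield (verb, conditions) per ACL statement, with continuations joined."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", " ", text)
    verb, conds = None, []
    for line in (raw.strip() for raw in joined.splitlines()):
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if first in VERBS:          # a verb opens a new statement
            if verb:
                yield verb, conds
            verb, conds = first, []
            line = line[len(first):].strip()
        if verb and line:
            conds.append(line)
    if verb:
        yield verb, conds

def unscoped_callouts(text):
    """Recipient callouts not preceded by a 'domains =' condition (heuristic)."""
    hits = []
    for verb, conds in statements(text):
        scoped = False              # Exim evaluates conditions in order
        for cond in conds:
            scoped = scoped or bool(DOMAINS.match(cond))
            if CALLOUT.match(cond) and not scoped:
                hits.append((verb, cond))
    return hits

if __name__ == "__main__":
    for verb, cond in unscoped_callouts(SAMPLE):
        print(f"{verb}: {cond}")
```

To check an installed configuration, pass the contents of /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt to unscoped_callouts() in place of SAMPLE.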
