Bug#880905: exim4-config: Sender verification could be exploited for brute-force scan

Paul Graham debianbts at omega-software.com
Sun Nov 5 14:29:07 UTC 2017


Package: exim4-config
Version: 4.90~RC1-1
Severity: normal

Dear Maintainer,


   * What led up to the situation?

This recently came up in Exim logs:

2017-11-03 16:22:39 H=(ws2008) [10.20.30.40] F=<test1@omega-software.com> rejected RCPT <attacker@gmail.com>: Sender verify failed
2017-11-03 16:22:39 H=(ws2008) [10.20.30.40] F=<test2@omega-software.com> rejected RCPT <attacker@gmail.com>: Sender verify failed
2017-11-03 16:22:40 H=(ws2008) [10.20.30.40] F=<test3@omega-software.com> rejected RCPT <attacker@gmail.com>: Sender verify failed
....
2017-11-03 16:22:42 H=(ws2008) [10.20.30.40] F=<validaddress@omega-software.com> rejected RCPT <attacker@gmail.com>: relay not permitted

It reveals that an attacker took advantage of the fact that sender verification happens before the relay check to perform a brute-force scan that revealed valid addresses in our domain.

   * What exactly did you do (or not do) that was effective (or ineffective)?

We moved sender verification so that it happens after the relay check.

   * What was the outcome of this action?

After this change, it's no longer possible for an attacker to use this technique to extract information. All their attempts would result in "relay not permitted" regardless of sender address.

I'm attaching a patch. Note our server runs 4.86 on Ubuntu but the patch is for exim 4.90~RC1-1.



-- Package-specific info:
Exim version 4.86_2 #2 built 03-Jun-2017 05:07:28
Copyright (c) University of Cambridge, 1995 - 2015
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2015
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-37-generic (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4-config depends on:
ii  adduser                3.113+nmu3ubuntu4
ii  debconf [debconf-2.0]  1.5.58ubuntu1

exim4-config recommends no packages.

exim4-config suggests no packages.

-- Configuration Files:
/etc/email-addresses changed [not included]
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt changed [not included]
/etc/exim4/conf.d/acl/40_exim4-config_check_data changed [not included]
/etc/exim4/conf.d/auth/30_exim4-config_examples changed [not included]
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions changed [not included]
/etc/exim4/exim4.conf.template changed [not included]

-- debconf information excluded
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sender-relay-debian.patch
Type: text/x-diff
Size: 2558 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-exim4-maintainers/attachments/20171105/91308d40/attachment.patch>
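Added example, not part of the bug report, the attached patch or the exim4 package: a small Python detector for the pattern the report describes, run over Exim reject-log lines of the shape shown above. It flags a client IP that sends many distinct envelope senders which fail sender verification within a short window, and then reports the senders from the same domain that got past verification and were rejected further down the ACL (here "relay not permitted"), since those are exactly the addresses the probe confirmed as valid. The log lines in the block are constructed, using example domains instead of the reporter's; the `min_probes` and `window` thresholds are assumptions to be tuned to a site's normal rate of genuine verify failures.

```python
"""Detect sender-address enumeration through Exim's sender-verify oracle.

Added example, not code from the bug report or the exim4 package. Parses
Exim main-log "rejected RCPT" lines and flags a client that runs many
distinct senders into "Sender verify failed" in a short window.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Matches the reject lines quoted in the report. Exim may add fields such
# as U= or P=, or a resolved hostname before the HELO name, so the
# H=...[ip] part is matched loosely to keep those variants parsing.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>.*?) \[(?P<ip>[^\]]+)\].*? "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)
VERIFY_FAILED = "Sender verify failed"


@dataclass(frozen=True)
class Reject:
    ts: datetime
    ip: str
    sender: str
    rcpt: str
    reason: str


def parse_reject_line(line: str):
    """Return a Reject for a 'rejected RCPT' line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return Reject(
        ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        ip=m["ip"],
        sender=m["sender"].lower(),
        rcpt=m["rcpt"].lower(),
        reason=m["reason"].strip(),
    )


def find_sender_enumeration(lines, min_probes=5, window=timedelta(minutes=5)):
    """Map client IP -> finding for clients that look like they ran the scan.

    min_probes and window are assumed thresholds, not values from the report.
    """
    by_ip = defaultdict(list)
    for line in lines:
        r = parse_reject_line(line)
        if r is not None:
            by_ip[r.ip].append(r)

    findings = {}
    for ip, rejects in by_ip.items():
        rejects.sort(key=lambda r: r.ts)
        probes = [r for r in rejects if r.reason == VERIFY_FAILED]

        # Sliding window: most distinct failing senders from this client
        # within `window`. A lone failure is background noise (typos,
        # misconfigured partners); a dense burst of distinct senders is not.
        best, start = 0, 0
        for end in range(len(probes)):
            while probes[end].ts - probes[start].ts > window:
                start += 1
            best = max(best, len({p.sender for p in probes[start:end + 1]}))
        if best < min_probes:
            continue

        # Senders in a probed domain that passed verification and were then
        # rejected for another reason ("relay not permitted") are the
        # addresses the attacker learned exist.
        probed_domains = {p.sender.rpartition("@")[2] for p in probes}
        confirmed = sorted({
            r.sender for r in rejects
            if r.reason != VERIFY_FAILED
            and r.sender.rpartition("@")[2] in probed_domains
        })
        findings[ip] = {"probes": best, "confirmed_senders": confirmed}
    return findings


# Constructed sample log, modelled on the report's lines but with example
# domains. The last line is one genuine verify failure from an unrelated
# host and must not be flagged.
SAMPLE_LOG = """\
2017-11-03 16:22:39 H=(ws2008) [10.20.30.40] F=<test1@example.org> rejected RCPT <attacker@example.net>: Sender verify failed
2017-11-03 16:22:39 H=(ws2008) [10.20.30.40] F=<test2@example.org> rejected RCPT <attacker@example.net>: Sender verify failed
2017-11-03 16:22:40 H=(ws2008) [10.20.30.40] F=<test3@example.org> rejected RCPT <attacker@example.net>: Sender verify failed
2017-11-03 16:22:40 H=(ws2008) [10.20.30.40] F=<test4@example.org> rejected RCPT <attacker@example.net>: Sender verify failed
2017-11-03 16:22:41 H=(ws2008) [10.20.30.40] F=<test5@example.org> rejected RCPT <attacker@example.net>: Sender verify failed
2017-11-03 16:22:42 H=(ws2008) [10.20.30.40] F=<validaddress@example.org> rejected RCPT <attacker@example.net>: relay not permitted
2017-11-03 16:30:12 H=mx.partner.example [192.0.2.7] F=<typo@nowhere.invalid> rejected RCPT <bob@example.org>: Sender verify failed
"""


def analyse_sample():
    return find_sender_enumeration(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, f in analyse_sample().items():
        print(f"{ip}: {f['probes']} distinct senders failed verification; "
              f"confirmed valid: {', '.join(f['confirmed_senders'])}")
```

The "relay not permitted" line for the one surviving sender is the oracle the report describes, which is why the detector treats it as a confirmed address rather than noise. Once the ACL is reordered so the relay check runs before `verify = sender`, every probe from an unauthenticated remote client logs "relay not permitted" regardless of sender, the burst of verify failures disappears, and this detector has nothing left to flag for that host.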