
RE: [cobalt-security] RaQ550: Potential open relay - even with POP-before-SMTP



Howdy

I've just *got* to respond with an "I'm going to defend Cobalt a little
here, believe it or not" style email...

On 26 August 2003 22:46, Michael Stauber wrote:
> This RaQ550 used to have the IP address 62.138.160.164 and the netmask
> 62.138.160.224. However, some time ago the IP address was changed to
> 192.168.9.1 and the netmask to 255.255.0.0 as the box was moved
> behind a firewall.

What on *earth* is that first netmask? Surely, surely that's a typo...
if not, then the Cobalt GUI should never have accepted it in the first
place (one point to Michael).

However - if someone was dumb enough to put a broadcast address in the
netmask box (and the system let them get away with it) then it comes as
no surprise that the mail "access" file contains some weirdness:

> # Cobalt Access Section Begin
> 62.138  RELAY
> smd.net RELAY
> 192.168 RELAY

OK, so let's go through the analysis:

> 1) It appears that the GUI interface of the RaQ550 allows relaying
> for network address ranges instead of single IP addresses.

It always has done. This is because it "mirrors" the functionality of
sendmail's access file, which allows the same thing. (one point to
Cobalt)

> It also appears that the decision as to which network address ranges
> are used is based on the netmask you specify in "System Settings" /
> "TCP/IP".

Correct; this is probably by design and is absolutely normal operation
for a great many GUI admin or control panel bolt-ons to UNIX systems
(one more point to Cobalt).

> I checked with a couple of RaQ550s and some allow to relay for the
> entire Class C network they belong to. Some allow the entire Class B
> network to which they belong. And the craziest case I had is a
> customers box which allows an entire Class A network to relay and all
> domains of the DE domain (DE = Germany).

Hmm... this sounds Just Plain Wrong. I've just checked a couple of 550s
I have here, and - to my horror - they are on a /24 network and allow
relaying for that entire /24 (one more point to Michael).

> 2) Why does the GUI not purge network settings which are no longer in
> use from /etc/mail/access? After all, the RaQ's primary IP address is
> now 192.168.9.1 with the netmask 255.255.0.0. So as soon as the
> network settings of the RaQ were changed the old entry concerning the
> 62.138 network should have been removed from /etc/mail/access when
> the network settings were changed. 

I'd check that there's no interface aliases left hanging around if I
were you. Unfortunately I'm looking at a customer machine so I cannot go
adding/removing IP addresses!

<snip>

> Depending on the netmask you specified it is possible that entire
> Class A, Class B or Class C networks are allowed to relay email
> through your box. Regardless if you are using "POP Authenticated
> Relaying" or not.

As you point out, "depending on the netmask". If that netmask you quoted
at the start is real, then whoever set that machine up needs a good
talking to. If it's the broadcast, then something else is wrong.

> FIX:

One more point to Michael...

On balance, it's Michael 3 - Cobalt 2.

Graeme - now going to check all the other customer 550s I have access
to :(
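The mechanics discussed in this thread, as an added worked example (this is not code from the post, from Cobalt or from sendmail): sendmail's access map keys a RELAY decision on a dotted IP prefix, and the RaQ GUI derives that prefix from the interface netmask, so a /16 mask yields a two-octet key such as `62.138` that relays for 65,536 hosts. The script below emulates that derivation (assumption: the GUI truncates the network to whole octets, which is the only form an access key can express), emulates sendmail's lookup of a connecting address against progressively shorter prefixes, and audits a constructed copy of the "Cobalt Access Section" for entries broader than a single host. The sample access file and the function names are constructed for this example; the `de` entry stands in for the "all domains of the DE domain" case described above.

```python
import ipaddress

# Constructed sample modelled on the snippet quoted in the post; the "de" line
# and the loopback line are added here to exercise the other cases discussed.
SAMPLE_ACCESS = """\
# Cobalt Access Section Begin
62.138  RELAY
smd.net RELAY
192.168 RELAY
de      RELAY
# Cobalt Access Section End
127.0.0.1 RELAY
"""


def relay_prefix_for(ip, netmask):
    """Emulate the GUI: turn an interface address + netmask into the dotted
    prefix that ends up in /etc/mail/access (assumed to widen to whole octets,
    e.g. a /20 becomes a two-octet key). Returns None for an invalid mask, such
    as a broadcast address typed into the netmask field."""
    try:
        net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    except ValueError:
        return None
    octets = str(net.network_address).split(".")
    whole_octets = net.prefixlen // 8
    return ".".join(octets[:whole_octets])


def parse_access(text):
    """Parse access-file lines into (key, ACTION) pairs; comments and blanks are
    skipped and an optional 'Connect:' tag is stripped from the key."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        key = parts[0]
        if key.lower().startswith("connect:"):
            key = key.split(":", 1)[1]
        entries.append((key, parts[1].upper()))
    return entries


def relay_allowed_for_ip(text, client_ip):
    """Simplified emulation of sendmail's access_db lookup for a connecting
    address: the full IP is tried first, then a.b.c, a.b and a. The first key
    present decides, which is exactly why a bare '62.138 RELAY' line opens the
    box to the whole /16 regardless of POP-before-SMTP."""
    entries = dict(parse_access(text))
    octets = client_ip.split(".")
    for n in range(4, 0, -1):
        key = ".".join(octets[:n])
        if key in entries:
            return entries[key] == "RELAY"
    return False


def relay_scope(key):
    """Classify a key: ('ip', prefix_bits) for a dotted numeric key, else
    ('domain', None). A two-octet key is a /16, a single octet a /8."""
    parts = key.split(".")
    if all(p.isdigit() for p in parts):
        return "ip", 8 * len(parts)
    return "domain", None


def audit_relay_entries(text):
    """Return (key, reason) for every RELAY entry broader than one host or one
    domain: partial IP prefixes and dotless (top-level domain) names."""
    findings = []
    for key, action in parse_access(text):
        if action != "RELAY":
            continue
        kind, bits = relay_scope(key)
        if kind == "ip" and bits < 32:
            findings.append((key, f"relays for the whole /{bits} network"))
        elif kind == "domain" and "." not in key:
            findings.append((key, "relays for an entire top-level domain"))
    return findings


if __name__ == "__main__":
    print(relay_prefix_for("62.138.160.164", "255.255.255.0"))   # 62.138.160
    print(relay_prefix_for("192.168.9.1", "255.255.0.0"))        # 192.168
    print(relay_prefix_for("62.138.160.164", "62.138.160.224"))  # None
    for key, reason in audit_relay_entries(SAMPLE_ACCESS):
        print(f"{key}: {reason}")
```

Running the audit against a real box means pointing `parse_access` at `/etc/mail/access`; note that sendmail reads the hashed `access.db`, so after trimming entries by hand the map has to be rebuilt with `makemap hash /etc/mail/access.db < /etc/mail/access` or the old RELAY lines stay in effect.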