
another little warning from me - BIG bug(or not) in smtp

Discussion in 'E-mail Discussions' started by naox, May 24, 2005.

  1. naox

    naox Well-Known Member

    Joined:
    Mar 23, 2004
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    Well, this one is quite obvious. Guess what: any of your customers can send email as you! For example as admin@domain.com, and this email will originate from your server and in all respects look like it was written by you - so SPF or no SPF - it's yours :)

    You ask how? Sure. You're a customer. You've got a mailbox whatever@something.domain.com and you want to send email as admin@domain.com with a domain.com server. That's easy. Just make an email with a custom From field. How? For example Outlook Express > account properties > Email address (or just prepare your own MIME code). Voilà. You can send emails as your admin, for example.


    How should the programmers fix it? That's also quite obvious. cPanel's SMTP should check the From field and verify that the owner of the email address there is the person authorising through SMTP authorisation. Well... that's the purpose of SMTP authorisation, isn't it? :eek: If he is not the owner, SMTP should return a 553 response (0x800CCC79).

    Well, SMTP authorization isn't only meant to be an open-relay blocking thing, but also permission checking for senders of emails (as given in MIME).
     
    #1 naox, May 24, 2005
    Last edited: May 24, 2005
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's not a bug, it's how the SMTP protocol works. It's the risk you run providing web hosting and SMTP access to clients and there's little that you can do about it. If you don't trust your hosting clients, you shouldn't be hosting them.
     
  3. naox

    naox Well-Known Member

    How can you trust thousands of people? Is cPanel for small hosting companies now?
    If a customer could do damage and knew how, the only thing keeping him from doing so is that he can lose more than he gains. But what when he has almost nothing to lose? Like when he is at the end of his payment period and doesn't want to pay further, or he just doesn't like you anymore.

    I know that's the way of SMTP; however, SMTP authorization is the tweak that enables checking of permissions. I tested this issue on popular mail servers and all of them returned:

    Sender address rejected: not owned by user naox', Port: 25, Secure(SSL): No, Server Error: 553, Error Number: 0x800CCC79

    So cPanel's SMTP should have built-in permission checking for outgoing emails! That's more than NECESSARY!
     
    #3 naox, May 24, 2005
    Last edited: May 24, 2005
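
The ownership check argued for in the post above, as an added example (not part of the thread and not cPanel's or Exim's code): after SMTP AUTH, both the envelope sender and the From: header must be addresses mapped to the authenticated login, otherwise the server answers 553. The login-to-address map, the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed map: authenticated login -> addresses it may send as.
# Role addresses (webmaster@) are delegated explicitly, never implied.
SENDER_MAP = {
    "whatever@something.domain.com": {"whatever@something.domain.com"},
    "richyc@domain.com": {"richyc@domain.com", "webmaster@domain.com"},
}

# Constructed sample messages (header block, blank line, body).
SPOOFED = "From: admin@domain.com\nTo: user@example.net\nSubject: hi\n\nhello\n"
HONEST = "From: Me <whatever@something.domain.com>\nTo: user@example.net\n\nhello\n"
ROLE = "From: webmaster@domain.com\nTo: user@example.net\n\nhello\n"
TWO_FROM = "From: whatever@something.domain.com\n" + SPOOFED


def normalize(addr):
    # Assumption: addresses compare case-insensitively on this server.
    return addr.strip().strip("<>").lower()


def check_sender(auth_login, mail_from, raw_message, sender_map=SENDER_MAP):
    """Return (smtp_code, text) for a message submitted after SMTP AUTH."""
    allowed = sender_map.get(normalize(auth_login), set())
    # 1. Envelope sender (MAIL FROM) must belong to the authenticated login.
    if normalize(mail_from) not in allowed:
        return 553, f"Sender address rejected: not owned by user {auth_login}"
    # 2. Exactly one From: header, so a client cannot pass one and show another.
    from_values = message_from_string(raw_message).get_all("From", [])
    if len(from_values) != 1:
        return 553, "Message rejected: exactly one From: header required"
    # 3. Every address in that header must also belong to the login.
    addrs = [normalize(a) for _name, a in getaddresses(from_values)]
    if not addrs or any(a not in allowed for a in addrs):
        return 553, f"From: header rejected: not owned by user {auth_login}"
    return 250, "OK"


if __name__ == "__main__":
    me = "whatever@something.domain.com"
    for label, msg in [("spoofed", SPOOFED), ("honest", HONEST), ("two From", TWO_FROM)]:
        print(label, check_sender(me, me, msg))
```

Postfix's `reject_sender_login_mismatch` with `smtpd_sender_login_maps` applies the envelope half of this check; the header comparison is an extra step, and neither half inspects the display name shown to the recipient.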
  4. richy

    richy Well-Known Member

    Joined:
    Jun 30, 2003
    Messages:
    276
    Likes Received:
    1
    Trophy Points:
    16
    This is "normal" operation for SMTP servers. The customer has already authenticated with the server (either by picking up POP3 mail or via the "My outgoing mailserver requires authentication" option) so they are allowed to send through that server - but it does not make any restrictions as to the header information. This is ideal if you authenticate personally (such as my richyc@...) account, but need to send out "role" emails (such as webmaster@...)
     
  5. naox

    naox Well-Known Member

    That's also more than insecure in a shared hosting environment... and I think that is cPanel's role, hmm.

    Like I said above, SMTP auth should have permission checking for the given sender's domain in the MIME header.
     
  6. chirpy

    chirpy Well-Known Member

    No it shouldn't. This is normal and how the SMTP protocol works.

    If you do not trust your hosting clients, don't allow them to relay through your server. Force them to use their local ISP.

    This has nothing to do with cPanel and has everything to do with who you allow to host on your servers.
     
  7. naox

    naox Well-Known Member


    I absolutely can't agree with you. If you trust your customers, then why build any secure systems? Just give them root access and tell them 'host yourself'. There are billions of pages on how to secure Apache, PHP, Linux, Exim etc. Why do people bother with securing... strange, isn't it?

    Your customers will not do damage (if they could) only when they think they might lose more than they gain. Also, you can't accuse someone of deliberate damage in most cases, so that's why systems are made to be foolproof + 'hole proof'.

    I think it has everything to do with the lack of a basic SMTP authorization algorithm in cPanel's SMTP.
     
    #7 naox, May 24, 2005
    Last edited: May 24, 2005
  8. chirpy

    chirpy Well-Known Member

    We'll have to agree to disagree then.

    As a customer on a shared hosting system I can wreak as much damage as I like. Never mind SMTP: I can DoS other servers, I can crash the server I'm hosted on, I can probably get root access, and I can almost certainly read all the files in other people's accounts and may be able to write to them too. I can do all that on a cPanel server and most other shared web hosting servers, it's not difficult - changing the way the SMTP protocol should work is the least of your worries.

    Welcome to shared hosting - it is entirely based on trust. As I said, if you don't trust them, don't host them, that is what your AUP is for.
     
  9. naox

    naox Well-Known Member

    So you think you can do anything? That's your problem. I'm not quite convinced. I always said that you know everything only when you know what you can't do (and what you can't do depends on what other people can do, so you will never know everything, as you will never know everybody).
    But let's leave the matter of SMTP to some cPanel programmer.

    Summary for some cPanel programmer

    cPanel's SMTP authorization is lacking an algorithm that checks whether the sender's address (in the header of the email) is one of the email accounts owned by the user authorizing to SMTP. Current state: any cPanel SMTP user can send emails as any existing email account on the server.
     
  10. chirpy

    chirpy Well-Known Member

  11. naox

    naox Well-Known Member

    No if statement here? I think that would depend on the cPanel server configuration and your permissions on it. How do you execute code when you've got no shell, CGI or PHP access? How do you execute system code on well-secured CGI and PHP? The only way would be a cPanel bug which no one knows about... or some other non-jailed server bug. Bugs happen in complex server applications and are usually removed quickly after being discovered (does not include cPanel).
     
    #11 naox, May 24, 2005
    Last edited: May 24, 2005
  12. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,381
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Even if CPanel did have some way of implementing an authorization check, nothing is going to prevent John Doe from running his own mail server on his own local network and sending out e-mail using a from address that is your company's name or any name. The only way around this would be to reconfigure all SMTP servers around the world to somehow verify the address in the From field is actually who the message is from.
     
  13. naox

    naox Well-Known Member


    Of course we know about it. However, it will not originate from your server IP, so an SPF record checking mechanism or smart people won't even accept the idea of reading it as if it were written by you.

    Even a full SMTP server is not required for the task you described. Just some MTA, and surely any 'local network' isn't either. Just a standard PC with any internet connection.

    And that's the purpose of SPF records (almost that). But that's another topic.
     
    #13 naox, May 24, 2005
    Last edited: May 24, 2005
  14. chirpy

    chirpy Well-Known Member

    I qualified all I needed to in my post and the issues have been discussed in the past.

    I've told you how to request an enhancement if you want one, but it's certainly not a bug.
     
  15. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    You don't even need OE to start sending mail as someone else.
    Webmail with "Profile Creation" would also allow you to do this. Sending mails with from being just about anybody. This is because profile creation has no checks for validating a profile before it becomes useable.

    So domain1 domain2 hosted on same server with published spf records.

    someone@domain1.tld creates a profile in webmail as somebody@domain2.tld and achieves the same objective ... this time around even the SPF check would say the mails are genuine

    It's just myopic view with which the designers put in the "Profile Options" into their webmail scripts. No checks for validating ... just create a Profile with "From not being your domain email address" and take off :)

    This has always been a debated topic and it took us one year to convince a commercial webmail script company to understand that they need to have some checks for validating the From Address when profiles are created. They pooh poohed it for more than 9 months as usual.

    Thanks
    Anup
     
  16. naox

    naox Well-Known Member


    Well, it isn't the fault of Profile Options. You can always send email with a custom From header one way or another, using webmail, a client, or custom MIME and an MTA.

    I don't know much about mail stuff, however those webmail things use IMAP to send it to the server, and there it is a simple MTA, I think. So some MTA level of protection would do for the bug with email or outside connections to SMTP (Outlook etc). And I remind you that we are not talking about anything new here!!! Those systems are used on every well-secured mail server around the world.
     
  17. anup123

    anup123 Well-Known Member


    Though it's still early days, are you referring to something like the following:

    http://www.simplicato.com/?s=aa

    Anup
     
  18. SageBrian

    SageBrian Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    415
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    NY/CT (US)
    cPanel Access Level:
    Root Administrator
    this is why I tell people to use AOL. AOL is the best email service there is, because there is no way you can send mail pretending to be someone else. It always will be user@aol.com.

    See... AOL had it right all the time. We were all just too dumb to realize it.

    I'm gonna tell all my customers to switch to AOL, and not to worry about others spoofing their addresses since all it takes to check on validity of an email address is to check the headers... which everyone does by default. especially AOL users... yup, they always check headers. :D
     
  19. naox

    naox Well-Known Member

    And you don't understand the basics of SMTP. You can send any header you want with any SMTP. If the targeted email account does not implement SPF checks (most servers in the world don't and will not), or the email sender's domain did not publish SPF, then the email will be accepted.
     
  20. SageBrian

    SageBrian Well-Known Member

    In a perfect world, we would all have dedicated servers with dedicated IP addresses, for each domain. Only then will we be able to verify an address to perfection. Until the server is hacked, which never happens in this perfect world.

    And Chocolate will be engineered to give your body exactly what it needs, when it needs it, and no more. So we can walk around eating nothing but Hershey bars and be fit as a fiddle. And all our 'special parts' will become the perfect size. (which will finally put an end to those pesky emails promising perfect size.)
     