SANS ISC: Internet Storm Center
Hardening Postfix Against FTP Relay Attacks

Published: 2017-02-20
Last Updated: 2017-02-20 19:16:14 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Yesterday, I read an interesting blog post about exploiting XXE (XML eXternal Entity) flaws to send e-mails [1]. In short: the application can be tricked into making an FTP connection, and if that connection is pointed at port 25 of a mail server, the mail server is forgiving enough to accept e-mail from it. The mail server sees the FTP "USER" and "PASS" commands first, but simply ignores them.

Initially, I considered this a lesser issue. A similar attack has been used in the past via HTTP proxies: an HTTP proxy can also connect to port 25 and relay mail that way. But from my experience, mail servers tend to shut such connections down. For example:

220 mail.dshield.org ESMTP
GET
221 2.7.0 Error: I can break rules, too. Goodbye.
Connection closed by foreign host.

However (and thanks to Alexander, the author of the blog post, for pointing this out), it turns out that the list of blocked commands is limited to HTTP verbs. From the Postfix documentation:

smtpd_forbidden_commands (default: CONNECT, GET, POST)

List of commands that cause the Postfix SMTP server to immediately terminate the session with a 221 code. This can be used to disconnect clients that obviously attempt to abuse the system. In addition to the commands listed in this parameter, commands that follow the "Label:" format of message headers will also cause a disconnect.

This feature is available in Postfix 2.2 and later.

Only CONNECT, GET, and POST are blocked by default. To extend the list, add the following line to Postfix's main.cf:

smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS

I don't think either USER or PASS is ever used legitimately in SMTP; SMTP uses "AUTH" to log in a user instead. To test, connect to the mail server via telnet or netcat:

$ nc localhost 25
220 mail.dshield.org ESMTP
USER
221 2.7.0 Error: I can break rules, too. Goodbye.
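The configuration change and the netcat check above can be turned into a repeatable audit. The following Python script is an added example written for this page, not code from the diary or from the Postfix project: it parses the smtpd_forbidden_commands parameter out of a main.cf text (falling back to the documented Postfix default of CONNECT, GET, POST), reports which of the recommended verbs are still missing, models the documented disconnect rule (forbidden verb, or a line in "Label:" header format) so you can reason about what a given client line would trigger, and offers a live check that sends USER and PASS to a server you administer and records whether each gets a 221. The main.cf fragments and the hostname mail.example.invalid are constructed sample values; the function names are my own.

```python
"""Audit a Postfix main.cf for smtpd_forbidden_commands coverage and optionally
verify on a live server that the forbidden verbs end the session.
Added example for this diary; not Postfix code."""
import re
import socket

# Postfix default (from the postconf text quoted in the diary) plus the two
# FTP login verbs the diary recommends adding.
POSTFIX_DEFAULT_FORBIDDEN = {"CONNECT", "GET", "POST"}
RECOMMENDED_FORBIDDEN = POSTFIX_DEFAULT_FORBIDDEN | {"USER", "PASS"}

# Constructed sample main.cf fragments (not a real server's configuration).
MAIN_CF_DEFAULT = """
myhostname = mail.example.invalid
smtpd_banner = $myhostname ESMTP
"""
MAIN_CF_HARDENED = """
myhostname = mail.example.invalid
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
"""


def parse_forbidden_commands(main_cf: str) -> set:
    """Return the effective smtpd_forbidden_commands set for a main.cf text.
    Falls back to the Postfix default when the parameter is absent; as in
    Postfix, the last assignment wins."""
    value = None
    for line in main_cf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"smtpd_forbidden_commands\s*=\s*(.*)$", line)
        if m:
            value = m.group(1)
    if value is None:
        return set(POSTFIX_DEFAULT_FORBIDDEN)
    # Postfix list parameters accept comma and/or whitespace separators.
    return {v.upper() for v in re.split(r"[,\s]+", value) if v}


def missing_forbidden_commands(main_cf: str) -> set:
    """Recommended verbs that the configuration does not yet block."""
    return RECOMMENDED_FORBIDDEN - parse_forbidden_commands(main_cf)


def would_disconnect(command_line: str, forbidden: set) -> bool:
    """Model the documented rule: the session ends on a forbidden verb, or on
    a line in 'Label:' message-header format (e.g. an HTTP 'Host:' header)."""
    stripped = command_line.strip()
    verb = stripped.split(None, 1)[0] if stripped else ""
    if verb.upper() in forbidden:
        return True
    return re.match(r"^[A-Za-z][A-Za-z0-9-]*:", stripped) is not None


def live_check(host: str, port: int = 25, verbs=("USER", "PASS"), timeout=10) -> dict:
    """Send each verb on its own connection to a server you administer and
    record whether the first reply is a 221 disconnect. Needs network access,
    so it is not exercised in the offline test."""
    results = {}
    for verb in verbs:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)  # banner, e.g. "220 ... ESMTP"
            s.sendall((verb + "\r\n").encode())
            reply = s.recv(1024).decode(errors="replace").strip()
            results[verb] = reply.startswith("221")
    return results


if __name__ == "__main__":
    for name, cf in (("default", MAIN_CF_DEFAULT), ("hardened", MAIN_CF_HARDENED)):
        missing = sorted(missing_forbidden_commands(cf))
        print(f"{name}: missing {missing if missing else 'none'}")
```

Run it against a copy of your own main.cf (read the file and pass its contents to missing_forbidden_commands); an empty result means USER and PASS are covered. Call live_check only against a server you are responsible for, and expect the USER and PASS keys to come back True once the configuration has been reloaded.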

[1] https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/

---
Johannes B. Ullrich, Ph.D.
