Development

Wiki Start
Wishlist
Timeline
Roadmap
Browse Source
New Ticket
View Tickets

Ticket #573 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

customer possible to catch all mails for severall domains

Reported by: joximu Assigned to:
Priority: critical Milestone: ispCP ω 1.0.0 - RC3
Component: Backend (Engine) Version: ispCP ω 1.0.0 - RC2
Severity: Keywords: security, catchall for foreign domains
Cc:

Description

Customer can add domain-alias, then can add mail account for this (alias)domain and then can add catch all for the domain.

lats set: domain = gmx.net or gmail.com or whatever...

all mails to gmx.net (gmail.com) which are going over the ispcp server are redirected to the catchall account of the one customer...

not good...

thanx to Platzwart who mentioned this!

Attachments

573.patch (24.2 kB) - added by Breaki on 09/20/07 17:49:15.

Change History

08/17/07 23:14:12 changed by joximu

the discussion: http://www.isp-control.net/forum/security-problem-detected-t-1178.html

08/19/07 00:04:15 changed by raphael

  • status changed from new to closed.
  • resolution set to fixed.

Fixed in r750

08/19/07 11:27:46 changed by joximu

  • status changed from closed to reopened.
  • resolution deleted.

Not fully closed: it's still possible to hijack mails.

The fix in r750 adresses hijacking of other services which resolved the names on the local bind.

09/02/07 21:45:33 changed by joximu

I think we have to check if a "domain alias" requested by a user is valid or not. This can be done manually (to be approved by reseller or admin) or automatically (check the registrar...??). Meanwhile I'd disable domain aliases.

09/11/07 12:49:23 changed by rats

  • priority changed from major to critical.

by petzsch: If a reseller adds a public/common domain for instance web.de or gmx.de to his account and sets up a catchall for the emails of this domain, than all mail send from other users on the same server to those mail adresses get deliverd locally and can therefore be intercepted.

Is there a possibility to configure Postfix to first check DNS resolution before atempting to deliver mail localy?

09/11/07 14:47:24 changed by petzsch

Sorry for the double post before.

But I don't think it's fixed by adding non local nameservers to resolv.conf. I'm allready using the caching nameservers of my carrier, but mails still get first deliverd by local accounts before even checking what DNS says about message destination. I'm still convinced that it's rather a postfix configuration issue.

Will lett you know if I find anything out.

09/20/07 17:49:15 changed by Breaki

  • attachment 573.patch added.

09/20/07 21:56:13 changed by rats

  • status changed from reopened to closed.
  • resolution set to fixed.

fixed in r811

Add/Change #573 (customer possible to catch all mails for severall domains)




Action