Mailing List Archive: Qmail: users

SMTP AUTH allows any sender via SSL, but only correct auth via non-SSL

Index | Next | Previous | View Threaded

fafaforza at gmail

Apr 23, 2013, 1:05 PM

Post #1 of 5 (388 views)
Permalink

SMTP AUTH allows any sender via SSL, but only correct auth via non-SSL

Hi there, I'm running Qmail on FreeBSD 9.1 (port version qmail-1.03_8)
with the SMTP-AUTH patch from ports. I run it using tcpserver and
daemontools, with the exact file, except the smtps port running through
stunnel.

The non-SSL process does correct user lookups and fails incorrect
authentication.

The SSL one gladly accepts any random string for user and pass and
allows relay. I am running the same commands, only adding stunnel for
the second one. A bit lost as to why this is happening. Below I use the
same base64 encoded string for the login, both attempts from an
untrusted source, not allowed to relay anywhere.

$ perl -MMIME::Base64 -e 'print encode_base64("some-random-string");'
c29tZS1yYW5kb20tc3RyaW5n

$ *telnet mail.server.net 25*
Trying 1.2.3.4...
Connected to mail.server.net .
Escape character is '^]'.
220 mail.server.net ESMTP
*AUTH LOGIN*
334 VXNlcm5hbWU6
*c29tZS1yYW5kb20tc3RyaW5n*
334 UGFzc3dvcmQ6
*c29tZS1yYW5kb20tc3RyaW5n*
535 authorization failed (#5.7.0)
^]

$ *openssl s_client -crlf -connect mail.server.net:465*
<...ssl stuff here...>
220 mail.server.net ESMTP
*AUTH LOGIN*
334 VXNlcm5hbWU6
*c29tZS1yYW5kb20tc3RyaW5n*
334 UGFzc3dvcmQ6
*c29tZS1yYW5kb20tc3RyaW5n*
235 ok, go ahead (#2.0.0)
^]

# *cat /service/qmail-smtpd/run *
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 30000000 \
/usr/local/bin/tcpserver -H -R -l 0 -v \
-x /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/var/qmail/bin/qmail-smtpd 0 \
/usr/local/vpopmail/bin/vchkpw true 2>&1

# *cat /service/qmail-smtpds/run *
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 30000000 \
/usr/local/bin/tcpserver -H -R -l 0 -v \
-x /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtps \
/usr/local/sbin/stunnel \
-p /opt/ssl/certificate.stunnel.crt \
-A
/opt/ssl/GT_True_BusinessID_and_Enterprise_SSL_Intermediate_bundle.pem \
-l /var/qmail/bin/qmail-smtpd 0 \
/usr/local/vpopmail/bin/vchkpw true 2>&1

Anyone know what I should look at? Let me know if there's any other
info I should provide.

I'm running stunnel 3.x simply for compatibility (4.x doesn't support
command line args). I could upgrade that but doubt this should be my
problem.

--
Thanks,
Darek

kyle-qmail at memoryhole

Apr 23, 2013, 2:01 PM

Post #2 of 5 (379 views)
Permalink

Re: SMTP AUTH allows any sender via SSL, but only correct auth via non-SSL [In reply to]

On Tuesday, April 23 at 04:05 PM, quoth Darek:
>Hi there, I'm running Qmail on FreeBSD 9.1 (port version qmail-1.03_8)
>with the SMTP-AUTH patch from ports. I run it using tcpserver and
>daemontools, with the exact file, except the smtps port running
>through stunnel.

Stunnel is your problem. Essentially, all stunnel connections look, to
qmail, like they're coming from localhost, and localhost is (usually)
allowed to send mail without authenticating.

One solution would be to make it so that localhost cannot send mail
without authenticating, but that can have complications, depending on
what software you use that relies on being able to send email via SMTP
to localhost (e.g. webmail or various mailing list software packages).

Another solution is to use a DIFFERENT way of tunneling SMTPS, such as
mailfront or Frederik Vermeulen's SSL patch to qmail or tcpserver-ssl.

~Kyle
--
As far as the laws of mathematics refer to reality, they are not
certain, and as far as they are certain, they do not refer to reality.
-- Albert Einstein

uffe at uffe

Apr 23, 2013, 2:23 PM

Post #3 of 5 (381 views)
Permalink

Re: SMTP AUTH allows any sender via SSL, but only correct auth via non-SSL [In reply to]

On 2013-04-23 22:05, Darek wrote:
> Hi there, I'm running Qmail on FreeBSD 9.1 (port version qmail-1.03_8)
> with the SMTP-AUTH patch from ports. I run it using tcpserver and
> daemontools, with the exact file, except the smtps port running through
> stunnel.
>
> The non-SSL process does correct user lookups and fails incorrect
> authentication.
>
> The SSL one gladly accepts any random string for user and pass and
> allows relay. I am running the same commands, only adding stunnel for
> the second one. A bit lost as to why this is happening. Below I use the
> same base64 encoded string for the login, both attempts from an
> untrusted source, not allowed to relay anywhere.
>

I would look at in the cdb file /usr/local/vpopmail/etc/tcp.smtp.cdb

# cat /usr/local/vpopmail/etc/tcp.smtp.cdb | cdbdump;

I would guess that RELAYCLIENT is set for the source ip of your stunnel
(or something like that)

/Uffe

fafaforza at gmail

Apr 23, 2013, 2:31 PM

Post #4 of 5 (370 views)
Permalink

Re: SMTP AUTH allows any sender via SSL, but only correct auth via non-SSL [In reply to]

On 4/23/2013 5:01 PM, Kyle Wheeler wrote:
> On Tuesday, April 23 at 04:05 PM, quoth Darek:
>> Hi there, I'm running Qmail on FreeBSD 9.1 (port version
>> qmail-1.03_8) with the SMTP-AUTH patch from ports. I run it using
>> tcpserver and daemontools, with the exact file, except the smtps port
>> running through stunnel.
>
> Stunnel is your problem. Essentially, all stunnel connections look, to
> qmail, like they're coming from localhost, and localhost is (usually)
> allowed to send mail without authenticating.
>
> One solution would be to make it so that localhost cannot send mail
> without authenticating, but that can have complications, depending on
> what software you use that relies on being able to send email via SMTP
> to localhost (e.g. webmail or various mailing list software packages).
>
> Another solution is to use a DIFFERENT way of tunneling SMTPS, such as
> mailfront or Frederik Vermeulen's SSL patch to qmail or tcpserver-ssl.

Ah, makes sense. patching tcpserver would likely be easier than
rebuilding qmail, and whatever else would need to be redone.

Thanks a million!

--
Darek

>
> ~Kyle

fafaforza at gmail

Apr 23, 2013, 4:56 PM

Post #5 of 5 (370 views)
Permalink

Re: SMTP AUTH allows any sender via SSL, but only correct auth via non-SSL [In reply to]

On 4/23/2013 5:01 PM, Kyle Wheeler wrote:
> Another solution is to use ... Frederik Vermeulen's SSL patch to ...
> tcpserver-ssl.

Would you look at this:

Apr 23 19:42:01 mailsystem vpopmail[1806]: vchkpw-smtps: vpopmail user
not found some-random-string@:4.5.6.7

Before, I wasn't getting any of these in the logs. I run a bruteforce
script and it was only matching non-SSL attempts.

For posterity, this is what I changed my 'run' file to:

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 30000000 \
/usr/local/bin/tcpserver -H -R -l 0 *-s* -v \
-x /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
*-n /opt/ssl/wildcard.isp.net.pem* \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtps \
/var/qmail/bin/qmail-smtpd 0 \
/usr/local/vpopmail/bin/vchkpw true 2>&1

Not too much documentation with the patch. To avoid reading the source:

*-s* tells it to use SSL/TLS, -S tells it not to. Without either, it's
just plain SMTP

*-n* points to the cert/private key file. This is a concatenation of
both files in the form of

-----BEGIN CERTIFICATE-----
MIIEgbCCA2ugAwIBAgIDAPfjEA0GCSqGSIb3DQEBBEUAMEAxCzAEBgNVBAYTAlVT
...
9ywP7t3dWky5kgSZwoOZ+dGadsa7Web9mZcqp0RJq24Ihblcp5XF4Avlabcu+szj
qmEtiQ5bKQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAEEAvalP8x2zQITBg/8GYAP/NEPyMMthM4S9IEBbyOmtpA75ZtLo
...
nqQxEYSso+WE0hZI7P2cTckyv5J6H4WE7vxUA0XU324AQbbcP2gN
-----END RSA PRIVATE KEY-----

Thanks again.
Darek

>
> ~Kyle

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads