North American Network Operators Group


Re: Why do so few mail providers support Port 587?

  • From: Todd Vierling
  • Date: Thu Feb 17 07:50:38 2005

On Wed, 16 Feb 2005 [email protected] wrote:

> > Um, you actually have to work somewhat to get sendmail to support
> > unauthenticated submission on port 587.  The default configuration
> > is that port 25 is unauthenticated (albeit with some restrictions
> > on relaying (only for local clients)) and port 587 is authenticated.
> >
> > As such, I'm not sure why you seem to think that sendmail on port 587
> > is unauthenticated.
> Umm.. because the Sendmail 8.13.3 tree has this:

>         DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')

Yup.  I posted to another NANOG thread a little while ago about when I
mentioned this failure of security to the Sendmail folks and was shot down
voraciously by Claus and argued into oblivion by Neil.  They don't see this
as a security threat for some blissfully ignorant reason.

I'm still sitting on an m4 patch that, by default, disallows MSA submission
from any party not also permitted to *relay* (this means that IP list based
auth works, not just SMTP AUTH).  It uses a new DaemonPortOptions flag, and
adds three ruleset lines.

Here's the actual message in which I proposed this and provided the diff.
The only thing missing here is one more doc fix, but it's functionally
correct.  The patch still works on 8.13.x.


Date: Wed, 16 Jun 2004 22:29:12 -0400 (EDT)
From: Todd Vierling <[email protected]>
To: [email protected]
Subject: MSA-not-like-MTA diff deux

On Wed, 16 Jun 2004, Neil W Rickert wrote:

> >   Relay permission is already logically necessary for legitimate users of
> >   the MSA port, so this aspect can and should be enforced as mandatory.
> If "Relay permission is already logically necessary" then what we are
> already doing must meet your requirements.

Except that currently, the following part is not enforced:

>3. MTAs should never contact the MSA port for anonymous mail delivery
>   injection.

because remote systems are indeed being allowed to inject mail anonymously,
so long as the RHS of the RCPT TO is "local".

> You would have done better to just submit a patch with a brief
> explanation, and without the bogus claim that there is a security
> hole.

Those of us who are deluged by a flood of wormspew, and fighting back
against it fiercely, consider this to be a huge security hole.  Sendmail is
[when using the default out-of-the-box settings] allowing at least one worm
so far to propagate beyond the realm of port-25 filtering.

This is why I started by asking a question about it in a security context,
and was rather taken aback by what appeared (to me) to be denial of the
problem's existence.  Rather, it only appears to be that the members of the
Sendmail author team haven't -- yet -- seen the detrimental effects of a
MTA-as-MSA port to quite the degree that some others of us already have.

I apologize for my misinterpretation.  To level the issue a bit:

> Maybe at this stage you should extend the patch to cover the
> documentation (cf/README and maybe doc/op/ (for the proposed new
> modifier for DaemonPortOptions).  Then resubmit and see what Claus
> decides to do with it.

Attached below.  Diff is against 8.12.11.

I used modifier `L' as a "not Local" meaning, given that the other uppercase
letters mean "not Something", but maybe that's not so intuitive?[*] If you
think it should use a different option letter, let me know and I'll re-roll
the diff.

[*] As if rulesets are intuitive.  But then, I did write a text search algo
    in m4 some ages ago....  8-)


--- doc/op/	Wed Jun 16 22:01:02 2004
+++ doc/op/	Wed Jun 16 22:11:05 2004
@@ -6457,11 +6457,15 @@
 A	disable AUTH (overrides 'a' modifier)
 C	don't perform hostname canonification
 E	disallow ETRN (see RFC 2476)
+L	treat all mail as nonlocal; require relay permission (.cf)
 O	optional; if opening the socket fails ignore it
 S	don't offer STARTTLS
-That is, one way to specify a message submission agent (MSA) that
-always requires authentication is:
+The standard message submission agent (MSA) uses the ``L''
+modifier to restrict message submission only to clients that have
+mail relaying permission.
+A way to specify a message submission agent (MSA) that
+always requires SMTP AUTH based authentication is:
 O DaemonPortOptions=Name=MSA, Port=587, M=Ea
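Review bot: The new `L' entry in the modifier table ends with "(.cf)" but nothing in this hunk says what that means for an administrator. The restriction is carried by ruleset lines in the generated .cf, so a hand-maintained or older .cf that sets M=EL without those lines would apparently enforce nothing. Suggest spelling that out next to the table entry, and stating in the added paragraph that relay permission can come from an address-based relay list as well as from SMTP AUTH, so readers do not take `L' for a synonym of `a'.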
@@ -6471,8 +6475,8 @@
 .b ${daemon_flags} .
 Notice: Do
 .b not
-use the ``a'' modifier on a public accessible MTA!
-It should only be used for a MSA that is accessed by authorized
+use the ``a'' and/or ``L'' modifiers on a publicly accessible MTA!
+They should only be used for a MSA that is accessed by authorized
 users for initial mail submission.
 Users must authenticate to use a MSA which has this option turned on.
 The flags ``c'' and ``C'' can change the default for
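Review bot: The unchanged sentence right after the edited warning, "Users must authenticate to use a MSA which has this option turned on", is no longer accurate now that the warning covers two modifiers. "This option" has become ambiguous, and with `L' a client that holds relay permission by address is accepted without authenticating. Suggest rewording that sentence to apply to ``a'' only and adding a matching sentence for ``L''.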
--- cf/m4/proto.m4.orig	Sun Jan 11 12:54:06 2004
+++ cf/m4/proto.m4	Wed Jun 16 22:00:47 2004
@@ -347,7 +347,7 @@
 ifelse(defn(`_DPO_'), `',
 `ifdef(`_NETINET6_', `O DaemonPortOptions=Name=MTA-v4, Family=inet
 O DaemonPortOptions=Name=MTA-v6, Family=inet6',`O DaemonPortOptions=Name=MTA')', `_DPO_')
-ifdef(`_NO_MSA_', `dnl', `O DaemonPortOptions=Port=587, Name=MSA, M=E')
+ifdef(`_NO_MSA_', `dnl', `O DaemonPortOptions=Port=587, Name=MSA, M=EL')

 # SMTP client options
 ifelse(defn(`confCLIENT_OPTIONS'), `', `dnl',
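Review bot: Changing the generated default from M=E to M=EL takes effect silently the next time a site rebuilds its .cf, and the only switch visible on this line is _NO_MSA_, which removes the listener altogether. Sites whose clients submit to local recipients on port 587 without relay permission will start seeing rejections. Suggest a release-note entry and a documented way to get the old M=E line back (no_default_msa plus an explicit DAEMON_OPTIONS).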
@@ -2041,6 +2041,10 @@
 ifelse(defn(`_NO_UUCP_'), `r',
 `R$* ! $* < @ $* >	$: <REMOTE> $2 < @ BANG_PATH >
 R$* ! $* 		$: <REMOTE> $2 < @ BANG_PATH >', `dnl')
+# do not implicitly trust local recipients on MSA port(s)
+R$*			$: $&{daemon_flags} $| $1
+R$* LL $* $| $*		[email protected] NO
+R$* $| $*		$: $2
 # anything terminating locally is ok
 ifdef(`_RELAY_ENTIRE_DOMAIN_', `dnl
 R$+ < @ $* $=m >	[email protected] RELAY', `dnl')
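Review bot: The second added rule matches the literal LL, while the modifier is documented and configured as a single L. That relies on ${daemon_flags} presenting uppercase modifiers doubled, which a later reader can easily mistake for a typo; suggest extending the comment above the three rules to say so. It would also help to note there that the third rule restores the original workspace, and that the block has to stay ahead of "anything terminating locally is ok" for the restriction to have any effect.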
--- cf/README.orig	Wed Jun 16 21:58:42 2004
+++ cf/README	Wed Jun 16 21:59:46 2004
@@ -1345,7 +1345,7 @@
 		follow the colon.

 no_default_msa	Don't generate the default MSA daemon, i.e.,
-		DAEMON_OPTIONS(`Port=587,Name=MSA,M=E')
+		DAEMON_OPTIONS(`Port=587,Name=MSA,M=EL')
 		To define a MSA daemon with other parameters, use this
 		FEATURE and introduce new settings via DAEMON_OPTIONS().

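Review bot: The no_default_msa entry only has its literal updated. Sites that already use this FEATURE and declare their own MSA through DAEMON_OPTIONS() keep whatever modifiers they wrote, so they do not pick up `L'. Suggest a sentence here telling them to add it (or `a') to their own line.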
@@ -4055,7 +4055,7 @@
 If DAEMON_OPTIONS is not used, then the default is

 	DAEMON_OPTIONS(`Port=smtp, Name=MTA')
-	DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')
+	DAEMON_OPTIONS(`Port=587, Name=MSA, M=EL')

 If you use one DAEMON_OPTIONS macro, it will alter the parameters
 of the first of these.  The second will still be defaulted; it
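Review bot: cf/README now shows M=EL as the default in three places but never says what `L' does; the explanation exists only in doc/op. Suggest one sentence under this default listing describing the modifier and pointing at the operations guide, which would also cover the Port=987 example in the next hunk.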
@@ -4072,7 +4072,7 @@
 using the default SMTP port, use
-	DAEMON_OPTIONS(`Port=987, Name=MSA, M=E')
+	DAEMON_OPTIONS(`Port=987, Name=MSA, M=EL')

 Note that if the first of those DAEMON_OPTIONS lines were omitted, then
 there would be no listener on the standard SMTP port.

-- Todd Vierling <[email protected]> <[email protected]>
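
An added example (not part of the original message or of Sendmail): a small audit that reads a generated sendmail.cf and lists submission-port listeners that do not require SMTP AUTH, such as the default M=E MSA line discussed above. The sample config is constructed; keying options on their first letter (so M= and Modifiers= are treated alike) is an assumption, and the proposed `L' modifier is not checked because it exists only in the patch.

```python
import re

# Constructed sample sendmail.cf fragment (not taken from a real host).
SAMPLE_CF = """\
O DaemonPortOptions=Name=MTA
O DaemonPortOptions=Port=587, Name=MSA, M=E
O DaemonPortOptions=Name=MSA-auth, Port=submission, Modifiers=Ea
#O DaemonPortOptions=Port=587, Name=old, M=E
"""

SUBMISSION_PORTS = {"587", "submission"}


def parse_daemon_port_options(cf_text):
    """Return one dict per active 'O DaemonPortOptions=' line.

    Keys are reduced to their upper-cased first letter (P, N, M, ...).
    Assumption: that is enough to tell Port, Name and Modifiers apart.
    """
    listeners = []
    for line in cf_text.splitlines():
        m = re.match(r"O\s+DaemonPortOptions\s*=\s*(.*)", line)
        if not m:
            continue  # comments and unrelated options are skipped
        opts = {}
        for pair in m.group(1).split(","):
            key, _, value = pair.partition("=")
            key = key.strip()
            if key:
                opts[key[0].upper()] = value.strip()
        listeners.append(opts)
    return listeners


def unauthenticated_submission_listeners(cf_text, ports=SUBMISSION_PORTS):
    """Names of submission listeners that do not enforce SMTP AUTH.

    'a' requires authentication; 'A' disables AUTH and overrides 'a'.
    """
    findings = []
    for opts in parse_daemon_port_options(cf_text):
        if opts.get("P") not in ports:
            continue  # no Port= means the default SMTP listener
        mods = opts.get("M", "")
        if "a" not in mods or "A" in mods:
            findings.append(opts.get("N", "(unnamed)"))
    return findings


if __name__ == "__main__":
    print(unauthenticated_submission_listeners(SAMPLE_CF))
```

Pass a different `ports` set for sites that run the MSA on a non-standard port.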