This is a public letter, not a 'submission to IBM', therefore IBM does not own these comments (If this confuses anybody, please read the postfix license agreement).

On Mon, 21 Dec 1998, Wietse Venema wrote:

> First I'd like to emphasize that the primary objective of Postfix
> was to protect the local system. With today's protocols that lack
> any form of strong authentication, I make no promise that Postfix
> can be made immune against DNS spoofing, IP address spoofing, or
> SMTP sender address spoofing.
>
> Secondly, all topics of controversy are the result of deliberate
> design decisions, not accidental properties of the implementation.
> I suppose that one man's bug is another man's feature.

How is this vulnerability a feature?

> By default, Postfix relays mail from sites within the local domain
> or subnetwork.

If the default is to accept mail from the local domain, what is to prevent a PTR to a host in the local domain from being spoofed? If this can be done, the PTR vulnerability will be present on many more systems than the sentence below implies.

> In addition, the system administrator can set up
> access controls on the basis of client host names/addresses, and
> on names or mail addresses that are exchanged via SMTP commands.

> 1 - Claim: Postfix relay restrictions can be bypassed with forged
> PTR records.
>
> Response: in my opinion, the current measures raise the bar to
> a sufficient level.

'Raise the bar' - I.E. you don't think spammers will have control of their own in-addr.arpa. While it is true that a large NUMBER of spammers use a dialup modem for which they have no in-addr control, a large QUANTITY of spam comes from co-located spam-servers which often DO have control over their own IP.

Someone pointed out that gethostbyaddr() may have been avoided for performance reasons. I can understand the need for performance.

A way to have both performance and security might be to allow any client to connect, and then simultaneously DNS authenticate the client while accepting mail. By the time the mail was processed and the client ready to disconnect, hopefully the DNS work would be done and mail accepted or rejected based on the fully authenticated source. If it wasn't done, it could be dumped after a determined timeout.

Robert Keyes
Security Consultant
Cambridge Massachusetts
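The check the letter is circling around, as an added example that is not part of the original thread or of Postfix: a relay decision based on the PTR name alone trusts whoever controls the client's in-addr.arpa zone, whereas forward-confirmed reverse DNS (FCrDNS) also requires the claimed name to resolve back to the connecting address, so a forged PTR is not enough. The zone data, the local domain `example.com` and the `reverse`/`forward` callbacks standing in for gethostbyaddr()/gethostbyname() are all constructed assumptions so the example runs offline.

```python
import ipaddress

# Constructed sample zone data (not real DNS): one legitimate local host and
# one attacker-controlled in-addr.arpa entry that claims a local hostname.
PTR = {
    "192.0.2.10": ["mail.example.com."],
    "198.51.100.7": ["relay.example.com."],   # forged PTR record
}
A = {
    "mail.example.com": ["192.0.2.10"],
    "relay.example.com": ["192.0.2.25"],      # forward zone never names 198.51.100.7
}
reverse = lambda ip: PTR.get(ip, [])      # stand-in for gethostbyaddr()
forward = lambda name: A.get(name, [])    # stand-in for gethostbyname()


def in_local_domain(name, local_domains):
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in local_domains)


def ptr_only_relay_allowed(ip, local_domains, reverse):
    """The weak rule: trust whatever name the client's PTR record claims."""
    return any(in_local_domain(n, local_domains) for n in reverse(ip))


def fcrdns_names(ip, reverse, forward):
    """PTR names for ip that also resolve forward to ip (forward-confirmed)."""
    addr = ipaddress.ip_address(ip)
    confirmed = []
    for name in reverse(ip):
        name = name.rstrip(".").lower()
        try:
            if addr in {ipaddress.ip_address(a) for a in forward(name)}:
                confirmed.append(name)
        except ValueError:      # malformed forward answer: treat as unconfirmed
            pass
    return confirmed


def relay_allowed(ip, local_domains, reverse, forward):
    """The hardened rule: only a confirmed PTR name can place a client in a local domain."""
    return any(in_local_domain(n, local_domains) for n in fcrdns_names(ip, reverse, forward))


if __name__ == "__main__":
    for ip in PTR:
        weak = ptr_only_relay_allowed(ip, ["example.com"], reverse)
        strong = relay_allowed(ip, ["example.com"], reverse, forward)
        print(f"{ip}: PTR-only={'relay' if weak else 'reject'}  FCrDNS={'relay' if strong else 'reject'}")
```

The forward lookup is the part that can be deferred and run alongside the SMTP session, as the letter suggests, with the final accept/reject decision taken once it completes or the timeout expires.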
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:08 PDT