HowtoForge Forums > ISPConfig 2 > General

  #1  
Old 29th December 2013, 20:59
ronee
HowtoForge Supporter
 
Join Date: Oct 2006
Posts: 32
security issue: smtpauth with user@domain when only passwd auth enabled (dovecot)

Hi Guys,

I'm hoping someone has an idea here.

Have something very baffling on a server running centos + ispconfig2 with dovecot.

Essentially this server is configured so all email user accounts are in the format: domain.ext_user (all these accounts are system users)

But somehow, I've got some bad hats managing to authenticate as user@domain.ext

I have no idea how this is being done, I have looked everywhere I can think of for a user account matching the smtp login without success. I've isolated the login in the maillogs that show things like: sasl_username=user@domain.ext
The email address expressed in the sasl username does exist.

I've already done the usual such as changing the password for the user in question that has that email address but somehow the successful authentication continues.

I did find an old ssh enabled user that has a username that matches the user portion of the email address which I've disabled but again my question is how is this authentication possible.

I've checked postfix and saslauthd is the only pwcheck method available.

I've attempted to enable some debug logging to see if that sheds any light but no joy yet.

Any ideas on this would be of great interest.

Thanks
  #2  
Old 30th December 2013, 17:48
till
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,792

Did you restart dovecot and saslauthd and postfix after the password change? It sometimes happens that the password is cached so the attackers can still login with the old password until you restart these 3 services.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 31st December 2013, 10:35
ronee
HowtoForge Supporter
 
Join Date: Oct 2006
Posts: 32

Thanks Till,

I didn't restart at least right away as you suggested as the user's password did change as evidenced by the fact they had to reconfigure their various email devices.

More to the point, however, is the curiosity of how it was possible for the attacker to authenticate to an account in format user@domain.ext when the usernames are all in format domain.ext_user -- that is what has me rather baffled.

After changing the password for the user in question a couple of times I realized the futility of it -- even though the attacker was authenticating to a username that matched the email address that belonged to the account for which the password I was changing, it was obviously a different account somehow, how I don't know as that version of ispconfig + dovecot used system users only for authentication afaik and there was no such system user possible in format user@domain.ext hence the users are all domain.ext_user due to the @ not being possible in system usernames.

Any ideas would be of great interest.

Thanks.
  #4  
Old 31st December 2013, 13:48
till
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,792

There is a workaround for user@domain logins for ispconfig 2 documented here:

http://www.howtoforge.com/forums/sho...+user%40domain

maybe you applied this or a similar solution on your server?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #5  
Old 6th January 2014, 06:12
ronee
HowtoForge Supporter
 
Join Date: Oct 2006
Posts: 32

Thanks Till, sorry for the delay in my reply.

Definitely have not done such a workaround, courier is not installed at all, all users login with a username of domain_user

Any idea how it can be possible for an attacker to authenticate to postfix for outgoing mail using a username of user@domain.ext?

Pretty baffling, have not seen anything else like this.
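The thread never settles how the user@domain.ext logins were accepted, but the question asked in posts #1 and #5 has a practical triage side: which SASL logins in the maillog use a name that is not one of the server's accounts, and what account would that name map to under the site's domain.ext_user convention? The script below is an added example written for this page; it is not code from the thread, from ISPConfig or from Postfix. The log lines are constructed in the shape Postfix writes for SASL-authenticated submissions (hostnames, addresses and names are made up), and KNOWN_SYSTEM_USERS is a stand-in for whatever account list you would actually read out of /etc/passwd.

```python
import re
from collections import Counter

# Constructed sample maillog lines in the format Postfix uses for
# SASL-authenticated sessions; nothing here is taken from the thread.
SAMPLE_MAILLOG = """\
Dec 29 20:10:01 mx postfix/smtpd[1234]: ABC123: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=example.com_alice
Dec 29 20:11:15 mx postfix/smtpd[1234]: DEF456: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=alice@example.com
Dec 29 20:12:40 mx postfix/smtpd[1235]: GHI789: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=alice@example.com
Dec 29 20:13:02 mx postfix/smtpd[1236]: JKL012: client=host.example.net[192.0.2.5], sasl_method=LOGIN, sasl_username=example.com_bob
Dec 29 20:14:55 mx postfix/smtpd[1237]: MNO345: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob
"""

# Hypothetical account list standing in for /etc/passwd on an ISPConfig 2
# box that names mail users domain.ext_user, as described in the thread.
KNOWN_SYSTEM_USERS = {"example.com_alice", "example.com_bob", "root"}

SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<client>\S+), "
    r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)"
)


def parse_sasl_logins(text):
    """Yield one dict per log line that records a SASL-authenticated session."""
    for line in text.splitlines():
        m = SASL_RE.search(line)
        if m:
            yield m.groupdict()


def canonical_account(sasl_username):
    """Map a login name to the domain.ext_user form used on the server.

    user@domain.ext -> domain.ext_user; any other name is returned unchanged.
    """
    if "@" in sasl_username:
        local, _, domain = sasl_username.partition("@")
        return f"{domain}_{local}"
    return sasl_username


def find_suspicious_logins(text, known_users):
    """Return every login whose sasl_username is not a known system account.

    Each finding keeps the raw name, the account it would correspond to under
    the site convention, whether that account exists, and the client that
    presented it, so the admin can tell "wrong form of a real mailbox" from
    "no such account at all".
    """
    findings = []
    for rec in parse_sasl_logins(text):
        user = rec["user"]
        if user in known_users:
            continue
        mapped = canonical_account(user)
        findings.append({
            "sasl_username": user,
            "maps_to": mapped,
            "maps_to_known_account": mapped in known_users,
            "client": rec["client"],
            "method": rec["method"],
        })
    return findings


def summarize_clients(findings):
    """Count suspicious logins per client, useful when deciding what to block."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious_logins(SAMPLE_MAILLOG, KNOWN_SYSTEM_USERS)
    for h in hits:
        print(h)
    print(summarize_clients(hits))
```

On a real server you would feed it the contents of /var/log/maillog and a set built from the login names in /etc/passwd. A finding with maps_to_known_account set is exactly the pattern the thread describes: a mailbox that exists, addressed by a username form the server is not supposed to accept. The client counts give you the handful of sources to rate-limit or block while the authentication path is being investigated.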
Tags: dovecot, postfix, saslauthd, security