#1  
12th October 2010, 12:50
dar_ek
Junior Member
 
Email Routing: Unsecure.

I found that "Email Routing" is very insecure. It's possible to take over an email from other clients on our server.

example:
We have two clients on one server: VIP and SMARTGUY
VIP client has a domain: vip.com
and mailboxes e.g.: boss@vip.com, ...

When SMARTGUY has "Email Routing" enabled in his ISP panel, he can redirect all VIP emails to his outside mail server.

All he has to do is:
1. Configure his outside mailserver to accept emails from "vip.com" (and configure mailboxes, or some catchall).
2. Configure in panel on his account "SMARTGUY" in "Email Routing":
- Domain: vip.com
- Destination: smartguymailserv.com (or simply "*"!)

And all emails for vip.com are redirected to his SMARTGUY server.

"Email Routing" is disabled in default client templates, but some admins may enable it and may not be aware of the danger.
  #2  
12th October 2010, 16:23
till
Super Moderator
 

This is not insecure, it's the purpose of this function to redirect any kind of email address, protocol or domain to any other destination. So the function cannot be restricted without losing its functionality. If an admin does not know what the function is for, he shall not enable it. If ISPConfig disables a function in its defaults then there are good reasons to do that.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
12th October 2010, 18:45
dar_ek
Junior Member
 

I think that the function can be restricted by checking whether the domain is or isn't used by any client. Only for those listed in the "Relay Recipients" menu.

best regards.
  #4  
12th October 2010, 20:00
till
Super Moderator
 

This function is not just for domains. So the value can be anything, incl. custom transports defined in main.cf, so checking for a domain will not work. That's why we decided to disable it by default.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
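
The ownership check suggested in post #3, sketched as an audit a server admin could run over existing routing entries (an added example, not part of the thread and not ISPConfig code). It inspects only the Domain field of each entry, so the destination can stay free-form; the record layout, the `admin` owner name and the sample rows are assumptions, and the key forms (`domain`, `.domain`, `user@domain`, `*`) are those of a Postfix transport table.

```python
# Added audit sketch; field names and sample rows are constructed, not ISPConfig's schema.

def covers(key, hosted):
    """True if a routing-table lookup key would capture mail for `hosted`."""
    key, hosted = key.strip().lower(), hosted.strip().lower()
    if key == "*":                       # catch-all: captures every domain
        return True
    if key.startswith("."):              # ".vip.com" form: subdomains only
        return hosted.endswith(key)
    return key.rsplit("@", 1)[-1] == hosted   # "vip.com" or "boss@vip.com"


def audit_routes(routes, hosted_domains, trusted=("admin",)):
    """Return (route_owner, key, victim_owner, victim_domain) for each routing
    entry that captures a domain hosted for a different client."""
    findings = []
    for route in routes:
        if route["client"] in trusted:   # entries created by the server admin
            continue
        for dom in hosted_domains:
            if dom["client"] != route["client"] and covers(route["key"], dom["domain"]):
                findings.append((route["client"], route["key"],
                                 dom["client"], dom["domain"]))
    return findings


# Constructed sample data modelled on the thread's scenario.
HOSTED = [
    {"client": "VIP", "domain": "vip.com"},
    {"client": "SMARTGUY", "domain": "smartguy.example"},
]
ROUTES = [
    {"client": "SMARTGUY", "key": "vip.com", "dest": "smartguymailserv.com"},
    {"client": "SMARTGUY", "key": "smartguy.example", "dest": "smartguymailserv.com"},
    {"client": "VIP", "key": "boss@vip.com", "dest": "mx.vip.example"},
    {"client": "SMARTGUY", "key": "*", "dest": "smartguymailserv.com"},
    {"client": "admin", "key": "*", "dest": "relay.isp.example"},
]

if __name__ == "__main__":
    for owner, key, victim, domain in audit_routes(ROUTES, HOSTED):
        print(f"{owner}: routing key {key!r} captures {domain} (hosted for {victim})")
```

Run against a real export of routing entries and hosted mail domains, every finding is an entry to review with the client who created it.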