RCE bug in OpenSMTPD email server
Quote:
New Critical RCE Bug in OpenBSD SMTP Server Threatens Linux Distros Quote:
__________________
Signature: Furthermore, I consider that systemd must be destroyed. Based on Latin oratorical phrase
|
|||
The attack vector is somewhat "original". What do you think?
|
|
|||
Quote:
Quote:
They just had a vulnerability too. Doesn't seem like that audit is working for an operating system whose claim to fame is security.
|
|||
Quote:
Thus, if what I have read is true, the statement still stands.
|
|||
I realize that will be their stock answer, but that is just ridiculous. What good is a computer if you can't use it? It would be like a 1981 computer that just sits there and impresses people who see it.
Every operating system can be considered secure then, even Windows, if you don't connect it to the internet or enable anything. The default install is secure! But you can't do anything with it.
|
|||
It happens to them all one way or another.....
i.e. https://www.forbes.com/sites/zakdoff.../#21bab0dcb232
|
|||
I'm only an enthusiast and new to OpenBSD, but while the default install* of OpenSMTP includes sending outbound mail, I don't see anything on the server configured to send outbound mail. I do wonder if the OpenBSD project is perhaps trolling with that statement on their home page.
However, with a default install of OpenBSD I have at the very least a SOCKS proxy; an actually useful tool. I could also argue that Windows is useful for word processing, spreadsheets and other tasks without being connected to teh interwebs. Issues regarding the utility of a computer ca. 1981 are related to available software and capabilities of the hardware. By modern standards, you couldn't even open an empty spreadsheet (.xlsx or .ods).

* So far I have only been learning with the Vultr image. I don't know how or if they have modified the OS.
|
||||
This is what you should see in /etc/mail/smtpd.conf with a default install of 6.6-release. It is the action to relay which opens an SMTP session with other servers:
Code:
#	$OpenBSD: smtpd.conf,v 1.12 2019/07/24 15:31:53 kmos Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases file:/etc/mail/aliases

# To accept external mail, replace with: listen on all
#
listen on lo0

action "local_mail" mbox alias <aliases>
action "outbound" relay

# Uncomment the following to accept external mail for domain "example.org"
#
# match from any for domain "example.org" action "local_mail"
match for local action "local_mail"
match for any action "outbound"

Last edited by jggimi; 29th February 2020 at 03:35 PM. Reason: typo, clarity
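A small audit of the configuration quoted above, added here as an example (it is not code from the thread or from the OpenSMTPD project). It parses only the directives that appear in the default file, not the full smtpd.conf(5) grammar, and reports non-loopback listeners and match rules that hand mail for any domain to a relay action; the name `audit` and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample: the directives of the default 6.6 smtpd.conf quoted above.
DEFAULT_CONF = '''\
table aliases file:/etc/mail/aliases
# To accept external mail, replace with: listen on all
listen on lo0
action "local_mail" mbox alias <aliases>
action "outbound" relay
# match from any for domain "example.org" action "local_mail"
match for local action "local_mail"
match for any action "outbound"
'''

LOOPBACK = {"lo0", "localhost", "127.0.0.1", "::1"}

def audit(conf_text):
    """Return (listeners, findings) for the subset of smtpd.conf(5) shown on this page."""
    actions, listeners, findings = {}, [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (assumes no '#' inside quotes)
        if not line:
            continue
        words = line.split()
        if words[:2] == ["listen", "on"]:
            listeners.append(words[2])
            if words[2] not in LOOPBACK:
                findings.append(f"listener '{words[2]}' is reachable beyond loopback")
        elif words[0] == "action":
            # action "<name>" <method> ...; method is relay, mbox, maildir, ...
            actions[words[1].strip('"')] = words[2]
        elif words[0] == "match":
            src = re.search(r"\bfrom\s+(\S+)", line)
            dst = re.search(r"\bfor\s+(\S+)", line)
            act = re.search(r'\baction\s+"([^"]+)"', line)
            # smtpd.conf(5): omitted "from" means "from local", omitted "for" means "for local"
            src = src.group(1) if src else "local"
            dst = dst.group(1) if dst else "local"
            if act and actions.get(act.group(1)) == "relay" and dst == "any":
                findings.append(f"senders '{src}' may relay to any domain via action '{act.group(1)}'")
    return listeners, findings

if __name__ == "__main__":
    listeners, findings = audit(DEFAULT_CONF)
    print("listeners:", listeners)
    for f in findings:
        print("finding:", f)
```

On the default file this reports a single loopback listener and one relay-to-any rule for local senders, which is the outbound path discussed in this thread.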
|
|||
Geez, I just figured out that the mail command can be used to send email to remote servers, so they do need to update their home page. On my first install I immediately installed mutt, so I didn't really play around with default mail.
Thank you for the install tip on Vultr. I'll use that for new servers from now on.
|
||||
I think you're confusing a mail user agent (MUA) with a mail transfer agent (MTA). The first is for use by human beings, the latter are to transfer mail between servers. As examples, mutt, mail(1), Thunderbird, and Outlook are MUAs, while smtpd(8), sendmail, Postfix, and Exchange are MTAs.
|
|
|||
While I'm very far from anything close to an expert on any of this stuff, I've been self-hosting personal mail servers for going on 7 years now*, although a few years ago I ditched self-configuring for Mail-in-a-Box for time reasons. (o:
My previous post was intended to communicate that even with OpenSMTPD being configured to support sending outbound mail, if there isn't anything on the default install that actually tells OpenSMTPD to send outbound mail, then the statement on the project's homepage could still be correct. I posted the followup because I discovered that the mail command can use OpenSMTPD to send outbound mail. I suspect the confusion you are seeing may be due to how I worded the post, suggesting that I may perceive mail or mutt to be communicating directly with external servers. That wasn't my intent.

* I originally learned how to configure a mail server through this excellent Ex Ratione tutorial. It was originally very deep in search results, though this and later articles on the same site are now at the top of many search queries. This series of mail tutorials is the best I ever found because of the amount of time taken to explain many of the key elements of the configuration, as well as stressing how important it is to review project documentation to better understand the tools as well as to continue to do one's own configuring (which is what I did): https://www.exratione.com/2012/05/a-...dovecot-mysql/
|
||||
Quote:
That's not the issue, at least to me. The crux of the matter to me is that the default configuration of the MTA is provisioned to send mail via an SMTP session to any remote server defined by MX domain resolution. That presented a previously unrecognized and unanticipated attack surface, provably successful. The RCE error has now been fixed. Whether the Project chooses to update their website is up to them.

Last edited by jggimi; 1st March 2020 at 03:22 PM. Reason: clarity