List: postfix-users
Subject: TCP maps security risks & mitigations; Trualias alias mapping
From: Fred Morris <m3047 () m3047 ! net>
Date: 2019-10-21 16:32:19
Message-ID: 49c8f7d8-4688-47fb-9f2b-fa15d44490cf () m3047 ! net
Hello everyone, and the 10 people who care. On Friday I wrote hoping for
contact with someone interested in discussing security risks pertaining
to TCP maps and there's been no response.

Let me offer you some Monday morning entertainment with this:

    # postmap -q "foo-mtausers-0t3" tcp:athena.m3047.net:3047
    foo
    # postmap -q "foo-postfix-0f2" tcp:athena.m3047.net:3047
    foo
    # postmap -q "griselda-postfix-xip" tcp:athena.m3047.net:3047
    foo
    # postmap -q "postfixismymta.75" tcp:athena.m3047.net:3047
    baz

(I don't promise to leave that running on the internet forever, but
there it is for now.) It's running https://github.com/m3047/trualias and
in particular the rules defined in python/trualias.conf.sample.

As you've probably figured out, this is a service which converts aliases
into delivery accounts with some kind of alias validation, as opposed to
stemming accounts or wildcarding an entire domain. (Although it supports
that too, read the docs.)

Instructions on how to recompile local(8) without the security
restrictions which prevent the use of TCP maps for alias lookups are
also provided.

From an opsec perspective I wouldn't recommend running a service which
enumerates accounts and email aliases for all the world to see,
encrypted or not. However the risks and mitigations of doing so on
loopback or in a VPC are fairly well understood, more so by people who
architect with such information available by design as a matter of course.

What's the chief security concern with TCP tables, and does the
operational environment impact it? Is there an underlying vulnerability
in postfix itself, or is it a general allergy to running unencrypted
internet services even on loopback?

Respectfully...
--
Fred Morris
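
An added example, not part of the original message and not Trualias code: a minimal lookup service that speaks the tcp_table(5) request/reply format (a `get key` line answered with a 200, 400 or 500 line), validates aliases instead of wildcarding, and binds to loopback as discussed in the message. The HMAC-based check code, `SECRET`, `ACCOUNTS` and every function name are assumptions made for illustration; only port 3047 is taken from the message.

```python
import hashlib, hmac, socketserver
from urllib.parse import quote, unquote

SECRET = b"constructed-demo-key"   # assumption: a per-site secret
ACCOUNTS = {"foo", "baz"}          # constructed delivery accounts

def check_code(account, tag):
    """Hypothetical check code: first 3 hex digits of HMAC-SHA256(account-tag)."""
    msg = f"{account}-{tag}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:3]

def resolve(alias):
    """Map account-tag-code to its account, or None if it fails validation."""
    parts = alias.lower().split("-")
    if len(parts) != 3 or parts[0] not in ACCOUNTS:
        return None
    account, tag, code = parts
    ok = hmac.compare_digest(code.encode(), check_code(account, tag).encode())
    return account if ok else None

def handle_line(line):
    """Answer one tcp_table(5) request: 200 found, 500 not found, 400 error."""
    verb, _, key = line.rstrip("\r\n").partition(" ")
    if verb != "get" or not key:
        return "400 unsupported request\n"
    account = resolve(unquote(key))          # keys arrive %XX-encoded
    if account is None:
        return "500 not found\n"
    return "200 " + quote(account, safe="@.-_+") + "\n"

class Handler(socketserver.StreamRequestHandler):
    timeout = 30                             # idle clients are dropped

    def handle(self):
        try:
            while raw := self.rfile.readline(4097):
                if len(raw) > 4096:          # oversized request: hang up
                    break
                reply = handle_line(raw.decode("ascii", "replace"))
                self.wfile.write(reply.encode())
        except OSError:
            pass

if __name__ == "__main__":
    # Bound to loopback only, so other hosts cannot query the table.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 3047), Handler) as srv:
        srv.serve_forever()
```

A three-character code only filters typos and casual guesses; the bind address is what keeps the table from being probed by other hosts.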