
List:       postfix-users
Subject:    TCP maps security risks & mitigations; Trualias alias mapping
From:       Fred Morris <m3047 () m3047 ! net>
Date:       2019-10-21 16:32:19
Message-ID: 49c8f7d8-4688-47fb-9f2b-fa15d44490cf () m3047 ! net

Hello everyone, and the 10 people who care. On Friday I wrote hoping for
contact with someone interested in discussing security risks pertaining
to TCP maps and there's been no response.

Let me offer you some Monday morning entertainment with this:

    # postmap -q "foo-mtausers-0t3" tcp:athena.m3047.net:3047
    foo
    # postmap -q "foo-postfix-0f2" tcp:athena.m3047.net:3047
    foo
    # postmap -q "griselda-postfix-xip" tcp:athena.m3047.net:3047
    foo
    # postmap -q "postfixismymta.75" tcp:athena.m3047.net:3047
    baz

(I don't promise to leave that running on the internet forever, but
there it is for now.) It's running https://github.com/m3047/trualias and
in particular the rules defined in python/trualias.conf.sample.

As you've probably figured out, this is a service which converts aliases
into delivery accounts with some kind of alias validation, as opposed to
stemming accounts or wildcarding an entire domain. (Although it supports
that too, read the docs.)

Instructions on how to recompile local(8) without the security
restrictions which prevent the use of TCP maps for alias lookups are
also provided.

From an opsec perspective I wouldn't recommend running a service which
enumerates accounts and email aliases for all the world to see,
encrypted or not. However the risks and mitigations of doing so on
loopback or in a VPC are fairly well understood, more so by people who
architect with such information available by design as a matter of course.

What's the chief security concern with TCP tables, and does the
operational environment impact it? Is there an underlying vulnerability
in postfix itself, or is it a general allergy to running unencrypted
internet services even on loopback?

Respectfully...

--

Fred Morris




