Subject: re: there is no localhost mail security hole
To: NetBSD security list <tech-security@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 06/29/2003 04:00:46
[ On Sunday, June 29, 2003 at 15:12:28 (+1000), matthew green wrote: ]
> Subject: re: localhost security hole
>
> no. any address of the form "user@host." is invalid. eg, postfix
> tells me:
>
> <root@localhost.>: bad host/domain syntax: "localhost."
>
> i believe it is RFC required.
There's been a quandry over the trailing dot for many years, and even
RFC 1123 is of two minds about it. RFC 822 does not allow trailing dots
on domain names by strict interpretation of the BNF, but then again the
BNF allows silly things like "host.[127.0.0.1]", and 822 alone would
also allow things banned elsewhere, such as underscores.
In the mean time RFC 1123 says that the DNS allows for the use of
abbreviations for host domain names but requires some way to indicate
that a name is already fully qualified and suggests the use of the
trailing dot as a common way of implementing this.
RFC 2822 fixes the placement of domain-literal in the syntax, but still
strictly denies trailing dots. RFC 2822 also allows underscores and
other things not allowed in host domain names!
Note that strictly RFC 1123 only allows abbreviations for "interfaces"
(i.e. for domain names that expand to addresses) and it also requires
that domain name abbreviations be expanded only once and in the context
in which the name was entered. However in the discussion about
abbreviations e-mail to an abbreviated domain name is used as an example
and thus this implies that trailing dots must be allowed by the mailer
in environments where abbreviations are allowed and where the trailing
dot is used to indicated a fully qualified name.
What this all boils down to is that trailing dots are not allowed in
SMTP envelope addresses, but they may be used in command-line
parameters, provided that they are expanded immediately and stored in
the queue file as fully qualified domain names. For localhost this
means "sendmail root@localhost." is acceptable and will avoid the
default qualification with the domain from /etc/resolv.conf, provided
the trailing dot is stripped immediately. Similar rules should apply
for 'sendmail -t' and addresses in the headers, though in theory (and
especially in sendmail I suppose) the trailing dot should be removed
from the addresses in the headers too.
The next trick is what to do with mail to "user@localhost". Obviously
it should be interpreted as being directed at the mailbox for the local
user "user". I don't know how you do that in sendmail or postfix, but
it's trivial to set up this way in Smail (and it works either with or
without the trailing dot). :-)
What this means is that no domain name lookups should be necessary for
"localhost" whatsoever (to deliver mail to "user@localhost") -- not from
the DNS, nor from /etc/host, regardless of how you've got
/etc/nsswitch.conf set up. If sendmail needs to do MX or A RR lookups
for local hostnames, especially for mail from the command-line, then
sendmail is broken.
The final issue is what to do about mail to root vs. the ownership of
/var/mail/root. In theory this is a problem for the LDA, not sendmail
itself (i.e. mail.local). The LDA has to have superuser privileges to
write to normal /var/mail mailboxes anyway, so actually this shouldn't
be an issue at all.
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>