[Secure-testing-team] Bug#591678: greylistd-setup-exim4 causes excessive callouts and cause the server to be blacklisted

ylsdd ylsdd at tttan.com
Wed Aug 4 17:00:19 UTC 2010 

Package: greylistd
Version: 0.8.7+nmu1
Severity: grave
Tags: security patch
Justification: renders package unusable


The 'greylistd-setup-exim4' script added a section 'deny' to /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt.

 # Deny if blacklisted by greylist
 deny
   message = $sender_host_address is blacklisted from delivering \\
                     mail from <$sender_address> to <$local_part@$domain>.
   log_message = blacklisted.
   !senders        = :
   !authenticated = *
   verify         = recipient/callout=20s,use_sender,defer_ok
   condition      = ${readsocket{/var/run/greylistd/socket}\\
                                 {--black \\
                                  $sender_host_address \\
                                  $sender_address \\
                                  $local_part@$domain}\\
                                 {5s}{}{false}}

In this added section, recipient/callouts are performed without verifying recipient's hostname. Thus, when spammers send to the hosting server emails with 
recipient refering to other domains that are not relayed, excessive and wrong recipient callouts will be performed. The final results then include

1, high server load due to excessive callouts
2, potential DDOS attack to other domains
3, the hosting server being blocked because of sending callouts to spam-trap addresses
4, complain from ISP and termination of service

A simple fix should be removing the recipient/callout verification in this 'deny' section, since there is NO POINT TO NOT DENY if 
recipient/callout would fail.

The patch is then as following

*** greylistd-0.8.7+nmu1/program/greylistd-setup-exim4	2007-12-02 10:51:35.000000000 -0500
--- greylistd-0.8.7+nmu1.my/program/greylistd-setup-exim4	2010-08-04 12:54:31.802439372 -0400
*************** exim4conf_texts = {
*** 85,91 ****
     log_message = blacklisted.
     !senders        = :
     !authenticated = *
-    verify         = recipient/callout=20s,use_sender,defer_ok
     condition      = ${readsocket{/var/run/greylistd/socket}\\
                                   {--black \\
                                    $sender_host_address \\
--- 85,90 ----



-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages greylistd depends on:
ii  adduser                       3.110      add and remove users and groups
ii  debconf [debconf-2.0]         1.5.24     Debian configuration management sy
ii  python                        2.5.2-3    An interactive high-level object-o

Versions of packages greylistd recommends:
ii  exim4                         4.69-9     metapackage to ease Exim MTA (v4) 

greylistd suggests no packages.

-- debconf information:
  greylistd/autoconfig_notdone:
  greylistd/restartexim: true
* greylistd/autoconfig_notdone_exim4:

More information about the Secure-testing-team mailing list