
FW: zmailer smtp information disclosure




Hi, 

Unfortunately, we have also discovered the same problem: addresses in the bcc field are present in the headers. This does not appear to be a problem in previous versions such as 2.99.55, but is definitely present in 2.99.56. Could it be a simple mistake in configuration, or a bug in Zmailer 2.99.56?

It could be a disaster for our customers.
Here is a part of the header which illustrates this issue; the mail was bcc'ed to freyk@bluecatnetworks.com

"IDENT-NONSENSE") by mail.bluecatnetworks.com with SMTP
	id <S289189AbUE1PpG> (ORCPT <rfc822;freyk@bluecatnetworks.com>
	+ 1 other); Fri, 28 May 2004 11:45:06 -0400
Message-ID: 02aa01c444c9$c2364bb0$a50011ac@bluecatnetworks.corp

Any feedback will be appreciated.


Anton Shapiro.

-----Original Message-----
From: 	zmailer [mailto:zmailer@lists.com.ar] 
Sent:	Thursday, May 13, 2004 3:58 PM
To:	'zmailer@nic.funet.fi'
Subject:	zmailer smtp information disclosure


Hi,

I have the following setup:

Internet -> zmailer gateway (ZG) -> internal mail server (IM)
ZG is the MX for example.com and using routes/smtp delivers messages to IM.
The problem is that if a message is generated from
for example Hotmail or another zmailer to
u1@example.com and Bcc to u2@example.com 
the headers in the mail which u1 receives are:
Received: from somehost ([29.9.24.28]:52383 "EHLO
somehost") by ZG. with ESMTP
id S1245225AbUEMS32 (ORCPT <rfc822;u2@example.com>
+ 1 other); Thu, 13 May 2004 15:29:28 -0300
disclosing the bcc destination.
I think that this is wrong.
This was tested, with equal results, on Fedora Linux
CVS 30/11/2003 and CVS 12/03/2004


The same situation was verified from a local zmailer to some remote location using:
mail a@dom.com -b b@dom.com 
and a@dom.com received a header saying that ORCPT was b.com + 1 other
Regards,

Nico
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
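
A mailbox-side check for the disclosure reported in this thread, as an added example that is not part of either message and is not ZMailer code: it scans a message's Received headers for the "(ORCPT <rfc822;...>" comment quoted above and reports any address that does not appear in To or Cc. The function name, the mailbox_owner parameter and the sample message are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# ORCPT comment as it appears in the Received "id" clause quoted in the thread:
#   id S1245225AbUEMS32 (ORCPT <rfc822;u2@example.com> + 1 other)
ORCPT_RE = re.compile(r"\(ORCPT\s+<rfc822;([^>\s]+)>", re.IGNORECASE)

def leaked_recipients(raw_message, mailbox_owner=None):
    """Addresses named in a Received ORCPT comment but absent from To/Cc.

    mailbox_owner (hypothetical parameter): the recipient whose mailbox the
    copy was read from; seeing one's own address is not a disclosure.
    """
    msg = message_from_string(raw_message)
    visible = {a.lower() for _, a in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if mailbox_owner:
        visible.add(mailbox_owner.lower())
    leaked = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold continuation lines
        for addr in ORCPT_RE.findall(flat):
            addr = addr.lower()
            if addr not in visible and addr not in leaked:
                leaked.append(addr)
    return leaked

# Constructed sample: the Received header quoted in the thread, placed on a
# made-up message addressed only to u1@example.com.
SAMPLE = (
    'Received: from somehost ([29.9.24.28]:52383 "EHLO somehost") by ZG. with ESMTP\n'
    "\tid S1245225AbUEMS32 (ORCPT <rfc822;u2@example.com>\n"
    "\t+ 1 other); Thu, 13 May 2004 15:29:28 -0300\n"
    "From: sender@example.org\n"
    "To: u1@example.com\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)
# Same message with u2 as a visible recipient: nothing is disclosed.
CLEAN = SAMPLE.replace("To: u1@example.com", "To: u1@example.com, u2@example.com")

if __name__ == "__main__":
    print(leaked_recipients(SAMPLE))
```

Run over the copies delivered to a test mailbox after sending a message with a Bcc recipient, a non-empty result means the gateway is writing the hidden recipient into headers other recipients can read.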

