[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FW: zmailer smtp information disclosure

On Mon, May 31, 2004 at 10:50:38AM -0400, Anton Shapiro wrote:
> Unfortunately, we also have discovered the same problem, addresses in 
> bcc field are being present in the headers. This is not appear to be a 
> problem in previous versions such as in 2.99.55, but is definitely 
> present in 2.99.56. Could it be a simple mistake in configuration, or a 
> bug in Zmailer 2.99.56 ?
> 
> It could be a disaster for our costumers.
> Here is the a part of the header, which illustrates this issue mail was 
> bcc'ed to freyk@bluecatnetworks.com   
> 
> "IDENT-NONSENSE") by mail.bluecatnetworks.com with SMTP
> 	id <S289189AbUE1PpG> (ORCPT <rfc822;freyk@bluecatnetworks.com>
> 	+ 1 other); Fri, 28 May 2004 11:45:06 -0400
> Message-ID: 02aa01c444c9$c2364bb0$a50011ac@bluecatnetworks.corp
> 
> Any feed back will be appreciated.

It is a semi-bug.  Current behaviour is intentional, although
not all that well thought out for certain odd corner cases.

The problem in there is namely, that there are more than one
recipient thru same SMTP connection, and for trace purposes
(at vger.kernel.org) we added for-clause-like presentation
to be written at list fanout.

There is a way to disable this, though.  See   SiteConfig.in file
for:

#<VAR><NAME>NORECEIVEDFORCLAUSE</NAME><DESC>
# Existence NORECEIVEDFORCLAUSE ZENV variable forbids the transport
# agents from adding '(ORCPT <...> ...)' or  'for <...> ' clauses
# to the top-most "Received:" header.
#</DESC></VAR>
#NORECEIVEDFORCLAUSE=1

Thus adding

   NORECEIVEDFORCLAUSE=1

into your  zmailer.conf   file will disable it for all outputs
in that system instance.


> Anton Shapiro.

  /Matti Aarnio


> -----Original Message-----
> From: 	zmailer [mailto:zmailer@lists.com.ar] 
> Sent:	Thursday, May 13, 2004 3:58 PM
> To:	'zmailer@nic.funet.fi'
> Subject:	zmailer smtp information disclosure
> 
> 
> Hi,
> 
> I have the following setup:
> 
> Internet -> zmailer gateway (ZG) -> internal mail server (IM)
> ZG is the MX for example.com and using routes/smtp delivers messages to IM.
> The problem is that if a message is generated from
> for example Hotmail or another zmailer to
> u1@example.com and Bcc to u2@example.com 
> the headers in the mail which u1 receives are:
> Received: from somehost ([29.9.24.28]:52383 "EHLO
> somehost") by ZG. with ESMTP
> id S1245225AbUEMS32 (ORCPT <rfc822;u2@example.com>
> + 1 other); Thu, 13 May 2004 15:29:28 -0300
> disclosing the bcc destination.
> I think that this is wrong.
> This was tested, with equal results on Fedora linux
> CVS 30/11/2003 and CVS 12/03/2004
> 
> 
> The same situation was verified from a local zmailer to some remote location using:
> mail a@dom.com -b b@dom.com 
> and a@dom.com received a header saying that ORCPT was b.com + 1 other
> Regards,
> 
> Nico
> -
> To unsubscribe from this list: send the line "unsubscribe zmailer" in
> the body of a message to majordomo@nic.funet.fi
> 
> 
> -
> To unsubscribe from this list: send the line "unsubscribe zmailer" in
> the body of a message to majordomo@nic.funet.fi

-- 
/Matti Aarnio	<mea@nic.funet.fi>
FUNET:  Finnish Academic and Research Network
	Network Information/Software Archival Service
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi