Re: spoofing of local email sender via a homoglyph attack

Related Vulnerabilities: CVE-2020-12063

On Thu, Apr 23, 2020 at 07:03:14PM +0300, PromiseLabs Pentest Research wrote:

> You mean the MAIL FROM aka envelope-from.

I actually meant probing via the "Sender address rejected: not logged
in" messages, which while delivered in response to a RCPT TO depend on
the MAIL FROM address.  However, as Wietse tells us this merely probes
the smtpd_sender_login_maps table, so is very limited and
configuration-specific.  Besides, as Wietse and you correctly remind us,
the possibility to probe for valid addresses via RCPT TO is in practice
unavoidable on the modern Internet.  So the point of blocking probing of
which sender addresses can vs. can not (do not need to) authenticate is
moot given that in typical setups those addresses are also potential
recipient addresses and thus could also be probed via RCPT TO.

What you reported originally, where you bypass something that just
happens that way in some configurations and wasn't meant to provide any
security against sender address spoofing, looks like even less of an
issue to me.

Does anyone see any reasonable action on these (non-)issues?  If not, I
think the CVE should be rejected.  It's a case of "works as intended."

Alexander