Pegasus Mail & Mercury

Welcome to the Community for Pegasus Mail and
The Mercury Mail Transport System, the Internet's longest-serving PC e-mail system!

A Significant issue involving EHLO [127.0.0.1]

Last post 04-11-2017, 21:01 by jbanks. 6 replies.
  •  03-01-2017, 15:32

    • AmyS
    • Not Ranked
    • Joined on 12-21-2008
    • Member
    • Points 75

    A Significant issue involving EHLO [127.0.0.1]

    The way I have Pegasus/Mercury set up for my client is that no one can send email outside the system. I have it set that 2 IP addresses within the system can send to/through Mercury (a backup and the voicemail system) without a password. This has worked perfectly for the 18 years I've used the system...until now. What I have discovered is if someone outside the system announces themselves as EHLO [127.0.0.1] and the actual connecting IP isn't on a blacklist, they can spoof and send mail on behalf of an actual user through Mercury to their heart's content. I've applied the bandage of putting the domain on the kill list as I've not figured out how to stop it at the transaction level, but I think this is a HUGE exploit that needs a plug immediately.

    Here's a log entry:

    170227 172635 589df79e Connection from 1.255.70.123
    T 20170227 172636 589df79e EHLO [127.0.0.1]
    T 20170227 172637 589df79e RSET
    T 20170227 172638 589df79e MAIL FROM:<user@ourcompany.com> <--Changed to protect domain
    E 20170227 172639 589df79e Host 1.255.70.123 blocked by abuseseat - message rejected.

    Here's one that went through:

    170227 185114 589df7d2 Connection from 77.201.28.3
    T 20170227 185117 589df7d2 EHLO [127.0.0.1]
    T 20170227 185121 589df7d2 RSET
    T 20170227 185123 589df7d2 MAIL FROM:<user@ourcompany.com> <-- Changed to protect domain
    T 20170227 185125 589df7d3 Connection from 216.228.237.32
    T 20170227 185126 589df7d3 EHLO mail63.morningstar.net
    T 20170227 185131 589df7d2 RCPT TO:<user@posterman.top>
    T 20170227 185132 589df7d2 DATA
    E 20170227 185132 589df7d2 Closed by GrayWall.
    T 20170227 185132 589df7d2 Connection closed with 77.201.28.3, 18 sec. elapsed.
    E 20 

    Sadly, hundreds of these went through before I was alerted to the issue. 
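A way to find sessions of the kind described in this post after the fact, as an added example that is not part of the post and not Mercury code: it rebuilds sessions from the session ids in the log excerpt above (note that 589df7d2 and 589df7d3 interleave), then flags external peers that greet with a loopback or otherwise mismatched address literal and go on to claim a sender in the local domain. The internal submitter addresses and the local domain are constructed placeholders.

```python
"""Audit a MercuryS SMTP log for sessions where an external peer greets with a
loopback (or otherwise bogus) address literal and then claims a local sender.

Added example for this thread; it is not Mercury code. The internal allowlist
and local domain are constructed placeholders.
"""
import ipaddress
import re

# Assumed values, not taken from the post: the two NAT hosts that may submit
# without a password, and the customer's own domain.
INTERNAL_SUBMITTERS = {"192.168.1.10", "192.168.1.11"}
LOCAL_DOMAINS = {"ourcompany.com"}

# Log lines copied from the post above (the sender domain was redacted there);
# the 'Connection from' lines keep the short date exactly as logged.
SAMPLE_LOG = """\
170227 172635 589df79e Connection from 1.255.70.123
T 20170227 172636 589df79e EHLO [127.0.0.1]
T 20170227 172637 589df79e RSET
T 20170227 172638 589df79e MAIL FROM:<user@ourcompany.com>
E 20170227 172639 589df79e Host 1.255.70.123 blocked by abuseseat - message rejected.
170227 185114 589df7d2 Connection from 77.201.28.3
T 20170227 185117 589df7d2 EHLO [127.0.0.1]
T 20170227 185121 589df7d2 RSET
T 20170227 185123 589df7d2 MAIL FROM:<user@ourcompany.com>
T 20170227 185125 589df7d3 Connection from 216.228.237.32
T 20170227 185126 589df7d3 EHLO mail63.morningstar.net
T 20170227 185131 589df7d2 RCPT TO:<user@posterman.top>
T 20170227 185132 589df7d2 DATA
E 20170227 185132 589df7d2 Closed by GrayWall.
T 20170227 185132 589df7d2 Connection closed with 77.201.28.3, 18 sec. elapsed.
"""

# Optional T/E marker, date (6 or 8 digits as in the excerpt), time, session id, text.
LINE_RE = re.compile(
    r"^(?:(?P<kind>[TE])\s+)?(?P<date>\d{6,8})\s+(?P<time>\d{6})\s+"
    r"(?P<sid>[0-9a-f]{8})\s+(?P<text>.*)$"
)
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_sessions(log_text):
    """Group lines by session id; sessions interleave in the log."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # skip truncated or foreign lines instead of failing
            continue
        s = sessions.setdefault(m["sid"], {
            "sid": m["sid"], "ip": None, "helo": None, "mail_from": [],
            "rcpt_to": [], "reached_data": False, "events": []})
        text = m["text"]
        upper = text.upper()
        if text.startswith("Connection from "):
            s["ip"] = text.split()[-1]
        elif upper.startswith(("EHLO ", "HELO ")):
            parts = text.split(None, 1)
            s["helo"] = parts[1].strip() if len(parts) > 1 else ""
        elif upper.startswith("MAIL FROM:"):
            s["mail_from"] += ADDR_RE.findall(text)
        elif upper.startswith("RCPT TO:"):
            s["rcpt_to"] += ADDR_RE.findall(text)
        elif upper == "DATA":
            s["reached_data"] = True
        if m["kind"] == "E":  # error/decision lines record the session's outcome
            s["events"].append(text)
    return sessions


def helo_literal(helo):
    """IP inside a bracketed address literal such as [127.0.0.1], else None."""
    if helo and helo.startswith("[") and helo.endswith("]"):
        try:
            return ipaddress.ip_address(helo[1:-1])
        except ValueError:
            return None
    return None


def spoof_reasons(s):
    """Why a session matches the pattern; empty for internal or benign peers."""
    if s["ip"] is None or s["ip"] in INTERNAL_SUBMITTERS:
        return []  # internal hosts legitimately claim local senders
    reasons = []
    lit = helo_literal(s["helo"])
    if lit is not None and (lit.is_loopback or lit.is_private or str(lit) != s["ip"]):
        reasons.append("EHLO literal %s does not describe peer %s" % (s["helo"], s["ip"]))
    local = [a for a in s["mail_from"] if a.rpartition("@")[2].lower() in LOCAL_DOMAINS]
    if local:
        reasons.append("external peer claims local sender " + ", ".join(local))
    return reasons


def audit(log_text):
    """Sessions showing both the bogus greeting and the local sender claim."""
    findings = []
    for s in parse_sessions(log_text).values():
        reasons = spoof_reasons(s)
        if len(reasons) == 2:
            findings.append({
                "sid": s["sid"], "ip": s["ip"], "helo": s["helo"],
                "rcpt_to": s["rcpt_to"], "reached_data": s["reached_data"],
                # No rejection logged means the message may have been queued:
                # look the session id up in the queue.
                "outcome": s["events"][0] if s["events"] else "no rejection logged",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["sid"], f["ip"], f["helo"], "->", f["outcome"])
```

Run over the excerpt, it reports 589df79e (rejected by the blocklist) and 589df7d2 (closed by GrayWall after reaching DATA) and leaves 589df7d3 alone, since that peer greeted with a hostname. Sessions whose outcome comes back as "no rejection logged" are the ones to reconcile against the queue.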

  •  03-01-2017, 16:17

    • Greenman
    • Top 10 Contributor
    • Joined on 07-19-2007
    • UK
    • SuperStar
    • Points 12,480

    Re: A Significant issue involving EHLO [127.0.0.1]

    On the General tab of the SMTP module you should have the relaying controls checked. On the Compliance tab edit the transaction file and add the line

    H, "*127.0.0.1*", R, "554"

     

    See how that works.

    Do you use a mail filtering service? If so, you can add a line that will only accept connections from that filtering service's address. 

  •  03-01-2017, 19:06

    • AmyS
    • Not Ranked
    • Joined on 12-21-2008
    • Member
    • Points 75

    Re: A Significant issue involving EHLO [127.0.0.1]

    Thanks! The expression worked. I simply do not want to allow any outside relaying of email. I still think this is a hole that needs plugging.

  •  03-01-2017, 22:05

    • Rolf Lindby
    • Top 10 Contributor
    • Joined on 05-08-2007
    • Stockholm, Sweden
    • SuperStar
    • Points 25,535
    • BetaTeam Moderator SystemAdministrator

    Re: A Significant issue involving EHLO [127.0.0.1]

    According to the log excerpt the second connection was closed by GrayWall, but perhaps the sender retried until it was accepted.

    The main thing is to make sure relaying settings and connection control entries in MercuryS configuration limit relaying the way you want it. Connection control checks the connecting IP address, and it won't make any difference what the HELO/EHLO greeting says.

  •  03-02-2017, 2:12

    • AmyS
    • Not Ranked
    • Joined on 12-21-2008
    • Member
    • Points 75

    Re: A Significant issue involving EHLO [127.0.0.1]

    As I stated in my original post, I do not allow relaying outside of the network at all. No one can send email through POP3 or IMAP. I don't allow offsite relaying. Period. Two IP addresses in the NAT are allowed to send email through Mercury bypassing Pegasus, but they are Pegasus users. I've been using this setup for 18 years (Mercury for far longer) with this particular client with no one defeating it and I'm telling you the EHLO [127.0.0.1] with a local user email address defeats the system. Yes, Graywall did shut this particular attempt down, but I have HUNDREDS that I pulled from the queue that were persistent enough and not on abuseat that did get through. I think the 127.0.0.1 coupled with an actual local user is causing a problem because Mercury thinks the connection is local.

    Setup

  •  03-02-2017, 19:01

    • Rolf Lindby
    • Top 10 Contributor
    • Joined on 05-08-2007
    • Stockholm, Sweden
    • SuperStar
    • Points 25,535
    • BetaTeam Moderator SystemAdministrator

    Re: A Significant issue involving EHLO [127.0.0.1]

    You should check at least "Use strict local relaying restrictions", and you should probably consider checking "Only Authenticated SMTP connections may relay mail". See Mercury help for more information about these options!
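To make concrete how the controls named in this thread interact (Greenman's transaction-filter rule, the connection-control allowlist, and the two relaying options Rolf lists), here is a small policy model as an added example. It is not Mercury's code: my reading of the rule syntax (field H for the HELO/EHLO argument, `*` as the wildcard, action R refusing with the quoted reply code), the meaning I give to "strict local relaying" (a local sender address alone no longer makes a session local), the precedence of the allowlist over the authentication requirement, and the internal addresses are all assumptions to check against the Mercury help. It puts the weak configuration beside the corrected one.

```python
"""Model of the MercuryS relay controls named in this thread, as a decision
function. Added example, not Mercury's code: the option semantics below are
my reading of the options and should be checked against the Mercury help.
"""
import re
from dataclasses import dataclass


@dataclass
class Policy:
    local_domains: frozenset
    relay_allowed_ips: frozenset         # connection-control style allowlist (assumed values)
    strict_local_relaying: bool = False   # "Use strict local relaying restrictions"
    authenticated_only: bool = False      # "Only Authenticated SMTP connections may relay mail"
    transaction_filter: tuple = ()        # parsed rows from the Compliance-tab transaction file


@dataclass
class Session:
    peer_ip: str          # the TCP peer, which the server knows for certain
    helo: str             # attacker-chosen text
    mail_from: str        # attacker-chosen text
    rcpt_to: str
    authenticated: bool = False


def parse_rule(line):
    """Parse 'H, "*127.0.0.1*", R, "554"' into (field, pattern, action, reply)."""
    parts = tuple(p.strip().strip('"') for p in line.split(","))
    if len(parts) != 4:
        raise ValueError("expected 4 fields: " + line)
    return parts


def glob_match(pattern, text):
    """Case-insensitive wildcard match; '*' and '?' are assumed to be the only metacharacters."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def transaction_filter(policy, session):
    """Reply code of the first refusing rule whose field matches, else None."""
    subjects = {"H": session.helo, "M": session.mail_from, "R": session.rcpt_to}
    for field_, pattern, action, reply in policy.transaction_filter:
        if action.upper() == "R" and glob_match(pattern, subjects.get(field_.upper(), "")):
            return reply
    return None


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def decide(policy, session):
    """Return (accepted, reason). HELO is consulted only by the filter rules;
    the relay decision itself keys on the peer IP and authentication state."""
    reply = transaction_filter(policy, session)
    if reply is not None:
        return False, "transaction filter: " + reply
    if domain_of(session.rcpt_to) in policy.local_domains:
        return True, "local delivery"  # inbound mail, not relaying
    if session.peer_ip in policy.relay_allowed_ips:  # assumed to take precedence over auth
        return True, "relay: peer IP is on the allowlist"
    if policy.authenticated_only:
        if session.authenticated:
            return True, "relay: authenticated"
        return False, "relay refused: not authenticated"
    if not policy.strict_local_relaying and domain_of(session.mail_from) in policy.local_domains:
        # Non-strict mode (my reading): a local sender address alone counts as local.
        return True, "relay: sender address is local (non-strict mode)"
    return False, "relay refused: peer not local"


LOCAL = frozenset({"ourcompany.com"})
ALLOW = frozenset({"192.168.1.10", "192.168.1.11"})   # assumed internal hosts
RULE = parse_rule('H, "*127.0.0.1*", R, "554"')

WEAK = Policy(LOCAL, ALLOW)                                  # nothing checked, no filter
STRICT_ONLY = Policy(LOCAL, ALLOW, strict_local_relaying=True)
HARDENED = Policy(LOCAL, ALLOW, strict_local_relaying=True,
                  authenticated_only=True, transaction_filter=(RULE,))

if __name__ == "__main__":
    spoof = Session("77.201.28.3", "[127.0.0.1]", "user@ourcompany.com", "user@posterman.top")
    for name, pol in (("WEAK", WEAK), ("STRICT_ONLY", STRICT_ONLY), ("HARDENED", HARDENED)):
        print(name, decide(pol, spoof))
```

Under WEAK the spoofed session from 77.201.28.3 relays because only the sender address is local; under STRICT_ONLY it is refused as a non-local peer whatever the greeting says; under HARDENED the filter rule refuses it at EHLO with 554, and a sender who simply changes the greeting is still refused for not authenticating. The rule matches attacker-chosen text (and any greeting containing 127.0.0.1), so it is a stopgap; the allowlist and authentication checks are the control that does not depend on what the peer claims.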

     

  •  04-11-2017, 21:01

    • jbanks
    • Top 75 Contributor
    • Joined on 06-09-2007
    • Prince Edward Island, Canada
    • Member
    • Points 1,170

    Re: A Significant issue involving EHLO [127.0.0.1]

    You should check all the boxes and that will only allow users that have a password to send email. The only hole in the system (might be) that they are not all checked by default.

Copyright © 2007-2011 David Harris / Peter Strömblad. | Pegasus Mail Home Page