LDAP authenticated relay allows email spoofing.

LDAP relay spoof


#1 EDI

Posted 05 August 2014 - 03:20 PM

When using the configuration described below:

https://www.barracud...50160000000GYmF

https://www.barracud...60000000Hu5DAAS

support says: "(...) As soon as a user is authenticated they are allowed to relay anything out that they want. Unfortunately there is no way to prevent that. (...)" :(

It's easy to recognise the difference when looking at email headers:

X-Barracuda-Envelope-From: forged@myemailserver.com
X-Barracuda-AUTH-User: AuthenticatedLDAPUser@myemailserver.com

I think that adding an extra LDAP filter setting will do:
a kind of ${sender_email_address}
so the LDAP filter should look like:
(&(mail=%u)(mail=${sender_email_address}))
or, a simpler way,
a checkbox checking whether
X-Barracuda-Envelope-From == X-Barracuda-AUTH-User

Or any other way of preventing the abuse ;)
Greg


#2 TeraGo IT

Posted 06 August 2014 - 09:01 AM

I disagree. Sometimes there are very valid reasons to send as an email OTHER than the one authenticating. I'd call this "masquerading".

A better solution is to implement a check on a domain level or even user level, not the system level. This would allow those that require this ability the option to continue to do so. By default masquerading should not be enabled for any user or domain, which is what you want. However, for those that need this, it's a simple option that is toggled on or off to enable it.

 

If enabled, that domain or even that user, can authenticate and be able to change their sender address to whatever they wanted.
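The two proposals in this thread combine naturally into one relay-policy check: reject a submission whose envelope sender differs from the authenticated user (post #1), unless masquerading has been explicitly enabled for that user or that user's domain (post #2), with masquerading off by default. The following is an added example that is not code from either poster or from Barracuda; the header names are taken from post #1, while the MasqueradePolicy structure, the function names and the sample headers are assumptions constructed for illustration and do not model the appliance's real configuration.

```python
"""Relay-policy check for authenticated SMTP submission (added example).

Decision rule:
  1. No authenticated user            -> reject (relay requires authentication).
  2. Envelope sender == auth user     -> accept.
  3. Masquerading enabled for user    -> accept.
  4. Masquerading enabled for domain  -> accept.
  5. Otherwise                        -> reject as spoofed sender.
The policy object and header parsing are assumptions for this example.
"""
from dataclasses import dataclass, field
from email.parser import HeaderParser

# Header names as they appear in post #1 of the thread.
ENVELOPE_FROM_HEADER = "X-Barracuda-Envelope-From"
AUTH_USER_HEADER = "X-Barracuda-AUTH-User"


@dataclass
class MasqueradePolicy:
    """Who may send as an address other than their own (empty = nobody)."""
    domains: set = field(default_factory=set)  # e.g. {"example.com"}
    users: set = field(default_factory=set)    # e.g. {"helpdesk@example.com"}


def _normalise(addr):
    """Lower-case and trim so comparisons are case-insensitive."""
    return (addr or "").strip().lower()


def _domain(addr):
    """Domain part of an address; empty string if there is no '@'."""
    addr = _normalise(addr)
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def relay_allowed(auth_user, envelope_from, policy):
    """Return (allowed: bool, reason: str) for one submission."""
    user = _normalise(auth_user)
    sender = _normalise(envelope_from)
    if not user:
        return False, "unauthenticated submission"
    if sender == user:
        return True, "envelope sender matches authenticated user"
    if user in {_normalise(u) for u in policy.users}:
        return True, "masquerading enabled for user %s" % user
    if _domain(user) in {_normalise(d) for d in policy.domains}:
        return True, "masquerading enabled for domain %s" % _domain(user)
    return False, "envelope sender %s does not match authenticated user %s" % (sender, user)


def check_headers(raw_headers, policy):
    """Apply relay_allowed() to the two headers of a message."""
    msg = HeaderParser().parsestr(raw_headers)
    return relay_allowed(msg.get(AUTH_USER_HEADER, ""),
                         msg.get(ENVELOPE_FROM_HEADER, ""), policy)


# Constructed sample headers (not from the thread): a spoofed sender
# submitted under a valid LDAP login, in the shape post #1 describes.
SAMPLE_SPOOFED = (
    "X-Barracuda-Envelope-From: forged@example.com\n"
    "X-Barracuda-AUTH-User: user@example.com\n"
    "Subject: constructed test message\n\n"
)

if __name__ == "__main__":
    # Default policy: masquerading disabled everywhere.
    print(check_headers(SAMPLE_SPOOFED, MasqueradePolicy()))
    # Same message with masquerading allowed for the whole domain.
    print(check_headers(SAMPLE_SPOOFED, MasqueradePolicy(domains={"example.com"})))
```

With an empty MasqueradePolicy the sample message is rejected, which is the behaviour post #1 asks for; adding the user or the domain to the policy turns it into the opt-in masquerading post #2 describes, so a header-equality check and a per-user/per-domain toggle are the same rule with different defaults.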