eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa

Intercept SMTP-auth Traffic

Mon Jan 11, 2010 1:19 pm

Hello,

I would like to know if it's possible to intercept SMTP auth traffic. We use a standard intercept rule like this:
4 ;;; Send to internal SMTP
chain=dstnat action=dst-nat to-addresses=192.168.20.57 to-ports=25 protocol=tcp dst-address=1xx.xx.0.142 dst-port=25
According to this it's not:
http://searchsecurity.techtarget.com/ti ... 30,00.html#
For protocols such as SMTP, most normal cases can be handled by a server such as Postfix with relaying allowed from internal hosts. However, with features such as SMTP-AUTH and SMTP-TLS in use, proxying can break, and there is no way to differentiate between "normal" SMTP traffic and SMTP traffic using SMTP-AUTH on most firewalls or routers.
When we try it we get mixed results. On some mail clients it appears to work, on others there is an error, and on others it prompts for a username and password every time the user tries to send e-mail.

Is there a workaround to have it always working?
 
rickhodger
just joined
Posts: 24
Joined: Tue Aug 18, 2009 6:32 pm
Location: Belfast, UK

Re: Intercept SMTP-auth Traffic

Wed Jan 13, 2010 11:23 am

Depending on your SMTP server software, you may be able to configure it to always accept SMTP authentication requests and allow the user to send mail. Of course, you wouldn't want to leave this server exposed to the internet either.
 
eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa

Re: Intercept SMTP-auth Traffic

Wed Jan 13, 2010 11:35 am

Fantastic! That's what I was hoping. We have Postfix and I have searched high and low to figure this out, but no clues yet. Do you have any for Postfix, or any other server for that matter? I could use information from another server and cross reference this with Postfix info.

kind regards,
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Intercept SMTP-auth Traffic

Wed Jan 13, 2010 4:40 pm

I was able to get this working by having this for my smtpd.conf file (assuming you have the sasl packages installed and running):
 pwcheck_method: saslauthd
 mech_list: DIGEST-MD5
I wasn't able to get it working with any other mech_list options, and it appears to accept any username and password because it's not really checking the password file. I'm not sure if it works for everyone, because there are auth failures in the logs, but we haven't had many/any complaints about the e-mail relays since having this set up.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Intercept SMTP-auth Traffic

Wed Jan 13, 2010 4:46 pm

You could configure Postfix to use SASL with PAM, and then hook PAM into a database (say MySQL) with a query that always returns success. Not the most straightforward configuration, but it should work fairly cleanly.
 
eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa

Re: Intercept SMTP-auth Traffic

Wed Feb 03, 2010 1:32 pm

I tried suggestions from Feklar but I get mixed results. On some Windows workstations some options work (with Outlook but not Outlook Express) and on some Linux mail clients (most) options work. If it works on the one it doesn't work on the other.

But I cannot live with only DIGEST-MD5 or PLAIN as I am intercepting hundreds of different mail users' SMTP. I need at least a longer list, maybe even this long:
mech_list: plain login digest-md5 cram-md5
You could configure Postfix to use SASL with PAM, and then hook PAM into a database (say MySQL) with a query that always returns success. Not the most straightforward configuration, but it should work fairly cleanly.
I like your suggestion a lot. I tried it but ran into some problems. First, it appears that when SASL with PAM is hooked into MySQL, for whatever reason it insists on always checking the password.

I tried fooling it by modifying the sql_select statement:

smtpd.conf
sql_select: SELECT '%v' from users where username = '%u'
But it seems it's catching my plan:
Feb 3 13:07:05 monitor postfix/smtpd[32315]: '%v' shouldn't be in a SELECT or DELETE
Feb 3 13:07:05 monitor postfix/smtpd[32315]: sql plugin doing query SELECT '' from users where username = 'test';
Feb 3 13:07:05 monitor postfix/smtpd[32315]: sql plugin: no result found
I suspect it always wants to return a password.

So I looked at the source here:
http://www.opensource.apple.com/source/ ... gins/sql.c

I think in static int _mysql_exec if I can modify the source to always return 0 instead of -1 I have an answer.

But the source fails to compile on Ubuntu 32-bit 8.03 LTS even before any changes are made:

cyrus-sasl2_2.1.23.dfsg1 from here:
http://security.ubuntu.com/ubuntu/pool/ ... rus-sasl2/

make returns:
digestmd5.c:3704: warning: unused parameter 'serverinlen'
digestmd5.c: In function 'digestmd5_client_mech_step3':
digestmd5.c:3838: warning: unused parameter 'prompt_need'
digestmd5.c:3839: warning: unused parameter 'clientout'
digestmd5.c:3840: warning: unused parameter 'clientoutlen'
digestmd5.c: In function 'digestmd5_client_mech_step':
digestmd5.c:4000: warning: pointer targets in assignment differ in signedness
make[2]: *** [digestmd5.lo] Error 1
make[2]: Leaving directory `/home/eugene/cyrus-sasl2_2.1.23.dfsg1/plugins'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/eugene/cyrus-sasl2_2.1.23.dfsg1'
make: *** [all] Error 2
So now I am stuck.
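An added worked example, not code from this thread, from Postfix or from Cyrus SASL, that models what rickhodger's "always accept SMTP authentication" suggestion and the sql-plugin attempts above run into. It is a minimal SMTP AUTH server state machine for PLAIN, LOGIN and CRAM-MD5 with an accept_any switch. With PLAIN and LOGIN the client hands the server the username and password (base64-encoded, not encrypted), so accepting anything is a one-line policy decision, and the relay then also holds every intercepted user's cleartext password. With CRAM-MD5 (the same holds for DIGEST-MD5) the client only sends an HMAC over a server challenge, so the server can verify it only if it already knows that user's plaintext password; a lookup that returns a constant such as '1' matches only if the real password happens to be 1, which fits the log above showing the sql plugin fetching userPassword and cmusaslsecretPLAIN for the user and the client being re-prompted. The only way to accept every login across all mechanisms is to skip verification entirely, which is what pwcheck_method: alwaystrue does. KNOWN_SECRETS, the fixed challenge string, the sample transcripts and the class and function names are all made up for this example.

```python
# Toy SMTP AUTH server core (no sockets). Constructed for this thread; not code
# from Postfix or Cyrus SASL. KNOWN_SECRETS, the challenge and all names are made up.
import base64
import hashlib
import hmac

# Hypothetical password store. An interceptor relaying other people's mail
# has no such table for the users it intercepts.
KNOWN_SECRETS = {"alice": "s3cret"}


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def encode_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Client side of AUTH PLAIN (RFC 4616): authzid NUL authcid NUL passwd."""
    return b64(f"{authzid}\0{authcid}\0{passwd}")


def parse_plain(b64text: str):
    parts = base64.b64decode(b64text, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN response")
    return tuple(p.decode() for p in parts)  # (authzid, authcid, passwd)


def cram_md5_digest(challenge: bytes, password: str) -> str:
    """CRAM-MD5 response (RFC 2195): HMAC-MD5 keyed with the plaintext password."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


class SmtpAuthServer:
    """accept_any=True models a relay that never rejects a login (the thread's
    goal, and what Cyrus SASL's alwaystrue pwcheck_method does);
    accept_any=False verifies against KNOWN_SECRETS like a normal server."""

    def __init__(self, accept_any: bool, challenge: bytes = b"<1896.697170952@postoffice.example>"):
        self.accept_any = accept_any
        self.challenge = challenge  # constructed; a real server uses a fresh nonce
        self.state, self.user, self.authenticated = "idle", None, None

    def handle(self, line: str) -> str:
        """Process one client line and return the server's reply."""
        if self.state == "idle":
            cmd, *args = line.split(" ")
            if cmd.upper() == "EHLO":
                return "250-AUTH PLAIN LOGIN CRAM-MD5"
            if cmd.upper() != "AUTH" or not args:
                return "501 5.5.4 Syntax error"
            mech = args[0].upper()
            if mech == "PLAIN":
                if len(args) == 2:  # initial response sent on the AUTH line
                    return self._check_password(*parse_plain(args[1])[1:])
                self.state = "plain"
                return "334 "
            if mech == "LOGIN":
                self.state = "login-user"
                return "334 " + b64("Username:")
            if mech == "CRAM-MD5":
                self.state = "cram"
                return "334 " + base64.b64encode(self.challenge).decode()
            return "504 5.5.4 Unrecognized authentication type"
        if self.state == "plain":
            return self._check_password(*parse_plain(line)[1:])
        if self.state == "login-user":
            self.user, self.state = base64.b64decode(line).decode(), "login-pass"
            return "334 " + b64("Password:")
        if self.state == "login-pass":
            return self._check_password(self.user, base64.b64decode(line).decode())
        if self.state == "cram":
            user, _, digest = base64.b64decode(line).decode().rpartition(" ")
            if self.accept_any:
                # The password never reaches the server, so "accept any" can
                # only mean skipping verification, not faking a match.
                return self._finish(True, user)
            secret = KNOWN_SECRETS.get(user)
            ok = secret is not None and hmac.compare_digest(
                digest, cram_md5_digest(self.challenge, secret))
            return self._finish(ok, user)
        raise RuntimeError(f"unexpected state {self.state}")

    def _check_password(self, user: str, passwd: str) -> str:
        # PLAIN and LOGIN hand the server the cleartext password, so an
        # accept-any relay also ends up holding every intercepted credential.
        return self._finish(self.accept_any or KNOWN_SECRETS.get(user) == passwd, user)

    def _finish(self, ok: bool, user: str) -> str:
        self.state, self.authenticated = "idle", ok
        if ok:
            self.user = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


def run_exchange(server: SmtpAuthServer, client_lines):
    """Feed a constructed client transcript to the server; return its replies."""
    return [server.handle(line) for line in client_lines]
```

Drive run_exchange with a transcript such as ["EHLO pc.example", "AUTH PLAIN " + encode_plain("", "bob", "anything")] and compare accept_any=True against accept_any=False for each mechanism. Nothing here does TLS: a client that issues STARTTLS to the intercepted address will fail certificate validation against the relay's certificate, which is the other reason the TechTarget quote gives for proxying breaking, and a relay that accepts any login must not be reachable from outside the NAT, as rickhodger notes.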
 
rickhodger
just joined
Posts: 24
Joined: Tue Aug 18, 2009 6:32 pm
Location: Belfast, UK

Re: Intercept SMTP-auth Traffic

Wed Feb 03, 2010 2:56 pm

sql_select: SELECT '%v' from users where username = '%u'
But it seems it's catching my plan:
Feb 3 13:07:05 monitor postfix/smtpd[32315]: '%v' shouldn't be in a SELECT or DELETE
Feb 3 13:07:05 monitor postfix/smtpd[32315]: sql plugin doing query SELECT '' from users where username = 'test';
Feb 3 13:07:05 monitor postfix/smtpd[32315]: sql plugin: no result found
Try using something like
SELECT '1' AS `result`;
This will not query any actual table, but simply return a single row containing a single column named "result" and "1". eg.
mysql> SELECT '1' AS `result`;
+--------+
| result |
+--------+
| 1      |
+--------+
1 row in set (0.00 sec)
 
eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa

Re: Intercept SMTP-auth Traffic

Wed Feb 03, 2010 3:25 pm

Thanks for the response. I worked past the compilation problem, it turns out to be a problem with GCC that has more stringent checking (actually a bug related to elif statements).

But I don't think this SASL Cyrus MySQL plugin module was designed to be bypassed. I tried your suggestion and now I get:
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin Parse the username username
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin try and connect to a host
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin trying to open db 'mail' on host '127.0.0.1'
Feb 3 15:24:40 monitor postfix/smtpd[13212]: begin transaction
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin create statement from userPassword username server.domain.com
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin doing query SELECT '1' AS 'result';
Feb 3 15:24:40 monitor postfix/smtpd[13212]: commit transaction
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin Parse the username username
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin try and connect to a host
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin trying to open db 'mail' on host '127.0.0.1'
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin Parse the username username
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin try and connect to a host
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin trying to open db 'mail' on host '127.0.0.1'
Feb 3 15:24:40 monitor postfix/smtpd[13212]: begin transaction
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin create statement from userPassword username server.domain.com
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin doing query SELECT '1' AS 'result';
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin create statement from cmusaslsecretPLAIN username server.domain.com
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin doing query SELECT '1' AS 'result';
Feb 3 15:24:40 monitor postfix/smtpd[13212]: commit transaction
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin Parse the username username
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin try and connect to a host
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin trying to open db 'mail' on host '127.0.0.1'
On the front end it keeps on prompting for the password. I guess it's off to look for some Cyrus mailing list. I can't find any forum. What a drag.
 
rickhodger
just joined
Posts: 24
Joined: Tue Aug 18, 2009 6:32 pm
Location: Belfast, UK

Re: Intercept SMTP-auth Traffic

Thu Feb 04, 2010 11:19 am

Amongst the Cyrus SASL authentication mechanisms (pwcheck_method) there appears to be one called "alwaystrue". It might be worth seeing if that does what it says :)