Exim accepting fake logins!!!
Cpanel is accepting fake logins from emails that are on a distributed node!
This is very serious!
I'm not sure if this started to happen after the last update to version 132.0.14 but I'll check.
Does anyone have this issue?
I just checked the logs and it started immediately after updating today to 132.0.14
Can you clarify exactly what you mean as I'm unsure which systems may be affected and how.
Based on your description, it sounds like somebody remote is able to send email through your server without authentication (as this is the only thing Exim handles - Dovecot handles POP3/IMAP "pickup" of email, cPanel handles port 2082/2083/2087 etc logins). Is this correct?
Is this only a remote mail profile server and the main cPanel/WHM server is not affected? Did the same IP address recently log in to send emails?
If this is a security issue, it'll probably be best to email security@cpanel.net with the full details (including version numbers of each server and which version of Exim is installed on each server), logs showing this issue and a copy of your Exim configuration which should allow them to replicate the issue and get it fixed.
Correct, they are sending email through the server.
The server is relaying every email that apparently comes with valid authentication but, in fact, is not valid. There are even examples of using an address to auth that is just a forwarder.
So, basically, the MAIN/PARENT node is openly relaying emails for domains that have their MX on the MAIL node.
The same PARENT node is actively refusing emails with wrong auth if the MX is the PARENT node itself, so that is OK.
So, to answer your questions clearly:
"Based on your description, it sounds like somebody remote is able to send email through your server without authentication (as this is the only thing Exim handles - Dovecot handles POP3/IMAP "pickup" of email, cPanel handles port 2082/2083/2087 etc logins). Is this correct?"
Yes, correct
"Is this only a remote mail profile server and the main cPanel/WHM server is not affected?"
Correct
"Did the same IP address recently login to send emails?"
No, this is not related to the relay IPs from popbeforesmtp. Relay is completely open and it's from a few hundred IP addresses from all over the world.
We'll need to investigate this directly on your system. Were you able to email security or create a ticket on this yet?
Hi, yes, I already have a ticket for this, thanks.
Could you post the number here so I can follow along?
It's #95865570

Meanwhile, the parent node updated as follows:
"Completed update 11.130.0.16 -> 11.132.0.14"
Just noticed in /var/log/maillog a lot of lines like these:
Dec 15 05:30:10 aquarius dovecot[612203]: auth(XXXX@XXXX.com,149.54.62.54,sasl:login): Error: policy: Policy server HTTP error: Absolute request timeout expired (Request queued 2.002 secs ago, 1 send attempts in 2.001 secs, 2.002 in other ioloops)
Also on /var/maillog:
Maybe Dovecot auth is being forced to fail and then defaults to accepting that connection?
Dec 15 22:25:18 aquarius dovecot[3151918]: auth(__cpanel__service__auth__exim__alz8ugzoz5cc_jrp,127.0.0.1,sasl:plain): Error: policy: Policy server HTTP error: Connection lost: read((conn:127.0.0.1:579,id=84)) failed: read(size=7676) failed: Connection reset by peer (Request queued 0.008 secs ago, 1 send attempts in 0.007 secs, 0.008 in other ioloops, connected 0.041 secs ago)
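For anyone monitoring a parent/mail-node setup for the same symptom, here is an added example (not posted by anyone in this thread and not cPanel's own tooling) that parses the Dovecot auth policy-server errors shown above out of maillog, groups them by user, source IP and error class, and flags users whose failures arrive from more than one IP. The sample lines are constructed, modelled on the excerpts above with documentation-range IPs; the hostname "aquarius" is kept only because it appears in the thread.

```python
import re
from collections import Counter

# Syslog prefix, then Dovecot's "auth(user,ip,mech): Error: policy: Policy server HTTP error: ...".
POLICY_ERR = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot\[\d+\]: "
    r"auth\((?P<user>[^,]*),(?P<ip>[^,]*),(?P<mech>[^)]*)\): "
    r"Error: policy: Policy server HTTP error: (?P<reason>.*)$"
)

def parse_policy_errors(lines):
    """Return one dict per policy-server error line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = POLICY_ERR.match(line.rstrip("\n"))
        if m:
            d = m.groupdict()
            # Keep the error class only: drop the timing details and any nested detail after ": ".
            d["reason"] = re.split(r": | \(", d["reason"], maxsplit=1)[0]
            events.append(d)
    return events

def summarize(lines):
    """Count errors per (user, ip) and per error class; list users failing from several IPs."""
    events = parse_policy_errors(lines)
    ips_per_user = {}
    for e in events:
        ips_per_user.setdefault(e["user"], set()).add(e["ip"])
    return {
        "total": len(events),
        "per_user_ip": Counter((e["user"], e["ip"]) for e in events),
        "per_reason": Counter(e["reason"] for e in events),
        "multi_ip_users": sorted(u for u, ips in ips_per_user.items() if len(ips) > 1),
    }

# Constructed sample log lines (IPs from the 192.0.2.0/24 documentation range).
SAMPLE = [
    "Dec 15 05:30:10 aquarius dovecot[612203]: auth(user@example.com,192.0.2.10,sasl:login): Error: policy: Policy server HTTP error: Absolute request timeout expired (Request queued 2.002 secs ago, 1 send attempts in 2.001 secs, 2.002 in other ioloops)",
    "Dec 15 05:31:02 aquarius dovecot[612203]: auth(user@example.com,192.0.2.77,sasl:login): Error: policy: Policy server HTTP error: Absolute request timeout expired (Request queued 2.001 secs ago, 1 send attempts in 2.000 secs, 2.001 in other ioloops)",
    "Dec 15 22:25:18 aquarius dovecot[3151918]: auth(__cpanel__service__auth__exim__abc,127.0.0.1,sasl:plain): Error: policy: Policy server HTTP error: Connection lost: read((conn:127.0.0.1:579,id=84)) failed: read(size=7676) failed: Connection reset by peer (Request queued 0.008 secs ago, 1 send attempts in 0.007 secs, 0.008 in other ioloops, connected 0.041 secs ago)",
    "Dec 15 22:25:19 aquarius dovecot[3151918]: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=192.0.2.10",
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["total"], dict(s["per_reason"]), s["multi_ip_users"])
```

Run it against a real file with `summarize(open("/var/log/maillog"))`; a spike in "Absolute request timeout expired" for one mailbox from many IPs is the pattern worth raising in the ticket.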
Update: As mentioned in the ticket, our team has created case CPANEL-50715 so they can address this. It's been given some priority, although I don't have any specific ETA on when that will be completely resolved.

The issue has been solved with an update to Cpanel 132.0.15.
Thanks to all Cpanel helpdesk assistants for their support.
I'm glad we were able to get that one out so quickly before the end of the year!
I'm afraid I have another issue now that might be related:

We'll check it out!
I'm afraid this issue has returned, maybe in a different form.
It actually validates the user but, if the authentication data gets compromised and we change it, the proxy still accepts email with the previous password.
Is there some kind of cache we can clean? Or which services should we restart to restart the proxies?
Best regards
Daniel

If you have a machine where this is happening it would be best to create a ticket so we can see this in action directly on an affected system.
This is still happening...
An account had its password changed, the account has suspended login, incoming email and outgoing email and the PROXY server (main server on a server/mail node configuration) still accepts and delivers emails for that account.
Shouldn't the emails accepted on the proxy be proxied to the mail node for delivery?
This also causes the mail archive not to work properly but that's another topic.
Most important in terms of security is proxy server accepting and delivering authenticated email without respecting:
- password
- account suspensions

Hi,
Thank you for your detailed report. That said, since we haven't seen widespread reports of this behavior, it's likely something specific to your server configuration rather than a platform-wide issue. The mail node/proxy setup adds several moving parts to authentication and suspension enforcement, so diagnosing this properly likely requires direct access to the servers involved.
This isn't something we'd be able to reliably troubleshoot through the forum alone. I'd recommend opening a ticket at your earliest convenience so the issue can be reviewed closer with server access.
I'm guessing it can be the @pwcache folder.
It had an old entry, on the main server, for that email address.
I deleted this one. Is it safe to delete the entire @pwcache folder on the main node, at least for this account?

Rather than deleting, I'd move it to a different location temporarily so you have a copy in case you need to put it back, but it's fine to do that for testing.
Done.
I'll return with feedback as soon as I have news.