Reimplement "Deny RCPT hacks"
Earlier versions of ASG offered the possibility to deny email recipients which follow a sender-based routing naming scheme (e.g. email@example.com). This feature has been missing since v6, I guess.
Unfortunately, this feature is of great importance, since the default behavior of some MTAs (at least postfix) is to "accept_percent_hack" from locally known IP addresses, which is true for the ASG. So a spammer, for example, could connect to ASG:25 and send a mail to firstname.lastname@example.org. ASG will use callouts (if configured) to the internal MTA in order to validate the recipient address. Since ASG has a local IP address, the MTA will accept that address and will relay the mail to email@example.com - pretty bad thing...
So please, reimplement the "Deny RCPT hacks" feature!
Christoph Bott commented
Bob, this is not really a security issue on the ASG.
Only the combination of
a) an ASG, which passes over sender based routed mails to the internal MTA
b) an internal MTA which accepts sender based routed mails
is a security nightmare.
The problem here is that some MTAs (e.g. postfix) by default _do_ allow sender-based routed mail recipients for _local_ sender IPs. Since in most setups the ASG _has_ an internal (to the MTA) IP, this precondition is met...
The solution is quite simple - just disallow the use of sender based routed recipient addresses on the internal MTA. For postfix, the option "allow_percent_hack = no" should do the trick.
But since the issue exists _by default_, I thought it'd be a great idea to block "recipient hacked" mails on the ASG by default.
Bob Alfson commented
Christoph, have you confirmed that this is indeed a problem since V7? My Exchange 2003 rejects such addresses.
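
The recipient check this thread asks for, as an added example that is not part of the original posts and is not ASG's own code: a gateway-side filter that refuses RCPT addresses whose local part carries routing information, so they never reach the internal MTA's callout. The function names, the set of rejected characters and the reply texts are assumptions; the sample commands are constructed.

```python
import re

# Characters that signal relay routing inside a local part (policy assumption):
#   %  percent hack     user%remote.example@gateway.example
#   !  UUCP bang path   remote.example!user@gateway.example
#   @  a second at-sign smuggled into the local part
ROUTING_CHARS = {"%": "percent hack", "!": "bang path", "@": "extra @ in local part"}

RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<([^>]*)>", re.IGNORECASE)


def rcpt_hack_reason(address):
    """Return a short reason if the address carries routing information, else None."""
    addr = address.strip()
    # RFC 5321 source route form: <@relay1,@relay2:user@domain>
    if addr.startswith("@") and ":" in addr:
        return "explicit source route"
    # Everything left of the LAST @ is the local part; a bare name has no domain.
    local = addr.rpartition("@")[0] if "@" in addr else addr
    for ch, reason in ROUTING_CHARS.items():
        if ch in local:
            return reason
    return None


def smtp_reply(line):
    """Map one RCPT command line to the reply a gateway with the check enabled sends."""
    m = RCPT_RE.match(line.strip())
    if m is None:
        return "501 5.5.4 Syntax error in RCPT command"
    reason = rcpt_hack_reason(m.group(1))
    if reason:
        return f"550 5.7.1 Recipient rejected: {reason}"
    return "250 2.1.5 OK"


# Constructed sample commands (reserved example.* domains only)
SAMPLES = [
    "RCPT TO:<alice@example.org>",
    "RCPT TO:<bob%example.net@example.org>",
    "RCPT TO:<example.net!bob@example.org>",
    "RCPT TO:<@relay.example.com:bob@example.net>",
    "RCPT TO:<bob@example.net@example.org>",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd:48} -> {smtp_reply(cmd)}")
```

Rejecting at RCPT time on the gateway means the decision no longer depends on how the internal MTA treats connections from the gateway's IP address.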