procmail

Re: procmail access security

2000-05-16 06:25:21
From: Lee Howard <faxguy(_at_)server(_dot_)deanox(_dot_)com>

I have set up an email-to-fax gateway using procmail as a filter
to grep out the faxing information from the body and/or header of
the e-mail.  Things work well, however, I would like to increase
the security of the system somewhat.  I would appreciate some
recommendations in this regard.

I have some old tricks sitting unused in one of my .procmailrcs that
may get you on the road here.  Hey, I'll help you get it working, and
all I ask is that you let me use your email-to-fax gateway on
occasion.  :-)

I have considered comparing the return-path of the e-mail against a
fax user-list.  How easy is it to falsify the return-path? (quite
simple I'm sure)

You can set up a user list and a password system in a .procmailrc.  I
will show you the password system in a moment.  (It was essentially
written by our friend David Tamkin, who helped me out a couple of
years ago quite generously.  I may be marginally clever, but I'm not
clever enough to have done this one on my own. :-)  Thanks, David!) 
This can be adapted without too much trouble to the use you have in
mind.

It is relatively simple to spoof incoming mail.  If the spoofer has
access to the password, say, by watching your mail packets stream past
a server, then he will be able to wile his way into your privileged
setup.  However, it's a bit of trouble and may not be worth somebody's
while to do that, especially if you change the password pretty often.
I'd think this is pretty good security by obscurity.  I suppose you
could layer PGP on top of it to increase the security a few-fold; but
that is getting way too complicated for me to conceptualize at the
moment. :-)  (Maybe after another coffee, though . . .)  :-)

In the case of my own (well, David's) recipe, the action was to send
my mail spool to another email address of mine.  So even if somebody
faked it after learning of my password, the only untoward result would
be that my mail got forwarded when I didn't order it myself.  Not a
biggie.  (I was doing this when my IS Manager, who worked *for* me,
got into a battle of wits with me and turned off Internet access from
all the managerial offices, including mine.  Rather than get into a
confrontation with him right away - I was new there - I immediately
set up a port redirector to give myself web access, and the procmail
forwarder to send my spooled mail from the shell account I couldn't
reach by telnet from work.  This all resolved itself within about 4 or 5
weeks, but the remnants of the workarounds - in particular, the procmail
recipe stuff - are still sitting there in my rc.) :-)


I have considered comparing both the return-path of the e-mail and a
PASSWORD: body line against a fax user-password-list.  The PASSWORD:
line entry is a bit more hassle than I'd like, but if it helps
security... My concern is with someone else intercepting the e-mail
and using the password to their advantage.

Can the username (sedded from the return-path) and password be
compared against the UNIX username and password list?  Probably not,
especially since the rc file is being run in a non-root user mode (the
uid of the fax-bound mail account).

I sure wouldn't send UNIX passwords through the email - especially not
to a static setup such as you envision, where crackers would learn of
it pretty easily and target it.

Okay, here are the relevant recipes, which, as I say, could be adapted
without too much trouble.  All that's left to do is supply a user list
and change the action part.  The user list I would get from a static
file (via another INCLUDERC call) rather than grepping /etc/passwd
every time.  You can update the file whenever the users change, maybe
as part of the admin scripts that create or delete users from your
system.

Before we start, you need to know what's inside a file called
".forwardpass".  It says: "SPOOL_FORWARD_PASSWORD=yourpassword"


######
###### Next recipe set looks for mail from me with a specific header.
###### Then, if I provide the correct password in the body of the mail,
###### my mail spool on this server is wrapped up and mailed to me at
###### another address; and my local spool is cleared.
######

 :0D  # (here's where you'd change things to supply a privileged user list)
 * ^From .*d(man|ross)
 * ^Subject: +#FWMAIL
 {
  INCLUDERC=.forwardpass
  # I agreed it's a cute name, but I didn't invent it. :)


  # Now we will log failed attempts (bad passwords), just for grins
  :0 B:  # B means search body, not headers
  * $ ! ^$SPOOL_FORWARD_PASSWORD$
  spoofattempts

  LOCKFILE=$ORGMAIL$LOCKEXT # regional lockfile; we'll be using it until
     # procmail exits, so we don't need to unset LOCKFILE to remove it

  :0c: # if you want to keep copies of the trigger messages
  forwarding_requests

  VERBOSE=on  # extended logging

  :0friw
  * ? test -s $ORGMAIL # if $ORGMAIL is non-empty
  | cat $ORGMAIL

  VERBOSE=off

   :0Arc
   | $FORMAIL -I "X-Forwarded: from $LOGNAME@$HOST" \
              -A "X-Loop: Dallman's Amanuensis"     \
              -es $SENDMAIL $SENDMAILFLAGS AnAddress@adomain.com
   :0Arc  # for safety during testing; once it's working, drop this step
   | gzip -fc >> .sentspool.gz  # compress and append to backup
   :0Ahi
   | true > $ORGMAIL # safer to empty it than to rm it

  :0bfwi  # we use b because it was empty, so smaller footprint than h
  | echo "$ORGMAIL was empty.  There was nothing to forward."
   :0hfw          # not to get return address but to add Re: and remove
   | $FORMAIL -r  # old From: and Date: and remove X-Forwarding-Password:
   :0
   ! AnAddress@adomain.com

 }

-- 
    \     .-.     .-.     .-.     .-.     .-.     .-.     .-.     /
     \-d-/-m-\-a-/-n-\-(_at_)-/-n-\-e-/-t-\-c-/-o-\-m-/-.-\-c-/-o-\-m-/
      '-'     '-'     '-'     '-'     '-'     '-'     '-'     '-'
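
Added example, not part of the original message or of procmail: a Python helper for the check discussed in the thread, looking up the sender in a static user list and comparing a PASSWORD: body line against a stored salted hash. The user list, the sample message, the FAXNUMBER: line and the function names are constructed for illustration; the script reads the message on stdin and exits 0 only on a match, so it can be called from a "* ? program" condition line like the "test -s" one in the recipe above.

```python
import email
import email.utils
import hashlib
import hmac
import sys

def hash_password(password, salt):
    # Keep only salted PBKDF2 hashes in the list file, never the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user list: address -> (salt, hash). In practice, load this
# from the static file that the admin scripts maintain.
SALT = b"constructed-salt"
USERS = {"lee@example.com": (SALT, hash_password("s3cret-fax", SALT))}

# Constructed sample message, for illustration only.
SAMPLE = (b"Return-Path: <lee@example.com>\n"
          b"Subject: fax\n\n"
          b"PASSWORD: s3cret-fax\n"
          b"FAXNUMBER: 5550100\n")

def authorize(raw, users=USERS):
    """Return (allowed, reason) for one raw message given as bytes."""
    msg = email.message_from_bytes(raw)
    # The return path is easy to forge; it only selects which entry to
    # check. The password comparison is the actual gate.
    sender = msg.get("Return-Path") or msg.get("From", "")
    addr = email.utils.parseaddr(str(sender))[1].lower()
    entry = users.get(addr)
    if entry is None:
        return False, "unknown sender"
    body = msg.get_payload(decode=True) or b""  # None for multipart mail
    supplied = None
    for line in body.decode("utf-8", "replace").splitlines():
        if line.startswith("PASSWORD:"):
            supplied = line[len("PASSWORD:"):].strip()
            break
    if supplied is None:
        return False, "no PASSWORD: line"
    salt, expected = entry
    # Constant-time comparison of the derived hashes.
    if not hmac.compare_digest(hash_password(supplied, salt), expected):
        return False, "bad password"
    return True, "ok"

if __name__ == "__main__":
    allowed, reason = authorize(sys.stdin.buffer.read())
    print(reason, file=sys.stderr)  # ends up in the procmail log
    sys.exit(0 if allowed else 1)
```

The password still crosses the network in clear text, so the interception concern raised in the thread applies unchanged; the helper only keeps the stored list from holding plain passwords and gives each failure a reason that can be logged.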
