ylsdd
2010-Aug-04 17:00 UTC
[Secure-testing-team] Bug#591678: greylistd-setup-exim4 causes excessive callouts and cause the server to be blacklisted
Package: greylistd
Version: 0.8.7+nmu1
Severity: grave
Tags: security patch
Justification: renders package unusable

The 'greylistd-setup-exim4' script added a section 'deny' to /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt.

  # Deny if blacklisted by greylist
  deny
    message = $sender_host_address is blacklisted from delivering \
              mail from <$sender_address> to <$local_part@$domain>.
    log_message = blacklisted.
    !senders = :
    !authenticated = *
    verify = recipient/callout=20s,use_sender,defer_ok
    condition = ${readsocket{/var/run/greylistd/socket}\
                {--black \
                 $sender_host_address \
                 $sender_address \
                 $local_part@$domain}\
                {5s}{}{false}}

In this added section, recipient/callouts are performed without verifying recipient's hostname. Thus, when spammers send to the hosting server emails with recipient referring to other domains that are not relayed, excessive and wrong recipient callouts will be performed. The final results then include

1, high server load due to excessive callouts
2, potential DDOS attack to other domains
3, the hosting server being blocked because of sending callouts to spam-trap addresses
4, complaints from ISP and termination of service

A simple fix should be removing the recipient/callout verification in this 'deny' section, since there is NO POINT TO NOT DENY if recipient/callout would fail. The patch is then as follows

*** greylistd-0.8.7+nmu1/program/greylistd-setup-exim4 2007-12-02 10:51:35.000000000 -0500 --- greylistd-0.8.7+nmu1.my/program/greylistd-setup-exim4 2010-08-04 12:54:31.802439372 -0400 *************** exim4conf_texts = { *** 85,91 **** log_message = blacklisted. 
!senders = : !authenticated = * - verify = recipient/callout=20s,use_sender,defer_ok condition = ${readsocket{/var/run/greylistd/socket}\\ {--black \\ $sender_host_address \\ --- 85,90 ----

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages greylistd depends on:
ii  adduser                 3.110    add and remove users and groups
ii  debconf [debconf-2.0]   1.5.24   Debian configuration management sy
ii  python                  2.5.2-3  An interactive high-level object-o

Versions of packages greylistd recommends:
ii  exim4                   4.69-9   metapackage to ease Exim MTA (v4)

greylistd suggests no packages.

-- debconf information:
  greylistd/autoconfig_notdone:
  greylistd/restartexim: true
* greylistd/autoconfig_notdone_exim4:
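
Review bot: Removing "verify = recipient/callout=20s,use_sender,defer_ok" in the 85,91 hunk only changes the template held in exim4conf_texts, so a host where greylistd-setup-exim4 has already written the 'deny' section into /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt keeps issuing callouts after the package is upgraded. The fix should also state how installed configurations get corrected, for example an upgrade note telling administrators to delete that line from the deployed ACL file. With the line gone, the remaining conditions in the stanza ("!senders = :", "!authenticated = *" and the readsocket "--black" lookup) need no recipient verification to decide the deny, so no replacement condition is required in the hunk itself.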
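
A check an administrator can run over a deployed ACL file to find the pattern reported above. This is an added example, not part of the original report or of greylistd. It is a heuristic that relies on Exim testing ACL conditions in order, so a "domains =" condition placed before the callout limits which recipients are probed; the sample input is constructed (the report's stanza with the message text abridged, plus a gated contrast using an assumed +local_domains list).

```python
import re

ACL_VERBS = {"accept", "defer", "deny", "discard", "drop", "require", "warn"}
CALLOUT = re.compile(r"^!?verify\s*=\s*recipient\b.*/callout", re.I)
DOMAINS = re.compile(r"^domains\s*=", re.I)

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and # comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        yield (pending + line).strip()
        pending = ""

def unscoped_callouts(text):
    """Return (verb, condition) for each recipient callout that no earlier
    'domains =' condition in the same ACL statement restricts."""
    findings, verb, scoped = [], None, False
    for line in logical_lines(text):
        parts = line.split(None, 1)
        if parts and parts[0] in ACL_VERBS:   # a verb starts a new statement
            verb, scoped = parts[0], False
            line = parts[1] if len(parts) > 1 else ""
        if verb is None or not line:
            continue
        if DOMAINS.match(line):               # conditions are tested in order
            scoped = True
        elif CALLOUT.match(line) and not scoped:
            findings.append((verb, line))
    return findings

# Constructed sample: stanza from the report (abridged), then a gated one.
SAMPLE = r"""
deny
  message = $sender_host_address is blacklisted
  !senders = :
  !authenticated = *
  verify = recipient/callout=20s,use_sender,defer_ok
  condition = ${readsocket{/var/run/greylistd/socket}\
              {--black $sender_host_address $sender_address \
               $local_part@$domain}{5s}{}{false}}
deny
  domains = +local_domains
  !verify = recipient/callout=20s,defer_ok
"""
```

Calling unscoped_callouts() on the contents of 30_exim4-config_check_rcpt lists every statement whose callout can be triggered by a recipient in a domain the server does not handle.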