Spoofing in Thunderbird (option: Edit message as new)

viccar
Posts: 9
Joined: Thu Dec 03, 2015 5:17 am

Spoofing in Thunderbird (option: Edit message as new)

Post by viccar »

Hello,
We work with Zimbra Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P6.

Everything works properly, but we have found the following security problem with the Mozilla Thunderbird mail client, which many of our users usually use:

If we select an email received from another person, and then choose the option "Edit as New Message" with the right mouse button, we can send the mail again with the "FROM" of the original message (spoofing).

We have implemented the security measures for "Enforcing a match between FROM address and sasl username":
https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5

In addition, we apply other recommended options, for example "Rejecting false mail from addresses", although it is not the case:
https://wiki.zimbra.com/wiki/Rejecting_ ... _addresses

But the problem persists.

The above actions have secured Zimbra, and now it is not possible to send emails using an email address different from the sasl username (error 5.7.1). But the problem with the Thunderbird option "Edit as New Message" persists.

Reviewing the LOG file, we found that the FROM field of the sent mail corresponds to the sasl username, but when we read the mail in Thunderbird, Zimbra or another mail client, the FROM has changed, and we see the spoofing.

This problem has appeared with the latest version of Thunderbird (v 45).

Any idea how to fix it?
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Spoofing in Thunderbird (option: Edit message as new)

Post by jorgedlcruz »

Hi viccar,
Are the End-Users using Thunderbird on the same network as the Zimbra Collaboration Server?

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
viccar
Posts: 9
Joined: Thu Dec 03, 2015 5:17 am

Re: Spoofing in Thunderbird (option: Edit message as new)

Post by viccar »

Hi Jorge,

Thanks for your reply,

The users are not included in MTA trusted networks.

The case is very strange, we have set the security settings recommended in your blog (https://www.jorgedelacruz.es/2014/09/08 ... imbra-8-5/), that work perfectly.

But for some unknown reason, the indicated Thunderbird option allows sending emails as another user, even as a user of an external domain.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Spoofing in Thunderbird (option: Edit message as new)

Post by jorgedlcruz »

Hi viccar,
Would you mind pasting part of the headers here? You can obfuscate the real email address; it is just for checking and for better troubleshooting.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
viccar
Posts: 9
Joined: Thu Dec 03, 2015 5:17 am

Re: Spoofing in Thunderbird (option: Edit message as new)

Post by viccar »

Hi Jorge,
No problem, I have made the following test:

- I opened the Mozilla Thunderbird client (version 45.1.1), selected an email received from forums-noreply@zimbra.com, and with the right mouse button selected the option "Edit as new".

- Then in the compose screen, I put my email address as the destination. Note that in this screen Thunderbird showed forums-noreply@zimbra.com as the "from" address. Finally, I sent the email.

- In the Zimbra LOG, I can see these results (only the most significant lines are included):

saslauthd[32530]: auth_zimbra: my-email@domain auth OK
sasl_username=my-email@domain
ORIGINATING [my-IP-not in MTA networks] <my-email@domain> -> <my-email@domain>
opendkim[8521]: 3394731A1E80: no signing table match for 'forums-noreply@zimbra.com'
amavis[2245]: (02245-01) lDSEDdTXAh-2 FWD from <my-email@domain> -> <my-email@domain>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 3394731A1E80
postfix/qmgr[797]: 013C731A1E7F: from=<my-email@domain>, size=2887, nrcpt=1 (queue active)
postfix/smtp[4952]: 3394731A1E80: to=<my-email@domain>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.83, delays=0.09/0/0/0.74, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 013C731A1E7F)

- Finally, when I check the new email using Thunderbird or another mail client, I can see the previously sent mail as if the sender were forums-noreply@zimbra.com.
The headers of Zimbra-webmail are:

Return-Path: my-email@domain
Received: from email-server (LHLO email-server) (IP-email-server) by
email-server with LMTP; Thu, 2 Jun 2016 07:34:32 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
by email-server (Postfix) with ESMTP id 013C731A1E7F
for <my-email@domain>; Thu, 2 Jun 2016 07:34:32 +0200 (CEST)
X-Spam-Flag: NO
X-Spam-Score: -2.899
X-Spam-Level:
X-Spam-Status: No, score=-2.899 tagged_above=-10 required=6.6
tests=[ALL_TRUSTED=-1, BAYES_00=-1.9,
HEADER_FROM_DIFFERENT_DOMAINS=0.001] autolearn=ham autolearn_force=no
Received: from email--server ([127.0.0.1])
by localhost (email-server [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id yDuTD9XYk-FI for <my-email@domain>;
Thu, 2 Jun 2016 07:34:31 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
by email-server (Postfix) with ESMTP id 3394731A1E80
for <my-email@domain>; Thu, 2 Jun 2016 07:34:31 +0200 (CEST)
X-Virus-Scanned: amavisd-new at domain
Received: from email-server ([127.0.0.1])
by localhost (email-server [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id lDSEDdTXAh-2 for <my-email@domain>;
Thu, 2 Jun 2016 07:34:31 +0200 (CEST)
Received: from [my-IP] (unknown [my-IP])
by email-server (Postfix) with ESMTPSA id F274031A1E7F
for <my-email@domain>; Thu, 2 Jun 2016 07:34:30 +0200 (CEST)
From: forums-noreply@zimbra.com
Subject: =?UTF-8?Q?Notificaci=c3=b3n_de_respuesta_al_tema_-_=22Spoofing_in_T?=
=?UTF-8?Q?hunderbird_=28option:_Edit_message_as_new=29=22?=
Reply-To: forums-noreply@zimbra.com
X-Priority: Normal
To: my-login <my-email@domain>
Message-ID: <c74b01fc-56c1-6fa5-bbe0-c2211c1956e1@domain>
Date: Thu, 2 Jun 2016 07:34:26 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Thunderbird/45.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Thanks
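The headers above show why the MTA rule did not catch this: the Postfix sasl/sender match is applied to the SMTP envelope (what the log shows as MAIL FROM and what ends up in Return-Path), while "Edit as New" only changes the RFC 5322 From: header inside the DATA phase. The following is an added check, not code from this thread or from Zimbra, that compares the two on a constructed copy of the pasted headers; the sasl_username argument is an assumption standing in for the value read from the MTA log.

```python
import email
from email.utils import parseaddr

# Constructed sample modelled on the headers pasted in the thread
# (addresses anonymised the same way the poster did).
SPOOFED = """\
Return-Path: my-email@domain
Received: from [my-IP] (unknown [my-IP])
\tby email-server (Postfix) with ESMTPSA id F274031A1E7F
\tfor <my-email@domain>; Thu, 2 Jun 2016 07:34:30 +0200 (CEST)
From: forums-noreply@zimbra.com
Reply-To: forums-noreply@zimbra.com
To: my-login <my-email@domain>
Subject: spoof test

body
"""


def check_sender(raw_message, sasl_username=None):
    """Compare the envelope sender (Return-Path) and, if given, the SASL
    login seen in the MTA log against the RFC 5322 From: header.
    The sasl/sender restriction only inspects the envelope, so a spoofed
    From: header passes it; this is the check that was missing."""
    msg = email.message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    # "with ESMTPSA" in a Received line marks an authenticated submission,
    # i.e. the hop where one of our own users handed the mail to Postfix.
    authenticated = any("ESMTPSA" in r for r in msg.get_all("Received", []))
    mismatch = header_from != envelope_from
    if sasl_username is not None:
        mismatch = mismatch or header_from != sasl_username.lower()
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "authenticated_submission": authenticated,
        "header_mismatch": mismatch,
        # Only an authenticated local user can produce this combination.
        "spoof_by_local_user": authenticated and mismatch,
    }


if __name__ == "__main__":
    print(check_sender(SPOOFED, sasl_username="my-email@domain"))
```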
viccar
Posts: 9
Joined: Thu Dec 03, 2015 5:17 am

Re: Spoofing in Thunderbird (option: Edit message as new)

Post by viccar »

Hello,
We have not yet found a solution to the spoofing problem with the Thunderbird mail client.
Any idea? Has someone a solution to the problem?
Thanks
viccar
Posts: 9
Joined: Thu Dec 03, 2015 5:17 am

Re: Spoofing in Thunderbird (option: Edit message as new)

Post by viccar »

Unfortunately there is no support or feedback in recent months for the case...
We have verified that in Thunderbird version 45.4.0 the problem has been solved, but when using a previous version it is possible to exploit the vulnerability.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Spoofing in Thunderbird (option: Edit message as new)

Post by jorgedlcruz »

Thank you for the update viccar.

Maybe it was some Thunderbird feature which was doing something dirty with postfix.

Glad it is now fixed with the new Thunderbird versions.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
JDunphy
Outstanding Member
Posts: 901
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Spoofing in Thunderbird (option: Edit message as new)

Post by JDunphy »

This is pretty easy to verify... I think it exists on any mail server myself. The authentication doesn't really do anything to change this other than grant you access to relay. Perhaps there are some extra checks in postfix that can do more but I don't know them. Once you have authenticated, you are allowed to relay through the server and that is your problem in a nutshell - you would like to see additional restrictions. Because email spoofing is trivial and part of email in general, we tend to use other methods to prove identity.

To verify this isn't a Thunderbird issue, enter the commands directly to your submission port, i.e. 587. Because telnet doesn't handle encryption, openssl s_client can mostly work; see the note below about special characters. Once you authenticate, you can send any spoofed email in both the smtp phase and the data phase.

This link can be helpful: https://wiki.zimbra.com/wiki/Simple_Tro ... nd_Openssl

First get your zimbra encoded user name and password for the user so you can authenticate with postfix. Here is how I verified the smtp verb spoofing. Remember to quote '@', i.e. '\@example.com', in the username.


perl -MMIME::Base64 -e 'print encode_base64("real_user_name");'
xxxxxxxxx
perl -MMIME::Base64 -e 'print encode_base64("real_user_password");'
yyyyyyyy
Now you can issue the commands by hand. Note: use lower case verbs to bypass openssl reserved characters as the first character.


openssl s_client -host mail.example.com -port 587 -starttls smtp -crlf
EHLO example.com
AUTH LOGIN
xxxxxxxxxxx
yyyyyyyyyyy
mail from:<spoofed_user@example.com>
rcpt to:<any_user@anydomain.com>
DATA
Subject: spoof test
From: this is a spoofed user

more data and my message
.
QUIT
Note: because openssl uses special characters such as 'Q'... if the first character in any of your encoded username or password is 'Q', you need another method or it will quit. Same for 'R'... lowercase. ;-)
Reference: http://postfix.1071664.n5.nabble.com/te ... 13254.html
viccar
Posts: 9
Joined: Thu Dec 03, 2015 5:17 am

Re: Spoofing in Thunderbird (option: Edit message as new)

Post by viccar »

Thank you very much for your reply,

Unfortunately, we are not able to run the test with openssl, however we forced a match between FROM address and sasl username.

We have followed the guide: https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5
and after that we solved spoofing on Thunderbird in standard mail delivery. We tested changing the SMTP options as in the example openssl command, and everything is OK.

But the curious thing about the case is that the "Edit as New" option of Thunderbird is able to skip the rule somehow...

We understand "Edit as new" is an unusual send option, but the bad thing is that some of our users already know the bug...