[pmg-devel] [PATCH pmg-api/gui] add quarantine self service button

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Nov 17 17:11:35 CET 2020


On 17.11.20 16:53, Dominik Csapak wrote:
> On 11/17/20 4:29 PM, Thomas Lamprecht wrote:
>> On 17.11.20 15:57, Dominik Csapak wrote:
>>> adds an option/api call to request an quarantine link for an
>>> email whose domain is in the relay domains
>>>
>>> for now, we do not expose that option to the ui, but this can easily be
>>> added if wanted
>>>
>>> NOTES on security:
>>>
>>> this adds a world reachable api call, that can potentially send e-mails
>>> to users that belong to a relay domain
>>>
>>> this is ok, since anybody can already send e-mails to the users
>>> via normal smtp, and since the content of the e-mail cannot be
>>> controlled, the only thing a potential attacker can do is a dos attack
>>> (which can always be done via resource exhaustion, e.g. send a lot of mail)
>>
>> But, isn't the difference that here the server does it for me, no
>> greylisting or similar involved? Also possible lower payload required
>> vs. doing the SMTP myself.
> 
> sure, but it is basically the same as a 'forgot password' link on any website
> 

those often have captchas, though, at least if you retry a few times.

> also i am not sure about the cost of an tls+http call vs plain smtp...
> (i guess that this difference will not stop an attacker...)
> 
> in general you can always dos a system, given enough network bandwidth...

but misusing the PMG, a project to protect for mail spam, among other things,
to allow producing mail spam which gets relayed to the users behind a network
is something completely different - normally you cannot send anything to them
if they do not open a connection to you, at least for most state full firewall
setups.

Not saying this is outright bad, just that it cannot brushed off with "I can
produce network traffic otherwise" as the real target here can be something
where this may not be true without this feature.

>>
>>
>>>
>>> we could add more checks to make it more secure, but not so convenient:
>>
>> why not rate limit it to three per day or so? not convenience reducing,
>> we would need to safe the usage count somewhere though.
> 
> i thought of this, but would take a little more time to develop ;)
> if wanted, i can of course implement something like this, though
> i am not sure where we would want to save that info, and how much
> time i'd need

as long as this gets logged somewhere, even just HTTP access log (if relevant
params are in the URL itself) then an admin could setup fail2ban and we wouldn't
need to handle this ourself.





More information about the pmg-devel mailing list