
Thread: zimbra performing dns lookups where it should not be

  1. #1

    Hello,

    I noticed this today. I have a script that runs, and its output is emailed to me when complete. The subject line of the script is 'rsync_killall.sh'.

    Whenever this script sends a mail to the Zimbra server, a dns lookup is performed on 'rsync_killall.sh'. The same occurs for any email, from anywhere, with a subject line of:

    rsync.*., such as 'rsync.com', 'rsyncsdfsdfsdfsd.ca' and so on. For example, emailing a Zimbra account with:

    echo "Test" | mail -s rsync.ca account@zimbraserver

    results in this same DNS lookup.


    Anyhow, this just seems a little weird. I have all spam and virus checking _off_ in the Zimbra web admin interface, and have never had them on. Again, Zimbra doesn't check the DNS entries of incoming emails that have subjects of other urls in them, so what weirdness is this? I'd really like some feedback on this, because I don't want Zimbra to start performing DNS checkups on apparently random subjects. It can be a killer for privacy.



    ngrep logs of the lookups:

    x.x.x.x:15246 -> x.x.x.x:53
    .............rsync.ca.multi.uribl.com.....

    U x.x.x.x:53 -> x.x.x.x:15246
    .............rsync.ca.multi.uribl.com............. ...!...dnsa
    dmin..G.............:....,

    U x.x.x.x:15246 -> x.x.x.x:53
    .............rsync.ca.bl.open-whois.org.....

    U x.x.x.x:53 -> x.x.x.x:15246
    .............rsync.ca.bl.open-whois.org..............8.(.a.ns
    ...hostmaster..G.............:.....

    U x.x.x.x:15246 -> x.x.x.x:53
    .............rsync.ca.multi.surbl.org.....

    U x.x.x.x:53 -> x.x.x.x:15246
    .............rsync.ca.multi.surbl.org............. .8.%.dev.nu
    ll..zone..G.............:.....

    U x.x.x.x:15246 -> x.x.x.x:53
    .............rsync.ca.dob.sibl.support-intelligence.net.....

    U x.x.x.x:53 -> x.x.x.x:15246
    .............rsync.ca.dob.sibl.support-intelligence.net......
    ........8.7.a...zone.support-intelligence.com.w..t..........:

    U x.x.x.x:15246 -> x.x.x.x:53
    .............rsync.ca.....

    U x.x.x.x:53 -> x.x.x.x:15246
    .............rsync.ca................1.jbq01.tor.c ira...admin
    -dns.0w.............:.....
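An added example, not from the thread or from Zimbra's own code: a small Python model of the lookup pattern in the capture above, plus a check that flags reputation-zone queries in a DNS query log so that subject content leaving the box can be monitored. The hostname heuristic and the sample log are assumptions; the zone names are the ones seen in the capture.

```python
import re

# Reputation zones seen in the thread's ngrep capture (taken from the page).
URI_BL_ZONES = ("multi.uribl.com", "bl.open-whois.org",
                "multi.surbl.org", "dob.sibl.support-intelligence.net")

# Assumed heuristic: label.label[...].tld with a final label of 2+ letters is a
# candidate hostname. The real filter's extraction rule is unknown from the thread.
HOST_TOKEN = re.compile(r"\b([a-z0-9_-]+(?:\.[a-z0-9_-]+)*\.[a-z]{2,})\b", re.I)

def hostname_tokens(subject):
    """Candidate hostnames in a Subject header, lowercased, first-seen order."""
    seen = []
    for match in HOST_TOKEN.finditer(subject):
        token = match.group(1).lower()
        if token not in seen:
            seen.append(token)
    return seen

def expected_lookups(subject):
    """DNS names a URIBL-style check would query for this subject: each token
    against every zone in capture order, then a plain lookup of the token."""
    names = []
    for token in hostname_tokens(subject):
        names.extend(f"{token}.{zone}" for zone in URI_BL_ZONES)
        names.append(token)
    return names

# Constructed sample, one queried name per line, as distilled from
# `ngrep port 53` or a resolver query log. Not taken from the thread.
SAMPLE_QUERIES = """\
rsync.ca.multi.uribl.com
mail.example.org
rsync.ca.multi.surbl.org
rsync_killall.sh
www.example.net.bl.open-whois.org
"""

def leaked_tokens(query_log):
    """(token, zone) pairs for queries that hit a reputation zone; each one is
    message content that left the box, which is the privacy concern above."""
    hits = []
    for line in query_log.splitlines():
        name = line.strip().lower()
        for zone in URI_BL_ZONES:
            suffix = "." + zone
            if name.endswith(suffix):
                hits.append((name[: -len(suffix)], zone))
                break
    return hits
```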

  2. #2

Well... you probably know this, but for the benefit of users who aren't as familiar with Linux...

rsync is a Linux command to "remotely sync" one directory with another. It's useful for backups; in fact I use it to back up my open source Zimbra box. I'm guessing that something in your server is parsing that text as a command instead of as an email subject, and then trying to look up the destination you have "asked" it to sync.

    So the bug, if bug it be, is probably the fact that your command-line mail utility isn't parsing out the whole line as parameters for email; the DNS lookup is only an artifact resulting from the system trying to figure out where the heck you want it to rsync.

  3. #3

Quote Originally Posted by dwmtractor
I'm guessing that something in your server is parsing that text as a command instead of as an email subject, and then trying to look up the destination you have "asked" it to sync.
    No, that is not the case. There is no way that the command:

    echo "Test" | mail -s rsync.ca account@zimbraserver

    is doing anything other than emailing an email to the Zimbra server, with the subject 'rsync.ca' and a content of 'Test'. As well, as I stated, this works with any email client, and even if you telnet into the Zimbra server and perform the SMTP dialog by hand.

Quote Originally Posted by dwmtractor
So the bug, if bug it be, is probably the fact that your command-line mail utility isn't parsing out the whole line as parameters for email; the DNS lookup is only an artifact resulting from the system trying to figure out where the heck you want it to rsync.
    I have two systems. The mail command I am running above is not even on the Zimbra server. I can watch the mail leave box A via ngrep, and enter the Zimbra box. The mail does have the subject I list above. Further, upon examining the received email on the Zimbra box with 'view original', the mail appears as one would expect it to.

    So, whatever is happening is happening entirely on the Zimbra server, and has to do with any email message that has a subject as I listed above.

  4. #4

    Fair enough. I assumed it was all happening on one server. I have seen weirder things than having a perfectly normal, well-behaved command spawn a completely irrelevant process. But if the mail coming from OUTSIDE the box does the same thing, I can see why you've implicated the Zimbra software.

    What log are you finding this dnslookup in? A quick scan of my logs after sending myself a similarly-composed message is not showing anything weird, but I could well be looking in the wrong files. I'd like to see if I can duplicate your results or not.

    And am I correct (this time) in taking from your post that the mail message is coming through to the correct inbox, it's just that you are ALSO getting this weird DNS error?

  5. #5

Quote Originally Posted by dwmtractor
    Fair enough. I assumed it was all happening on one server. I have seen weirder things than having a perfectly normal, well-behaved command spawn a completely irrelevant process. But if the mail coming from OUTSIDE the box does the same thing, I can see why you've implicated the Zimbra software.

    What log are you finding this dnslookup in? A quick scan of my logs after sending myself a similarly-composed message is not showing anything weird, but I could well be looking in the wrong files. I'd like to see if I can duplicate your results or not.
    I am not finding it in any logs, but you can observe the behavior via ngrep if you wish. For example, you could run:

    ngrep port 53

    to watch all traffic going out to DNS servers. When I do this, I do see DNS server requests for (as an example) rsync.ca.

    And am I correct (this time) in taking from your post that the mail message is coming through to the correct inbox, it's just that you are ALSO getting this weird DNS error?
    Yes, the email gets through fine without issue.

  6. #6

OK, I can confirm that this happens on my box too. The queries happen pretty darn fast so I don't know that it causes much overhead, but it definitely happens exactly as you reported.

    Truth be told, I wouldn't have thought to watch for this!

But at least it's not unique to your installation. I'm going to have to defer to people who know a lot more than I as to whether it is a problem and/or what to do about it...

  7. #7

Quote Originally Posted by dwmtractor
OK, I can confirm that this happens on my box too. The queries happen pretty darn fast so I don't know that it causes much overhead, but it definitely happens exactly as you reported.

    Truth be told, I wouldn't have thought to watch for this!

But at least it's not unique to your installation. I'm going to have to defer to people who know a lot more than I as to whether it is a problem and/or what to do about it...
    I wouldn't be as concerned if virus checking and spam filtering were on. After all, it might make sense (but a little silly) for a spam filter, or virus filter, to parse the entire header of a message and then search for an RBL hit for that URL.

    However, it is exceptionally strange that this happens when I have all spam and virus checking off in Zimbra, and that it only happens when I have subjects that include 'rsync' in the text. It would be extremely prudent to find out what is causing this, as anything sufficiently strange, such as this, should be treated as a security risk.

  8. #8

Quote Originally Posted by bbarnett
    It would be extremely prudent to find out what is causing this, as anything sufficiently strange, such as this, should be treated as a security risk.
    Hi BBarnett-
    I've deferred this to another someone @ zimbra for more info.

    Could you please PM me why you believe this is a security risk?

    Thanks!
    john

  9. #9

    Please file a bug.

    Although a bug, we do not believe this poses any danger as a security issue.

    In the future, if anyone ever believes that there is any security issue, it should never be posted in the forums, rather an e-mail to support@zimbra.com or a PM to a zimbra employee would be welcomed.

    We always take security very seriously.

    Thanks
    john
    Last edited by jholder; 10-15-2007 at 05:23 PM.

  10. #10

    Also, the mail command has nothing to do with zimbra itself.
echo "Test" | mail -s rsync.ca account@zimbraserver

    Mail is installed on most linux platforms. I'm willing to bet that if there is an issue, it's with mail and not with Zimbra.
