zimbra peforming dns lookups where it should not be

[bbarnett]

Hello,

I noticed this today. I have a script that runs, and its output is emailed to me when complete. The subject line of the script is 'rsync_killall.sh'.

Whenever this script sends a mail to the Zimbra server, a dns lookup is performed on 'rsync_killall.sh'. The same occurs for any email, from anywhere, with a subject line of:

rsync.*., such as 'rsync.com', 'rsyncsdfsdfsdfsd.ca' and so on. For example, emailing a Zimbra account with:

echo "Test" | mail -s rsync.ca account@zimbraserver

results in this same DNS lookup.


Anyhow, this just seems a little weird. I have all spam and virus checking _off_ in the Zimbra web admin interface, and have never had them on. Again, Zimbra doesn't check the DNS entries of incoming emails that have subjects of other urls in them, so what weirdness is this? I'd really like some feedback on this, because I don't want Zimbra to start performing DNS checkups on apparently random subjects. It can be a killer for privacy.



ngrep logs of the lookups:

x.x.x.x:15246 -> x.x.x.x:53
.............rsync.ca.multi.uribl.com.....

U x.x.x.x:53 -> x.x.x.x:15246
.............rsync.ca.multi.uribl.com............. ...!...dnsa
dmin..G.............:....,

U x.x.x.x:15246 -> x.x.x.x:53
.............rsync.ca.bl.open-whois.org.....

U x.x.x.x:53 -> x.x.x.x:15246
.............rsync.ca.bl.open-whois.org..............8.(.a.ns
...hostmaster..G.............:.....

U x.x.x.x:15246 -> x.x.x.x:53
.............rsync.ca.multi.surbl.org.....

U x.x.x.x:53 -> x.x.x.x:15246
.............rsync.ca.multi.surbl.org............. .8.%.dev.nu
ll..zone..G.............:.....

U x.x.x.x:15246 -> x.x.x.x:53
.............rsync.ca.dob.sibl.support-intelligence.net.....

U x.x.x.x:53 -> x.x.x.x:15246
.............rsync.ca.dob.sibl.support-intelligence.net......
........8.7.a...zone.support-intelligence.com.w..t..........:

U x.x.x.x:15246 -> x.x.x.x:53
.............rsync.ca.....

U x.x.x.x:53 -> x.x.x.x:15246
.............rsync.ca................1.jbq01.tor.c ira...admin
-dns.0w.............:.....

[dwmtractor]

Well. . .you probably know this, but for the benefit of users who aren't as familiar with Linux. . .

rsync is a linux command to "remotely sync" one directory with another. It's useful for backups; in fact I use it to back up my open source Zimbra box. I'm guessing that something in your server is parsing that text as a command instead of as an email subject, and then trying to look up the destination you have "asked" it to sync.

So the bug, if bug it be, is probably the fact that your command-line mail utility isn't parsing out the whole line as parameters for email; the DNS lookup is only an artifact resulting from the system trying to figure out where the heck you want it to rsync.

[bbarnett]

I'm guessing that something in your server is parsing that text as a command instead of as an email subject, and then trying to look up the destination you have "asked" it to sync.

No, that is not the case. There is no way that the command:

echo "Test" | mail -s rsync.ca account@zimbraserver

is doing anything other than emailing an email to the Zimbra server, with the subject 'rsync.ca' and a content of 'Test'. As well, as I stated, this works with any email client, and even if you telnet into the Zimbra server and perform the SMTP dialog by hand.

So the bug, if bug it be, is probably the fact that your command-line mail utility isn't parsing out the whole line as parameters for email; the DNS lookup is only an artifact resulting from the system trying to figure out where the heck you want it to rsync.

I have two systems. The mail command I am running above is not even on the Zimbra server. I can watch the mail leave box A via ngrep, and enter the Zimbra box. The mail does have the subject I list above. Further, upon examining the received email on the Zimbra box with 'view original', the mail appears as one would expect it to.

So, whatever is happening is happening entirely on the Zimbra server, and has to do with any email message that has a subject as I listed above.

[dwmtractor]

Fair enough. I assumed it was all happening on one server. I have seen weirder things than having a perfectly normal, well-behaved command spawn a completely irrelevant process. But if the mail coming from OUTSIDE the box does the same thing, I can see why you've implicated the Zimbra software.

What log are you finding this dnslookup in? A quick scan of my logs after sending myself a similarly-composed message is not showing anything weird, but I could well be looking in the wrong files. I'd like to see if I can duplicate your results or not.

And am I correct (this time) in taking from your post that the mail message is coming through to the correct inbox, it's just that you are ALSO getting this weird DNS error?

[bbarnett]

Fair enough. I assumed it was all happening on one server. I have seen weirder things than having a perfectly normal, well-behaved command spawn a completely irrelevant process. But if the mail coming from OUTSIDE the box does the same thing, I can see why you've implicated the Zimbra software.

What log are you finding this dnslookup in? A quick scan of my logs after sending myself a similarly-composed message is not showing anything weird, but I could well be looking in the wrong files. I'd like to see if I can duplicate your results or not.

I am not finding it in any logs, but you can observe the behavior via ngrep if you wish. For example, you could run:

ngrep port 53

to watch all traffic going out to DNS servers. When I do this, I do see DNS server requests for (as an example) rsync.ca.

And am I correct (this time) in taking from your post that the mail message is coming through to the correct inbox, it's just that you are ALSO getting this weird DNS error?

Yes, the email gets through fine without issue.

[dwmtractor]

OK I can confirm that this happens on my box too. The queries happen pretty darn fast so I don't know that it causes much overhead, but it definitely happens exactly as you reported.

Truth be told, I wouldn't have thought to watch for this!

But at least it's not unique to your installation. I'm going to have to defer to people who know a lot more than I as to whether it is a problem and/or what to do about it. . .

[bbarnett]

OK I can confirm that this happens on my box too. The queries happen pretty darn fast so I don't know that it causes much overhead, but it definitely happens exactly as you reported.

Truth be told, I wouldn't have thought to watch for this!

But at least it's not unique to your installation. I'm going to have to defer to people who know a lot more than I as to whether it is a problem and/or what to do about it. . .

I wouldn't be as concerned if virus checking and spam filtering were on. After all, it might make sense (but a little silly) for a spam filter, or virus filter, to parse the entire header of a message and then search for an RBL hit for that URL.

However, it is exceptionally strange that this happens when I have all spam and virus checking off in Zimbra, and that it only happens when I have subjects that include 'rsync' in the text. It would be extremely prudent to find out what is causing this, as anything sufficiently strange, such as this, should be treated as a security risk.

[jholder]

It would be extremely prudent to find out what is causing this, as anything sufficiently strange, such as this, should be treated as a security risk.

Hi BBarnett-
I've deferred this to another someone @ zimbra for more info.

Could you please PM me why you believe this is a security risk?

Thanks!
john

[jholder]

Please file a bug.

Although a bug, we do not believe this poses any danger as a security issue.

In the future, if anyone ever believes that there is any security issue, it should never be posted in the forums, rather an e-mail to support@zimbra.com or a PM to a zimbra employee would be welcomed.

We always take security very seriously.

Thanks
john

[jholder]

Also, the mail command has nothing to do with zimbra itself.
"echo "Test" | mail -s rsync.ca account@zimbraserver"

Mail is installed on most linux platforms. I'm willing to bet that if there is an issue, it's with mail and not with Zimbra.