Wietse, thanks.

On Mon, 21 Oct 2019, Wietse Venema wrote:
> Fred Morris:
[...]
> > From an opsec perspective I wouldn't recommend running a service which
> > enumerates accounts and email aliases for all the world to see,
> > encrypted or not. However the risks and mitigations of doing so on
> > loopback or in a VPC are fairly well understood, more so by people who
> > architect with such information available by design as a matter of course.
> >
> > What's the chief security concern with TCP tables, and does the
> > operational environment impact it? [...]

> As documented in the tcp_table manpage, the connection is not
> protected and the server is not authenticated, meaning that the
> client has no certainty that the data it receives is the same as
> the data that would have been sent by the intended server.

I'd recommend running it specifying 127.0.0.1 and not using DNS (YMMV, of course). Impersonating that address seems unlikely. I'm not sure how MITM on Linux works in this scenario unless you've got root.

More generally speaking my concerns ran to: is there any way this could override mail being sent to root or to the account receiving security notifications, and I concluded that as long as those were real accounts that this was not an issue: I assume something which resolves to a real account will not subsequently be tested for resolution as an alias.

> There is also the issue of publishing data to unauthenticated
> clients, but that issue would also exist with TLS.

[...]

Somebody with more knowledge of the code could do a much more deft job of disabling security checks in local(8). I don't presently see an issue with the way I did it, in my environment; maybe somebody else will discover an issue or submit a better fix.

Thanks again...

--

Fred Morris
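
The loopback-only setup discussed in this thread, as an added example (not code from the thread or from Postfix): a minimal tcp_table(5) lookup server that answers `get` requests and refuses to bind to anything but a literal loopback address, so no DNS name is involved. The alias data, port 2527 and all function names are constructed for illustration.

```python
import ipaddress
import socketserver
import string
from urllib.parse import quote, unquote

# Constructed sample data; a real deployment would query its own backend.
ALIASES = {"postmaster": "root", "abuse": "secops@example.org", "ops": "alice, bob"}
# tcp_table(5): '%', whitespace and non-printing characters travel as %XX.
SAFE = string.punctuation.replace("%", "")
MAX_LINE = 4096  # protocol limit, newline included

def answer(line: str) -> str:
    """Return the single reply line for one tcp_table request line."""
    if len(line) > MAX_LINE or not line.endswith("\n"):
        return "400 malformed%20request\n"
    parts = line[:-1].split(" ")
    if len(parts) != 2 or parts[0] != "get":
        return "400 unsupported%20request\n"
    value = ALIASES.get(unquote(parts[1]))
    if value is None:
        return "500 not%20found\n"           # 500 = key not in table
    return "200 " + quote(value, safe=SAFE) + "\n"

def loopback_only(host: str) -> str:
    """Accept only a literal loopback IP; hostnames raise ValueError (no DNS)."""
    if not ipaddress.ip_address(host).is_loopback:
        raise ValueError(f"refusing non-loopback bind address {host!r}")
    return host

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        # Bounded reads: an over-long line comes back without its newline.
        for raw in iter(lambda: self.rfile.readline(MAX_LINE + 1), b""):
            reply = answer(raw.decode("ascii", "replace"))
            self.wfile.write(reply.encode("ascii"))
            if not raw.endswith(b"\n"):
                return                        # drop the connection after a bad line

if __name__ == "__main__":
    # Postfix side (assumed map reference): tcp:127.0.0.1:2527
    addr = (loopback_only("127.0.0.1"), 2527)
    with socketserver.TCPServer(addr, Handler) as srv:
        srv.serve_forever()
```

Binding to loopback limits who can query the table to processes on the same host; it does not add the server authentication or connection protection that the tcp_table manpage says the protocol lacks.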
