Security-Fix Sendmail 8.12.9 Released

Posted by timothy
from the preemptive dept.
bahamutirc writes "Yet another security problem was discovered by Michal Zalewski in Sendmail 8.12.8, 'a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable.' Apparently somebody jumped the gun and posted before Sendmail had a chance to notify anyone, so they had to release it today. Go grab your source." Here's the CERT advisory.
  • by Exiler (589908)
    This is why every variable should just be a long int darnit
    • long int foo = 87;
      long int foobar = 2;
      long int foofoobar = 0;

      foofoobar = (long int)foo / foobar; //???
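The summary describes the 8.12.8 bug as "a char to int conversion problem" in address parsing. As an added illustration of that bug class (not Sendmail's code; the classification table and inputs are constructed), here is the naive conversion beside the hardened one in a byte-oriented parser that classifies each input byte through a 256-entry table:

```c
/* Added example, not Sendmail's code: why "char to int" conversion matters
   when a parser classifies each input byte through a 256-entry table.
   On platforms where plain char is signed (CHAR_MIN < 0), a byte >= 0x80
   promotes to a negative int, and using it as an index steps in front of
   the table. Going through unsigned char keeps the index in 0..255. */
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Constructed classification table: 1 = byte ends an address token. */
static const unsigned char is_delim[256] = {
    ['<'] = 1, ['>'] = 1, [','] = 1, [' '] = 1,
};

/* Naive conversion: plain char promoted straight to int. */
static int index_plain_char(char c) {
    return c;                  /* (char)0xFF -> -1 when char is signed */
}

/* Hardened conversion: route through unsigned char first. */
static int index_unsigned_char(char c) {
    return (unsigned char)c;   /* (char)0xFF -> 255 on every platform */
}

/* Offset of the first byte whose naive conversion would produce a negative
   table index on this platform, or -1 if none. This is a check on input,
   not a lookup: it never dereferences the bad index. */
static long first_negative_index(const char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (index_plain_char(buf[i]) < 0)
            return (long)i;
    return -1;
}

/* Hardened token scan: length of the first token, stopping at a delimiter
   or at the end of the buffer, with every table index bounded to 0..255. */
static size_t token_len_safe(const char *buf, size_t len) {
    size_t i = 0;
    while (i < len && !is_delim[index_unsigned_char(buf[i])])
        i++;
    return i;
}
```

On x86 Linux, where char is signed, the UTF-8 bytes in a non-ASCII address are exactly the ones first_negative_index flags; the hardened scan handles them like any other byte.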
  • I'm glad they kept this SM exploit fairly quiet. You would have thought it would become public and cause lots of mischief, but now that there is a fix, I suspect they will release what the problem was in more detail. So we can encourage people to upgrade, right? :)

    ~ The Devil

    • Re:Good. (Score:5, Insightful)

      by Anonymous Coward on Saturday March 29, 2003 @05:32PM (#5623635)
      I'm glad they kept this SM exploit fairly quiet. You would have thought it would become public and cause lots of mischief, but now that there is a fix, I suspect they will release what the problem was in more detail.

      If this was a Microsoft problem and they kept it quiet you would have been ranting and raving right now, right?
      • You wouldn't have? :)
      • If this was a Microsoft problem and they kept it quiet you would have been ranting and raving right now, right?

        Were it a Microsoft problem, they would have known about it six months ago and not told anybody.

        Were it a Microsoft problem, three months ago their customers would have started reporting the problem (along with the exploits people had been trying to use), and Microsoft would have denied everything.

        Were it a Microsoft problem, four months after discovery they would have released a patch which b

  • Patched and there's only 3 comments posted. Damn I'm good! :)

    I would like to thank CERT for sending this security notification on a Saturday that I was working, rather than on a Saturday that I was not.
  • by Dogun (7502) on Saturday March 29, 2003 @05:36PM (#5623652) Homepage
    I switched to postfix last time! MWAHAHAHAHA!
  • Sendmail.... (Score:5, Interesting)

    by Chester K (145560) on Saturday March 29, 2003 @05:41PM (#5623665) Homepage
    Sendmail: The IIS of Open Source.

    This is the straw that breaks the camel's back. I'm changing to another MTA.
    • Qmail [qmail.org] is small, fast, easy and secure.
      • Re:Sendmail.... (Score:4, Insightful)

        by dissy (172727) on Saturday March 29, 2003 @06:00PM (#5623724)
        > Qmail [qmail.org] is small, fast, easy and secure.

        Yes but qmail and postfix don't do near as much as sendmail.

        Most of the people using sendmail (myself included) use it because it's the only option for our needs.

        Until qmail and/or postfix reach the feature set of sendmail (or come anywhere near it) it will remain useless to me.

        Thank you for preaching, please drive through.
        • What does qmail do that sendmail doesn't?
          • ...or the other way around. I'm dyslexic today.
            • Re:Sendmail.... (Score:4, Interesting)

              by dissy (172727) on Saturday March 29, 2003 @06:43PM (#5623856)
              Perhaps I just don't know the undocumented tricks of those mail servers.

              If anyone could give me either detailed instructions on how to translate from sendmail to qmail/postfix configs, or a good website that explains this, I would be most grateful.

              Please do keep in mind my only experience with qmail or postfix was reading the documentation to see how hard it would be to convert my sendmail setup, and seeing most of the features I need not being listed, I didn't bother setting them up.
              I am not at all familiar with the config files used by either.

              I am also assuming in this post one IS familiar with sendmail.
              Where I simply say virtusertable, that would of course be /etc/mail/virtusertable.

              I use the short names assuming you know what I mean. In a reply, please use the long form when describing qmail/postfix, as I have no clue what's what :)

              My current setup uses sendmail's virtusertable for all domains I handle.
              There is never an instance where mail sent to user@domain will just deliver to the account user, which is sendmail's default method of delivery.
              Every domain I have in my cw file is in virtusertable.

              That said, the features I need are:

              Fall-through addresses

              in sendmail's virtusertable, if you add @domain.com,
              if the email address doesn't match a specific entry in virtusertable for a domain, it will then deliver using that rule.

              Configurable bounce errors

              I have some addresses (and some domains' fall-through addresses) with entries such as:
              @domain.com error:nouser No such user
              which returns the correct error code and the text message above.

              Delivery to a piped process

              in sendmail's aliases file you can add an entry such as
              somealias: "|/path/to/an/app"
              and sendmail will execute that program passing the email to its stdin.

              Backup mail spooling

              Where the server accepts mail for a domain but doesn't attempt to deliver it locally, just forwards to a mail server with a higher (lower) MX priority.

              Support 'list' forwards

              IE staff@domain.com -> account1, account2, outside@emailaddy.com
              Sendmail does this really ghetto by using both virtusertable and aliases, as only aliases can have multiple places of delivery, but virtusertable can send domain mail to an alias easily enough.

              Access controls for relaying

              I use IP addresses to control who can send mail out through the mailserver (Only machines in my IP space, as well as a couple friends statics are on the list)
              I would be interested in smtp-auth in the future, but until I finished the server transition I would want the functionality to remain as-is, and inform my users later of new and added features, preferably without having to say older features will no longer work.
              Doing without smtp-auth would also be fine with me.

              Domain mirroring

              In sendmail's virtusertable, if you have say 3 domains that use the same mappings, you can do the following:

              user1@domain.com user1 ...
              user99@domain.com user99
              @domain.com error:nouser No such user

              @domain.NET %1@domain.com
              @domain.ORG %1@domain.com

              Then you only need to manage one list (for com) and if you sent mail to user1@domain.org it would rewrite it as user1@domain.com

              Also for local delivery, the mailer would need to work with procmail.
              I'm sure qmail and postfix both do, so that shouldn't be a problem. Just wanted to mention it in case.

              If qmail/postfix really can do everything above, then I stand corrected, but would ask either for a source of good documentation, or just an explanation on each point of how to do it the qmail/postfix way.

              Thanks
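As an added example that is not part of the post above or of sendmail itself, here is a small C resolver that applies the virtusertable lookup order the post describes (exact user@domain entry first, then the @domain fall-through, with %1 rewriting for domain mirroring and error: targets reported as rejections) to a constructed copy of the table from the post:

```c
/* Added example, not sendmail's code: applies the virtusertable lookup
   order from the post above to a constructed copy of its table.
   Per address: exact "user@domain" key first, then the "@domain"
   fall-through key. "%1" in a target is replaced by the local part
   (domain mirroring); a target starting with "error:" is a rejection.
   A rewrite that yields a new user@domain is looked up again, which is
   how user1@domain.org ends up at the account user1. */
#include <stddef.h>
#include <string.h>

struct vuser { const char *key; const char *target; };

static const struct vuser virtusers[] = {
    { "user1@domain.com",  "user1" },
    { "user99@domain.com", "user99" },
    { "@domain.com",       "error:nouser No such user" },
    { "@domain.NET",       "%1@domain.com" },
    { "@domain.ORG",       "%1@domain.com" },
};
#define NVIRT (sizeof virtusers / sizeof virtusers[0])

/* Case-insensitive string equality: mail domains are case-insensitive. */
static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        int ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) return 0;
    }
    return *a == *b;
}

/* Copy target into out, replacing each "%1" with local.
   Returns 0, or -1 if the result would not fit. */
static int expand(const char *target, const char *local, char *out, size_t outsz) {
    size_t n = 0, ll = strlen(local);
    for (const char *p = target; *p; p++) {
        if (p[0] == '%' && p[1] == '1') {
            if (n + ll >= outsz) return -1;
            memcpy(out + n, local, ll);
            n += ll;
            p++;                               /* skip the '1' */
        } else {
            if (n + 1 >= outsz) return -1;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return 0;
}

/* One table lookup for addr. Copies the local part into local and returns
   the matching target, or NULL when neither key form matches. */
static const char *lookup(const char *addr, char *local, size_t localsz) {
    const char *at = strchr(addr, '@');
    if (!at || (size_t)(at - addr) >= localsz) return NULL;
    memcpy(local, addr, (size_t)(at - addr));
    local[at - addr] = '\0';
    for (size_t i = 0; i < NVIRT; i++)         /* exact entry first */
        if (eq_nocase(virtusers[i].key, addr)) return virtusers[i].target;
    for (size_t i = 0; i < NVIRT; i++)         /* then the @domain fall-through */
        if (eq_nocase(virtusers[i].key, at)) return virtusers[i].target;
    return NULL;
}

/* Resolve addr to a final delivery target in out.
   Returns 1 = deliver to out, 0 = reject (out holds the error text),
   -1 = no rule matched, where sendmail would use its default local delivery. */
static int resolve(const char *addr, char *out, size_t outsz) {
    char cur[256], local[128];
    if (strlen(addr) >= sizeof cur) return -1;
    strcpy(cur, addr);
    for (int hop = 0; hop < 8; hop++) {        /* hop limit guards against cycles */
        const char *t = lookup(cur, local, sizeof local);
        if (!t) {
            if (hop == 0) return -1;           /* nothing matched the original address */
            if (strlen(cur) >= outsz) return -1;
            strcpy(out, cur);                  /* rewritten address with no further rule */
            return 1;
        }
        if (strncmp(t, "error:", 6) == 0) {
            if (strlen(t + 6) >= outsz) return -1;
            strcpy(out, t + 6);
            return 0;
        }
        if (expand(t, local, out, outsz) < 0) return -1;
        if (!strchr(out, '@')) return 1;       /* plain account name: final */
        if (strlen(out) >= sizeof cur) return -1;
        strcpy(cur, out);                      /* user@domain again: look it up once more */
    }
    return -1;
}

/* Convenience check: does addr resolve to (want_rc, want_out)? */
static int resolves_to(const char *addr, int want_rc, const char *want_out) {
    char out[256] = "";
    int rc = resolve(addr, out, sizeof out);
    return rc == want_rc && (want_out == NULL || strcmp(out, want_out) == 0);
}
```

The hop limit is a guard a real resolver needs too: two mirror entries pointing at each other would otherwise loop forever.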

              • Re:Sendmail.... (Score:3, Informative)

                by j3110 (193209)
                I only see two things that you ask for that I'm not using Qmail for right now.

                I hate setting up qmail, but it even has an easy to use web interface for configuring those things.

                I haven't tried domain mirroring, but I'm sure you can do it with a symlink.

                I don't know if anything else can do piped mail processing. If you ask me, I think that's a security risk in itself.
              • Send the above post to the qmail/postfix mailing lists and see what happens.

                I can tell you that postfix definitely works with procmail. :-)
              • You can do all of those things with postfix. Either contact the postfix mailing lists, or a decent consultant for more details.
              • Re:Sendmail.... (Score:2, Informative)

                by Anonymous Coward
                Qmail does all of these, and I bet the other MTAs do as well. There's plenty of useful documentation at qmail.org on how to migrate. I find it bizarre that you consider these features to be unusual in an MTA. I consider them necessary and normal.

                "Fall through addresses" (default delivery instructions)
                put "example.com:alias-example-com" in /var/qmail/control/virtualdomains
                put default delivery instructions in ~alias/.qmail-example-com-default

                "Configurable bounce errors"
                You can do this either with piping
                • Qmail ONLY works with procmail. It requires procmail for local delivery.

                  Wrong. qmail can use procmail to deliver to /var/mail. It can natively deliver to mbox or the much superior Maildir.
              • Re:Sendmail.... (Score:3, Informative)

                by ldspartan (14035)
                Although I am not a qmail expert by any stretch of the imagination, I'm pretty damn sure you can do all of that with qmail combined with vpopmail, a reasonably popular virtual-user package (GPL, of course).

                Fall-through addresses: Done easily in vpopmail.

                Configurable bounce errors: bounce-saying in the .qmail file for that address.

                Delivery to a process: put "|/bin/appname" in your .qmail file.

                Backup mail spooling: Put the domain you want to be a secondary for in /var/qmail/control/rcpthosts, make sure it
                • > All of this is well documented in "Life with Qmail," a great reference.

                  I will definitely check that document out.
                  My main problem before was the only place I knew to look for docs was qmail's site itself. Now hopefully that I know what to look for...

                  But I do have one question:

                  > Fall-through addresses: Done easily in vpopmail.

                  As a fall through address is something that is basically a method to deliver mail, how can a popper do this at all?

                  Mail comes into your MTA, not your popper :}
                  (I think im jus
                  • vpopmail is a MDA (delivery agent). qmail hands off deliveries for virtual domains to vpopmail, which then actually handles the delivery stage.

                    And yes, you can still access things via Pine, or Mutt, or IMAP, or POP3, or what have you. The mail is stored in the Maildir format, which is tremendously superior to mbox.

                    And yes, you can set the 'default' rule for a domain; be it to bounce, or deliver to a user.
                  • As a fall through address is something that is basically a method to deliver mail, how can a popper do this at all?

                    Mail comes into your MTA, not your popper :}
                    (I think I'm just misunderstanding)


                    You are misunderstanding. vpopmail [inter7.com] is a virtual domain manager for qmail.
              • Re:Sendmail.... (Score:3, Informative)

                by witwerg (26651)
                This is just a really quick overview because there are a few things I would have to look up again for postfix, and I don't quite have time to write a fully detailed essay (good for postfix 1.11).

                Main Configuration/Documentation

                Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation are the man page

                • by witwerg (26651) on Saturday March 29, 2003 @08:43PM (#5624210)
                  Here's the proofread, formatted version

                  This is just a really quick overview because there are a few things I would have to look up again for postfix, and I don't quite have time to write a fully detailed essay (good for postfix 1.11).

                  Main Configuration/Documentation

                  Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation are the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQ's, HOWTO's [postfix.org] and mailing lists [postfix.org].

                  Tables

                  Postfix supports a wide variety of Table types. sendmail uses "hash" I think.. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively. So my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form

                  • TYPE:LOCATION

                  The Type is the type of table/format being used. The Location is simply one of several things

                  1. For simple tables like gdbm or hash it is the location where the table is on the disk,
                  2. For mysql it's the location of a configuration file for the mysql table (I think)
                  3. For ldap it's the name of the ldap table, and there are additional configuration variables to set up.

                  For backwards compatibility, hash:/etc/alias is normally setup as an alias database.

                  Virtual Stuff

                  Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.

                  • Virtual User -- an address in a fake domain that gets routed to other addresses; these are done by creating virtual tables. The configuration variable virtual_maps is set to a space-delimited list of tables to use as virtual tables. So hash:/etc/.../virtualusers should get the map working (I think). Remember the man pages are very good. See virtual(5) [berkeley.edu] for more.
                  • Virtual Mailbox -- a user in a fake domain that gets routed to its own mailbox, but has no associated user account on the machine. This gets more complex, however, as you have to set locations, gids, uids, transport (the method of delivery). See virtual(8) [berkeley.edu]

                  Fallback Address or "Catchalls"

                  Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.

                  Configurable bounce errors

                  I'm not sure there is a way to completely customize the return error, but add an entry domain.com (not @domain.com); the actual data doesn't matter, just the entry is important, so set it to "unknown" for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropriate error. See virtual(5) [berkeley.edu].

                  Delivery to a piped process

                  Yes you can. You have to edit the /etc/postfix/master.cf in order to setup the service for delivery. Here are some examples:

                  cyrus unix - n n - - pipe
                  flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
                  uucp unix - n n - - pipe
                  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

                  Backup mail spooling

                  In postfix there is a transports map that has three fields: domain(key), transport(servic

              • ...my only experience with qmail or postfix was reading the documentation to see how hard it would be to convert my sendmail setup...

                I don't see anything unusual in your list. Do you think there aren't qmail users who have widely varied and specialised needs? I'm not going to pretend that you won't have to do any reading and learning in order to migrate to qmail, but that's very different than claiming that only sendmail has the features you need. Unfortunately, I am unable to give you step-by-step ins

              • There is never an instance where mail sent to user@domain will just deliver to the account user, which is sendmail's default method of delivery.
                Heh, apparently my employer's ISP is too stupid to realize this factoid. We (being a small company, where the suits handle IT stuff) have our email handled by our ISP, where we have username@ourcompany.com addresses. However, at least half of the spam I get is addressed to username@ourisp.net. I always knew this is what was happening, but I never realized exactly wh
              • Fall-through addresses

                in sendmail's virtusertable, if you add @domain.com, if the email address doesn't match a specific entry in virtusertable for a domain, it will then deliver using that rule.

                When you set up virtual domains with qmail's virtualdomains file [qmail.org] (near the bottom), you basically tell qmail each domain you want to be handled as a virtual domain, and the user it should go to. That user can create a .qmail-default file in their home directory which handles any mail sent to that domain (aka a fall

              • Fall-through addresses

                ~alias/.qmail-domain-org-default

                Configurable bounce errors

                in .qmail-*:
                |echo "Error message (#a.b.c)"; exit 100

                Delivery to a piped process

                in .qmail-*:
                |command

                Backup mail spooling

                add the domains to /var/qmail/control/rcpthosts but not to /var/qmail/control/locals; maybe also set up /var/qmail/control/smtproutes.

                Support 'list' forwards

                Add the addresses to ~alias/.qmail-address, you can even redirect bounces by setting up ~alias/.qmail-address-owner.

                Access controls

          • by kuroth (11147) on Saturday March 29, 2003 @06:29PM (#5623810)
            > What does [sendmail] do that [qmail] doesn't?

            It gives you something to do on Saturdays. See, the sendmail team knows how tedious it is to do things like spend time with your wife and kids, play fetch with the dog, wax the car, and mow the lawn. Therefore, every two to four weeks, they release a fantastic new remote exploit, so you can spend your Saturday patching stuff or running your package management program of choice.

            This stands in stark contrast to qmail. If you were running qmail, you'd have no choice but to spend all that annoying "quality" time with your friends and family. Secure and reliable? Honestly, I don't know what DJB was thinking.

        • qmail and postfix don't do near as much as sendmail.

          And sendmail doesn't do as much as Exchange, so what's that got to do with it? The major weakness of sendmail compared to qmail is precisely that it's a monolithic beast that tries to do everything. Qmail's approach is to have small modules that perform one task, and perform it well (and securely - still no claims on the security guarantee [cr.yp.to] in six years).

          Thank you for preaching, please drive through.

          Seems to be that like many others, it's the auth

          • > And sendmail doesn't do as much as Exchange, so what's that got to do with it?

            If I was using Exchange and needed all its features, and someone told me to change to sendmail because it would be better, I would make the same reply as I just did.

            I don't need Exchange's features, but do need sendmail's. Changing to qmail/postfix (assuming they really don't have all the features of sendmail) isn't an option, yet that's what everyone is telling me to do.

            That's what it has to do with it :P

            > So go on, tell us
          • And sendmail doesn't do as much as Exchange

            Equally, exchange doesn't do as much as sendmail. They both have different feature sets, which overlap in places, but each does some things that the other doesn't. But then the two aren't really comparable in the first place. Sendmail is a pure MTA. Exchange isn't.

        • Yes but qmail and postfix don't do near as much as sendmail.

          Care to provide examples? I've never seen anyone actually come up with a useful thing you can do with sendmail but not postfix, for all the times people have said this.

          Hell, even if you do have to patch Postfix's C source, it's probably still easier than doing whatever in sendmail's m4-preprocessed cf files. I have written a patch to Postfix, and it was not difficult.

          • > Care to provide examples?

            http://slashdot.org/comments.pl?sid=58903&cid=5623856

            Already did in reply to another user :)

            I would be most grateful for any help proving me wrong.
            • I would be most grateful for any help proving me wrong.

              Looking at that list, most of your stuff deals with sendmail's virtusertable. Postfix's virtual map does the same thing. The only thing I don't know that it supports is domain mirroring, but you could accomplish that by preprocessing the virtual file a bit.

              The alias file format is the same as sendmail's. (Well, not quite true; it supports two file formats; one is the same.) Everything you can do with sendmail you can do there, though you need to k

        • Most of the people using sendmail (myself included) use it because it's the only option for our needs.

          Until qmail and/or postfix reach the feature set of sendmail (or come anywhere near it) it will remain useless to me.

          Unless you are a serious user of milter features (an extensive MIMEDefang [roaringpenguin.com] setup, for instance) I think you'll find a switch to postfix or qmail to be a net plus. The learning curve probably won't be as bad as you assume... just set up a test server someplace and see what's actually invol

    • I decided to bite the bullet and replace sendmail with qmail. Having gotten partway through the process and learned a little about it, I'm now not so sure it's a good idea:
      • Qmail isn't free-as-in-speech. It has some goofy license that doesn't allow redistribution of modified sources. In other words, you can't fork it. This is such a drastic deviation from the way the world of open-source software normally works that it really gives me doubts about using the software.
      • On my FreeBSD server, installing qmai
      • Qmail isn't free-as-in-speech. It has some goofy license that doesn't allow redistribution of modified sources. In other words, you can't fork it. This is such a drastic deviation from the way the world of open-source software normally works that it really gives me doubts about using the software.

        Nice troll. qmail has no license. Thus, you are only restricted by copyright law. You are free to install and use the software. You are also free to distribute patches. How does this negatively affect your u
        • Thanks for the technical info!

          Nice troll. qmail has no license. Thus, you are only restricted by copyright law. You are free to install and use the software. You are also free to distribute patches. How does this negatively affect your usage of the software?
          True or false? -- It's illegal for me to modify the source code and redistribute the modified version.
          True or false? -- Qmail complies with OSI's open source definition [opensource.org].

          • True or false? -- It's illegal for me to modify the source code and redistribute the modified version.

            How does this negatively affect your usage of the software?

            True or false? -- Qmail complies with OSI's open source definition [opensource.org].

            How does what OSI thinks negatively affect your usage of the software?

            (I have at least a dozen machines running qmail. These magic problems don't affect me or anyone else I know that runs qmail. Yahoo! runs qmail. It doesn't seem to affect them either.)
      • Incorrect. You can certainly start svscan without rebooting your computer. However, saying "reboot" is a lot easier than explaining how to do it.

    • Before you go bashing sendmail, why not go through all the sendmail patches (say post V5) and see what they fixed. Then find out if your MTA might have that issue and if so, was it fixed. You may find that many sendmail bug fixes are to workaround bugs in things like the local delivery agents.

      Most sendmail patches are to work around bugs in the OS or libraries. Some of the race conditions patches that were patched long ago also exist today in other MTAs. If you look closely, you will see that some of t
  • by statusbar (314703) <jeffk@statusbar.com> on Saturday March 29, 2003 @05:42PM (#5623673) Homepage Journal
    "Providing hackers with security holes for DECADES" --jeff++
  • by mnmn (145599) on Saturday March 29, 2003 @05:46PM (#5623678) Homepage

    I fought with the M4 format of sendmail.cfg for a while in setting up a complex system before switching to qmail. I've tried postfix too, but I still see diehard sendmailers around.

    For one, sendmail is really not intuitive. If you're given a server you've never seen before and have to alter some fancy configs in it, could you do it faster than if it were say qmail? Maybe if I stared at M4 pinfo I could begin to get it; I gave up early there.

    Secondly these security problems.

    So beside the fact that sendmail is the standard, quite mature and very flexible if you know how to config it, does it have any big edge over postfix or qmail that everyone should know about?

    And can the sendmail developers be brave trailblazers and finally change the config file syntax to just text words like httpd.conf?
    • For one, sendmail is really not intuitive. If you're given a server you've never seen before and have to alter some fancy configs in it, could you do it faster than if it were say qmail? Maybe if I stared at M4 pinfo I could begin to get it; I gave up early there.

      That's not insightful; that's personal opinion. Sendmail's m4 configuration is pretty logical and editable for me, but I have no idea how to alter a running Qmail setup. Does that make Sendmail better than Qmail? No. It makes me better at runnin

    • And can the sendmail developers be brave trailblazers and finally change the config file syntax to just text words like httpd.conf?

      My main sendmail config file is a whole 32 lines long and includes SMTP authentication methods, blacklists, load avg checks, privacy options and of course the delivery mechanism.

      The only thing I don't have that I've been thinking about adding is LDAP support, but that's only another line in my conf file and modification to where all the db maps point to.

      I have trouble sharin
      • I did just try to buy sendmail from sendmail.com for someone for whom I was doing some work, and we couldn't figure out how to do it from the website. There's no product or price list, certainly no "purchase online" section. You have to engage a salesperson, and the guy for whom I was working thought it was too much trouble to have to do phone-tag just to find out how much it would cost. He's still a sendmail user, but only the free version.
  • by Neophytus (642863) on Saturday March 29, 2003 @05:46PM (#5623679)
    Developers recently have been getting fed up with security "advisories", that include an exploit, being posted on most "security" websites before they have even been notified. Unfortunately this leads to many script kiddies getting their kicks from "owning" a popular site before it has been patched, and probably many of the websites that exist exist purely for this purpose. Sendmail are just the latest people to fall victim to this.
    • Well, the Full-Disclosure [netsys.com] list that I am involved with was one of the ones that received the premature announcement [netsys.com], but I'm sure you'll agree that even with the follow-up [netsys.com] it was far from anything that provided a remote exploit. The tone of the thread seemed to indicate that there was already interest in this 'in the wild' before it was disclosed to the lists in question, in any case. Kudos to the Sendmail team for getting the fix out so promptly.
  • A lot of people suggest just switching to something else. Obviously, they don't want to. I use sendmail all the time, I love sendmail. If this was a Windows app, I might switch, but being open source as it is, when the holes are discovered, they are patched pretty quickly. I don't really see much point in saying switch to qmail or something else; people who want to use sendmail will keep using it.
    • Re:Sendmail (Score:2, Insightful)

      by khuber (5664)
      I don't understand why anyone would run sendmail as their MTA with all the alternatives. It's insecure by design -- it's a monolithic suid root program. It's inefficient and it's difficult to configure.

      Why? For the love of SMTP, why??? j/k

      -Kevin

    • but being opensource as it is, when the holes are discovered, they are patched pretty quickly

      Usually people suggest you to switch to postfix, qmail and courier - all three are open source as well.

      I'll add that Courier's major developer is a very arrogant person ignoring real life things, and that gives you a quite good MTA with no support whatsoever.

      The major complaint of Qmail users (actually admins) is very similar: the major developer is concentrated on a revolutionary new version of his program,

  • by Adam9 (93947) on Saturday March 29, 2003 @05:52PM (#5623699) Journal
    See, they give you much needed practice of patching services at a proper pace! Patching it every 2 weeks or so is great practice for every administrator. Every good admin should have at least 1 box with sendmail on it. See, a few years ago I put on qmail. Now my patch skills are severely lacking. When this advisory for sendmail came out today, I said "that's enough, I'm falling behind. I'm going back to sendmail." I think I'll be much happier now.
  • Not a fun thing to always be on the lookout for sendmail exploits. After the thousandth exploit, I finally got my ass in order and switched to qmail. Much better and easier to configure too!
  • by I Am The Owl (531076) on Saturday March 29, 2003 @06:04PM (#5623736) Homepage Journal
    Please stop using Sendmail. I'm tired of my favorite IRC networks being DDOSed by machines whose administrators were too incompetent to use a real MTA [qmail.org].

    Thank you,
    --The rest of the fucking Internet

  • by CoolVibe (11466) on Saturday March 29, 2003 @06:18PM (#5623773) Journal
    First, this is about sendmail, not postfix or qmail. Yes we know your MTA is vastly superior and yes, it does your laundry and even makes coffee.

    But that still doesn't make sendmail bad. Software has bugs. Your precious MTAs have bugs too. As a matter of fact, sendmail works. It has worked for decades. It's still around. And it will stay around for decades more.

    Before y'all jump up and say: "Look! a possibly remote exploit!". Read the advisory. This will be VERY hard to exploit, besides your test lab where you control the address space and eventual host naming that just MIGHT overflow something, and then you need to figure out if it's even possible to do something more fun other than let some sendmail spawned child crash, whoopdeedoo.

    Although it's not impossible to do, I still maintain that admins should patch their systems, but you don't have to rush. I don't see script kiddies exploiting this one in the coming time yet. And besides, my data isn't worth crap either, so I'm hardly a target.

    So qmail and postfix zealots, shut the hell up please. We know. Yes, qmail and postfix are nice, and yes, they have some merits over sendmail and yes, I sometimes choose to prefer them for some jobs, but the inverse is also true. Right tool for the job and all that. Now be happy with your MTA and be done with it. Geez, it's only a mail server.


    • Guess what, you are not "hardly a target". Script kiddies will hack your machine purely to have another platform to run DDOS attacks from, or to hack into yet other machines.

      It doesn't matter who you are or what data you have. If you have an IP address, you are a target, period.
    • by Anonymous Coward
      This one bug doesn't make sendmail bad. The fact that it's had scores of bugs does.

      It's "only" a mail server, but what about a company whose email contains very sensitive information? They may feel safe using, say, smtps and imaps, but if sendmail isn't secure, they're sunk. In addition, getting on a mail server may allow access to a local network filled with insecure windows boxes. Oops.

      You seem to be way too attached to sendmail. There are better alternatives [postfix.org] available, so why not use them? I brok
      • I _do_ use postfix, and yes I also _do_ use Qmail. I also use exim in some places. And yes, I use sendmail too. They are MTAs, and MTAs aren't complex beasts, well they can get complex, depending on what you are planning to do with it. I'm not any more attached to sendmail than you are. I'm just voicing the irritation over the brainless "Ooh, sendmail has a bug, let's plug [insert MTA of choice]" yammering out here.

        About my "attachment to sendmail": It's all dependent on what the machine's job is. Read my post aga

    • Geez, it's only a mail server.

      And it's only an editor.

      And it's only an operating system.

      Come on, without fans of programs, the world would be lots less exciting.

      Although it's not impossible to do, I still maintain that admins should patch their systems, but you don't have to rush. I don't see script kiddies exploiting this one in the coming time yet. And besides, my data isn't worth crap either, so I'm hardly a target.

      Yeah, I used to say the same thing until I had a box get broken into.
    • qmail has no security holes. There's $500 sitting on the table for you if you can find a security hole.
      -russ
      • Like I said to some anonymous coward, you'd be pretty naive if you claim that a piece of software has no (possibly security related) bugs at all.

        All software has bugs. Bug-free software and hardware do NOT EXIST.

        In fact, the fact that nobody claimed that award does not mean that Qmail is bug-free. Do you really think that some blackhat will give away an advisory? He couldn't care less about $500; he can intrude into Qmail boxes that are deployed widely and thought to be secure. That's priceless.

        Of co

  • this Redhat advisory [redhat.com] from a couple weeks ago already addressed this issue?
  • by donscarletti (569232) on Saturday March 29, 2003 @06:48PM (#5623860)
    What's the difference between sendmail and telnet?

    You need a password to get root access through telnet!

    *ducks barrage of rotten fruit*

    But seriously, and without the bad humor, it makes me wonder why everyone always sees X as the bloated, nonsensical, anachronistic piece of junk that is holding LINUX/BSD back. Hell, at least I can understand an XF86Conf-4 file (although the old style XF86Conf file is still rather infuriating).

    • What's the difference between sendmail and telnet?

      You need a password to get root access through telnet!

      Minor nit -- most OSs won't let you login as root via telnet, and haven't done so for a while. So you'll need more than a password -- you'll need a user account, its password, and THEN the password for root (for su'ing from once you're in.) Depending on the OS and configuration, this user account may need to be in the `wheel' group.

      HTH.

  • Mandatory Postfix ad (Score:3, Informative)

    by Anonymous Coward on Saturday March 29, 2003 @06:50PM (#5623869)
    Hi!

    Is your sendmail buggy? Would it be time to change to Postfix [postfix.org]?

    Only $0,00.

  • I use qmail (Score:4, Informative)

    by spun (1352) <loverevolutionary@@@yahoo...com> on Saturday March 29, 2003 @07:05PM (#5623929) Journal
    After researching sendmail, postfix, and qmail, I settled on qmail for its speed and security. I can't count the number of times I had to upgrade sendmail in the past. I have never heard of a single remote exploit affecting qmail.
  • http://videl.ics.hawaii.edu/~warren/fedora/sendmail-8.12.8-2.fdr.1.80.src.rpm [hawaii.edu]

    I converted the security patch to a unidiff and applied it to Red Hat's latest sendmail errata SRPM for Red Hat Linux 8.0. Use at your own risk.

  • by Billly Gates (198444) on Saturday March 29, 2003 @07:34PM (#5624016) Journal
    55 flaws in the code, 55 flaws in the code....

    Take one down debug it around 58 flaws in the code...

  • Does anyone happen to know if Red Hat will be releasing a patch for version 6.2 of their distribution? I suppose I could patch it manually, but it'd be nice to stick with Red Hat fixes until I migrate to a newer version early this summer.

    I ask as I believe this weekend is the official EOL for 6.2 errata.
  • by please explain (646745) <slashdot@g e t data.org> on Saturday March 29, 2003 @08:58PM (#5624248)
    Sendmail gets a bad name sometimes from folks who gave up on it for various reasons (Too hard?). Sometimes some of these "administrators" can't tell the difference between a Message store and an MTA. /var/mail is not sendmail!

    I personally like the way the sendmail community handles these issues when they arise. 2 reports in a row is a bummer, but the frequency is exaggerated. I respect the fact that there are other open source MTAs and think they can be made to work well too (postfix, qmail, exim, etc...).

    Please keep in mind that this MTA was around when the network was more of a community (not a lot of .com) and having an open relay was normal. Think ARPAnet.

    Sendmail pioneered lots of the AntiSPAM/AntiSPAMMER features that are taken for granted today (advanced relay control, ip to dns a record verify, DNS blacklisting etc...).

    There are reasons why many (think mega sized corporations around the world) use sendmail in front of their message store systems (Exchange, Notes, Cyrus, /var/mail, etc...). Think scale and way beyond systems for only 10s of thousands or less.

    It has/provides:

    The ability to use LDAP information for routing.

    The ability to use LDAP instead of a flat Alias file.

    LDAP intelligence at the port 25 gateway (think: not having unreturnable bounce messages traveling all the way into the network and then getting stuck at your message store). A smart MTA at the gateway will break the connection and not waste time trying to pass the message through.

    Pass based (w/crypt options) SMTP Authentication

    Certificate-based SMTP authentication

    Unlimited relay control options (rule sets and milters)

    Built in SMTP encryption (TLS/SSL) with support for PKI systems

    Multiple queues and deterministic queuing (queue groups)

    Fallback MX (this is huge for failover)

    Mid-protocol conversation filtering (Milter, do all of your attachment stripping and message scanning without adding extra hops).

    Capable of sending email just as fast as any other MTA without violating RFCs (do you really not want to commit your data to stable storage?) and without putting your data at risk.

    SMTP pipelining (why open a new connection each time?)

    Active development with developers developing to the RFC/IETF's standards and the needs of today's internet.

    Ability to be configured to avoid port 25 Denial of service attacks that other MTAs are vulnerable to.

    My 2 pennies, just another opinion, now leaving verbose mode...
  • by mcrbids (148650) on Saturday March 29, 2003 @09:24PM (#5624310) Journal
    1) Qmail doesn't follow convention. Forget inetd, DJB uses his own, goofy "tcpserver". Never mind any other services you have on the machine, and pray to god they don't conflict. You *can* get qmail to work with xinet.d, but good luck getting all the (much needed) features working, since with xinet.d you get an open mail relay by default.

    2) There are like 5 different programs, each with different user accounts (qmaild, qmaill, qmailp, qmailq, qmailr, qmails, vmail, etc) - all running from the same !@#!@ bin directory! Talk about confusing as !@#! hell when you want to audit permissions!

    3) Qmail has a truly hideous license. Yeah, it's "open source", but you can't redistribute changes!!?!

    This means:

    4) If you want something decent (such as LDAP support, antivirus filtering or integration with SpamAssassin, etc.) you have to apply 57 god-knows patches to the "official" qmail source, and in just the right order to get everything working.

    5) The log format is different than sendmail's. While this is understandable, it means that all these neat reporting tools for sendmail can't be used.

    And finally,

    6) Administering Sendmail on RH Linux is a breeze. up2date sendmail; /etc/rc.d/init.d/sendmail restart takes care of most of it.

    -Ben
    • 1) Qmail doesn't follow convention. Forget inetd, DJB uses his own, goofy "tcpserver". Never mind any other services you have on the machine, and pray to god they don't conflict. You *can* get qmail to work with xinet.d, but good luck getting all the (much needed) features working, since with xinet.d you get an open mail relay by default.

      You can use qmail with inetd if you want. But inetd is a potential security hazard; why would you complain about an alternative that improves that situation?

      2) There

  • by bill_mcgonigle (4333) on Sunday March 30, 2003 @12:54AM (#5624916) Homepage Journal
    Interesting how we just had this article [slashdot.org] the other day.

    I know some places process a lot of mail with sendmail and need all the speed they can get, but the monster sites seem to have gone to qmail anyway. Considering the speed of my computer vs. the speed of my 'net pipe, I don't have much of a load on my mailserver, which leads me to ask:

    Does anybody know of a good mailserver written in a higher-level language?

    This is what, the 82nd remote root-exploit in sendmail due to C coding problems? Let's see something written in Perl or Python or Java, even.
  • Would be for them to stop releasing fixes. The same goes for BIND version 9. These programs are endless thorns in the sides of the internet, and the developers of said programs would be doing us all a favor if they would just stop developing, pull the source off of the internet, and tell the world to use software that was coded to be secure.
  • Don't queue mail with sendmail.
    Send mail with Qmail.