Sendmail Removed From NetBSD

Derkjan de Haan writes "Christos Zoulas removed sendmail from the NetBSD source tree, after a lot of discussion about its security track-record. Sendmail will remain available from pkgsrc." But without sendmail.cf foo, how will we distinguish between the best admins and the mediocre? Sendmail was more useful as a litmus test than as an MTA ;)

The Security Concerns

[eldavojohn]

Well, I don't think that a short note covered much at all on why they removed it so I did some investigative work. Disclaimer: I use sendmail although I am by no means an expert at it. I'm ignoring pre-2k security issues [wikipedia.org] as that is older than five years ago.

• A security alert [cert.org] from March of 2003 in which Sendmail has been determined to contain a buffer overflow vulnerability.
• Another security alert [cert.org] from later that year.
• A security alert [cert.org] also from 2003 regarding a remote buffer overflow.
• A security alert [cert.org] from 2002 regarding a trojan horse horse sendmail distro.
• Some freebsd specific [cert.org] Sendmail alerts.
• A security alert [us-cert.gov] from March of 2006 (this year) regarding a race condition that may allow remote code execution by an arbitrary user.
• A plethera of similar or smaller security concerns [cert.org] can easily be found.
• The most recent release of Sendmail [sendmail.org] involves things like fixing possible integer overflows & unsafe use of setjmp(3)/longjmp(3) or adding time outs.

As you can see with above security concerns, Sendmail has had significant historical problems but they have been active in rectifying these problems. If you have the time to patch often, Sendmail most probably will provide you with one of the safest mail transfer agents out there.

The largest concern seems to be the possibility of being compromised via a remote connection [deer-run.com]. If you're not using it, simply turn off the Sendmail Daemon. And I think that's why they removed it from NetBSD. Some idiot like myself might install NetBSD and leave that sucker listening on port 25. Now, there are no problems immediately because I'll have the latest version but I'm lazy and I don't patch NetBSD regularly so a few security alerts come out and then ... well, you know the rest.

Funny thing is, I've never heard of anyone losing data or being hacked due to Sendmail. Perhaps it's because the last place I saw it used widely was college?

Sendmail? Insecure?

[Pirogoeth]

I just don't believe it [cr.yp.to]...

They did overhaul sendmail.

[Trigun]

And named it postfix.

Re:The Security Concerns

[archen]

I'm not sure about NetBSD, but in FreeBSD you can remove Sendmail entirely. Add "NO_SENDMAIL=true" to make.conf. During your next buildworld sendmail (and related stuff) will not be built. After installworld, do a search for old files - particularly /usr/libexec/sendmail I think is the location. Then install another MTA from ports if you need one.

Re:What's the alternative?

[jmcneill]

On a default NetBSD installation where does the cron output go?

Postfix has been in the tree for a while, and will now be the default MTA.

8 years after "The Worm" Snedmail is closed

[sgent]

You've never heard of a security issue with sendmail??!!!?? Time for a history lesson. Although obviously fixed now, Sendmail was the main culprit in the first internet worm ever found in the wild.

The Internet Worm of 1988 -- Introduction by Francis Litterio

The below document tells the story of the Internet Worm of 1988 and how it effectively shut down the Internet. I didn't write it, but it's hard to find it on the net these days, so I offer it here on the theory that those who fail to learn from history are doomed to repeat it.

I remember when it happened. It was a big deal to computer people like me, but in 1988 the Internet was unknown even to the most sophisticated media reporters, and the World Wide Web had not been invented yet. I remember the NBC Evening News devoting less than 30 seconds to the topic. If an equally severe disruption of the Internet were to happen today, the President of the United States would probably hold a press conference to calm the nation.

Google Cache to the Article by Don Seeley, Univ. of Utah [64.233.187.104]

Re:Provide examples

[liliafan]

Postfix is based on sendmails codebase, with much stronger security features and a lot of the more complex configuration hidden away. It is very fast and featureful.

Qmail is a fairly secure pretty fast MTA it is very modular and very suited to sites with multiple domains to handle.

There is others such as exim, james, etc but Sendmail, Postfix and Qmail are the 3 biggest I think next would be exim (it used to be the default in debian I don't know if it still is).

Personally I would recommend postfix if you are handling just your own email, I use postfix, courier-imapd, spamassassin, amavisd, clamav, maildrop, and procmail and I haven't had a single security incident on my system (knock on wood), additionally I have about a 99% success rate catching spam with almost no false positives.

Re:Sendmail is a pain in the ass

[Megane]

That's the new configuration process.

Then it's at least nine years new. The second edition of the bat-book dates to January 1997. (I don't think I've ever seen a copy of the first edition, so I don't know if the m4 config is as old as late 1993.) I've been using the m4 config since early 2000 when I first got fixed IP DSL.

Anyhow, in my experience, Sendmail also won't work right if your DNS is broken. Both the IP and MX records have to be right.

Re:Provide examples

[Kadin2048]

Personally, I use Postfix. It's Free, it's intelligently designed (by this guy [porcupine.org], if you were wondering), it's much easier to set up to be secure, and it has a certain level of Sendmail compatibility, so that older programs that assume you're running Sendmail don't barf when you switch.

The biggest architectural difference between Sendmail and Postfix is that Postfix has many small executables (arguably, many not-so-small executables) while Sendmail is monolithic. From a user's perspective this is basically transparent: the biggest benefit to a sysadmin of running Postfix is the config files, which are as close to being self-explanatory as a MTA config file can be, in my opinion.

Sendmail always struck me as a bit of a challenge to set up securely/properly (i.e. "not an open relay"); Postfix is pretty simple to get going securely, and has well-chosen default parameters (at least as I've seen it installed, on Debian) that let you set up a server that won't be immediately spewing Russian penis-enlargement emails quickly. I've never tried to set up Sendmail with SSL support, but I'm going to go out on a limb and guess that it's easier to do this with Postfix as well.

I can't personally vouch for its speed, because I don't run a high-volume mailserver, nor do I have the hardware to really give the MTA that much of a workout (it just becomes disk-bound on my systems). Plus I use flat mbox files and the situation may be totally different with the more modern database-type mailstores. (Yeah, yeah, I know -- 1986 called and they want their file format back and all that. But it works for me.)

There are other choices out there for MTAs, and I'm sensitive to arguments in favor of them and I'm not trying to say that Postfix is necessarily the best possible thing out there for everyone, but at least in my experience it beats the hell out of Sendmail. If somebody wants to jump in here and discuss qmail or exim, and why they think they're great, please do.

Re:This really sucks

[Anonymous Coward]

Not sure what your are saying, English must be your second language.

Anyway, if you mean you are going to install FreeBSD over your existing NetBSD installs on "All your servers" then you are a dumbass. Sendmail is still in pkgsrc. Try this.

cd /usr/pkgsrc/mail/sendmail
make install

Duh.

Re:Linux is too heavy as it is...

[molarmass192]

I sort of agree with you. I'd like Novell to put out something like an official SLICK [opensuse.org] which would be optimized for GUI-less implementations and built to run in the smallest footprint possible (ie. less than 50M). If it was included as an option in the stock SuSE, then wow. Now, as for spending 2-3 hours running rpm -ev / yast pulling packages from SLES to make it usable, somehting isn't right there. First off, you should have setup a test server to determine your needs. Once that's done, create an AutoYast install script (think RH KickStart) to do your production installs (eg. yast2 autoyast). Second, even if unneeded pacakges are installed, you can easily disable the cruft services you don't need in Yast->System->Services, I'd guess in under 5 minutes start to finish. [suse.com]

Re:Replacement?

[perry]

Postfix was made the default mailer.

Re:Be serious

[ajs318]

The format of sendmail.cf made perfect sense when sendmail was written, however many years ago it was. In those days, people were smart and machines were stupid.

When you look at modern programs with their fancy-pants SQL and XML configurations, they may be easier for a human being to understand; but they're also a hell of a lot of work for the computer to understand, precisely because of all the human-readable cruft. Twenty or thirty years ago, there wasn't the computing power to waste on processing such a config file; it was simply less effort, and more productive, to get a human being to bond well enough with the computer to be able to create a sendmail.cf from scratch.

Re:The Security Concerns

[dodobh]

Complex mail handling requirements such as? Postfix handles most stuff fine (and if you have really complex policies, pushing those policies into an external policy daemon is recommended).

As for milters, the latest Postfix snapshots are adding milter support.

Because it's broken from the ground up

[metamatic]

Sendmail is pre-Internet. It was built to route mail between BITNET, UUCP, ARPAnet, JAnet, and so on, all of which had different e-mail syntax. That's why it has a big slow crufty macro engine that every message goes through, and that's why it rewrites the headers of e-mail passing through it. None of that is necessary or desirable these days. Most of sendmail's other problems, from lack of speed to poor security, flow from that initial design decision, so you really need to start again from scratch with a simple e-mail parser and build up from there.

Re:A Good Sign

[Anonymous Coward]

It is still the default MTA on OpenBSD, and the OBSD developers (up to now) have been resistent to the idea of replacing it. It has been stated that Sendmail's recent security record (on OpenBSD) has been acceptable, and that sendmail's authors are always reasonable when it comes to making changes (this is important!).

I'm curious, how many systems still ship sendmail as the default MTA?

cron

[Gandalf_007]

The main reason an MTA is included is because of the daily (and weekly, monthly) cron jobs that email their output to root. As one of the daily jobs is /etc/security (which compares the checksum, permissions, and timestamps of a list of system files to known values, among other things), this is a good thing. (It's also a good idea to put audit-packages in security.local, and download-vulnerability-list in daily.)

Just an FYI, on both NetBSD and OpenBSD (and also FreeBSD, AFAIK), the out-of-the-box configuration has sendmail listening only on 127.0.0.1 and ::1 -- you have to manually configure it (insert sendmail.cf snark) to listen on physical interfaces.

While pkgsrc does make installation very easy, the stuff in base undergoes more throrough audits, and usually has {Net,Open,Free}BSD-specific patches to it. While pkgsrc includes patches as well, those are usually just what's sufficient to make it run on $platform.

Re:The Security Concerns

[dodobh]

http://www.postfix.org/postconf.5.html#canonical_m aps [postfix.org]
http://www.postfix.org/generic.5.html [postfix.org]
http://www.postfix.org/ADDRESS_REWRITING_README.ht ml [postfix.org]
http://www.postfix.org/transport.5.html [postfix.org]

Pretty trivial stuff.

Re:This really sucks

[Anonymous Coward]

Then you are one of the very few folks using sendmail w/o pkgsrc. Everyone else who was asked admitted to already using the pkgsrc sendmail as it supported sasl and other important features that can't be supported in base.

Since the folks (well, all the ones asked before this was done) using sendmail weren't using the sendmail in base, it seems like litle will be lost by removing it.

Re:define("Improved" sendmail configuration)dnl

[welsh git]

> dnl means "delete new-lines".
>
> The M4 macro preprocessing tends to insert a lot of extra blank lines into the
> resulting .cf file, so the dnl's are basically macros that remove extra new-line
> characters.
>
> Yes, it is stupid.

Actually, you are, because you're wrong!

I don't know exactly what it stands for, but it's purpose is to "ignore rest of line", in other words, do exactly as '#' does in shell scripts etc.

"delete (to) newline"
or "disregard to newline" ?

Dunno.. Yeah, stupid name, but at least it does something more useful than you thought!