Security Advice Needed


Post by itsamoo.. » Thu, 09 Mar 2000 04:00:00



Hi All

I am *ed to sendmail having relied on it for over a year while I
connect via a dial up connection.  I have found it to be reliable and
configurable to my needs. I want to keep using it when I switch over to
cable modem and would still like to use sendmail.

I would appreciate any advice on how I should set it up to avoid any
security problems. I have sendmail-8.9.3-10 and red hat 6.0.  Relaying
is disabled by default as far as I can tell.

On the os side the only thing I know I have done is to disable finger
service.  I don't have tftp.

If you know a web site that is dedicated to this I will appreciate it
too.

Thanks much


Post by Thomas Lewi » Thu, 09 Mar 2000 04:00:00


Make sure you can even send and receive email with your cable modem.
I have a cable modem as well and they must have blocked out port 25 on
their firewall/router, whatever they use, nothing comes or goes from my
machine.

Just a word of caution for you!


> Hi All

> I am *ed to sendmail having relied on it for over a year while I
> connect via a dial up connection.  I have found it to be reliable and
> configurable to my needs. I want to keep using it when I switch over to
> cable modem and would still like to use sendmail.

> I would appreciate any advice on how I should set it up to avoid any
> security problems. I have sendmail-8.9.3-10 and red hat 6.0.  Relaying
> is disabled by default as far as I can tell.

> On the os side the only thing I know I have done is to disable finger
> service.  I don't have tftp.

> If you know a web site that is dedicated to this I will appreciate it
> too.

> Thanks much


Post by Geir A. Myrestran » Thu, 09 Mar 2000 04:00:00



> I would appreciate any advice on how I should set it up to
> avoid any security problems. I have sendmail-8.9.3-10 and
> red hat 6.0.  Relaying is disabled by default as far as I
> can tell.

A first step could be to upgrade to 8.10.
_______________________________________________________________

Sendmail, Inc.                          http://www.sendmail.com
 
 
 


Post by Claus Assman » Thu, 09 Mar 2000 04:00:00



> > A first step could be to upgrade to 8.10.

> Why?  Are there any known security holes in 8.9.3?

I don't consider them serious, but check yourself:

                        SENDMAIL RELEASE NOTES

        SECURITY: The safe file checks now back track through symbolic
                links to make sure the files can't be compromised due
                to poor permissions on the parent directories of the
                symbolic link target.
        SECURITY: Only root, TrustedUser, and users in class t can rebuild
                the alias map.  Problem noted by Michal Zalewski of the
                "Internet for Schools" project (IdS).
        SECURITY: There is a potential for a denial of service attack if
                the AutoRebuildAliases option is set as a user can kill the
                sendmail process while it is rebuilding the aliases file
                (leaving it in an inconsistent state).  This option and
                its use is deprecated and will be removed from a future
                version of sendmail.
        SECURITY: Make sure all file descriptors (besides stdin, stdout, and
                stderr) are closed before restarting sendmail.  Problem noted
                by Michal Zalewski of the "Internet for Schools" project
                (IdS).

--
If you feel the urgent wish to send me a courtesy copy of a Usenet
posting, then make sure it's recognizable as such!

 
 
 


Post by Sam » Fri, 10 Mar 2000 04:00:00






>> I would appreciate any advice on how I should set it up to
>> avoid any security problems. I have sendmail-8.9.3-10 and
>> red hat 6.0.  Relaying is disabled by default as far as I
>> can tell.

> A first step could be to upgrade to 8.10.

Why?  Are there any known security holes in 8.9.3?


 
 
 


Post by Timothy J. L » Fri, 10 Mar 2000 04:00:00


|I want to keep using it when I switch over to
|cable modem and would still like to use sendmail.
|
|I would appreciate any advice on how I should set it up to avoid any
|security problems. I have sendmail-8.9.3-10 and red hat 6.0.  Relaying
|is disabled by default as far as I can tell.

Do you need to receive mail via SMTP on your computer?  If not,
remove the -bd from sendmail's startup command (leave the -qwhatever
so that it checks the mail queue periodically for delayed mail).

|On the os side the only thing I know I have done is to disable finger
|service.  I don't have tftp.

Turn off all services that you don't need running (check /etc/inetd.conf
and "ps ax" and netstat).  Also consider using the included firewall
software to block things that you might have missed (or limit access
if you want stuff running but only allowed on the "inside" network).

Check Red Hat's web site for any security patches that need to be
applied for your Red Hat 6.0 (even if you turn the service off, put
the patch on in case you later need that service).

--
------------------------------------------------------------------------

Unsolicited bulk or commercial email is not welcome.             netcom.com
No warranty of any kind is provided with this message.
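
The checks described in the post above, sketched as an added shell example (not part of the original thread). The inetd.conf entries and the sendmail command line are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit helpers for the advice in the post above.

# Constructed sample of an inetd.conf; a leading '#' disables an entry.
sample_inetd_conf() {
cat <<'EOF'
# service socket proto wait user server args
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  root  /usr/sbin/tcpd  in.fingerd
#tftp   dgram   udp  wait    root  /usr/sbin/tcpd  in.tftpd
EOF
}

# Print the service name of every enabled (non-comment) entry in file $1.
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# Succeed if the sendmail command line in $1 starts the SMTP listener (-bd).
listens_smtp() {
    for arg in $1; do
        if [ "$arg" = "-bd" ]; then return 0; fi
    done
    return 1
}

# Rewrite the command line in $1: drop -bd, keep the rest (such as -q1h),
# so the queue is still processed but nothing listens for inbound SMTP.
queue_only() {
    out=""
    for arg in $1; do
        [ "$arg" = "-bd" ] || out="${out:+$out }$arg"
    done
    printf '%s\n' "$out"
}

conf=$(mktemp)
sample_inetd_conf > "$conf"
echo "enabled inetd services: $(inetd_enabled "$conf" | tr '\n' ' ')"
cmd="/usr/sbin/sendmail -bd -q1h"   # constructed startup command
if listens_smtp "$cmd"; then
    echo "SMTP listener enabled; queue-only form: $(queue_only "$cmd")"
fi
rm -f "$conf"
```

On a real host, point `inetd_enabled` at /etc/inetd.conf and compare the result with what "ps ax" and netstat show, since daemons started outside inetd do not appear in that file.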

 
 
 


Post by Frank Ha » Tue, 14 Mar 2000 04:00:00





>|I want to keep using it when I switch over to
>|cable modem and would still like to use sendmail.
>|
>|I would appreciate any advice on how I should set it up to avoid any
>|security problems. I have sendmail-8.9.3-10 and red hat 6.0.  Relaying
>|is disabled by default as far as I can tell.

>Do you need to receive mail via SMTP on your computer?  If not,
>remove the -bd from sendmail's startup command (leave the -qwhatever
>so that it checks the mail queue periodically for delayed mail).

At home, I have cablemodem access and I did a couple of things
that may or may not have helped.

I have a three computer network with a 486 running Linux that
has two network cards.  One is connected to the cablemodem and
the other is connected to two additional machines.  One of these
is a Sun Sparc running Solaris and the other is a MS Windows 95
machine.

I had sendmail running on the Linux machine, but I was worried
about it, so I shut it down and now I just run a cron job every
15 minutes to send out mail.  Any mail on the 486 just gets
sent to the Sun machine.

On the Sun, I run fetchmail once an hour to collect email.  I
also installed a pop server on the Sun so that my wife can collect
mail from the Sun.  I also use procmail on the Sun to make a copy
of the email so that I can read it on the Sun.

So far, the setup has worked well.

--
Frank Hahn

Eeny, Meeny, Jelly Beanie, the spirits are about to speak!
                -- Bullwinkle Moose

 
 
 


Post by John » Sat, 18 Mar 2000 04:00:00



> Make sure you can even send and receive email with your cable modem.
> I have a cable modem as well and they must have blocked out port 25 on
> their firewall/router, whatever they use, nothing comes or goes from my
> machine.

> Just a word of caution for you!

Yes, the standard contracts for xDSL and cable modem ISPs mention
that private users are not allowed to run servers. 'Walling out standard
ports might be a common thing. Check with your provider to see if that's the
way it is with your contract before setting it up. They might cancel your
contract w/o a refund if you jump first.