sendmail

Post by max » Thu, 06 Jan 2000 04:00:00



Hey there,

I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
insecure. Anybody know something about this, and specially about this
version?

Thanks, Max

Post by Jim Dav » Thu, 06 Jan 2000 04:00:00


:Hey there,
:
:I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
:insecure. Anybody know something about this, and specially about this
:version?

If you look through the archive of CERT advisories
(http://www.cert.org/advisories) you'll find a number of past security
problems with sendmail mentioned.  But the most recent
(CA-97.05.sendmail) is almost three years old now, and refers to
versions 8.8.3 and 8.8.4.  Of course that's no guarantee there aren't
problems somewhere in 8.9.3 too, but the trend at least seems
promising...

There are a number of things you can do to enhance sendmail security
beyond the typical default installation, such as running it in a
chroot'ed environment, or under a nonprivileged UID wherever it can
(the 'RunAsUser' option), and even run it without being setuid, though
that's a bit complicated to set up.

One general complaint about sendmail is that it's a big, monolithic
setuid program running (normally) with root privileges.  Newer MTAs
like qmail or postfix split up the MTA functions into a series of
small programs, most of which don't need to run as a privileged user.
Presumably separating the privileged parts from the rest of the MTA
makes those systems potentially more secure -- there's less privileged
code to audit.  In a sendmail security tutorial at LISA '99,
sendmail's author mentioned he was thinking about splitting up future
sendmails into two programs, one to be the SMTP daemon and the other
to handle everything else.  (Though he was down on the concept of
splitting things up into lots of little programs, on efficiency
grounds if I remember correctly).
--

Post by seifrie » Thu, 06 Jan 2000 04:00:00


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kurt's Closet: Postfix - the Sendmail replacement
http://www.securityportal.com/direct.cgi?/closet/closet19990915.html

Postfix is a hell of a lot easier to configure, and more secure
IMNHO.
http://www.securityportal.com/direct.cgi?/lasg/servers/email/index.html

- --

Kurt Seifried
http://www.seifried.org/
http://www.securityportal.com/lasg/
http://www.securityportal.com/closet/
http://www.cryptoarchive.net/
My public keys are available at:
http://www.seifried.org/keys/
http://www.pgpi.org/ - recommended for Windows
http://www.gnupg.org/ - recommended for UNIX
http://www.pgp.com/ - recommended for commercial use




> > Hey there,

> > I run sendmail 8.9.3 on my system, but a lot of people say
> > sendmail is insecure. Anybody know something about this, and
> > specially about this version?

> > Thanks, Max

> Of course, sendmail is definitely insecure, to a knowledgeable
> person who knows the "BAT_BOOK" by heart, tweaks any sendmail.cf
> from a command prompt and is also a gifted C/C++/Lisp programmer.
> But in the meantime it just keeps running about 60% of the
> Internet's mail services on this part of the Universe called Earth.

> cor

> #include<humor.h>
> (defunc humor-on (nil)
> (setq humor-on t ))

> --
> /* If GNU/LINUX has no solution...then you have the problem */
> /* Never install Slackware........You might learn something */


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOHQqqIb9cm7tpZo3EQIOCACfWTGV9RGpaRycqJ594SWTbXD3QKUAmwei
sv8uyH8+AxI9S0xJE0Z/DYs8
=QfFt
-----END PGP SIGNATURE-----

Post by cor gest j » Fri, 07 Jan 2000 04:00:00



> Hey there,

> I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
> insecure. Anybody know something about this, and specially about this
> version?

> Thanks, Max

Of course, sendmail is definitely insecure, to a knowledgeable person who
knows the "BAT_BOOK" by heart, tweaks any sendmail.cf from a
command prompt and is also a gifted C/C++/Lisp programmer.
But in the meantime it just keeps running about 60% of the Internet's
mail services on this part of the Universe called Earth.

cor

#include<humor.h>
(defunc humor-on (nil)
        (setq humor-on t ))

--
/* If GNU/LINUX has no solution...then you have the problem */
/* Never install Slackware........You might learn something */

Post by <su.. » Fri, 07 Jan 2000 04:00:00



> Hey there,
> I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
> insecure. Anybody know something about this, and specially about this
> version?
> Thanks, Max

There is always qmail (http://www.qmail.org). According to the web
page, "qmail is a secure package. There was a $1,000.00 prize for anyone
who can show otherwise, which went unclaimed." The only security
problems that I recall concerning qmail are minor denial of service
attacks. I'm sure denial of service issues exist in any MTA. Wietse Venema
publicized such qmail attacks on the Bugtraq
(http://www.securityfocus.com/) mailing list in what I assume are efforts
to advocate his Postfix MTA. I'm really not trying to start an MTA debate
on this thread but I want the inquirer to know its options. ;)

--

   Programmer; CE Net, Inc.  "http://www.freezersearch.com/index.cfm?aff=dhc",
   (302) 854-5440 Ext. 206   "http://www.homeworkhelp.org",0}; */

Post by spam » Fri, 07 Jan 2000 04:00:00


I work as an administrator for an ISP in the Bahamas. We used to run
sendmail; it is just an invitation to UBE.

Angelo


> Hey there,

> I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
> insecure. Anybody know something about this, and specially about this
> version?

> Thanks, Max

Post by <su.. » Fri, 07 Jan 2000 04:00:00



> I work as an administrator for an ISP in the Bahamas we used to run
> sendmail, it is just an invitation to UBE.

The default configuration disallows relaying as of 8.9.0/8.9.0 98/05/19.
Of course this can be fixed manually if you're using an older version; but
you shouldn't because of security issues.

> Angelo

>> Hey there,

>> I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
>> insecure. Anybody know something about this, and specially about this
>> version?

>> Thanks, Max

--

   Programmer; CE Net, Inc.  "http://www.freezersearch.com/index.cfm?aff=dhc",
   (302) 854-5440 Ext. 206   "http://www.homeworkhelp.org",0}; */
 
Post by Dingo 4 » Fri, 07 Jan 2000 04:00:00


With all of sendmail's "bad", it's the most popular MTA around, and quite
a lot of software was built around it. Before even thinking of alternatives,
see that you don't have any software that depends on sendmail per se; some
CGI scripts, some Perl software, etc. depend on Sendmail being installed
(and/or used as the active MTA) on the system.

Some popular replacements are:
    qmail (Fast, Secure): www.qmail.org
    exim (Simple, easy to use): www.exim.org
    and postfix (???): www.postfix.org

Those are definitely not the ONLY MTAs there are around, so you might find
something more suitable for your needs at www.freshmeat.net or
www.linuxberg.com



> > Hey there,

> > I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
> > insecure. Anybody know something about this, and specially about this
> > version?

> > Thanks, Max

> There is always qmail (http://www.qmail.org). According to the web
> page, "qmail is a secure package. There was a $1,000.00 prize for anyone
> who can show otherwise, which went unclaimed." The only security
> problems that I recall concerning qmail are minor denial of service
> attacks. I'm sure denial of service issues exist in any MTA. Wietse Venema
> publicized such qmail attacks on the Bugtraq
> (http://www.securityfocus.com/) mailing list in what I assume are efforts
> to advocate his Postfix MTA. I'm really not trying to start an MTA debate
> on this thread but I want the inquirer to know its options. ;)

> --

>    Programmer; CE Net, Inc.  "http://www.freezersearch.com/index.cfm?aff=dhc",
>    (302) 854-5440 Ext. 206   "http://www.homeworkhelp.org",0}; */

Post by Michael Ströde » Fri, 07 Jan 2000 04:00:00



> I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
> insecure.

Postfix (http://www.postfix.org/) is a sendmail drop-in replacement MTA
which is designed to be more secure than sendmail.

I was really happy when I turned off sendmail and started using postfix.
Much easier to configure and it has built-in support for LDAP etc.

Ciao, Michael.

Post by Dale Ponti » Fri, 07 Jan 2000 04:00:00




> With all of sendmail's "bad", it's the most popular MTA around, and quite
> a lot of software was built around it. Before even thinking of alternatives,
> see that you don't have any software that depends on sendmail per se; some
> CGI scripts, some Perl software, etc. depend on Sendmail being installed
> (and/or used as the active MTA) on the system.

> Some popular replacements are:
>     qmail (Fast, Secure): www.qmail.org
>     exim (Simple, easy to use): www.exim.org
>     and postfix (???): www.postfix.org

> Those are definitely not the ONLY MTAs there are around, so you might find
> something more suitable for your needs at www.freshmeat.net or
> www.linuxberg.com

It's worth mentioning that most Unix/Linux installations today come
with sendmail as the default. In addition, there are many add-ons
that have been tailored to sendmail.

In that light, both Exim and Postfix are drop-in replacements for
sendmail. They can pretty much hook into the other add-ins the
same way that sendmail did, though they both have their own config
files. Qmail is completely different from anything else. There are
many bridge programs to let it work with the stuff that has grown
up around sendmail, but it's more work to set up.

For security, Qmail has been the reigning champ, and Postfix is
a relative newcomer to that arena. I'm under the impression that
Exim is more secure than sendmail, but isn't in the same league
as the other two. On the other hand, for dialup users, security
isn't quite as important as support for intermittent connections
and easy/flexible address rewriting. (For when your machine name
changes with connects, or you use multiple email providers.) Exim
is great for those.

And as mentioned, there are many others.

Dale Pontius
NOT speaking for IBM

Post by Raymond Doetje » Fri, 14 Jan 2000 04:00:00


The 8.9.x version is very secure! Perhaps a buffer overflow error will be
found in the near future.
Sendmail got its name in the early version 5 days, when it was an
MTA well ahead of its time; it could do things that others dreamt of
(which made it complex and insecure). For instance, you could run arbitrary
software by setting a pipelined command in the rcpt to: field, which could
mail a non-shadowed passwd file. Nowadays it is locked up very well. The
only problem that sendmail still has is its complexity.

Raymond


> Hey there,

> I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
> insecure. Anybody know something about this, and specially about this
> version?

> Thanks, Max
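Two points in this thread are easy to show as a concrete policy check: the earlier reply that the 8.9.0 default configuration refuses relaying, and Raymond's remark that old sendmails would accept a pipelined command as a recipient. The following is an added Python example written for this page, not sendmail's own code and not from any poster; the `EnvelopePolicy` class, its local-domain list (playing the role of sendmail's local-host list), the relay network list, the reply texts and the sample addresses are all constructed assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Local parts that name a delivery mechanism rather than a mailbox:
# "|program" (pipe to a program), "/path" (append to a file) and
# ":include:" (read a list from a file).  Constructed for this example;
# a hardened MTA refuses these from network clients and honours them
# only for locally administered aliases.
_DELIVERY_SYNTAX = re.compile(r'^\s*"?\s*(\||/|:include:)', re.IGNORECASE)


@dataclass
class EnvelopePolicy:
    """Decide RCPT TO for one SMTP client.  Assumed policy, not sendmail's."""
    local_domains: frozenset          # domains we deliver for (like class w)
    relay_nets: tuple = ()            # client networks allowed to relay outward

    def __post_init__(self):
        self.local_domains = frozenset(d.lower() for d in self.local_domains)
        self.relay_nets = tuple(ipaddress.ip_network(n) for n in self.relay_nets)

    @staticmethod
    def _split(rcpt):
        """Return (local_part, domain), or None unless exactly local@domain."""
        addr = rcpt.strip()
        if addr.startswith("<") and addr.endswith(">"):
            addr = addr[1:-1]
        if addr.count("@") != 1:
            return None               # refuse rather than interpret odd forms
        local, domain = addr.rsplit("@", 1)
        if not local or not domain:
            return None
        return local, domain.lower()

    def rcpt_decision(self, client_ip, rcpt):
        """Return the SMTP reply line for RCPT TO:<rcpt> from client_ip."""
        parts = self._split(rcpt)
        if parts is None:
            return "501 5.1.3 Bad recipient address syntax"
        local, domain = parts
        # Delivery-instruction syntax is refused before anything else,
        # even when the domain is one of ours.
        if _DELIVERY_SYNTAX.match(local):
            return "550 5.1.1 Recipient is a delivery instruction, not a mailbox"
        if domain in self.local_domains:
            return "250 2.1.5 OK"
        client = ipaddress.ip_address(client_ip)
        if any(client in net for net in self.relay_nets):
            return "250 2.1.5 OK (relay permitted for client network)"
        return "550 5.7.1 Relaying denied"     # deny by default, as 8.9 does


def demo():
    """Run constructed cases through the policy; returns (ip, rcpt, reply)."""
    policy = EnvelopePolicy(
        local_domains={"public.x.org", "x.org"},   # constructed local domains
        relay_nets=("192.0.2.0/24",),              # constructed customer network
    )
    cases = [
        ("198.51.100.7", "<max@public.x.org>"),                    # local delivery
        ("198.51.100.7", "<someone@example.net>"),                 # outsider to outsider: refused
        ("192.0.2.10",   "<someone@example.net>"),                 # relay from our own network
        ("198.51.100.7", '<"|/usr/local/bin/autoreply"@x.org>'),  # program delivery form
        ("198.51.100.7", "<max>"),                                 # malformed
    ]
    return [(ip, rcpt, policy.rcpt_decision(ip, rcpt)) for ip, rcpt in cases]


if __name__ == "__main__":
    for ip, rcpt, reply in demo():
        print(f"{ip:>14}  RCPT TO:{rcpt:<45} -> {reply}")
```

The ordering is the point: syntax and delivery-instruction checks come first, then delivery for domains the host is authoritative for, then the explicit list of networks allowed to relay, and everything else is refused. In sendmail the corresponding knobs are the local-host list and the access database rather than this class, but the deny-by-default shape is what the 8.9 default configuration gives you for relaying.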

Post by d.. » Fri, 14 Jan 2000 04:00:00



> But the most recent (CA-97.05.sendmail) is almost three years old now,
> and refers to versions 8.8.3 and 8.8.4.

Are you aware that people said similar things in 1996? See

   http://cr.yp.to/maildisasters/sendmail.html
   http://cr.yp.to/maildisasters/postfix.html
   http://cr.yp.to/qmail/guarantee.html

for some perspective. Then go learn about---for example---the 8.8.8
security problem pointed out in July 1999 by Michal Zalewski, combining
a bug fixed in 8.9.1, a bug silently fixed in 8.9.3, and a bug fixed in
8.10.0.Beta7.

---Dan


1. sendmail 8.6.8 and sendmail.cw

As a result of the latest security related postings regarding sendmail,
I've got the sendmail 8.6.8 binary and configuration files (from our local
security group) but I can't find anyone to tell me how to set up
/etc/sendmail.cw for my site. Following the example file, if my machine
were public.x.org, /etc/sendmail.cw would look like:

public.x.org ftp.x.org

My machine, however, has no internet alias. What should be in my
/etc/sendmail.cw?

If you're reading this from comp.mail.sendmail, please respond via e-mail
since this is not one of my regular groups.
