Hey there,
I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
insecure. Anybody know something about this, and especially about this
version?
Thanks, Max
If you look through the archive of CERT advisories
(http://www.cert.org/advisories) you'll find a number of past security
problems with sendmail mentioned. But the most recent
(CA-97.05.sendmail) is almost three years old now, and refers to
versions 8.8.3 and 8.8.4. Of course that's no guarantee there aren't
problems somewhere in 8.9.3 too, but the trend at least seems
promising...
There are a number of things you can do to enhance sendmail security
beyond the typical default installation, such as running it in a
chroot'ed environment, or under a nonprivileged UID wherever it can
(the 'RunAsUser' option) and even run it without being setuid, though
that's a bit complicated to set up.
One general complaint about sendmail is that it's a big, monolithic
setuid program running (normally) with root privileges. Newer MTAs
like qmail or postfix split up the MTA functions into a series of
small programs, most of which don't need to run as a privileged user.
Presumably separating the privileged parts from the rest of the MTA
makes those systems potentially more secure -- there's less privileged
code to audit. In a sendmail security tutorial at LISA '99,
sendmail's author mentioned he was thinking about splitting up future
sendmails into two programs, one to be the SMTP daemon and the other
to handle everything else. (Though he was down on the concept of
splitting things up into lots of little programs, on efficiency
grounds if I remember correctly).
--
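An added example, not code from the thread or from the sendmail project: a small POSIX shell helper that audits an installation for two of the hardening points the reply above mentions, the RunAsUser option in sendmail.cf and whether the sendmail binary still carries the setuid bit. The `O RunAsUser=` line is sendmail's own .cf option syntax; the file paths, function names and status words are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sendmail install for the
# RunAsUser option and the setuid bit. Chroot'ing is set up outside the
# .cf file (with chroot(8) at start-up), so it is not checked here.

# Print the value of "O RunAsUser=..." from a sendmail.cf, or nothing if
# the option is not set. Comment lines start with '#' and never match '^O'.
cf_run_as_user() {
    sed -n 's/^O[ ]*RunAsUser[ ]*=[ ]*\([^ ]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed (exit 0) if the given file exists and has its setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Classify one installation. Prints exactly one status word:
#   hardened       RunAsUser set and the binary is not setuid
#   setuid-binary  RunAsUser set, but the binary still has the setuid bit
#   no-runasuser   binary not setuid, but RunAsUser is not set in the .cf
#   default        neither measure applied (the typical setuid-root install)
audit_sendmail() {
    user=$(cf_run_as_user "$1")
    if is_setuid "$2"; then suid=yes; else suid=no; fi
    if [ -n "$user" ] && [ "$suid" = no ]; then echo hardened
    elif [ -n "$user" ]; then echo setuid-binary
    elif [ "$suid" = no ]; then echo no-runasuser
    else echo default
    fi
}

# Usage: sh audit-sendmail.sh /etc/sendmail.cf /usr/sbin/sendmail
if [ $# -eq 2 ]; then
    echo "RunAsUser=$(cf_run_as_user "$1") status=$(audit_sendmail "$1" "$2")"
fi
```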
Kurt's Closet: Postfix - the Sendmail replacement
http://www.securityportal.com/direct.cgi?/closet/closet19990915.html
Postfix is a hell of a lot easier to configure, and more secure
IMNHO.
http://www.securityportal.com/direct.cgi?/lasg/servers/email/index.html
--
Kurt Seifried
http://www.seifried.org/
http://www.securityportal.com/lasg/
http://www.securityportal.com/closet/
http://www.cryptoarchive.net/
My public keys are available at:
http://www.seifried.org/keys/
http://www.pgpi.org/ - recommended for Windows
http://www.gnupg.org/ - recommended for UNIX
http://www.pgp.com/ - recommended for commercial use
> > Hey there,
> > I run sendmail 8.9.3 on my system, but a lot of people say
> > sendmail is insecure. Anybody know something about this, and
> > especially about this version?
> > Thanks, Max
> Of course, sendmail is definitely insecure, to a knowledgeable
> person who knows the "BAT_BOOK" by heart, tweaks any sendmail.cf
> from a command prompt and is also a gifted c/c++/lisp programmer.
> But in the meantime it just keeps running about 60% of the
> Internet's mail services on this part of the Universe called earth.
> cor
> #include <humor.h>
> (defun humor-on ()
>   (setq humor-on t))
> --
> /* If GNU/LINUX has no solution...then you have the problem */
> /* Never install Slackware........You might learn something */
> I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
> insecure. Anybody know something about this, and especially about this
> version?
> Thanks, Max
cor
#include <humor.h>
(defun humor-on ()
  (setq humor-on t))
--
/* If GNU/LINUX has no solution...then you have the problem */
/* Never install Slackware........You might learn something */
--
Programmer; CE Net, Inc. "http://www.freezersearch.com/index.cfm?aff=dhc",
(302) 854-5440 Ext. 206 "http://www.homeworkhelp.org",0}; */
Angelo
> I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
> insecure. Anybody know something about this, and especially about this
> version?
> Thanks, Max
>> I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
>> insecure. Anybody know something about this, and especially about this
>> version?
>> Thanks, Max
Some popular replacements are qmail (Fast, Secure): www.qmail.org
exim (Simple, easy to use): www.exim.org
and postfix (???): www.postfix.org
Those are definitely not the ONLY MTAs there are around, so you might find
something more suitable for your needs at www.freshmeat.net or
www.linuxberg.com
> > I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
> > insecure. Anybody know something about this, and especially about this
> > version?
> > Thanks, Max
> There is always qmail (http://www.qmail.org). According to the web
> page, "qmail is a secure package. There was a $1,000.00 prize for anyone
> who can show otherwise, which went unclaimed." The only security
> problems that I recall concerning qmail are minor denial of service
> attacks. I'm sure denial of service issues exist in any MTA. Wietse Venema
> publicized such qmail attacks on the Bugtraq
> (http://www.securityfocus.com/) mailing list in what I assume are efforts
> to advocate his Postfix MTA. I'm really not trying to start an MTA debate
> on this thread but I want the inquirer to know its options. ;)
> --
> Programmer; CE Net, Inc.
> (302) 854-5440 Ext. 206 "http://www.homeworkhelp.org",0}; */
> I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
> insecure.
I was really happy when I turned off sendmail and started using postfix.
Much easier to configure and it has built-in support for LDAP etc.
Ciao, Michael.
It's worth mentioning that most Unix/Linux installations today come
> With all of sendmail's "bad", it's the most popular MTA around, and quite
> a lot of software was built around it, before even thinking of alternatives,
> see that you don't have any software that depends on sendmail per-se, some
> CGI scripts, some Perl software, etc depends on Sendmail being installed
> (and/or used as the active MTA) on the system.
> Some popular replacements are qmail (Fast, Secure): www.qmail.org
> exim (Simple, easy to use): www.exim.org
> and postfix (???): www.postfix.org
> Those are definitely not the ONLY MTAs there are around, so you might find
> something more suitable for your needs at www.freshmeat.net or
> www.linuxberg.com
In that light, both Exim and Postfix are drop-in replacements for
sendmail. They can pretty much hook into the other add-ins the
same way that sendmail did, though they both have their own config
files. Qmail is completely different from anything else. There are
many bridge programs to let it work with the stuff that has grown
up around sendmail, but it's more work to set up.
For security, Qmail has been the reigning champ, and Postfix is
a relative newcomer to that arena. I'm under the impression that
Exim is more secure than sendmail, but isn't in the same league
as the other two. On the other hand, for dialup users, security
isn't quite as important as support for intermittent connections
and easy/flexible address rewriting. (For when your machine name
changes with connects, or you use multiple email providers.) Exim
is great for those.
And as mentioned, there are many others.
Dale Pontius
NOT speaking for IBM
Raymond
> I run sendmail 8.9.3 on my system, but a lot of people say sendmail is
> insecure. Anybody know something about this, and especially about this
> version?
> Thanks, Max
http://cr.yp.to/maildisasters/sendmail.html
http://cr.yp.to/maildisasters/postfix.html
http://cr.yp.to/qmail/guarantee.html
for some perspective. Then go learn about---for example---the 8.8.8
security problem pointed out in July 1999 by Michal Zalewski, combining
a bug fixed in 8.9.1, a bug silently fixed in 8.9.3, and a bug fixed in
8.10.0.Beta7.
---Dan
1. sendmail 8.6.8 and sendmail.cw
As a result of the latest security related postings regarding sendmail,
I've got the sendmail 8.6.8 binary and configuration files (from our local
security group) but I can't find anyone to tell me how to set up
/etc/sendmail.cw for my site. Following the example file, if my machine
were public.x.org, /etc/sendmail.cw would look like:
public.x.org ftp.x.org
My machine, however, has no internet alias. What should be in my
/etc/sendmail.cw?
If you're reading this from comp.mail.sendmail, please respond via e-mail
since this is not one of my regular groups.