
re: [LI] Authentication in Sendmail.



Hi

> We are using sendmail 8.9.3-10 on RHL 6.0 as mail server. Can some
> body tell me how to configure sendmail to validate the user before
> accepting the mail for transfer. I want to use linux user names &
> passwords, just like reading POP3 mail boxes.

Sendmail uses check_rcpt tables to validate users / hosts allowed to 
relay.

Sendmail admins can see 
http://www.sendmail.org/tips/relaying.html which has quite a few 
useful bits of information.  

Redhat linux users check out ftp://admin.netus.com/sendmail/ and 
download preconfigured, secure sendmail 8.9.3 rpms. Linuxconf 
users beware! - Linuxconf was found to be generating faulty (old) 
check_rcpt tables as recently as 20 July 1999. Make sure your 
version is newer than this before using it to generate sendmail.cf 
files.

Sun Admins may see http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access (url may wrap) for 
updates to sendmail 8.9.x.

Consider trying the latest beta for sendmail (sendmail 8.10.0.Beta6) 
which supports Authenticated SMTP. It also (amongst other things) 
has built in support for multiple dns based blacklists (like the RBL).

When upgrading sendmail to secure versions: Always generate a 
new sendmail.cf - continuing to use the sendmail.cf from a previous 
version which had a relaying vulnerability will usually result in that 
relaying vulnerability not being fixed.  

If you are uncomfortable with M4 scripting, WIDE in Japan have a 
.cf generator which may be useful. It can be downloaded from 
ftp://ftp.jpcert.or.jp/pub/security/tools/CF/

If you need sendmail on a machine so that processes can send out 
mail, but no inbound mail facilities are needed, all you need to do is 
change sendmail's startup settings by removing the "-bd" flag. It's 
the -bd flag (-bD if run in the foreground) which tells sendmail to 
listen on port 25 and if that is deleted, it will only deliver locally 
generated mail rather than acting as a full-blown mailserver.   

Please note: this will only secure a server for as long as the -bd flag 
is disabled, so should be regarded as a temporary measure. 
Eventually, someone is bound to accidentally re-enable the -bd flag. 
Wherever possible, please update to sendmail 8.9.3 or later. 

For those using older Sendmail versions - here's a note

Sendmail builds lower than 8.8 are fundamentally insecure, and full 
of security holes.  Additionally all versions of sendmail prior to 8.8.9 
are susceptible to a HELO buffer overflow attack - and most 
recently, several thousand sendmail 8.8 installations have been 
exploited by a spammer using RCPT TO:<"victim@target"> - with 
the "" in the envelope.

If you have one of these sendmail versions, disable or update it 
immediately and audit your machine's security. Sendmail Inc 
describe version 8.6 and earlier as "Not supported, not secure and 
should NOT be run on a network-connected computer." 

If you are running Sendmail 8.8, see Claus Assmann's check_rcpt 
Sendmail 8.8 antirelay patches, which fix relay vulnerabilities using 
"", %, ! and : vulnerabilities in 8.8.x sendmail.  Visit his page at 
http://www.sendmail.org/~ca/email/check.html for more details.  
More useful information is available at 
http://hexadecimal.uoregon.edu/antirelay/

Sendmail 8.8 is effectively unsupported and susceptible to a buffer 
overflow attack (caused when a HELO of over 1024 characters is 
sent).  There are probably more relaying holes lurking in it.  
Sendmail 8.9.0 and 8.9.1 are susceptible to relaying attacks using 
the : pathing control character in the RCPT TO:<> header. 

hope this helps
--s


Suresh Ramasubramanian
106D, Aditya Enclave, Ameerpet, Hyderabad 500038, India.
Phone: +(91-40)3736553/3745398 | eFax: +(1-603)590-5437
Suresh@xxxxxxxxxxx | Suresh@xxxxxxxx
http://www.kcircle.com | http://www.angen.net/~pegasus/
    Having your back scratched is not the only reason to be married,
    but it is a good one, especially for those spots that are so
    hard to reach by yourself.
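A simplified model of the recipient check the reply above describes, added here as an illustration and not sendmail's own check_rcpt ruleset nor code from the poster: it accepts mail for the host's own domains, relays only for clients already authorised to relay, and refuses the quoted, %, ! and : local-part forms the post names. The domain names and RCPT lines are constructed.

```python
import re

# Domains this host accepts mail for (constructed values for the example).
LOCAL_DOMAINS = {"example.org", "mail.example.org"}

# Local-part characters that older rulesets could treat as routing
# instructions, or that hide a second address inside quotes.
ROUTING_CHARS = {"%": "percent-hack routing",
                 "!": "UUCP bang-path routing",
                 ":": "source-route separator",
                 "@": "second @ in local part",
                 '"': "quoted local part"}

# Accepts 'RCPT TO:<addr>', '<addr>' or a bare 'addr'.
_RCPT_RE = re.compile(r'^(?:RCPT\s+TO:\s*)?<?([^<>\s]+)>?$', re.IGNORECASE)


def parse_rcpt(arg):
    """Return the bare address from a RCPT TO argument, or None on syntax error."""
    m = _RCPT_RE.match(arg.strip())
    return m.group(1) if m else None


def check_rcpt(arg, client_may_relay, local_domains=LOCAL_DOMAINS):
    """Decide whether to accept an envelope recipient.

    client_may_relay is True only for clients already authorised to relay
    (listed in the relay tables or authenticated).  Returns a
    (verdict, reason) tuple where verdict is 'ACCEPT' or 'REJECT'.
    """
    addr = parse_rcpt(arg)
    if addr is None:
        return ("REJECT", "syntax error in recipient")
    if "@" not in addr:
        return ("REJECT", "recipient has no domain")
    local, domain = addr.rsplit("@", 1)
    if not local:
        return ("REJECT", "empty local part")
    # Refuse anything that smuggles a second route into the local part,
    # whatever domain the address claims to be for.
    for ch, why in ROUTING_CHARS.items():
        if ch in local:
            return ("REJECT", "relaying denied: %s" % why)
    if domain.lower().strip(".") in local_domains:
        return ("ACCEPT", "local delivery")
    if client_may_relay:
        return ("ACCEPT", "relay permitted for this client")
    return ("REJECT", "relaying denied")
```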

--------------------------------------------------------------------
The Linux India Mailing List Archives are now available.  Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.