Re: [LI] Info on Y2K!!!
Mannu
On 28 Nov 99, at 19:57, thus spake Linux India Digest:
> Anyone here has a clue about the Y2K readiness of RedHat 5.2 and
> Sendmail 8.8.7???
It's Y2K compliant all right, but totally insecure - especially sendmail
8.8.7 (as IIT Madras found to their cost a couple of days ago when a
spammer attacked them).
1. Sendmail builds lower than 8.9.3 are generally unstable, and
subject to several buffer overflow attacks (say HELO string > 1kb
length).
2. Older builds are generally open relays.
3. Even the sendmail supplied with RH6 is slightly broken - or rather
the linuxconf generated sendmail.cf file is outdated, generating
faulty check_rcpt tables vulnerable to open relay using mail from:"",
user%host, uucp bangpathing, etc. hacks (which several commercial
spamware packages use)
According to sendmail.org - sendmail 8.8 is effectively unsupported
and susceptible to a buffer overflow attack (caused when a HELO of
over 1024 characters is sent). It is also vulnerable to uucp
bangpathing, %, "" etc relaying hacks.
Sendmail 8.9.0 and 8.9.1 are susceptible to relaying attacks using
the : pathing control character in the RCPT TO:<> header.
Hence, golden rule - upgrade to RH6.1 or at least upgrade your
sendmail to 8.9.3. Or get sendmail 8.10.x.Beta which supports
Authenticated SMTP.
When upgrading sendmail - always rebuild your sendmail.cf - or
download the .cf generator for free from
ftp://ftp.jpcert.or.jp/pub/security/tools/CF/
Or better - as u use Red Hat, see ftp://admin.netus.com/sendmail/
for free, preconfigured sendmail 8.9.3 rpms for various scenarios.
[hell, why do I keep saying "free"? this is Linux after all, not
windoze <g>]
--s
Suresh Ramasubramanian
106D, Aditya Enclave, Ameerpet, Hyderabad 500038, India.
Phone: +(91-40)3736553/3745398 | eFax: +(1-603)590-5437
Suresh@xxxxxxxxxxx | Suresh@xxxxxxxx
http://www.kcircle.com | http://www.angen.net/~pegasus/
Freedom's just another word for not caring about the quality of your work.
- Scott Adams (in Dilbert)
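As an added illustration (not part of the original post or of sendmail itself), here is a stand-alone Python check that applies the relay rules the post describes: reject the %-hack, UUCP bang paths and :-route addresses in RCPT TO, refuse to relay to foreign domains even when MAIL FROM is empty or "", and bound the HELO length. The local domain list and the sample envelopes are constructed for the example.

```python
from typing import Optional, Tuple

# Domains this host accepts mail for (constructed for the example).
LOCAL_DOMAINS = {"example.org", "mail.example.org"}

# HELO argument length the post cites as the trigger for the 8.8.x overflow.
HELO_MAX_LEN = 1024


def helo_acceptable(helo: str) -> bool:
    """Refuse oversized HELO/EHLO arguments before they reach the MTA."""
    return 0 < len(helo) <= HELO_MAX_LEN


def source_route_reason(address: str) -> Optional[str]:
    """Name the relay trick an envelope address uses, or None if it is plain user@domain."""
    addr = address.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    local, _, _domain = addr.rpartition("@")
    if "!" in addr:
        return "uucp-bang-path"        # other.test!user@example.org
    if "%" in local:
        return "percent-hack"          # user%other.test@example.org
    if local.startswith("@") or ":" in local:
        return "route-addr"            # @example.org:user@other.test
    return None


def relay_decision(mail_from: str, rcpt_to: str, client_is_local: bool) -> Tuple[str, str]:
    """Apply the post's rules to one envelope and return (verdict, reason).

    A real MTA does this in its ruleset (sendmail's check_rcpt); this is an
    illustration written for this example, not sendmail's own code.
    """
    reason = source_route_reason(rcpt_to)
    if reason:
        return "reject", reason
    # MAIL FROM:<> and MAIL FROM:"" are both null senders (bounces).
    sender = mail_from.strip().strip("<>").strip('"')
    bounce = sender == ""
    rcpt = rcpt_to.strip().strip("<>")
    _local, _, domain = rcpt.rpartition("@")
    if domain.lower() in LOCAL_DOMAINS:
        return "accept", "null-sender-bounce" if bounce else "local-recipient"
    if client_is_local:
        return "accept", "local-client-relay"
    # An empty sender must not unlock relaying to foreign domains.
    return "reject", "relay-denied"
```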