Security-Fix Sendmail 8.12.9 Released
bahamutirc writes "Yet another security problem was discovered by Michal Zalewski in Sendmail 8.12.8, 'a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable.' Apparently somebody jumped the gun and posted before Sendmail had a chance to notify anyone, so they had to release it today. Go grab your source." Here's the CERT advisory.
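The summary above only names the bug class ("a char to int conversion problem" in address parsing). The following is an added illustration of that class in a constructed toy parser; it is not sendmail's code and does not reproduce the 8.12.8 defect. The limit `TOKEN_MAX`, the functions and the sample bytes are all made up for the example. `signed char` is used explicitly to model what plain `char` is on x86 Linux ABIs, so the behaviour is the same wherever it is compiled.

```c
/* Constructed illustration of the signed-char-to-int pitfall. A toy address
 * parser reads a length octet from untrusted input and bounds-checks it
 * before copying. NOT sendmail's code; names and limits are invented. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TOKEN_MAX 16   /* constructed limit: largest token the parser stores */

/* Faulty check: the octet is held in a signed char (what plain `char` is on
 * x86 Linux). Bytes 0x80..0xFF become negative when promoted to int, so
 * "len < TOKEN_MAX" is true for them and the check is bypassed.
 * Returns 1 if the check accepts the octet as a length, 0 if it rejects. */
int length_check_signed(unsigned char raw_octet)
{
    signed char len = (signed char)raw_octet;  /* the lossy conversion */
    return len < TOKEN_MAX;                    /* e.g. 0xC3 -> -61 < 16 */
}

/* What the faulty code would then hand to memcpy: the negative int converted
 * to size_t, e.g. 0xC3 -> -61 -> SIZE_MAX - 60. Computed only, never used. */
size_t bytes_requested_signed(unsigned char raw_octet)
{
    signed char len = (signed char)raw_octet;
    return (size_t)len;
}

/* Fixed check: widen through unsigned char so the value stays in 0..255 and
 * the comparison means what it says. */
int length_check_unsigned(unsigned char raw_octet)
{
    unsigned int len = raw_octet;              /* never negative */
    return len < TOKEN_MAX;
}

/* Safe copy of a length-prefixed token into a fixed buffer.
 * input = [len octet][len bytes...]; returns bytes copied, or -1 on reject
 * (length too large for the buffer, or longer than the data actually present). */
int copy_token(const unsigned char *input, size_t input_len,
               char out[TOKEN_MAX + 1])
{
    if (input_len < 1)
        return -1;
    unsigned int len = input[0];               /* unsigned widening */
    if (len >= TOKEN_MAX || (size_t)len + 1 > input_len)
        return -1;
    memcpy(out, input + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample: a 0xC3 "length" octet, as an 8-bit address could
     * carry, followed by five bytes. */
    const unsigned char sample[] = { 0xC3, 'a', 'b', 'c', 'd', 'e' };
    const unsigned char ok[] = { 3, 'f', 'o', 'o' };
    char out[TOKEN_MAX + 1];

    printf("signed check accepts 0xC3: %d (would memcpy %zu bytes)\n",
           length_check_signed(sample[0]), bytes_requested_signed(sample[0]));
    printf("unsigned check accepts 0xC3: %d\n", length_check_unsigned(sample[0]));
    printf("copy_token on the 0xC3 sample: %d\n",
           copy_token(sample, sizeof sample, out));
    printf("copy_token on a 3-byte token: %d -> \"%s\"\n",
           copy_token(ok, sizeof ok, out), out);
    return 0;
}
```

The two checks differ only in how the octet is widened; the rest of the parser is identical, which is what makes this class hard to spot in review. Compiling with `-Wsign-compare`/`-Wconversion` and keeping raw input in `unsigned char` until it has been range-checked removes the ambiguity.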
Developers recently have been getting fed up with security "advisories" that include an exploit being posted on most "security" websites before they have even been notified. Unfortunately this leads to many script kiddies getting their kicks from "owning" a popular site before it has been patched, and probably many of the websites that exist do so purely for this purpose. Sendmail is just the latest to fall victim to this.
Is your sendmail buggy? Would it be time to change to Postfix?
Only $0,00.
I only see two things that you ask for that I'm not using Qmail for right now.
I hate setting up qmail, but it even has an easy to use web interface for configuring those things.
I haven't tried domain mirroring, but I'm sure you can do it with a symlink.
I don't know if anything else can do piped mail processing. If you ask me, I think that's a security risk in itself.
Karma Clown
After researching sendmail, postfix, and qmail, I settled on qmail for its speed and security. I can't count the number of times I had to upgrade sendmail in the past. I have never heard of a single remote exploit affecting qmail.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
It does not.
This is new.
Qmail does all of these, and I bet the other MTAs do as well. There's plenty of useful documentation at qmail.org on how to migrate. I find it bizarre that you consider these features to be unusual in an MTA. I consider them necessary and normal.

"Fall through addresses" (default delivery instructions)
put "example.com:alias-example-com" in /var/qmail/control/virtualdomains
put default delivery instructions in ~alias/.qmail-example-com-default

"Configurable bounce errors"
You can do this either with piping to a bounce program, or via any of the appropriate patches linked from qmail.org.

"Delivery to a piped process"
Just put |cmd in the .qmail file which corresponds to that rule.

"Backup mail spooling"
Put the domain to spool for in "rcpthosts" but not in "locals" or "virtualdomains".

"'list' forwards"
.qmail files may contain any number of recipients, be they pipes, users, files, or Maildirs.

"Access controls for relaying"
This is controlled via ucspi-tcp, the socket interface preferred for qmail. It's very simple and powerful, and there are patches for doing elaborate things like "pop before smtp" to allow roaming users to relay without authentication.

"Domain mirroring"
Just point your virtuals at the same alias. Here's your /var/qmail/control/virtualdomains:
example.com:alias-example
example.net:alias-example
Qmail ONLY works with procmail. It requires procmail for local delivery.
What makes Qmail seem so difficult is that it's DEAD SIMPLE. When comparing to sendmail, I used to get confused. How can it be this easy? I don't understand! Well it is. It took me a few weeks to get out of my sendmail mindset, but once I did, I was glad.
Although I am not a qmail expert by any stretch of the imagination, I'm pretty damn sure you can do all of that with qmail combined with vpopmail, a reasonably popular virtual-user package (GPL, of course).

Fall-through addresses: Done easily in vpopmail.
Configurable bounce errors: bounce-saying in the .qmail file for that address.
Delivery to a process: put "|/bin/appname" in your .qmail file.
Backup mail spooling: Put the domain you want to be a secondary for in /var/qmail/control/rcpthosts, make sure it doesn't appear in locals.
"list" forwards: Put multiple addresses in your .qmail file, on separate lines.
Access controls for relaying: Done with ucspi-tcp by setting environment variables based on IP of clients.
Domain mirroring: one command with vpopmail; 'valias'.

All of this is well documented in "Life with Qmail," a great reference.
--
Phil
Main Configuration/Documentation
Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation is the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQs, HOWTOs and mailing lists.
Tables
Postfix supports a wide variety of table types. sendmail uses "hash", I think. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively, so my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form
The Type is the type of table/format being used. The Location is simply one of several things
For backwards compatibility, hash:/etc/alias is normally set up as an alias database.
Virtual Stuff
Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.
Fallback Address or "Catchalls"
Catch-alls operate like in sendmail: add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps, they aren't very compatible with catchalls.
Configurable bounce errors
I'm not sure there is a way to completely customize the return error, but add an entry domain.com (not @domain.com); the actual data doesn't matter, just the entry, so set it to "unknown" for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropriate error. See virtual(5).
Delivery to a piped process
Yes you can. You have to edit /etc/postfix/master.cf in order to set up the service for delivery.
Here are some examples:
Backup mail spooling
In postfix there is a transports map that has three fields: domain(key), transport(service to deliver), nexthop(next machine in chain). An entry has a form the actual data for the entry is in the form tra
This is just a really quick overview because there are a few things I would have to look up again for postfix, and I don't quite have time to write a fully detailed essay (good for postfix 1.11).
I don't see anything unusual in your list. Do you think there aren't qmail users who have widely varied and specialised needs? I'm not going to pretend that you won't have to do any reading and learning in order to migrate to qmail, but that's very different than claiming that only sendmail has the features you need. Unfortunately, I am unable to give you step-by-step instructions, but given that you're intelligent enough to understand how to configure sendmail, you shouldn't have any problem starting with the qmail home page and proceeding from there. Also good is life with qmail.
My next sig will be ready soon, but subscribers can beat the rush
1) Qmail doesn't follow convention. Forget inetd, DJB uses his own, goofy "tcpserver". Never mind any other services you have on the machine, and pray to god they don't conflict. You *can* get qmail to work with xinetd, but good luck getting all the (much needed) features working, since with xinetd you get an open mail relay by default.
2) There are like 5 different programs, each with different user accounts (qmaild, qmaill, qmailp, qmailq, qmailr, qmails, vmail, etc) - all running from the same !@#!@ bin directory! Talk about confusing as !@#! hell when you want to audit permissions!
3) Qmail has a truly hideous license. Yeah, it's "open source", but you can't redistribute changes!!?!
This means:
4) If you want something decent (such as LDAP support, antivirus filtering or integration with SpamAssassin, etc.) you have to apply 57 god-knows patches to the "official" qmail source, and in just the right order to get everything working.
5) The log format is different than sendmail's. While this is understandable, it means that all these neat reporting tools for sendmail can't be used.
And finally,
6) Administering Sendmail on RH Linux is a breeze. up2date sendmail; /etc/rc.d/init.d/sendmail restart takes care of most of it.
-Ben
I have no problem with your religion until you decide it's reason to deprive others of the truth.