Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security-Fix Sendmail 8.12.9 Released

Posted by timothy on from the preemptive dept.

bahamutirc writes "Yet another security problem was discovered by Michal Zalewski in Sendmail 8.12.8, 'a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable.' Apparently somebody jumped the gun and posted before Sendmail had a chance to notify anyone, so they had to release it today. Go grab your source." Here's the CERT advisory.

6 of 166 comments (clear)

  1. Advisories, more like invatations to exploit by Neophytus · · Score: 3, Informative

    Developers recently have been getting fed up with security "advisories", that include an exploit, being posted on most "security" websites before they have even been notified. Unfortunatly this leads to many script kiddies getting their kicks from "owning" a popular site before they have been patched, and probably many of the websites that exist exist purly for this purpose. Sendmail are just the latest people to fall victim from this.

  2. Mandatory Postfix ad by Anonymous Coward · · Score: 3, Informative
    Hi!

    Is your sendmail buggy? Would it be time to change to Postfix?

    Only $0,00.

  3. I use qmail by spun · · Score: 3, Informative

    After researching sendmail, postfix, and qmail, I settled on qmail for it's speed and security. I can't count the number of times I had to upgrade sendmail in the past. I have never heard of a single remote exploit affecting qmail.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  4. Re:Sendmail.... by ldspartan · · Score: 3, Informative

    Although I am not a qmail expert by any stretch of the imagination, I'm pretty damn sure you can do all of that with qmail combined with vpopmail, a reasonably popular virtual-user package (GPL, of course).

    Fall-through addresses: Done easily in vpopmail.

    Configurable bounce errors: bounce-saying in the .qmail file for that address.

    Delivery to a process: put "|/bin/appname" in your .qmail file.

    Backup mail spooling: Put the domain you want to be a secondary for in /var/qmail/control/rcpthosts, make sure it doesn't appear in locals.

    "list" forwards: Put multiple addresses in your .qmail file, on seperate lines.

    Access controls for relaying: Done with ucspi-tcp by setting environment variables based on IP of clients.

    Domain mirroring: one command with vpopmail; 'valias'.

    All of this is well documented in "Life with Qmail," a great reference.

    --
    Phil

  5. Re:Sendmail.... by witwerg · · Score: 3, Informative
    This is just a really quick overview because there are a few things I would have to lookup again for postfix, and don't quite have time to write a fully detailed essay(good for postfix 1.11).

    Main Configuration/Documenation

    Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation are the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQ's, HOWTO's and mailing lists.

    Tables

    Postfix supports a wide variety of Table types. sendmail uses "hash" I think.. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively. So my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form

    • TYPE:LOCATION

    The Type is the type of table/format being used. The Location is simply one of several things

    1. For simple tables like gdbm or has it is the location where the table is on the disk,
    2. For mysql it's the location of a configuraiton file for the mysql table(i think)
    3. For ldap it's the name of the ldaptable and there are additional configuration variable to setup.

    For backwards compatibility, hash:/etc/alias is normally setup as an alias database.

    Virtual Stuff

    Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.

    • Virtual User -- an address in a fake domain that gets routed to other addresses these are done by creating virtual tables. The configuration variable virtual_maps is set to set space-delimited list of tables to use as virtual tables. So hash:/etc/.../virtualusers should get the map working(I think). Remeber the man pages are very good. See virtual(5) for more.
    • Virtual Mailbox -- a user in a fake domain that gets routed to it's own mailbox, but has no associated user account on the machine. This gets more complex, however, as you have to set locations, gids, uids, transport(the method of delivery). See virtual(8)

    Fallback Address or "Catchalls"

    Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.

    Configurable bounce errors

    I'm not sure this there is a way to completely customize the return error, but adding an entry domain.com (not @domain.com) the actually data doesn't matter,, just the entry so set it to unknown for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropiate error. see virtual(5).

    Delivery to a piped process

    Yes you can. You have to edit the /etc/postfix/master.cf in order to setup the service for delivery. Here are some examples:

    cyrus unix - n n - - pipe
    flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
    uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

    Backup mail spooling

    In postfix these is a transports map that has three fields: domain(key), transport(service to deliver), nexthop(next machine in chain). An entry has a form the actual data for the entry is in the form tra

  6. Re:Sendmail.... Opps Hit submits too soon by witwerg · · Score: 4, Informative
    Here's the proofread formated version

    This is just a really quick overview because there are a few things I would have to lookup again for postfix, and don't quite have time to write a fully detailed essay(good for postfix 1.11).

    Main Configuration/Documenation

    Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation are the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQ's, HOWTO's and mailing lists.

    Tables

    Postfix supports a wide variety of Table types. sendmail uses "hash" I think.. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively. So my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form

    • TYPE:LOCATION

    The Type is the type of table/format being used. The Location is simply one of several things

    1. For simple tables like gdbm or has it is the location where the table is on the disk,
    2. For mysql it's the location of a configuraiton file for the mysql table(i think)
    3. For ldap it's the name of the ldaptable and there are additional configuration variable to setup.

    For backwards compatibility, hash:/etc/alias is normally setup as an alias database.

    Virtual Stuff

    Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.

    • Virtual User -- an address in a fake domain that gets routed to other addresses these are done by creating virtual tables. The configuration variable virtual_maps is set to set space-delimited list of tables to use as virtual tables. So hash:/etc/.../virtualusers should get the map working(I think). Remeber the man pages are very good. See virtual(5) for more.
    • Virtual Mailbox -- a user in a fake domain that gets routed to it's own mailbox, but has no associated user account on the machine. This gets more complex, however, as you have to set locations, gids, uids, transport(the method of delivery). See virtual(8)

    Fallback Address or "Catchalls"

    Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.

    Configurable bounce errors

    I'm not sure this there is a way to completely customize the return error, but adding an entry domain.com (not @domain.com) the actual data doesn't matter, just the entry is importent,so set it to "unknown" for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropiate error. see virtual(5).

    Delivery to a piped process

    Yes you can. You have to edit the /etc/postfix/master.cf in order to setup the service for delivery. Here are some examples:

    cyrus unix - n n - - pipe
    flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
    uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

    Backup mail spooling

    In postfix there is a transports map that has three fields: domain(key), transport(servic