Security-Fix Sendmail 8.12.9 Released

bahamutirc writes "Yet another security problem was discovered by Michal Zalewski in Sendmail 8.12.8, 'a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable.' Apparently somebody jumped the gun and posted before Sendmail had a chance to notify anyone, so they had to release it today. Go grab your source." Here's the CERT advisory.

Re:Sendmail.... Opps Hit submits too soon

[witwerg]

Here's the proofread formated version

This is just a really quick overview because there are a few things I would have to lookup again for postfix, and don't quite have time to write a fully detailed essay(good for postfix 1.11).

Main Configuration/Documenation

Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation are the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQ's, HOWTO's and mailing lists.

Tables

Postfix supports a wide variety of Table types. sendmail uses "hash" I think.. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively. So my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form

• TYPE:LOCATION

The Type is the type of table/format being used. The Location is simply one of several things

1. For simple tables like gdbm or has it is the location where the table is on the disk,
2. For mysql it's the location of a configuraiton file for the mysql table(i think)
3. For ldap it's the name of the ldaptable and there are additional configuration variable to setup.

For backwards compatibility, hash:/etc/alias is normally setup as an alias database.

Virtual Stuff

Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.

• Virtual User -- an address in a fake domain that gets routed to other addresses these are done by creating virtual tables. The configuration variable virtual_maps is set to set space-delimited list of tables to use as virtual tables. So hash:/etc/.../virtualusers should get the map working(I think). Remeber the man pages are very good. See virtual(5) for more.
• Virtual Mailbox -- a user in a fake domain that gets routed to it's own mailbox, but has no associated user account on the machine. This gets more complex, however, as you have to set locations, gids, uids, transport(the method of delivery). See virtual(8)

Fallback Address or "Catchalls"

Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.

Configurable bounce errors

I'm not sure this there is a way to completely customize the return error, but adding an entry domain.com (not @domain.com) the actual data doesn't matter, just the entry is importent,so set it to "unknown" for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropiate error. see virtual(5).

Delivery to a piped process

Yes you can. You have to edit the /etc/postfix/master.cf in order to setup the service for delivery. Here are some examples:

cyrus unix - n n - - pipe
flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

Backup mail spooling

In postfix there is a transports map that has three fields: domain(key), transport(servic