Slashdot Mirror


Security-Fix Sendmail 8.12.9 Released

bahamutirc writes "Yet another security problem was discovered by Michal Zalewski in Sendmail 8.12.8, 'a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable.' Apparently somebody jumped the gun and posted before Sendmail had a chance to notify anyone, so they had to release it today. Go grab your source." Here's the CERT advisory.
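The summary above attributes the overflow to a char-to-int conversion. As an added illustration (not sendmail's code and not part of the original page), this toy scanner shows one way that class of bug defeats a length check: a signed char holding 0xFF widens to -1 and collides with an int sentinel, so the checked store is skipped while an unchecked write still happens. The scanner, NOCHAR, CAP and both sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOCHAR (-1)  /* int sentinel meaning "no character pending" (assumed name) */
#define CAP    16    /* logical size of the token buffer (assumed value) */

/*
 * Toy address scanner. A pending character is stored at the top of each
 * iteration, and that store is the only place the length check runs. The
 * escape path writes a backslash without its own check, trusting that a
 * checked store always happens between two escape writes.
 * Returns bytes written, or -1 if a length check rejected the input.
 */
static long scan(const char *in, size_t inlen, char *out, size_t cap, int hardened)
{
    size_t n = 0;
    int c = NOCHAR;
    int escaped = 0;

    for (size_t i = 0; i < inlen; i++) {
        if (c != NOCHAR && !escaped) {
            if (n + 2 > cap)           /* keep room for char + one escape byte */
                return -1;
            out[n++] = (char)c;
        }
        /* The bug: a signed char holding 0xFF widens to int -1 == NOCHAR.
         * The fix: widen through unsigned char so c is always 0..255. */
        c = hardened ? (int)(unsigned char)in[i] : (int)(signed char)in[i];

        if (escaped) {
            escaped = 0;
            if (hardened && n >= cap)  /* hardened: every write is checked */
                return -1;
            out[n++] = '\\';
            continue;
        }
        if (c == '\\')
            escaped = 1;
    }
    if (c != NOCHAR && !escaped) {     /* flush the last pending character */
        if (n + 1 > cap)
            return -1;
        out[n++] = (char)c;
    }
    return (long)n;
}

/* Constructed input: `pairs` repetitions of a backslash followed by 0xFF. */
static long run_crafted(int hardened, size_t pairs)
{
    char in[128];
    char backing[256];  /* real storage exceeds CAP so the demo overrun stays in valid memory */

    if (pairs > sizeof in / 2)
        pairs = sizeof in / 2;
    for (size_t i = 0; i < pairs; i++) {
        in[2 * i] = '\\';
        in[2 * i + 1] = (char)0xFF;
    }
    return scan(in, 2 * pairs, backing, CAP, hardened);
}

/* Constructed benign input: both variants must behave identically on it. */
static long run_benign(int hardened)
{
    const char *in = "u\\ser@h";  /* 7 ASCII bytes */
    char out[CAP];

    return scan(in, strlen(in), out, CAP, hardened);
}

int main(void)
{
    printf("benign, vulnerable scanner:  %ld bytes\n", run_benign(0));
    printf("benign, hardened scanner:    %ld bytes\n", run_benign(1));
    printf("crafted, vulnerable scanner: %ld bytes written into a %d-byte buffer\n",
           run_crafted(0, 40), CAP);
    printf("crafted, hardened scanner:   %ld (rejected)\n", run_crafted(1, 40));
    return 0;
}
```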


  1. Re:See by saskboy · · Score: 2

    long int foo = 87;
    long int foobar = 2;
    long int foofoobar = 0;

    foofoobar = (long int)foo / foobar; //???

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  2. Re:Good. by Anonymous Coward · · Score: 5, Insightful

    I'm glad they kept this SM exploit fairly quiet. You would have thought it would become public and cause lots of mischief, but now that there is a fix, I suspect they will release what the problem was in more detail.

    If this was a Microsoft problem and they kept it quiet you would have been ranting and raving right now, right?

  3. Too late sendmail monkeys! by Dogun · · Score: 5, Funny

    I switched to postfix last time! MWAHAHAHAHA!

  4. Sendmail.... by Chester+K · · Score: 4, Interesting

    Sendmail: The IIS of Open Source.

    This is the straw that breaks the camel's back. I'm changing to another MTA.

    --

    NO CARRIER
    1. Re:Sendmail.... by dissy · · Score: 3, Insightful

      > Qmail [qmail.org] is small, fast, easy and secure.

      Yes but qmail and postfix don't do near as much as sendmail.

      Most of the people using sendmail (myself included) use it because it's the only option for our needs.

      Until qmail and/or postfix reach the feature set of sendmail (or come anywhere near it) it will remain useless to me.

      Thank you for preaching, please drive through.

    2. Re:Sendmail.... by kuroth · · Score: 4, Funny

      > What does [sendmail] do that [qmail] doesn't?

      It gives you something to do on Saturdays. See, the sendmail team knows how tedious it is to do things like spend time with your wife and kids, play fetch with the dog, wax the car, and mow the lawn. Therefore, every two to four weeks, they release a fantastic new remote exploit, so you can spend your Saturday patching stuff or running your package management program of choice.

      This stands in stark contrast to qmail. If you were running qmail, you'd have no choice but to spend all that annoying "quality" time with your friends and family. Secure and reliable? Honestly, I don't know what DJB was thinking.

    3. Re:Sendmail.... by Vainglorious+Coward · · Score: 2, Insightful
      > qmail and postfix don't do near as much as sendmail.

      And sendmail doesn't do as much as Exchange, so what's that got to do with it? The major weakness of sendmail compared to qmail is precisely that it's a monolithic beast that tries to do everything. Qmail's approach is to have small modules that perform one task, and perform it well (and securely - still no claims on the security guarantee in six years).

      > Thank you for preaching, please drive through.

      Seems to me that, like many others, it's the author of qmail that's your problem, not the actual software. So go on, tell us: what features does sendmail provide that can't be found in other MTAs?

      --
      My next sig will be ready soon, but subscribers can beat the rush
    4. Re:Sendmail.... by dissy · · Score: 3, Interesting

      Perhaps I just don't know the undocumented tricks of those mail servers.

      If anyone could give me either detailed instructions on how to translate from sendmail to qmail/postfix configs, or a good website that explains this, I would be most grateful.

      Please do keep in mind my only experience with qmail or postfix was reading the documentation to see how hard it would be to convert my sendmail setup, and seeing most of the features I need not being listed, I didn't bother setting them up.
      I am not at all familiar with the config files used by either.

      I am also assuming in this post one IS familiar with sendmail.
      Where I simply say virtusertable, that would of course be /etc/mail/virtusertable.

      I use the short names assuming you know what I mean. In a reply, please use the long form when describing qmail/postfix, as I have no clue what's what :)

      My current setup uses sendmail's virtusertable for all domains I handle.
      There is never an instance where mail sent to user@domain will just deliver to the account user, which is sendmail's default method of delivery.
      Every domain I have in my cw file is in virtusertable.

      That said, the features I need are:

      Fall-through addresses

      In sendmail's virtusertable, if you add @domain.com,
      then if the email address doesn't match a specific entry in virtusertable for a domain, it will deliver using that rule.

      Configurable bounce errors

      I have some addresses (and some domains' fall-through addresses) that have entries such as:
      @domain.com error:nouser No such user
      which returns the correct error code and the text message above.

      Delivery to a piped process

      In sendmail's aliases file you can add an entry such as
      somealias: "|/path/to/an/app"
      and sendmail will execute that program passing the email to its stdin.

      Backup mail spooling

      Where the server accepts mail for a domain but doesn't attempt to deliver it locally, just forward to a mail server with a higher(lower) MX priority.

      Support 'list' forwards

      IE staff@domain.com -> account1, account2, outside@emailaddy.com
      Sendmail does this really ghetto by using both virtusertable and aliases, as only aliases can have multiple places of delivery, but virtusertable can send domain mail to an alias easily enough.

      Access controls for relaying

      I use IP addresses to control who can send mail out through the mailserver (only machines in my IP space, as well as a couple of friends' statics, are on the list).
      I would be interested in smtp-auth in the future, but until I have finished the server transition I would want the functionality to remain as-is, and inform my users later of new and added features, preferably without having to say older features will no longer work.
      Doing without smtp-auth would also be fine with me.

      Domain mirroring

      In sendmail's virtusertable, if you have say 3 domains that use the same mappings, you can do the following:

      user1@domain.com user1 ...
      user99@domain.com user99
      @domain.com error:nouser No such user

      @domain.NET %1@domain.com
      @domain.ORG %1@domain.com

      Then you only need to manage one list (for com) and if you sent mail to user1@domain.org it would rewrite it as user1@domain.com

      Also for local delivery, the mailer would need to work with procmail.
      I'm sure qmail and postfix both do, so that shouldn't be a problem. Just wanted to mention it in case.

      If qmail/postfix really can do everything above, then I stand corrected, but would ask either for a source of good documentation, or just an explanation on each point for how to do it the qmail/postfix way.

      Thanks

    5. Re:Sendmail.... by j3110 · · Score: 2, Informative

      I only see two things that you ask for that I'm not using Qmail for right now.

      I hate setting up qmail, but it even has an easy to use web interface for configuring those things.

      I haven't tried domain mirroring, but I'm sure you can do it with a symlink.

      I don't know if anything else can do piped mail processing. If you ask me, I think that's a security risk in itself.

      --
      Karma Clown
    6. Re:Sendmail.... by Anonymous Coward · · Score: 2, Informative

      Qmail does all of these, and I bet the other MTAs do as well. There's plenty of useful documentation at qmail.org on how to migrate. I find it bizarre that you consider these features to be unusual in an MTA. I consider them necessary and normal.

      "Fall through addresses" (default delivery instructions)
      put "example.com:alias-example-com" in /var/qmail/control/virtualdomains
      put default delivery instructions in ~alias/.qmail-example-com-default

      "Configurable bounce errors"
      You can do this either with piping to a bounce program, or via any of the appropriate patches linked from qmail.org.

      "Delivery to a piped process"
      Just put |cmd in the .qmail file which corresponds to that rule.

      "Backup mail spooling"
      Put the domain to spool for in "rcpthosts" but not in "locals" or "virtualdomains".

      "'list' forwards"
      .qmail files may contain any number of recipients, be they pipes, users, files, or Maildirs.

      "Access controls for relaying"
      This is controlled via ucspi-tcp, the socket interface preferred for qmail. It's very simple and powerful, and there are patches for doing elaborate things like "pop before smtp" to allow roaming users to relay without authentication.

      "Domain mirroring"
      Just point your virtuals at the same alias. here's your /var/qmail/control/virtualdomains:
      example.com:alias-example
      example.net:alias-example

      Qmail ONLY works with procmail. It requires procmail for local delivery.

      What makes Qmail seem so difficult is that it's DEAD SIMPLE. When comparing to sendmail, I used to get confused. How can it be this easy? I don't understand! Well it is. It took me a few weeks to get out of my sendmail mindset, but once I did, I was glad.

    7. Re:Sendmail.... by ldspartan · · Score: 3, Informative

      Although I am not a qmail expert by any stretch of the imagination, I'm pretty damn sure you can do all of that with qmail combined with vpopmail, a reasonably popular virtual-user package (GPL, of course).

      Fall-through addresses: Done easily in vpopmail.

      Configurable bounce errors: bounce-saying in the .qmail file for that address.

      Delivery to a process: put "|/bin/appname" in your .qmail file.

      Backup mail spooling: Put the domain you want to be a secondary for in /var/qmail/control/rcpthosts, make sure it doesn't appear in locals.

      "list" forwards: Put multiple addresses in your .qmail file, on separate lines.

      Access controls for relaying: Done with ucspi-tcp by setting environment variables based on IP of clients.

      Domain mirroring: one command with vpopmail; 'valias'.

      All of this is well documented in "Life with Qmail," a great reference.

      --
      Phil

    8. Re:Sendmail.... by witwerg · · Score: 3, Informative
      This is just a really quick overview because there are a few things I would have to look up again for postfix, and don't quite have time to write a fully detailed essay (good for postfix 1.11).

      Main Configuration/Documentation

      Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation is the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQs, HOWTOs and mailing lists.

      Tables

      Postfix supports a wide variety of Table types. sendmail uses "hash" I think.. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively. So my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form

      • TYPE:LOCATION

      The Type is the type of table/format being used. The Location is simply one of several things

      1. For simple tables like gdbm or hash, it is the location where the table is on the disk.
      2. For mysql, it's the location of a configuration file for the mysql table (I think).
      3. For ldap, it's the name of the ldaptable, and there are additional configuration variables to set up.

      For backwards compatibility, hash:/etc/alias is normally set up as an alias database.

      Virtual Stuff

      Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.

      • Virtual User -- an address in a fake domain that gets routed to other addresses. These are done by creating virtual tables. The configuration variable virtual_maps is set to a space-delimited list of tables to use as virtual tables. So hash:/etc/.../virtualusers should get the map working (I think). Remember the man pages are very good. See virtual(5) for more.
      • Virtual Mailbox -- a user in a fake domain that gets routed to its own mailbox, but has no associated user account on the machine. This gets more complex, however, as you have to set locations, gids, uids, transport (the method of delivery). See virtual(8).

      Fallback Address or "Catchalls"

      Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.

      Configurable bounce errors

      I'm not sure there is a way to completely customize the return error, but adding an entry domain.com (not @domain.com): the actual data doesn't matter, just the entry, so set it to unknown for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropriate error. See virtual(5).

      Delivery to a piped process

      Yes you can. You have to edit the /etc/postfix/master.cf in order to set up the service for delivery. Here are some examples:

      cyrus unix - n n - - pipe
        flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
      uucp unix - n n - - pipe
        flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

      Backup mail spooling

      In postfix there is a transports map that has three fields: domain(key), transport(service to deliver), nexthop(next machine in chain). An entry has a form the actual data for the entry is in the form tra

    9. Re:Sendmail.... by Vainglorious+Coward · · Score: 2, Informative
      > ...my only experience with qmail or postfix was reading the documentation to see how hard it would be to convert my sendmail setup...

      I don't see anything unusual in your list. Do you think there aren't qmail users who have widely varied and specialised needs? I'm not going to pretend that you won't have to do any reading and learning in order to migrate to qmail, but that's very different than claiming that only sendmail has the features you need. Unfortunately, I am unable to give you step-by-step instructions, but given that you're intelligent enough to understand how to configure sendmail, you shouldn't have any problem starting with the qmail home page and proceeding from there. Also good is life with qmail.

      --
      My next sig will be ready soon, but subscribers can beat the rush
  5. Sendmail advertisement by statusbar · · Score: 4, Funny

    "Providing hackers with security holes for DECADES" --jeff++

    --
    ipv6 is my vpn
  6. Is Sendmail still worth it? by mnmn · · Score: 5, Interesting


    I fought with the M4 format of sendmail.cfg for a while in setting up a complex system before switching to qmail. I've tried postfix too, but I still see diehard sendmailers around.

    For one, sendmail is really not intuitive. If you're given a server you've never seen before and have to alter some fancy configs in it, could you do it faster than if it were say qmail? Maybe if I stare at M4 pinfo I could begin to get it, I gave up early there.

    Secondly these security problems.

    So beside the fact that sendmail is the standard, quite mature and very flexible if you know how to config it, does it have any big edge over postfix or qmail that everyone should know about?

    And can the sendmail developers be brave trailblazers and finally change the config file syntax to just text words like httpd.conf?

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:Is Sendmail still worth it? by Just+Some+Guy · · Score: 2, Insightful
      > For one, sendmail is really not intuitive. If you're given a server you've never seen before and have to alter some fancy configs in it, could you do it faster than if it were say qmail? Maybe if I stare at M4 pinfo I could begin to get it, I gave up early there.

      That's not insightful; that's personal opinion. Sendmail's m4 configuration is pretty logical and editable for me, but I have no idea how to alter a running Qmail setup. Does that make Sendmail better than Qmail? No. It makes me better at running Sendmail than Qmail.

      --
      Dewey, what part of this looks like authorities should be involved?
  7. Advisories, more like invitations to exploit by Neophytus · · Score: 3, Informative

    Developers recently have been getting fed up with security "advisories", that include an exploit, being posted on most "security" websites before they have even been notified. Unfortunately this leads to many script kiddies getting their kicks from "owning" a popular site before they have been patched, and probably many of the websites that exist exist purely for this purpose. Sendmail are just the latest people to fall victim to this.

    1. Re:Advisories, more like invitations to exploit by grokBoy · · Score: 3, Interesting

      Well, the Full-Disclosure list that I am involved with was one of the ones that received the premature announcement, but I'm sure you'll agree that even with the follow-up it was far from anything that provided a remote exploit. The tone of the thread seemed to indicate that there was already interest in this 'in the wild' before it was disclosed to the lists in question, in any case. Kudos to the Sendmail team for getting the fix out so promptly.

  8. Sednmail holes are GOOD by Adam9 · · Score: 4, Funny

    See, they give you much needed practice of patching services at a proper pace! Patching it every 2 weeks or so is great practice for every administrator. Every good admin should have at least 1 box with sendmail on it. See, a few years ago I put on qmail. Now my patch skills are severely lacking. When this advisory for sendmail came out today, I said "that's enough, I'm falling behind. I'm going back to sendmail." I think I'll be much more happier now.

  9. Dear IT Workers by I+Am+The+Owl · · Score: 4, Funny
    Please stop using Sendmail. I'm tired of my favorite IRC networks being DDOSed by machines whose administrators were too incompetent to use a real MTA.

    Thank you,
    --The rest of the fucking Internet

    --

    --sdem
  10. Re:Sendmail by khuber · · Score: 2, Insightful
    I don't understand why anyone would run sendmail as their MTA with all the alternatives. It's insecure by design -- it's a monolithic suid root program. It's inefficient and it's difficult to configure.

    Why? For the love of SMTP, why??? j/k

    -Kevin

  11. Qmail and postfix hippies: shut the hell up please by CoolVibe · · Score: 3, Insightful
    First, this is about sendmail, not postfix or qmail. Yes we know your MTA is vastly superior and yes, it does your laundry and even makes coffee.

    But that still doesn't make sendmail bad. Software has bugs. Your precious MTAs have bugs too. As a matter of fact, sendmail works. It has worked for decades. It's still around. And it will stay around for decades more.

    Before y'all jump up and say: "Look! a possibly remote exploit!". Read the advisory. This will be VERY hard to exploit, besides your test lab where you control the address space and eventual host naming that just MIGHT overflow something, and then you need to figure out if it's even possible to do something more fun other than let some sendmail spawned child crash, whoopdeedoo.

    Although it's not impossible to do, I still maintain that admins should patch their systems, but you don't have to rush. I don't see script kiddies exploiting this one in the coming time yet. And besides, my data isn't worth crap either, so I'm hardly a target.

    So qmail and postfix zealots, shut the hell up please. We know. Yes, qmail and postfix are nice, and yes, they have some merits over sendmail and yes, I sometimes choose to prefer them for some jobs, but the inverse is also true. Right tool for the job and all that. Now be happy with your MTA and be done with it. Geez, it's only a mail server.

  12. What's the difference by donscarletti · · Score: 3, Funny
    What's the difference between sendmail and telnet?

    You need a password to get root access through telnet!

    *ducks barrage of rotten fruit*

    But seriously, and without the bad humor, it makes me wonder why everyone always sees X as the bloated, nonsensical, anachronistic piece of junk that is holding LINUX/BSD back. Hell at least I can understand an XF86Conf-4 file (although the old style XF86Conf file is still rather infuriating).

    --
    When Argumentum ad Hominem falls short, try Argumentum ad Matrem
  13. All Linux users should be using postfix by 0x0d0a · · Score: 2, Insightful

    I can't understand why any general-purpose distros still ship sendmail. Qmail is good too, though I prefer postfix.

    Sendmail takes (on my system) a thousand-line config file just to have sane settings for the modern world. It has a horrendous security history.

    Postfix has non-dumb defaults, is quite secure, and I cannot see why anyone wouldn't use it.

  14. Mandatory Postfix ad by Anonymous Coward · · Score: 3, Informative
    Hi!

    Is your sendmail buggy? Would it be time to change to Postfix?

    Only $0,00.

  15. Re:Qmail and postfix hippies: shut the hell up ple by Anonymous Coward · · Score: 2, Interesting

    This one bug doesn't make sendmail bad. The fact that it's had scores of bugs does.

    It's "only" a mail server, but what about a company whose email contains very sensitive information? They may feel safe using, say, smtps and imaps, but if sendmail isn't secure, they're sunk. In addition, getting on a mail server may allow access to a local network filled with insecure windows boxes. Oops.

    You seem to be way too attached to sendmail. There are better alternatives available, so why not use them? I broke off from sendmail years ago, happily.

    You should not create such an attachment to software; I use OpenSSH currently because it's free and works. I won't pretend it's not bug-ridden, though, and if something better comes along, I will switch because I care about security. I don't care if I've been using OpenSSH for years.

  16. I use qmail by spun · · Score: 3, Informative

    After researching sendmail, postfix, and qmail, I settled on qmail for its speed and security. I can't count the number of times I had to upgrade sendmail in the past. I have never heard of a single remote exploit affecting qmail.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  17. Re:Anyone know if . . . by arget · · Score: 2, Informative

    It does not.

    This is new.

  18. sendmail security by Billly+Gates · · Score: 2, Funny

    55 flaws in the code, 55 flaws in the code....

    Take one down debug it around 58 flaws in the code...

  19. Re:Sendmail.... Opps Hit submits too soon by witwerg · · Score: 4, Informative
    Here's the proofread formatted version

    This is just a really quick overview because there are a few things I would have to look up again for postfix, and don't quite have time to write a fully detailed essay (good for postfix 1.11).

    Main Configuration/Documentation

    Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation is the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQs, HOWTOs and mailing lists.

    Tables

    Postfix supports a wide variety of Table types. sendmail uses "hash" I think.. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively. So my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form

    • TYPE:LOCATION

    The Type is the type of table/format being used. The Location is simply one of several things

    1. For simple tables like gdbm or hash, it is the location where the table is on the disk.
    2. For mysql, it's the location of a configuration file for the mysql table (I think).
    3. For ldap, it's the name of the ldaptable, and there are additional configuration variables to set up.

    For backwards compatibility, hash:/etc/alias is normally set up as an alias database.

    Virtual Stuff

    Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.

    • Virtual User -- an address in a fake domain that gets routed to other addresses. These are done by creating virtual tables. The configuration variable virtual_maps is set to a space-delimited list of tables to use as virtual tables. So hash:/etc/.../virtualusers should get the map working (I think). Remember the man pages are very good. See virtual(5) for more.
    • Virtual Mailbox -- a user in a fake domain that gets routed to its own mailbox, but has no associated user account on the machine. This gets more complex, however, as you have to set locations, gids, uids, transport (the method of delivery). See virtual(8).

    Fallback Address or "Catchalls"

    Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.

    Configurable bounce errors

    I'm not sure there is a way to completely customize the return error, but adding an entry domain.com (not @domain.com): the actual data doesn't matter, just the entry is important, so set it to "unknown" for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropriate error. See virtual(5).

    Delivery to a piped process

    Yes you can. You have to edit the /etc/postfix/master.cf in order to set up the service for delivery. Here are some examples:

    cyrus unix - n n - - pipe
      flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
    uucp unix - n n - - pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

    Backup mail spooling

    In postfix there is a transports map that has three fields: domain(key), transport(servic

  20. I still choose Sendmail as my MTA by please+explain · · Score: 5, Insightful

    Sendmail gets a bad name sometimes from folks who gave up on it for various reasons (Too hard?). Sometimes some of these "administrators" can't tell the difference between a Message store and an MTA. /var/mail is not sendmail!

    I personally like the way the sendmail community handles these issues when they arise. 2 reports in a row is a bummer, but the frequency is exaggerated. I respect the fact that there are other open source MTAs and think they can be made to work well too (postfix, qmail, exim, etc...).

    Please keep in mind that this MTA was around when the network was more of a community (not a lot of .com) and having an open relay was normal. Think ARPAnet.

    Sendmail pioneered lots of the AntiSPAM/AntiSPAMMER features that are taken for granted today (advanced relay control, ip to dns a record verify, DNS blacklisting etc...).

    There are reasons why many (think mega sized corporations around the world) use sendmail in front of their message store systems (Exchange, Notes, Cyrus, /var/mail, etc...). Think scale and way beyond systems for only 10s of thousands or less.

    It has/provides:

    The ability to use LDAP information for routing.

    The ability to use LDAP instead of a flat Alias file.

    LDAP intelligence at the port 25 gateway (Think not having unreturnable bounce messages traveling all the way into the network and then getting stuck at your message store). A smart MTA at the gateway will break the connection and not waste time trying to pass the message through.

    Pass based (w/crypt options) SMTP Authentication

    Certificate-based SMTP authentication

    Unlimited relay control options (rule sets and milters)

    Built in SMTP encryption (TLS/SSL) with support for PKI systems

    Multiple queues and deterministic queuing (queue groups)

    Fallback MX (this is huge for failover)

    Mid-protocol conversation filtering (Milter, do all of your attachment stripping and message scanning without adding extra hops).

    Capable of sending email just as fast as any other MTA without violating RFCs (do you really not want to commit your data to stable storage?) and putting your data at risk.

    SMTP pipelining (why open a new connection each time?)

    Active development with developers developing to the RFC/IETF's standards and the needs of today's internet.

    Ability to be configured to avoid port 25 Denial of service attacks that other MTAs are vulnerable to.

    My 2 pennies, just another opinion, now leaving verbose mode...

  21. Why I don't like qmail by mcrbids · · Score: 2, Informative

    1) Qmail doesn't follow convention. Forget inetd, DJB uses his own, goofy "tcpserver". Never mind any other services you have on the machine, and pray to god they don't conflict. You *can* get qmail to work with xinet.d, but good luck getting all the (much needed) features working, since with xinet.d you get an open mail relay by default.

    2) There are like 5 different programs, each with different user accounts (qmaild, qmaill, qmailp, qmailq, qmailr, qmails, vmail, etc) - all running from the same !@#!@ bin directory! Talk about confusing as !@#! hell when you want to audit permissions!

    3) Qmail has a truly hideous license. Yeah, it's "open source", but you can't redistribute changes!!?!

    This means:

    4) If you want something decent (such as LDAP support,antivirus filtering or integration with SpamAssassin, etc.) you have to apply 57 god-knows patches to the "official" qmail source, and in just the right order to get everything working.

    5) The log format is different than sendmail's. While this is understandable, it means that all these neat reporting tools for sendmail can't be used.

    And finally,

    6) Administering Sendmail on RH Linux is a breeze. up2date sendmail; /etc/rc.d/init.d/sendmail restart takes care of most of it.

    -Ben

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  22. Too Cool for Secure Code by bill_mcgonigle · · Score: 2, Interesting

    Interesting how we just had this article the other day.

    I know some places process a lot of mail with sendmail and need all the speed they can get, but the monster sites seem to have gone to qmail anyway. Considering the speed of my computer vs. the speed of my 'net pipe, I don't have much of a load on my mailserver, which leads me to ask:

    Does anybody know of a good mailserver written in a higher-level language?

    This is what, the 82nd remote root-exploit in sendmail due to C coding problems? Let's see something written in Perl or Python or Java, even.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)