Slashdot Mirror


Security-Fix Sendmail 8.12.9 Released

bahamutirc writes "Yet another security problem was discovered by Michal Zalewski in Sendmail 8.12.8, 'a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable.' Apparently somebody jumped the gun and posted before Sendmail had a chance to notify anyone, so they had to release it today. Go grab your source." Here's the CERT advisory.
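The defect class the summary names, a char-to-int conversion inside an address scanner, as a constructed C illustration added here; it is not Sendmail's code and does not reproduce the 8.12.8 bug, and the NOCHAR sentinel, the sample address and the table size are assumptions made for the demo.

```c
#include <stddef.h>

#define NOCHAR (-1)      /* sentinel meaning "no character pending" (assumed) */
#define TABLE_SIZE 256   /* a per-byte character-class table (assumed) */

/* Unsafe widening: on x86 ABIs plain char is signed, so any byte >= 0x80
 * sign-extends to a negative int and 0xFF becomes -1, the same value as
 * NOCHAR.  signed char is written explicitly so the demo behaves the same
 * on platforms where plain char is unsigned. */
static int widen_signed(const char *p)
{
    return *(const signed char *)p;
}

/* Safe widening: go through unsigned char so every byte maps to 0..255
 * and can never compare equal to the negative sentinel. */
static int widen_unsigned(const char *p)
{
    return (unsigned char)*p;
}

/* Scan an address buffer the way a tokenizer might, treating NOCHAR as
 * "stop".  Returns the number of bytes consumed; anything short of len
 * means a real data byte was mistaken for the sentinel. */
static size_t bytes_consumed(const char *in, size_t len,
                             int (*widen)(const char *))
{
    size_t i;
    for (i = 0; i < len; i++)
        if (widen(in + i) == NOCHAR)
            break;
    return i;
}

/* Lookups of the form table[c] assume 0 <= c < TABLE_SIZE.  A negative
 * (sign-extended) value would index before the start of the table. */
static int index_in_range(int c)
{
    return c >= 0 && c < TABLE_SIZE;
}

/* Constructed sample address with one high-bit byte in the local part;
 * the literal is split so "\xff" does not swallow the following 'e'. */
static const char sample[] = "us\xff" "er@example.test";
static const size_t sample_len = sizeof sample - 1;

/* Wrappers so a caller can compare both behaviours on the same input. */
static size_t consumed_buggy(void)
{
    return bytes_consumed(sample, sample_len, widen_signed);
}

static size_t consumed_fixed(void)
{
    return bytes_consumed(sample, sample_len, widen_unsigned);
}
```

The buggy scanner stops after two bytes because the 0xFF byte is read as NOCHAR; the fixed one consumes the whole address.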

20 of 166 comments

  1. Re:Good. by Anonymous Coward · · Score: 5, Insightful

    I'm glad they kept this SM exploit fairly quiet. You would have thought it would become public and cause lots of mischief, but now that there is a fix, I suspect they will release what the problem was in more detail.

    If this was a Microsoft problem and they kept it quiet you would have been ranting and raving right now, right?

  2. Too late sendmail monkeys! by Dogun · · Score: 5, Funny

    I switched to postfix last time! MWAHAHAHAHA!

  3. Sendmail.... by Chester+K · · Score: 4, Interesting

    Sendmail: The IIS of Open Source.

    This is the straw that breaks the camel's back. I'm changing to another MTA.

    --

    NO CARRIER

    1. Re:Sendmail.... by dissy · · Score: 3, Insightful

      > Qmail [qmail.org] is small, fast, easy and secure.

      Yes, but qmail and postfix don't do nearly as much as sendmail.

      Most of the people using sendmail (myself included) use it because it's the only option for our needs.

      Until qmail and/or postfix reach the feature set of sendmail (or come anywhere near it), they will remain useless to me.

      Thank you for preaching, please drive through.

    2. Re:Sendmail.... by kuroth · · Score: 4, Funny

      > What does [sendmail] do that [qmail] doesn't?

      It gives you something to do on Saturdays. See, the sendmail team knows how tedious it is to do things like spend time with your wife and kids, play fetch with the dog, wax the car, and mow the lawn. Therefore, every two to four weeks, they release a fantastic new remote exploit, so you can spend your Saturday patching stuff or running your package management program of choice.

      This stands in stark contrast to qmail. If you were running qmail, you'd have no choice but to spend all that annoying "quality" time with your friends and family. Secure and reliable? Honestly, I don't know what DJB was thinking.

    3. Re:Sendmail.... by dissy · · Score: 3, Interesting

      Perhaps I just don't know the undocumented tricks of those mail servers.

      If anyone could give me either detailed instructions on how to translate from sendmail to qmail/postfix configs, or a good website that explains this, I would be most grateful.

      Please do keep in mind my only experience with qmail or postfix was reading the documentation to see how hard it would be to convert my sendmail setup, and seeing most of the features I need not being listed, I didn't bother setting them up.
      I am not at all familiar with the config files used by either.

      I am also assuming in this post one IS familiar with sendmail.
      Where I simply say virtusertable, that would of course be /etc/mail/virtusertable.

      I use the short names assuming you know what I mean. In a reply, please use the long form when describing qmail/postfix, as I have no clue what's what :)

      My current setup uses sendmail's virtusertable for all domains I handle.
      There is never an instance where mail sent to user@domain will just deliver to the account user, which is sendmail's default method of delivery.
      Every domain I have in my cw file is in virtusertable.

      That said, the features I need are:

      Fall-through addresses

      In sendmail's virtusertable, if you add @domain.com, then if the email address doesn't match a specific entry in virtusertable for a domain, it will deliver using that rule.

      Configurable bounce errors

      I have some addresses (and some domains' fall-through address) with entries such as:
      @domain.com error:nouser No such user
      which returns the correct error code and the text message above.

      Delivery to a piped process

      In sendmail's aliases file you can add an entry such as
      somealias: "|/path/to/an/app"
      and sendmail will execute that program passing the email to its stdin.

      Backup mail spooling

      Where the server accepts mail for a domain but doesn't attempt to deliver it locally, just forwards it to a mail server with a higher(lower) MX priority.

      Support 'list' forwards

      i.e. staff@domain.com -> account1, account2, outside@emailaddy.com
      Sendmail does this really ghetto by using both virtusertable and aliases, as only aliases can have multiple places of delivery, but virtusertable can send domain mail to an alias easily enough.

      Access controls for relaying

      I use IP addresses to control who can send mail out through the mailserver (only machines in my IP space, as well as a couple of friends' statics, are on the list).
      I would be interested in smtp-auth in the future, but until I finish the server transition I would want the functionality to remain as-is, and inform my users later of new and added features, preferably without having to say older features will no longer work.
      Doing without smtp-auth would also be fine with me.

      Domain mirroring

      In sendmail's virtusertable, if you have say 3 domains that use the same mappings, you can do the following:

      user1@domain.com user1 ...
      user99@domain.com user99
      @domain.com error:nouser No such user

      @domain.NET %1@domain.com
      @domain.ORG %1@domain.com

      Then you only need to manage one list (for com), and if you sent mail to user1@domain.org it would rewrite it as user1@domain.com.

      Also, for local delivery, the mailer would need to work with procmail.
      I'm sure qmail and postfix both do, so that shouldn't be a problem. Just wanted to mention it in case.

      If qmail/postfix really can do everything above, then I stand corrected, but would ask either for a source of good documentation, or just an explanation on each point for how to do it the qmail/postfix way.

      Thanks

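The virtusertable lookup order this post describes (exact user@domain entry first, then the @domain fall-through, error: entries that reject, and %1 rewriting for mirrored domains), as an added C example written for this page rather than sendmail's own code; the table contents are constructed from the post's entries, and the case-insensitive key matching and the 8-hop rewrite bound are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
enum vt_result { VT_NOMATCH, VT_DELIVER, VT_ERROR };
struct vt_entry { const char *key; const char *value; };
/* Constructed table from the post: .com users, error fall-through, .NET/.ORG mirrored via %1. */
static const struct vt_entry vtable[] = {
    { "user1@domain.com",  "user1" },
    { "user99@domain.com", "user99" },
    { "@domain.com",       "error:nouser No such user" },
    { "@domain.NET",       "%1@domain.com" },
    { "@domain.ORG",       "%1@domain.com" },
};
#define VT_LEN (sizeof vtable / sizeof vtable[0])

/* Copy a table value into out, replacing each "%1" with the local part. */
static void expand(const char *value, const char *local, char *out, size_t outsz)
{
    size_t n = 0, l = strlen(local);
    for (; *value != '\0' && n + 1 < outsz; value++) {
        if (value[0] == '%' && value[1] == '1' && n + l + 1 <= outsz) {
            memcpy(out + n, local, l);
            n += l;
            value++;                       /* skip the '1' as well */
        } else
            out[n++] = *value;
    }
    out[n] = '\0';
}

/* One lookup: exact user@domain first, then the @domain fall-through (case-insensitive keys, assumed). */
static enum vt_result vt_lookup(const char *addr, char *out, size_t outsz)
{
    const char *at = strchr(addr, '@'), *hit = NULL;
    char local[128];
    size_t i, l;
    if (at == NULL || (l = (size_t)(at - addr)) >= sizeof local)
        return VT_NOMATCH;             /* bare local name: default delivery */
    memcpy(local, addr, l);
    local[l] = '\0';
    for (i = 0; i < VT_LEN && hit == NULL; i++)
        if (strcasecmp(vtable[i].key, addr) == 0) hit = vtable[i].value;
    for (i = 0; i < VT_LEN && hit == NULL; i++)
        if (vtable[i].key[0] == '@' && strcasecmp(vtable[i].key, at) == 0) hit = vtable[i].value;
    if (hit == NULL) return VT_NOMATCH;
    if (strncmp(hit, "error:", 6) == 0) {
        snprintf(out, outsz, "%s", hit + 6);   /* e.g. "nouser No such user" */
        return VT_ERROR;
    }
    expand(hit, local, out, outsz);
    return VT_DELIVER;
}

/* Follow rewrites (user1@domain.org -> user1@domain.com -> user1), bounded so a
 * self-referencing table cannot loop forever.  out holds the final target. */
static enum vt_result vt_route(const char *addr, char *out, size_t outsz)
{
    enum vt_result r = VT_NOMATCH, step;
    snprintf(out, outsz, "%s", addr);
    for (int hops = 0; hops < 8; hops++) {
        char next[256];
        step = vt_lookup(out, next, sizeof next);
        if (step == VT_NOMATCH) return r;
        snprintf(out, outsz, "%s", next);
        if (step == VT_ERROR) return VT_ERROR;
        r = VT_DELIVER;
    }
    return r;
}
```

Routing user1@domain.org yields the local account user1 after two rewrites, while an unknown user in any of the three domains ends at the error: entry; an address in a domain not in the table is left for default delivery.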
    4. Re:Sendmail.... by ldspartan · · Score: 3, Informative

      Although I am not a qmail expert by any stretch of the imagination, I'm pretty damn sure you can do all of that with qmail combined with vpopmail, a reasonably popular virtual-user package (GPL, of course).

      Fall-through addresses: Done easily in vpopmail.

      Configurable bounce errors: bounce-saying in the .qmail file for that address.

      Delivery to a process: put "|/bin/appname" in your .qmail file.

      Backup mail spooling: Put the domain you want to be a secondary for in /var/qmail/control/rcpthosts, make sure it doesn't appear in locals.

      "list" forwards: Put multiple addresses in your .qmail file, on separate lines.

      Access controls for relaying: Done with ucspi-tcp by setting environment variables based on IP of clients.

      Domain mirroring: one command with vpopmail; 'valias'.

      All of this is well documented in "Life with Qmail," a great reference.

      --
      Phil

    5. Re:Sendmail.... by witwerg · · Score: 3, Informative

      This is just a really quick overview because there are a few things I would have to look up again for postfix, and don't quite have time to write a fully detailed essay (good for postfix 1.11).

      Main Configuration/Documentation

      Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation is the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQs, HOWTOs and mailing lists.

      Tables

      Postfix supports a wide variety of table types. sendmail uses "hash", I think. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively, so my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table, this is done in the form

      • TYPE:LOCATION

      The Type is the type of table/format being used. The Location is simply one of several things:

      1. For simple tables like gdbm or hash it is the location where the table is on the disk,
      2. For mysql it's the location of a configuration file for the mysql table (I think)
      3. For ldap it's the name of the ldap table and there are additional configuration variables to set up.

      For backwards compatibility, hash:/etc/alias is normally set up as an alias database.

      Virtual Stuff

      Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.

      • Virtual User -- an address in a fake domain that gets routed to other addresses; these are done by creating virtual tables. The configuration variable virtual_maps is set to a space-delimited list of tables to use as virtual tables. So hash:/etc/.../virtualusers should get the map working (I think). Remember, the man pages are very good. See virtual(5) for more.
      • Virtual Mailbox -- a user in a fake domain that gets routed to its own mailbox, but has no associated user account on the machine. This gets more complex, however, as you have to set locations, gids, uids, transport (the method of delivery). See virtual(8).

      Fallback Address or "Catchalls"

      Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.

      Configurable bounce errors

      I'm not sure there is a way to completely customize the return error, but add an entry domain.com (not @domain.com); the actual data doesn't matter, just the entry, so set it to unknown for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropriate error. See virtual(5).

      Delivery to a piped process

      Yes, you can. You have to edit /etc/postfix/master.cf in order to set up the service for delivery. Here are some examples:

      cyrus unix - n n - - pipe
      flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
      uucp unix - n n - - pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

      Backup mail spooling

      In postfix there is a transports map that has three fields: domain(key), transport(service to deliver), nexthop(next machine in chain). An entry has a form the actual data for the entry is in the form tra

  4. Sendmail advertisement by statusbar · · Score: 4, Funny

    "Providing hackers with security holes for DECADES" --jeff++

    --
    ipv6 is my vpn

  5. Is Sendmail still worth it? by mnmn · · Score: 5, Interesting

    I fought with the M4 format of sendmail.cfg for a while in setting up a complex system before switching to qmail. I've tried postfix too, but I still see diehard sendmailers around.

    For one, sendmail is really not intuitive. If you're given a server you've never seen before and have to alter some fancy configs in it, could you do it faster than if it were, say, qmail? Maybe if I stared at M4 pinfo I could begin to get it; I gave up early there.

    Secondly these security problems.

    So beside the fact that sendmail is the standard, quite mature and very flexible if you know how to config it, does it have any big edge over postfix or qmail that everyone should know about?

    And can the sendmail developers be brave trailblazers and finally change the config file syntax to just text words like httpd.conf?

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky

  6. Advisories, more like invitations to exploit by Neophytus · · Score: 3, Informative

    Developers recently have been getting fed up with security "advisories", that include an exploit, being posted on most "security" websites before they have even been notified. Unfortunately this leads to many script kiddies getting their kicks from "owning" a popular site before it has been patched, and probably many of the websites that exist exist purely for this purpose. Sendmail are just the latest people to fall victim to this.

    1. Re:Advisories, more like invitations to exploit by grokBoy · · Score: 3, Interesting

      Well, the Full-Disclosure list that I am involved with was one of the ones that received the premature announcement, but I'm sure you'll agree that even with the follow-up it was far from anything that provided a remote exploit. The tone of the thread seemed to indicate that there was already interest in this 'in the wild' before it was disclosed to the lists in question, in any case. Kudos to the Sendmail team for getting the fix out so promptly.

  7. Sendmail holes are GOOD by Adam9 · · Score: 4, Funny

    See, they give you much needed practice at patching services at a proper pace! Patching it every 2 weeks or so is great practice for every administrator. Every good admin should have at least 1 box with sendmail on it. See, a few years ago I put on qmail. Now my patch skills are severely lacking. When this advisory for sendmail came out today, I said "that's enough, I'm falling behind. I'm going back to sendmail." I think I'll be much happier now.

  8. Dear IT Workers by I+Am+The+Owl · · Score: 4, Funny

    Please stop using Sendmail. I'm tired of my favorite IRC networks being DDOSed by machines whose administrators were too incompetent to use a real MTA.

    Thank you,
    --The rest of the fucking Internet

    --

    --sdem

  9. Qmail and postfix hippies: shut the hell up please by CoolVibe · · Score: 3, Insightful

    First, this is about sendmail, not postfix or qmail. Yes we know your MTA is vastly superior and yes, it does your laundry and even makes coffee.

    But that still doesn't make sendmail bad. Software has bugs. Your precious MTAs have bugs too. As a matter of fact, sendmail works. It has worked for decades. It's still around. And it will stay around for decades more.

    Before y'all jump up and say: "Look! a possibly remote exploit!". Read the advisory. This will be VERY hard to exploit, besides your test lab where you control the address space and eventual host naming that just MIGHT overflow something, and then you need to figure out if it's even possible to do something more fun other than let some sendmail spawned child crash, whoopdeedoo.

    Although it's not impossible to do, I still maintain that admins should patch their systems, but you don't have to rush. I don't see script kiddies exploiting this one in the coming time yet. And besides, my data isn't worth crap either, so I'm hardly a target.

    So qmail and postfix zealots, shut the hell up please. We know. Yes, qmail and postfix are nice, and yes, they have some merits over sendmail and yes, I sometimes choose to prefer them for some jobs, but the inverse is also true. Right tool for the job and all that. Now be happy with your MTA and be done with it. Geez, it's only a mail server.

  10. What's the difference by donscarletti · · Score: 3, Funny

    What's the difference between sendmail and telnet?

    You need a password to get root access through telnet!

    *ducks barrage of rotten fruit*

    But seriously, and without the bad humor, it makes me wonder why everyone always sees X as the bloated, nonsensical, anachronistic piece of junk that is holding LINUX/BSD back. Hell, at least I can understand an XF86Conf-4 file (although the old style XF86Conf file is still rather infuriating).

    --
    When Argumentum ad Hominem falls short, try Argumentum ad Matrem

  11. Mandatory Postfix ad by Anonymous Coward · · Score: 3, Informative

    Hi!

    Is your sendmail buggy? Would it be time to change to Postfix?

    Only $0,00.

  12. I use qmail by spun · · Score: 3, Informative

    After researching sendmail, postfix, and qmail, I settled on qmail for its speed and security. I can't count the number of times I had to upgrade sendmail in the past. I have never heard of a single remote exploit affecting qmail.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton

  13. Re:Sendmail.... Oops, hit submit too soon by witwerg · · Score: 4, Informative

    Here's the proofread, formatted version.

    This is just a really quick overview because there are a few things I would have to look up again for postfix, and don't quite have time to write a fully detailed essay (good for postfix 1.11).

    Main Configuration/Documentation

    Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation is the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQs, HOWTOs and mailing lists.

    Tables

    Postfix supports a wide variety of table types. sendmail uses "hash", I think. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively, so my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table, this is done in the form

    • TYPE:LOCATION

    The Type is the type of table/format being used. The Location is simply one of several things:

    1. For simple tables like gdbm or hash it is the location where the table is on the disk,
    2. For mysql it's the location of a configuration file for the mysql table (I think)
    3. For ldap it's the name of the ldap table and there are additional configuration variables to set up.

    For backwards compatibility, hash:/etc/alias is normally set up as an alias database.

    Virtual Stuff

    Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.

    • Virtual User -- an address in a fake domain that gets routed to other addresses; these are done by creating virtual tables. The configuration variable virtual_maps is set to a space-delimited list of tables to use as virtual tables. So hash:/etc/.../virtualusers should get the map working (I think). Remember, the man pages are very good. See virtual(5) for more.
    • Virtual Mailbox -- a user in a fake domain that gets routed to its own mailbox, but has no associated user account on the machine. This gets more complex, however, as you have to set locations, gids, uids, transport (the method of delivery). See virtual(8).

    Fallback Address or "Catchalls"

    Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.

    Configurable bounce errors

    I'm not sure there is a way to completely customize the return error, but add an entry domain.com (not @domain.com); the actual data doesn't matter, just the entry is important, so set it to "unknown" for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropriate error. See virtual(5).

    Delivery to a piped process

    Yes, you can. You have to edit /etc/postfix/master.cf in order to set up the service for delivery. Here are some examples:

    cyrus unix - n n - - pipe
    flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
    uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

    Backup mail spooling

    In postfix there is a transports map that has three fields: domain(key), transport(servic

  14. I still choose Sendmail as my MTA by please+explain · · Score: 5, Insightful

    Sendmail gets a bad name sometimes from folks who gave up on it for various reasons (Too hard?). Sometimes some of these "administrators" can't tell the difference between a Message store and an MTA. /var/mail is not sendmail!

    I personally like the way the sendmail community handles these issues when they arise. 2 reports in a row is a bummer, but the frequency is exaggerated. I respect the fact that there are other open source MTAs and think they can be made to work well too (postfix, qmail, exim, etc...).

    Please keep in mind that this MTA was around when the network was more of a community (not a lot of .com) and having an open relay was normal. Think ARPAnet.

    Sendmail pioneered lots of the AntiSPAM/AntiSPAMMER features that are taken for granted today (advanced relay control, ip to dns a record verify, DNS blacklisting etc...).

    There are reasons why many (think mega sized corporations around the world) use sendmail in front of their message store systems (Exchange, Notes, Cyrus, /var/mail, etc...). Think scale and way beyond systems for only 10s of thousands or less.

    It has/provides:

    The ability to use LDAP information for routing.

    The ability to use LDAP instead of a flat Alias file.

    LDAP intelligence at the port 25 gateway (Think not have unreturnable bounce messages traveling all the way into the network and then getting stuck at your message store) A smart MTA at the gateway will break the connection and not waste time trying to pass the message through.

    Pass based (w/crypt options) SMTP Authentication

    Certificate-based SMTP authentication

    Unlimited relay control options (rule sets and milters)

    Built in SMTP encryption (TLS/SSL) with support for PKI systems

    Multiple queues and deterministic queuing (queue groups)

    Fallback MX (this is huge for failover)

    Mid-protocol conversation filtering (Milter, do all of your attachment stripping and message scanning without adding extra hops).

    Capable of sending email just as fast as any other MTA without violating RFCs (do you really not want to commit your data to stable storage?) and putting your data at risk.

    SMTP pipelining (why open a new connection each time?)

    Active development with developers developing to the RFC/IETF's standards and the needs of today's internet.

    Ability to be configured to avoid port 25 Denial of service attacks that other MTAs are vulnerable to.

    My 2 pennies, just another opinion, now leaving verbose mode...