Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security-Fix Sendmail 8.12.9 Released

Posted by timothy on from the preemptive dept.

bahamutirc writes "Yet another security problem was discovered by Michal Zalewski in Sendmail 8.12.8, 'a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable.' Apparently somebody jumped the gun and posted before Sendmail had a chance to notify anyone, so they had to release it today. Go grab your source." Here's the CERT advisory.

10 of 166 comments (clear)

  1. Re:Good. by Anonymous Coward · · Score: 5, Insightful

    I'm glad they kept this SM exploit fairly quiet. You would have thought it would become public and cause lots of mischief, but now that there is a fix, I suspect they will release what the problem was in more detail.

    If this was a Microsoft problem and they kept it quiet you would have been ranting and raving right now, right?

  2. Too late sendmail monkeys! by Dogun · · Score: 5, Funny

    I switched to postfix last time! MWAHAHAHAHA!

  3. Sendmail.... by Chester+K · · Score: 4, Interesting

    Sendmail: The IIS of Open Source.

    This is the straw that breaks the camel's back. I'm changing to another MTA.

    --

    NO CARRIER
    1. Re:Sendmail.... by kuroth · · Score: 4, Funny

      > What does [sendmail] do that [qmail] doesn't?

      It gives you something to do on Saturdays. See, the sendmail team knows how tedious it is to do things like spend time with your wife and kids, play fetch with the dog, wax the car, and mow the lawn. Therefore, every two to four weeks, they release a fantastic new remote exploit, so you can spend your Saturday patching stuff or running your package management program of choice.

      This stands in start constrast to qmail. If you were running qmail, you'd have no choice but to spend all that annoying "quality" time with your friends and family. Secure and reliable? Honestly, I don't know what DJB was thinking.

  4. Sendmail advertisement by statusbar · · Score: 4, Funny

    "Providing hackers with security holes for DECADES" --jeff++

    --
    ipv6 is my vpn
  5. Is Sendmail still worth it? by mnmn · · Score: 5, Interesting


    I fought with the M4 format of sendmail.cfg for a while in setting up a complex system before switching to qmail. Ive tried postfix too, but I still see diehard sendmailers around.

    For one, sendmail is really not intuitive. If youre given a server youve never seen before and have to alter some fancy configs in it, could you do it faster than if it were say qmail? Maybe if I stare at M4 pinfo I could begin to get it, I gave up early there.

    Secondly these security problems.

    So beside the fact that sendmail is the standard, quite mature and very flexible if you know how to config it, does it have any big edge over postfix or qmail that everyone should know about?

    And can the sendmail developers be brave trailblazers and finally change the config file syntax to just text words like httpd.conf?

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
  6. Sednmail holes are GOOD by Adam9 · · Score: 4, Funny

    See, they give you much needed practice of patching services at a proper pace! Patching it every 2 weeks or so is great practice for every administrator. Every good admin should have at least 1 box with sendmail on it. See, a few years ago I put on qmail. Now my patch skills are severely lacking. When this advisory for sendmail came out today, I said "that's enough, I'm falling behind. I'm going back to sendmail." I think I'll be much more happier now.

  7. Dear IT Workers by I+Am+The+Owl · · Score: 4, Funny
    Please stop using Sendmail. I'm tired of my favorite IRC networks being DDOSed by machines whose administrators were too incompetent to use a real MTA.

    Thank you,
    --The rest of the fucking Internet

    --

    --sdem
  8. Re:Sendmail.... Opps Hit submits too soon by witwerg · · Score: 4, Informative
    Here's the proofread formated version

    This is just a really quick overview because there are a few things I would have to lookup again for postfix, and don't quite have time to write a fully detailed essay(good for postfix 1.11).

    Main Configuration/Documenation

    Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation are the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQ's, HOWTO's and mailing lists.

    Tables

    Postfix supports a wide variety of Table types. sendmail uses "hash" I think.. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively. So my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form

    • TYPE:LOCATION

    The Type is the type of table/format being used. The Location is simply one of several things

    1. For simple tables like gdbm or has it is the location where the table is on the disk,
    2. For mysql it's the location of a configuraiton file for the mysql table(i think)
    3. For ldap it's the name of the ldaptable and there are additional configuration variable to setup.

    For backwards compatibility, hash:/etc/alias is normally setup as an alias database.

    Virtual Stuff

    Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.

    • Virtual User -- an address in a fake domain that gets routed to other addresses these are done by creating virtual tables. The configuration variable virtual_maps is set to set space-delimited list of tables to use as virtual tables. So hash:/etc/.../virtualusers should get the map working(I think). Remeber the man pages are very good. See virtual(5) for more.
    • Virtual Mailbox -- a user in a fake domain that gets routed to it's own mailbox, but has no associated user account on the machine. This gets more complex, however, as you have to set locations, gids, uids, transport(the method of delivery). See virtual(8)

    Fallback Address or "Catchalls"

    Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.

    Configurable bounce errors

    I'm not sure this there is a way to completely customize the return error, but adding an entry domain.com (not @domain.com) the actual data doesn't matter, just the entry is importent,so set it to "unknown" for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropiate error. see virtual(5).

    Delivery to a piped process

    Yes you can. You have to edit the /etc/postfix/master.cf in order to setup the service for delivery. Here are some examples:

    cyrus unix - n n - - pipe
    flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
    uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

    Backup mail spooling

    In postfix there is a transports map that has three fields: domain(key), transport(servic

  9. I still choose Sendmail as my MTA by please+explain · · Score: 5, Insightful

    Sendmail gets a bad name sometimes from folks who gave up on it for various reasons (Too hard?). Sometimes some of these "administrators" can't tell the difference between a Message store and an MTA. /var/mail is not sendmail!

    I personally like the way the sendmail community handles these issues when they arise. 2 reports in a row is a bummer, but the frequency is exaggerated. I respect the fact that there are other open source MTAs and think they can be made to work well too (postfix, qmail, exim, etc...).

    Please keep in mind that this MTA was around when the network was more of a community (not a lot of .com) and having an open relay was normal. Think ARPAnet.

    Sendmail pioneered lots of the AntiSPAM/AntiSPAMMER features that are taken for granted today (advanced relay control, ip to dns a record verify, DNS blacklisting etc...).

    There are reasons why many (think mega sized corporations around the world) use sendmail in front of their message store systems (Exchange, Notes, Cyrus, /var/mail, etc...). Think scale and way beyond systems for only 10s of thousands or less.

    It has/provides:

    The ability to use LDAP information for routing.

    The ability to use LDAP instead of a flat Alias file.

    LDAP intelligence at the port 25 gateway (Think not have unreturnable bounce messages traveling all the way into the network and then getting stuck at your message store) A smart MTA at the gateway will break the connection and not waste time trying to pass the message through.

    Pass based (w/crypt options) SMTP Authentication

    Certificate base SMTP authentication

    Unlimited relay control options (rule sets and milters)

    Built in SMTP encryption (TLS/SSL) with support for PKI systems

    Multiple queues and deterministic queuing (queue groups)

    Fallback MX (this is huge for failover)

    Mid-protocol conversation filtering (Milter, do all of your attachment stripping and message scanning without adding extra hops).

    Capable of sending email just as fast as any other MTA without violating RFCs (do you really not want to commit your data to stable storage?) and putting your data at risk.

    SMTP pipelining (why open a new connection each time?)

    Active development with developers developing to the RFC/IETF's standards and the needs of today's internet.

    Ability to be configured to avoid port 25 Denial of service attacks that other MTAs are vulnerable to.

    My 2 pennies, just another opinion, now leaving verbose mode...