On Thu, 2003-02-13 at 17:48, Robert Wideman wrote:
> >> As you see, I am looking for a decent HOWTO for the
> >> Sendmail included with Mandrake 8.2.  If possible,
> >> both a "quick setup" HOWTO and a detailed version
> >> would be greatly appreciated as I'm trying to get this
> >> going ASAP but would like to know more later...
> 
> Mandrake does NOT like sendmail.  There are HOWTO's on mandrake secure on
> HOWTO for QMail.  It is the MOST secure email server out there.  There is
> even a few thousand dollar reward for any hacks on it.
> 
> Rob
> 

Qmail is IMO the best email server out there.  It's a pleasure to use,
and security is never a worry, believe it or not. Dave Sill wrote a good
book on this MTA called "Life With Qmail".  Vincent Danen is the prime
source for qmail rpm's; his site and work have been of incalculable
value to anyone that does Qmail for a living. He's a god.  ;))

Postfix, on the other hand, has been shown to exhibit some security
problems.  The bugtraq archives I have, which date back to Jan 1,
2000, show several security problems that have cropped up, one as close
as Jan 15th of this year.  However that may be, you can't begin to
compare Postfix to Sendmail when you talk about security.  Sendmail is a
WHOLE nother ball game.

Sendmail is probably the WORST possible email server you could
conceivably install.  The problem it has is basically a major design
flaw that has never really been addressed, dating almost from the 1970's
if I remember correctly, which is that it runs its whole sack of
marbles as root.  Although admittedly it's gotten marginally better,
over the years the bugtraq mailing list has benefitted from quite a bit
of sendmail traffic.  It keeps them busy.

Example, Nov 28, 2002:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

                Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           sendmail
Advisory ID:            MDKSA-2002:083
Date:                   November 28th, 2002

Affected versions:      7.2, 8.0, 8.1, 8.2, 9.0
________________________________________________________________________

Problem Description:

 A vulnerability was discovered by zen-parse and Pedram Amini in the
 sendmail MTA.  They found two ways to exploit smrsh, an application
 intended as a replacement for the sh shell for use with sendmail; the
 first by inserting specially formatted commands in the ~/.forward file
 and secondly by calling smrsh directly with special options.  These
 can be exploited to give users with no shell account, or those not
 permitted to execute certain programs or commands, the ability to
 bypass these restrictions.
________________________________________________________________________

References:
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1165
  http://www.sendmail.org/smrsh.adv.txt


Happy sendmailing. :D

LX

