On Tue, Feb 01, 2000 at 12:43:59AM +0100, Martin Lesser wrote:
> "Charles Leeds" <[EMAIL PROTECTED]> writes:
> 
> > We were audited and one of the findings was that our qmail server allowed
> > addresses with the pipe symbol in them, which was reported in our audit as a
> > bad practice.
> 
> IIRC this test is sendmail-specific. I.e. Nessus reports problems with
> the pipe symbol addressing (AFAIK was the pipe symbol important for
> mailing with uucp). The test comes out positive if the MTA accepts
> RCPT TO: |[EMAIL PROTECTED]. I don't know whether other auditing
> tools use the same way, but in any case you won't have a problem with
> qmail - it delivers such falsely addressed mails to the postmaster.

The pipe symbol is not UUCP-related. The problem is that sendmail doesn't
(or at least didn't) do enough checks on program delivery, so that every once
in a while a hole is found that allows remote users to do program delivery
as root.

Very old sendmails accept the '|blah@domain' syntax to have stuff executed.

> Perhaps the auditor doesn't know the qmail-features as well?

The actual 'feature' that he's barfing on is qmail not reporting 'User not
found' when somebody mails to a non-existing/invalid address.

Greetz, Peter.
-- 
Peter van Dijk - student/sysadmin/ircoper/madly in love/pretending coder 
|  
| 'C makes it easy to shoot yourself in the foot;
|  C++ makes it harder, but when you do it blows your whole leg off.'
|                             Bjarne Stroustrup, Inventor of C++
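An added example, not part of this thread or of qmail: the audit logic Martin describes is "send RCPT TO: with a pipe in the local part and see whether the MTA answers 250". The check below reproduces that step against any object with smtplib's `mail()`/`rcpt()`/`rset()` interface, so it can be pointed at a real `smtplib.SMTP` connection to your own server or, as here, at a constructed `FakeSMTP` stand-in that imitates the two behaviours discussed (accept-everything-then-bounce, which is what makes qmail look positive, versus rejecting pipe local parts at RCPT time). The helper names, the `example.invalid` addresses and the fake session are assumptions made for the example.

```python
"""Added example (not code from the thread): reproduce the pipe-address
audit check at the SMTP RCPT stage and show which MTA behaviour trips it."""
import smtplib  # only needed when pointing check_pipe_recipient at a live server


def local_part_has_pipe(rcpt_addr: str) -> bool:
    """True if the recipient's local part contains '|' (the old sendmail
    program-delivery syntax, e.g. '|blah@domain'). Angle brackets are stripped;
    a '|' in the domain part alone does not count."""
    addr = rcpt_addr.strip().strip("<>")
    if "@" in addr:
        local = addr.rpartition("@")[0]  # everything before the last '@'
    else:
        local = addr
    return "|" in local


def check_pipe_recipient(session, sender: str,
                         probe: str = "|blah@example.invalid") -> dict:
    """Run the audit step: does the MTA answer 250 to a pipe-addressed RCPT TO?

    `session` is anything with mail()/rcpt()/rset() returning (code, msg),
    e.g. an smtplib.SMTP object after connect()/ehlo(), or FakeSMTP below.
    A 250 here only means the address was accepted for later handling; an
    MTA that accepts all recipients and bounces bad ones to postmaster (the
    qmail behaviour described in the thread) looks identical at this stage.
    """
    code, _ = session.mail(sender)
    if code != 250:
        return {"accepted": None, "note": f"MAIL FROM rejected with {code}"}
    code, msg = session.rcpt(f"<{probe}>")
    session.rset()  # abandon the transaction; nothing is ever sent
    if code == 250:
        return {"accepted": True,
                "note": "pipe recipient accepted at RCPT time (audit tools flag this)"}
    return {"accepted": False,
            "note": f"pipe recipient rejected with {code}: {msg!r}"}


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the check runs offline.

    accept_all=True  : takes any recipient at RCPT time, sorts out bad
                       addresses after acceptance (accept-then-bounce).
    accept_all=False : rejects pipe local parts with a 553 at RCPT time.
    """

    def __init__(self, accept_all: bool):
        self.accept_all = accept_all
        self.log = []  # commands seen, for inspection

    def mail(self, sender, options=()):
        self.log.append(f"MAIL FROM:<{sender}>")
        return 250, b"ok"

    def rcpt(self, recip, options=()):
        self.log.append(f"RCPT TO:{recip}")
        if not self.accept_all and local_part_has_pipe(recip):
            return 553, b"sorry, '|' is not allowed in the local part"
        return 250, b"ok"

    def rset(self):
        self.log.append("RSET")
        return 250, b"ok"


if __name__ == "__main__":
    # Offline demonstration against the two constructed behaviours.
    for label, mta in (("accept-then-bounce", FakeSMTP(accept_all=True)),
                       ("rejects at RCPT", FakeSMTP(accept_all=False))):
        verdict = check_pipe_recipient(mta, "postmaster@example.invalid")
        print(f"{label:20s} -> {verdict['note']}")
    # Against your own server (assumed host name), the same call applies:
    #   with smtplib.SMTP("mail.example.invalid") as s:
    #       s.ehlo()
    #       print(check_pipe_recipient(s, "postmaster@example.invalid"))
```

The point of the two fakes is the one made in the thread: the scanner sees only the RCPT reply, so an MTA that accepts every recipient and disposes of bad ones afterwards gets the same "positive" as one that would actually hand the local part to a shell.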
