Jing Luo wrote:
> Bob, while you are at it, I think you might also want to check if sendmail
> on vcs systemd & frontend is vulnerable to this (below). sendmail (actually
> apt-listchanges??) sent an email to tell me that sendmail got a security
> update (which I think is ironic).

None of the Savannah systems are vulnerable to the SMTP smuggling by
virtue that none of them are accessible to receive SMTP connections.
All incoming email routes through eggs.gnu.org first.

    $ host -t mx gnu.org
    gnu.org mail is handled by 10 eggs.gnu.org.

Thanks for thinking about these things though!

> Btw, I got a "permission denied" trying to login as svadm from mgt1 to vcs2.
> Got distracted and did not try other hosts.

That's something I can fix.  Fixed now.  Try it again.

> sendmail (8.18.1-3) unstable; urgency=medium
>
>   Sendmail was affected by SMTP smuggling (CVE-2023-51765).

That's actually the "sendmail" package and though I do actually have
friends who are running Sendmail its use has declined over the many
years.  We aren't running Sendmail on any of the servers.  I mean it
is a huge monolithic program with an obscure and arcane configuration
syntax and it runs as root.  What could go wrong?  :-)

But Sendmail is not Postfix which is not Exim.  Those are the three
main free software Mail Transfer Agents mostly seen in the wild.
Additionally there are various lightweight "leaf node" agents that
are not full MTAs but are lightweight proxies to get mail to a
full-featured MTA on another system such as nullmailer or dma.

Just by generality the FSF admins like the Exim program and always
install and use Exim.  I like the Postfix program and always install
and use Postfix.  The two are both best in class mail transport agents
and so in the end it does not matter.  All of the Savannah systems are
running Postfix.  The rest of the systems are running Exim.

The difference is that Postfix uses a simple table-based configuration
scheme.  It's simple and very powerful.  I can't really describe the
Exim configuration scheme because I have never been able to understand
it.  But it's quite different.  In the end whichever one you learn is
the one you want to use since that's the one you can operate.

Bob

