Re: sendmail & localhost rDNS

2009-08-12 Thread Will Aoki
On Tue, Aug 11, 2009 at 10:56:57AM +0200, Joerg Morbitzer wrote:
> I just did a fresh sendmail installation on Debian Etch getting this
> auto-generated new /etc/mail/access file:
> 
> titan:~# grep "^Connect:.*RELAY" /etc/mail/access
> Connect:localhost   RELAY
> Connect:127 RELAY
> Connect:[IPv6:::1]  RELAY
> titan:~#

Although it only binds to 127.0.0.1 and ::1 by default, Debian Lenny has
the same default /etc/mail/access, which turns the whole "Doctor, it
hurts when I do this!" discussion into "Doctor, it hurts when you do
this to me!"

On the other hand, I was not able to reproduce the problem on a Lenny
virtual machine in my test environment. After I tampered with rDNS so
that the sending system would resolve to 'localhost', Sendmail did
indeed record the hostname 'localhost' in log messages, but it was
always accompanied by the sending system's IP address and the note 'may
be forged'. 

Even with the ability to control forward resolution of localhost (which
requires commenting out the localhost lines in /etc/hosts or altering
NSS configuration), I was able to get rid of the "may be forged"
warnings but wasn't able to relay.

I don't have any suitable Etch images prepared (and didn't want to sit
through an installation), so I didn't run a test from a clean install,
but in limited testing on an existing Etch system with the default
"Connect:localhost RELAY" line in /etc/mail/access, I could not get the
system to relay mail that it shouldn't have.



Notes on test procedure:

The Lenny Sendmail installation was entirely default, except that
sendmail.mc was edited to allow Sendmail to bind all interfaces on the
system. BIND was installed on the same system and provided with a
suitably altered version of my number-to-name zone. The /etc/resolv.conf
file was altered to point only at this new nameserver.

To test ability to control forward resolution of 'localhost', I
commented out all 'localhost' lines in /etc/mail/access and added a new
line which matched the information my test DNS server was delivering.

I did not perform tests on the Etch system that required altering
/etc/hosts.

On the Etch 

Here is a session transcript from a conversation with the Lenny system
(with hostnames and IP addresses altered).  Note that the same results
happened regardless of whether I HELO'd with 'localhost', the target
system's hostname, or some other name.

| 220 vmtest1.a.test ESMTP Sendmail 8.14.3/8.14.3/Debian-5; Wed, 12 Aug 2009 16:43:04 -0600; (No UCE/UBE) logging access from: [x.x.x.5](FORGED)-localhost [x.x.x.5] (may be forged)
| helo myhostname
| 250 vmtest1.a.test Hello localhost [x.x.x.5] (may be forged), pleased to meet you
| mail from: us...@a.test
| 250 2.1.0 us...@a.test... Sender ok
| rcpt to: us...@a.test
| 550 5.7.1 us...@a.test... Relaying denied. IP name possibly forged [x.x.x.5]
| quit
| 221 2.0.0 vmtest1.a.test closing connection

Here is a (hand-retyped) section of the mail log for the above session:

| Aug 12 16:43:15 vmtest1 sm-mta[4761]: n7CMh4Q5004761: ruleset=check_rcpt, arg1=us...@a.test, relay=localhost [x.x.x.5] (may be forged), reject=550 5.7.1 us...@a.test... Relaying denied. IP name possibly forged [x.x.x.5]
| Aug 12 16:43:16 vmtest1 sm-mta[4761]: n7CMh4Q5004761: from=us...@a.test, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=localhost [x.x.x.5] (may be forged)

-- 
William Aoki  KD7YAF  wa...@umnh.utah.edu  5-1924


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
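
A log audit for the condition tested in the message above, as an added example that is not part of the original thread: it scans sendmail log lines for `relay=localhost [IP]` where the IP is not a loopback address and reports whether the transaction was rejected or accepted. The sample log lines are constructed in the format of the excerpt above, with documentation-range addresses standing in for the redacted ones.

```python
import ipaddress
import re

# relay=<name> [<ip>], optionally followed by sendmail's "(may be forged)" note
RELAY_RE = re.compile(
    r"relay=(?P<name>[^\s\[,]+)?\s*\[(?P<ip>[^\]]+)\]"
    r"(?P<forged>\s*\(may be forged\))?"
)
QUEUE_ID_RE = re.compile(r"\]: (?P<qid>\w+): ")
NRCPTS_RE = re.compile(r"nrcpts=(\d+)")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample input (not taken from a real system).
SAMPLE_LOG = [
    "Aug 12 16:43:15 vmtest1 sm-mta[4761]: n7CMh4Q5004761: ruleset=check_rcpt, "
    "arg1=<user@a.test>, relay=localhost [192.0.2.5] (may be forged), "
    "reject=550 5.7.1 <user@a.test>... Relaying denied. "
    "IP name possibly forged [192.0.2.5]",
    "Aug 12 16:43:16 vmtest1 sm-mta[4761]: n7CMh4Q5004761: from=<user@a.test>, "
    "size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, "
    "relay=localhost [192.0.2.5] (may be forged)",
    "Aug 12 16:50:02 vmtest1 sm-mta[4790]: n7CMo2aa004790: from=<root@a.test>, "
    "size=333, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, "
    "relay=localhost [127.0.0.1]",
    "Aug 12 17:01:40 vmtest1 sm-mta[4802]: n7CN1ebb004802: from=<user@b.test>, "
    "size=1204, class=0, nrcpts=1, proto=SMTP, daemon=MTA, "
    "relay=localhost [198.51.100.23]",
    "Aug 12 17:01:41 vmtest1 sm-mta[4804]: n7CN1ebb004802: to=<x@c.test>, "
    "mailer=esmtp, relay=mx.c.test. [203.0.113.9], dsn=2.0.0, stat=Sent",
]


def parse_relay(line):
    """Return (name, ip, marked_forged) from a relay= field, or None."""
    m = RELAY_RE.search(line)
    if not m:
        return None
    raw_ip = m.group("ip")
    if raw_ip.lower().startswith("ipv6:"):  # sendmail writes [IPv6:::1]
        raw_ip = raw_ip[5:]
    try:
        ip = ipaddress.ip_address(raw_ip)
    except ValueError:  # redacted or malformed address
        return None
    name = (m.group("name") or "").lower().rstrip(".")
    return name, ip, bool(m.group("forged"))


def outcome(line):
    """Classify what the log line says happened to the transaction."""
    if "reject=" in line:
        return "rejected"
    m = NRCPTS_RE.search(line)
    if m:
        return "accepted" if int(m.group(1)) > 0 else "no-recipients"
    return "unknown"


def audit(lines):
    """List log entries where a non-loopback client was logged as localhost."""
    findings = []
    for line in lines:
        parsed = parse_relay(line)
        if parsed is None:
            continue
        name, ip, marked_forged = parsed
        if name in LOCAL_NAMES and not ip.is_loopback:
            qid = QUEUE_ID_RE.search(line)
            findings.append({
                "queue_id": qid.group("qid") if qid else None,
                "ip": str(ip),
                "marked_forged": marked_forged,
                "outcome": outcome(line),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

An "accepted" finding without the "may be forged" note is the case worth investigating first, since it means the server took recipients from a remote client it had named localhost.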



Re: sendmail & localhost rDNS

2009-08-11 Thread Michiel Klaver
If sendmail would do a double lookup verify on the reverse DNS records,
there would be no problem at all.

When some obscure IP address has reverse DNS pointer record "localhost"
and sendmail would do another lookup to see what IP address belongs to
"localhost", then it would not match (obscure IP != 127.0.0.1) and the
access DB rule should not be valid for this connection.

Could someone from the Debian security team do some test and check if
sendmail does the double lookup verify? If not, a DSA would be
appropriate and it should be patched.


With kind regards,

Michiel Klaver
IT professional


At 11-8-2009 10:45, Lupe Christoph wrote:
> OK, I give up. And shut up.
> 
> Please file a bug against the sendmail package, with the information
> that sendmail allows you to enter "Connect:localhost RELAY" in
> /etc/mail/access.
> 
> And another one that "Connect:127.0.0.1 RELAY" opens up the same hole as
> "Connect:localhost RELAY".
> 
> Since I have no sendmail installation to use for testing, I can't
> reproduce the second problem. The sendmail package maintainer will
> probably require the submitter to provide details which I can't.
> 
> Thank you,
> Lupe Christoph





Re: sendmail & localhost rDNS

2009-08-11 Thread Bernhard R. Link
* Lupe Christoph  [090811 10:56]:
> > So it is in my eyes no criteria at all that the user has to change some
> > configuration. The question is whether this change is supposed to cause
> > the effects it does and if a user can be expected to understand the
> > effects.
>
> Please go ahead and file security-related bugs against all packages that
> allow the user to open security holes by changing the default
> configuration.
>
> I suppose we should agree to disagree and terminate this thread here. Of
> course I will not restrict your freedom to answer to this mail, but I
> will leave your reply unanswered because I believe we won't ever
> agree.

Thanks for "not restricting" my "freedom" to reply to a mail that ridicules
what I say by drawing absurd conclusions out of it.

I never said that being able to change a configuration to open holes is
in itself and always a security problem. What I am saying is that
needing user action or having to change a configuration file is no
reason at all to claim that something is not a security problem.

Annoyed,
Bernhard R. Link

> That is a bug because sshd does not what is documented. Suppose
> sshd_config had an option "PermitRootLogin always", meaning that no
> password or key is required to log in as root. Would it be a bug of sshd
> to include this option or a misfeature?

Of course not. And being able to add an option to sendmail to allow
everyone to relay would of course also definitely be no problem if it was
documented to do so and has a sensible name. And no one in this thread
claimed it would be.





Re: sendmail & localhost rDNS

2009-08-11 Thread Joerg Morbitzer
Lupe Christoph wrote:
> OK, I give up. And shut up.
> 
> Please file a bug against the sendmail package, with the information
> that sendmail allows you to enter "Connect:localhost RELAY" in
> /etc/mail/access.
> 
> And another one that "Connect:127.0.0.1 RELAY" opens up the same hole as
> "Connect:localhost RELAY".
> 
> Since I have no sendmail installation to use for testing, I can't
> reproduce the second problem. The sendmail package maintainer will
> probably require the submitter to provide details which I can't.
> 
> Thank you,
> Lupe Christoph


I just did a fresh sendmail installation on Debian Etch getting this
auto-generated new /etc/mail/access file:

titan:~# grep "^Connect:.*RELAY" /etc/mail/access
Connect:localhost   RELAY
Connect:127 RELAY
Connect:[IPv6:::1]  RELAY
titan:~#


Regards, Joerg.





Re: sendmail & localhost rDNS

2009-08-11 Thread Lupe Christoph
On Tuesday, 2009-08-11 at 10:32:04 +0200, Bernhard R. Link wrote:
> * Lupe Christoph  [090810 21:13]:
> > > Almost all security holes need the user to do something. (If only to
> > > power up the machine, to install some packages, to connect to the
> > > internet, to give accounts to users). The question cannot be that
> > > something has to be done to make people vulnerable, but whether properly
> > > sane and educated people can guess that something opens a security
> > > problem.

> > I interpret this to mean that there should be DSAs for all problems *made
> > possible* by Debian packages, rather than those *caused* by the package.

> What I try to tell you is that I do not share your interpretation of
> "caused".

> If bash had a bug to always include . in PATH, would that cause
> a problem or make a problem possible? (After all, no one forces you to
> switch to other people's directories before doing ls).

That would be a defect in the package that requires no user
configuration. The equivalent of "Connect:localhost RELAY" would be this
in .bashrc: PATH=.:$PATH .

> If a webbrowser has a problem executing arbitrary stuff told by the
> website visited, is that a security problem "caused" or made possible by
> the webbrowser. (After all, if you do not visit untrusted sites, there
> is no problem).

That is a defect in the webbrowser. It requires no user configuration.

> If sshd had a bug so that "PermitRootLogin without-password" (which is not
> the default) allowed people to login without any identification as root
> instead of what it is supposed to be, would that be bug caused by ssh
> or a bug made possible by ssh?

That is a bug because sshd does not do what is documented. Suppose
sshd_config had an option "PermitRootLogin always", meaning that no
password or key is required to log in as root. Would it be a bug of sshd
to include this option or a misfeature?

> So it is in my eyes no criteria at all that the user has to change some
> configuration. The question is whether this change is supposed to cause
> the effects it does and if a user can be expected to understand the
> effects.

Please go ahead and file security-related bugs against all packages that
allow the user to open security holes by changing the default
configuration.

I suppose we should agree to disagree and terminate this thread here. Of
course I will not restrict your freedom to answer to this mail, but I
will leave your reply unanswered because I believe we won't ever
agree.

Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |





Re: sendmail & localhost rDNS

2009-08-11 Thread Lupe Christoph
OK, I give up. And shut up.

Please file a bug against the sendmail package, with the information
that sendmail allows you to enter "Connect:localhost RELAY" in
/etc/mail/access.

And another one that "Connect:127.0.0.1 RELAY" opens up the same hole as
"Connect:localhost RELAY".

Since I have no sendmail installation to use for testing, I can't
reproduce the second problem. The sendmail package maintainer will
probably require the submitter to provide details which I can't.

Thank you,
Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |





Re: sendmail & localhost rDNS

2009-08-11 Thread Thomas Liske

Re,

Lupe Christoph wrote:
> On Monday, 2009-08-10 at 14:35:06 +0200, Bernhard R. Link wrote:
>> * Lupe Christoph  [090810 13:53]:
>>> On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:
>>>> last week, there was an article on heise security about MTAs[1] which
>>>> relay mails for hosts having a reverse resolution of 'localhost'. Doing
>>>> a small test shows that sendmail on etch seems to be vulnerable, too. I
>>>> need to have a localhost RELAY line in my access file (which is not
>>>> default AFAIK).
>>>>
>>>> Will there be a DSA on this issue, since it seems to turn Sendmail
>>>> installations with allowed localhost RELAYing into Open Relays?
>>>
>>> Are you saying you want a DSA for a package that does not have that
>>> particular vulnerability, but allows a user to create it?
>>>
>>> "Doctor, it hurts when I do this!" "Don't do it, then."
>>
>> "Help, help my computer does funny things!" "Don't power it up, then."
>
> That's not what I meant. Admitted, the quote is more funny than exact
> (and it isn't particularly funny...). What I mean is that a lot of
> software allows the user to shoot himself in various body parts. One
> such example is rm. As in "rm * .o". Oooops.

If 'rm foo' has the same effect like 'rm -rf /', then rm would be
broken. If '127.0.0.1 RELAY' has the same effect like '* RELAY' then
sendmail is broken.

> More related to the OP, sendmail allows you to configure an open relay
> in a number of ways, not all of them as easily identified as the
> "localhost" problem. It has a built-in write-only language...

This has nothing to do with the OP.

> But why would the possibility to configure the package to open a relay
> warrant a DSA? It would IMNSHO only when the package came preconfigured
> to do that.

yep, I think most of the recent DSAs shouldn't be published. The
packages can be exploited if fed with user data - this is a change to
the preconfigured setup !!!

>> Almost all security holes need the user to do something. (If only to
>> power up the machine, to install some packages, to connect to the
>> internet, to give accounts to users). The question cannot be that
>> something has to be done to make people vulnerable, but whether properly
>> sane and educated people can guess that something opens a security
>> problem.
>
> I interpret this to mean that there should be DSAs for all problems *made
> possible* by Debian packages, rather than those *caused* by the package.

It is caused by the package, due to the implementation of the access.db
handling. If netfilter wouldn't drop/reject any packets, you won't issue
a DSA? The preconfiguration doesn't ship any rules, so nobody should
care if netfilter doesn't work in stable...



Regards,
Thomas

PS: The guy who went to the doctor has died by disease last week. If the
doc would have taken a look at the guy, he would still be alive.


--
supp...@ibh.de  Tel. +49 351 477 77 30
www.ibh.de  Fax  +49 351 477 77 39

---
Dipl.-Ing. Thomas Liske
Network and System Design


IBH IT-Service GmbH Amtsgericht Dresden
Gostritzer Str. 61-63   HRB 13626
D-01217 Dresden Managing Director: Prof. Dr. Thomas Horn
Germany VAT DE182302907
---
Your partner for: LAN, WAN IP-Quality, Security, VoIP, SAN, Backup, UPS
---
   professional IT service - competent and reliable
---





Re: sendmail & localhost rDNS

2009-08-11 Thread Bernhard R. Link
* Lupe Christoph  [090810 21:13]:
> > Almost all security holes need the user to do something. (If only to
> > power up the machine, to install some packages, to connect to the
> > internet, to give accounts to users). The question cannot be that
> > something has to be done to make people vulnerable, but whether properly
> > sane and educated people can guess that something opens a security
> > problem.
>
> I interpret this to mean that there should be DSAs for all problems *made
> possible* by Debian packages, rather than those *caused* by the package.

What I try to tell you is that I do not share your interpretation of
"caused".

If bash had a bug to always include . in PATH, would that cause
a problem or make a problem possible? (After all, no one forces you to
switch to other people's directories before doing ls).

If a webbrowser has a problem executing arbitrary stuff told by the
website visited, is that a security problem "caused" or made possible by
the webbrowser? (After all, if you do not visit untrusted sites, there
is no problem).

If sshd had a bug so that "PermitRootLogin without-password" (which is not
the default) allowed people to login without any identification as root
instead of what it is supposed to be, would that be a bug caused by ssh
or a bug made possible by ssh?

So it is in my eyes no criteria at all that the user has to change some
configuration. The question is whether this change is supposed to cause
the effects it does and if a user can be expected to understand the
effects.

Respectfully,
Bernhard R. Link





Re: sendmail & localhost rDNS

2009-08-10 Thread Lupe Christoph
On Monday, 2009-08-10 at 14:35:06 +0200, Bernhard R. Link wrote:
> * Lupe Christoph  [090810 13:53]:
> > On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:

> > > last week, there was an article on heise security about MTAs[1] which  
> > > relay mails for hosts having a reverse resolution of 'localhost'. Doing  
> > > a small test shows that sendmail on etch seems to be vulnerable, too. I  
> > > need to have a localhost RELAY line in my access file (which is not  
> > > default AFAIK).

> > > Will there be a DSA on this issue, since it seems to turn Sendmail  
> > > installations with allowed localhost RELAYing into Open Relays?

> > Are you saying you want a DSA for a package that does not have that
> > particular vulnerability, but allows a user to create it?

> > "Doctor, it hurts when I do this!" "Don't do it, then."

> "Help, help my computer does funny things!" "Don't power it up, then."

That's not what I meant. Admitted, the quote is more funny than exact
(and it isn't particularly funny...). What I mean is that a lot of
software allows the user to shoot himself in various body parts. One
such example is rm. As in "rm * .o". Oooops.

More related to the OP, sendmail allows you to configure an open relay
in a number of ways, not all of them as easily identified as the
"localhost" problem. It has a built-in write-only language...

But why would the possibility to configure the package to open a relay
warrant a DSA? It would IMNSHO only when the package came preconfigured
to do that.

> Almost all security holes need the user to do something. (If only to
> power up the machine, to install some packages, to connect to the
> internet, to give accounts to users). The question cannot be that
> something has to be done to make people vulnerable, but whether properly
> sane and educated people can guess that something opens a security
> problem.

I interpret this to mean that there should be DSAs for all problems *made
possible* by Debian packages, rather than those *caused* by the package.

Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |





Re: sendmail & localhost rDNS

2009-08-10 Thread Bernhard R. Link
* Lupe Christoph  [090810 13:53]:
> On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:
> 
> > last week, there was an article on heise security about MTAs[1] which  
> > relay mails for hosts having a reverse resolution of 'localhost'. Doing  
> > a small test shows that sendmail on etch seems to be vulnerable, too. I  
> > need to have a localhost RELAY line in my access file (which is not  
> > default AFAIK).
> 
> > Will there be a DSA on this issue, since it seems to turn Sendmail  
> > installations with allowed localhost RELAYing into Open Relays?
> 
> Are you saying you want a DSA for a package that does not have that
> particular vulnerability, but allows a user to create it?
> 
> "Doctor, it hurts when I do this!" "Don't do it, then."

"Help, help my computer does funny things!" "Don't power it up, then."

Almost all security holes need the user to do something. (If only to
power up the machine, to install some packages, to connect to the
internet, to give accounts to users). The question cannot be that
something has to be done to make people vulnerable, but whether properly
sane and educated people can guess that something opens a security
problem.

Respectfully,
Bernhard R. Link





Re: sendmail & localhost rDNS

2009-08-10 Thread Bernhard R. Link
* Jan de Groot  [090810 14:22]:
> On Mon, 2009-08-10 at 14:03 +0200, Thomas Liske wrote:
> > if an access line like:
> >
> > Connect:localhost   RELAY
> >
> > turns an MTA into an Open Relay then I would prefer a DSA, since the
> > ACL
> > implementation is broken IMHO.
>
> As long as reverse DNS can be faked, I would never use hostnames in my
> configuration files like that.

How common are programs verifying reverse DNS by doing forward DNS of the
result? At least all programs relying on this information I've yet met
consciously had it.

Respectfully,
Bernhard R. Link





Re: sendmail & localhost rDNS

2009-08-10 Thread Thomas Liske

Re,

Jan de Groot wrote:
> On Mon, 2009-08-10 at 14:03 +0200, Thomas Liske wrote:
>> if an access line like:
>>
>> Connect:localhost   RELAY
>>
>> turns an MTA into an Open Relay then I would prefer a DSA, since the
>> ACL implementation is broken IMHO.
>
> As long as reverse DNS can be faked, I would never use hostnames in my
> configuration files like that. If the debian package doesn't ship with
> this ACL as default, I don't see reason for a DSA.

the problem is even worse. Replacing localhost with 127.0.0.1 as
suggested by Lupe Christoph doesn't change anything. I can still relay
if my reverse DNS resolves to localhost.



Regards,
Thomas





Re: sendmail & localhost rDNS

2009-08-10 Thread Jan de Groot
On Mon, 2009-08-10 at 14:03 +0200, Thomas Liske wrote:
> if an access line like:
> 
> Connect:localhost   RELAY
> 
> turns an MTA into an Open Relay then I would prefer a DSA, since the
> ACL 
> implementation is broken IMHO.

As long as reverse DNS can be faked, I would never use hostnames in my
configuration files like that. If the debian package doesn't ship with
this ACL as default, I don't see reason for a DSA.





Re: sendmail & localhost rDNS

2009-08-10 Thread Lupe Christoph
On Monday, 2009-08-10 at 14:03:44 +0200, Thomas Liske wrote:
> #Lupe Christoph wrote:
>> On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:

>>> last week, there was an article on heise security about MTAs[1] which 
>>>  relay mails for hosts having a reverse resolution of 'localhost'. 
>>> Doing  a small test shows that sendmail on etch seems to be 
>>> vulnerable, too. I  need to have a localhost RELAY line in my access 
>>> file (which is not  default AFAIK).

>>> Will there be a DSA on this issue, since it seems to turn Sendmail   
>>> installations with allowed localhost RELAYing into Open Relays?

>> Are you saying you want a DSA for a package that does not have that
>> particular vulnerability, but allows a user to create it?

> if an access line like:

> Connect:localhost   RELAY

> turns an MTA into an Open Relay then I would prefer a DSA, since the ACL
> implementation is broken IMHO.

Well, a line like this:

Connect:spammer.com   RELAY

does the same, so, as I said, just don't do it. I still don't see why
on one hand you say that you need a localhost line, and then complain
that it hurts you.

Why can't you use 127.0.0.1 or localhost.mydomain?

Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |





Re: sendmail & localhost rDNS

2009-08-10 Thread Thomas Liske

Re,

#Lupe Christoph wrote:
> On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:
>> last week, there was an article on heise security about MTAs[1] which
>> relay mails for hosts having a reverse resolution of 'localhost'. Doing
>> a small test shows that sendmail on etch seems to be vulnerable, too. I
>> need to have a localhost RELAY line in my access file (which is not
>> default AFAIK).
>>
>> Will there be a DSA on this issue, since it seems to turn Sendmail
>> installations with allowed localhost RELAYing into Open Relays?
>
> Are you saying you want a DSA for a package that does not have that
> particular vulnerability, but allows a user to create it?

if an access line like:

Connect:localhost   RELAY

turns an MTA into an Open Relay then I would prefer a DSA, since the ACL
implementation is broken IMHO.



Regards,
Thomas




Re: sendmail & localhost rDNS

2009-08-10 Thread Lupe Christoph
On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:

> last week, there was an article on heise security about MTAs[1] which  
> relay mails for hosts having a reverse resolution of 'localhost'. Doing  
> a small test shows that sendmail on etch seems to be vulnerable, too. I  
> need to have a localhost RELAY line in my access file (which is not  
> default AFAIK).

> Will there be a DSA on this issue, since it seems to turn Sendmail  
> installations with allowed localhost RELAYing into Open Relays?

Are you saying you want a DSA for a package that does not have that
particular vulnerability, but allows a user to create it?

"Doctor, it hurts when I do this!" "Don't do it, then."

Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |





Re: sendmail-bin: uninstallable due to unavailable libsasl2 (>= 2.1.19.dfsg1)

2006-08-24 Thread Bjørn Mork
And if you just install libsasl2 2.1.19.dfsg1 from DSA 1155-2, you end
up with a number of other failing dependencies:

canardo:/tmp# apt-get dist-upgrade
Reading Package Lists... Done
Building Dependency Tree... Done
You might want to run `apt-get -f install' to correct these.
The following packages have unmet dependencies:
  libsasl2-modules: Depends: libsasl2 (= 2.1.19-1.5sarge1) but 2.1.19.dfsg1-0sarge2 is installed
  libsasl2-modules-gssapi-heimdal: Depends: libsasl2 (= 2.1.19-1.5sarge1) but 2.1.19.dfsg1-0sarge2 is installed
  libsasl2-modules-kerberos-heimdal: Depends: libsasl2 (= 2.1.19-1.5sarge1) but 2.1.19.dfsg1-0sarge2 is installed
E: Unmet dependencies. Try using -f.



Bjørn




Re: sendmail vulnerability

2006-03-23 Thread Moritz Muehlenhoff
Andreas Piper wrote:
> ISS has reported a serious flaw in sendmail before 8.13.6, see 
> http://xforce.iss.net/xforce/alerts/id/216 and 
> http://sendmail.org/8.13.6.html
>
> Is a security fix of the sendmail-package(s) in view, or should I try to 
> install sendmail 8.13.6 standalone?

Packages for Sarge and Woody are currently building and will appear soon.

Cheers,
Moritz





Re: sendmail vulnerability

2006-03-23 Thread Andreas Barth
* Andreas Piper ([EMAIL PROTECTED]) [060323 09:45]:
> Hello,
> ISS has reported a serious flaw in sendmail before 8.13.6, see 
> http://xforce.iss.net/xforce/alerts/id/216 and 
> http://sendmail.org/8.13.6.html
> 
> Is a security fix of the sendmail-package(s) in view, or should I try to 
> install sendmail 8.13.6 standalone?

A package is being prepared and should be available soon.

Cheers,
Andi
-- 
  http://home.arcor.de/andreas-barth/





Re: sendmail vulnerability

2006-03-23 Thread Aníbal Monsalve Salazar
On Thu, Mar 23, 2006 at 09:44:38AM +0100, Andreas Piper wrote:
>Hello,
>ISS has reported a serious flaw in sendmail before 8.13.6, see 
>http://xforce.iss.net/xforce/alerts/id/216 and 
>http://sendmail.org/8.13.6.html
>
>Is a security fix of the sendmail-package(s) in view, or should I try to 
>install sendmail 8.13.6 standalone?

sendmail 8.13.6-1 is in NEW. See http://ftp-master.debian.org/new.html

Aníbal Monsalve Salazar
-- 
http://v7w.com/anibal




Re: sendmail: 550 Error: Message content rejected

2004-07-03 Thread Manfred Schmitt
Michelle Konzack <[EMAIL PROTECTED]> wrote:
> 
> How do you send the previous Message ?
> 
> If I respond to it, I get in 'mutt' the error Message:
> 
> sendmail: 550 Error: Message content rejected
> 
The message from Russel had Content-Type: text/plain;  charset="iso-8859-1" 
and Content-Transfer-Encoding: 7bit but iso-8859-1 doesn't fit in 7-bit ;-)
Beside that I see no unusual things in Russel's mail.
To me it looks like a bug in kmail, an mua shouldn't send with the wrong 
encoding. Or did murphy change it to 7-bit because there wasn't any 8-bit 
content?
However, that's all OT here.

hth and bye,
Manne





Re: sendmail problem:connection timed out

2004-01-05 Thread Christian Storch
Are you able to ping 64.4.33.7 !?
If so, try 'telnet 64.4.33.7 25' next to get a smtp prompt.
If nothing works look at your connection: Firewall rules etc.

Beside that your sendmail seems to work.

Christian

- Original Message - 
From: "arun raj" <[EMAIL PROTECTED]>
To: 
Sent: Monday, January 05, 2004 11:48 AM
Subject: sendmail problem:connection timed out 


hello,

I am using sendmail 8.12 in redhat linux9.0 to send mail. It sends the
message between the internal network. But it does not send the message to
the external network. I want to send mail to [EMAIL PROTECTED] But it is
not sending mail. The following logs are generated in maillog.
From the message I understand that it is accepting the mail. But it is not
able to relay to the user_account @hotmail.com
Please reply as soon as possible. very urgent.
logs
**
Jan 5 12:04:56 arun sendmail[5213]: i056YuFS005213: from=root, size=133, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Jan 5 12:04:56 arun sendmail[5215]: i056Yuor005215: from=<[EMAIL PROTECTED]>, size=333, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1] (may be forged)
Jan 5 12:04:56 arun sendmail[5213]: i056YuFS005213: [EMAIL PROTECTED], ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30086, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (i056Yuor005215 Message accepted for delivery)
Jan 5 12:07:56 arun sendmail[5217]: i056Yuor005215: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (0/0), delay=00:03:00, xdelay=00:03:00, mailer=esmtp, pri=30286, relay=hotmail.com [64.4.33.7], dsn=4.0.0, stat=Deferred: Connection timed out with hotmail.com
thanks,
arun
my email_id: [EMAIL PROTECTED]









Re: Sendmail package version weirdness

2003-09-19 Thread Jeremy T. Bouse
On Fri, Sep 19, 2003 at 01:47:28AM -0400, Robert Brockway wrote:
> On Fri, 19 Sep 2003, Matt Zimmerman wrote:
> 
> > On Thu, Sep 18, 2003 at 10:58:49PM -0400, Robert Brockway wrote:
> >
> > > Was there any particular reason that this newer fixed version has a
> > > version number that makes it look older than the exploitable version?
> >
> > Simple: it doesn't.  The version in stable is 8.12.3-4, and the version on
> > security.debian.org is 8.12.3-6.6.  Your package came from someplace else.
> 
> Hi Matt.  Thanks for clearing that up.  FYI I located the origin of the
> version I was using:
> 
> http://people.debian.org/~cowboy/sendmail_8.12.3-7woody_i386.changes
> 
Just like anyone using debian.seabone.net for the debian-ipv6
repository for woody would have 8.12.9-3 installed... 

Regards,
Jeremy

> Rob
> 
> -- 
> Robert Brockway B.Sc. email: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Linux counter project ID #16440 (http://counter.li.org)
> "The earth is but one country and mankind its citizens" -Baha'u'llah


Re: Sendmail package version weirdness

2003-09-19 Thread Robert Brockway
On Fri, 19 Sep 2003, Matt Zimmerman wrote:

> On Thu, Sep 18, 2003 at 10:58:49PM -0400, Robert Brockway wrote:
>
> > Was there any particular reason that this newer fixed version has a
> > version number that makes it look older than the exploitable version?
>
> Simple: it doesn't.  The version in stable is 8.12.3-4, and the version on
> security.debian.org is 8.12.3-6.6.  Your package came from someplace else.

Hi Matt.  Thanks for clearing that up.  FYI I located the origin of the
version I was using:

http://people.debian.org/~cowboy/sendmail_8.12.3-7woody_i386.changes

Rob

-- 
Robert Brockway B.Sc. email: [EMAIL PROTECTED], [EMAIL PROTECTED]
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah



Re: Sendmail package version weirdness

2003-09-18 Thread Matt Zimmerman
On Thu, Sep 18, 2003 at 10:58:49PM -0400, Robert Brockway wrote:

> Was there any particular reason that this newer fixed version has a
> version number that makes it look older than the exploitable version?

Simple: it doesn't.  The version in stable is 8.12.3-4, and the version on
security.debian.org is 8.12.3-6.6.  Your package came from someplace else.

-- 
 - mdz






Re: sendmail + mailscanner

2003-05-02 Thread Tibor Répási

Hy,

please consider that amavis and mailscanner are completely different mail
scanners. AFAIK: There is no standard debian package containing amavis
for sendmail, only for postfix.

The error messages in Your log are generated by mailscanner. I would
say that Your mailscanner expects another version of f-prot than You
use. What You can do is to "mail the author of MailScanner".

Regards,
Tibor Repasi


Matteo Vescovi wrote:

>May  2 14:11:53 blackhawk mailscanner[237]: Either you've found a bug in
>MailScanner's F-Prot output parser, or F-Prot's output format has changed!
>F-Prot said this "Switches: -ARCHIVE -OLD". Please mail the author of
>MailScanner





Re: sendmail + mailscanner

2003-05-02 Thread Matteo Vescovi
On Monday 14 April 2003 21:31, Répási Tibor wrote:
> Hy,
>
> just follow the steps described in /usr/share/sendmail/examples/amavis
> download the latest sources and it works. I've installed it a few weeks
> ago and it is running well. I'm using it with f-prot, but You can config
> it for any antivir software You want.
>
> Regards,
>   Tibor Repasi

Hi Tibor!
I followed your advice and installed mailscanner with f-prot.
Now, when I fetch the mails and mailscanner scans them, I see in my 
/var/log/mail.log:

May  2 14:11:17 blackhawk mailscanner[237]: Scanning 2 messages, 8063 bytes
May  2 14:11:53 blackhawk mailscanner[237]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Search: .". Please mail the author of MailScanner
May  2 14:11:53 blackhawk mailscanner[237]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Action: Report only". Please mail the author of MailScanner
May  2 14:11:53 blackhawk mailscanner[237]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Files: "Dumb" scan of all files". Please mail the author of MailScanner
May  2 14:11:53 blackhawk mailscanner[237]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Switches: -ARCHIVE -OLD". Please mail the author of MailScanner
May  2 14:11:53 blackhawk mailscanner[237]: Scanned 2 messages, 8063 bytes in 0 seconds

What's the problem here? How could I say to fetchmail (or mailscanner, I don't 
know!) that this is not a problem but only the output of the f-prot 
antivirus?
Thanks for your help.

Matteo


-- 
Debian GNU/Linux.
The most software. The most people. The biggest is still the best.



RE: sendmail + mailscanner

2003-04-14 Thread Michel van der Klei
> Hello!
> 
> I know this is not specially a security topic, but I need to
> do this for 
> My security :))
> I'm using sendmail, and I want to use mailscanner and 
> spamassassin with 
> it. I don't know how to configure sendmail to work with 
> mailscanner. The 
> mailscanner's howtos are very outdated, and in the mailscanner's 
> homepage, there is the same howtos.
> So, if someone knows what should I do, to work sendmail with 
> mailscanner, please let me know.


Hello Levai,

This site is quite up to date, and contains a new faq section:

http://www.sng.ecs.soton.ac.uk/mailscanner/

Kind regards,

Michel van der Klei
Mitch IT

www.mitch-it.com



Re: sendmail + mailscanner

2003-04-14 Thread Répási Tibor

Hy,

just follow the steps described in /usr/share/sendmail/examples/amavis 
download the latest sources and it works. I've installed it a few weeks 
ago and it is running well. I'm using it with f-prot, but You can config 
it for any antivir software You want.


Regards,
Tibor Repasi

LeVA wrote:

Hello!

I know this is not specially a security topic, but I need to do this for 
My security :))
I'm using sendmail, and I want to use mailscanner and spamassassin with 
it. I don't know how to configure sendmail to work with mailscanner. The 
mailscanner's howtos are very outdated, and in the mailscanner's 
homepage, there is the same howtos.
So, if someone knows what should I do, to work sendmail with 
mailscanner, please let me know.


Thanks.

Levai Daniel
[EMAIL PROTECTED]






Re: Sendmail vulnerability : is Debian falling behind?

2003-03-06 Thread Arnd Hannemmann

Rich Puhek wrote:

Jeremy T. Bouse wrote:

It's been discussed plenty on the Debian mailing lists as well
as having the package maintainer give an update on the status of the
packages that are being prepared/ready at this time... Might suggest
checking a bit further before making such a rash judgement on issues
already being dealt with...

RedHat and SuSe have commercial money to throw at it... Debian
is run by volunteers... As well RedHat and SuSe do not support nearly as
many platforms as Debian, so it sometimes takes a bit to get all the
packages compiled on all the platforms prior to making an announcement
so they are all available...

Jeremy

On Mon, Mar 03, 2003 at 03:17:16PM -0600, Jor-el wrote:



Woah... easy on Jor-el, everyone. He wasn't slamming Debian's schedule 
on security updates so much as being concerned about whether Debian 
was being given the same early notification of vulnerabilities as 
RedHat, SuSe, and other vendors. As mentioned in another thread, 
Debian didn't appear to be on the list of vendors notified by CERT 
(see http://www.cert.org/advisories/CA-2003-07.html).


-- Rich

Hmm, I don't think so. Debian WAS notified by CERT (see 
http://www.kb.cert.org/vuls/id/JPLA-5K6Q3L).


Cya Arnd





Re: Sendmail vulnerability : is Debian falling behind?

2003-03-03 Thread Rich Puhek



Jeremy T. Bouse wrote:

It's been discussed plenty on the Debian mailing lists as well
as having the package maintainer give an update on the status of the
packages that are being prepared/ready at this time... Might suggest
checking a bit further before making such a rash judgement on issues
already being dealt with...

RedHat and SuSe have commercial money to throw at it... Debian
is run by volunteers... As well RedHat and SuSe do not support nearly as
many platforms as Debian, so it sometimes takes a bit to get all the
packages compiled on all the platforms prior to making an announcement
so they are all available...

Jeremy

On Mon, Mar 03, 2003 at 03:17:16PM -0600, Jor-el wrote:



Woah... easy on Jor-el, everyone. He wasn't slamming Debian's schedule 
on security updates so much as being concerned about whether Debian was 
being given the same early notification of vulnerabilities as RedHat, 
SuSe, and other vendors. As mentioned in another thread, Debian didn't 
appear to be on the list of vendors notified by CERT (see 
http://www.cert.org/advisories/CA-2003-07.html).


-- Rich

_

Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746

tel:   218.262.1130
email: [EMAIL PROTECTED]
_



RE: Sendmail vulnerability : is Debian falling behind?

2003-03-03 Thread Jones, Steven
Debian co-ordinates between quite a few hardware types, that takes time. If
at the end of the day you believe Mandrake is better go install Mandrake.
Before you do take a look at how many bugs/patches Mandrake has announced v
Debian over say the last year. I wouldn't be surprised if 1) Debian is on
average quicker, 2) the packaging system and pre-work the developers do
means some of these bugs are already ironed out so are never exploitable, so
Debian never needs to release an advisory.

regards

Thing

-Original Message-
From: Bernard Lheureux [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 4 March 2003 12:35 
To: debian-security@lists.debian.org
Cc: Jeremy T. Bouse
Subject: Re: Sendmail vulnerability : is Debian falling behind?


On Monday 03 March 2003 23:06, Jeremy T. Bouse wrote:
> > In case no one noticed, news of a Sendmail vulnerability appeared
> > on Slashdot. The really interesting piece of the story for me was the
> > portion of the blurb which said "...RedHat and OpenBSD have already issued
> > patches.links to an update from SuSE, too".
Mandrake released patched versions for all of their versions a few hours ago
too...

-- 
(°-   Bernard Lheureux Gestionnaire des MailingLists ML, TechML, LinuxML
//\   http://www.bbsoft4.org/Mailinglists.htm ** MailTo:[EMAIL PROTECTED]
v_/_  http://www.bbsoft4.org/ <<<<<< * >>>>>> http://www.portalinux.org/



Re: Sendmail vulnerability : is Debian falling behind?

2003-03-03 Thread F. Beintema
Quoting Bernard Lheureux <[EMAIL PROTECTED]>:

> On Monday 03 March 2003 23:06, Jeremy T. Bouse wrote:
> > >   In case no one noticed, news of a Sendmail vulnerability appeared
> > > on Slashdot. The really interesting piece of the story for me was the
> > > portion of the blurb which said "...RedHat and OpenBSD have already issued
> > > patches.links to an update from SuSE, too".
> Mandrake released patched versions for all of their versions a few hours ago
> too...

Put a little faith in Debian developers.
I have no reason to believe they would leave this vulnerability unpatched.

Cheers, Joost.
 
-- 
(2*b) || !(2*b) == 1

-
Support open source software like
 - Linux
 - Apache
 - PHP
 - MySQL
 - Horde
and many others



Re: Sendmail vulnerability : is Debian falling behind?

2003-03-03 Thread Bernard Lheureux
On Monday 03 March 2003 23:06, Jeremy T. Bouse wrote:
> > In case no one noticed, news of a Sendmail vulnerability appeared
> > on Slashdot. The really interesting piece of the story for me was the
> > portion of the blurb which said "...RedHat and OpenBSD have already issued
> > patches.links to an update from SuSE, too".
Mandrake released patched versions for all of their versions a few hours ago 
too...

-- 
(°-   Bernard Lheureux Gestionnaire des MailingLists ML, TechML, LinuxML
//\   http://www.bbsoft4.org/Mailinglists.htm ** MailTo:[EMAIL PROTECTED]
v_/_  http://www.bbsoft4.org/ << * >> http://www.portalinux.org/




Re: Sendmail vulnerability : is Debian falling behind?

2003-03-03 Thread Jeremy T. Bouse
It's been discussed plenty on the Debian mailing lists as well
as having the package maintainer give an update on the status of the
packages that are being prepared/ready at this time... Might suggest
checking a bit further before making such a rash judgement on issues
already being dealt with...

RedHat and SuSe have commercial money to throw at it... Debian
is run by volunteers... As well RedHat and SuSe do not support nearly as
many platforms as Debian, so it sometimes takes a bit to get all the
packages compiled on all the platforms prior to making an announcement
so they are all available...

Jeremy

On Mon, Mar 03, 2003 at 03:17:16PM -0600, Jor-el wrote:
> Hi,
> 
>   In case no one noticed, news of a Sendmail vulnerability appeared
> on Slashdot. The really interesting piece of the story for me was the
> portion of the blurb which said "...RedHat and OpenBSD have already issued
> patches.links to an update from SuSE, too". 
> 
>   What about Debian? I just looked at http://security.debian.org and
> see no mention of this vulnerability. I don't use Sendmail myself.
> Nevertheless I am still concerned that the people who notify vendors are
> not notifying Debian ahead of time before vulnerabilities are publicly
> announced. Is that the case? Can someone in the know comment?
> 
> Thanks,
> Jor-el




Re: Sendmail + RBL

2002-10-10 Thread Alvin Oga

hi ya

you can try some of my *.mc files w/ rbl 

http://www.Linux-Sec.net/Mail
- click on the sendmail stuff

and i'd install check_local too so that i can check headers,
message id and some virus

c ya
alvin

On Thu, 10 Oct 2002, Hantzley wrote:

> 
> Hi,
>   I'm currently evaluating sendmail's antispam feature (rbl). see 
> http://mail-abuse.org/rbl/usage.html
> The problem is that it when the test it returns "rewrite: ruleset 192 
> returns: OK".
> In fact I should get :
> rewrite: ruleset 192 returns: $# error $@ 5 . 7 . 1 $: "Mail from " 127 . 0 . 0 . 2 " refused; see http://www.mail-abuse.org/cgibin/lookup?127.0.0.2"
> 
> Is there other ways to configure sendmail with RBL
> Please advise..
> 






Re: Sendmail + RBL

2002-10-10 Thread Blars Blarson
In article <[EMAIL PROTECTED]> 
[EMAIL PROTECTED] writes:
>Is there other ways to configure sendmail with RBL

If you aren't using ancient sendmail, (woody's is fine) use the dnsbl
feature in your sendmail.mc: (examples from my sendmail.mc, see the
web pages before you use any dnsbl)


FEATURE(`dnsbl',`relays.osirusoft.com',`"mail from open relays and spammers refused, see http://relays.osirusoft.com"')dnl
FEATURE(`dnsbl',`relays.ordb.org',`"mail from open relays refused, see http://www.ordb.org"')dnl
FEATURE(`dnsbl',`block.blars.org',`"mail from spamming sites refused, see http://www.blars.org/errors/block.html"')dnl


see www.sendmail.org for details, they have an antispam page.
-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
"Text is a way we cheat time." -- Patrick Nielsen Hayden

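What a DNSBL check does for each connecting client, as an added Python example (not code from the posters or from sendmail): the client's IPv4 octets are reversed, the zone from each `FEATURE(`dnsbl', ...)` line is appended, and an A-record answer means the client is listed. The resolver is an injected stub over constructed records, the reply strings are constructed wording, and what to do when a lookup fails is left as a parameter because it is a site policy choice.

```python
"""DNSBL lookup logic for the zones named in the sendmail.mc lines above."""
import ipaddress

# Zones taken from the FEATURE(`dnsbl', ...) lines in the message above.
ZONES = ["relays.osirusoft.com", "relays.ordb.org", "block.blars.org"]

# Constructed sample data: 127.0.0.2 is the conventional DNSBL test entry,
# the same address used in the ruleset test quoted earlier in the thread.
SAMPLE_RECORDS = {"2.0.0.127.relays.ordb.org": ["127.0.0.2"]}


class DnsTempFail(Exception):
    """Raised by a resolver when the lookup itself fails (timeout, SERVFAIL)."""


def dnsbl_query_name(client_ip, zone):
    """Return the name to look up for client_ip in zone, or None for non-IPv4."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        return None  # assumption: these zones list IPv4 addresses only
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return reversed_octets + "." + zone.strip(".")


def make_stub_resolver(records, failing_zones=()):
    """Build an offline resolver: qname -> list of A records, [] if not listed."""
    def resolve(qname):
        if any(qname.endswith("." + zone) for zone in failing_zones):
            raise DnsTempFail(qname)
        return records.get(qname, [])
    return resolve


def check_client(client_ip, zones, resolve, tempfail_on_error=False):
    """Return (action, zone, reply) where action is OK, REJECT or TEMPFAIL."""
    for zone in zones:
        qname = dnsbl_query_name(client_ip, zone)
        if qname is None:
            continue
        try:
            answers = resolve(qname)
        except DnsTempFail:
            if tempfail_on_error:
                # Constructed reply text: defer the mail instead of accepting it.
                return ("TEMPFAIL", zone, "451 temporary lookup failure for " + zone)
            continue  # a dead list then silently stops filtering
        if answers:
            reply = "550 5.7.1 Mail from %s refused; listed in %s" % (client_ip, zone)
            return ("REJECT", zone, reply)
    return ("OK", None, None)


if __name__ == "__main__":
    working = make_stub_resolver(SAMPLE_RECORDS)
    broken = make_stub_resolver(SAMPLE_RECORDS, failing_zones=["relays.osirusoft.com"])
    print(check_client("127.0.0.2", ZONES, working))
    print(check_client("192.0.2.10", ZONES, working))
    print(check_client("192.0.2.10", ZONES, broken, tempfail_on_error=True))
```

An "OK" for 127.0.0.2 against a list that publishes the test entry points at resolution rather than at the list: the MTA's resolver is not reaching the zone, or the lookup is not being made at all.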




Re: sendmail

2002-09-18 Thread J.H.M. Dassen (Ray)
[Please do not use HTML in email]

On Wed, Sep 18, 2002 at 21:53:58 +0800, Glen Tapley wrote:
>Periodically when I run ps x, I find processes running and tonight I found
>the following process
> 
>sendmail: server debian.org [65.125.64.134] child wai
>sendmail: server debian.org [65.125.64.134] cmd read

What makes you think this is anything other than your machine receiving list
mail from debian.org? 

Ray
-- 
Sexual paranoia: did I once unknowingly sleep with THEM?




Re: sendmail, masquerading and HELO

2002-05-21 Thread Carlos Carvalho
Richard A Nelson ([EMAIL PROTECTED]) wrote on 21 May 2002 11:26:
 >You do know why the Received lines are there right?

I thought I knew but after this remark I'm no longer sure :-)

 >> What's annoying is that some sites are using the helo= field to check
 >> the IP address via dns. Since in this case it's an internal address
 >> it'll obviously not work, and these sites are refusing to receive
 >> email from us.
 >
 >Such sites are broken - apply cluex4 repeatedly until they understand
 >that they are to verify *ONLY* the sending MTA...  And they *HAVE* its
 >IP, they check forward/reverse resolution on it, and only it.

I think I wasn't clear, sorry. In the headers below

 >On Tue, 21 May 2002, Carlos Carvalho wrote:
 >> The problem is that sendmail puts in the headers the internal host
 >> name, as you can see from this message itself and here is another
 >> example:
 >>
 >> Received: from fisica.ufpr.br ([200.17.209.129] helo=hoggar.fisica.ufpr.br)
 >> **
 >> by foo.bar.ufpr.br with esmtp (Exim 3.35 #1 (Debian))
 >> id 17A8E9-0001mj-00
 >> for <[EMAIL PROTECTED]>; Tue, 21 May 2002 08:54:53 -0300
 >> Received: (from [EMAIL PROTECTED])
 >> by hoggar.fisica.ufpr.br (8.11.2/8.11.2/Debian 8.11.2-1)
 >> 

the sending MTA is hoggar.fisica.ufpr.br, and that's what they're
trying to test. foo.bar.ufpr.br is the receiving MTA. So I think
they're doing right. I'm trying to stop hoggar's sendmail from telling
the world its hostname, and only announce its domain name.

 >> Is there a way to make sendmail put the domain name in the helo field
 >> and all the received headers?
 >
 >If you have administrative control over *all* boxen, yes - you can
 >define your own Received: header format...  I don't know if I had
 >the file in 8.11.2, but in 8.12.3, check
 >/usr/share/sendmail/cf/hack/virthost_by_ip.m4 for an example.

I don't think this is a problem of the header format, it's a problem
of the transmitted information. The Received: header format is up to
the receiving MTA, what ends up there is a problem of the sending MTA,
and this is what I'm trying to do.


Re: Sendmail forward to exchange

2002-05-14 Thread Rob Carlson
Look at /etc/mail/mailertable

hostname.com  smtp:exchange.hostname.com
exchange.hostname.com  smtp:exchange.hostname.com

Define exchange.hostname.com in /etc/hosts of your sendmail machine.

--
Rob Carlson  [EMAIL PROTECTED]  http://vees.net/

On Tue, 14 May 2002, Marcel Welschbillig wrote:

> Can anyone tell me how to setup sendmail to forward all INCOMING mail to
> an exchange server ? I have a Debian firewall running send mail with an
> exchange server behind the fire wall on a private IP. I would like all
> mail to be MXed to the Debian box and then forwarded to the Exchange box.
>


Re: Sendmail forward to exchange

2002-05-13 Thread Anthony J. Breeds-Taurima
On Tue, 14 May 2002, Marcel Welschbillig wrote:

> Hi,
> 
> Can anyone tell me how to setup sendmail to forward all INCOMING mail to 
> an exchange server ? I have a Debian firewall running send mail with an 
> exchange server behind the fire wall on a private IP. I would like all 
> mail to be MXed to the Debian box and then forwarded to the Exchange box.

Look into MAIL_HUB
http://www.sendmail.org/m4/masquerading.html

I think:
define(`MAIL_HUB',`relay:exchangehost.name')


Yours Tony.

/*
 * "The significant problems we face cannot be solved at the 
 * same level of thinking we were at when we created them."
 * --Albert Einstein
 */





[OT] Re: Sendmail forward to exchange

2002-05-13 Thread tony mancill
A simple way to do this is to have separate DNS servers serving the same
zones, one for the "outside" and one for the "inside."  When Internet
systems do an MX query for your mail domain(s), they get the address of
your Debian SMTP gateway.  Your gateway box should use the inside DNS
system for queries.  When it performs an MX lookup for the same mail
domain(s) (which sendmail does in the process of trying to deliver the mail),
it'll get the address of the Exchange system and relay on to it.  As far
as I know, this is a fairly common configuration; it's how I've done it in
the past.  There is discussion of this internal/external DNS strategy in
"Building Internet Firewalls"  (Chapman and Zwicky), and probably in other
places as well.  Take care to configure sendmail to relay only the domains
for which you have an MX record, otherwise you'll be setting up an open
relay.

Hope that helps,
tony

On Tue, 14 May 2002, Marcel Welschbillig wrote:

> Can anyone tell me how to setup sendmail to forward all INCOMING mail to
> an exchange server ? I have a Debian firewall running send mail with an
> exchange server behind the fire wall on a private IP. I would like all
> mail to be MXed to the Debian box and then forwarded to the Exchange box.


Re: sendmail

2002-05-06 Thread Blars Blarson
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED] writes:

>In the last weeks I`ve installed twice Debian 3.0 * with sendmail
>.12.3-5 ). And I get some stupid error every few minutes:
>
>
>May  6 16:40:01 velikov sm-msp-queue[26216]: STARTTLS=client: file
>/etc/mail/ssl/sendmail-server.crt unsafe: No such file or directory

This bug was caused by making sendmail-tls the default sendmail after
the security to main transition.  It's fixed in the -6 version (where
you have to enable tls if you want it), -7 is currently in unstable.
If you need -6 rather than -7 for some reason, it's on my web site.

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
"Text is a way we cheat time." -- Patrick Nielsen Hayden


Re: sendmail

2002-05-06 Thread Wouter van Gils
These errors occur because sendmail cannot find the ssl certificate in
the default dir.

As of this version sendmail supports relaying on the basis of
certificate authentication. It took me a while to get things going. This
website was a big help for me:

http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml

good luck


- Wouter





[On 06 May, 2002, Vladimir Velikov wrote in "sendmail ..."]
> Hi there!
> 
> In the last weeks I`ve installed twice Debian 3.0 * with sendmail
> .12.3-5 ). And I get some stupid error every few minutes:
> 
> 
> May  6 16:40:01 velikov sm-msp-queue[26216]: STARTTLS=client: file
> /etc/mail/ssl/sendmail-server.crt unsafe: No such file or directory
> May  6 16:40:01 velikov sm-msp-queue[26216]: STARTTLS=client, error: load
> verify locs /etc/ssl/certs/, /etc/mail/ssl/sendmail-server.crt failed: 0
> May  6 16:50:01 velikov sm-msp-queue[27796]: STARTTLS=client: file
> /etc/mail/ssl/sendmail-client.crt unsafe: No such file or directory
> May  6 16:50:01 velikov sm-msp-queue[27796]: STARTTLS=client: file
> /etc/mail/ssl/sendmail-common.key unsafe: No such file or directory
> May  6 16:50:01 velikov sm-msp-queue[27796]: STARTTLS=client: file
> /etc/mail/ssl/sendmail-server.crt unsafe: No such file or directory
> May  6 16:50:01 velikov sm-msp-queue[27796]: STARTTLS=client, error: load
> verify locs /etc/ssl/certs/, /etc/mail/ssl/sendmail-server.crt failed: 0
> 
> 
> 
> 
> 
> 
> Vladimir Velikov, System Administrator

-- 
~~~
Wouter van Gils -=- [EMAIL PROTECTED]
http://the-construct.cx/
~~~


Re: Sendmail patches in work?

2001-09-04 Thread Thomas Gebhardt

Hi,

> > I wonder whether a sendmail security patch (input validation
> > error, BUGTRAQ ID: 3163) will be available soon?
> 
> No:
>   1) The version in unstable(sid) Beta19 isn't vulnerable
>   2) The version in testing (held back by ia64) is vulnerable,
>  but *ONLY* if run suid root, which isn't the case unless
>  the administrator changes things.
>   3) The version in slink, base potato isn't vulnerable

thank you very much for pointing me to this information!

Wouldn't it make sense to make this information available in
a security advisory? Just to say: we are not affected?
All major distributions have issued patches yet. The
recent sendmail vulnerability has drawn much attention on it.
I think that it is reasonable in such a situation to
issue a security advisory that points to the relevant
information and gives us system administrators a good
feeling.

Cheers, Thomas




Re: Sendmail DOS

2001-02-22 Thread Berend De Schouwer

On Thu, 22 Feb 2001 13:27:07 Antti Tolamo wrote:
| At 13:16 22.2.2001, Berend De Schouwer wrote:
| 
| 
| >event a DoS, from
| >their description, if they are implemented correctly.  At least,
| >they'll offer as much protection as inetd can.  I've used them
| >before when a mail script went crazy and caused too many
| >connections.
| >
| >Anyway, Debian Potato ships with Exim, not sendmail.
| >
| 
| So?

So does Nessus talk to sendmail or Exim?  I've had security scanners
scan my OpenBSD ftp server and list wu-ftpd vulnerabilities.
Just checking :)

| Antti
| 
| 
| --  
| To UNSUBSCRIBE, email to [EMAIL PROTECTED]
| with a subject of "unsubscribe". Trouble? Contact
| [EMAIL PROTECTED]
| 
Kind regards, 
Berend  

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS



Re: Sendmail DOS

2001-02-22 Thread Berend De Schouwer

On Thu, 22 Feb 2001 12:59:06 Jean-Francois JOLY wrote:
| Hello Everybody,
| 
|   I've ran Nessus against some servers and it reports me that
| sendmail
|   is vulnerable to a Syn Flood. I've grabbed utilities to test the
|   vulnerability and haven't succeed to reproduce the problem.
|   I've found no information about this vulnerability.
|   Do you know if this is a true problem or just a false report ?
| 
|   In my configuration, Sendmail is run as a standalone daemon.
|   Should I include it in Xinetd to stop the Problem ?

Somehow I don't think it's necessary (I could be wrong).
Look in /etc/sendmail.cf for:

# load average at which we refuse connections
O RefuseLA=10
# maximum number of children we allow at one time
O MaxDaemonChildren=50
# maximum number of new connections per second
O ConnectionRateThrottle=3

Any of the above options should be able to prevent a DoS, from
their description, if they are implemented correctly.  At least,
they'll offer as much protection as inetd can.  I've used them
before when a mail script went crazy and caused too many
connections.

Anyway, Debian Potato ships with Exim, not sendmail.
 
|   Thanks.
| 
| -- 
| Best regards,
|  Jean-Francois  mailto:[EMAIL PROTECTED]
| 
| 
| 
| --  
| To UNSUBSCRIBE, email to [EMAIL PROTECTED]
| with a subject of "unsubscribe". Trouble? Contact
| [EMAIL PROTECTED]
| 
Kind regards, 
Berend  

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS
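
A way to check a sendmail.cf for the three options named in the message above, as an added Python example (not from the original post or from sendmail). The sample file text is constructed, and treating a value of 0 as "no limit" for MaxDaemonChildren and ConnectionRateThrottle is an assumption of this example.

```python
import re

# Constructed sendmail.cf excerpt: one option active, one commented out, one missing.
SAMPLE_CF = """\
# load average at which we refuse connections
O RefuseLA=10
# maximum number of children we allow at one time
#O MaxDaemonChildren=0
# unrelated option, ignored by the audit
O QueueLA=8
"""

# The options listed in the post.
THROTTLES = ("RefuseLA", "MaxDaemonChildren", "ConnectionRateThrottle")

# Assumption of this example: 0 means "unlimited" for these two options.
UNLIMITED_AT_ZERO = {"MaxDaemonChildren", "ConnectionRateThrottle"}

# "O Name=value" is an active option; "#O Name=value" is a commented-out one.
OPTION_RE = re.compile(r"^(#?)O\s+(\w+)\s*=\s*(\S+)")


def read_throttles(cf_text):
    """Return {option: (state, value)} with state 'active', 'commented' or 'absent'."""
    result = {name: ("absent", None) for name in THROTTLES}
    for line in cf_text.splitlines():
        match = OPTION_RE.match(line)
        if not match or match.group(2) not in result:
            continue
        name, value = match.group(2), match.group(3)
        state = "commented" if match.group(1) else "active"
        # A later active line replaces an earlier one; a commented line never
        # replaces an active one.
        if state == "active" or result[name][0] != "active":
            result[name] = (state, value)
    return result


def findings(cf_text):
    """Return one human-readable finding per throttle that is not in effect."""
    out = []
    settings = read_throttles(cf_text)
    for name in THROTTLES:
        state, value = settings[name]
        if state != "active":
            out.append(f"{name}: {state} in this file, built-in default applies")
        elif name in UNLIMITED_AT_ZERO and value == "0":
            out.append(f"{name}: set to 0, which imposes no limit")
    return out


if __name__ == "__main__":
    for name, (state, value) in read_throttles(SAMPLE_CF).items():
        print(f"{name:24} {state:10} {value}")
    for finding in findings(SAMPLE_CF):
        print("FINDING:", finding)
```

These options act on connections sendmail has already accepted; half-open connections from a SYN flood are handled by the kernel's TCP stack before sendmail sees them.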



Re: Sendmail DOS

2001-02-22 Thread Antti Tolamo

At 13:16 22.2.2001, Berend De Schouwer wrote:


>event a DoS, from
>their description, if they are implemented correctly.  At least,
>they'll offer as much protection as inetd can.  I've used them
>before when a mail script went crazy and caused too many
>connections.
>
>Anyway, Debian Potato ships with Exim, not sendmail.
>

So?

Antti


Re: Sendmail Workaround for Linux Capabilities Bug (fwd)

2000-06-08 Thread Maarten Vink
Christian Hammers wrote:
> 
> Hello List
> 
> Is it right that there must exist a vulnerability in the server, too that
> allows the attacker to execute code to exploit the capabilities bug?
> In other words, how severe is the urge to update the kernels on our
> production systems?
> 
> bye,
> 
>  -christian-
> 

Below you'll find the original messages from Alan Cox announcing the
new 2.2.16 kernel release. The main point here is that you'd already
need a local account; however, I personally wouldn't take any chances
on a production system.

-- 
Maarten Vink
[EMAIL PROTECTED]
http://lsb4.euroslicht.nl/
"A computer lets you make more mistakes faster than any invention in
human history - with the possible exceptions of handguns and tequila."


> Linux 2.2.16 security release
> 
> The following security problems are fixed by this release
> 
> o   Setuid applications, even when correctly checking for failures of
> setuid() calls could fail to drop privileges if the invoker had
> made certain adjustments to the capability sets
> 
> o   Opening a socket and issuing multiple connects on it could be used
> to hang the box
> 
> o   Readv/writev might misbehave on some very large inputs
> 
> o   Potentially remote exploitable hole in the sunrpc code 
> 
> o   User causable oopses in Appletalk and Socket code
> 
> o   Obscure exploitable bugs in the Sparc kernel
> 
> The full list of enhancements and other bug fixes will follow later.
> 
> Recommendations:
> 
> You should consider updating your 2.2 kernel to 2.2.16 if
> 
> o   You have untrusted users on your system
> o   You have publicly accessible kernel sunrpc services
> 
> Other major bug fixes include
> 
> o   The tcp retransmit crash on very high load
> o   Poor VM performance under some load patterns
> o   Fix for 3com 3c590 8K card stalls
> 
> Alan



Re: Sendmail Workaround for Linux Capabilities Bug (fwd)

2000-06-08 Thread Ethan Benson
On Thu, Jun 08, 2000 at 02:03:21PM +0200, Wichert Akkerman wrote:
> Previously Christian Hammers wrote:
> > Is it right that there must exist a vulnerability in the server, too that
> > allows the attacker to execute code to exploit the capabilities bug?
> > In other words, how severe is the urge to update the kernels on our
> > production systems?
> 
> It indeed requires local access to the machine.

there is however a sunrpc fix in 2.2.16 that Alan Cox feels is
remotely exploitable.  if you're not running sunrpc you should be ok
there though..

still it is not a good idea to leave local holes open since there are
other ways to get local access, (say a bad CGI in apache, could get
you a www-data shell) or of course bind, wu-ftpd etc. 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: Sendmail Workaround for Linux Capabilities Bug (fwd)

2000-06-08 Thread Wichert Akkerman
Previously Christian Hammers wrote:
> Is it right that there must exist a vulnerability in the server, too that
> allows the attacker to execute code to exploit the capabilities bug?
> In other words, how severe is the urge to update the kernels on our
> production systems?

It indeed requires local access to the machine.

Wichert.

-- 
   
 / Generally uninteresting signature - ignore at your convenience  \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Re: Sendmail Workaround for Linux Capabilities Bug (fwd)

2000-06-08 Thread Christian Hammers
Hello List

Is it right that there must exist a vulnerability in the server, too that
allows the attacker to execute code to exploit the capabilities bug?
In other words, how severe is the urge to update the kernels on our
production systems?

bye,

 -christian-

> Date: Wed, 7 Jun 2000 18:42:34 -0700
> Sender: Bugtraq List 
> From: Sendmail Security <[EMAIL PROTECTED]>
> Subject:  Sendmail Workaround for Linux Capabilities Bug
> 
>   SENDMAIL SECURITY TEAM ADVISORY
> 
>   Sendmail Workaround for Linux Capabilities Bug
> 
> The Sendmail Consortium and Sendmail, Inc. has been informed of a
> serious problem in the Linux kernel that can be used to get root
> access.  This is not a sendmail security problem, although sendmail
> is one of the vectors for this attack.
> 
> PROBLEM
> 
>   There is a bug in the Linux kernel capability model for versions
>   through 2.2.15 that allows local users to get root.  Sendmail is
>   one of the programs that can be attacked this way.  This problem
>   may occur in other capabilities-based kernels.
> 
> SOLUTION
> 
>   The correct fix is to update your Linux kernel to version
>   2.2.16.  This is the only way to ensure that other programs
>   running on Linux cannot be attacked by this bug.
> 
> WORKAROUND
> 
>   Sendmail 8.10.2 has added a check to see if the kernel has
>   this bug, and if so will refuse to run.  This version also
>   does more detailed checks on certain system calls, notably
>   setuid(2), to detect other possible attacks.  Although there
>   are no known attacks, this version is strongly recommended,
>   whether or not you have a vulnerable kernel.
> 
>   Sendmail 8.10.2 can be obtained from:
> 
>   ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.10.2.tar.gz
>   ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.10.2.tar.Z
>   ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.10.2.tar.sig
> 
> and has MD5 signatures:
> 
>   acb8b6f50869a058a9baaa4fb4692c4b sendmail.8.10.2.tar.Z
>   00705e5ca3412604cebd052e0d7aefcd sendmail.8.10.2.tar.gz
>   92dca37fb68a2a44f02c292656c123b6 sendmail.8.10.2.tar.sig
> 
>   You only need one of the first two files (either the gzip'ed
>   version or the compressed version).  The .sig file is a PGP
>   signatures of the tar file (after uncompressing it).  It is
>   signed with the Sendmail Signing Key/2000, available on the web
>   site (http://www.sendmail.org/) or on the public key servers.
> 
>   Note however that installing this sendmail patch does not
>   fully protect you from attack.  Other programs are probably
>   vulnerable.
> 
> ACKNOWLEDGEMENTS
> 
>   Several people contributed to this advisory.  Wojciech Purczynski
>   of Elzab Soft first identified the problem.  Alan Cox verified
>   and patched the Linux kernel bug.  Gregory Neil Shapiro and other
>   members of the Sendmail Consortium helped identify the problem
>   and produce the sendmail workaround.
> 
> DETAILS OF THE VULNERABILITY
> 
>   The problem lies in the setcap(2) call, which is not documented
>   on most Linux-based systems (we think there might be a man page
>   on Mandrake).  This call, based on the unratified Posix 1e draft,
>   attempts to break down root permissions into a series of
>   capabilities.  Normally root has all capabilities and normal
>   users have none of the capabilities.
> 
>   One such capability is the ability of a process to do an
>   arbitrary setuid(2) call.  As documented in ISO/IEC 9945-1
>   (ANSI/IEEE Std 1003.1) POSIX Part 1:
> 
>   4.2.2.2 Description
>   ...
>       If {_POSIX_SAVED_IDS} is defined:
> 
>       (1) If the process has appropriate privileges, the
>           setuid() function sets the real user ID, effective
>           user ID, and the saved set-user-ID to uid.
> 
>       (2) If the process does not have the appropriate
>           privileges, but uid is equal to the real user ID
>           or the saved set-user-ID, the setuid() function
>           sets the effective user ID to uid; the real user
>           ID and saved set-user-ID remain unchanged by this
>           function call.
> 
>   The CAP_SETUID capability represents the "appropriate privileges".
> 
>   Normally this would not be an issue, since a setuid root program
>   would simply have capability reinstated.  However, Linux has
>   an added capability CAP_SETPCAP that controls the ability of a
>   process to inherit capabilities; this capability does affect
>   setuid programs.  It is possible to set the capabilities such
>   that a setuid program does not have "appropriate privileges."
>   The effect of this is that a root program cannot fully give up
>   its root privilege
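
The failure mode described in the quoted advisory, as an added example that is not sendmail's code or its workaround: a small model of the two quoted setuid() cases shows why a drop can appear to succeed while the saved set-user-ID stays 0, and drop_uid_checked() is the defensive check for a real process. The struct, the function names and UID 1000 are constructed for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed model: the three user IDs plus a flag standing in for the
 * "appropriate privileges" (CAP_SETUID) of the quoted POSIX text. */
struct ids { uid_t real, eff, saved; int cap_setuid; };

/* setuid() per cases (1) and (2) quoted above. Simplification (assumption):
 * once all three IDs are non-root, the model treats the privilege as gone. */
static int model_setuid(struct ids *p, uid_t uid)
{
    if (p->cap_setuid) {                      /* case (1): all IDs change */
        p->real = p->eff = p->saved = uid;
        p->cap_setuid = (uid == 0);
        return 0;
    }
    if (uid == p->real || uid == p->saved) {  /* case (2): effective only */
        p->eff = uid;                         /* saved ID left untouched */
        return 0;
    }
    return -1;                                /* EPERM in a real kernel */
}

/* 1 if root is reachable again after an apparently successful drop. */
static int root_regainable(struct ids p, uid_t uid)
{
    return model_setuid(&p, uid) == 0 && model_setuid(&p, 0) == 0 && p.eff == 0;
}

/* Real-process check: drop to uid, then prove root cannot come back.
 * On -1 the caller must exit rather than continue. */
static int drop_uid_checked(uid_t uid)
{
    if (uid == 0) return -1;                  /* switching to root is no drop */
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (setuid(0) == 0 || seteuid(0) == 0) return -1;  /* still privileged */
    return 0;
}

int main(void)
{
    struct ids with_cap = { 1000, 0, 0, 1 }, without_cap = { 1000, 0, 0, 0 };
    printf("CAP_SETUID present: regainable=%d\n", root_regainable(with_cap, 1000));
    printf("CAP_SETUID removed: regainable=%d\n", root_regainable(without_cap, 1000));
    printf("drop_uid_checked(getuid()) = %d\n", drop_uid_checked(getuid()));
    return 0;
}
```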

Re: Sendmail

2000-03-27 Thread Zak Kipling
On 27 Mar 2000, Brian May wrote:

> I think some programs use port 25 for outgoing mail, too (netscape?
> pine? mh?).

True. In which case block port 25 on all _external_ interfaces (eth0, ppp0
etc) but leave it open on the loopback interface.

-- 
Zak Kipling.

"As long as the superstition that people should obey unjust laws exists,
so long will slavery exist." -- M. K. Gandhi


Re: Sendmail

2000-03-27 Thread Brian May
> "Sebastian" == Sebastian Stark <[EMAIL PROTECTED]> writes:

Sebastian> On Sun, 26 Mar 2000, Oswald Buddenhagen wrote:
>> i like the idea of denying all incoming packets on port 25.

Sebastian> why not do it? port 25 is only for incoming mail, so
Sebastian> block it if you don't need it (that's what you should
Sebastian> do for all ports you don't need).

I think some programs use port 25 for outgoing mail, too (netscape?
pine? mh?). I seem to remember ages ago, when I first installed qmail,
there were suggestions for how to make pine and mh use sendmail rather
than port 25. This was years ago now, the situation might be different
now. I have purged pine, so can't check.

-- 
Brian May <[EMAIL PROTECTED]>


Re: Sendmail

2000-03-26 Thread Petr Cech
On Mon, Mar 27, 2000 at 12:39:02AM +0300 , Martin Fluch wrote:
> Hi,
> 
> how about using the /etc/hosts.allow file. I have for example the
> following line there (among others):
> 
> exim : LOCAL
> 
> which restricts connects to the exim mta service (port 25) to local

this will only work with exim in inetd.conf. exim is NOT linked with libwrap0
because of "historical" reasons :(

> connections. sendmail seems to be linked against libwrap0, hence I guess, it

Petr Cech
--
Debian GNU/Linux maintainer - www.debian.{org,cz}
   [EMAIL PROTECTED]


Re: Sendmail

2000-03-26 Thread Martin Fluch
On Sun, 26 Mar 2000, Srebrenko Sehic wrote:

> Is there a straightforward method of denying _all_ incoming emails with
> sendmail (v8.8.7)? I need this because sendmail's only purpose is to send
> and not accept any.
> 
> I guess I could just block all incoming packets to port 25, but is this a
> good idea?

Hi,

how about using the /etc/hosts.allow file. I have for example the
following line there (among others):

exim : LOCAL

which restricts connects to the exim mta service (port 25) to local
connections. sendmail seems to be linked against libwrap0, hence I guess, it
will respect a

sendmail : LOCAL

entry there (or something similar). more information can probably be found
in the hosts_access (5) and hosts_options (5) man pages.

Martin

-- 
Win2k: "It's not so much that it's only 65,000 bugs,
it's just that they stopped at 65,535 to prevent an overflow."

For public PGP-key: finger [EMAIL PROTECTED]


Re: Sendmail

2000-03-26 Thread Wichert Akkerman
Previously Sebastian Stark wrote:
> why not do it? port 25 is only for incoming mail, so block it if you don't
> need it (that's what you should do for all ports you don't need).

Why block it if you can just tell sendmail to not listen on that port?
Much simpler: simply remove "-bd" from the arguments in
/etc/init.d/sendmail .

Wichert.

-- 
   
 / Generally uninteresting signature - ignore at your convenience  \
| [EMAIL PROTECTED]                   http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
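
A check for the outcome this thread is after (no sendmail listener reachable on port 25 from outside), as an added example that is not from any poster: it parses the Linux /proc/net/tcp table and counts LISTEN sockets on port 25 bound to a non-loopback address. The sample tables are constructed, and the byte-order test assumes a little-endian host.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples in /proc/net/tcp layout from a little-endian Linux
 * host: local address is hex IPv4:port, state 0A means LISTEN. */
static const char SAMPLE_LOOPBACK_ONLY[] =
    "  sl  local_address rem_address   st\n"
    "   0: 0100007F:0019 00000000:0000 0A\n"
    "   1: 00000000:0016 00000000:0000 0A\n";
static const char SAMPLE_EXPOSED[] =
    "  sl  local_address rem_address   st\n"
    "   0: 00000000:0019 00000000:0000 0A\n"
    "   1: 0100007F:0019 00000000:0000 0A\n"
    "   2: 0A00000A:0019 0B00000A:C350 01\n";

/* Count LISTEN sockets on port 25 bound to anything other than 127/8. */
static int exposed_smtp_listeners(const char *table)
{
    int exposed = 0;
    const char *line = table;
    while (line && *line) {
        unsigned int laddr, lport, raddr, rport, state;
        if (sscanf(line, " %*d: %8X:%4X %8X:%4X %2X",
                   &laddr, &lport, &raddr, &rport, &state) == 5
            && state == 0x0A && lport == 25
            && (laddr & 0xFF) != 0x7F)   /* low byte = first octet on LE */
            exposed++;
        line = strchr(line, '\n');       /* advance to the next row */
        if (line) line++;
    }
    return exposed;
}

int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/net/tcp", "r");    /* IPv4 table only */
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("samples: %d and %d exposed, this host: %d\n",
           exposed_smtp_listeners(SAMPLE_LOOPBACK_ONLY),
           exposed_smtp_listeners(SAMPLE_EXPOSED), exposed_smtp_listeners(buf));
    return 0;
}
```

An IPv6 wildcard listener appears in /proc/net/tcp6, which this example does not parse, and a packet filter on the external interfaces is not visible in this table either.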


Re: Sendmail

2000-03-26 Thread Sebastian Stark
On Sun, 26 Mar 2000, Oswald Buddenhagen wrote:

> i like the idea of denying all incoming packets on port 25.

why not do it? port 25 is only for incoming mail, so block it if you don't
need it (that's what you should do for all ports you don't need).

> > alternatively you can setup relay/delivery blocking rules in the
> > sendmail-config. but it's just a question of time, when the next
> > security hole is found in sendmail, so i prefer low-level-blocking.

i agree.
you want to use some deliver-only MTA for these kind of sites.
ssmtp is the program of your choice. (apt-get install ssmtp)

generally i'd say, don't use sendmail at all :)


sebastian

-- 
gravity is a myth. the earth sucks.


Re: Sendmail

2000-03-26 Thread Mark Brown
On Sun, Mar 26, 2000 at 03:39:10PM +0200, Petr Cech wrote:

> what about runq using cron?

Or running sendmail in queue only mode, for that matter?

-- 
Mark Brown  mailto:[EMAIL PROTECTED]   (Trying to avoid grumpiness)
http://www.tardis.ed.ac.uk/~broonie/
EUFS        http://www.eusa.ed.ac.uk/societies/filmsoc/



Re: Sendmail

2000-03-26 Thread Petr Cech
On Sun, Mar 26, 2000 at 03:13:24PM +0200 , Oswald Buddenhagen wrote:
> On Sun, 26 Mar 2000, David wrote:
> > /etc/init.d/sendmail stop
> > 
> i'm not sure, if this is a good idea. what about outgoing mails, that get
> delayed (i.e., cannot be sent immediately)? don't they need a running
> daemon? of course, they probably would get sent when a new mail is sent,
> but this may be ages later ...

what about runq using cron?

Petr Cech
--
Debian GNU/Linux maintainer - www.debian.{org,cz}
   [EMAIL PROTECTED]


Re: Sendmail

2000-03-26 Thread Oswald Buddenhagen
On Sun, 26 Mar 2000, David wrote:
> /etc/init.d/sendmail stop
> 
i'm not sure, if this is a good idea. what about outgoing mails, that get
delayed (i.e., cannot be sent immediately)? don't they need a running
daemon? of course, they probably would get sent when a new mail is sent,
but this may be ages later ...

i like the idea of denying all incoming packets on port 25.
alternatively you can setup relay/delivery blocking rules in the
sendmail-config. but it's just a question of time, when the next security
hole is found in sendmail, so i prefer low-level-blocking.

> On Sun, Mar 26, 2000 at 01:47:51PM +0200, Srebrenko Sehic wrote:
> > Hello
> > 
> > Is there a straightforward method of denying _all_ incoming emails with
> > sendmail (v8.8.7)? I need this because sendmail's only purpose is to send
> > and not accept any.
> > 
> > I guess I could just block all incoming packets to port 25, but is this a
> > good idea?
> > 
> > /Srebrenko
> > 

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Linux - the last service pack you'll ever need.


Re: Sendmail

2000-03-26 Thread David
/etc/init.d/sendmail stop

On Sun, Mar 26, 2000 at 01:47:51PM +0200, Srebrenko Sehic wrote:
> Hello
> 
> Is there a straightforward method of denying _all_ incoming emails with
> sendmail (v8.8.7)? I need this because sendmail's only purpose is to send
> and not accept any.
> 
> I guess I could just block all incoming packets to port 25, but is this a
> good idea?
> 
> /Srebrenko
> 
> 

-- 
David ______
<===>/ _ \___ __  __(_)__/ /
mailto:[EMAIL PROTECTED]  / // / _ `/ |/ / / _  /
http://tuxfinder.com/  //\_,_/|___/_/\_,_/