[942] in linux-security and linux-alert archive
Re: [linux-security] sendmail security i
daemon@ATHENA.MIT.EDU (Miller, Raul D.)
Tue Jul 23 04:56:15 1996
From: "Miller, Raul D." <RDMiller@legislate.com>
To: linux-security@tarsier.cv.nrao.edu
Date: Mon, 22 Jul 96 11:48:00 PDT
Raul Miller wrote;
>>If this ever crosses uid boundaries, it should be treated as just another
>>mail message and go through all the standard mechanisms for handling mail
>>messages.
Jesse Pollard wrote:
>Unfortunately this will waste a LOT of time:
> sendmail -> 0.delivery (gets 4 forwarding addresses)
....
> And each of these sendmail processes must do a delivery. Guess what happens
>if one of these forwarded addresses includes an address of the first delivery
>(0.delivery). Infinite recursion.
An alternative would be to put sufficient information in the headers to
detect the loop.
An example of a mailer which performs at least as well as sendmail, and
doesn't have sendmail's security problems exists at
ftp://koobera.math.uic.edu/pub/software/
The most recent version is qmail-0.76.tar.gz
It's still in beta, but several CERT announcements have gone out on sendmail
(and analogous mailers, such as smail) and in each case qmail has not
exhibitted the problem. (qmail is coded very defensively). The reason it's
still in beta has to do with large scale deployment issues -- administration,
list management, backwards compatability with (a minimal set of) sendmail
features.
Anyways, the point is that there's no design issue that prevents an efficient
implementation of a mail transport agent which hands off mail at each uid
boundary.
Jesse Pollard wrote:
>The approach outlined is also a major performance hog. Sendmail is an
>intelligent (well... relatively) delivery and does analysis to reduce system
>overhead and avoid delivering the same message multiple times.
I don't think that sendmail has made the right design tradeoffs.
--
Raul