[971] in linux-security and linux-alert archive
Re: [linux-security] sendmail security
daemon@ATHENA.MIT.EDU (John Henders)
Fri Jul 26 10:35:08 1996
To: rbulling@obscure.org (Richard Bullington)
Date: Fri, 26 Jul 1996 03:07:57 -0700 (PDT)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.94.960726035841.824B-100000@marduk.obscure.org> from Richard Bullington at "Jul 26, 96 04:05:27 am"
Reply-to: jhenders@bogon.com
From: John Henders <jhenders@bogon.com>
Richard Bullington writes:
> Smail may not have CERT advisories put out, but people who write
> mailbombing software are actively exploiting a weakness in the
> production version (at least up to 3.1.29.1): it does not keep an IP
> address trail of SMTP participants in the "Received:" line of the
> headers.
It does when configured correctly. You need a line like this in the
config file. Notice the second if def: line. The problem is most smail
setups are not configured correctly. This part of my config file came
with the smail installation for SLS 1.0, and I believe it was supplied
by Ian Kluft, though I modified it to add the ident field when I
upgraded smail to use identd. Slackware gave smail a very bad name
because it was never configured correctly. Debian does a much better
job.
#
received_field="Received: \
${if def:sender_host {from $sender_host }}\
${if def:sender_host_addr {[$sender_host_addr] }}\
${if def:sender_proto: with $sender_proto }\
${if def:ident_sender:[ident $ident_sender] by $ident_method }\
${if def:sender_host {\n\t}}\
by $primary_name \
${if def:sender_proto {with $sender_proto }}\
\n\t($version_string #$compile_num) \
id $message_id; $spool_date"
> This means that if you can telnet to the SMTP port of a machine running
> smail, you can effectively forge mail. Smail will hide your tracks from
> the recipient of the message, who will need to get cooperation from the
> system administrators of the smail system to do any more tracing.
>
I've never seen anyone post on comp.mail.smail asking for a fix for this
or I would have posted it.
> Can someone quote from an SMTP related RFC that specifies what should
> be in the "Received:" header? Is Smail being a bad SMTP citizen?
Look at 822. I doubt it requires the IP address or smail would probably
have it by default. It always attempted to follow the RFCs pretty
carefully, from the comments in the code.
[Mod: I'm looking at 822 right now, and it's...well...interesting in
this respect. From section 4.1:
    trace       =  return                      ; path to sender
                   1*received                  ; receipt tags
    ...
    received    =  "Received"    ":"           ; one per relay
                      ["from" domain]          ; sending host
                      ["by"   domain]          ; receiving host
                      ["via"  atom]            ; physical path
                     *("with" atom)            ; link/mail protocol
                      ["id"   msg-id]          ; receiver msg id
                      ["for"  addr-spec]       ; initial form
Later:
4.3.2. RECEIVED
A copy of this field is added by each transport service that
relays the message. The information in the field can be quite
useful for tracing transport problems.
The names of the sending and receiving hosts and time-of-
receipt may be specified.
My reading of this is that the Received: header is required, but that
any actual trace information it contains is optional. It appears that
John is correct in his assertion; someone please correct me if I am
wrong. --Jeff.]
My new favorite mailer is Exim. It has similar config files to smail,
but is much more efficient by design.
--
Artificial Intelligence stands no chance against Natural Stupidity.
GAT d- -p+(--) c++++ l++ u++ t- m--- W--- !v
b+++ e* s-/+ n-(?) h++ f+g+ w+++ y*
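As an added example (not from the thread, smail or Exim), here is a small Python parser for the RFC 822 "received" production quoted above. It splits a Received: field into its from/by/via/with/id/for clauses and reports whether the hop recorded a bracketed sender IP literal, which is what the second if def: line of the received_field above adds; the two sample headers are constructed to mimic a smail with and without that line.

```python
import re

# Clause keywords from the RFC 822 "received" production quoted in the thread.
KEYWORDS = ("from", "by", "via", "with", "id", "for")

# Constructed sample headers (not from the original post). The first mimics a
# smail that omits the sender address; the second mimics the received_field
# from the thread, where "[$sender_host_addr]" follows the "from" host.
NO_ADDR = ("Received: from forged.example.com by mail.example.org with smtp\n"
           "\t(Smail3.1.29.1 #1) id m0abcde-000xyzC; Fri, 26 Jul 1996 03:07:57 -0700 (PDT)")
WITH_ADDR = ("Received: from forged.example.com [192.0.2.10] with smtp\n"
             "\tby mail.example.org with smtp\n"
             "\t(Smail3.1.29.1 #1) id m0abcde-000xyzC; Fri, 26 Jul 1996 03:07:57 -0700 (PDT)")

def parse_received(header):
    """Split one Received: field into {keyword: [values...]}.

    Folded lines are joined, parenthesised comments are dropped (they are not
    part of the structured body), and the trailing ";" date-time is kept
    under "date". Keywords may repeat (the config above emits "with" twice),
    so every clause value is a list.
    """
    body = re.sub(r"\r?\n[ \t]+", " ", header).strip()
    body = re.sub(r"^received:\s*", "", body, flags=re.IGNORECASE)
    body = re.sub(r"\([^()]*\)", " ", body)
    body, _, date = body.partition(";")
    clauses = {"date": date.strip()}
    key = None
    for tok in body.split():
        if tok.lower() in KEYWORDS:
            key = tok.lower()
            clauses.setdefault(key, []).append("")
        elif key is not None:
            clauses[key][-1] = (clauses[key][-1] + " " + tok).strip()
    return clauses

def sender_address(header):
    """Return the bracketed IPv4 literal recorded after "from", or None.

    Without it the header names only the host the SMTP client claimed to be,
    which is the tracing gap discussed in the thread.
    """
    for value in parse_received(header).get("from", []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
        if m:
            return m.group(1)
    return None

if __name__ == "__main__":
    for label, hdr in (("no address", NO_ADDR), ("with address", WITH_ADDR)):
        print(label, "->", parse_received(hdr), "addr:", sender_address(hdr))
```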