[975] in linux-security and linux-alert archive


Re: [linux-security] sendmail security

daemon@ATHENA.MIT.EDU (John Henders)
Sat Jul 27 10:49:21 1996

To: linux-security@tarsier.cv.nrao.edu
Date: Fri, 26 Jul 1996 15:44:53 -0700 (PDT)
Reply-to: jhenders@bogon.com
From: John Henders <jhenders@bogon.com>

To moderator. I sent this yesterday but didn't see it on the list. On
checking I discovered I'd accidentally wrapped the included text with my
new text so it may have been rejected for unreadability. Here is the
message properly formatted.

Richard Bullington writes:

> Smail may not have CERT advisories put out, but people who write 
> mailbombing software are actively exploiting a weakness in the production 
> version (at least up to 3.1.29.1): it does not keep an IP address trail of 
> SMTP participants in the "Received:" line of the headers.  
> 

It does when configured correctly. You need a line like this in the
config file. Notice the second if def: line. The problem is most smail
setups are not configured correctly. This part of my config file came
with the smail installation for SLS 1.0, and I believe it was supplied
by Ian Kluft, though I modified it to add the ident field when I
upgraded smail to use identd. Slackware gave smail a very bad name
because it was never configured correctly. Debian does a much better
job.

#
received_field="Received: \
                ${if def:sender_host {from $sender_host }}\
                ${if def:sender_host_addr {[$sender_host_addr] }}\
                ${if def:sender_proto: with $sender_proto }\
                ${if def:ident_sender:[ident $ident_sender] by $ident_method }\
                ${if def:sender_host {\n\t}}\
                by $primary_name \
                ${if def:sender_proto {with $sender_proto }}\
                \n\t($version_string #$compile_num) \
                id $message_id; $spool_date"

  

> This means that if you can telnet to the SMTP port of a machine running
> smail, you can effectively forge mail. Smail will hide your tracks from
> the recipient of the message, who will need to get cooperation from the
> system administrators of the smail system to do any more tracing.

I've never seen anyone post on comp.mail.smail asking for a fix for this
or I would have posted it.


> Can someone quote from an SMTP related RFC that specifies what should
> be in the "Received:" header? Is Smail being a bad SMTP citizen?

Look at 822. I doubt it requires the IP address or smail would probably
have it by default. It always attempted to follow the RFCs pretty
carefully, from the comments in the code.

My new favorite mailer is Exim. It has similar config files to smail,
but is much more efficient by design.

-- 
      Artificial Intelligence stands no chance against Natural Stupidity.
                GAT d- -p+(--) c++++ l++ u++ t- m--- W--- !v
                     b+++ e* s-/+ n-(?) h++ f+g+ w+++ y*

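The practical question behind this thread is whether a message's Received:
trail actually lets you walk back to the IP address of the SMTP peer at
each hop. The script below is an added example, not code from the original
post or from the smail distribution: it unfolds each Received: header, pulls
out the "from" host, the "by" host and any bracketed IPv4 literal in the
"from" clause, and reports the hops that name a sending host but record no
address for it, which is exactly the gap a forger relies on. The sample
message is constructed; its hostnames and message ids are invented, and the
first hop's layout follows the received_field shown above (including the
"[ident ...] by rfc1413" text, which is why the parser takes the last "by"
clause rather than the first).

```python
import email
import re

# Received: clauses per RFC 822 are "from <host> ... by <host> ... ; <date>".
# Comments in parentheses may contain anything, so they are stripped first.
COMMENT_RE = re.compile(r"\([^()]*\)")
IP_LITERAL_RE = re.compile(r"\[((?:\d{1,3}\.){3}\d{1,3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)")
FROM_RE = re.compile(r"^from\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)

# Constructed sample: hostnames, ids and addresses are invented for the example.
# Hop 1 records the peer address (smail with the received_field above),
# hop 2 is a default smail relay that records only the claimed host name,
# hop 3 is a local submission with no "from" clause at all.
SAMPLE = """\
Received: from relay.example.org [192.0.2.10] with smtp [ident jhenders] by rfc1413
\tby mail.example.com with smtp
\t(Smail3.1.29.1 #1) id m1aaaaa-000001C; Fri, 26 Jul 1996 15:44:53 -0700 (PDT)
Received: from dialup7.example.net by relay.example.org with smtp
\t(Smail3.1.29.1 #1) id m1bbbbb-000002C; Fri, 26 Jul 1996 15:40:02 -0700 (PDT)
Received: by dialup7.example.net (Smail3.1.29.1 #1) id m1ccccc-000003C;
\tFri, 26 Jul 1996 15:39:50 -0700 (PDT)
From: someone@example.net
To: linux-security@tarsier.cv.nrao.edu
Subject: test

body
"""


def parse_received(value):
    """Split one Received: header value into from-host, by-host and peer IP."""
    text = " ".join(value.split())            # unfold continuation lines
    text = COMMENT_RE.sub(" ", text)          # drop (comments)
    clauses = text.split(";", 1)[0]           # everything before the date
    m_from = FROM_RE.match(clauses)
    by_hosts = BY_RE.findall(clauses)
    ip = None
    if m_from:
        # Only trust an address literal that sits in the "from" part, i.e.
        # before the final "by" clause (the ident field above emits its own
        # "by <method>", so the last "by" is the receiving host).
        cut = clauses.lower().rfind(" by ") if by_hosts else -1
        from_part = clauses[:cut] if cut >= 0 else clauses
        m_ip = IP_LITERAL_RE.search(from_part)
        ip = m_ip.group(1) if m_ip else None
    return {
        "from": m_from.group(1) if m_from else None,
        "by": by_hosts[-1] if by_hosts else None,
        "ip": ip,
    }


def trace_hops(raw_message):
    """Return the Received: hops in header order (most recent first)."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def untraceable_hops(raw_message):
    """Hops that name a sending host but recorded no address for it."""
    return [h for h in trace_hops(raw_message)
            if h["from"] is not None and h["ip"] is None]


if __name__ == "__main__":
    for n, hop in enumerate(trace_hops(SAMPLE), 1):
        print(f"hop {n}: from={hop['from']} ip={hop['ip']} by={hop['by']}")
    for hop in untraceable_hops(SAMPLE):
        print(f"no address recorded for {hop['from']} at {hop['by']}")
```

Run against the sample, the second hop is the one you cannot follow without
help from the administrator of relay.example.org: the header names
dialup7.example.net, but nothing in it says which address actually spoke
SMTP to the relay.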