[3713] in bugtraq
Re: A security issue of a different kind.
daemon@ATHENA.MIT.EDU (Alan Brown)
Fri Nov 29 13:40:08 1996
Date: Sat, 30 Nov 1996 06:21:55 +1300
Reply-To: Alan Brown <alan@manawatu.gen.nz>
From: Alan Brown <alan@manawatu.gen.nz>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <Pine.SUN.3.90.961130041018.3030i-100000@papaioea.manawatu.gen.nz>
This from the 8.8.3 release notes:
...
8.8.0/8.8.0 96/09/26
...
After 25 EXPN or VRFY commands, start pausing for a second before
processing each one. This avoids a certain form of denial
of service attack. Potential attack pointed out by Bryan
Costales.
...
Define new macros ${client_name}, ${client_addr}, and ${client_port}
that have the name, IP address, and port number (respectively)
of the SMTP client (that is, the entity at the other end of
the connection). These can be used in (e.g.) check_rcpt to
verify that someone isn't trying to relay mail through your
host inappropriately. Be sure to use the deferred evaluation
form, for example $&{client_name}, to avoid having these bound
when sendmail reads the configuration file.
Add new config file rule check_relay to check the incoming connection
information. Like check_compat, it is passed the host name
and host address separated by $| and can reject connections
on that basis.
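The two changes quoted above (the EXPN/VRFY pause after 25 commands, and the check_relay / ${client_addr} hooks for refusing connections and relaying) are easier to reason about as plain logic. The following is an added illustration, not sendmail code and not from the release notes: a toy per-connection throttle and a pair of policy functions that make the same kind of decision from the client's name and address. The domains and networks (`example.org`, 192.0.2.0/24, 198.51.100.0/24) are constructed placeholders.

```python
"""Toy SMTP policy logic modelled on the sendmail 8.8 release-note items quoted
above.  Constructed example for illustration; this is not sendmail's code."""
import ipaddress
import time

# From the release notes: after 25 EXPN or VRFY commands, pause one second
# before processing each further one.  This bounds how fast a single
# connection can harvest addresses or burn CPU on alias expansion.
EXPN_VRFY_FREE_QUOTA = 25
EXPN_VRFY_PAUSE_SECS = 1.0

# Constructed policy data (placeholders, not from the page).
LOCAL_DOMAINS = frozenset({"example.org"})                     # domains we deliver for
RELAY_NETS = (ipaddress.ip_network("192.0.2.0/24"),)           # our own LAN, allowed to relay
BLOCKED_NETS = (ipaddress.ip_network("198.51.100.0/24"),)      # connections we refuse outright


class SessionThrottle:
    """Per-connection counter for the address-probing verbs EXPN and VRFY."""

    def __init__(self, sleep=time.sleep):
        self.probe_count = 0
        self._sleep = sleep  # injectable so the logic can be exercised without waiting

    def before_command(self, verb: str) -> float:
        """Apply and return the delay (seconds) imposed before this command.

        Non-probe verbs are never delayed.  The first 25 probes are free; the
        26th and every later one sleeps for EXPN_VRFY_PAUSE_SECS first.
        """
        if verb.upper() not in ("EXPN", "VRFY"):
            return 0.0
        self.probe_count += 1
        if self.probe_count <= EXPN_VRFY_FREE_QUOTA:
            return 0.0
        self._sleep(EXPN_VRFY_PAUSE_SECS)
        return EXPN_VRFY_PAUSE_SECS


def check_relay(client_name: str, client_addr: str) -> tuple:
    """check_relay analogue: decide on the connection itself.

    Receives the same two facts the ruleset gets (host name and host address,
    which sendmail passes separated by $|).  The decision keys on the address:
    the name comes from reverse DNS, which the connecting network's owner
    controls, so it is only useful for logging and diagnostics.
    """
    addr = ipaddress.ip_address(client_addr)
    if any(addr in net for net in BLOCKED_NETS):
        return ("REJECT", f"550 Connection from {client_name} [{client_addr}] refused")
    return ("OK", "")


def check_rcpt(client_addr: str, rcpt_domain: str) -> tuple:
    """check_rcpt analogue using ${client_addr} to stop third-party relaying.

    Accept mail for our own domains from anyone; accept mail for other
    domains only from our own network.  The address is read at RCPT time for
    this connection, which is what the deferred $&{client_addr} form gives a
    ruleset (a plain ${client_addr} would be bound once at config-load time).
    """
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return ("OK", "")
    addr = ipaddress.ip_address(client_addr)
    if any(addr in net for net in RELAY_NETS):
        return ("OK", "")
    return ("REJECT", "550 Relaying denied")


if __name__ == "__main__":
    throttle = SessionThrottle()
    for _ in range(25):
        throttle.before_command("VRFY")
    print("26th VRFY delayed by", throttle.before_command("VRFY"), "s")
    print(check_relay("host.example.net", "198.51.100.7"))
    print(check_rcpt("203.0.113.5", "elsewhere.example.com"))
```

The split between the two functions mirrors the hooks: check_relay sees only connection facts and can refuse the session, while check_rcpt combines the client address with the recipient domain to refuse relaying. Keying both on the address rather than the resolved name is the practical caveat; a forged or missing PTR record changes ${client_name} but not ${client_addr}.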
...