Slashdot: News for Nerds

Sendmail Hit by Data Interception Flaw

CowboyNeal posted more than 8 years ago | from the bumps-in-the-night dept.

ricepudd writes "Computer Weekly reports that Internet security researchers have discovered a serious flaw in Sendmail. The flaw could allow remote attackers to take control of users' PCs. The Sendmail Consortium urged users to upgrade to version 8.13.6 of the software, which contains a fix to the problem. Computer Weekly seems to think that the fact that the Windows version isn't affected will help curtail the threat."

208 comments

Wait (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#14984680)

People use Sendmail?

Re:Wait (1)

roosterx (739030) | more than 8 years ago | (#14984847)

people use sendmail on windows?

Re:Wait (-1, Redundant)

Pxtl (151020) | more than 8 years ago | (#14984903)

Bewilders me too. A program that old and infamously cryptic doing a job that is so (theoretically) simple (it sends mail - whoa) has no excuse to have security flaws this late in the game.

Of course, I'm not an admin, so I am officially talking out of my hiney.

Reality check: (4, Funny)

Anonymous Coward | more than 8 years ago | (#14984682)

Ah, the WINDOWS version is NOT affected! How ironic!

Re:Reality check: (5, Funny)

Anonymous Coward | more than 8 years ago | (#14984740)

it's safer running the windows version of something?

truly, it is the end times

Re:Reality check: (1)

Adeus666 (886040) | more than 8 years ago | (#14985822)

When windows has the most secure version of multi-platform software, it's not ironic. It's downright F***ed up!

Flaw seems unexploited (5, Informative)

rg3 (858575) | more than 8 years ago | (#14984685)

As everyone who follows the Slackware changelog, new packages were available yesterday. It seems there is still no exploit for this flaw, and it's somehow hard to exploit. That's the impression I got from the changelog entry. I'll paste it here:

n/sendmail-8.13.6-i486-1.tgz: Upgraded to sendmail-8.13.6.
              This new version of sendmail contains a fix for a security problem
              discovered by Mark Dowd of ISS X-Force. From sendmail's advisory:
              Sendmail was notified by security researchers at ISS that, under some
              specific timing conditions, this vulnerability may permit a specifically
              crafted attack to take over the sendmail MTA process, allowing remote
              attackers to execute commands and run arbitrary programs on the system
              running the MTA, affecting email delivery, or tampering with other
              programs and data on this system. Sendmail is not aware of any public
              exploit code for this vulnerability. This connection-oriented
              vulnerability does not occur in the normal course of sending and
              receiving email. It is only triggered when specific conditions are
              created through SMTP connection layer commands.
              Sendmail's complete advisory may be found here:
              http://www.sendmail.com/company/advisory/index.shtml [sendmail.com]
              The CVE entry for this issue may be found here:
              http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058 [mitre.org]
              (* Security fix *)

Re:Flaw seems unexploited (4, Informative)

molnarcs (675885) | more than 8 years ago | (#14984782)

FreeBSD also has details in their security notification. [freebsd.org] Those guys are fast - if you want to have up to date info on security vulns., FreeBSD has them (usually with patches) way before the news hits slashdot ;) For those who are asking [slashdot.org] for line numbers, just take a look at the patches included. Or better, here is a kompare screenshot [unideb.hu] .

Re:Flaw seems unexploited (5, Informative)

cperciva (102828) | more than 8 years ago | (#14985115)

FreeBSD also has details in their security notification. Those guys are fast - if you want to have up to date info on security vulns., FreeBSD has them (usually with patches) way before the news hits slashdot

We do our best. :-)

Seriously though, CERT told us that the embargo was going to end at 16:00 UTC, so I had a shell window open with a series of "cvs commit" commands waiting for me to hit <enter>, a window with the commit messages I was going to use, a window with the advisory text waiting for me to type in the correction times, a shell window open to ftp-master.freebsd.org waiting for me to copy the patches into the right directory...

When you have two weeks advance notice, it's easy to get advisories out soon after the embargo ends -- the hardest part of the process was making sure that I'd be awake at 8:00 AM (PST).

Re:Flaw seems unexploited (1, Funny)

Anonymous Coward | more than 8 years ago | (#14985166)

the hardest part of the process was making sure that I'd be awake at 8:00 AM (PST).

Commie.

Re:Flaw seems unexploited (1)

non-poster (529123) | more than 8 years ago | (#14984894)

Gentoo's advisory [gentoo.org] , released 2006/03/22

Re:Flaw seems unexploited (0, Flamebait)

Radak (126696) | more than 8 years ago | (#14985322)

As everyone who follows the Slackware changelog, new packages were available yesterday.

What exactly does this sentence mean? Or are you just one of those Slashdot writers who thinks that the more words he includes in his sentences, the smarter he will be perceived to be?

Flaimbait (0, Flamebait)

LordOfTheNoobs (949080) | more than 8 years ago | (#14985803)

It is obvious the author left out the word 'knows'. If you couldn't tell this, you are a bit slow in the head. If you could, you are an asinine prick. Your choice.

Re:Flaw seems unexploited (4, Informative)

Bacon Bits (926911) | more than 8 years ago | (#14985545)

It seems there is still no exploit for this flaw, and it's somehow hard to exploit.

If you read Sendmail's complete advisory, you can see that the vulnerability requires the exploitation of a race condition. You have to submit a request, and then before that one times out submit another malformed one.

What? Another one? (0)

Anonymous Coward | more than 8 years ago | (#14984688)

All I hear from CERT is how insecure Sendmail is.

Next time, I'm using Postfix.

Re:What? Another one? (1)

Rekolitus (899752) | more than 8 years ago | (#14984846)

Actually, QMail is the one designed with security in mind. As far as I'm aware it's never had any vulnerabilities. See security guarantee [cr.yp.to] .

Re:What? Another one? (1)

stor (146442) | more than 8 years ago | (#14985759)

I used to be a Qmail fan. I had a couple of Qmail+Patches mailservers that stayed up and fairly secure for years. For the past few years though, it's Postfix all the way for me.

You need to apply about 50 patches to get a decent Qmail MTA, at which time all the security guarantees vanish. This is a problem because Dan seems unwilling to apply the patches that make Qmail a usable MTA. Big concurrency patch anyone?

wtf is it with Dan Bernstein's World?

He couldn't use standard SysV init scripts to start Qmail, no... we need the "supervise" and /services cruft! Xinetd? Nahh fuck it, I'll write "ucspi-tcp" instead and force that down everyone's throat. Configuration files in /etc? Nahh, we'll create some weird-ass Bernstein World hierarchy for that too.

Dr B's software is mostly useful in theory, not in practise.

Just use Postfix or Exim: you'll save yourself a lot of pain. It doesn't treat your Unix box like it's just a mere application launcher.

Cheers
Stor

Re:What? Another one? (2, Interesting)

ZeekWatson (188017) | more than 8 years ago | (#14985846)

Windows Unaffected (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14984690)

it's because linux sucks.

the future. (1)

Gravis Zero (934156) | more than 8 years ago | (#14984692)

tomorrow's news: Sun's Grid taken over, largest spamming operation ever

fp (-1, Troll)

jonaskoelker (922170) | more than 8 years ago | (#14984693)

Now, all I've got to do is think of something interesting to say in my first first post...

Re:fp (-1, Offtopic)

djdanlib (732853) | more than 8 years ago | (#14984723)

Like maybe... Wait, this is a Second Post?

Gee, Full Disclosure would be nice (1, Interesting)

QuantumG (50515) | more than 8 years ago | (#14984694)

Can you tell us the file and line number that causes the problem and the mitigating circumstances under which it occurs. Jesus, it is open source ya know.

Re:Gee, Full Disclosure would be nice (5, Informative)

LiquidCoooled (634315) | more than 8 years ago | (#14984828)

If you knew that you would be 99% of the way to solving the bug.
As it happens, someone already posted [slashdot.org] a screenshot of the BSD version of the fix.

A single line of c:

t = 0;

Inserted between lines 147 and 148 of file fflush.c appears to be the fix (reset a mem pointer just used above).
I don't vouch for it and haven't even bothered to look at context or even if it's the actual fix required, however it's not like it was hidden and you don't need to get uppity about it.

Incidentally, it's such small code modifications that can bring great amounts of money to maintainers of corporate code that the monkeys don't understand what they are paying for.

"But you only changed 1 line"
"Yer, but that one line makes it work now...."

Re:Gee, Full Disclosure would be nice (1)

LiquidCoooled (634315) | more than 8 years ago | (#14984839)

there were a lot more files included in the fix than just the one.

*refer to sig*

Re:Gee, Full Disclosure would be nice (2)

QuantumG (50515) | more than 8 years ago | (#14984845)

I hark from a time when that kind of information was front and centre in the security advisory. I'm old, I have an inalienable right to get uppity.

Re:Gee, Full Disclosure would be nice (1)

pyrotic (169450) | more than 8 years ago | (#14985622)

Considering the size, age and complexity of the sendmail code base, there can't be too many people who know which line to patch. Sendmail is ugly and unmaintainable, and needs to be rewritten from the ground up. Just ask sendmail. [sendmail.org] (The design document reminds me strongly of postfix. And no more sendmail.mc, yay!)

No link to actual advisory in summary or article (5, Informative)

doorbot.com (184378) | more than 8 years ago | (#14984695)

I believe this is the actual advisory:

http://www.frsirt.com/english/advisories/2006/1049 [frsirt.com]

A critical vulnerability has been identified in Sendmail, which could be exploited by remote attackers or network worms to take complete control of an affected system. This flaw is due to errors in the "setjmp()", "longjmp()" and "sm_syslog()" functions that do not properly handle certain asynchronous signals, which could be exploited by remote unauthenticated attackers to execute arbitrary commands by sending specially crafted requests to the SMTP port.
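The advisory text above ties the flaw to setjmp()/longjmp() and sm_syslog() interacting with asynchronous signals. As an added illustration (not Sendmail's code or its patch), this C example shows the general defensive pattern for an I/O timeout: the signal handler only sets a flag, and the blocked read returns to normal control flow instead of being abandoned mid-call. The names `read_with_timeout` and `demo` are hypothetical.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* sigaction(), setitimer() */
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

/* The only state the handler touches. sig_atomic_t is the one object type
 * the C standard guarantees can be written safely from a signal handler. */
static volatile sig_atomic_t timed_out;

static void on_alarm(int signo)
{
    (void)signo;
    /* No longjmp(), no logging, no allocation here: the signal may have
     * interrupted code that holds half-updated buffers or heap state. */
    timed_out = 1;
}

/* Read up to len bytes from fd, giving up after timeout_ms milliseconds.
 * Returns the byte count (>= 0), -1 on error, -2 on timeout. */
long read_with_timeout(int fd, char *buf, size_t len, int timeout_ms)
{
    struct sigaction sa, old_sa;
    struct itimerval tv, off;
    long result;

    if (timeout_ms <= 0)
        timeout_ms = 1;             /* a zero it_value would disarm the timer */

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);       /* sa_flags stays 0: no SA_RESTART, so   */
    if (sigaction(SIGALRM, &sa, &old_sa) != 0)   /* read() fails with EINTR  */
        return -1;

    timed_out = 0;
    memset(&tv, 0, sizeof tv);
    tv.it_value.tv_sec = timeout_ms / 1000;
    tv.it_value.tv_usec = (timeout_ms % 1000) * 1000L;
    /* Re-fire every 10 ms after expiry, so a signal that lands just before
     * read() starts blocking is not a lost wakeup. */
    tv.it_interval.tv_usec = 10000;
    if (setitimer(ITIMER_REAL, &tv, NULL) != 0) {
        sigaction(SIGALRM, &old_sa, NULL);
        return -1;
    }

    for (;;) {
        ssize_t n;
        if (timed_out) { result = -2; break; }   /* decided in normal flow */
        n = read(fd, buf, len);
        if (n >= 0) { result = (long)n; break; }
        if (errno != EINTR) { result = -1; break; }
    }

    /* Disarm the timer first, then restore the previous disposition. */
    memset(&off, 0, sizeof off);
    setitimer(ITIMER_REAL, &off, NULL);
    sigaction(SIGALRM, &old_sa, NULL);
    return result;
}

/* Constructed harness: a pipe stands in for the client socket. If pending is
 * non-NULL it is written first, so the read completes before the timeout. */
long demo(const char *pending, int timeout_ms)
{
    int fds[2];
    char buf[64];
    long r;

    if (pipe(fds) != 0)
        return -1;
    if (pending != NULL && write(fds[1], pending, strlen(pending)) < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    r = read_with_timeout(fds[0], buf, sizeof buf, timeout_ms);
    close(fds[0]);
    close(fds[1]);
    return r;
}

int main(void)
{
    printf("silent peer: %ld\n", demo(NULL, 100));
    printf("ready peer:  %ld\n", demo("NOOP\r\n", 100));
    return 0;
}
```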

Re:No link to actual advisory in summary or articl (3, Informative)

pneumatus (936254) | more than 8 years ago | (#14984806)

Further info of this security advisory available on CVE-2006-0058 [mitre.org] and from Security Focus [securityfocus.com]

Stupid Article (0)

Krach42 (227798) | more than 8 years ago | (#14984700)

They say that the Sendmail Consortium says that some 70% of the world's email uses their services, but the fact that Windows isn't affected by the flaw will help curtail the effect?

Who the hell thought that was even a smart thing to say? I mean, that's like saying that because Mac OSX and Linux aren't affected by the Sasser virus that this will curtail the effects of any worm.

WHAT CRACK ARE YOU SMOKING AND WHY AREN'T YOU SHARING?!

Re:Stupid Article (0)

babbling (952366) | more than 8 years ago | (#14984770)

Not really. The fact that Windows is so common means that when Windows isn't affected, there IS less of an effect.

Suppose on a network, 20% of hosts are Windows and 80% are Linux. If a worm is spreading through Windows, it will have to scan through more computers (on average) to find another Windows host to infect. Having to scan more hosts per host that you infect slows down the infection rate.

can someone explain... (2, Insightful)

Churla (936633) | more than 8 years ago | (#14984701)

The difference between "Serious" and "Highly Critical"...

(Yes, tongue is firmly in cheek here...)

Why would this qualify as serious if there isn't even a known way to exploit it yet? Or was there one in there I missed?

Re:can someone explain... (4, Funny)

Anonymous Coward | more than 8 years ago | (#14984719)

You want a serious answer or a highly critical one?

Re:can someone explain... (1)

hotdiggitydawg (881316) | more than 8 years ago | (#14984766)

Nice one. Been a while since anything on /. has actually made me laugh out loud!

Re:can someone explain... (1)

Darth_brooks (180756) | more than 8 years ago | (#14984758)

If the flaw has been made public, there's an exploit for it. The 'sploit might not be available on www.l33t-d0wn0ad-sp10tz.ru right now, but you have to assume that it's floating around out there.

Re:can someone explain... (1)

G-Licious! (822746) | more than 8 years ago | (#14984824)

Well sure, I imagine the folks at ISS wrote and ran an exploit to back up their claims.

Re:can someone explain... (1)

Chris Kamel (813292) | more than 8 years ago | (#14984942)

because in a few hours there will be...

Ah! (4, Funny)

O'Laochdha (962474) | more than 8 years ago | (#14984716)

So the FBI was wiser than we thought in withholding e-mail accounts...

The FreeBSD mailing list is a little less alarmist (4, Informative)

micheas (231635) | more than 8 years ago | (#14984721)

An email I received from the FreeBSD security mailing list seems to imply to me that this might be more of a concern for multi user systems.

From: Claus Assmann <freebsd+security@esmtp.org>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:13.sendmail
Date: Thu, 23 Mar 2006 10:31:20 -0800

On Thu, Mar 23, 2006, Bigby Findrake wrote:
> Does an attacker need network access to the machine, or does the attacker

Yes.

> merely need to be able to get an SMTP message to the machine?

He needs to control the timeouts (AFAICT).

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security [freebsd.org]
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Re:The FreeBSD mailing list is a little less alarm (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14984833)

I got an email too!

From: Bill Gates
To: Steve Jobs
Date: Date: Thu, 23 Mar 2006 12:23:31 -0800 (PDT)
Subject: I Left You A Soiled Condom

Steve, I loved our anal encounter yesterday. The way you rammed your rod into me while you rubbed my member with a Nano really sold me on just how much I miss all those Apple stocks. Tonight I'm going to kick that worthless whore out and sell all my Microsoft shares. BTW, I left a soiled condom as a momento of our encounter. Right now I'm ramming a cucumber up my hole just waiting for our next meeting.

Bah!! (0)

Anonymous Coward | more than 8 years ago | (#14984735)

OOOLLLDDD NEWS!!

My PC? (1)

whitehatlurker (867714) | more than 8 years ago | (#14984736)

Sendmail is a mail transfer agent that would run on mail relays or servers, not typically on a desktop, particularly not in a network server configuration, which as far as I could see was the vulnerable configuration.

That the Windows version is or isn't vulnerable doesn't enter into it. I doubt that 1 in 10000 windows boxes would run an email server. (Okay somebody do the sales of Exchange divided by total Windows boxes and show me to be wrong. ;-)

Re:My PC? (3, Informative)

YU Nicks NE Way (129084) | more than 8 years ago | (#14984760)

Windows has shipped with an SMTP server installed since Windows 2000. It's off by default in Server 2003 and in all client versions, and, I think, in 2000 Server, but it's there.

What do you think the spammers use on their zombie boxes? Code they wrote themselves?

Re:My PC? (1)

whitehatlurker (867714) | more than 8 years ago | (#14984781)

Thank you, I had forgotten that. I sit corrected. ;-)

What do you think the spammers use on their zombie boxes? Code they wrote themselves?

No, but I didn't think they actually used SMTP for anything. Isn't it all IRC traffic? I've never actually seen a zombie computer, sorry.

Re:My PC? (3, Funny)

Dionysus (12737) | more than 8 years ago | (#14984902)

What do you think the spammers use on their zombie boxes? Code they wrote themselves?

Why would a spammer need a smtp server on a zombie box? Don't zombie boxes just send email?

Re:My PC? (4, Funny)

techno-vampire (666512) | more than 8 years ago | (#14984933)

Why would a spammer need a smtp server on a zombie box? Don't zombie boxes just send email?

And what protocol do they use to send it? SMTP, of course.

This has been another D'oh! moment.

Re:My PC? (2)

larry bagina (561269) | more than 8 years ago | (#14985121)

But they're an SMTP client, not an SMTP server.

Re:My PC? (1)

Ryan Amos (16972) | more than 8 years ago | (#14985342)

Yeah, but they sure as hell don't use sendmail. It's just easier to open a socket connection on port 25 and spew out your faked headers than it is to bother trying to hack it through sendmail.

Re:My PC? (1)

ignorant_newbie (104175) | more than 8 years ago | (#14985470)

>Yeah, but they sure as hell don't use sendmail.
>It's just easier to open a socket connection on port 25 and spew out
>your faked headers than it is to bother trying to hack it through sendmail.

which is why techniques like HELO verification and greylisting are so effective.

Re:My PC? (2, Informative)

Batou (532120) | more than 8 years ago | (#14985657)

HELO verification as far as verifying HELO matching fqdn or ptr record or something is a highly dangerous thing to do and will lead to tons of false positives. Ever notice how many MSexChange servers are running out there declaring "IAMASTUPIDEXCHANGESERVER.LOCAL" or something?

I see an awful lot of this on any given day ...

@400000004422e50b06a4b4dc Accept::RCPT::Rcpthosts_Rcptto: S:63.145.94.241:unknown H:ms1.remax.local F: T:xxxx@xxxxx
@400000004422e514391f8af4 Accept::RCPT::Rcpthosts_Rcptto: S:65.218.62.86:unknown H:wolf-server.WolfRealty.local F:xxxx@xxxx T:xxxx@xxxx
@400000004422e5340cc927bc Accept::RCPT::Rcpthosts_Rcptto: S:70.89.50.73:unknown H:apollo.kwlansdale.local F:xxxx@xxxxx T:xxxx@xxxx
@400000004422e53a3ae2842c Accept::RCPT::Rcpthosts_Rcptto: S:67.43.168.74:unknown H:bilbo.idcdomain.local F:xxxx@xxxx T:xxxx@xxxx
@400000004422e56c2bf424d4 Accept::RCPT::Rcpthosts_Rcptto: S:71.4.51.66:unknown H:cmsacsvr01.comstock.local F:xxxx@xxxx T:xxxx@xxxx

Like it or not, and whether the rfc's require it or not, there are an awful lot of people out there using mail servers setup by people completely and utterly unqualified to maintain them. And you bet your ass your users are going to complain (loudly) when they can't get emails from their customers/clients/aunt betty/whatever.

Same for requiring reverse dns, spf records, etc. Use any of these for hard rejection, and you're nuts. (Hear me AOL?)
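An added example (not part of the original post) of measuring this on your own logs before enforcing anything: it parses lines in the layout shown above, classifies each HELO name, and counts the accepted deliveries a hard HELO rule would have bounced. The sample lines, the private-suffix list and all function names are constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* strcasecmp() */
#endif
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum helo_class { HELO_OK = 0, HELO_PRIVATE_SUFFIX, HELO_NOT_FQDN, HELO_MISSING };

/* Constructed sample lines in the same field layout as the log excerpt
 * (S: peer address, H: HELO name, F: sender, T: recipient). Addresses are
 * from the documentation ranges; none of these are real hosts. */
static const char *const SAMPLE[] = {
    "@400000004422e50b00000001 Accept::RCPT::Rcpthosts_Rcptto: S:192.0.2.10:unknown H:ms1.example.local F:a@example.org T:b@example.net",
    "@400000004422e50b00000002 Accept::RCPT::Rcpthosts_Rcptto: S:192.0.2.11:unknown H:mail.example.com F:a@example.com T:b@example.net",
    "@400000004422e50b00000003 Accept::RCPT::Rcpthosts_Rcptto: S:192.0.2.12:unknown H:EXCHANGE01 F:a@example.org T:b@example.net",
    "@400000004422e50b00000004 Accept::RCPT::Rcpthosts_Rcptto: S:198.51.100.7:unknown H:srv.Office.LOCAL F: T:b@example.net",
    "@400000004422e50b00000005 Accept::RCPT::Rcpthosts_Rcptto: S:203.0.113.5:unknown H:[203.0.113.5] F:a@example.org T:b@example.net",
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

/* Copy the value of the H: field into out; out becomes "" if it is absent. */
static void helo_field(const char *line, char *out, size_t outlen)
{
    const char *p = strstr(line, " H:");
    size_t n = 0;

    if (p != NULL) {
        p += 3;
        n = strcspn(p, " \t\r\n");      /* field ends at the next blank */
        if (n >= outlen)
            n = outlen - 1;
        memcpy(out, p, n);
    }
    out[n] = '\0';
}

/* Case-insensitive suffix match. */
static int ends_with_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcasecmp(s + ls - lx, suffix) == 0;
}

/* Classify a HELO name by syntax only (no DNS lookups). */
enum helo_class classify_helo(const char *name)
{
    /* Assumed list of suffixes that never resolve publicly; extend to taste. */
    static const char *const private_suffixes[] = { ".local", ".localdomain", ".lan" };
    size_t i;

    if (name == NULL || name[0] == '\0')
        return HELO_MISSING;
    if (name[0] == '[')
        return HELO_OK;                 /* address literal, legal in HELO/EHLO */
    if (strchr(name, '.') == NULL)
        return HELO_NOT_FQDN;           /* bare NetBIOS-style host name */
    for (i = 0; i < sizeof private_suffixes / sizeof private_suffixes[0]; i++)
        if (ends_with_ci(name, private_suffixes[i]))
            return HELO_PRIVATE_SUFFIX;
    return HELO_OK;
}

/* Count accepted deliveries that a hard "HELO must be a public FQDN" rule
 * would have rejected. These are the users' missing e-mails. */
size_t would_be_rejected(const char *const *lines, size_t n)
{
    char helo[256];
    size_t i, hits = 0;

    for (i = 0; i < n; i++) {
        if (strstr(lines[i], " Accept::") == NULL)
            continue;                   /* only mail that was actually accepted */
        helo_field(lines[i], helo, sizeof helo);
        if (classify_helo(helo) != HELO_OK)
            hits++;
    }
    return hits;
}

int main(void)
{
    printf("%lu of %lu accepted deliveries would be lost to a hard HELO rule\n",
           (unsigned long)would_be_rejected(SAMPLE, SAMPLE_COUNT),
           (unsigned long)SAMPLE_COUNT);
    return 0;
}
```

Running this over a day of real accept logs gives the false-positive count to weigh before turning a HELO check from a score into a rejection.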

Re:My PC? (1)

stor (146442) | more than 8 years ago | (#14985818)

Like it or not, and whether the rfc's require it or not, there are an awful lot of people out there using mail servers setup by people completely and utterly unqualified to maintain them.

Yes that's true. I tell them to fix their MTA.

Same for requiring reverse dns, spf records, etc. Use any of these for hard rejection, and you're nuts. (Hear me AOL?)

Well I do. The spam situation is out of control. If the problem is that a remote MTA doesn't have a proper reverse DNS entry for instance, that needs to be fixed. Why should I modify my MTA to support other people's broken ones?

Cheers
Stor

Re:My PC? (1)

Spy der Mann (805235) | more than 8 years ago | (#14984762)

I doubt that 1 in 10000 windows boxes would run an email server.

We're running hMailServer (F/OSS) on our XP box, works like charm, has relaying controls and spam protection. Great for those with Apache/PHP/MySQL on windows.

Re:My PC? (1)

MightyMartian (840721) | more than 8 years ago | (#14984785)

I didn't even know there was a Win32 port of sendmail. Not that I'd use it anyways, Postfix on *nix is waaaaaaay easier to set up and administer.

FC5 comes with sendmail-8.13.6-0.FC5.1 (1)

erroneus (253617) | more than 8 years ago | (#14984774)

Yay! I've been meaning to upgrade my mail server anyway... I'll just do it with more urgency now.

CONVERT!! CONVERT!! (1)

AltGrendel (175092) | more than 8 years ago | (#14984989)

Or you could just use the system-switch-mail command and move over to postfix.

Re:FC5 comes with sendmail-8.13.6-0.FC5.1 (1)

metamatic (202216) | more than 8 years ago | (#14985642)

Are you saying FC5 still has sendmail as default MTA?

hear that? (-1, Troll)

illuminatedwax (537131) | more than 8 years ago | (#14984794)

It's the sound of thousands of qmail users gloating.

Re:hear that? (0)

Anonymous Coward | more than 8 years ago | (#14984914)

and millions of exim users too :) and tens of millions of postfix users...

Re:hear that? (0)

Anonymous Coward | more than 8 years ago | (#14984946)

Denying the existence of security holes (qmail's preferred way of "fixing" them) doesn't make them stop existing.

Re:hear that? (1)

illuminatedwax (537131) | more than 8 years ago | (#14985014)

I didn't say I was gloating (I haven't ever installed an MTA!), but 1 bug that can be easily worked around (instead of requiring a patch) which 99% of the users won't even come across, in 9 years is awfully impressive.

Re:hear that? (0)

Anonymous Coward | more than 8 years ago | (#14985041)

Damn this got modded down right fast. And right above a "CHECK OUT OTHER MTAS DUMMY" comment that got modded up to 3...

The inevitable 'use postfix!' post.... (5, Informative)

Malor (3658) | more than 8 years ago | (#14984810)

Yes, I realize this is too late for those of you running Sendmail now, and please don't take this as criticism for using it.... it's a solid mail program. But it was written when the Net was a much nicer place, and it's proving, once again, that retrofitting security is either very difficult or impossible. For a long time, it seemed like practically every third exploit was for Sendmail... it got pretty frustrating.

The two major alternatives are Qmail and Postfix; Courier is sort of an up-and-comer, but they've had quite a number of security holes in those packages. (of course, that may also be related to the fact that Courier does a lot more than just deliver mail.) Of the three, I prefer Postfix. It's exceedingly solid, very fast, and fairly easy to configure. The initial learning curve is a little steep (mostly because there's about a billion things you can set), but the config files are readable when you're done. You don't have to relearn the whole program every six months. It's also very secure... I'm only aware of two security problems in its entire history. (I don't remember the details, but I think one was minor, and the other was moderately serious.)

QMail is also solid, fast, and secure. But the author has decided that Unix machines should be configured a particular way, with files in particular places, and he uses his code as a weapon to try to force you to do things the way he wants. So I won't run it unless I have to. I don't deny that he's a brilliant coder and forty-eight times smarter than I am, but I refuse to be dictated to.

Postfix can take a beating.. it is Truly Great Software. It will handle any load that Sendmail will handle, it's easier to administer, and the security is better. And, of course, it's truly free... Wietse won't try to make your administration decisions for you.

Re:The inevitable 'use postfix!' post.... (1)

ClamIAm (926466) | more than 8 years ago | (#14984956)

There's also Exim and some others, as well.

Re:The inevitable 'use postfix!' reactionary rant (0)

Anonymous Coward | more than 8 years ago | (#14985021)

Yeah I'd say that in 1981 the net was a different place.

A few clarifications:
Sendmail is BSD licensed, thats pretty 'free'.

and

IIRC this is the first major security advisory since ~1997, give it a rest, one "serious" bug a decade isn't exactly every other week.

Agreed (3, Interesting)

waldoj (8229) | more than 8 years ago | (#14985024)

I ignored posts like this for years, figuring it was like the Linux vs. BSD debates -- just a bunch of zealots. I was wrong.

Years after I mastered mc files and learned the magic of m4, back around 2002, I succumbed to /. peer pressure and switched to Postfix. It's just like Sendmail, only it doesn't suck. I didn't know Sendmail sucked until I used Postfix. It's easy, it's secure, and my servers haven't once been 0wn3d because of the ubiquitous MTA flaws of Sendmail.

Some day I'll try Qmail. Baby steps.

-Waldo Jaquith

Re:Agreed (1)

Vellmont (569020) | more than 8 years ago | (#14985198)


I didn't know Sendmail sucked until I used Postfix.


You must be a masochist. I remember using sendmail and simply wanting to change my outgoing mail so the from address was me@domain.com instead of me@machine.domain.com. I delved into it like any other project, but decided it wasn't worth it when I found out I had to learn an entire language (m4 or whatever it is), then compile that into another language just to do this one stupid thing. No thanks! A friend recommended postfix, and I've never looked back.

Re:Agreed (1)

sedman (210394) | more than 8 years ago | (#14985794)

I never have spent much time with the new fangled m4 stuff, I can get it to do everything I want with the straight sendmail config language. I have been using (and configuring) sendmail since 1990. I have not seen another mail program come close to its capabilities.

Re:Agreed (0)

Anonymous Coward | more than 8 years ago | (#14985200)

You don't need to try qmail. I've done sendmail, qmail and postfix. There's no earthly reason why you'd use qmail when postfix is available.

Re:Agreed (0)

Anonymous Coward | more than 8 years ago | (#14985856)

Some day I'll try Qmail. Baby steps.

baby steps backwards...

Courier (1)

temojen (678985) | more than 8 years ago | (#14985072)

Courier is a Great idea. One mail application. Not an MTA and separate MDAs. Just one. Unfortunately, trying to figure out how to set up just SMTP+POP3 for a single machine with multiple aliases and a few virtual users seems to require knowing how to configure everything.

(If I'm wrong, and there actually is a guide telling how to do this, someone please post a note, I'd like to finally migrate to the new server we got 1.5y ago.)

Re:Courier (1)

HermanAB (661181) | more than 8 years ago | (#14985242)

The guides are at www.postfix.org and at www.dovecot.org.

Re:The inevitable 'use postfix!' post.... (1)

killjoe (766577) | more than 8 years ago | (#14985146)

Debian and derivatives come with exim set as the default MTA. I don't understand why redhat and its derivatives come with sendmail as the default MTA. Postfix can actually be configured by normal people unlike sendmail and it's just as performant and a lot more secure.

Just doesn't make sense. The first thing I do any redhat system is to chuck sendmail and install postfix instead.

Re:The inevitable 'use postfix!' post.... (1)

bigtrike (904535) | more than 8 years ago | (#14985203)

Redhat has so many stupid defaults. The stupid path setup makes it tedious to compile anything yourself. Apache, postgres, php, etc stupidly do not have many features compiled in or compiled as modules, which forces you to compile things yourself. Their libc compiles have bizarre patches applied which tend to cause hard to trade bugs that only affect Redhat users. RPM is fairly painful to work with.

While you probably have your reasons for using or sticking with Redhat, I decided years ago to chuck it and have been much happier.

Re:The inevitable 'use postfix!' post.... (1)

naelurec (552384) | more than 8 years ago | (#14985414)

Postfix is licensed under the IBM Public License v1.0. I am unsure how compatible that is with the GPL (and perhaps the primary reason for it not being included). Exim is GPL .. not quite sure why it isn't more popular among the distros (perhaps sendmail history wins out?)

Re:The inevitable 'use postfix!' post.... (1, Offtopic)

violent.ed (656912) | more than 8 years ago | (#14985505)

(of course, that may also be related to the fact that Courier does a lot more than just deliver mail.)

This entire sentence, being a complete thought, is entirely encompassed by parentheses, which is wrong.

Sorry, just nitpicking your signature... and don't start with me about indenting paragraphs, I haven't figured that out yet. :P

... After further evaluation of the rules for parentheses, I retract my previous statement. Your post is truly grammatically correct, and i (lowercase I) humble myself before thee!

Re:The inevitable 'use postfix!' post.... (5, Insightful)

ajs (35943) | more than 8 years ago | (#14985632)

There was a time when sendmail exploits were all the rage, but at the time, sendmail was one of a very, very small number of programs that had reached its level of maturity, breadth of features AND was network accessible, and was the only one in widespread use under Unix-like systems. Because of some high-profile bugs, many companies including Sun and later Red Hat did heavy security audits of the code, revealing and fixing more problems.

These are all good things, and it seems to me to be a bit two-faced to say that the power of open source is that there are many eyes on the source, and then to punish the software with the most eyes on it. Sendmail has been the heart of mail on the Internet for decades, and deservedly will continue to do so for the foreseeable future.

These bugs demonstrate the old saying: where there is code, there are bugs. I'll stick with software that has already had the vast majority of its security problems shaken out.

this is what happens (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14984834)

when you use Open Source software.
truth.

Insufficient data. (4, Insightful)

jd (1658) | more than 8 years ago | (#14984858)

Sendmail is a big program. It also has several components. This tells me that things like selinux and other mandatory access control systems MAY prevent the attack from taking over the PC. What impact there is on such systems depends on what component the failure is in and what rights that component must have.


There are also multiple ways of configuring sendmail when compiling it, which tells me that whilst an upgrade may be important, it may be much more important for some users than others.


Also, saying it doesn't affect Windows is unclear. Does it not affect Windows when you use some official .exe? When you compile it yourself? When compiled/run via Cygwin? If you run under Wine, do you see the bug or not? Are all versions of Windows safe, or would the bug be exposed under certain versions?


The report, as described, is about as useful as saying "we think we know a way by which under certain circumstances that we know, another may think they know a way by which you might have an increased chance of being struck by an asteroid". If you don't know what the way is, or what those circumstances might be, the information has little value. Sure, it has some in that they provide a bugfixed release, but we don't know how long the bug has existed and therefore have absolutely bugger all way of quantifying what the risk is that a server has already been compromised. It only prevents uncompromised servers from being attacked by this method in future.


Just because the press release is dated XYZ does not mean that every Black Hat under the sun hasn't got a CD-ROM filled with exploits for it and a list of backdoors on cracked sites from three years back. XYZ is merely the date the rest of us know about it. You don't maintain a secure system by assuming all crackers only know the exploits you've fixed. You maintain a secure system by assuming at least one cracker has the means to discover the exploits you've neither heard of nor have patches for - ie: by assuming you're running buggy software and taking the necessary steps to limit what those bugs can do.

eh (1)

mnemonic_ (164550) | more than 8 years ago | (#14984909)

A little heavy on the linebreaks son?

Re:Insufficient data. (1)

myowntrueself (607117) | more than 8 years ago | (#14985490)

"Sendmail is a big program."

When my eyes grazed over your text I initially read that as "Sendmail is a big problem"

Do you know why the "sendmail book" has a bat on the cover? ;)

Who the hell still uses sendmail? (-1, Troll)

Neo-Rio-101 (700494) | more than 8 years ago | (#14984864)

I can't believe that in this day and age, people still use sendmail when there are clearly better alternatives out there. Alternatives which don't require you to consult a phonebook-thick bat book to configure, and don't give you nasty security issues.
Using sendmail is anomalous to asking for trouble.

Surely qmail and postfix are way better.

Re:Who the hell still uses sendmail? (4, Informative)

Radak (126696) | more than 8 years ago | (#14985294)

Using sendmail is anomalous to asking for trouble.

This sentence alone shows what an idiot you are. Go look up anomalous and then come back.

Back? Okay, good. Let's move on.

We still use sendmail because it meets our needs and because to those of us who actually know how to use it, it is less of a pain in the ass than your "better" alternatives. Sendmail had a whole slew of security problems many years ago before alternatives were even available, but in recent years, it has really not had notably more security issues than any of the other options.

Face the facts here. Qmail and Postfix certainly have their uses, and are both excellent MTAs, but neither is "way better" than Sendmail for all installations. We each have our own requirements, and Sendmail meets those requirements for a lot of my installations.

Re:Who the hell still uses sendmail? (1)

iggymanz (596061) | more than 8 years ago | (#14985497)

Look at the source code of sendmail: big tangled ball(s) of twine. Then look at the source code of some competing systems; strange, they're actually well-designed and modular! Then look at the memory consumption of a sendmail process, vs. what qmail or postfix takes (20% of a sendmail process). I used to use sendmail in the 90's, but I'm glad I've long ago given up that bloated, hard to configure crap.

Re:Who the hell still uses sendmail? (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14985370)

Oh only almost every major corporation in the whole world.

Go back to your mom's basement.

IE and sendmail flaws on the same day? (5, Funny)

MadFarmAnimalz (460972) | more than 8 years ago | (#14984971)

Coincidence? I think not...

Shared codebase? Hmm?

Re:IE and sendmail flaws on the same day? (1)

Dr.Dubious DDQ (11968) | more than 8 years ago | (#14985770)

I was WONDERING why sendmail wouldn't display my .png files properly...

Security? (0, Redundant)

Chris Kamel (813292) | more than 8 years ago | (#14984992)

Wait a minute, does this mean that there is software other than Microsoft's that has security issues? I'm flabbergasted.

What the.... (0)

Anonymous Coward | more than 8 years ago | (#14985105)

Wow, I thought only Microsoft wrote imperfect code! It's going to take me a while to get over this....
Hopefully this means there will be a reduction in pointless Microsoft bashing on /.

Sendmail - now in its third decade of exploits (0, Troll)

Animats (122034) | more than 8 years ago | (#14985233)

Google: Results 1 - 10 of about 613,000 for sendmail exploit.

I mean, really. People have been struggling with Sendmail exploits since the 1980s. Dump the turkey. And pull it from every Linux distro. It's time to kill this thing off.

Re:Sendmail - now in its third decade of exploits (5, Insightful)

Radak (126696) | more than 8 years ago | (#14985313)

Results 1 - 10 of about 18,000,000 for linux exploit.

We've been struggling with Linux exploits since its birth, too. Shall we "drop the turkey" every time a new Linux exploit pops up, too, or should we acknowledge that it's a complicated piece of software whose security generally improves as it matures? I thought so.

Oh, and just for good measure...

Results 1 - 10 of about 203,000 for qmail exploit.
Results 1 - 10 of about 283,000 for postfix exploit.

I note that those queries generate about 1/3 and about 1/2 as many results, respectively, for products that have existed for about 1/10 as long as sendmail. By your ridiculously flawed "Google logic", qmail and postfix are far more dangerous "turkeys" than sendmail.

new math? (1)

snarlydwarf (532865) | more than 8 years ago | (#14985347)

postfix and qmail have been around for 1/10th the time of sendmail?

I guess if '10' is binary you're close.

If you mean ten decimal... you're way off.

Re:new math? (1)

Radak (126696) | more than 8 years ago | (#14985506)

Okay, you're right. Qmail and Postfix have been around longer than I thought. Let's throw in some real numbers then.

Sendmail is a derivative of Delivermail, which was originally released in 1979, so we'll say Sendmail is 27 years old.

Qmail was in beta in 1996, so we'll say it's twelve years old, or around 0.44 as old as Sendmail, so the original poster's Google logic suggests it's therefore around 0.75 times as dangerous as Sendmail.

Postfix was released in 1998, which makes it eight years old, or somewhere around 0.3 as old as Sendmail, so the original poster's Google logic suggests it's therefore around 1.7 times as dangerous as Sendmail.

So by this logic, Qmail *does* win, but come on. The original point of my post was that ascertaining the security of a product on the number of Google matches you get for its name followed by "exploit" is ridiculous.

Re:new math? (1)

Radak (126696) | more than 8 years ago | (#14985514)

Qmail was in beta in 1996, so we'll say it's twelve years old...

Did I just say this? Let's try that again with 10 years old. Maybe you CAN accuse me of "new math" now. If we plug in the right age for Qmail, it actually comes out to 0.9 times as dangerous, using Google logic, and still wins, but just by a nose.

Re:Sendmail - now in its third decade of exploits (2, Informative)

tqbf (59350) | more than 8 years ago | (#14985677)

There has never been a remotely or locally exploitable vulnerability in qmail, regardless of what your Google query tells you.

Google logic (1, Funny)

Anonymous Coward | more than 8 years ago | (#14985802)

Results 1 - 10 of about 119,000 for yo mama exploit. (0.23 seconds)

Does that mean she's twice as secure as the leading mail transport agents?

Sendmail (0)

Anonymous Coward | more than 8 years ago | (#14985271)

I worked on a research project for my professor that had to do with sendmail so I am pretty familiar with the data structures and how sendmail works. I don't understand how sendmail's timeout (control.c implementation) works.

If the problem is in sm_syslog() (in the conf.c file) and it has to do with a static variable I would link it to static char *buf = NULL;
Later in the function buf gets set to char buf0[MAXLINE];

I don't know why but that's the first thing that popped into my head. The damn sendmail code is too much and hard to follow. Plus I don't have much experience with "write(ing) data to invalid parts of the stack (or heap in some scenarios)".

More information will be available soon... (1)

jrl (4989) | more than 8 years ago | (#14985634)

We've been playing with this bug for a few hours now. We can independently confirm it is exploitable. We will be releasing details about it to the Daily Dave list later tonight.

This is a funny one to exploit though. It'll take up to two hours to pull off on a stock install. Whoever releases the PoC exploit should include a game of Tetris in the exploit for the poor pen-tester to play while waiting =)

Cheers,

Robert E. Lee
Dyad Security

Red Hat 9 is a pain (1)

Peartree (199737) | more than 8 years ago | (#14985685)

I hope you're not running Red Hat 9. I'm still running it on one system just because it's a production server for about 600 users. Had to recompile gcc from 3.2.2 to 3.2.3 (not a quick process on a dual Xeon 700) to get sendmail 8.13.6 (from Fedora 4, mind you) to build at all. -fpie was the culprit. Was running sendmail 8.13.1 purely for greetpause.