topic Re: Another Sendmail Question in Operating System - HP-UX

Another Sendmail Question

Tom Jackson — Mon, 10 Mar 2003 14:48:44 GMT

Hi:

I shutdown sendmail to hopefully avoid the sendmail vulnerability. However, I am still able to send mail from my J6000 to local and remote mail accounts.

Do I still need to worry about the sendmail vulnerability since ssendmail is shutdown?

How come I can still send messages?

Tom

Re: Another Sendmail Question

Robin Wakefield — Mon, 10 Mar 2003 14:52:58 GMT

Hi Tom,

The sendmail that you've disabled is the listening daemon (together with maybe a queue run timing switch), e.g.

/usr/lib/sendmail -bd -q15m

The ability to send out is not affected by you switching the daemon off, since sendmail can simply be run as a one-off command to "send mail".

rgds, Robin

Re: Another Sendmail Question

David_246 — Mon, 10 Mar 2003 15:01:57 GMT

Hi Tom,

Indeed sendmail can run as a daemon (permanent) to receive incomming emails(connections). But if installed and set your DS in your /etc/mail/sendmail.cf or in /etc/mail/sendmail.cw you are able to send e-mails.
The period sendmail opens a connection is very short to send an e-mail, so security risc, yep sure but very minim.
/usr/lib/sendmail -q will be able to send e-mails at a specific time using cron. So, you take the choise what you want. Remove sendmail, or just minimize the impact.

Regs David

Re: Another Sendmail Question

Michael Steele_2 — Mon, 10 Mar 2003 15:24:55 GMT

Could you elaborate about the vulnerability of sending messages via sendmail? Current version address these problems I thought.

Receiving email can be easily enought disabled.

I know about .mailrc or .forward files for example.

But to disable sendmail permanantly edit file /etc/rc.config.d/mailservs file and replace
export SENDMAIL_SERVER=1
with
export SENDMAIL_SERVER=0

Re: Another Sendmail Question

Michael Steele_2 — Mon, 10 Mar 2003 15:27:15 GMT

PS Use killsm or /sbin/init.d/sendmail stop for the momment.

Re: Another Sendmail Question

Frank Slootweg — Tue, 11 Mar 2003 13:15:45 GMT

I am *not* a mail specialist, so take this with a grain of salt, but I have looked into this for our/my own use, and, as far as I know, you *are* vulnerable, even if (unpatched) sendmail is shut down. I don't see why some [.]forward somewhere would not allow your sendmail to be attacked.

*Please* correct me if I am wrong. I would sleep better and so would many others.

Re: Another Sendmail Question

Tom Jackson — Tue, 11 Mar 2003 13:33:30 GMT

Frank:

Thanks for sharing your concern. Since I'm inside a firewall and we don't use sendmail for anything except to mail cron status, I thought shutting down sendmail would prevent the problem from occurring.

One thing I noticed is that I still get my cron status mail messages, but I can't send messages to accounts on the system where sendmail is stopped. I can also send from the system where sendmail is stopped.

Does anyone know when a RELEASED patch will be available? I am reluctant to install the binary fix since some sites are having problems and it hasn't gone through all of its testing.

Are there any other options?

Tom

Re: Another Sendmail Question

Michael Steele_2 — Tue, 11 Mar 2003 13:39:01 GMT

Hmmmmm, Frank, can you spell facetious any other way?

Dot files like .forward and .mailrc allow for executables and are subject to hijacking and certainly a security issue, especially if its world readable. /etc/mail/alias is recommended instead.

Re: Another Sendmail Question

W.C. Epperson — Tue, 11 Mar 2003 13:54:05 GMT

Servers which can send outbound via sendmail but not receive inbound are vulnerable, to the extent that someone could transfer an exploit to the machine via FTP (etc) and then send it. You have to evaluate this likelihood, but the threat from the Internet would appear very low.

Re: Another Sendmail Question

Frank Slootweg — Tue, 11 Mar 2003 13:56:09 GMT

M. (Cool name! :-)),

Yes, I know of the dangers of non-safe/closed .forward and .mailrc files, but my point was that even if they *are* safe/closed, they do not (completely) disable *this* (sendmail) vulnerability.