https://community.hpe.com/t5/operating-system-hp-ux/sendmail-patch-amp-ipf-or-remove/m-p/2924783#M110314 Hi Karl,<BR /><BR />No need to remove sendmail, just turn off it's ability to accept mail. That's what this latest exploit was targeting - systems that *accept* mail.<BR />To stop sendmail run<BR /><BR />/sbin/init.d/sendmail stop<BR /><BR />Then to disable it from starting at next boot edit<BR /><BR />/etc/rc.config.d/mailservs<BR /><BR />and set <BR /><BR />export SENDMAIL_SERVER=0<BR /><BR />I doubt IPF rules would stop this exploit. The header was where the danger was &amp; I'm not sure IPF can interrogate the header of mail msgs.<BR /><BR />Rgds,<BR />Jeff Wed, 12 Mar 2003 00:54:24 GMT Jeff Schussele 2003-03-12T00:54:24Z https://community.hpe.com/t5/operating-system-hp-ux/sendmail-patch-amp-ipf-or-remove/m-p/2924782#M110313 Context: I work at a bank, and we get an awful lot of security warnings, the most recent about sendmail.<BR /><BR />General Question: Are the latest patches enough to address standard security concerns? I have the option to turn it off completely, as it's not being used, except by the system itself for various messages generated when I do software installs, etc. The systems are devoted to other uses.<BR /><BR />Specific Question: If inclined, how would I go about removing sendmail from the system, is it as simple as swremove and clearning out the mail queue? Bonus: Can't a few nifty IPF rules solve this and leave the nicely patched sendmail intact? Wed, 12 Mar 2003 00:46:42 GMT https://community.hpe.com/t5/operating-system-hp-ux/sendmail-patch-amp-ipf-or-remove/m-p/2924782#M110313 Karl Balsmeier 2003-03-12T00:46:42Z https://community.hpe.com/t5/operating-system-hp-ux/sendmail-patch-amp-ipf-or-remove/m-p/2924783#M110314 Hi Karl,<BR /><BR />No need to remove sendmail, just turn off it's ability to accept mail. That's what this latest exploit was targeting - systems that *accept* mail.<BR />To stop sendmail run<BR /><BR />/sbin/init.d/sendmail stop<BR /><BR />Then to disable it from starting at next boot edit<BR /><BR />/etc/rc.config.d/mailservs<BR /><BR />and set <BR /><BR />export SENDMAIL_SERVER=0<BR /><BR />I doubt IPF rules would stop this exploit. The header was where the danger was &amp; I'm not sure IPF can interrogate the header of mail msgs.<BR /><BR />Rgds,<BR />Jeff Wed, 12 Mar 2003 00:54:24 GMT https://community.hpe.com/t5/operating-system-hp-ux/sendmail-patch-amp-ipf-or-remove/m-p/2924783#M110314 Jeff Schussele 2003-03-12T00:54:24Z https://community.hpe.com/t5/operating-system-hp-ux/sendmail-patch-amp-ipf-or-remove/m-p/2924784#M110315 We have faced similar concerns. Our systems use sendmail to route outbound messages from cron to mailboxes that indicate the cron job has succeeded in doing important things like backing up the database.<BR /><BR />So sendmail has to run and its possible to direct mail at this exploit with a telnet session.<BR /><BR />So we installed the latest sendmail 8.11.1 patch and will be installed the new binaries after making sure the patch didn't do anything bad.<BR /><BR />Here is how we keep up on these security issues.<BR /><BR />Fist we subscribe to itrc security bulletins, which you apparently already do.<BR /><BR />Next we use the following tools to harden security on our system and notify us of security patches.<BR /><BR />Bastille Security hardening<BR /><A href="http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA" target="_blank">http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA</A><BR /><BR />Perl which the above needs.<BR /><A href="http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL" target="_blank">http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL</A><BR /><BR />Security Patch Check<BR /><A href="http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA" target="_blank">http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA</A><BR /><BR />TCP Wrappers<BR /><BR /><A href="http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=TCPWRAP" target="_blank">http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=TCPWRAP</A><BR /><BR />IDS/9000 (Intrusion Detection Sytstem)<BR /><BR /><A href="http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA" target="_blank">http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA</A><BR /><BR />Get all these products working you'll be quite secure.<BR /><BR />SEP<BR /> Wed, 12 Mar 2003 03:57:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/sendmail-patch-amp-ipf-or-remove/m-p/2924784#M110315 Steven E. Protter 2003-03-12T03:57:38Z