topic Re: Sendmail 8.9.3 and Security in Operating System - HP-UX

Sendmail 8.9.3 and Security

Tracey — Mon, 17 Jun 2002 15:43:43 GMT

My corporate IS department has suggested we move to 8.9.3 (latest?) in order to use its mail server relay capabilities for security reasons. I currently have version 8.8.6.1 and have installed the latest patch software that I have (3/2002).

I can't seem to find the patch, where would I find this patch/upgrade? Is it Patch: PHNE_24419 or PHNE_17190 or something else?

Is it truly that easy to hack into a system using port 25 of sendmail? I can't seem to do it, but then again I've never tried to hack into it before, so I may not be doing everything "correctly".

Any thoughts or experiences are appreciated.

Re: Sendmail 8.9.3 and Security

Bill Costigan — Mon, 17 Jun 2002 16:40:05 GMT

PHNE_24419 is for 11.0

try this url:

http://support1.itrc.hp.com/service/patch/patchDetail.do?patchid=PHNE_24419&context=hpux:800:11:00

Re: Sendmail 8.9.3 and Security

Paula J Frazer-Campbell — Mon, 17 Jun 2002 17:02:21 GMT

Hi

Try this :-

Telnet to your server using port 25,

it will return somthing like this :-Trying...
Connected to
.

Escape character is '^]'.
220 d370 ESMTP Sendmail 8.8.6 (PHNE_17190)/8.8.6; Mon, 17 Jun 2002 18:52:49 -060
0 (MDT)
Hostname is there :- "d370"

Sendmail version :-8.8.6

The PHNE indicated a Unix server

Try:-

vrfy root
250 Super User

vrfy fred

550 fred unknown user.

vrfy bert

250 Super User

------------------------------------------

Right, what have we got without logging into the server.

IT is a HP-UX machine running sendmail version 8.8.6 it does not have a user called fred in the passwd file but has a user called bert who has superuser rights.

So Bert looks like a good way in:-

HTH

BTW the HP security course is one of the fun ones !!!

Paula

Re: Sendmail 8.9.3 and Security

Paula J Frazer-Campbell — Mon, 17 Jun 2002 17:05:43 GMT

Hi

Btw

To disable vrfy edit:-

/etc/mail/sendmail.cf
find PrivacyOptions test
add line "O PrivacyOptions=novrfy"
stop and restart send mail:-

/sbin/init.d/sendmail stop/start

and recheck the vrvf command.
It wiil now not work.

Paula

Re: Sendmail 8.9.3 and Security

Tracey — Mon, 17 Jun 2002 17:34:21 GMT

Thanks,

I've turned off the verify, and there was also an interesting little privacy option of "goaway". Now that I understand how to get in, and I have set the two privacy options, I can still type:

MAIL From:

and it tells me "Sender OK" which I am lead to beleive will allow others to send bogus email from my system - is there any way of stopping this - short of shutting down sendmail?

Re: Sendmail 8.9.3 and Security

Craig Rants — Mon, 17 Jun 2002 17:51:05 GMT

It would be tough to filter good and bad email. If you have the latest 8.9.3 to block relays and have changed your PrivacyOptions, then you have done what I would recommend. The only thing I would add that could lock down port 25 more is IPF/9000. You can write filtering rules to determine if the source is an ip you want to receive mail from or not.

GL,
C

Re: Sendmail 8.9.3 and Security

benoit Bruckert — Tue, 18 Jun 2002 06:39:02 GMT

For information,
Sendmail latest is 8.12.3, and this version include many securities (relay and so on....).
Of course, you don't have the latest version on HP's cd, you have to download from sendmail.org and compile by hand to make it work.
It's true that between 8.8 and 8.9, security is better (for the 8.9), because by default some capabilities like relay are closed. You have to open it to make it work.

Hope it'll help