Operating System - HP-UX

Sendmail 8.9.3 and Security

 
Tracey
Trusted Contributor


My corporate IS department has suggested we move to 8.9.3 (latest?) in order to use its mail server relay capabilities for security reasons. I currently have version 8.8.6.1 and have installed the latest patch software that I have (3/2002).

I can't seem to find the patch, where would I find this patch/upgrade? Is it Patch: PHNE_24419 or PHNE_17190 or something else?

Is it truly that easy to hack into a system using port 25 of sendmail? I can't seem to do it, but then again I've never tried to hack into it before, so I may not be doing everything "correctly".

Any thoughts or experiences are appreciated.
Bill Costigan
Honored Contributor

Re: Sendmail 8.9.3 and Security

Paula J Frazer-Campbell
Honored Contributor

Re: Sendmail 8.9.3 and Security

Hi

Try this :-

Telnet to your server using port 25,

it will return something like this :-

Trying...
Connected to
.

Escape character is '^]'.
220 d370 ESMTP Sendmail 8.8.6 (PHNE_17190)/8.8.6; Mon, 17 Jun 2002 18:52:49 -0600 (MDT)
Hostname is there :- "d370"

Sendmail version :-8.8.6

The PHNE indicated a Unix server


Try:-

vrfy root
250 Super User

vrfy fred

550 fred unknown user.

vrfy bert

250 Super User

------------------------------------------

Right, what have we got without logging into the server.

It is an HP-UX machine running sendmail version 8.8.6; it does not have a user called fred in the passwd file but has a user called bert who has superuser rights.

So Bert looks like a good way in:-


HTH


BTW the HP security course is one of the fun ones !!!


Paula

If you can spell SysAdmin then you is one - anon
Paula J Frazer-Campbell
Honored Contributor

Re: Sendmail 8.9.3 and Security

Hi

Btw

To disable vrfy edit:-

/etc/mail/sendmail.cf
find PrivacyOptions test
add line "O PrivacyOptions=novrfy"
stop and restart sendmail:-

/sbin/init.d/sendmail stop/start

and recheck the vrfy command.
It will now not work.


Paula
If you can spell SysAdmin then you is one - anon
Tracey
Trusted Contributor

Re: Sendmail 8.9.3 and Security

Thanks,

I've turned off the verify, and there was also an interesting little privacy option of "goaway". Now that I understand how to get in, and I have set the two privacy options, I can still type:

MAIL From:

and it tells me "Sender OK" which I am led to believe will allow others to send bogus email from my system - is there any way of stopping this - short of shutting down sendmail?
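
An added example (not part of any post in this thread, and not HP or sendmail.org code): a POSIX shell check that reads a sendmail.cf and reports whether the PrivacyOptions discussed above actually disable VRFY and the related EXPN command. The sample configs are constructed, `noexpn` is a sendmail flag the thread does not mention, and treating several `O PrivacyOptions=` lines as cumulative is an assumption.

```shell
#!/bin/sh
# Added example: report which VRFY/EXPN privacy flags a sendmail.cf enables.

# Print every flag from uncommented "O PrivacyOptions=" lines, one per line.
# Assumption: flags from several lines accumulate, so they are unioned here.
privacy_flags() {
    awk '
        /^O[ \t]*PrivacyOptions[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split(tolower($0), f, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (f[i] != "") seen[f[i]] = 1
        }
        END { for (k in seen) print k }
    ' "${1:--}" | sort
}

# Exit 0 only if both novrfy and noexpn are in effect (goaway implies both).
audit_privacy() {
    flags=$(privacy_flags "$1")
    rc=0
    for flag in novrfy noexpn; do
        if printf '%s\n' "$flags" | grep -Eqx "$flag|goaway"; then
            echo "ok:      $flag"
        else
            echo "MISSING: $flag"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not from a real host).
sample_before() { printf '%s\n' '# stock' 'O PrivacyOptions=authwarnings'; }
sample_after()  { printf '%s\n' 'O PrivacyOptions=authwarnings' \
                      '#O PrivacyOptions=goaway' 'O PrivacyOptions=novrfy'; }
sample_goaway() { printf '%s\n' 'O PrivacyOptions=authwarnings,goaway'; }

for s in sample_before sample_after sample_goaway; do
    echo "== $s"
    "$s" | audit_privacy - || true
done
```

To check a live configuration, run `audit_privacy /etc/mail/sendmail.cf`; the second sample shows that adding only `novrfy` still leaves EXPN answering.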
Craig Rants
Honored Contributor

Re: Sendmail 8.9.3 and Security

It would be tough to filter good and bad email. If you have the latest 8.9.3 to block relays and have changed your PrivacyOptions, then you have done what I would recommend. The only thing I would add that could lock down port 25 more is IPF/9000. You can write filtering rules to determine if the source is an ip you want to receive mail from or not.

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
benoit Bruckert
Honored Contributor

Re: Sendmail 8.9.3 and Security

For information,
The latest Sendmail is 8.12.3, and this version includes many security features (relay and so on...).
Of course, you don't have the latest version on HP's cd, you have to download from sendmail.org and compile by hand to make it work.
It's true that between 8.8 and 8.9, security is better (for the 8.9), because by default some capabilities like relay are closed. You have to open it to make it work.

Hope it'll help
A badly bandaged application ends up as a gauze factory (GHG)