Security-Fix Sendmail 8.12.9 Released
bahamutirc writes "Yet another security problem was discovered by Michal Zalewski in Sendmail 8.12.8, 'a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable.' Apparently somebody jumped the gun and posted before Sendmail had a chance to notify anyone, so they had to release it today. Go grab your source." Here's the CERT advisory.
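The summary names the bug class only in passing. As an added illustration (constructed for this page, not Sendmail's code and not taken from the advisory), the C below shows how widening a signed `char` to `int` turns byte 0xFF into -1, so it collides with an in-band marker and slips past a length check. `NO_CHAR`, `LIMIT` and all function names are hypothetical.

```c
#include <stddef.h>

#define NO_CHAR (-1)   /* hypothetical in-band "nothing to store" marker */
#define LIMIT   16     /* hypothetical maximum token length */

/* Naive widening: a signed char holding byte 0xFF becomes int -1. */
static int widen_naive(signed char b) { return b; }

/* Correct widening: go through unsigned char so every byte maps to 0..255. */
static int widen_safe(signed char b) { return (unsigned char)b; }

/*
 * Count the bytes a tokenizer would treat as real characters.
 * Returns the count, or -1 when the count exceeds LIMIT (input rejected).
 */
static int checked_length(const signed char *in, size_t n,
                          int (*widen)(signed char))
{
    int counted = 0;
    for (size_t i = 0; i < n; i++) {
        int c = widen(in[i]);
        if (c == NO_CHAR)      /* intended for "no character pending" only */
            continue;          /* so the length check below never runs */
        if (++counted > LIMIT)
            return -1;
    }
    return counted;
}

/* Constructed input: 64 bytes of 0xFF, four times LIMIT. */
static int demo(int (*widen)(signed char))
{
    signed char in[64];
    for (size_t i = 0; i < sizeof in; i++)
        in[i] = -1;            /* bit pattern 0xFF */
    return checked_length(in, sizeof in, widen);
}

int main(void)
{
    /* Naive widening accepts the oversized input; safe widening rejects it. */
    return (demo(widen_naive) == 0 && demo(widen_safe) == -1) ? 0 : 1;
}
```

Plain `char` is signed on some platforms and unsigned on others, so the example uses `signed char` to make the behaviour the same everywhere.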
Advisories, more like invitations to exploit (Score:4, Informative)
Mandatory Postfix ad (Score:3, Informative)
Is your sendmail buggy? Would it be time to change to Postfix [postfix.org]?
Only $0,00.
Re:Sendmail.... (Score:3, Informative)
I hate setting up qmail, but it even has an easy to use web interface for configuring those things.
I haven't tried domain mirroring, but I'm sure you can do it with a symlink.
I don't know if anything else can do piped mail processing. If you ask me, I think that's a security risk in itself.
I use qmail (Score:4, Informative)
Re:Anyone know if . . . (Score:2, Informative)
This is new.
Re:Sendmail.... (Score:2, Informative)
"Fall through addresses" (default delivery instructions)
put "example.com:alias-example-com" in
put default delivery instructions in ~alias/.qmail-example-com-default
"Configurable bounce errors"
You can do this either with piping to a bounce program, or via any of the appropriate patches linked from qmail.org.
"Delivery to a piped process"
Just put |cmd in the
"Backup mail spooling"
Put the domain to spool for in "rcpthosts" but not in "locals" or "virtualdomains".
"'list' forwards"
"Access controls for relaying"
This is controlled via ucspi-tcp, the socket interface preferred for qmail. It's very simple and powerful, and there are patches for doing elaborate things like "pop before smtp" to allow roaming users to relay without authentication.
"Domain mirroring"
Just point your virtuals at the same alias. Here's your
example.com:a
example.net:alias-example
Qmail ONLY works with procmail. It requires procmail for local delivery.
What makes Qmail seem so difficult is that it's DEAD SIMPLE. When comparing to sendmail, I used to get confused. How can it be this easy? I don't understand! Well it is. It took me a few weeks to get out of my sendmail mindset, but once I did, I was glad.
Re:Sendmail.... (Score:3, Informative)
Fall-through addresses: Done easily in vpopmail.
Configurable bounce errors: bounce-saying in the
Delivery to a process: put "|/bin/appname" in your
Backup mail spooling: Put the domain you want to be a secondary for in
"list" forwards: Put multiple addresses in your
Access controls for relaying: Done with ucspi-tcp by setting environment variables based on IP of clients.
Domain mirroring: one command with vpopmail; 'valias'.
All of this is well documented in "Life with Qmail," a great reference.
--
Phil
Re:Sendmail.... (Score:3, Informative)
Main Configuration/Documentation
Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation are the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQs, HOWTOs [postfix.org] and mailing lists [postfix.org].
Tables
Postfix supports a wide variety of Table types. sendmail uses "hash" I think. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively. So my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form
The Type is the type of table/format being used. The Location is simply one of several things
For backwards compatibility, hash:/etc/alias is normally set up as an alias database.
Virtual Stuff
Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.
Fallback Address or "Catchalls"
Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.
Configurable bounce errors
I'm not sure there is a way to completely customize the return error, but adding an entry domain.com (not @domain.com) the actual data doesn't matter, just the entry, so set it to unknown for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropriate error. See virtual(5).
Delivery to a piped process
Yes you can. You have to edit the /etc/postfix/master.cf in order to set up the service for delivery.
Here are some examples:
Backup mail spooling
In postfix there is a transports map that has three fields: domain(key), transport(service to deliver), nexthop(next machine in chain). An entry has a form the actual data for the entry is in the form tra
Re:Sendmail.... Oops Hit submit too soon (Score:4, Informative)
This is just a really quick overview because there are a few things I would have to look up again for postfix, and don't quite have time to write a fully detailed essay (good for postfix 1.11).
Main Configuration/Documentation
Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation are the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQs, HOWTOs [postfix.org] and mailing lists [postfix.org].
Tables
Postfix supports a wide variety of Table types. sendmail uses "hash" I think. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively. So my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form
The Type is the type of table/format being used. The Location is simply one of several things
For backwards compatibility, hash:/etc/alias is normally set up as an alias database.
Virtual Stuff
Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.
Fallback Address or "Catchalls"
Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.
Configurable bounce errors
I'm not sure there is a way to completely customize the return error, but adding an entry domain.com (not @domain.com) the actual data doesn't matter, just the entry is important, so set it to "unknown" for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropriate error. See virtual(5) [berkeley.edu].
Delivery to a piped process
Yes you can. You have to edit the /etc/postfix/master.cf in order to set up the service for delivery.
Here are some examples:
Backup mail spooling
In postfix there is a transports map that has three fields: domain(key), transport(servic
Re:Sendmail.... (Score:2, Informative)
I don't see anything unusual in your list. Do you think there aren't qmail users who have widely varied and specialised needs? I'm not going to pretend that you won't have to do any reading and learning in order to migrate to qmail, but that's very different than claiming that only sendmail has the features you need. Unfortunately, I am unable to give you step-by-step instructions, but given that you're intelligent enough to understand how to configure sendmail, you shouldn't have any problem starting with the qmail home page [qmail.org] and proceeding from there. Also good is life with qmail [lifewithqmail.org].
Why I don't like qmail (Score:3, Informative)
2) There are like 5 different programs, each with different user accounts (qmaild, qmaill, qmailp, qmailq, qmailr, qmails, vmail, etc) - all running from the same !@#!@ bin directory! Talk about confusing as !@#! hell when you want to audit permissions!
3) Qmail has a truly hideous license. Yeah, it's "open source", but you can't redistribute changes!!?!
This means:
4) If you want something decent (such as LDAP support, antivirus filtering or integration with SpamAssassin, etc.) you have to apply 57 god-knows patches to the "official" qmail source, and in just the right order to get everything working.
5) The log format is different than sendmail's. While this is understandable, it means that all these neat reporting tools for sendmail can't be used.
And finally,
6) Administering Sendmail on RH Linux is a breeze. up2date sendmail;
-Ben