Security-Fix Sendmail 8.12.9 Released 166
bahamutirc writes "Yet another security problem was discovered by Michal Zalewski in Sendmail 8.12.8, 'a buffer overflow in address parsing due to
a char to int conversion problem which is potentially
remotely exploitable.' Apparently somebody jumped the gun and posted before Sendmail had a chance to notify anyone, so they had to release it today. Go grab your source." Here's the CERT advisory.
Re:Good. (Score:5, Insightful)
If this was a Microsoft problem and they kept it quiet you would have been ranting and raving right now, right?
Re:Sendmail.... (Score:4, Insightful)
Yes but qmail and postfix dont do near as much as sendmail.
Most of the people using sendmail (Myself included) use it because its the only option for our needs.
Until qmail and/or postfix reach the feature set of sendmail (or come anywhere near it) it will remain useless to me.
Thank you for preaching, please drive through.
Re:Sendmail (Score:2, Insightful)
Why? For the love of SMTP, why??? j/k
-Kevin
Qmail and postfix hippies: shut the hell up please (Score:4, Insightful)
But that still doesn't make sendmail bad. Software has bugs. Your precious MTAs have bugs too. As a matter of fact, sendmail works. It has worked for decades. It's still around. And it will stay around for decades more.
Before y'all jump up and say: "Look! a possibly remote exploit!". Read the advisory. This will be VERY hard to exploit, besides your test lab where you control the address space and eventual host naming that just MIGHT overflow something, and then you need to figure out if it's even possible to do something more fun other than let some sendmail spawned child crash, whoopdeedoo.
Although it's not impossible to do, I still maintain that admins should patch their systems, but you don't have to rush. I don't see script kiddies exploting this one in the coming time yet. And besides, my data isn't worth crap either, so I'm harly a target.
So qmail and postfix zealots, shut the hell up please. We know. Yes, qmail and postfix are nice, and yes, they have some merits over sendmail and yes, I sometimes choose to prefer them for some jobs, but the inverse is also true. Right tool for the job and all that. Now be happy with your MTA and be done with it. Geez, it's only a mail server.
Re:Sendmail.... (Score:2, Insightful)
And sendmail doesn't do as much as Exchange, so what's that got to do with it? The major weakness of sendmail compared to qmail is precisely that it's a monolithic beast that tries to do everything. Qmail's approach is to have small modules that perform one task, and perform it well (and securely - still no claims on the security guarantee [cr.yp.to] in six years).
Seems to be that like many others, it's the author of qmail that's your problem, not the actual software. So go on, tell us : what features does sendmail provide that can't be found in other MTAs?
All Linux users should be using postfix (Score:3, Insightful)
Sendmail takes (on my system) a thousand-line config file just to have sane settings for the modern world. It has a horrendous security history.
Postfix has non-dumb defaults, is quite secure, and I cannot see why anyone wouldn't use it.
Re:Is Sendmail still worth it? (Score:3, Insightful)
That's not insightful; that's personal opinion. Sendmail's m4 configuration is pretty logical and editable for me, but I have no idea how to alter a running Qmail setup. Does that make Sendmail better than Qmail? No. It makes me better at running Sendmail than Qmail.
All open source MTAs suck (Score:1, Insightful)
- There's been no new qmail version for YEARS. Everything you need to add you have to search for on the web and patch it in, with patches conflicting and everything
- exim claims to be easier to configure than sendmail but in reality just replaces the $)(%")( with plain text
- The author of courier is an arrogant prick and I haven't found a way to use virtual domains without it being an ugly hack
- postfix is awfully documented and awkward to use with all its backward-compatibility hacks
I still choose Sendmail as my MTA (Score:5, Insightful)
I personally like the way the sendmail community handles these issues when they arise. 2 reports in a row is a bummer, but the frequency is exaggerated. I respect the fact that there are other open source MTAs and think they can be made to work well too (postfix, qmail, exim, etc...).
Please keep in mind that this MTA was around when the network was more of a community (not a lot of
Sendmail pioneered lots of the AntiSPAM/AntiSPAMMER features that are taken for granted today (advanced relay control, ip to dns a record verify, DNS blacklisting etc...).
There are reasons why many (think mega sized corporations around the world) use sendmail in front of their message store systems (Exchange, Notes, Cyrus,
It has/provides:
The ability to use LDAP information for routing.
The ability to use LDAP instead of a flat Alias file.
LDAP intelligence at the port 25 gateway (Think not have unreturnable bounce messages traveling all the way into the network and then getting stuck at your message store) A smart MTA at the gateway will break the connection and not waste time trying to pass the message through.
Pass based (w/crypt options) SMTP Authentication
Certificate base SMTP authentication
Unlimited relay control options (rule sets and milters)
Built in SMTP encryption (TLS/SSL) with support for PKI systems
Multiple queues and deterministic queuing (queue groups)
Fallback MX (this is huge for failover)
Mid-protocol conversation filtering (Milter, do all of your attachment stripping and message scanning without adding extra hops).
Capable of sending email just as fast as any other MTA without violating RFCs (do you really not want to commit your data to stable storage?) and putting your data at risk.
SMTP pipelining (why open a new connection each time?)
Active development with developers developing to the RFC/IETF's standards and the needs of today's internet.
Ability to be configured to avoid port 25 Denial of service attacks that other MTAs are vulnerable to.
My 2 pennies, just another opinion, now leaving verbose mode...