Security-Fix Sendmail 8.12.9 Released

bahamutirc writes "Yet another security problem was discovered by Michal Zalewski in Sendmail 8.12.8, 'a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable.' Apparently somebody jumped the gun and posted before Sendmail had a chance to notify anyone, so they had to release it today. Go grab your source." Here's the CERT advisory.

Re:Good.

[Anonymous Coward]

I'm glad they kept this SM exploit fairly quiet. You would have thought it would become public and cause lots of mischief, but now that there is a fix, I suspect they will release what the problem was in more detail.

If this was a Microsoft problem and they kept it quiet you would have been ranting and raving right now, right?

Re:Sendmail....

[dissy]

> Qmail [qmail.org] is small, fast, easy and secure.

Yes but qmail and postfix dont do near as much as sendmail.

Most of the people using sendmail (Myself included) use it because its the only option for our needs.

Until qmail and/or postfix reach the feature set of sendmail (or come anywhere near it) it will remain useless to me.

Thank you for preaching, please drive through.

Re:Sendmail

[khuber]

I don't understand why anyone would run sendmail as their MTA with all the alternatives. It's insecure by design -- it's a monolithic suid root program. It's inefficient and it's difficult to configure.

Why? For the love of SMTP, why??? j/k

-Kevin

Qmail and postfix hippies: shut the hell up please

[CoolVibe]

First, this is about sendmail, not postfix or qmail. Yes we know your MTA is vastly superior and yes, it does your laundry and even makes coffee.

But that still doesn't make sendmail bad. Software has bugs. Your precious MTAs have bugs too. As a matter of fact, sendmail works. It has worked for decades. It's still around. And it will stay around for decades more.

Before y'all jump up and say: "Look! a possibly remote exploit!". Read the advisory. This will be VERY hard to exploit, besides your test lab where you control the address space and eventual host naming that just MIGHT overflow something, and then you need to figure out if it's even possible to do something more fun other than let some sendmail spawned child crash, whoopdeedoo.

Although it's not impossible to do, I still maintain that admins should patch their systems, but you don't have to rush. I don't see script kiddies exploting this one in the coming time yet. And besides, my data isn't worth crap either, so I'm harly a target.

So qmail and postfix zealots, shut the hell up please. We know. Yes, qmail and postfix are nice, and yes, they have some merits over sendmail and yes, I sometimes choose to prefer them for some jobs, but the inverse is also true. Right tool for the job and all that. Now be happy with your MTA and be done with it. Geez, it's only a mail server.

Re:Sendmail....

[Vainglorious Coward]

qmail and postfix dont do near as much as sendmail.

And sendmail doesn't do as much as Exchange, so what's that got to do with it? The major weakness of sendmail compared to qmail is precisely that it's a monolithic beast that tries to do everything. Qmail's approach is to have small modules that perform one task, and perform it well (and securely - still no claims on the security guarantee [cr.yp.to] in six years).

Thank you for preaching, please drive through.

Seems to be that like many others, it's the author of qmail that's your problem, not the actual software. So go on, tell us : what features does sendmail provide that can't be found in other MTAs?

All Linux users should be using postfix

[0x0d0a]

I can't understand why any general-purpose distros still ship sendmail. Qmail is good too, though I prefer postfix.

Sendmail takes (on my system) a thousand-line config file just to have sane settings for the modern world. It has a horrendous security history.

Postfix has non-dumb defaults, is quite secure, and I cannot see why anyone wouldn't use it.

Re:Is Sendmail still worth it?

[Just Some Guy]

For one, sendmail is really not intuitive. If youre given a server youve never seen before and have to alter some fancy configs in it, could you do it faster than if it were say qmail? Maybe if I stare at M4 pinfo I could begin to get it, I gave up early there.

That's not insightful; that's personal opinion. Sendmail's m4 configuration is pretty logical and editable for me, but I have no idea how to alter a running Qmail setup. Does that make Sendmail better than Qmail? No. It makes me better at running Sendmail than Qmail.

All open source MTAs suck

[Anonymous Coward]

- sendmail is one huge, bloated, insecure POS.
- There's been no new qmail version for YEARS. Everything you need to add you have to search for on the web and patch it in, with patches conflicting and everything
- exim claims to be easier to configure than sendmail but in reality just replaces the $)(%")( with plain text
- The author of courier is an arrogant prick and I haven't found a way to use virtual domains without it being an ugly hack
- postfix is awfully documented and awkward to use with all its backward-compatibility hacks ...and one last thing: WHO CARES ABOUT SYSTEM USERS? I'd guess 99,9% of all mail today is delivered via dedicated mail systems. Why is every single mail system out there system-user-centric and can only be taught virtual domains with ugly hacks and impractical aliases files?

I still choose Sendmail as my MTA

[please explain]

Sendmail gets a bad name sometimes from folks who gave up on it for various reasons (Too hard?). Sometimes some of these "administrators" can't tell the difference between a Message store and an MTA. /var/mail is not sendmail!

I personally like the way the sendmail community handles these issues when they arise. 2 reports in a row is a bummer, but the frequency is exaggerated. I respect the fact that there are other open source MTAs and think they can be made to work well too (postfix, qmail, exim, etc...).

Please keep in mind that this MTA was around when the network was more of a community (not a lot of .com) and having an open relay was normal. Think ARPAnet.

Sendmail pioneered lots of the AntiSPAM/AntiSPAMMER features that are taken for granted today (advanced relay control, ip to dns a record verify, DNS blacklisting etc...).

There are reasons why many (think mega sized corporations around the world) use sendmail in front of their message store systems (Exchange, Notes, Cyrus, /var/mail, etc...). Think scale and way beyond systems for only 10s of thousands or less.

It has/provides:

The ability to use LDAP information for routing.

The ability to use LDAP instead of a flat Alias file.

LDAP intelligence at the port 25 gateway (Think not have unreturnable bounce messages traveling all the way into the network and then getting stuck at your message store) A smart MTA at the gateway will break the connection and not waste time trying to pass the message through.

Pass based (w/crypt options) SMTP Authentication

Certificate base SMTP authentication

Unlimited relay control options (rule sets and milters)

Built in SMTP encryption (TLS/SSL) with support for PKI systems

Multiple queues and deterministic queuing (queue groups)

Fallback MX (this is huge for failover)

Mid-protocol conversation filtering (Milter, do all of your attachment stripping and message scanning without adding extra hops).

Capable of sending email just as fast as any other MTA without violating RFCs (do you really not want to commit your data to stable storage?) and putting your data at risk.

SMTP pipelining (why open a new connection each time?)

Active development with developers developing to the RFC/IETF's standards and the needs of today's internet.

Ability to be configured to avoid port 25 Denial of service attacks that other MTAs are vulnerable to.

My 2 pennies, just another opinion, now leaving verbose mode...