Re: [SLUG] Sendmail security?

From: Ian C. Blenke (icblenke@nks.net)
Date: Fri Apr 05 2002 - 18:05:34 EST


On Fri, 2002-04-05 at 17:04, Brett Simpson wrote:
> Recently I had a security consultant come in and offered to take a quick look at our Network and he mentioned that he could do a number of things to Sendmail that could get it to cough up information and other things that he should be able to do. I don't know the exact details of what he said because I'm only getting bits and pieces from my manager's closed meeting. Does anyone have any comments about this? Has anyone
> heard of Sendmail 8.11.6-3 and up being hacked into or exploited?
>
> I did see a number of documents that referenced Sendmail as having numerous security issues but none of them listed the versions of Sendmail that had these issues. Other websites say that Sendmail can be secure depending on how you configure it. According to the Sendmail website the latest release corrects a number of bugs and makes Sendmail 8.12 more secure than 8.11 and below by forcing it to run as a non-root user.
>
> The big question of the day is.... should Postfix be used over Sendmail 8.11.6-3 or 8.12?
>
> If only Sendmail 8.11.6-3 is bad how about Sendmail 8.12?
>
> Or am I ok with Sendmail 8.11.6-3 provided I do certain things?
>
> Brett

I'm currently using 8.12.1-5 from debian unstable for development, but
8.11.6 should be safe (AFAIK). A quick look on PacketStormSecurity shows
no exploits in the wild yet:

        http://packetstormsecurity.org

He may be referring to information that he can gather from your running
daemon as to version information and other things that he probably
shouldn't be able to do (EXPN and VRFY, for example).

Some things to add to your sendmail.mc are:

 define(`confSMTP_LOGIN_MSG', `Private Mailserver v10.0')

This will make your daemon report generically (for most port scanning
tools, anyway).

Also, you will want to prune your sendmail "helpfile" to remove any
mention of the version of sendmail being used (try the SMTP "help"
command sometime; sendmail's default helpfile reports the version
number on the first line).

You will probably want to disable the ability to verify valid email
addresses (VRFY) and view the "expanded" list of members of an alias
(EXPN).

 define(`confPRIVACY_FLAGS', defn(`confPRIVACY_FLAGS')`,noexpn,novrfy')

This doesn't address the headers of email that flows through sendmail.
You will still see "(8.11.6-5/8.11.6-5/Debian -5)" in the headers.
The latter part is simple to change: merely edit your $Z definition (the
DZ line in your sendmail.cf), but this will still leave 8.11.6-5 at the
beginning. To get rid of this, you will need to rebuild sendmail from
source.

A large part of taking the above steps is merely to obfuscate the
version of sendmail you are running from potential hack attempts.
Security by obscurity is NOT real security (although it can help keep
people honest).

Aside from basic obfuscation, you get into real exploit protection.
Running your sendmail in a chrooted jail, changing the user sendmail
runs as, and tightening permissions on the files and spool directories
are all more paranoid steps.

        http://www.sendmail.net/000705securitygeneral.shtml

Remember, any version of sendmail can be configured insecurely (a
"/bin/sh" local mailer, for example) - you really do need to be careful.

Postfix is arguably more secure, but it has a much smaller user base.
I've used it, and it does work, but it simply never gave me the warm
fuzzies (and I'm a hardcore old school sendmail kind of guy).

Hope this helps.

- Ian C. Blenke <icblenke@nks.net> <ian@blenke.com>
http://ian.blenke.com
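As an added example (not part of Ian's post), here is a small offline check that turns the three points above (generic banner, pruned helpfile, noexpn/novrfy) into a pass/fail audit of your own server's SMTP replies. The reply texts are constructed samples rather than captures from a real host; the hostname, dates and alias names are made up.

```python
import re

# Constructed sample replies (not captured from a real host): a default-ish
# sendmail 8.11.6 and the same server after the sendmail.mc changes in the post.
DEFAULT = {
    "banner": "220 mail.example.test ESMTP Sendmail 8.11.6/8.11.6; Fri, 5 Apr 2002 18:05:34 -0500",
    "HELP": "214-2.0.0 This is sendmail version 8.11.6\n214-2.0.0 Topics:\n214 2.0.0 End of HELP info",
    "VRFY postmaster": "250 2.1.5 <postmaster@mail.example.test>",
    "EXPN staff": "250-2.1.5 <alice@mail.example.test>\n250 2.1.5 <bob@mail.example.test>",
}
HARDENED = {
    "banner": "220 mail.example.test ESMTP Private Mailserver v10.0; Fri, 5 Apr 2002 18:05:34 -0500",
    "HELP": "214-2.0.0 Topics:\n214 2.0.0 End of HELP info",
    "VRFY postmaster": "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)",
    "EXPN staff": "502 5.7.0 Sorry, we do not allow this operation",
}

# "sendmail" followed (eventually) by a dotted version number on the same line.
VERSION_RE = re.compile(r"\bsendmail\b.*?\b(\d+\.\d+\.\d+)", re.IGNORECASE)


def reply_code(reply: str) -> int:
    """Return the 3-digit status code of an SMTP reply, reading the last line so
    that multi-line replies ("250-..." continuation lines) are handled."""
    last = reply.rstrip("\n").splitlines()[-1]
    if not re.match(r"\d{3}( |-|$)", last):
        raise ValueError(f"malformed SMTP reply line: {last!r}")
    return int(last[:3])


def audit(replies: dict) -> dict:
    """Map each disclosure the post warns about to True (still exposed) or False (fixed)."""
    findings = {}
    findings["banner_leaks_version"] = bool(VERSION_RE.search(replies["banner"]))
    findings["help_leaks_version"] = bool(VERSION_RE.search(replies["HELP"]))
    # 250/251 mean the server actually answered the query; with novrfy sendmail
    # replies 252, and with noexpn it refuses EXPN outright with a 5xx code.
    findings["vrfy_enabled"] = reply_code(replies["VRFY postmaster"]) in (250, 251)
    findings["expn_enabled"] = reply_code(replies["EXPN staff"]) == 250
    return findings


if __name__ == "__main__":
    for name, replies in (("default", DEFAULT), ("hardened", HARDENED)):
        print(name, audit(replies))
```

To run it against a real host, replace the constructed dicts with the replies you get from a manual session to your own server and keep the checks unchanged.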



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:50:35 EDT