RE: AW: [suse-security] SuSE Security Announcement: sendmail (SuSE-SA:2003:013)
Hi Uli and Martin --- <... last nite I downloaded the patch for "sendmail" However, i have my copy of "sendmail" turned off, put I was planning to turn it on soon, when I saw Martin's post and wondered how many have switched to Wietse Venema's "postmix, which SuSE has a version for my 8.0 box, and probably for 8.1 too--- i tried to load "postfix" but it conflicts w/send mail -- so .....what to do??? comments, anyone. TIA
"Ulrich Roth"
Hi Martin,
SuSE Security Announcement
Package: sendmail, sendmail-tls Announcement-ID: SuSE-SA:2003:013
Does the bugfix "repair" affected messages, so that servers behind a patched sendmail are protected? Or are the "bad" headers passed on to the next MTA unmodified?
Yes, the bad headers are passed on.
Quote from the announcement:
The vulnerability is triggered by an email message sent through the sendmail MTA subsystem. In that respect, it is different from commonly known bugs that occur in the context of an open TCP connection. By consequence, the vulnerability also exists if email messages get forwarded over a relay that itself does not run a vulnerable MTA. This specific detail and the wide distribution of sendmail in the internet causes this vulnerability to be considered an error of major severity.
Bye Uli -- Ulrich Roth IMPACT Business & Technology Consulting GmbH Im Mediapark 8 / KölnTurm D-50670 Koeln Phone +49-221-93 70 80-29 Fax +49-221-93 70 80-15 E-Mail: roth@impact.de
--
__________________________________________________________________ The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/
GarUlbricht7@netscape.net (GarUlbricht7@netscape.net) wrote:
last nite I downloaded the patch for "sendmail" However, i have my copy of "sendmail" turned off, put I was planning to turn it on soon, when I saw Martin's post and wondered how many have switched to Wietse Venema's "postmix, which SuSE has a version for my 8.0 box, and probably for 8.1 too--- i tried to load "postfix" but it conflicts w/send mail -- so .....what to do??? comments, anyone.
Because of sendmail security reasons, I switched to qmail (compiled from sources) and never regretted it. With the help of D. Sill book or Life With Qmail (www.lwq.org) it's very easy to install it and one can have some understanding how it works. Btw, qmail is very stable & secure ie. you don't need to update it frequently - actually there are no new updates :-) The omly glitch is that Yast complains that neither Sendmail nor Postfix are installed, but it's nothing serious. Sincerely, Gour -- Gour gour@mail.inet.hr Registered Linux User #278493
* Gour (gour@mail.inet.hr) [030304 23:44]:
The omly glitch is that Yast complains that neither Sendmail nor Postfix are installed, but it's nothing serious.
I've LSB-ized the fake_mta package (http://www.csi.hu/) so that it works with
SuSE. It's basically just a dummy package that provides the
'smtp_daemon' capability. Take the following spec file and run 'rpm
-bb' with it, then install the rpm it creates:
Buildarch: noarch
# Change below if you want to protect something other
# than qmail. For example, for postfix, put qmail in, but leave
# postfix out. Leaving out the MTA you want to protect, will
# let you install the MTA from an rpm---if that is what you want.
Conflicts: sendmail, postfix
Group: Productivity/Networking/Email/Servers
License: GPL
Name: fake_mta
Provides: smtp_daemon
Release: 1LSB
Summary: fake package to protect my MTA
Version: 1
%description
A fake package so that foreign MTAs like sendmail will not be
installed on my system (messing up my non-rpm MTA install). For
example, a system upgrade will install sendmail if it thinks you do
not have an MTA/smtpdaemon installed.
%changelog
* Wed Mar 5 2003 Christopher Mahmood
Christopher Mahmood (ckm@suse.com) wrote:
I've LSB-ized the fake_mta package (http://www.csi.hu/) so that it works with SuSE. It's basically just a dummy package that provides the 'smtp_daemon' capability. Take the following spec file and run 'rpm -bb' with it, then install the rpm it creates:
Hey, thank you for very much for the tip! It gave me an idea how to resolve problem with trying to apt-get gnome2 dev packages - the problem is that the pango package for SuSE 8.0 on SuSE repository is built with filesystem dependency. I just built another fake package (filesystem) and everything is installed :-)) Sincerely, Gour
Buildarch: noarch # Change below if you want to protect something other # than qmail. For example, for postfix, put qmail in, but leave # postfix out. Leaving out the MTA you want to protect, will # let you install the MTA from an rpm---if that is what you want. Conflicts: sendmail, postfix Group: Productivity/Networking/Email/Servers License: GPL Name: fake_mta Provides: smtp_daemon Release: 1LSB Summary: fake package to protect my MTA Version: 1
%description
A fake package so that foreign MTAs like sendmail will not be installed on my system (messing up my non-rpm MTA install). For example, a system upgrade will install sendmail if it thinks you do not have an MTA/smtpdaemon installed.
%changelog * Wed Mar 5 2003 Christopher Mahmood
- LSB requires smtp_daemon, not smtpdaemon * Fri Sep 6 2002 Mate Wierdl - First cut %files
--
-ckm
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
-- Gour gour@mail.inet.hr Registered Linux User #278493
last nite I downloaded the patch for "sendmail" However, i have my copy of "sendmail" turned off, put I was planning to turn it on soon, when I saw Martin's post and wondered how many have switched to Wietse Venema's "postmix, which SuSE has a version for my 8.0 box, and probably for 8.1 too--- i tried to load "postfix" but it conflicts w/send mail -- so .....what to do??? comments, anyone.
--> In what way does it conflict with sendmail ? You can only run one MTA at a time. Though it should be ok to have both installed. So: "rpm -Uhv postfix..." should work Then stop sendmail "rcsendmail stop" before starting postfix. HTH, Armin -- Am Hasenberg 26 office: Institut für Atmosphärenphysik D-18209 Bad Doberan Schloss-Straße 6 Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY Email: schoech@iap-kborn.de Tel. +49-(0)38293-68-102 WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50
Hi, I had to run "newaliases" one time after I switched from sendmail to postfix on my SuSE 7.2 box. Maybe s.th. similar in 8.x? Regards, Jürgen
-----Ursprüngliche Nachricht----- Von: Armin Schoech [mailto:schoech@iap-kborn.de] Gesendet am: Mittwoch, 5. März 2003 08:41 An: suse-security@suse.com Betreff: RE: AW: [suse-security] SuSE Security Announcement: sendmail (SuSE-SA:2003:013)
last nite I downloaded the patch for "sendmail" However, i have my copy of "sendmail" turned off, put I was planning to turn it on soon, when I saw Martin's post and wondered how many have switched to Wietse Venema's "postmix, which SuSE has a version for my 8.0 box, and probably for 8.1 too--- i tried to load "postfix" but it conflicts w/send mail -- so .....what to do??? comments, anyone.
--> In what way does it conflict with sendmail ? You can only run one MTA at a time. Though it should be ok to have both installed. So: "rpm -Uhv postfix..." should work
Then stop sendmail "rcsendmail stop" before starting postfix.
HTH, Armin
-- Am Hasenberg 26 office: Institut für Atmosphärenphysik D-18209 Bad Doberan Schloss-Straße 6 Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY Email: schoech@iap-kborn.de Tel. +49-(0)38293-68-102 WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
On Wednesday 05 March 2003 10:29, Jürgen Kaupe wrote:
I had to run "newaliases" one time after I switched from sendmail to postfix on my SuSE 7.2 box. Maybe s.th. similar in 8.x?
Yep. I had to run "sendmail -bi" (which is newaliases) and I had to "cd /etc/mail; make" in order to get going again after the upgrade. Kristian
To run make in the directory /etc/mail should be enough. The Makefile there does include the rebuild of /etc/aliases.db. ;-) On Mittwoch, 5. März 2003 13:46, Kristian Köhntopp wrote:
I had to run "sendmail -bi" (which is newaliases) and I had to "cd /etc/mail; make" in order to get going again after the upgrade.
-- Eat, sleep and go running, David Huecking. Encrypted eMail welcome! GnuPG/ PGP-Key: 0x57809216. Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
Jürgen Kaupe escribió:
Hi,
I had to run "newaliases" one time after I switched from sendmail to postfix on my SuSE 7.2 box. Maybe s.th. similar in 8.x?
How i do it the "update" on "running" server with sendmail (7.2 and 8.1)
- Make a "backup of critical files" : sendmail.cf,aliases, access
mailertable,local-host-names,relay-domains,virtusertables, etc.
(On 8.1 make a backup of /etc/sysconfig/(mail and sendmail)
- Stop sendmail : /etc/init.d/sendmail stop
- "rpm -Fhv /some_path/sendmail-XYZ.bug_patched.rpm"
- Now exec: "newaliases" and "makemap hash access
On Wed, 05 Mar 2003, GarUlbricht7 said:
Hi Uli and Martin --- <... last nite I downloaded the patch for "sendmail" However, i have my copy of "sendmail" turned off, put I was planning to turn it on soon, when I saw Martin's post and wondered how many have switched to Wietse Venema's "postmix, which SuSE has a version for my 8.0 box, and probably for 8.1 too--- i tried to load "postfix" but it conflicts w/send mail -- so .....what to do??? comments, anyone.
Postfix is a very fast, complete and easily understandable MTA, with many (very good) anti-UCE options (90% of the arriving spam here is rejected by Postfix with DNSBL, valid host/domainname checks, domain blacklist etc.). The version supplied with SuSe is 1.1.10 afaik, the source on postfix.org is at 2.0.4 now, with a lot of further improvements and features. Building a rpm for yourself is easy; after 'make', instead of 'make install' use checkinstall (also on the CDs) and a line for 'provides' (smtp_daemon postfix) to build and install Postfix. Remove sendmail, change two or three config variables in main.cf (well documented) and do 'postfix start'. I for one will never touch sendmail again after experiencing the relaxed way in which I can use a complex product like a MTA in the Postfix way. Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. SuSE 8.0 x86 Kernel k_Athlon 2.4.19-4GB See headers for PGP/GPG info.
participants (9)
-
Armin Schoech
-
Christopher Mahmood
-
David Huecking
-
GarUlbricht7@netscape.net
-
Gour
-
J.J.Gallardo
-
Jürgen Kaupe
-
Kristian Köhntopp
-
Theo v. Werkhoven