Sendmail out-of-box secure enough?
Hello list,

Here is a question, perhaps a little naive :-) I am not a sendmail expert at all and I do wonder... Is sendmail in SuSE Linux out-of-the-box secure enough for a host with a permanent connection to the inet? I mean just setting the configuration "Host with permanent network connection" in Yast2...

In case it is not (I guess), what minimal config do you propose to run a sendmail to just deliver emails from localhost to the inet and to allow receiving only emails for its own domain? Any good recommendations?

Cheers,
Pep Serrano.
Yep, and you can update Sendmail, as is the case with all packages, with Yast on-line update.

Regards,
Jon

----- Original Message -----
From: "Pep Serrano" <pep@serrano.net>
To: <suse-security@suse.com>
Sent: Saturday, April 13, 2002 11:59 AM
Subject: [suse-security] Sendmail out-of-box secure enough?
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Sorry for being so faithless... Not even a warning? I can just run it out-of-box and leave it connected to the wild inet? That's great!

On Saturday 13 April 2002 23:29, Jon wrote:
Yep, and you can update Sendmail, as is the case with all packages, with Yast on-line update.
And what solution is out there for a secure POP server? SSH forwarding? Pep Serrano
Well, thousands do use Sendmail. Security looks more at the mail IMAP/POP access rather than the MTA. I always recommend port forwarding over an SSH tunnel for any access. You can set up POPS and IMAPS, that is fairly easy, but if your access is only a few folks, have them SSH into the account, and then port-forward from the remote client to the POP or IMAP remote ports. This can all be placed in the ssh conf for the local user, or system-wide, like I do on a laptop.

Regards,
Jon

----- Original Message -----
From: "Pep Serrano" <pep@serrano.net>
To: <suse-security@suse.com>
Sent: Saturday, April 13, 2002 3:22 PM
Subject: Re: [suse-security] Sendmail out-of-box secure enough?
Hi,

On 13-Apr-02 Jon wrote:
Well thousands do use Sendmail.
and use an old and unsecured mailserver. Change to qmail and you will have a secure mailserver that needs fewer resources, and if you follow the instructions of lifewithqmail you are independent from inetd, because qmail uses Dan Bernstein's tcpserver.

Suse.com itself runs Qmail, and this list is handled by ezmlm, the listserver that Dan Bernstein suggests for qmail.

Regards,
Ruprecht

----------------------------------
E-Mail: Ruprecht Helms <rhelms@mayn.de>
Date: 14-Apr-02
Time: 09:50:30
to be informed -> http://www.rheyn.de <-
This message was sent by XFMail
----------------------------------
I would suggest reading the documentation for Qmail and Sendmail to see what you wish to use. It's a myth that Sendmail is insecure. The problem usually is between the keyboard and the chair.

I have 6 large mailservers at work that process about 2 million pieces of mail a day and Sendmail rocks.

You're right about SuSE using qmail and ezmlm for this list..but most of SuSE runs on Postfix...which is another good MTA to look at.

-=Ben
--=====-----=====--
mailto:ben@whack.org
--=====--
"I've never been quarantined. But the more I look around the more I think it might not be a bad thing." -GC
--=====-----=====--
Right, all myth, fact is Qmail AND Postfix are slow compared to Sendmail 8.12, and sheer volume, Sendmail servers are moving 120 messages a second in places using the MMA Milter.

Regards,
Jon

----- Original Message -----
From: "Ben Rosenberg" <ben@whack.org>
To: <suse-security@suse.com>
Sent: Sunday, April 14, 2002 1:34 AM
Subject: Re: [suse-security] Sendmail out-of-box secure enough?
Well, I got my fingers burnt with sendmail where my site was relaying messages. Some good help from the folks on this list, but in the end I've switched sendmail off for now. Some of my main problems however were derived from scripts I was using, e.g. Matt's scripts (which have now been updated), and phpMyAdmin.

In article <010401c1e3e6$01aef130$1900a8c0@minniemouse>, Jon <marsaro@interearth.com> wrote:
Right, all myth, fact is Qmail AND Postfix are slow compared to Sendmail 8.12, and sheer volume, Sendmail servers are moving 120 messages a second in places using the MMA Milter.
--
Dr. Delia Wakelin
Division of Psychology
University of Northumbria
Newcastle upon Tyne NE1 8ST
Tel: 44 (0) 191 227 4958
email mailto:d.wakelin@unn.ac.uk
www http://www.unn.ac.uk/~evdw3
* Jon wrote on Sun, Apr 14, 2002 at 11:55 -0700:
Right, all myth, fact is Qmail AND Postfix are slow comparred to Sendmail 8.12,
Are you sure? Did you really do *good* testing? I've heard the opposite some time ago...
and sheer volume, Sendmail Servers are moving 120 messages a second in places using the MMA Milter.
What is a "MMA Milter"? I have no real testing, since in most cases the networks or remote MTAs are much slower; by this I think postfix, qmail and sendmail are at least fast enough :)

oki,
Steffen

--
This message was produced by machine, so it bears neither signature nor seal.
* Steffen Dettmer (steffen@dett.de) [020415 01:56]:
::
::What is a "MMA Milter"? I have no real testing, since on most
::cases the networks or remote MTAs are much slower, by this I
::think postfix, qmail and sendmail are at least fast enough :)
::

When you see "milter" think of mail filter. As far as the MMA milter I would check out Sendmail's site.

As far as relaying is concerned you should most likely specify in /etc/mail/access who can relay and deny all others. I don't believe this is configured by default in SuSE. I've also bitched for years that they should stop having it start with the -bd switch. Taking the -bd switch out of the options for when sendmail starts will make it so it doesn't accept connections..it just sends mail out. If you have a webserver or something else that isn't a mailserver at all..then you don't need to accept mail, just send. :)

-=Ben
--=====-----=====--
mailto:ben@whack.org
--=====--
"I've never been quarantined. But the more I look around the more I think it might not be a bad thing." -GC
--=====-----=====--
Mass Mailer Array, part of the HVMS stuff: http://store.sendmail.com/pdfs/datasheets/ds_hvms.pdf

Basically a way to pump mail out in huge volumes or time sensitive windows, like account updates for Banks or Airline info for ticket tracking. This says 500k per hour (CYA), but on SuSE SLES I have seen 9.5 million over 8 hours in the Lab, better than FreeBSD with Soft updates, simply because of the threading advantages in SMP.

Regards,
Jon

----- Original Message -----
From: "Ben Rosenberg" <ben@whack.org>
To: <suse-security@suse.com>
Sent: Monday, April 15, 2002 11:08 AM
Subject: Re: [suse-security] Sendmail out-of-box secure enough?
On Mon, 15 Apr 2002, Ben Rosenberg wrote:

br> * Steffen Dettmer (steffen@dett.de) [020415 01:56]:
br> ::
br> ::What is a "MMA Milter"? I have no real testing, since on most
br> ::cases the networks or remote MTAs are much slower, by this I
br> ::think postfix, qmail and sendmail are at least fast enough :)
br> ::
br>
br> When you see "milter" think of mail filter. As far as the MMA milter I
br> would check out sendmails site.
br>
br> As far as relaying is concerned you should most likely specify in
br> /etc/mail/access who can relay and deny all others. I don't believe this

I had to also add my Windows computers to the 'relay-domains' file in order for them (Outlook Express or Mozilla Mail) to be able to send mail. The Linux computers worked fine with just 'access' being modified.

br> is configured by default in SuSE. I've also bitched for years that
br> they should stop having it start with the -bd switch. Taking the -bd
br> switch out of the options for when sendmail starts will make it so it
br> doesn't accept connections..it just sends mail out.

Always wondered about that, never quite understood the reasoning for it being the default.

br> If you have a webserver or something else that isn't a mailserver at
br> all..then you don't need to accept mail, just send. :)
br>
br> -=Ben
br>

--
S.Toms - smotrs at mindspring.com - www.mindspring.com/~smotrs
SuSE Linux v7.3+ - Kernel 2.4.10-4GB
On Mon, 15 Apr 2002, S.Toms wrote:

> br> is configured by default in SuSE. I've also bitched for years that
> br> they should stop having it start with the -bd switch. Taking the -bd
> br> switch out of the options for when sendmail starts will make it so it
> br> doesn't accept connections..it just sends mail out.
>
> Always wondered about that, never quite understood the reasoning for it being the default.
>
> br> If you have a webserver or something else that isn't a mailserver at
> br> all..then you don't need to accept mail, just send. :)
> br>

Thanks, Ben, for the warning. Usually I have a simple sendmail using SuSE defaults to send only (fetchmail for incoming), no intentional relaying. I have this in sendmail.rc.config:

SENDMAIL_ARGS="-bd -om"
SENDMAIL_EXPENSIVE="yes"

If I change to simply:

SENDMAIL_ARGS="-om"

will I have the correct set up?

Regards, dproc
On Tue, 16 Apr 2002 dproc@dol.net wrote:

d> On Mon, 15 Apr 2002, S.Toms wrote:
d>
d> > br> is configured by default in SuSE. I've also bitched for years that
d> > br> they should stop having it start with the -bd switch. Taking the -bd
d> > br> switch out of the options for when sendmail starts will make it so it
d> > br> doesn't accept connections..it just sends mail out.
d> >
d> > Always wondered about that, never quite understood the reasoning for it
d> > being the default.
d> >
d>
d> If I change to simply :
d>
d> SENDMAIL_ARGS="-om"
d>

Yep, that should work just fine.

d> will I have the correct set up?
d>
d> Regards, dproc
d>

--
S.Toms - smotrs at mindspring.com - www.mindspring.com/~smotrs
SuSE Linux v7.3+ - Kernel 2.4.10-4GB
Way back on Mon, Apr 15, 2002 at 11:08:28AM -0700, Ben Rosenberg wrote:
As far as relaying is concerned you should most likely specify in /etc/mail/access who can relay and deny all others. I don't believe this is configured by default in SuSE.
I've read many, many places that as of v8.9.3, sendmail does not relay by default. To my surprise, I was informed by a relay testing server that I was running an open relay, and, sure enough, my sendmail DOES relay. I had a line "127 RELAY" in /etc/mail/access, so I removed that line, leaving access empty, but upon retesting, I'm still relaying. It's not a huge exposure, dynamic IP, brief connections, but it's not right, and I intend to fix it.

I receive my mail via fetchmail, which hands off to sendmail on port 25, and I send to my smarthost, via delayed queueing, and flush the queue when fetchmail is connected anyway. So, with these simple needs, I should be able to restrict sendmail to relaying only to or from localhost. I thought that's what the oft-mentioned "by default no relay" remarks meant.

If someone knows offhand, maybe they can reduce my research: Has SuSE done something to enable relaying by default? Do I need some stuff in my access database to restrict relaying, even if I really don't want to relay anything from outside to outside? If so, what's the access line for "deny all except to/from localhost"?

The docs and faqs I'm reading all go into elaborate detail on the subject of allowing controlled relaying, whereas I'm more interested in NO relaying.
I've also bitched for years that they should stop having it start with the -bd switch. Taking the -bd switch out of the options for when sendmail starts will make it so it doesn't accept connections..it just sends mail out. If you have a webserver or something else that isn't a mailserver at all..then you don't need to accept mail, just send. :)
I tried turning off the sendmail daemon, per the above reasoning. But then fetchmail began failing, and per the fetchmail FAQ, I needed to have an SMTP listener for fetchmail to pass the mail to. When I was first setting up fetchmail, I tried using procmail as the mda, but for reasons now long forgotten, I went back to sendmail. I think there were problems parsing mailing lists, and my wife's mail stream, that made sendmail receive mail better. And in any case, I'd like to take charge of this important part of my system.

FWIW, I'm still running SuSE 6.3, sendmail 8.9.3, and my settings are as follows:

/etc/mail/{access,mailertable,userdb,virtusertable} are all empty

/etc/mail/service-nodns.switch contains:

hosts files
aliases files

/etc/{rc.config,rc.config.d/sendmail.rc.config} settings:

DHCPD_INTERFACE=""
DHCRELAY_SERVERS="127.0.0.1 127.0.0.2"
FQHOSTNAME="not.a.registered.domain"
FROM_HEADER="eskimo.com"
FW_START="no"
SENDMAIL_ARGS="-bd -om"
SENDMAIL_DIALUP="yes"
SENDMAIL_EXPENSIVE="yes"
SENDMAIL_GENERICS_DOMAIN=""
SENDMAIL_LOCALHOST="localhost"
SENDMAIL_NOCANONIFY="yes"
SENDMAIL_NODNS="yes"
SENDMAIL_RELAY=""
SENDMAIL_SMARTHOST="smtp:mail.eskimo.com"
SENDMAIL_TYPE="yes"
SMTP="yes"
USEPEERDNS=yes

and the resulting .mc file, before m4 renders it into sendmail.cf, is:

divert(-1)
include(`/usr/share/sendmail/m4/cf.m4')
divert(0)dnl
VERSIONID(`@(#)Setup for SuSE Linux 8.9.3-0.1 (SuSE Linux) 26/10/1999')
OSTYPE(`suse-linux')dnl
define(`SMART_HOST', `smtp:mail.eskimo.com')dnl
FEATURE(`expensive')dnl
FEATURE(`nocanonify')dnl
HACK(`nodns')dnl
FEATURE(`dialup', `not.a.registered.domain')dnl
MASQUERADE_AS(`eskimo.com')dnl
FEATURE(`masquerade_envelope')dnl
MAILER(`local')dnl
MAILER(`procmail')dnl
MAILER(`smtp')dnl
MAILER(`uucp')dnl
MAILER(`bsmtp')dnl
MAILER(`fido')dnl
LOCAL_CONFIG
Cw localhost

Anyone see an "ENABLE RELAYING" statement in that config?

TIA,
Jim
I can't answer your questions but I might be able to solve your problem! You can configure fetchmail to distribute local mail using procmail instead of sendmail (I believe sendmail uses procmail in the long run anyway). Here is an example from my fetchmail configuration:

set logfile "/var/log/fetchmail"
set postmaster "root"
set properties ""
set daemon 300

poll smtp.your.isp.com proto pop3
    user "your_pop3_userid"
    pass "your_pop3_password"
    is your_local_userid
    fetchall
    mda "/usr/bin/procmail -d %T"

If this works for you then I think (based on your description of what you are doing) you can simply stop running sendmail as a daemon.

--
Robert C. Paulsen, Jr.
robert@paulsenonline.net
On Sun, 19 May 2002 19:10:27 -0700 Jim Osborn <jimo@eskimo.com> wrote:
I've read many, many places that as of v8.9.3, sendmail does not relay by default.
Yes, this is true. I am using SuSE's Sendmail 8.12.3 and it passes all the test at: http://www.abuse.net/relay.html All the domains and hosts that are allowed to relay are now put in /etc/mail/relay-domains.
To my surprise, I was informed by a relay testing server that I was running an open relay, and, sure enough, my sendmail DOES relay.
This is really strange, do you have a proxy or a forwarder sitting between the Internet and the mailer daemon? This will give false positives, I can attest to that first hand. You might also want to check your sendmail.cf to see if for some strange reason: promiscuous_relay is turned on.
I had a line "127 RELAY" in /etc/mail/access,
This line is a default and does not affect things. If you want to you can send me your sendmail.cf and submit.cf and see if I can find anything.

Charles

--
"Nature abhors a Vacuum"
-- Brian Behlendorf on OSS (Open Sources, 1999 O'Reilly and Associates)
On Sun, 19 May 2002, Jim Osborn wrote:
[...] To my surprise, I was informed by a relay testing server that I was running an open relay, and, sure enough, my sendmail DOES relay. I had a line "127 RELAY" in /etc/mail/access, so I removed that line, leaving access empty, but upon retesting, I'm still relaying. It's not a huge exposure, dynamic IP, brief connections, but it's not right, and I intend to fix it.
This line does no harm. Leave it in the access db. You could start sendmail with an additional -O DaemonPortOptions=Addr=127.0.0.1 to make it listen only on your loopback interface. This is default on SuSE since 8.0 (I think). Another approach would be to block incoming connections for port 25 with some filter rules.
If someone knows offhand, maybe they can reduce my research: Has SuSE done something to enable relaying by default? Do I need some stuff in my access database to restrict relaying, even if I really don't want to relay anything from outside to outside? If so, what's the access line for "deny all except to/from localhost"?
The docs and faqs I'm reading all go into elaborate detail on the subject of allowing controlled relaying, whereas I'm more interested in NO relaying.
The problem is the dialup-specific features/hacks. See below.
I tried turning off the sendmail daemon, per the above reasoning. But then fetchmail began failing, and per the fetchmail FAQ, I needed to have an SMTP listener for fetchmail to pass the mail to. When I
Recent versions of fetchmail use the procmail or sendmail binary if there is no listener on port 25. Don't know if your fetchmail does the same. See man fetchmail and look for keyword `mda'.
FEATURE(`expensive')dnl FEATURE(`nocanonify')dnl HACK(`nodns')dnl FEATURE(`dialup', `not.a.registered.domain')dnl
These features/hacks turn off several rulesets needed for spam detection and relaying. They indirectly call delay_all_checks, nocanonify, .... Have a look at the corresponding files in /usr/share/sendmail and the README file. (btw. you probably only need FEATURE(`expensive'))

Hope that helps.

--
Best regards / Mit freundlichen Gruessen,
Andreas Amann < andreas.amann@epost.de >
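The following is an added example, not code from any of the posts above and not part of Sendmail or SuSE. It is a small Python probe that does what the relay tester Jim ran (and the abuse.net test Charles cites) does, and so checks whether Ben's "specify in /etc/mail/access who can relay and deny all others" actually took effect: it offers the listener a sender and a recipient that are both foreign to it and reports whether the recipient is accepted (open relay) or refused. The host names and addresses in it (relay-probe.example, victim.example.org, fake.example) are constructed placeholders, and the fake SMTP server is a constructed stand-in so the script runs offline; `probe_relay` pointed at a real host and port checks an actual listener.

```python
"""Open-relay probe for an SMTP listener, plus a constructed fake server
so it can be exercised offline.

Added example: not code from the list posts, from Sendmail or from SuSE.
Names and addresses below are placeholders (assumptions, not from the thread)."""

import smtplib
import socketserver
import sys
import threading

# Constructed probe identities: both must be foreign to the server under test.
PROBE_HELO = "relay-probe.example"
PROBE_FROM = "relaytest@relay-probe.example"
PROBE_RCPT = "nobody@victim.example.org"


def probe_relay(host, port, helo=PROBE_HELO, mail_from=PROBE_FROM, rcpt_to=PROBE_RCPT):
    """Return "open", "closed" or "error" for the listener at host:port.

    A correctly configured MTA answers RCPT TO for a foreign recipient from a
    foreign sender with a 5xx reply (Sendmail: "550 5.7.1 Relaying denied");
    a 250 there means it would relay. The transaction is abandoned after
    RCPT (no DATA), so nothing is ever delivered.
    """
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            code, _ = smtp.helo(helo)
            if code != 250:
                return "error"
            code, _ = smtp.mail(mail_from)
            if code != 250:
                # Some MTAs already reject the foreign sender; not a relay.
                return "closed"
            code, _ = smtp.rcpt(rcpt_to)
            return "open" if code == 250 else "closed"
    except (OSError, smtplib.SMTPException):
        return "error"


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for an MTA. server.open_relay decides whether a
    foreign RCPT TO is accepted (open relay) or refused like Sendmail does."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 fake.example ESMTP (constructed test server)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb = raw.decode("ascii", "replace").strip().split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 fake.example")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Sender ok")
            elif verb == "RCPT":
                if self.server.open_relay:
                    self.reply("250 2.1.5 Recipient ok")
                else:
                    self.reply("550 5.7.1 Relaying denied")
            elif verb == "QUIT":
                self.reply("221 2.0.0 fake.example closing connection")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")


class FakeSMTPServer(socketserver.TCPServer):
    allow_reuse_address = True

    def __init__(self, open_relay):
        # Port 0: the kernel picks a free loopback port.
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)
        self.open_relay = open_relay


def probe_fake_server(open_relay):
    """Start a constructed server in a thread, probe it, shut it down."""
    server = FakeSMTPServer(open_relay)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        host, port = server.server_address
        return probe_relay(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(f"{sys.argv[1]}:{target_port} -> {probe_relay(sys.argv[1], target_port)}")
    else:
        print("constructed open relay   ->", probe_fake_server(True))
        print("constructed closed relay ->", probe_fake_server(False))
```

Run with no arguments it probes its own constructed open and closed servers; with a host and optional port it probes that listener. Run it from a machine outside your own network: the default "127 RELAY" entry Charles mentions means a probe from the box itself will always report "open", and a listener bound only to loopback as Andreas suggests is unreachable from outside in the first place, which is the point of that setting.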
* Ben Rosenberg wrote on Sun, Apr 14, 2002 at 01:34 -0700:
I would suggest reading the documentation for Qmail and Sendmail to see what you wish to use. It's a myth that Sendmail is insecure.
I think sendmail is much more difficult to configure than qmail. But sendmail has some features, i.e. address rewritings, that cannot be configured simply since they are complicated in themselves :)

oki,
Steffen

--
This message was produced by machine, so it bears neither signature nor seal.
Ruprecht Helms wrote:
Hi,
On 13-Apr-02 Jon wrote:
Well thousands do use Sendmail.
and use an old and unsecured mailserver. Change to qmail and you will have a secure mailserver that needs fewer resources and if you follow the instructions of lifewithqmail you are independent from inetd, because qmail uses Dan Bernstein's tcpserver.
[...] some versions of sendmail had their share of problems, but neither the actual version, nor most of the older 8.x variants are unsafe in terms of security holes; the ones which are vulnerable (e. g. to certain BoF attacks) have been patched in no time. Unauthorized relaying is another issue, but that has been changed per v8.9 (sendmail does not relay out-of-the-box anymore). I agree that it might be a better approach for really small mail setups not to use the relatively big sendmail as a primary MTA (for practical reasons, not because of lacking security), but in most other cases, sendmail provides reliable mail services, with high performance, stability and security, and a bunch of features you can't afford to miss if you implement bigger scale solutions.
Boris Lorenz <bolo@lupa.de> ---
participants (13)
- Andreas Amann
- Ben Rosenberg
- Boris Lorenz
- Charles Philip Chan
- Delia Wakelin
- dproc@dol.net
- Jim Osborn
- Jon
- Pep Serrano
- Robert C. Paulsen Jr.
- Ruprecht Helms
- S.Toms
- Steffen Dettmer