sendmail how secure is it

Thread: sendmail how secure is it

  1. #1
    Banned
    Join Date
    Dec 2002
    Posts
    394

    sendmail how secure is it

    Yes, I know that email is one of the most commonly used ports on a PC. How to secure it, or will it ever be truly secure? I love open source. Sendmail seems to me always needing patches; is this because attackers attack it, or is it because it is open to the world? I know developers are working on fixing this or that within it. I was just wondering what AO thought about the security of the sendmail daemon. Should coders be taught how to write more secure code vs. just writing code that works? It seems to me maybe OSes will be better with security in mind. I know that no one is perfect, but excellence is attainable, which some coders do acquire. What are your thoughts?

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    If I was setting up a secure mail server I'd look to products like Qmail, which are designed towards security. That doesn't mean that products like Sendmail cannot be secure. Perhaps the sendmail team needs to do what Bind did: build from scratch all over again.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Banned
    Join Date
    Dec 2002
    Posts
    394
    Now that seems like a great idea.

  4. #4
    Member
    Join Date
    Jul 2001
    Posts
    62
    Sendmail is used in more than 50% of mail servers on the internet. That in itself makes it a target of choice. Anytime you have something that is that widely used it will be attacked continuously. The problem with sendmail is that it is a very secure server ... if you know how to use it. Sendmail is a beast and there are lots of other servers (Qmail and Postfix to name a few) that are secure in themselves and a lot easier to configure. Sendmail gives you more flexibility (in my opinion) but requires great understanding to use the flexibility.

    In short, sendmail is usually as secure as the mail admin.
    dAggressor

    It's a long life, until you die

  5. #5
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    try postfix http://www.postfix.org/
    What is Postfix? It is Wietse Venema's mailer that started life as an alternative to the widely-used Sendmail program.


    Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.


    This software was formerly known as VMailer. It was released by the end of 1998 as the IBM Secure Mailer. From then on it has lived on as Postfix.
    cheers

  6. #6
    Banned
    Join Date
    Dec 2002
    Posts
    394
    Pak it seems I posted it in the sendmail update post already plus more

  7. #7
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    ISS Security Advisory - A remote root vulnerability has been discovered in Sendmail v5.79 to 8.12.7 in the crackaddr() function which is used to parse headers. This vulnerability is especially dangerous because the exploit can be delivered within an email message and the attacker doesn't need any specific knowledge of the target to launch a successful attack. CVE number CAN-2002-1337. Homepage: http://xforce.iss.net.
    yeah, I'm gonna need that by friday...

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    Fun for the whole family

    Try this one out, I used to almost die laughing at my own pranks while in University at the kind of reaction I could get out of people with forged email. This of course was pre-spam days (1989), so people actually read their email back then.

    1) Telnet to a sendmail server. Commands are shown in bold.

    $ telnet mail.geeks.net 25
    Trying 219.221.xx.xx...
    Connected to mail.geeks.net.
    Escape character is '^]'.
    220 mail.geeks.net ESMTP Sendmail 8.12.2/8.12.2; Sat, 29 Mar 2003 21:52:52 -0700 (MST)
    ehlo 31337.h4x0rz.com
    250-mail.geeks.net Hello XXXX.XXXX.com [132.41.1.88], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE 34000000
    250-DSN
    250-ETRN
    250-DELIVERBY
    250 HELP
    mail from: prankster@foo.net
    250 2.1.0 prankster@foo.net... Sender ok
    rcpt to: a_real_user@geeks.net
    250 2.1.5 a_real_user@geeks.net... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    Look mom, UNIX is fun for the whole family.
    .

    250 2.0.0 h2U4qqoB003642 Message accepted for delivery
    quit
    221 2.0.0 mail.geeks.net closing connection
    Connection closed by foreign host.

    ---
    I'll leave it up to your imagination as to how you can have fun with this little
    feature in sendmail.
    Get OpenSolaris http://www.opensolaris.org/
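
Added example, not written by any poster in this thread: a banner triage check that reads a 220 greeting like the one in the telnet session above and compares the reported Sendmail version with the affected range quoted in the ISS advisory post (5.79 to 8.12.7). The function names and all sample greetings except the first are constructed for illustration; the check assumes the version before the slash is the daemon version.

```python
import re

# Affected range as quoted in the ISS advisory post above (CAN-2002-1337).
AFFECTED_MIN = (5, 79)
AFFECTED_MAX = (8, 12, 7)

# Greeting shape seen in the telnet session above:
#   "220 host ESMTP Sendmail 8.12.2/8.12.2; date"
# Assumption: the number before the slash is the daemon version.
BANNER_RE = re.compile(r"^220[ -]\S+.*?\bSendmail (\d+(?:\.\d+)+)")


def banner_version(line):
    """Return the Sendmail version in a 220 greeting as a tuple of ints, or None."""
    m = BANNER_RE.match(line.strip())
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def classify(line):
    """Triage one greeting: 'affected', 'not-in-range' or 'unknown'."""
    version = banner_version(line)
    if version is None:
        # Not Sendmail, or the greeting hides the version: the banner proves nothing.
        return "unknown"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "not-in-range"


# First line is the greeting from the thread; the rest are constructed samples.
SAMPLES = [
    "220 mail.geeks.net ESMTP Sendmail 8.12.2/8.12.2; Sat, 29 Mar 2003 21:52:52 -0700 (MST)",
    "220 mx1.example.test ESMTP Sendmail 8.12.8/8.12.8; Mon, 31 Mar 2003 09:00:00 +0000",
    "220 old.example.test Sendmail 8.9.3/8.9.3 ready",
    "220 mx2.example.test ESMTP Postfix",
    "220 quiet.example.test ESMTP",
]

if __name__ == "__main__":
    for greeting in SAMPLES:
        print(f"{classify(greeting):13} {greeting}")
```

The banner is self-reported, and a vendor package can carry a backported fix under an old version number, so the result is a patching-priority hint to confirm against the installed package.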

  9. #9
    Senior Member
    Join Date
    Nov 2002
    Posts
    482
    So would I be correct in saying that IPAM clients, i.e., Hotmail would be the most insecure way of sending and receiving emails??
    - Trying is the first step towards failure. the moral is never try.
    - It's like something out of that twilighty show about that zone.
    ----Homer J Simpson----

  10. #10
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Seems that sendmail is continually being worked on, but as dAggressor mentioned before, it's very widely used, and that makes it a big target, so even if it does get patched, you have to remember, you've got some of the brightest minds in the world thinking of nothing but that next exploit. So, that's something you might want to consider if you're gonna run a mail server.



    PuRe
    Like this post? Visit PuRe's Information Technology Community. We've also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com
