sendmail how secure is it

Printable View

March 5th, 2003, 01:09 PM
phaza7

sendmail how secure is it

Yes I know that email is one of the most common used ports on a pc. How to secure it or will it ever be truly secure. I love open source. Sendmail seems to me always needing patches is this because attackers attack it or is it because it is open to the world I know developer's R working on fixing this or that within it. I was just wandering what AO thought about the security of the sendmail daemon. Should coders be taught how to write more secure code vs. just writing code that works. It's seems to me maybe OS's will be more better with security in mind. I know that no one is perfect, but excellence is attainable which some coders do acquire. What R'ur thoughts :george:
March 5th, 2003, 01:27 PM
MrLinus

If I was setting up a secure mail server I'd look to products like Qmail, which are designed towards security. That doesn't mean that products like Sendmail cannot be secure. Perhaps the sendmail team needs to do what Bind did: build from scratch all over again.
March 5th, 2003, 01:43 PM
phaza7

Now that seems like at great idea.
March 5th, 2003, 11:08 PM
dAggressor

Sendmail is used in more than 50% of mail servers on the internet. That in itself makes it a target of choice. Anytime you have something that is that widely used it will be attacked continuously. The problem with sendmail is that it is a very secure server ........... if you know how to use it. Sendmail is a beast and there are lots of other servers (Qmail and Postfix to name a few) that are secure in themselves and a lot easier to configure. Sendmail give you more flexibility (in my opinion) but required great understanding to use the flexibility.

In short, sendmail is usually as secure as the mail admin.
March 6th, 2003, 01:14 AM
sweet_angel

try postfix http://www.postfix.org/

Quote:

What is Postfix? It is Wietse Venema's mailer that started life as an alternative to the widely-used Sendmail program.

Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.

This software was formerly known as VMailer. It was released by the end of 1998 as the IBM Secure Mailer. From then on it has lived on as Postfix.

cheers
March 6th, 2003, 03:08 PM
phaza7

Pak it seems I posted it in the sendmail update post already plus more
March 6th, 2003, 11:14 PM
tampabay420

ISS Security Advisory - A remote root vulnerability has been discovered in Sendmail v5.79 to 8.12.7 in the crackaddr() function which is used to parse headers. This vulnerability is especially dangerous because the exploit can be delivered within an email message and the attacker doesn't need any specific knowledge of the target to launch a successful attack. CVE number CAN-2002-1337. Homepage: http://xforce.iss.net.
March 30th, 2003, 06:03 AM
spurious_inode

Fun for the whole family :)

Try this one out, I used to almost die laughing at my own pranks while in University at the kind of reaction I could get out of people with forged email. This of course was pre-spam days (1989), so people actually read their email back then.

1) Telent to a sendmail server. Commands are shown in bold.

$ telnet mail.geeks.net 25
Trying 219.221.xx.xx...
Connected to mail.geeks.net.
Escape character is '^]'.
220 mail.geeks.net ESMTP Sendmail 8.12.2/8.12.2; Sat, 29 Mar 2003 21:52:52 -0700 (MST)
ehlo 31337.h4x0rz.com
250-mail.geeks.net Hello XXXX.XXXX.com [132.41.1.88], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE 34000000
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
mail from: [email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to: [email protected]
250 2.1.5 [email protected]... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Look mom, UNIX is fun for the whole family.
.

250 2.0.0 h2U4qqoB003642 Message accepted for delivery
quit
221 2.0.0 mail.geeks.net closing connection
Connection closed by foreign host.

---
I'll leave it up to your imagination as to how you can have fun with this little
feature in sendmail.
March 30th, 2003, 07:41 AM
Trust_Not_123

So would i be correct in saying that IPAM clients, ie, Hotmail would be the most insecure way or sending and recieving emails??
March 30th, 2003, 08:42 AM
PuReExcTacy

Seems that sendmail is continually being worked on, but as dAggressor mentioned before, it's very widely used, that makes it a big target, so, even if it does get patched, you have to remember, you've got some of the brightest minds in the world thinking of nothing but that next exploit. So, that's something you might want to consider if you gonna run a mail server.

PuRe
March 30th, 2003, 08:57 AM
spurious_inode

Sendmail has been around in varying states and iterations since the mid-70's, and is basically the MTA on the internet. The good part is that at this point there are no real vulnerabilities common to all versions of sendmail, so a Sun box is not likely to have the same exploit as an AIX box at the same time, etc.

In this way it is kind of like BIND, while there have been all kinds of exploits for it over it's lifetime, there has yet to be an alternative that can provide the same or better service with less security risk.

As for IMAP, it is not really all that insecure by nature, but as with all daemons it has had it's share of vulnerabilities. Also, the same applies to IMAP as does any of service; the specifics of the vulnerability are usually in the implementation and isolated to one vendors version.
March 30th, 2003, 12:27 PM
slarty

Quote:

Originally posted by spurious_inode
Fun for the whole family :)...
I'll leave it up to your imagination as to how you can have fun with this little
feature in sendmail. [/B]

It is not a bug, it's a feature. Any MTA would do the same.

You don't understand. Internet email has no authentication on the sender, so email servers *have* to trust and accept any email which looks vaguely plausible.

"Vaguely plausible" varies from site to site, needless to say it's not usually very difficult to make it sound plausible. Usually all that's required is an originating address in a domain that exists and the target doesn't know any better.

It cannot possibly distinguish you from the mail relay from foo.net - so it has to accept the message.
March 30th, 2003, 02:34 PM
spurious_inode

Quote:

Originally posted here by slarty
It is not a bug, it's a feature. Any MTA would do the same.

Great point Slarty, .... oh yeah that's right, I actually said:

Quote:

I'll leave it up to your imagination as to how you can have fun with this little feature in sendmail.

I didn't call it a bug, I called it a feature. Then I was corrected and told that it is not a bug, it's a feature. hmmmmmm.....

Your right, MTA's will do this because in the example given the commands manually step through the process of one MTA delivering mail to another. This does not take away from the fact that it is still fun to do.

Quick to succor and slow to flame I always say. I'll just chalk this one up to good intentions.

Thanks Slarty.
March 30th, 2003, 11:36 PM
ConsummatumEst

When I first got into computer security, I remember sendmail being the joke of the industry. Sendmail has a very spotty past in the computer security world. It's reputation then is probably comparable to IIS's reputation today. Lots of people use it, but no one ever really trusts it. In the past few years, though, it seemed like the folks who develop sendmail had learned from past mistakes and sendmail was actually beginning to look like a fairly secure product. Then someone went and found two serious exploits in under a month and any illusions I had were shattered. I guess it's time for me to take another look at Qmail et al.
March 31st, 2003, 12:50 AM
Mizo

what i suggest ist most simple thing , just go to www.download.com and download a mail server ! u can host it at your own pc and send and deliver mails . and u can secure your home pc better :>>> and those web -based mails ... sorry but sux !

Mizo

Knowlege is like fountain, students are there to drunk! :>>>
March 31st, 2003, 05:56 AM
smirc

Sendmail has been around for a while and has a reputation for having more holes than Swiss cheese. This is probably unfair since it has always been one of the most popular deamons used on the Internet, and so has had plenty of time for people to test it's security. Sendmail also took a major blow after the 1998 Morris worm crippled the Internet using a sendmail exploit.

Sendmail is also highly configurable which can be a good thing but it also makes it very hard to secure. If you want an idea of just how configurable sendmail is, it is the only mail deamon that I've ever heard of that can be reconfigured to effectively run as a web server, which is obviously not it's intended use. No I'm not making this up. ;)

When you think about it though, just about every major deamon has root exploit vulnerabilities found in the source including bind, wuftpd, proftpd, apache and dhcpd but has this stopped them from being the most popular deamons for their respected services? Not really.

The fact is, CERT has given network administrators the opportunity to effectively neutralise the impact of most root expoits because they can be patched relatively quickly allowing only a small window of opportunity for the kiddies to exploit new found bugs to their advantages. Zero day exploits are not all that common and are usually given high priority and fixed quickly. I'd be more worried about how quick my administrator is to apply patches and configure services properly, rather than the type of software being used.

Having said this there are those people with less than honourable intentions who find security holes, don't report them and use them to their advantage. But these sorts of people aren't your average script kiddies. They know what they're doing and don't feel the need to advertise their activities. If they really want to get into your system, they will, sendmail or not.
April 3rd, 2003, 08:30 PM
vescovono

We have used sendmail for years, and work to keep it up to date for security. It's like any kind of software or program, it needs to be maintained. Here are some of the more recent issues we are working on:

http://www.cert.org/advisories/CA-2003-07.html

http://www.cert.org/advisories/CA-2003-12.html

The problem being that with any of these alerts, we have to investigate and test the solution before we roll out into production and have to be especially weary of any patches that would overwrite sendmail.cf (HPUX) as we have modified that file for our use.

Also - these are listed in the advisories, but in case you just want these links and don't have them:

http://www.sendmail.com/security/

http://www.sendmail.org

Sendmail is a target, but it has worked for us since at least '96 so again, not the best, but it can be fixed... and fixed... and fixed.