Re: FreeBSD Security Advisory FreeBSD-SA-06:13.sendmail



Ruslan Ermilov wrote:
On Thu, Mar 23, 2006 at 10:44:05AM +0200, Dmitry Pryanishnikov wrote:
[ ... ]
This doesn't change sendmail's identification string - it's still "8.13.1"
on RELENG_4_11, which makes detection of unpatched systems more difficult
to sysadmin. Wouldn't be wise to add, say, "-p1" to this string in
version.c?

It depends on what you think about whether it's good or not
that it's undetectable. I prefer it to be not-detectable.

Previous sendmail-based exploits involved hosts being compromised by automated
worms which try their attacks against every IP they can talk to on the SMTP
port, regardless of version number information displayed, or by malicious email
which exploited MIME header string buffer problems, a mechanism which also paid
no attention to the SMTP banner version info.

If someone wants to conceal the sendmail version info, there are mechanisms in
place to do so which solve that problem more effectively. If you don't want the
sendmail version numbers to appear in the banner on port 25, the better solution
is to add this to your sendmail.mc file:

define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b; no UCE; C=US, L=NY.')dnl

[ Adjust region, country code, and SMTP policy to suit your local needs. ]

If you also want to conceal version information in the mail headers, either
override the values of the $v and $Z macros, which are typically set like so:

# Configuration version number
DZ8.13.6

...or override the Received: header line being generated by changing this:

HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
        $.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)
        $.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}
                ^^^^^^^

I would like the output of "sendmail -d0.1" to correctly indicate what the
version actually is so I can track it, even if I felt it appropriate or
necessary to conceal that information from non-local users.

--
-Chuck

PS: I very much wish that software would not attempt to conceal which version it
actually is, because that fosters absurd situations like web browser User-agent
strings ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322)"). That version string is obscure all right, but hardly secure.

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
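
The distinction drawn in the message above (the version hidden from remote peers, but still recorded locally), as an added example that is not part of the original post: a small audit of a sendmail.cf that reports the local configuration version and whether the SMTP greeting or the Received: header still expands $v/$Z. The sample fragments are constructed, and the function names are hypothetical.

```python
import re

# Constructed sendmail.cf fragment (not from a real host): stock greeting,
# and a shortened form of the Received: header quoted in the message.
STOCK_CF = """\
# Configuration version number
DZ8.13.6
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
\t$.by $j ($v/$Z)$?r with $r$. id $i
"""

# Same fragment with the greeting from the message's confSMTP_LOGIN_MSG line.
QUIET_CF = STOCK_CF.replace(
    "$j Sendmail $v/$Z; $b", "$j Sendmail; $b; no UCE; C=US, L=NY.")

# $v = sendmail binary version, $Z = configuration version.
VERSION_MACRO = re.compile(r"\$[vZ]")


def logical_lines(cf_text):
    """Join continuation lines (leading whitespace) and drop comments."""
    lines = []
    for raw in cf_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def version_exposure(cf_text):
    """Report where $v/$Z would be shown to remote peers."""
    report = {"config_version": None, "greeting": False, "received": False}
    for line in logical_lines(cf_text):
        if line.startswith("DZ"):
            report["config_version"] = line[2:]
        elif line.startswith("O SmtpGreetingMessage="):
            report["greeting"] = bool(VERSION_MACRO.search(line))
        elif line.startswith("HReceived:"):
            report["received"] = bool(VERSION_MACRO.search(line))
    return report


if __name__ == "__main__":
    for name, cf in (("stock", STOCK_CF), ("quiet", QUIET_CF)):
        print(name, version_exposure(cf))
```

Changing only the greeting leaves the Received: header exposing the version, which is why the message treats the two as separate settings.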


