Bugtraq mailing list archives
TcpWrappers and Sendmail
From: nharkins () WELL COM (Neil Harkins)
Date: Tue, 15 Apr 1997 11:42:45 -0700
On Tue, 15 Apr 1997, Alan Brown wrote:
Sendmail does not do a forward DNS crosscheck on the PTR record associated with incoming IPs. I've switched sendmail to being called out of inetd.conf with a PARANOID hosts.deny entry. Currently I have some 135 hosts.deny lines against sendmail to lockout problem netblocks and domains. IMO if they're prevented from accessing the sendmail process it's a good thing, particularly as when calling it with -bs from inetd.conf, many of the load reducing checks are bypassed. :-(
I don't know how busy your mailserver is, but the additional overhead of inetd exec-ing into a sendmail can bog a moderately busy mailserver to death. Hence Eric added -DTCPWRAPPERS to sendmail 8.8.x. It works nicely, BUT it allows EXPNs, VRFYs, etc from the "bad" sites, and only disallows MAIL FROMs. Thus, I hacked 8.8.5 to have a two-tier wrapper that can disallow a connection, and/or disallow MAIL FROMs, and obviously, since it uses libwrap you can designate them as PARANOID in /etc/hosts.allow to solve your problem/concerns. With the following patch, you can have fields for "sendmail-connect" (what you are looking for), and "sendmail-mailfrom" (the default 8.8.x wrapper functionality) in /etc/hosts.allow: diff -c sendmail-8.8.5/src//conf.c sendmail-8.8.5-neilhacks/src/conf.c *** sendmail-8.8.5/src//conf.c Tue Jan 21 07:47:33 1997 --- sendmail-8.8.5-neilhacks/src/conf.c Tue Apr 1 17:51:40 1997 *************** *** 4017,4032 **** #if DAEMON bool ! validate_connection(sap, hostname, e) SOCKADDR *sap; char *hostname; ENVELOPE *e; { if (rscheck("check_relay", hostname, anynet_ntoa(sap), e) != EX_OK) return FALSE; #if TCPWRAPPERS ! if (!hosts_ctl("sendmail", hostname, anynet_ntoa(sap), STRING_UNKNOWN)) { # ifdef LOG if (LogLevel >= 4) --- 4018,4035 ---- #if DAEMON bool ! validate_connection(sap, hostname, e, tcpdstring) SOCKADDR *sap; char *hostname; ENVELOPE *e; + char *tcpdstring; { if (rscheck("check_relay", hostname, anynet_ntoa(sap), e) != EX_OK) return FALSE; #if TCPWRAPPERS ! /* if (!hosts_ctl("sendmail", hostname, anynet_ntoa(sap),STRING_UNKNOWN))*/ ! if (!hosts_ctl(tcpdstring, hostname, anynet_ntoa(sap),STRING_UNKNOWN)) { # ifdef LOG if (LogLevel >= 4) diff -c sendmail-8.8.5/src//daemon.c sendmail-8.8.5-neilhacks/src/daemon.c *** sendmail-8.8.5/src//daemon.c Tue Jan 14 18:01:05 1997 --- sendmail-8.8.5-neilhacks/src/daemon.c Sun Mar 9 11:42:40 1997 *************** *** 383,391 **** /* validate the connection */ HoldErrs = TRUE; ! 
nullconn = !validate_connection(&RealHostAddr,RealHostName, e); HoldErrs = FALSE; ! if (nullconn) break; #ifdef XLA --- 384,396 ---- /* validate the connection */ HoldErrs = TRUE; ! if(!validate_connection(&RealHostAddr,RealHostName, e,"sendmail-connect")){ ! /*fprintf(OutChannel,"\nAccess Denied.\n\n"); */ ! exit(0); ! } ! nullconn = !validate_connection(&RealHostAddr,RealHostName, e,"sendmail-mailfrom"); HoldErrs = FALSE; ! if (nullconn) break; #ifdef XLA diff -c sendmail-8.8.5/src//sendmail.h sendmail-8.8.5-neilhacks/src/sendmail.h *** sendmail-8.8.5/src//sendmail.h Tue Jan 14 17:51:49 1997 --- sendmail-8.8.5-neilhacks/src/sendmail.h Tue Apr 1 15:36:38 1997 *************** *** 1014,1020 **** extern char *hostnamebyanyaddr __P((SOCKADDR *)); extern char *anynet_ntoa __P((SOCKADDR *)); # if DAEMON ! extern bool validate_connection __P((SOCKADDR *, char *, ENVELOPE *)); # endif #endif --- 1014,1020 ---- extern char *hostnamebyanyaddr __P((SOCKADDR *)); extern char *anynet_ntoa __P((SOCKADDR *)); # if DAEMON ! extern bool validate_connection __P((SOCKADDR *, char *, ENVELOPE *, char *)); # endif #endif [END] Enjoy, although be careful what you wrap out. Most POP Mail clients that send using SMTP will hang indefinitely if that connection closes immediately after opening. Also, other mailservers sending to you will simply queue the message and retry it, until it is time to give up. (Actually, Sendmail will try your second MX host, if it exists, but qmail (yuk) will queue it, and keep trying that first host, because it thinks it screwed up on the HELO (Qmail author, please fix!)). Anyway, these are probably the reasons why Eric wrapped only MAIL FROMs, to be considerate of the other postmaster, and give them a message rather than fill up their queue. But, this is a "bad" site, right? IMO, this is much better than black hole-ing all net traffic from them, just what they abuse.
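Review bot: in the conf.c hunk, hosts_ctl() now looks up `tcpdstring` instead of the literal "sendmail", so every existing `sendmail:` entry in /etc/hosts.allow and /etc/hosts.deny silently stops matching once this build is installed; that should be stated in the notes accompanying the patch, and the commented-out old call (`! /* if (!hosts_ctl("sendmail", hostname, anynet_ntoa(sap),STRING_UNKNOWN))*/`) should be deleted rather than left beside the new one. Since two different daemon names can now reject the same peer, the LogLevel >= 4 log entry that follows (its body is outside the hunk) ought to include tcpdstring so the operator can see which tier fired.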
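Review bot: in the daemon.c hunk, a "sendmail-connect" rejection calls `exit(0)` without sending any SMTP reply, which is exactly the silent close the covering text says makes POP clients hang and makes some peers keep retrying the same host; sending a final reply line (a 554 or 421 code) before exiting, rather than leaving `/*fprintf(OutChannel,"\nAccess Denied.\n\n"); */` commented out, gives the peer a definitive answer, and a non-zero exit status would make the refusal visible to whatever wraps the child. The hunk also calls validate_connection() twice for every accepted peer, so the `check_relay` ruleset behind rscheck() runs twice per connection; splitting the libwrap lookup from the ruleset check would avoid the duplicate work.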
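Review bot: the sendmail.h hunk changes the validate_connection() prototype but documents neither the new `char *` argument nor the two daemon-name strings the caller is expected to pass ("sendmail-connect" and "sendmail-mailfrom" in daemon.c); a comment at the prototype saying that the string is the libwrap daemon name looked up in hosts.allow/hosts.deny, and that it is ignored unless TCPWRAPPERS is defined, would tell anyone adding another call site or building without -DTCPWRAPPERS what to pass.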
-Neil _________________________________________________________________________ Neil Harkins nharkins () well com Network/System Administrator, The WELL 415-281-6500-x204