Security Basics mailing list archives

Re: Qmail passing sendmail vulnerability downstream


From: Bennett Todd <bet () rahul net>
Date: Tue, 11 Mar 2003 14:39:57 -0500

2003-03-10T14:12:04 Tim Thornton:
  I understand that Qmail is not vulnerable to the
recent Sendmail issue, but I want to know if Qmail will
still forward the sendmail vulnerability "modified
oversized header" downstream to other MTAs, thus
leaving downstream sendmail servers open to the
vulnerability.

I don't know if it _does_, but it would not be incorrect for it to
do so.

The message headers in question are odd, and unexpected, but this
isn't an issue of a technically illegal header that sendmail doesn't
defend against; it's a theoretically valid if extremely weird header
that provokes unexpected behavior from a real bug in sendmail.

Given qmail's componentized modular architecture, it should be
fairly reasonable to plug a filtering component in the mail flow
path. I haven't used qmail in a few years, don't know for sure what
API would be most convenient for such filtering, but if an
SMTP->SMTP passthrough proxy would be convenient I've got a
framework[1] for assembling such proxies that would make this pretty
easy. A proxy that quarantined any message that contained a long
string of <><> anywhere in the headers (i.e. before the first
\r\n\r\n of the DATA body) would have very few false positives and
would be quite straightforward.

-Bennett
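
The header check described in the message above, as an added example that is not part of the original post or of the framework it mentions. The threshold for a "long" run, the function names, and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumption: the post does not quantify "long"; 16 consecutive "<>" pairs
# is a constructed threshold. Tune it against real mail before deploying.
MIN_PAIRS = 16
RUN = re.compile(rb"(?:<>){%d,}" % MIN_PAIRS)


def header_block(data: bytes) -> bytes:
    """Return everything before the first CRLF CRLF of the DATA payload.
    If no blank line is present, the whole payload is treated as headers."""
    end = data.find(b"\r\n\r\n")
    return data if end == -1 else data[:end]


def join_folded(headers: bytes) -> bytes:
    """Join folded continuation lines (dropping the fold whitespace) so a
    run that is split across physical lines still matches."""
    return re.sub(rb"\r\n[ \t]+", b"", headers)


def should_quarantine(data: bytes) -> bool:
    """True when the headers contain a long unbroken run of "<>" pairs."""
    return RUN.search(join_folded(header_block(data))) is not None


# Constructed sample messages (not captured traffic).
CLEAN = (b"Return-Path: <>\r\nFrom: Alice <alice@example.org>\r\n"
         b"Subject: hello\r\n\r\nbody text\r\n")
RUN_IN_HEADER = b"From: " + b"<>" * 40 + b" user@example.org\r\n\r\nbody\r\n"
RUN_FOLDED = (b"To: " + b"<>" * 10 + b"\r\n\t" + b"<>" * 10 +
              b"\r\nSubject: x\r\n\r\nbody\r\n")
RUN_IN_BODY_ONLY = b"Subject: ascii art\r\n\r\n" + b"<>" * 40 + b"\r\n"

if __name__ == "__main__":
    for name, msg in [("clean", CLEAN), ("header run", RUN_IN_HEADER),
                      ("folded run", RUN_FOLDED),
                      ("body only", RUN_IN_BODY_ONLY)]:
        action = "quarantine" if should_quarantine(msg) else "deliver"
        print(f"{name}: {action}")
```

The body is deliberately ignored, and a null sender such as `Return-Path: <>` stays well under the threshold, which is what keeps false positives low.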
