--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: sendmail: GreetPause:localhost in access file has unexpected consequences
- From: Michael Grant <mgrant@grant.org>
- Date: Sat, 15 Oct 2016 08:36:12 -0400
- Message-id: <147653497244.17679.13989678113839071829.reportbug@strange.networkguild.org>
Package: sendmail
Version: 8.15.2-6
Severity: normal
Dear Maintainer,

If you put lines like this in the access file:

    GreetPause:localhost 0

this allows spammers to bypass the greet pause by simply setting
their reverse DNS (PTR record) to 'localhost'. When this happens, I
see lines like this in the log file:

    Oct 7 03:53:18 example sm-mta[9080]: NOQUEUE: connect from localhost [1.2.3.4] (may be forged)

and greetpause gets bypassed.

Simply changing the line to use an IP address:

    GreetPause:127.0.0.1 0

causes sendmail to properly allow only localhost (127.0.0.1) to
bypass the greetpause.

In other words, the access file did not do a DNS lookup on 'localhost'
in the access file before checking for a match.

Secondly, I think greetpause matched on the forged name rather
than the real IP address from the network connection.
-- Package-specific info:
Output of /usr/share/bug/sendmail/script:
ls -alR /etc/mail:
/etc/mail:
total 1060
drwxr-sr-x 8 smmta smmsp 4096 Oct 14 19:59 .
drwxr-xr-x 145 root root 12288 Oct 15 07:27 ..
-rwxr-xr-- 1 root smmsp 12681 Sep 24 04:27 Makefile
-rw-r--r-- 1 root smmsp 59488 Oct 14 19:59 access
-rw-r----- 1 smmta smmsp 86016 Oct 14 19:59 access.db
-rw-r--r-- 1 root smmsp 59422 Oct 10 18:00 access.old
-rw-r--r-- 1 smmta smmsp 281 Feb 11 2013 address.resolve
-rw-r--r-- 1 smmta smmsp 17989 Oct 9 16:45 aliases
-rw-r--r-- 1 smmta smmsp 40960 Oct 9 16:45 aliases.db
-rw-r--r-- 1 root smmsp 17877 Oct 9 16:45 aliases.old
drwxr-sr-- 2 smmta smmsp 4096 Mar 4 2016 certs
-rw-r--r-- 1 smmta smmsp 16675 Mar 12 2014 charm.networkguild.org.mc
-rw-r--r-- 1 root smmsp 3739 Sep 24 04:27 databases
-rw-r----- 1 smmta smmsp 56 Mar 22 2015 default-auth-info
-rw-r--r-- 1 root smmsp 235 Oct 9 16:45 genericstable
-rw-r----- 1 root smmsp 12288 Oct 9 16:45 genericstable.db
-rw-r--r-- 1 root smmsp 235 Oct 9 16:45 genericstable.old
-rw-r--r-- 1 smmta smmsp 5659 May 10 2015 helpfile
-rw-r--r-- 1 smmta smmsp 1419 Oct 9 16:45 local-host-names
-rw-r--r-- 1 root smmsp 1419 Oct 9 16:45 local-host-names.old
drwxr-sr-x 2 smmta smmsp 4096 Oct 15 07:24 m4
-rw-r--r-- 1 smmta smmsp 300 Oct 9 16:45 mailertable
-rw-r----- 1 root smmsp 12288 Oct 9 16:45 mailertable.db
-rw-r--r-- 1 root smmsp 300 Oct 9 16:45 mailertable.old
drwxr-xr-x 2 smmta smmsp 4096 Sep 23 05:42 peers
-rw-r--r-- 1 root smmsp 0 Dec 25 2015 relay-domains
drwxr-xr-x 2 smmta smmsp 4096 May 20 2015 sasl
-rw-r--r-- 1 root smmsp 84657 Sep 24 04:27 sendmail.cf
-rw-r--r-- 1 root smmsp 84429 Jan 29 2016 sendmail.cf.backup-BD
-rw-r--r-- 1 root root 84748 Sep 23 05:43 sendmail.cf.old
-rw-r--r-- 1 root root 12236 Sep 23 05:43 sendmail.conf
-rw-r--r-- 1 root smmsp 10742 Sep 24 04:27 sendmail.mc
-rw-r--r-- 1 root smmsp 11061 Mar 4 2016 sendmail.mc-
-rw-r--r-- 1 root smmsp 10704 Jan 29 2016 sendmail.mc.backup-BD
-rw-r--r-- 1 smmta smmsp 149 Feb 11 2013 service.switch
-rw-r--r-- 1 smmta smmsp 180 Feb 11 2013 service.switch-nodns
drwxr-sr-x 2 smmta smmsp 4096 May 20 2015 smrsh
lrwxrwxrwx 1 root root 15 Aug 29 17:14 spamassassin -> ../spamassassin
-rw-r--r-- 1 root smmsp 44696 Sep 23 05:43 submit.cf
-rw-r--r-- 1 root root 44695 Sep 23 05:43 submit.cf.old
-rw-r--r-- 1 root smmsp 2453 Sep 23 05:43 submit.mc
drwxr-xr-x 2 smmta smmsp 4096 Feb 24 2016 tls
-rw-r--r-- 1 smmta smmsp 6 Jan 10 2015 trusted-users
-rw-r--r-- 1 smmta smmsp 37416 Oct 9 16:45 virtusertable
-rw-r----- 1 root smmsp 86016 Oct 9 16:45 virtusertable.db
-rw-r--r-- 1 root smmsp 37256 Oct 9 16:45 virtusertable.old
/etc/mail/certs:
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
l????????? ? ? ? ? ? 38d751eb.0
l????????? ? ? ? ? ? 6e803117.0
-????????? ? ? ? ? ? dh_2048.pem
-????????? ? ? ? ? ? dh_4096.pem
l????????? ? ? ? ? ? f131b364.0
-????????? ? ? ? ? ? geotrust-ca.crt
-????????? ? ? ? ? ? networkguild.org.crt
-????????? ? ? ? ? ? networkguild.org.csr
-????????? ? ? ? ? ? networkguild.org.key
-????????? ? ? ? ? ? strange.networkguild.org.crt
-????????? ? ? ? ? ? strange.networkguild.org.csr
-????????? ? ? ? ? ? strange.networkguild.org.key
-????????? ? ? ? ? ? sub.class1.server.ca.pem
/etc/mail/m4:
total 12
drwxr-sr-x 2 smmta smmsp 4096 Oct 15 07:24 .
drwxr-sr-x 8 smmta smmsp 4096 Oct 14 19:59 ..
-rw-r--r-- 1 root root 789 Jul 3 2014 clamav-milter.m4
-rw-r----- 1 root smmsp 0 Mar 12 2014 dialup.m4
-rw-r----- 1 root smmsp 0 Mar 12 2014 provider.m4
/etc/mail/peers:
total 12
drwxr-xr-x 2 smmta smmsp 4096 Sep 23 05:42 .
drwxr-sr-x 8 smmta smmsp 4096 Oct 14 19:59 ..
-rw-r--r-- 1 root root 328 Feb 11 2013 provider
/etc/mail/sasl:
total 16
drwxr-xr-x 2 smmta smmsp 4096 May 20 2015 .
drwxr-sr-x 8 smmta smmsp 4096 Oct 14 19:59 ..
-rw-r----- 1 smmta smmsp 885 May 20 2015 Sendmail.conf.2
-rwxr--r-- 1 root root 3689 Sep 23 05:43 sasl.m4
/etc/mail/smrsh:
total 8
drwxr-sr-x 2 smmta smmsp 4096 May 20 2015 .
drwxr-sr-x 8 smmta smmsp 4096 Oct 14 19:59 ..
lrwxrwxrwx 1 root smmsp 26 May 20 2015 mail.local -> /usr/lib/sm.bin/mail.local
lrwxrwxrwx 1 root smmsp 17 May 20 2015 procmail -> /usr/bin/procmail
/etc/mail/tls:
total 48
drwxr-xr-x 2 smmta smmsp 4096 Feb 24 2016 .
drwxr-sr-x 8 smmta smmsp 4096 Oct 14 19:59 ..
-rw-r--r-- 1 root root 7 May 20 2015 no_prompt
-rw------- 1 root root 1191 May 20 2015 sendmail-client.cfg
lrwxrwxrwx 1 root root 45 Aug 4 2015 sendmail-client.crt
-rw------- 1 root root 1005 May 20 2015 sendmail-client.csr
lrwxrwxrwx 1 root root 45 Aug 4 2015 sendmail-common.key
-rw-r----- 1 root smmsp 1598 May 20 2015 sendmail-common.prm
-rw------- 1 root root 1191 May 20 2015 sendmail-server.cfg
lrwxrwxrwx 1 root root 45 Aug 4 2015 sendmail-server.crt
-rw------- 1 root root 1005 May 20 2015 sendmail-server.csr
-rwxr--r-- 1 root root 3264 Sep 23 05:43 starttls.m4
sendmail.conf:
DAEMON_NETMODE="Static";
DAEMON_NETIF="eth0";
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="No";
DAEMON_MAILSTATS="No";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="10m";
QUEUE_PARMS="";
MSP_MODE="Cron";
MSP_INTERVAL="20m";
MSP_PARMS="";
MSP_MAILSTATS="${DAEMON_MAILSTATS}";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
LOG_CMDS="No";
HANDS_OFF="No";
AGE_DATA="";
DAEMON_RUNASUSER="No";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";
sendmail.mc:
divert(-1)dnl
divert(0)dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.14.4-4 2013-02-11 11:12:33 cowboy Exp $')
OSTYPE(`debian')
define(`_USE_ETC_MAIL_')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS=
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Name=MTA, Port=smtp')dnl
DAEMON_OPTIONS(`Name=MSP, Port=submission, M=Ea')dnl
define(`confLOG_LEVEL', `12')dnl
include(`/etc/mail/tls/starttls.m4')dnl
include(`/etc/mail/sasl/sasl.m4')dnl
define(`confAUTH_OPTIONS', `A,p,y')dnl
define(`confDH_PARAMETERS',`/etc/mail/certs/dh_2048.pem')
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
define(`confCONNECTION_RATE_THROTTLE', `3')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`60s')dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
define(`confMAX_DAEMON_CHILDREN', `100')dnl
define(`confTO_IDENT', `0')dnl
define(`confTO_COMMAND', `2m')dnl
define(`confTO_ICONNECT', `15s')dnl
define(`confTO_CONNECT', `3m')dnl
define(`confTO_HELO', `2m')dnl
define(`confTO_MAIL', `1m')dnl
define(`confTO_RCPT', `1m')dnl
define(`confTO_DATAINIT', `1m')dnl
define(`confTO_DATABLOCK', `10m')dnl
define(`confTO_DATAFINAL', `10m')dnl
define(`confTO_RSET', `1m')dnl
define(`confTO_QUIT', `1m')dnl
define(`confTO_MISC', `1m')dnl
define(`confTO_COMMAND', `1m')dnl
define(`confTO_STARTTLS', `2m')dnl
FEATURE(`delay_checks', `friend', `n')dnl
FEATURE(`block_bad_helo')
FEATURE(`badmx')
FEATURE(`use_cw_file')dnl
define(`confCW_FILE', `-o /etc/mail/local-host-names')
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access', `relaytofulladdress')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
FEATURE(blacklist_recipients)
FEATURE(`greet_pause', `12000')dnl used to be 5 seconds, upped to 12 seconds in June 2015 per
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
FEATURE(local_lmtp)
FEATURE(local_procmail)
FEATURE(`genericstable')dnl
GENERICS_DOMAIN(`example.com')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`nocanonify', `canonify_hosts')
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}, {auth_type}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}, {auth_type}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, {auth_type}, {greylist}')dnl
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass/spamass.sock, F=, T=S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`greylist',`S=local:/var/run/milter-greylist/milter-greylist.sock, F=, T=S:1m;R:1m')dnl
FEATURE(dnswl, `list.dnswl.org')
FEATURE(dnswl, `accredit.habeas.com')
FEATURE(dnswl, `query.bondedsender.org')
FEATURE(dnswl, `whitelist.surriel.com')
FEATURE(dnswl, `dnswl.inps.de')
FEATURE(dnsbl, `b.barracudacentral.org', `"550 Mail from " $&{client_addr} " BLOCKED/BRBL -- see http://www.barracudacentral.org/lookups/ip-reputation?ip=" $&{client_addr}')
FEATURE(dnsbl, `zen.spamhaus.org', `"550 Mail from " $&{client_addr} " BLOCKED/ZEN -- see http://www.spamhaus.org/query/ip/" $&{client_addr}')
FEATURE(rhsbl, `dbl.spamhaus.org',`"550 Mail from domain " $`'&{RHS} " BLOCKED/DBL -- see http://www.spamhaus.org/query/domain/" $`'&{RHS}')
FEATURE(dnsbl, `inv-sip.localhost', `"550 Mail from " $&{client_addr} " BLOCKED/INVSIP -- see http://dnsbl.invaluement.com/lookup/?item=" $&{client_addr}')
FEATURE(dnsbl, `inv-sip24.localhost', `"550 Mail from " $&{client_addr} " BLOCKED/INVSIP24 -- see http://dnsbl.invaluement.com/lookup/?item=" $&{client_addr}')
FEATURE(rhsbl, `inv-uri.localhost',`"550 Mail from domain " $`'&{RHS} " BLOCKED/INVURI -- see http://dnsbl.invaluement.com/lookup/?item=" $`'&{RHS}')
FEATURE(dnsbl, `rbl-r.localhost', `"550 Mail from " $&{client_addr} " BLOCKED/RBL+ -- see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr}')
FEATURE(dnsbl, `spam.dnsbl.anonmails.de', `"550 Mail from " $&{client_addr} " BLOCKED/ANDE -- see http://anonmails.de/dnsbl.php?ip=" $&{client_addr}')
FEATURE(dnsbl, `rbl-q.localhost', `"450 Mail from " $&{client_addr} " BLOCKED/QIL -- see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr}')
MAILER_DEFINITIONS
MAILER(procmail)
MAILER(`smtp')dnl
submit.mc...
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: submit.mc, v 8.14.8-1 2014-10-03 13:06:30 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-msp')dnl
define(`confDIRECT_SUBMISSION_MODIFIERS', `C')dnl
FEATURE(`msp', `[127.0.0.1]', `25')dnl
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (750, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.5.5-x86_64-linode69 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sendmail depends on:
ii sendmail-base 8.15.2-6
ii sendmail-bin 8.15.2-6
ii sendmail-cf 8.15.2-6
ii sensible-mda 8.15.2-6
sendmail recommends no packages.
Versions of packages sendmail suggests:
pn rmail <none>
pn sendmail-doc <none>
Versions of packages sensible-mda depends on:
ii libc6 2.24-3
ii procmail 3.22-25
ii sendmail-bin [mail-transport-agent] 8.15.2-6
Versions of packages libmilter1.0.1 depends on:
ii libc6 2.24-3
Versions of packages sendmail-bin depends on:
ii debconf 1.5.59
ii libc6 2.24-3
ii libdb5.3 5.3.28-12
ii libldap-2.4-2 2.4.42+dfsg-2+b3
ii liblockfile1 1.09-6
ii libsasl2-2 2.1.26.dfsg1-15
ii libssl1.0.2 1.0.2j-1
ii libwrap0 7.6.q-25
ii procps 2:3.3.12-2
ii sendmail-base 8.15.2-6
ii sendmail-cf 8.15.2-6
Versions of packages sendmail-bin suggests:
ii libsasl2-modules 2.1.26.dfsg1-15
ii openssl 1.0.2j-1
ii sasl2-bin 2.1.26.dfsg1-15
pn sendmail-doc <none>
-- no debconf information
--- End Message ---
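
Added example (not part of the original report, and not sendmail or Debian code): a Python check that lists GreetPause access entries keyed on a host name rather than an address, then finds logged connections marked "(may be forged)" whose client name matches such an entry. The access entries and log lines are constructed samples in the formats quoted in the report; the function names and the exact-or-parent-domain name matching are assumptions of this example.

```python
import re

# Constructed sample access entries (the two GreetPause forms are from the report).
ACCESS = """\
# local exemptions
GreetPause:localhost\t0
GreetPause:127.0.0.1\t0
GreetPause:192.0.2\t2000
Connect:198.51.100.7\tREJECT
"""

# Constructed log lines in the format quoted in the report.
LOG = """\
Oct  7 03:53:18 example sm-mta[9080]: NOQUEUE: connect from localhost [1.2.3.4] (may be forged)
Oct  7 03:54:02 example sm-mta[9091]: NOQUEUE: connect from localhost [127.0.0.1]
Oct  7 03:55:40 example sm-mta[9102]: NOQUEUE: connect from mail.example.net [203.0.113.9]
"""

# Keys that are a full or partial dotted quad, or an IPv6: literal, are address-based.
ADDR_KEY = re.compile(r"^(\d{1,3}(\.\d{1,3}){0,3}|IPv6:[0-9A-Fa-f:.]+)$")
CONNECT = re.compile(r"connect from (\S+) \[([^\]]+)\](.*)$")

def name_keyed_greetpause(access_text):
    """Return GreetPause keys that are host/domain names, not addresses."""
    keys = []
    for line in access_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower().startswith("greetpause:"):
            key = fields[0].split(":", 1)[1]
            if not ADDR_KEY.match(key):
                keys.append(key.lower())
    return keys

def forged_name_matches(log_text, name_keys):
    """Return (name, ip) for connects logged as possibly forged whose client
    name equals, or is a subdomain of, a name-keyed GreetPause entry."""
    hits = []
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if not m or "may be forged" not in m.group(3):
            continue
        name, ip = m.group(1).lower(), m.group(2)
        if any(name == k or name.endswith("." + k) for k in name_keys):
            hits.append((name, ip))
    return hits

if __name__ == "__main__":
    keys = name_keyed_greetpause(ACCESS)
    print("name-keyed GreetPause entries:", keys)
    print("suspect connects:", forged_name_matches(LOG, keys))
```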