Re: sendmail & localhost rDNS
On Monday, 2009-08-10 at 14:35:06 +0200, Bernhard R. Link wrote:
> * Lupe Christoph <firstname.lastname@example.org> [090810 13:53]:
> > On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:
> > > last week, there was an article on heise security about MTAs which
> > > relay mails for hosts having a reverse resolution of 'localhost'. Doing
> > > a small test shows that sendmail on etch seems to be vulnerable, too. I
> > > need to have a localhost RELAY line in my access file (which is not
> > > default AFAIK).
> > > Will there be a DSA on this issue, since it seems to turn Sendmail
> > > installations with allowed localhost RELAYing into Open Relays?
> > Are you saying you want a DSA for a package that does not have that
> > particular vulnerability, but allows a user to create it?
> > "Doctor, it hurts when I do this!" "Don't do it, then."
> "Help, help my computer does funny things!" "Don't power it up, then."
That's not what I meant. Admitted, the quote is more funny than exact
(and it isn;t particularly funny...). What I mean is that a lot of
software allows the user to shoot himself in various body parts. One
such example is rm. As in "rm * .o". Oooops.
More related to the OP, sendmail allows you to configure an open relay
in a number of ways, not all of them as easily identified as the
"localhost" problem. It has a built-in write-only language...
But why would the posssibility to configure the package to open a relay
warrant a DSA? It would IMNSHO only when the package came preconfigured
to do that.
> Almost all security holes need to user to do something. (If only to
> power up the machine, to install some packages, to connect to the
> internet, to give accounts to users). The question cannot be that
> something has to be done do make people vulnerable, but whether properly
> sane and educated people can guess that something opens a security
I interpret this to mean that there should be DSAs for all problems *made
possible* by Debian packages, rather than those *caused* by the package.
| There is no substitute for bad design except worse design. |
| /me |