[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sendmail & localhost rDNS

On Monday, 2009-08-10 at 14:35:06 +0200, Bernhard R. Link wrote:
> * Lupe Christoph <lupe@lupe-christoph.de> [090810 13:53]:
> > On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:

> > > last week, there was an article on heise security about MTAs[1] which  
> > > relay mails for hosts having a reverse resolution of 'localhost'. Doing  
> > > a small test shows that sendmail on etch seems to be vulnerable, too. I  
> > > need to have a localhost RELAY line in my access file (which is not  
> > > default AFAIK).

> > > Will there be a DSA on this issue, since it seems to turn Sendmail  
> > > installations with allowed localhost RELAYing into Open Relays?

> > Are you saying you want a DSA for a package that does not have that
> > particular vulnerability, but allows a user to create it?

> > "Doctor, it hurts when I do this!" "Don't do it, then."

> "Help, help my computer does funny things!" "Don't power it up, then."

That's not what I meant. Admitted, the quote is more funny than exact
(and it isn;t particularly funny...). What I mean is that a lot of
software allows the user to shoot himself in various body parts. One
such example is rm. As in "rm * .o". Oooops.

More related to the OP, sendmail allows you to configure an open relay
in a number of ways, not all of them as easily identified as the
"localhost" problem. It has a built-in write-only language...

But why would the posssibility to configure the package to open a relay
warrant a DSA? It would IMNSHO only when the package came preconfigured
to do that.

> Almost all security holes need to user to do something. (If only to
> power up the machine, to install some packages, to connect to the
> internet, to give accounts to users). The question cannot be that
> something has to be done do make people vulnerable, but whether properly
> sane and educated people can guess that something opens a security
> problem.

I interpret this to mean that there should be DSAs for all problems *made
possible* by Debian packages, rather than those *caused* by the package.

Lupe Christoph
| There is no substitute for bad design except worse design.                   |
| /me                                                                          |

Reply to: