Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 6694 - Sendmail 8.8.7 bug allows unathorized relaying.
Summary: Sendmail 8.8.7 bug allows unathorized relaying.
Keywords:
Status: CLOSED DUPLICATE of bug 4217
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: sendmail
Version: 5.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Cristian Gafton
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-11-03 20:50 UTC by Greg Retkowski
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-02-05 05:09:51 UTC


Attachments (Terms of Use)

Description Greg Retkowski 1999-11-03 20:50:53 UTC
Sendmail version 8.8.7 has a bug which makes it openly relay
all mail. If the RCPT TO: address has quotes ("") around the
destination the mailer will relay it regardless of its
anti-relay configuration.

Quoting http://www.orbs.org/otherresources.cgi:

'several thousand sendmail 8.8 installations have been
exploited by a spammer using RCPT TO:<"victim@target"> -
with the "" in the envelope. If you have an ORBS notice with
"X-Envelope-Recipient: <"someone@example.org"> " in the last
few lines, then this is the test your sendmail installation
failed.'

This bug was confirmed on our redhat-5.1 mailserver.

RH 5.2 and 5.0 also ship with 8.8.7 and are likely
vulnerable.

The fix for our site was to download, build, and install the
sendmail 8.9.3 package from the redhat-6.1 distribution.

Comment 1 Eric Seppanen 1999-11-25 01:14:59 UTC
Bug #4217 seems to be the same as this one.  It links to the web page:
http://www.informatik.uni-kiel.de/%7Eca/email/check.html
which contains new rules that prevent this.  The quick and dirty way to fix the
problem on Red Hat 5.2 is to copy the check_rcpt and removelocal rules from that
web page as replacements for the check_rcpt and removelocal rules in
sendmail.cf.

Or, for the truly lazy, a patch for sendmail.cf: (make sure tabs aren't lost,
otherwise sendmail will fail with "expected tab" errors!)

******************* beginning of patch

--- /etc/sendmail.bak	Thu May  6 14:00:51 1999
+++ /etc/sendmail.cf	Wed Nov 24 19:09:10 1999
@@ -870,25 +870,21 @@
 R$+			$: $(dequote "" $&{client_addr} $) $| $1
 R0 $| $*		$@ ok		client_addr is 0 for sendmail -bs
 R$={LocalIP}$* $| $*	$@ ok		from here
-# next: get client name
-R$* $| $+		$: $(dequote "" $&{client_name} $) $| $2
-R $| $*			$@ ok		no client name: directly invoked-#R$- $| $*		$@ ok		for those
without full DNS...
-R$*$=w $| $*		$@ ok		from here
-R$*$={LocalNames} $| $*	$@ ok		from allowed system
-# now check other side
+# not local, check rcpt
 R$* $| $*		$: $>3 $2
-# remove local part
-R$*<@$+.>$*		$: $>remove_local $1<@$2.>$3
+# remove local part, maybe repeatedly
+R$+			$:$>remove_local $1
 # still something left?
-R$*<@$+>$*		$#error $@ 5.7.1 $: 551 we do not relay
+R$*<@$*>$*		$#error $@ 5.7.1 $: 550 we do not relay

 Sremove_local
 # remove RelayTo part (maybe repeatedly)
-R$*<@$*$={RelayTo}.>$*		$>3 $1 $4
-R$*<@$=w.>$*			$: $>remove_local $>3 $1 $3
-
-
+R$*<@$*$={RelayTo}.>$*	$>3 $1 $4
+R$*<@$=w.>$*		$: $>remove_local $>3 $1 $3
+R$*<@$*>$*		$@ $1<@$2>$3
+# dequote local part
+R$-			$: $>3 $(dequote $1 $)
+R$*<@$*>$*		$: $>remove_local $1<@$2>$3

 SjunkIP
 # lookup IP in database

******************* end of patch

Comment 2 Eric Seppanen 1999-11-25 04:14:59 UTC
Grrr.  Bugzilla or the html formatting seems to have eaten the tabs.  Sorry for
the length of these comments, but here's a gzipped, uuencoded version:

begin 664 sendmail.patch.gz
M'XL(",6W/#@``W-E;F1M86EL+G!A=&-H`'U336_:0!0\V[]B%*PJ8.S8?#3%
M:E(?>HG4(D0B]1@M]B.XK+W47D)1RG_OKC\(@03Y8,MO9MZ\>;N.X^"*9'15
M4!:G+.'NC"V-A\4:/]D6^`Q_$'A>,/3ACT8CT[;M(W@T-WY1C+%X1F^@0($W
M"GRO0H<AG"_77K<WA%V^?82AB:EE&X9A!;`N8_JS%I)P<0'KTTO$$\KD(XOC
M?`>K#>L?+%_AO?*KHS@AQ-(P#G!("GB8BQR-(SBS0O>X>?DA(L;O)CNK4_-K
M^CP7*1:4D^FTD-%?&>"))"I59"Q5A6E-LL\9U="]T9XB-3Z;3IDX5`T0)SE%
MDF^19,]B2;$R,+6<H^GT,'(A"L(F4>^UQ'S-.;Z/[UW7+9U9-YMCSNM(9;V:
M?:R:%KMWAF><BXW:6K$M)*5E#&*#:$'1$D(J'11)3*:M_TMPK=6MRWFTDCK>
MSMZ!BN>V7\[?0DZI>*:*@17+9>GG:VC9[NT>7($>*Y#EJVI/5?NZW0F_BY1M
M9Z0**V*28KXU[>;\G"B9:*&0B0JK$"G)19(]@=-<?MN[J$RT*,]5R"J1H7OM
M^E"NANJ$;PBQ*"?.B;.RD29USI"\$Q),W!_:TI[JJ:8:\"#*N7!Y/%>[,:G7
M5T-W=6HZ7]5QT$!N-E7AO3QK;-]TU&-_(/FJ:+]5/"?X-H^P7EV]N>:"'*Q>
MX1WC]8#L[Y!6:Q^I?7`NM+A.]/<Z6]Y-=)9<B.5ZA;N)ND.(F60S5I#Y'RJ4
&`[?'!```
`
end

Comment 3 Alec Voropay 1999-11-25 20:11:59 UTC
Try new sendmail-8.9.3 from RawHide :
ftp://ftp.redhat.com/pub/rawhide/SRPMS/SRPMS/sendmail-8.9.3-15.src.rpm

 Download, install, build and upgrade your sendmail rpm.

 The new sendmail anti-spam features are good enought even for ORBS
(www.orbs.org) tests.

Comment 4 Cristian Gafton 2000-02-05 05:09:59 UTC
*** This bug has been marked as a duplicate of 4217 ***


Note You need to log in before you can comment on or make changes to this bug.