Percent Hack

I have a client who is currently running sendmail 8.9.3/8.8.7 (That's what's
reported upon connection on port 25). They suffer from the percent hack - i.e.
people can relay via them simply by using username%domain [at] instead of
username [at] domain in the recipient address.

I don't want to have to upgrade them as my Redhat knowledge is limited -
they are running Redhat 6 currently and we plan to retire this server before
too long and go with Exchange Server. Is there an easy way to fix this issue
on this version of sendmail - I wondered about removing the % symbol from
the Do line (Delimiters) in sendmail.cf but without getting confirmation of
this I didn't want to play. They also send NDRs for all messages to invalid
local users where I would rather block during the smtp session but this
version does not do this I believe. I did a bit of playing to see if I could
upgrade them but the dependencies appeared to be HUGE - I then hoped I could
perhaps step them up to a newer redhat distro but this became a pain as
finding older versions of distros is hard and from what I've read the
"upgrade" process for Redhat is not REALLY an upgrade - it's a kludge so
doesn't sound like a good idea.

Does anyone have an easy fix for this problem as they are on a Relay
blocklist and obviously won't be taken off until we can patch this weakness.

Thanks

Matt
Matt Beechey [ Mon, 27 February 2006 00:05 ] [ ID #1205434 ]

Re: Percent Hack

Matt Beechey wrote:
> I have a client who is currently running sendmail 8.9.3/8.8.7 (That's what's
> reported upon connection on port 25). They suffer from the percent hack - i.e.
....

> I don't want to have to upgrade them as my Redhat knowledge is limited -

Sorry, that's not a good excuse. 8.9.3 is too old and has several
security holes. Upgrade to 8.12.11 or 8.13, versions older than
8.12.10 have security problems: http://www.sendmail.org/
ca+sendmail(-no-copie [ Mon, 27 February 2006 00:45 ] [ ID #1207043 ]

Re: Percent Hack

In article <440233cc$1 [at] clear.net.nz>,
"Matt Beechey" <matt [at] mobius.co.nz> wrote:

> I have a client who is currently running sendmail 8.9.3/8.8.7 (That's what's
> reported upon connection on port 25). They suffer from the percent hack - i.e.
> people can relay via them simply by using username%domain [at] instead of
> username [at] domain in the recipient address.
>
> I don't want to have to upgrade them as my Redhat knowledge is limited -

Then they need to find some other competent person to do the upgrade for
them. Not upgrading is not a reasonable option.

> they are running Redhat 6 currently and we plan to retire this server before
> too long and go with Exchange Server.

Probably not the wisest approach, but I guess a modern Exchange exterior
is better than an ancient sendmail one.

> Is there an easy way to fix this issue
> on this version of sendmail - I wondered about removing the % symbol from
> the Do line (Delimiters) in sendmail.cf but without getting confirmation of
> this I didn't want to play.

That would work after a fashion, but the breakage could be ugly.

> They also send ndr's for all messages to invalid
> local users where I would rather block during the smtp session but this
> version does not do this I believe.

Any version of Sendmail *can* reject invalid users in SMTP, but whether
it will do so is really a matter of what addresses it sees as local
users. If you have Sendmail acting purely as a relay between the outside
world and some inside mail system (e.g. Exchange) then you have to work
out a way for Sendmail to restrict relaying based on the full address
rather than just by domain.

> I did a bit of playing to see if I could
> upgrade them but the dependencies appeared to be HUGE - I then hoped I could
> perhaps step them up to a newer redhat distro but this became a pain as
> finding older versions of distros is hard and from what I've read the
> "upgrade" process for Redhat is not REALLY an upgrade - it's a kludge so
> doesn't sound like a good idea.
>
> Does anyone have an easy fix for this problem as they are on a Relay
> blocklist and obviously won't be taken off until we can patch this weakness.

Sounds reasonable to me.

They really should be shunned until they upgrade to a securable version
of Sendmail, and likely will be re-shunned repeatedly until they do so,
since there are other known attacks against Sendmail, some more serious
than simple spam relaying. If your client's machine is connected through
a responsibly-managed ISP, they run a real risk of being cut off
completely by running a box with such a severe security flaw.

--
Now where did I hide that website...
Bill Cole [ Mon, 27 February 2006 16:55 ] [ ID #1207061 ]
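Bill Cole's point above about deciding on the full recipient address rather than just the domain, together with the percent-hack form from Matt's original question, as an added example that is neither the thread's nor sendmail's nor Postfix's code: a Python policy check that a front-end relay could apply to each RCPT TO. The domain mobius.example, the mailbox table and the function names check_recipient and audit are constructed for the example; a real front-end would look the mailbox up in LDAP instead of a dictionary.

```python
"""
Recipient policy check for an inbound mail relay (added example; not code
from the thread, from sendmail or from Postfix).

Two rules the thread discusses:
  1. Refuse "percent hack" and other source-routed recipient forms such as
     user%other.example@relay.example, @relay.example:user@other.example
     and user@other.example@relay.example, which an open relay would
     otherwise forward to the embedded domain.
  2. Decide on the FULL recipient address, not just the domain: a recipient
     in a local domain is accepted only if the mailbox exists, so unknown
     users are refused during the SMTP session instead of bouncing later.

The domain mobius.example and the mailbox table are constructed sample data;
a real front-end would look the mailbox up in LDAP/Active Directory.
"""
import re

LOCAL_DOMAINS = {"mobius.example"}           # constructed
KNOWN_MAILBOXES = {                           # constructed stand-in for LDAP
    "mobius.example": {"matt", "postmaster", "sales"},
}

# Conservative local-part syntax: '%' and '!' are left out on purpose, as are
# ':' and '@', so any route indicator fails the match.
_LOCAL_PART = re.compile(r"^[A-Za-z0-9.#$&'*+/=?^_`{|}~-]+$")


def check_recipient(address, directory=KNOWN_MAILBOXES, local_domains=LOCAL_DOMAINS):
    """Return an (smtp_code, text) decision for one RCPT TO address."""
    address = address.strip().strip("<>")
    if address.count("@") != 1:
        # "@relay:user@other" and "user@other@relay" both carry two '@'s.
        return 550, "5.1.3 source-routed or malformed recipient address"
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if "%" in local or "!" in local:
        return 550, "5.7.1 relaying via %-hack or bang path denied"
    if not domain or not _LOCAL_PART.match(local):
        return 550, "5.1.3 bad recipient address syntax"
    if domain not in local_domains:
        return 554, "5.7.1 relay access denied"
    if local.lower() not in directory.get(domain, set()):
        return 550, "5.1.1 recipient rejected: user unknown"
    return 250, "2.1.5 recipient OK"


def audit(addresses):
    """Summarise decisions for a batch of RCPT TO values (e.g. from a log)."""
    summary = {"accepted": 0, "relay_attempt": 0, "unknown_user": 0, "other": 0}
    for addr in addresses:
        code, text = check_recipient(addr)
        if code == 250:
            summary["accepted"] += 1
        elif "relay" in text or "source-routed" in text:
            summary["relay_attempt"] += 1
        elif "user unknown" in text:
            summary["unknown_user"] += 1
        else:
            summary["other"] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample RCPT TO values of the kind a relay test sends.
    sample = [
        "<matt@mobius.example>",
        "<spamtarget%victim.example@mobius.example>",
        "<@mobius.example:spamtarget@victim.example>",
        "<spamtarget@victim.example@mobius.example>",
        "<nobody@mobius.example>",
        "<someone@victim.example>",
    ]
    for addr in sample:
        print(f"{addr:50} -> {check_recipient(addr)}")
    print(audit(sample))
```

Refusing at RCPT time with a 5xx reply is what removes the NDR backscatter Matt mentions: nothing is accepted for an unknown mailbox, so there is nothing to bounce later.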

Re: Percent Hack

On Mon, 27 Feb 2006, in the Usenet newsgroup comp.mail.sendmail, in article
<440233cc$1 [at] clear.net.nz>, Matt Beechey wrote:

>I have a client who is currently running sendmail 8.9.3/8.8.7 (That's what's
>reported upon connection on port 25).

Ancient release. Who was so incompetent as to not bother maintaining things?

>I don't want to have to upgrade them as my Redhat knowledge is limited -
>they are running Redhat 6 currently and we plan to retire this server before
>too long and go with Exchange Server.

There were three Red Hat 6 releases - all of which had sendmail-8.9.3

Red Hat 6.0 released April 1999 - support ended March 2001
Red Hat 6.1 released October 1999 - support ended March 2001
Red Hat 6.2 released March 2000 - support ended March 2003.

During the life of those releases, MANY things were updated, but it seems
that no one bothered to update this box. In theory, you might find a copy
of sendmail-8.11.6-1.62.3.i386.rpm which was the last update before support
ended.

>I did a bit of playing to see if I could upgrade them but the dependencies
>appeared to be HUGE - I then hoped I could perhaps step them up to a newer
>redhat distro

Red Hat Enterprise Linux is the current distribution, but your system is so
ancient, it's not worth updating as even the updates are obsolete. Fedora
would be another solution, available lots of places for free.

>but this became a pain as finding older versions of distros is hard and
>from what I've read the "upgrade" process for Redhat is not REALLY an
>upgrade - it's a kludge so doesn't sound like a good idea.

Why would you be looking for an old version? Get something current. If you
think the way to go is windoze - that's your decision. But your immediate
solution is to disconnect the idiots.

Old guy
ibuprofin [ Mon, 27 February 2006 21:19 ] [ ID #1207063 ]

Re: Percent Hack

It wouldn't actually be fronted by exchange - I've formulated a solution
using Debian, Postfix, Amavisd and Spamassassin that uses ldap to check
recipient addresses on the exchange server and sits in front for spam
filtering and virus scanning with Clam and Bitdefender (I say formulated - I
found a good writeup on the internet and extended it with LDAP lookups
rather than a static list on the debian box). I'm competent enough with
Debian to maintain and support this solution in that updates etc are easy
with apt-get but it's not that easy with such an outdated Redhat box. As it's
being retired shortly I hoped there would be a simple stop-gap to stop the
percent hack problem as otherwise it seems solid enough (it was installed by
a local isp who is no longer interested as they've shifted their business to
web design and hosting only and it's been running for around 6 years at a
guess - it was installed on a purpose built Celeron 400 so that shows its
age!)

Is there a simple process to download the latest sendmail distro and
unzip(tar?) it over the current version?

Matt


"Bill Cole" <bill [at] scconsult.com> wrote in message
news:bill-1287C5.10554527022006 [at] newsclstr02.news.prodigy.com ...
> In article <440233cc$1 [at] clear.net.nz>,
> "Matt Beechey" <matt [at] mobius.co.nz> wrote:
>
>> I have a client who is currently running sendmail 8.9.3/8.8.7 (That's
>> what's
>> reported upon connection on port 25). They suffer from the percent hack -
>> i.e.
>> people can relay via them simply by using username%domain [at] instead of
>> username [at] domain in the recipient address.
>>
>> I don't want to have to upgrade them as my Redhat knowledge is limited -
>
> Then they need to find some other competent person to do the upgrade for
> them. Not upgrading is not a reasonable option.
>
>> they are running Redhat 6 currently and we plan to retire this server
>> before
>> too long and go with Exchange Server.
>
> Probably not the wisest approach, but I guess a modern Exchange exterior
> is better than an ancient sendmail one.
>
>> Is there an easy way to fix this issue
>> on this version of sendmail - I wondered about removing the % symbol from
>> the Do line (Delimiters) in sendmail.cf but without getting confirmation
>> of
>> this I didn't want to play.
>
> That would work after a fashion, but the breakage could be ugly.
>
>> They also send NDRs for all messages to invalid
>> local users where I would rather block during the smtp session but this
>> version does not do this I believe.
>
> Any version of Sendmail *can* reject invalid users in SMTP, but whether
> it will do so is really a matter of what addresses it sees as local
> users. If you have Sendmail acting purely as a relay between the outside
> world and some inside mail system (e.g. Exchange) then you have to work
> out a way for Sendmail to restrict relaying based on the full address
> rather than just by domain.
>
>> I did a bit of playing to see if I could
>> upgrade them but the dependencies appeared to be HUGE - I then hoped I
>> could
>> perhaps step them up to a newer redhat distro but this became a pain as
>> finding older versions of distros is hard and from what I've read the
>> "upgrade" process for Redhat is not REALLY an upgrade - it's a kludge so
>> doesn't sound like a good idea.
>>
>> Does anyone have an easy fix for this problem as they are on a Relay
>> blocklist and obviously won't be taken off until we can patch this
>> weakness.
>
> Sounds reasonable to me.
>
> They really should be shunned until they upgrade to a securable version
> of Sendmail, and likely will be re-shunned repeatedly until they do so,
> since there are other known attacks against Sendmail, some more serious
> than simple spam relaying. If your client's machine is connected through
> a responsibly-managed ISP, they run a real risk of being cut off
> completely by running a box with such a severe security flaw.
>
> --
> Now where did I hide that website...
Matt Beechey [ Tue, 28 February 2006 04:26 ] [ ID #1208813 ]

Re: Percent Hack

"Moe Trin" <ibuprofin [at] painkiller.example.tld> wrote in message
news:slrne06nlr.qg7.ibuprofin [at] compton.phx.az.us...
> On Mon, 27 Feb 2006, in the Usenet newsgroup comp.mail.sendmail, in
> article
> <440233cc$1 [at] clear.net.nz>, Matt Beechey wrote:
>
>>I have a client who is currently running sendmail 8.9.3/8.8.7 (That's what's
>>reported upon connection on port 25).
>
> Ancient release. Who was so incompetent as to not bother maintaining
> things?
>
>>I don't want to have to upgrade them as my Redhat knowledge is limited -
>>they are running Redhat 6 currently and we plan to retire this server
>>before
>>too long and go with Exchange Server.
>
> There were three Red Hat 6 releases - all of which had sendmail-8.9.3
>
> Red Hat 6.0 released April 1999 - support ended March 2001
> Red Hat 6.1 released October 1999 - support ended March 2001
> Red Hat 6.2 released March 2000 - support ended March 2003.
>
> During the life of those releases, MANY things were updated, but it seems
> that no one bothered to update this box. In theory, you might find a copy
> of sendmail-8.11.6-1.62.3.i386.rpm which was the last update before
> support
> ended.
>
>>I did a bit of playing to see if I could upgrade them but the dependencies
>>appeared to be HUGE - I then hoped I could perhaps step them up to a newer
>>redhat distro
>
> Red Hat Enterprise Linux is the current distribution, but your system is
> so
> ancient, it's not worth updating as even the updates are obsolete. Fedora
> would be another solution, available lots of places for free.
>
>>but this became a pain as finding older versions of distros is hard and
>>from what I've read the "upgrade" process for Redhat is not REALLY an
>>upgrade - it's a kludge so doesn't sound like a good idea.
>
> Why would you be looking for an old version? Get something current. If
> you
> think the way to go is windoze - that's your decision. But your immediate
> solution is to disconnect the idiots.
>
> Old guy

I wanted an old distro because that way I could step it up to fedora (or
that was my theory) - redhat 7 would upgrade from 6 and then I'd try and
find the steps from there - certainly the latest fedora core didn't want to
know about updating it. As I said in the other post - a local isp pitched it
to them and installed it and then promptly ignored it and later refused to
look at it because that side of the business was no longer in operation.
I've yet to meet a competent Linux technician in Christchurch who doesn't
need a translator between him and the client to A) Understand the client's
needs and B) Explain to the client what is needed - often the gifted linux
types just like to hide behind the monitor and then slip-away when
completed.

Matt
Matt Beechey [ Tue, 28 February 2006 04:30 ] [ ID #1208814 ]

Re: Percent Hack

In article <4403c271$1 [at] clear.net.nz>,
"Matt Beechey" <matt [at] mobius.co.nz> wrote:

> It wouldn't actually be fronted by exchange - I've formulated a solution
> using Debian, Postfix, Amavisd and Spamassassin that uses ldap to check
> recipient addresses on the exchange server and sits in front for spam
> filtering and virus scanning with Clam and Bitdefender (I say formulated - I
> found a good writeup on the internet and extended it with LDAP lookups
> rather than a static list on the debian box). I'm competent enough with
> Debian to maintain and support this solution in that updates etc are easy
> with apt-get but it's not that easy with such an outdated Redhat box. As it's
> being retired shortly I hoped there would be a simple stop-gap to stop the
> percent hack problem as otherwise it seems solid enough (it was installed by
> a local isp who is no longer interested as they've shifted their business to
> web design and hosting only and it's been running for around 6 years at a
> guess - it was installed on a purpose built Celeron 400 so that shows its
> age!)
>
> Is there a simple process to download the latest sendmail distro and
> unzip(tar?) it over the current version?

You are likely to need to do some (possibly very small) compile-time
configuration of the build, so binary distributions of Sendmail worth
touching are rare.

Building from source is not terribly rough. The tarballs can be found at
sendmail.org. One roadblock to updating Sendmail is that the modern
version has enough core design changes to make it dangerous to just try
to drop a new binary in place.

--
Now where did I hide that website...
Bill Cole [ Tue, 28 February 2006 05:39 ] [ ID #1208815 ]

Re: Percent Hack

On Tue, 28 Feb 2006, in the Usenet newsgroup comp.mail.sendmail, in article
<4403c35a$1 [at] clear.net.nz>, Matt Beechey wrote:

>I wanted an old distro because that way I could step it up to fedora (or
>that was my theory) - redhat 7 would upgrade from 6 and then I'd try and
>find the steps from there - certainly the latest fedora core didn't want to
>know about updating it.

OK - that's really not the best way to go, but see below. What we've
always done is to set up a "test" box and experiment on that until we
get a configuration we can live with. THEN we pour that installation
over our production boxes in a 'wipe and install' mode. Our data is
on file servers, on separate partitions. Our operating system is thus
pretty much independent.

You need to find old versions? Hopefully, this isn't going to line wrap:

http://ftp.sunet.se/pub/Linux/distributions/redhat/redhat-archive/redhat/linux/

ftp://archive.download.redhat.com/pub/redhat/linux/

Both sites have older versions, including the .iso files for later versions
that you can burn directly to CD. I don't recommend this route, as it's
as much of a hassle as simply biting the bullet and installing Fedora Core
directly. By the way, FC5 is in beta, and will likely be released in mid
March if they keep to their published timetable.

>As I said in the other post - a local isp pitched it to them and installed
>it and then promptly ignored it and later refused to look at it because
>that side of the business was no longer in operation.

That does make for difficulties. Sorry to hear that. The problem is that
_no_ operating system operates totally without maintenance.

>I've yet to meet a competent Linux technician in Christchurch who doesn't
>need a translator between him and the client to A) Understand the client's
>needs and B) Explain to the client what is needed - often the gifted linux
>types just like to hide behind the monitor and then slip-away when
>completed.

http://tldp.org/guides.html
2. Linux Consultants Guide
http://tldp.org/LDP/lcg/html/index.html

That document lists 17 addresses in New Zealand, four of which seem to
indicate they are in Christchurch. I have no idea how good or bad they
may be (I'm literally a third of a way round the world from there, and
have no way of knowing). All I'm doing is suggesting a resource to look
at.

In your "Tue, 28 Feb 2006 16:26:29 +1300" to Bill Cole, you ask:

>Is there a simple process to download the latest sendmail distro and
>unzip(tar?) it over the current version?

The normal mechanism is to use the package manager - this being Red Hat
that would be 'rpm'. The problem is that 6.x is so ancient. They were all
2.2.x kernels, and used glibc2.1.x. Any precompiled package you'd find
today is (at the very least) compiled with a glibc2.3.x which has some
significant compatibility issues. You mention Debian - would you try to
install a .deb from Sarge on a box running Slink without expecting major
problems? Same deal.

You _probably_ can grab a source tarball (in theory you might even be able
to get a source rpm from Fedora) and build that on the ancient box. The
rpm build idea has at best a slim chance of working (so many changes in
dependencies), while the tarball may have a better chance. However there are
so many _other_ things that need updating for security reasons (the kernel,
zlib, the glibc libraries, just to mention a few) that it's really better to
bite that bullet and replace the box. Oh, and there is nothing wrong with
a Celeron 400 - half the boxes at home are older than that, and the firewall
is what remains of a 386SX-16 laptop of undetermined origins - sans case,
keyboard, display...

Old guy
ibuprofin [ Tue, 28 February 2006 20:52 ] [ ID #1208830 ]

Re: Percent Hack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 27 Feb 2006 12:05:39 +1300, Matt Beechey wrote:

> I have a client who is currently running sendmail 8.9.3/8.8.7 (That's
> what's
> reported upon connection on port 25). They suffer from the percent hack -
> i.e.
> people can relay via them simply by using username%domain [at] instead of
> username [at] domain in the recipient address.

> I don't want to have to upgrade them as my Redhat knowledge is limited -
> they are running Redhat 6 currently

You might want to try <http://dag.wieers.com/packages/sendmail/>. There is
a binary rpm of 8.12.8 with security patches from 8.12.9 included.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEC3l5L6j7milTFsERAoN+AJ41GEN/vwCwxp7ZvpiEMR2fFpphlgCcDTTY
Q/fJVgN3W9ka6joTU1ZQp7I=
=fKOp
-----END PGP SIGNATURE-----
Carl Byington [ Mon, 06 March 2006 00:52 ] [ ID #1217446 ]