FW: (REPOST) Sendmail 8.11 configuration/security issue

Our moderator shot down my original post. So here's a slightly more G rated version.

-----Original Message-----
From: Keith T. Morgan
Sent: Sunday, January 05, 2003 9:55 PM
To: john65@pobox.com; security-basics@securityfocus.com Subject: RE: Sendmail 8.11 configuration/security issue

<snip>
> (What if

> 'Switching to Postfix', using a 'content security gateway,' or 'TLS' are
<snip>

You are in error sir. Please check out the feature sets of eSafe Content Security Gateway, Network Associate's security gateway and others. eSafe for example does indeed check that email originates on the correct interface for local users. I found out that the network associates CSG does the exact same thing on a penetration test just last week when the customer explicitly asked me to attempt to send a false directive in email by spoofing the sender's address to an executive's address. Not only do the content security gateways address this issue, but postfix addresses it specifically. SSL/TLS would be an encryption mechanism protecting client authentication which would also defeat this problem if auth were required to send mail.

The problem as I understand it:

spammer masquerading as fakeuser@yourdomain.com connects to mail.yourdomain.com and sends a message to any recipient. Additionally, this would be a way for an attacker to send false business directives, bogus or misleading communications etc... by pretending to be a member of your organization. (yes, I know about digital signatures and 90% of the organizations out there don't use them, nor do people look at headers as a rule).

All of the listed solutions prevent "spoofing" of internal email addresses by external resources. Authentication (via SSL/TLS) solves the problem of the roadwarrior using a dialup somewhere. Postfix has a specific configuration parameter limiting *@yourdomain.com to sending from a specific network.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

<snipped per moderator's suggestion/requirement> Here's some FM to R.

ftp://ftp.ealaddin.com/pub/manuals/esg/esg3.x/econsole_admin.pdf See page 113. The sections on "ANTI SPOOFING" and "ANTI RELAY" which talk about how to do EXACTLY what you claim it won't do.

Also see:
http://www.postfix.org/basic.html#mydomain Received on Mon Jan 6 20:10:39 2003