+++ This bug was initially created as a clone of Bug #171838 +++

Description of problem:
When an external SMTP session is established, and an address of "xxx" is specified on the MAIL FROM: line, sendmail blindly accepts this as valid. Note that "xxx@localhost" is rejected by sendmail.

Version-Release number of selected component (if applicable):
sendmail-8.13.1-2

How reproducible:
Always

Steps to Reproduce:
1. from a remote host, telnet host 25
2. EHLO foobar.redhat.com
3. MAIL FROM: <xxx>

Actual results:
220 vaccine1.NoDak.edu ESMTP Sendmail 8.13.1/8.13.1; Wed, 26 Oct 2005 16:17:42 -0500
EHLO nate.cc.ndsu.nodak.edu
250-vaccine1.NoDak.edu Hello nate.cc.ndsu.NoDak.edu [134.129.106.131], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 26214400
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
MAIL FROM: root@localhost
553 5.5.4 root@localhost... Real domain name required for sender address
MAIL FROM: root
250 2.1.0 root... Sender ok

Expected results:
220 vaccine1.NoDak.edu ESMTP Sendmail 8.13.1/8.13.1; Wed, 26 Oct 2005 16:17:42 -0500
EHLO nate.cc.ndsu.nodak.edu
250-vaccine1.NoDak.edu Hello nate.cc.ndsu.NoDak.edu [134.129.106.131], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 26214400
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
MAIL FROM: root@localhost
553 5.5.4 root@localhost... Real domain name required for sender address
MAIL FROM: root
553 5.5.4 root... Real domain name required for sender address

Additional info:
In /etc/mail/sendmail.cf, checks are made for various "localhost" addresses. "localhost.localdomain" is missing:

# handle case of @localhost on address
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >

The following line wants adding to this:

R<@> < $* @ localhost.localdomain > $: < ? $&{client_name} > < $1 @ localhost.localdomain >

Note that localhost.localdomain still remains valid for local use, but not for remote SMTP use.

-- Additional comment from twoerner on 2006-09-28 05:18 EST --
We used localhost.localdomain since RHEL2.1. So it affects all RHEL releases.
low severity; defer until other update for sendmail needed.
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0237 https://rhn.redhat.com/errata/RHSA-2010-0237.html
This issue was fixed in sendmail packages in Red Hat Enterprise Linux 4 and 5:

https://www.redhat.com/security/data/cve/CVE-2006-7176.html

There's no plan to address it in Red Hat Enterprise Linux 3 sendmail packages.
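
Added example, not part of the original bug report or of sendmail: a small Python auditor for the symptom described in this report. It pairs each MAIL FROM command in an unpipelined SMTP transcript with the server's final reply and reports senders that were accepted although they have no domain or use localhost / localhost.localdomain. The function names and the sample session (example.test hosts) are constructed for illustration.

```python
import re

# Domains that are only meaningful for local submission (both named in the report).
LOCAL_ONLY = {"localhost", "localhost.localdomain"}
MAIL_FROM = re.compile(r"^MAIL FROM:\s*<?([^<>\s]*)>?", re.IGNORECASE)
REPLY = re.compile(r"^(\d{3})([ -])")  # "-" marks a continuation line

def classify(sender):
    """Return why a sender is unsuitable for remote SMTP, or None if it is fine."""
    if sender == "":
        return None  # null reverse-path <> is legitimate (bounces)
    _, at, domain = sender.rpartition("@")
    if not at:
        return "unqualified (no domain)"
    if domain.rstrip(".").lower() in LOCAL_ONLY:
        return "local-only domain"
    return None

def audit(transcript):
    """List (sender, reply_code, reason) for each bad sender the server accepted."""
    findings, pending = [], None
    for line in transcript.splitlines():
        line = line.strip()
        m = MAIL_FROM.match(line)
        if m:
            pending = m.group(1)
            continue
        r = REPLY.match(line)
        # Only the final line of the reply to a MAIL FROM is of interest.
        if r and pending is not None and r.group(2) == " ":
            reason = classify(pending)
            if r.group(1).startswith("2") and reason:
                findings.append((pending, r.group(1), reason))
            pending = None
    return findings

# Constructed sample session (assumes no command pipelining).
SAMPLE = """\
EHLO client.example.test
250-mail.example.test Hello client.example.test
250 HELP
MAIL FROM: root@localhost
553 5.5.4 root@localhost... Real domain name required for sender address
MAIL FROM: root
250 2.1.0 root... Sender ok
RSET
250 2.0.0 Reset state
MAIL FROM: <xxx@localhost.localdomain>
250 2.1.0 <xxx@localhost.localdomain>... Sender ok
"""
```

Running `audit()` over a session captured from a remote host after applying the errata should return an empty list for these sender forms.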