Bug 6694 - Sendmail 8.8.7 bug allows unathorized relaying.
Sendmail 8.8.7 bug allows unathorized relaying.
Status: CLOSED DUPLICATE of bug 4217
Product: Red Hat Linux
Classification: Retired
Component: sendmail (Show other bugs)
5.1
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Cristian Gafton
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-11-03 15:50 EST by Greg Retkowski
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-02-05 00:09:51 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Greg Retkowski 1999-11-03 15:50:53 EST
Sendmail version 8.8.7 has a bug which makes it openly relay
all mail. If the RCPT TO: address has quotes ("") around the
destination the mailer will relay it regardless of its
anti-relay configuration.

Quoting http://www.orbs.org/otherresources.cgi:

'several thousand sendmail 8.8 installations have been
exploited by a spammer using RCPT TO:<"victim@target"> -
with the "" in the envelope. If you have an ORBS notice with
"X-Envelope-Recipient: <"someone@example.org"> " in the last
few lines, then this is the test your sendmail installation
failed.'

This bug was confirmed on our redhat-5.1 mailserver.

RH 5.2 and 5.0 also ship with 8.8.7 and are likely
vulnerable.

The fix for our site was to download, build, and install the
sendmail 8.9.3 package from the redhat-6.1 distribution.
Comment 1 Eric Seppanen 1999-11-24 20:14:59 EST
Bug #4217 seems to be the same as this one.  It links to the web page:
http://www.informatik.uni-kiel.de/%7Eca/email/check.html
which contains new rules that prevent this.  The quick and dirty way to fix the
problem on Red Hat 5.2 is to copy the check_rcpt and removelocal rules from that
web page as replacements for the check_rcpt and removelocal rules in
sendmail.cf.

Or, for the truly lazy, a patch for sendmail.cf: (make sure tabs aren't lost,
otherwise sendmail will fail with "expected tab" errors!)

******************* beginning of patch

--- /etc/sendmail.bak	Thu May  6 14:00:51 1999
+++ /etc/sendmail.cf	Wed Nov 24 19:09:10 1999
@@ -870,25 +870,21 @@
 R$+			$: $(dequote "" $&{client_addr} $) $| $1
 R0 $| $*		$@ ok		client_addr is 0 for sendmail -bs
 R$={LocalIP}$* $| $*	$@ ok		from here
-# next: get client name
-R$* $| $+		$: $(dequote "" $&{client_name} $) $| $2
-R $| $*			$@ ok		no client name: directly invoked-#R$- $| $*		$@ ok		for those
without full DNS...
-R$*$=w $| $*		$@ ok		from here
-R$*$={LocalNames} $| $*	$@ ok		from allowed system
-# now check other side
+# not local, check rcpt
 R$* $| $*		$: $>3 $2
-# remove local part
-R$*<@$+.>$*		$: $>remove_local $1<@$2.>$3
+# remove local part, maybe repeatedly
+R$+			$:$>remove_local $1
 # still something left?
-R$*<@$+>$*		$#error $@ 5.7.1 $: 551 we do not relay
+R$*<@$*>$*		$#error $@ 5.7.1 $: 550 we do not relay

 Sremove_local
 # remove RelayTo part (maybe repeatedly)
-R$*<@$*$={RelayTo}.>$*		$>3 $1 $4
-R$*<@$=w.>$*			$: $>remove_local $>3 $1 $3
-
-
+R$*<@$*$={RelayTo}.>$*	$>3 $1 $4
+R$*<@$=w.>$*		$: $>remove_local $>3 $1 $3
+R$*<@$*>$*		$@ $1<@$2>$3
+# dequote local part
+R$-			$: $>3 $(dequote $1 $)
+R$*<@$*>$*		$: $>remove_local $1<@$2>$3

 SjunkIP
 # lookup IP in database

******************* end of patch
Comment 2 Eric Seppanen 1999-11-24 23:14:59 EST
Grrr.  Bugzilla or the html formatting seems to have eaten the tabs.  Sorry for
the length of these comments, but here's a gzipped, uuencoded version:

begin 664 sendmail.patch.gz
M'XL(",6W/#@``W-E;F1M86EL+G!A=&-H`'U336_:0!0\V[]B%*PJ8.S8?#3%
M:E(?>HG4(D0B]1@M]B.XK+W47D)1RG_OKC\(@03Y8,MO9MZ\>;N.X^"*9'15
M4!:G+.'NC"V-A\4:/]D6^`Q_$'A>,/3ACT8CT[;M(W@T-WY1C+%X1F^@0($W
M"GRO0H<AG"_77K<WA%V^?82AB:EE&X9A!;`N8_JS%I)P<0'KTTO$$\KD(XOC
M?`>K#>L?+%_AO?*KHS@AQ-(P#G!("GB8BQR-(SBS0O>X>?DA(L;O)CNK4_-K
M^CP7*1:4D^FTD-%?&>"))"I59"Q5A6E-LL\9U="]T9XB-3Z;3IDX5`T0)SE%
MDF^19,]B2;$R,+6<H^GT,'(A"L(F4>^UQ'S-.;Z/[UW7+9U9-YMCSNM(9;V:
M?:R:%KMWAF><BXW:6K$M)*5E#&*#:$'1$D(J'11)3*:M_TMPK=6MRWFTDCK>
MSMZ!BN>V7\[?0DZI>*:*@17+9>GG:VC9[NT>7($>*Y#EJVI/5?NZW0F_BY1M
M9Z0**V*28KXU[>;\G"B9:*&0B0JK$"G)19(]@=-<?MN[J$RT*,]5R"J1H7OM
M^E"NANJ$;PBQ*"?.B;.RD29USI"\$Q),W!_:TI[JJ:8:\"#*N7!Y/%>[,:G7
M5T-W=6HZ7]5QT$!N-E7AO3QK;-]TU&-_(/FJ:+]5/"?X-H^P7EV]N>:"'*Q>
MX1WC]8#L[Y!6:Q^I?7`NM+A.]/<Z6]Y-=)9<B.5ZA;N)ND.(F60S5I#Y'RJ4
&`[?'!```
`
end
Comment 3 Alec Voropay 1999-11-25 15:11:59 EST
Try new sendmail-8.9.3 from RawHide :
ftp://ftp.redhat.com/pub/rawhide/SRPMS/SRPMS/sendmail-8.9.3-15.src.rpm

 Download, install, build and upgrade your sendmail rpm.

 The new sendmail anti-spam features are good enought even for ORBS
(www.orbs.org) tests.
Comment 4 Cristian Gafton 2000-02-05 00:09:59 EST
*** This bug has been marked as a duplicate of 4217 ***

Note You need to log in before you can comment on or make changes to this bug.