Jeff Weston - CS 312 - SysAdm Web Site - Paper #1

Security Issues Regarding Sendmail

How to Avoid Relaying Email, and How to Reject Email from Invalid Hostnames.

Sendmail is a very powerful and complicated Unix email handler. Its size and complexity give rise to several security concerns. Some of these concerns involve spam, unsolicited commercial email. Sendmail is a useful tool for combating spam, since it can be used to reject spam before anyone sees it. Sendmail can also be abused by spammers since, if it is configured improperly, spam can be routed through your system and its source hidden. I will focus primarily on rejecting email with bogus information in the "from" header, as well as on preventing relaying of mail through your site.

Every email message has a set of required headers. One of these headers is the "from" header, which tells you who sent that particular email. Spam traditionally tries to hide the original sender, so that responses to the spam cannot be directed at the people who sent it. This involves forging, or putting bogus information into, the "from" header. Sendmail can be configured to perform DNS lookups on the hostname listed in the "from" header. With the addition of a few simple rules, you can configure Sendmail to reject mail from any hostname that doesn't exist. Below is an example of how to configure Sendmail to reject invalid hostnames.

LOCAL_CONFIG

LOCAL_RULESETS
Scheck_mail

# check for valid domain name (incompatible with DeliveryMode=defer)
R$*                     $: <?> $>3 $1             make domain canonical
R<?> $* < @ $+ . >      $: <OK>                   tag resolved names
R<?> $* < @ $+ >        $#error $: 451 Domain must resolve
R<OK>                   $@ OK
R$+                     $#error $: 551 $1

Sendmail versions prior to 8.9 were configured by default to permit relaying of email through your site. This presented an open gateway for spammers, since it meant they could use your computer to send their spam and hide their identity. With the addition of a few simple rules, Sendmail can be configured to prohibit relaying of email through your site. Care must be taken to ensure that email from your own domain can still be relayed through your Sendmail server. This is important for users of certain email clients, like Eudora, that look for an SMTP relay on the local network for outgoing mail submission. Below is an example of how to configure Sendmail to prevent the relaying of email.

LOCAL_CONFIG
FR-o /etc/sendmail.cR

LOCAL_RULESETS
Scheck_rcpt
# anything terminating locally is ok
R$*                     $: $>Parse0 $>3 $1
R$+ < @ $* . > $*       $: $1 < @ $2 >
R$+ < @ $=w >           $@ OK
R$+ < @ $=R >           $@ OK

# anything originating locally is ok
R$*                     $: $(dequote "" $&{client_name} $)
R$=w                    $@ OK
R$=R                    $@ OK
R$@                     $@ OK

# anything else is bogus
R$*                     $#error $: "550 Relaying Denied"
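
To make the decisions taken by the two rulesets above concrete, here is an added Python model of check_mail and check_rcpt (example code, not the paper's or sendmail's own). The DNS lookup, the class w host names and the class R relay domains are constructed sample values.

```python
# Added example (not from the paper or from sendmail): a plain-Python model of
# the check_mail and check_rcpt rulesets, so their decisions can be traced.
# DNS is replaced by a constructed set of resolvable domains; $=w and $=R
# (the /etc/sendmail.cR relay domains) hold constructed sample values.

RESOLVABLE = {"example.com", "mail.example.com", "partner.example.net"}
CLASS_W = {"mail.example.com", "localhost"}   # $=w: host names we answer to
CLASS_R = {"example.com"}                     # $=R: domains we relay for


def canonify(addr):
    """Stand-in for ruleset 3 ($>3): split user@domain and report whether the
    domain resolves, which sendmail signals with a trailing dot."""
    addr = addr.strip().strip("<>")
    if "@" not in addr:
        return addr, "", False             # no domain part at all
    user, domain = addr.rsplit("@", 1)
    domain = domain.rstrip(".").lower()
    return user, domain, domain in RESOLVABLE  # constructed DNS answer


def check_mail(sender):
    """Sender check: 451 when the domain does not resolve, 551 when the
    address has no domain at all, otherwise OK."""
    _, domain, resolved = canonify(sender)
    if not domain:
        return "551 " + sender
    if not resolved:
        return "451 Domain must resolve"
    return "OK"


def check_rcpt(recipient, client_name):
    """Recipient check, in the same order as the rules above."""
    _, domain, _ = canonify(recipient)
    # anything terminating locally is ok ($=w or $=R once the dot is stripped)
    if domain in CLASS_W or domain in CLASS_R:
        return "OK"
    # anything originating locally is ok; R$@ also accepts an empty client_name
    client = client_name.strip().rstrip(".").lower()
    if client in CLASS_W or client in CLASS_R or client == "":
        return "OK"
    # anything else is bogus
    return "550 Relaying Denied"


if __name__ == "__main__":
    print(check_mail("anyone@nonexistent.invalid"))                   # 451 Domain must resolve
    print(check_rcpt("victim@elsewhere.org", "relay.bogus.invalid"))  # 550 Relaying Denied
```

Note that 451 is a temporary failure code, so a legitimate sender whose DNS is briefly unreachable will retry rather than bounce, while 550 and 551 are permanent rejections.
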

There are many more security concerns regarding Sendmail than just that of preventing spam. Sendmail is generally configured to run as a setuid-root process. That, combined with the fact that Sendmail is in wide use, makes Sendmail a likely target for hackers attacking your system.

One form of attack is an SMTP probe. It tries to use commands on your server that will provide information about your system. The DEBUG command places Sendmail into a debugging mode. The command SHOWQ allows outsiders to view the contents of your mail queue. These commands should be disabled on all release versions of Sendmail. The VRFY and EXPN commands can be used to find names of users on your server. The option "PrivacyOptions" can be set to prohibit user names from being gathered in this fashion.

Since Sendmail runs as root, a poor configuration may lead to problems. Sendmail doesn't provide any sanity checks when it writes to its log files, so a careless configuration could let it overwrite critical system files. If the log file is in a directory that is writable by users, a user could create the log file as a link to another file (perhaps the kernel) and Sendmail would write over it. The Sendmail configuration file must be writable only by root, since system security can be compromised if just anyone could alter it.

Sendmail is a large and complex program. New bugs are being found all of the time that could compromise system security. A system administrator should always remain current with the latest releases of Sendmail (and any other software). This will help to plug security holes as they are found.

Sendmail is a large and complex program that presents a large variety of security concerns. It is your first line of defense against spam, since all email to your system comes through Sendmail. Sendmail should be configured to prevent relaying of mail through your system, as well as to reject mail with invalid hostnames in the "from" header. Sendmail is a likely target for hackers since it is large, complex, and runs as root. Sendmail must be protected against hack attempts.
