2.99.50s17 available as tarball. SECURITY WARNING (fwd)

Date: Mon, 10 May 1999 20:23:34 -0300 (ADT)
From: Michael Smith <michael@csuite.ns.ca>
To: csuite-dev@chebucto.ns.ca
Precedence: bulk
Return-Path: <csuite-dev-mml-owner@chebucto.ns.ca>


Apparently a security vulnerability has been discovered in all releases of
ZMailer up until today. So far no information on the hole has been
disclosed. The workaround is simple though.

Edit $CS_ROOT/etc/zmailer.conf . Around line 14 you'll see:

SMTPOPTIONS="-asve -l /var/csuite/log/mail/smtpserver"

Change the "-asve" to "-a -s ''":

SMTPOPTIONS="-a -s '' -l /var/csuite/log/mail/smtpserver"

Then restart the smtpserver with
# /var/csuite/etc/mail/bin/zmailer kill smtpserver
# /var/csuite/etc/mail/bin/zmailer smtpserver

---------- Forwarded message ----------
Date: Tue, 11 May 1999 01:39:43 +0300
From: Matti Aarnio <mea@nic.funet.fi>
To: zmailer@nic.funet.fi
Subject: 2.99.50s17 available as tarball. SECURITY WARNING

Location:

    ftp://ftp.funet.fi/pub/unix/mail/zmailer/src/

There are new things:

    - There is a SECURITY FAULT in all ZMailer smtpservers that
      allow running router in interactive mode to assist/do address
      analysis with user inputs.  This fault exists in *ALL* versions
      of ZMailer previous to this one! (even 2.2.1 !)

	Circumvention:
      DO NOT allow running router for EXPN, VRFY, MAIL FROM, RCPT TO !
      You can disable those by removing characters 'e v f t' from the
      style flags at the  $MAILSHARE/smtpserver.conf
      (Or to -s option of the smtpserver either.  Default for that
       option is 've', so you MUST supply option:  -s ''  which
       zeroes the enable flag set.)

	Fix:
      That fault is corrected at this release, but if you tinker with
      your router configuration scripts, you may open up new holes.
      That is why running of the interactive router is made *difficult*,
      you *have to* be aware that you are doing it!

      ( C.Y.A. -- or rather C.M.A. ... )


    - Smtpserver speaks TLSv1/SSLv3 at the SMTP socket, if desired.
      (uses OpenSSL library, very new source version..)

    - Smtpserver Implements "AUTH LOGIN" in a way which is compatible
      with plaintext implemented by M$ Outlook Express (at IE4 ?  or IE5 ?)
      The TLS/SSL works here too.

    - Smtpserver Implements "AUTH=LOGIN" in a way which is for the
      Netscape Communicator per NS specs;  TLS/SSL works too.

    - A bug-circumvention for Linux/i386 glibc 2.1.1 library problem.
      (smtpserver thing this too)

    - smtpserver reports normally only single-line replies for all
      protocol replies; Many (all?) M$ things seem to be unable to
      understand RFC 821 Appendix E multiline replies :-(

    - smtpserver has RBL machinery for IPv6 too, probably way ahead
      of its time...

    (things before that are in 2.99.50s15)

And of course there are known bugs which I haven't fixed yet:
(but they aren't fatal for common usage cases)

    router:
	Input header:
		Cc: "\"\\"\\\"\\\\"\\\\\"'\\\\\\"Prof. dr J. Wil Foppen\\\\\\" <wfoppen@rsm.nl>' \\\\\"
		   <\\\\\"Prof. dr J. Wil Foppen\\\\\"\\\\"\\\"\\"\"" <wfoppen@rsm.nl>
	--> SEGV

    scheduler:

	mailq reported accounting counters seem to leak about recipients 
	storage gauge:

Kids: 168  Idle: 153  Msgs: 1986  Thrds:  58  Rcpnts: 2499  Uptime: 22d20h
Msgs in 73760 out 71774 stored 1986 Rcpnts in 4424888 out 4422854 stored 774896

/Matti Aarnio <mea@nic.funet.fi>
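
An added example, not part of either message and not ZMailer code: a Python check of the workaround above that reads the SMTPOPTIONS line and reports which of the router-invoking style flags (e, v, f, t) are still enabled, covering the clustered form -asve and the 've' default that applies when -s is absent. It assumes -s and -l take an argument and other option letters do not; the function names are hypothetical.

```python
import shlex

# Assumption: -s and -l take an argument; other option letters are plain flags.
OPTS_WITH_ARG = {"s", "l"}
DEFAULT_STYLE = "ve"        # the forwarded message gives 've' as the -s default
ROUTER_FLAGS = set("evft")  # EXPN, VRFY, MAIL FROM, RCPT TO

def smtp_options(conf_text):
    """Return the SMTPOPTIONS value as an argument list, or None if absent."""
    for line in conf_text.splitlines():
        if line.strip().startswith("SMTPOPTIONS="):
            value = shlex.split(line)[0].split("=", 1)[1]
            return shlex.split(value)  # '' becomes an empty argument
    return None

def style_flags(args):
    """Effective -s value, handling clusters (-asve) and a separate -s ''."""
    style, i = DEFAULT_STYLE, 0
    while i < len(args):
        tok = args[i]
        i += 1
        if len(tok) < 2 or not tok.startswith("-"):
            continue
        for pos, ch in enumerate(tok[1:], start=1):
            if ch not in OPTS_WITH_ARG:
                continue
            rest = tok[pos + 1:]
            if rest:
                arg = rest                   # attached: -sve
            elif i < len(args):
                arg, i = args[i], i + 1      # separate: -s ''
            else:
                arg = None                   # argument missing; ignore option
            if ch == "s" and arg is not None:
                style = arg
            break
    return style

def router_flags_enabled(conf_text):
    """Sorted list of e/v/f/t flags still enabled; None if no SMTPOPTIONS line."""
    args = smtp_options(conf_text)
    return None if args is None else sorted(ROUTER_FLAGS & set(style_flags(args)))

# Constructed inputs: the two SMTPOPTIONS lines quoted in the message above.
BEFORE = 'SMTPOPTIONS="-asve -l /var/csuite/log/mail/smtpserver"'
AFTER = "SMTPOPTIONS=\"-a -s '' -l /var/csuite/log/mail/smtpserver\""

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, router_flags_enabled(conf) or "no router flags enabled")
```

The check covers only the -s option in SMTPOPTIONS; the style flags in $MAILSHARE/smtpserver.conf mentioned in the forwarded message need to be reviewed separately.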