On Wed, 16 Feb 2005 Valdis.Kletnieks@vt.edu wrote:
Um, you actually have to work somewhat to get sendmail to support unauthenticated submission on port 587. The default configuration is that port 25 is unauthenticated (albeit with some restrictions on relaying (only for local clients)) and port 587 is authenticated.
As such, I'm not sure why you seem to think that sendmail on port 587 is unauthenticated.
Umm.. because the Sendmail 8.13.3 tree has this:
DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')
Yup. I posted to another NANOG thread a little while ago about when I mentioned this failure of security to the Sendmail folks and was shot down voraciously by Claus and argued into oblivion by Neil. They don't see this as a security threat for some blissfully ignorant reason.

I'm still sitting on an m4 patch that, by default, disallows MSA submission from any party not also permitted to *relay* (this means that IP list based auth works, not just SMTP AUTH). It uses a new DaemonPortOptions flag, and adds three ruleset lines.

Here's the actual message in which I proposed this and provided the diff. The only thing missing here is one more op.me doc fix, but it's functionally correct. The patch still works on 8.13.x.

=====

Date: Wed, 16 Jun 2004 22:29:12 -0400 (EDT)
From: Todd Vierling <tv@duh.org>
To: sendmail@sendmail.org
Subject: MSA-not-like-MTA diff deux

On Wed, 16 Jun 2004, Neil W Rickert wrote:
Relay permission is already logically necessary for legitimate users of the MSA port, so this aspect can and should be enforced as mandatory.
If "Relay permission is already logically necessary" then what we are already doing must meet your requirements.
Except that currently, the following part is not enforced:
3. MTAs should never contact the MSA port for anonymous mail delivery injection.
because remote systems are indeed being allowed to inject mail anonymously, so long as the RHS of the RCPT TO is "local".
You would have done better to just submit a patch with a brief explanation, and without the bogus claim that there is a security hole.
Those of us who are deluged by a flood of wormspew, and fighting back against it fiercely, consider this to be a huge security hole. Sendmail is [when using the default out-of-the-box settings] allowing at least one worm so far to propagate beyond the realm of port-25 filtering. This is why I started by asking a question about it in a security context, and was rather taken aback by what appeared (to me) to be denial of the problem's existence. Rather, it only appears to be that the members of the Sendmail author team haven't -- yet -- seen the detrimental effects of a MTA-as-MSA port to quite the degree that some others of us already have. I apologize for my misinterpretation. To level the issue a bit:
Maybe at this stage you should extend the patch to cover the documentation (cf/README and maybe doc/op/op.me (for the proposed new modifier for DaemonPortOptions). Then resubmit and see what Claus decides to do with it.
Attached below. Diff is against 8.12.11. I used modifier `L' as a "not Local" meaning, given that the other uppercase letters mean "not Something", but maybe that's not so intuitive?[*] If you think it should use a different option letter, let me know and I'll re-roll the diff. [*] As if rulesets are intuitive. But then, I did write a text search algo in m4 some ages ago.... 8-) ===== --- doc/op/op.me.orig Wed Jun 16 22:01:02 2004 +++ doc/op/op.me Wed Jun 16 22:11:05 2004 @@ -6457,11 +6457,15 @@ A disable AUTH (overrides 'a' modifier) C don't perform hostname canonification E disallow ETRN (see RFC 2476) +L treat all mail as nonlocal; require relay permission (.cf) O optional; if opening the socket fails ignore it S don't offer STARTTLS .)b -That is, one way to specify a message submission agent (MSA) that -always requires authentication is: +The standard message submission agent (MSA) uses the ``L'' +modifier to restrict message submission only to clients that have +mail relaying permission. +A way to specify a message submission agent (MSA) that +always requires SMTP AUTH based authentication is: .(b O DaemonPortOptions=Name=MSA, Port=587, M=Ea .)b @@ -6471,8 +6475,8 @@ .b ${daemon_flags} . Notice: Do .b not -use the ``a'' modifier on a public accessible MTA! -It should only be used for a MSA that is accessed by authorized +use the ``a'' and/or ``L'' modifiers on a publicly accessible MTA! +They should only be used for a MSA that is accessed by authorized users for initial mail submission. Users must authenticate to use a MSA which has this option turned on. The flags ``c'' and ``C'' can change the default for --- cf/m4/proto.m4.orig Sun Jan 11 12:54:06 2004 +++ cf/m4/proto.m4 Wed Jun 16 22:00:47 2004 
@@ -347,7 +347,7 @@ ifelse(defn(`_DPO_'), `', `ifdef(`_NETINET6_', `O DaemonPortOptions=Name=MTA-v4, Family=inet O DaemonPortOptions=Name=MTA-v6, Family=inet6',`O DaemonPortOptions=Name=MTA')', `_DPO_') -ifdef(`_NO_MSA_', `dnl', `O DaemonPortOptions=Port=587, Name=MSA, M=E') +ifdef(`_NO_MSA_', `dnl', `O DaemonPortOptions=Port=587, Name=MSA, M=EL') # SMTP client options ifelse(defn(`confCLIENT_OPTIONS'), `', `dnl', @@ -2041,6 +2041,10 @@ ifelse(defn(`_NO_UUCP_'), `r', `R$* ! $* < @ $* > $: <REMOTE> $2 < @ BANG_PATH > R$* ! $* $: <REMOTE> $2 < @ BANG_PATH >', `dnl') +# do not implicitly trust local recipients on MSA port(s) +R$* $: $&{daemon_flags} $| $1 +R$* LL $* $| $* $@ NO +R$* $| $* $: $2 # anything terminating locally is ok ifdef(`_RELAY_ENTIRE_DOMAIN_', `dnl R$+ < @ $* $=m > $@ RELAY', `dnl') --- cf/README.orig Wed Jun 16 21:58:42 2004 +++ cf/README Wed Jun 16 21:59:46 2004 @@ -1345,7 +1345,7 @@ follow the colon. no_default_msa Don't generate the default MSA daemon, i.e., - DAEMON_OPTIONS(`Port=587,Name=MSA,M=E') + DAEMON_OPTIONS(`Port=587,Name=MSA,M=EL') To define a MSA daemon with other parameters, use this FEATURE and introduce new settings via DAEMON_OPTIONS(). @@ -4055,7 +4055,7 @@ If DAEMON_OPTIONS is not used, then the default is DAEMON_OPTIONS(`Port=smtp, Name=MTA') - DAEMON_OPTIONS(`Port=587, Name=MSA, M=E') + DAEMON_OPTIONS(`Port=587, Name=MSA, M=EL') If you use one DAEMON_OPTIONS macro, it will alter the parameters of the first of these. The second will still be defaulted; it @@ -4072,7 +4072,7 @@ using the default SMTP port, use FEATURE(`no_default_msa') DAEMON_OPTIONS(`Name=MTA') - DAEMON_OPTIONS(`Port=987, Name=MSA, M=E') + DAEMON_OPTIONS(`Port=987, Name=MSA, M=EL') Note that if the first of those DAEMON_OPTIONS lines were omitted, then there would be no listener on the standard SMTP port. -- -- Todd Vierling <tv@duh.org> <tv@pobox.com>
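Review bot: in the first doc/op/op.me hunk (@@ -6457), the new flag line "L treat all mail as nonlocal; require relay permission (.cf)" leaves the "(.cf)" unexplained. The other modifiers in that list are enforced by the sendmail binary, whereas this patch touches no C code: L is only honoured by the check_rcpt rules generated from cf/m4/proto.m4, so a hand-maintained sendmail.cf that merely adds M=EL gets no protection at all. Suggest spelling that out in the flag description, e.g. "(enforced only by the cf/m4-generated check_rcpt rulesets, not by the daemon itself)".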
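Review bot: in the second doc/op/op.me hunk (@@ -6471), the unchanged sentence immediately after the edited lines, "Users must authenticate to use a MSA which has this option turned on.", is now wrong for one of the two modifiers it follows: with L a client that never issues SMTP AUTH is still accepted when it holds relay permission through the access db or class R, which is exactly the behaviour the patch description promises. "This option" also no longer has a singular referent. Suggest "Users must authenticate (``a'') or otherwise hold relay permission (``L'') to use a MSA which has one of these modifiers turned on."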
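Review bot: the first cf/m4/proto.m4 hunk (@@ -347) silently changes the generated default from M=E to M=EL for every site that never sets DAEMON_OPTIONS, so clients that today submit to port 587 for local delivery without SMTP AUTH and without a relay entry will start receiving relaying-denied rejections after a rebuild of sendmail.cf. That is the intent of the patch, but it is a behaviour change that needs a release note (cf/README or RELEASE_NOTES) telling such sites to grant relay permission in the access db or to deploy SMTP AUTH for their submission clients before regenerating the .cf.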
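Review bot: in the second cf/m4/proto.m4 hunk (@@ -2041), the rule "R$* LL $* $| $* $@ NO" returns NO for every recipient as soon as the daemon flags contain L, so the change is correct only if every path that grants RELAY to an authenticated or relay-permitted client (the AUTH/TLS checks and the access-db client lookup) has already been evaluated before this point in the ruleset; the author's claim that IP-list-based relay permission still works depends on that ordering. The hunk does not record the dependency; suggest extending the comment to "# do not implicitly trust local recipients on MSA port(s); must stay after the AUTH/TLS/client-relay checks" so that a later reordering of check_rcpt does not turn this into "reject all MSA mail" or quietly reopen the hole. A second comment on why the flag is matched as "LL" rather than "L" would also help, since a reader who does not know how ${daemon_flags} is populated will take it for a typo.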
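Review bot: the first cf/README hunk (@@ -1345) updates the default that no_default_msa suppresses, but the next sentence, "To define a MSA daemon with other parameters, use this FEATURE and introduce new settings via DAEMON_OPTIONS()", now leads a site straight into defining an MSA listener without L and therefore without the new protection. Suggest adding that M=EL (or M=Ea) should be kept in any replacement DAEMON_OPTIONS() line so the relay-permission requirement survives the customisation.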
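The gap this thread is about, an MSA listener run with M=E accepting mail from a client that neither authenticated nor holds relay permission as long as the recipient is local, leaves a trace in the mail log, so an operator who cannot rebuild sendmail.cf right away can at least measure how often it happens. The script below is an added example for this page, not code from the post or from sendmail. It assumes the sendmail 8.12/8.13 syslog layout: one forked child (one pid) per connection, an `AUTH=server` line logged once per authenticated session, and a `from=` line per message carrying `daemon=<Name>` and `relay=host [addr]`. The log excerpt and the relay-permitted network 10.1.0.0/16 are constructed for the example.

```python
"""Flag mail accepted on sendmail's MSA listener without SMTP AUTH from a
client that holds no relay permission.

Added example, not code from the NANOG post or from sendmail. Assumes the
sendmail 8.12/8.13 log layout described in the lead-in; all log lines and
the relay-permitted network below are constructed.
"""
import ipaddress
import re

# Constructed log excerpt (documentation addresses only). On the MSA listener:
# alice authenticates and then sends two messages over the same connection
# (same pid); bob submits from a LAN address the access db permits to relay;
# the third client is anonymous and external, delivering to a local
# recipient, which is exactly what the default M=E listener accepts. The
# last line is ordinary port-25 traffic on the MTA listener.
SAMPLE_LOG = """\
Jun 16 22:01:02 mx sendmail[10231]: i5H21xAB010231: AUTH=server, relay=host1.example.net [198.51.100.7], authid=alice, mech=LOGIN, bits=0
Jun 16 22:01:03 mx sendmail[10231]: i5H21xAB010231: from=<alice@example.net>, size=812, class=0, nrcpts=1, msgid=<a1@example.net>, proto=ESMTP, daemon=MSA, relay=host1.example.net [198.51.100.7]
Jun 16 22:01:05 mx sendmail[10231]: i5H215AB010231: from=<alice@example.net>, size=640, class=0, nrcpts=1, msgid=<a2@example.net>, proto=ESMTP, daemon=MSA, relay=host1.example.net [198.51.100.7]
Jun 16 22:02:10 mx sendmail[10240]: i5H22AAB010240: from=<bob@example.net>, size=900, class=0, nrcpts=1, msgid=<b1@example.net>, proto=ESMTP, daemon=MSA, relay=[10.1.2.3]
Jun 16 22:03:44 mx sendmail[10255]: i5H23iAB010255: from=<anon@example.org>, size=4120, class=0, nrcpts=1, msgid=<c1@example.org>, proto=ESMTP, daemon=MSA, relay=[203.0.113.9]
Jun 16 22:04:00 mx sendmail[10260]: i5H240AB010260: from=<carol@example.com>, size=500, class=0, nrcpts=1, msgid=<d1@example.com>, proto=ESMTP, daemon=MTA, relay=[203.0.113.10]
"""

# What the access db would hold as "Connect:10.1 RELAY"; constructed.
RELAY_PERMITTED = [ipaddress.ip_network("10.1.0.0/16")]

# "sendmail[<pid>]: <queue id>: <rest of line>"
LINE_RE = re.compile(r"sendmail\[(?P<pid>\d+)\]: (?P<qid>[A-Za-z0-9]+): (?P<body>.*)$")
# The bracketed client address inside "relay=host [addr]" or "relay=[addr]".
RELAY_ADDR_RE = re.compile(r"relay=(?:[^\s,]+ )?\[(?P<addr>[^\]]+)\]")
# Comma-separated key=value fields of a sendmail log line.
FIELD_RE = re.compile(r"(?P<k>\w+)=(?P<v>[^,]*)")


def relay_permitted(addr):
    """True if the client address falls inside a network allowed to relay."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RELAY_PERMITTED)


def scan(log_text, msa_name="MSA"):
    """Return (queue id, client address, envelope sender) for each message
    accepted on the MSA listener from a client that neither authenticated
    in this connection nor holds relay permission.

    Correlation is by pid rather than queue id: sendmail logs AUTH=server
    once per connection, but every message in that connection gets its own
    queue id, so keying on the queue id would flag alice's second message.
    """
    authenticated_pids = set()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, qid, body = m.group("pid"), m.group("qid"), m.group("body")
        if body.startswith("AUTH=server"):
            authenticated_pids.add(pid)
            continue
        if not body.startswith("from="):
            continue
        fields = dict(FIELD_RE.findall(body))
        if fields.get("daemon") != msa_name:
            continue  # port-25 (MTA) traffic is out of scope here
        am = RELAY_ADDR_RE.search(body)
        if am is None:
            continue  # local submission via the command line has no [addr]
        client = am.group("addr")
        if pid not in authenticated_pids and not relay_permitted(client):
            hits.append((qid, client, fields.get("from")))
    return hits


if __name__ == "__main__":
    for qid, client, sender in scan(SAMPLE_LOG):
        print(f"{qid}: unauthenticated MSA submission from {client}, from={sender}")
```

To run it against a live system, read /var/log/maillog (or wherever syslog puts the mail facility) into `scan` instead of `SAMPLE_LOG` and fill `RELAY_PERMITTED` from the access db. Keep each run to a single log rotation: pids are reused over time, so an `AUTH=server` line from a long-dead process must not vouch for a later connection that happened to get the same pid.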