Re: Percent Hack



It wouldn't actually be fronted by Exchange - I've formulated a solution
using Debian, Postfix, Amavisd and SpamAssassin that uses LDAP to check
recipient addresses on the Exchange server and sits in front for spam
filtering and virus scanning with Clam and Bitdefender (I say formulated - I
found a good writeup on the internet and extended it with LDAP lookups
rather than a static list on the Debian box). I'm competent enough with
Debian to maintain and support this solution in that updates etc are easy
with apt-get but it's not that easy with such an outdated Redhat box. As it's
being retired shortly I hoped there would be a simple stop-gap to stop the
percent hack problem as otherwise it seems solid enough (it was installed by
a local ISP who is no longer interested as they've shifted their business to
web design and hosting only and it's been running for around 6 years at a
guess - it was installed on a purpose built Celeron 400 so that shows its
age!)

Is there a simple process to download the latest sendmail distro and
unzip(tar?) it over the current version?

Matt


"Bill Cole" <bill@xxxxxxxxxxxxx> wrote in message
news:bill-1287C5.10554527022006@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
In article <440233cc$1@xxxxxxxxxxxx>,
"Matt Beechey" <matt@xxxxxxxxxxxx> wrote:

I have a client who is currently running sendmail 8.9.3/8.8.7 (That's
what's reported upon connection on port 25). They suffer from the percent
hack - ie people can relay via them simply by using username%domain@
instead of username@domain in the recipient address.

I don't want to have to upgrade them as my Redhat knowledge is limited -

Then they need to find some other competent person to do the upgrade for
them. Not upgrading is not a reasonable option.

they are running Redhat 6 currently and we plan to retire this server
before too long and go with Exchange Server.

Probably not the wisest approach, but I guess a modern Exchange exterior
is better than an ancient sendmail one.

Is there an easy way to fix this issue on this version of sendmail - I
wondered about removing the % symbol from the Do line (Delimiters) in
sendmail.cf but without getting confirmation of this I didn't want to play.

That would work after a fashion, but the breakage could be ugly.

They also send NDRs for all messages to invalid
local users where I would rather block during the SMTP session but this
version does not do this I believe.

Any version of Sendmail *can* reject invalid users in SMTP, but whether
it will do so is really a matter of what addresses it sees as local
users. If you have Sendmail acting purely as a relay between the outside
world and some inside mail system (e.g. Exchange) then you have to work
out a way for Sendmail to restrict relaying based on the full address
rather than just by domain.

I did a bit of playing to see if I could upgrade them but the dependencies
appeared to be HUGE - I then hoped I could perhaps step them up to a newer
Redhat distro but this became a pain as finding older versions of distros
is hard and from what I've read the "upgrade" process for Redhat is not
REALLY an upgrade - it's a kludge so doesn't sound like a good idea.

Does anyone have an easy fix for this problem as they are on a Relay
blocklist and obviously won't be taken off until we can patch this
weakness.

Sounds reasonable to me.

They really should be shunned until they upgrade to a securable version
of Sendmail, and likely will be re-shunned repeatedly until they do so,
since there are other known attacks against Sendmail, some more serious
than simple spam relaying. If your client's machine is connected through
a responsibly-managed ISP, they run a real risk of being cut off
completely by running a box with such a severe security flaw.

--
Now where did I hide that website...
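
The two checks discussed in this thread, refusing percent-hack recipients and rejecting unknown users during the SMTP session by full address rather than by domain, shown as an added example (not code from either poster, and not Sendmail or Postfix configuration). The domain and recipient set are constructed; the set stands in for the LDAP lookup against the inside mail system.

```python
"""Recipient policy for an inbound relay: refuse routed addresses
(including the percent hack) and accept only known full addresses."""

# Constructed sample data (assumption): a real gateway would query the
# inside mail system, e.g. over LDAP, instead of using a static set.
LOCAL_DOMAINS = {"client.example"}
VALID_RECIPIENTS = {"alice@client.example", "postmaster@client.example"}


def check_rcpt(rcpt: str) -> tuple:
    """Return an SMTP-style (code, text) verdict for one RCPT TO argument."""
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    # Explicit source route: @relay1,@relay2:user@domain
    if addr.startswith("@"):
        return 550, "source routes not accepted"
    # Split on the LAST '@' so the domain tested is the one actually addressed.
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        return 501, "malformed address"
    domain = domain.rstrip(".").lower()
    # Percent hack (user%other@here) and bang paths (host!user@here): the
    # local part names a further hop, so a domain-only test would approve
    # mail that is really bound for somewhere else.
    if "%" in local or "!" in local or "@" in local:
        return 550, "relaying denied (routed local part)"
    if domain not in LOCAL_DOMAINS:
        return 550, "relaying denied"
    # Full-address check: reject unknown users in the SMTP session instead
    # of accepting the message and sending an NDR afterwards.
    if f"{local.lower()}@{domain}" not in VALID_RECIPIENTS:
        return 550, "user unknown"
    return 250, "ok"


if __name__ == "__main__":
    for sample in ("<alice@client.example>",
                   "someone%elsewhere.example@client.example",
                   "nobody@client.example"):
        print(sample, "->", check_rcpt(sample))
```

Rejecting every `%` in the local part is deliberately stricter than the address grammar allows; a site with legitimate addresses containing `%` would need an allow-list exception.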

