COMMAND

    sendmail

SYSTEMS AFFECTED

    RedHat 5.0, 5.1, 5.2

PROBLEM

    David Luyer recently found his hosts being used as mail relays and
    listed in the ORBS mail relay blocking system, due to a bug in early
    anti-relay rulesets as used both in his local rules and in the
    sendmail.cf shipped with RedHat 5.0, 5.1 and 5.2.  It seems that
    some spammers out there have discovered the power of:

        RCPT TO: <"target@destination.com"@relay.host.name>

    where relay.host.name is the relay's own hostname, obtained by a
    reverse DNS lookup on its address.  The domain part is local, so a
    naive recipient check accepts the address; the quoted local part is
    only dequoted later, at delivery time, and the message then goes out
    to destination.com.

    Some additional information about open relays and the problems they
    present can be found at:

        http://typhaon.ucs.uwa.edu.au/presentations.html

    under 'E-mail Security', but hopefully everyone is well informed of
    the issues by now; that paper is quite dated even though it is
    under a year old.

SOLUTION

    Users of sendmail 8.9.x of course have no problem, and neither do
    those who have updated their mail relay prevention rulesets
    recently, but there are enough RedHat 5.0, 5.1 and 5.2 users who
    are unaware of the problem to make it worth sending this out.  Be
    aware that a default install of 8.9.3 does NOT in and of itself fix
    this problem: the anti-relay rulesets in sendmail.cf must be updated
    as well.  The vulnerable rules appear to be the ones from Claus
    Assmann and the many rulesets derived from them.  Daniele Orlandi
    fixed them by replacing the part which checks for a local recipient
    with the more complex set from RedHat 6.0, which dequotes the
    recipient address and checks it again.  This should be of help to
    users of home-made rules.

    # remove local part, maybe repeatedly
    R$*<@$=w.>$*                    $>3 $1 $3
    # If you want to use RelayTo uncomment the following line
    R$*<@$*$={RelayTo}.>$*          $>3 $1 $4
    # a quoted local part such as "target@destination.com" is a single
    # token to ruleset 3, so after the local domain is stripped nothing
    # below matches and the recipient is accepted
    R$*<@$+>$*                      $#error $@ 5.7.1 $: "571 Relay denied"

    Replace with:

    # remove local part, maybe repeatedly
    R$+                             $:$>removelocal $1
    # still something left?
    R$*<@$+>$*                      $#error $@ 5.7.1 $: "571 Relay denied"

    Sremovelocal
    # remove RelayTo part (maybe repeatedly)
    R$*<@$*$={RelayTo}.>$*          $>3 $1 $4
    # remove a local domain and go round again on what is left
    R$*<@$=w.>$*                    $: $>removelocal $>3 $1 $3
    # a foreign domain remains: return it so check_rcpt denies it
    R$*<@$*>$*                      $@ $1<@$2>$3
    # dequote local part (needs "Kdequote dequote" defined in the .cf)
    # and re-canonify it with ruleset 3
    R$-                             $: $>3 $(dequote $1 $)
    # if dequoting exposed another @domain, go round again
    R$*<@$*>$*                      $: $>removelocal $1<@$2>$3
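    The bypass and both check_rcpt variants, re-implemented in Python as
    an added example (this is not code from the advisory, from sendmail
    or from Red Hat).  LOCAL_HOSTS plays the role of the $=w class and
    RELAY_TO of $={RelayTo}; relay.host.name, customer.example and
    destination.com are constructed test names.  naive_check_rcpt models
    the original rules, which strip a local domain once and cannot see
    inside a quoted local part; resolve models the Sremovelocal
    recursion (peel the local domain, dequote, re-parse, repeat) and
    fixed_check_rcpt denies when a foreign domain is left after that.
    A doubly-quoted probe is included to show why the peeling must
    repeat rather than run once.

```python
"""Quoted-local-part relay bypass: vulnerable vs. corrected check_rcpt.

Added example, not code from the advisory, from sendmail or from Red Hat.
LOCAL_HOSTS stands in for the $=w class and RELAY_TO for $={RelayTo};
all host names and addresses below are constructed test data.
"""

LOCAL_HOSTS = {"relay.host.name"}   # names this MTA accepts mail for ($=w)
RELAY_TO = {"customer.example"}     # domains we knowingly relay for ($={RelayTo})

DENY = "571 Relay denied"
ACCEPT = "accept"


def split_address(addr):
    """Split 'local@domain' at the last '@' that is outside double quotes.

    Returns (local, domain); domain is '' if there is no unquoted '@'.
    The domain is lower-cased and a trailing dot (the canonical '$=w.'
    form) is removed.  Backslash escapes inside quotes are honoured, so an
    escaped quote cannot end the quoted string early.
    """
    in_quotes = escaped = False
    split_at = -1
    for i, ch in enumerate(addr):
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "@" and not in_quotes:
            split_at = i
    if split_at < 0:
        return addr, ""
    return addr[:split_at], addr[split_at + 1:].rstrip(".").lower()


def dequote(local):
    """Remove one level of RFC 822 quoting: '"a@b"' -> 'a@b', undoing \\x escapes.

    This is the job the $(dequote ... $) map does in the corrected ruleset.
    """
    if len(local) < 2 or local[0] != '"' or local[-1] != '"':
        return local
    body, out, i = local[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def naive_check_rcpt(addr):
    """The original rules: strip one local/RelayTo domain, deny if one is left.

    A quoted local part is a single token, so '"x@y"@relay.host.name'
    looks like local user '"x@y"' and is accepted.
    """
    _local, domain = split_address(addr)
    if domain == "" or domain in LOCAL_HOSTS or domain in RELAY_TO:
        return ACCEPT
    return DENY


def resolve(addr):
    """Emulate Sremovelocal: peel a local or RelayTo domain, dequote what is
    left, re-parse, and repeat until no such domain remains.

    Returns the final (local, domain), which is also where the message
    would end up once the local part is dequoted at delivery time.
    """
    current = addr
    while True:
        local, domain = split_address(current)
        if domain in LOCAL_HOSTS or domain in RELAY_TO:
            current = dequote(local)    # strictly shorter, so the loop ends
            continue
        return local, domain


def fixed_check_rcpt(addr):
    """The corrected check: after full peeling, any domain left is foreign."""
    _local, domain = resolve(addr)
    return ACCEPT if domain == "" else DENY


def main():
    probes = [
        "user@relay.host.name",
        "user@customer.example",
        "user@destination.com",
        '"target@destination.com"@relay.host.name',
        '"target@destination.com"@customer.example',
        # two levels of quoting: a single strip-and-dequote pass is not enough
        '"\\"target@destination.com\\"@relay.host.name"@relay.host.name',
    ]
    for addr in probes:
        print(f"{addr:62} naive={naive_check_rcpt(addr):17} "
              f"fixed={fixed_check_rcpt(addr):17} final={resolve(addr)}")


if __name__ == "__main__":
    main()
```

    Running it shows the naive check accepting every probe that ends in
    a local or RelayTo domain, including the quoted ones whose final
    destination is destination.com, while the fixed check only accepts
    addresses that peel down to a bare local user.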

    The sendmail.cf that comes with RedHat 5.x (sendmail 8.8.7) does
    not stop the open relay problem on its own, although it contains
    most of the rules needed to do so.  The way to get around it is to
    cut out the Scheck_rcpt and Sremove_local rulesets in sendmail.cf
    and replace them with the similar rulesets found at

        http://www.sendmail.org/~ca/email/check.html#check_rcpt

    The Scheck_rcpt and Sremovelocal sections listed here will stop all
    of the (currently) known relaying methods.

    David put out a quick script which applies this fix.  The script
    can be found at:

        ftp://typhaon.ucs.uwa.edu.au/pub/strobe-classb/RH5.0-5.2-patchscript

    This problem is checked for by David's latest relay scanner,
    strobe-classb, at:

        ftp://typhaon.ucs.uwa.edu.au/pub/strobe-classb/strobe-classb-v1.8.tgz

    Note that both Postfix and qmail are immune to this problem even
    though their smtpd daemons answer "250" to the RCPT TO command.
    Due to the architecture of both programs, smtpd has no way to
    validate the "user" part of the address; the quoted local part is
    handed on as an (unknown) local user and the mail bounces, i.e. it
    is NOT relayed.  Exim doesn't seem to be vulnerable either
    (according to P. Hazel in a discussion across the postfix and exim
    mailing lists).