Release 7.1.0 Software notes

Mail and Messaging


Security vulnerability in sendmail
A security vulnerability has been found in sendmail, caused by an error in the sendmail.cf configuration file. A patch is available from the SCO ftp archive (ftp.sco.com) to correct this error:

The latest information and fixes for security vulnerabilities are available from the SCO Secure Technologies Group site (http://www.sco.com/security/).


New MaxHeaderLines option in sendmail
sendmail (version 8.8.7) has been updated to include the MaxHeaderLines option from a patch issued by the Sendmail Consortium to address a denial of service vulnerability. The option prevents the denial of service attack by limiting both the number of header lines and the size of any individual header line. See:

Mail and Messaging -> Administering Mail and Messaging -> Sendmail Operation Guide -> O: set option


Netscape Messaging Server upgrade breaks sendmail link
If you have a UnixWare 7 Release 7.0.0 or 7.0.1 system with the Netscape Messaging Server installed and then upgrade the system to Release 7.1.0, the link to the version of sendmail provided by the Messaging Server will be broken.

To fix this problem, log into the system as root and issue the following commands:

mv /usr/lib/sendmail /usr/lib/sendmail.710
chmod 000 /usr/lib/sendmail.710
cp /usr/lib/sendmail.save /usr/lib/sendmail.orig
chmod 000 /usr/lib/sendmail.orig
cd /usr/lib
ln -s ../../usr/netscape/suitespot/bin/mail/server/bin/sendmail sendmail

This moves the sendmail provided by the update710 package to /usr/lib/sendmail.710, copies the original sendmail for your system to /usr/lib/sendmail.orig, and correctly links /usr/lib/sendmail to the Netscape Messaging Server sendmail. If you later remove the Messaging Server or the update710 package, you will have to manually replace /usr/lib/sendmail with the correct version and update its permissions and ownership. To create the correct permissions, log in as root, copy the correct file into place, then issue these commands:

chown root:bin /usr/lib/sendmail
chmod 4555 /usr/lib/sendmail


sendmail ruleset prevents an SMTP client from relaying a message
The check_rcpt ruleset in the sendmail.cf configuration file for UnixWare 7 can be used to prevent your machine from being used as an SMTP relay. It prevents spammers from making their mail appear as if it comes from your site. This feature is enabled by default on Release 7.1.0.

A problem in this feature prevents a local SMTP connection from sending outgoing mail. If you make a connection to the SMTP server from the same machine on which the server resides, you will not be able to send a message to another machine. The SMTP dialog will be dropped with the following error message:

    Relay mail from localhost to recipient.host.name denied
recipient.host.name is the name of the remote host to which the mail is addressed.

Example: If you have the Netscape Communicator or Navigator Messenger Mailbox configured with the local host as the "Outgoing mail (SMTP) server", the Netscape mail user agent attempts to make a direct SMTP connection to the local host to send outgoing mail, which fails with the above error message.

To work around this problem:

  1. Copy /etc/sendmail.cf to /etc/sendmail.cf.00.

  2. With your favorite text editor, open /etc/sendmail.cf.

  3. Locate the check_rcpt ruleset by searching for Scheck_rcpt. In that section, locate the line that contains:
       R$*       $: < $&{client_name} > $1       check connecting host
    

  4. Immediately following this line, add these two lines:

    R<$=w> $*       $@ ok       client is local
    R<localhost> $* $@ ok       client is local

     The left hand side, right hand side, and comment which make up the new lines in sendmail.cf must be separated by <Tab> characters, not spaces.

  5. Stop and restart sendmail:

    /etc/mail/sendmailrc stop
    /etc/mail/sendmailrc start

Test the configuration, and if it succeeds remove your backup file, /etc/sendmail.cf.00.
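
The edit in steps 3 and 4 can be scripted so that the <Tab> separators are guaranteed and the result is checked before sendmail is restarted. The shell functions below are an added example, not part of the original release notes or of SCO's tooling; the function names and the fragment written by make_sample_cf are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SCO code): apply and verify the check_rcpt workaround.

# verify_local_rules FILE
#   0 = both rules are present in Scheck_rcpt with tab-separated fields
#   1 = a rule is missing; 2 = a rule is present but split with spaces
verify_local_rules() {
    awk '
        /^S/ { in_rs = ($0 ~ /^Scheck_rcpt/); next }
        in_rs && /^R<(\$=w|localhost)>/ {
            if ($0 ~ /^R<(\$=w|localhost)> \$\*\t+\$@ ok(\t.*)?$/) good++
            else bad++
        }
        END { if (bad) exit 2; exit (good == 2 ? 0 : 1) }
    ' "$1"
}

# insert_local_rules IN OUT
#   Copies IN to OUT, adding the two rules directly after the
#   "check connecting host" rule. The "\t" in awk emits real tab characters.
insert_local_rules() {
    rc=0; verify_local_rules "$1" || rc=$?
    case $rc in
        0) cat "$1" > "$2"; return 0 ;;   # already applied: plain copy
        2) echo "rules present but space-separated; fix by hand" >&2; return 2 ;;
    esac
    awk '
        /^S/ { in_rs = ($0 ~ /^Scheck_rcpt/) }
        { print }
        in_rs && !added && /^R\$\*/ && index($0, "$&{client_name}") {
            print "R<$=w> $*\t$@ ok\tclient is local"
            print "R<localhost> $*\t$@ ok\tclient is local"
            added = 1
        }
        END { exit (added ? 0 : 1) }      # 1 = anchor rule not found
    ' "$1" > "$2"
}

# Constructed sendmail.cf fragment (not a real UnixWare file) for a dry run.
make_sample_cf() {
    printf 'Scheck_rcpt\nR$*\t$: < $&{client_name} > $1\tcheck connecting host\n'
    printf '# (remaining rules elided)\nSother_ruleset\nR$*\t$@ $1\n'
}
```

Run insert_local_rules with the backup from step 1 as input and a scratch file as output, and copy the result into place only after verify_local_rules returns 0 on it.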

An alternate solution is available at the SCO Support Library.


© 2001 The Santa Cruz Operation, Inc. All rights reserved.