again a new dump of mea's sources...
I have these now running on Solaris 2.3 (SPARC), and SunOS 4.1.3 (SPARC)
ftp://ftp.funet.fi/pub/unix/mail/zmailer/zmailer-2.2.1-mea-940322.tar.gz
I was worried about a security problem that has been exploited on
BSD sendmail (5.x, and until recent even 8.x..), but I don't have
anything conclusive on it. Except that possibly my version of cf
files opens up the hole, although latest test caught it somehow..
(some tests..)
... Now I have something conclusive:
Security seems to depend upon your definition of 'NOBODY'. "-2" in
there is a better choice than 65534. This is because at some point
the error reply is thrown with sender identity "-2" instead of the
true value of the "NOBODY" in the /etc/zmailer.conf (or wherever
you have it..)
Ok, that concluded I trust this beast not to leak via easily findable
holes, hopefully none.
Things it can do to you are numerous, including a usually successful
fake of MIME-mail translation on flight.
Things I would like to have in there include:
- Real MIME processing a'la Emil on sendmail (IDA, and 8.x)
- Get rid of memory leakage on router
- Have filters for $MAILSHARE/lists/LISTNAME processing
  which 1) tell how to rewrite headers, 2) tell where to
  route messages -- a step closer to Revised LISTSERV within
  the mailer :-)
- IETF-notary-wg delivery notifications...
- Usage of GNU/Cygnus compilation configuration mechanism
On that aforementioned package you can find several READMEs on the
top-level directory. They are what little I have documented of my
sources -- plus some entries on the man-pages telling the most juicy bits.
Have fun, tell me if you have problems -- AND BE CAREFUL with configs...
my setup might not suit you :-)
/Matti Aarnio <mea@nic.funet.fi> <mea@utu.fi>