
again a new dump of mea's sources...




I have these now running on Solaris 2.3 (SPARC), and SunOS 4.1.3 (SPARC)

ftp://ftp.funet.fi/pub/unix/mail/zmailer/zmailer-2.2.1-mea-940322.tar.gz


I was worried about a security problem that has been exploited on
BSD sendmail (5.x, and until recently even 8.x..), but I don't have
anything conclusive on it.  Except that possibly my version of  cf
files opens up the hole, although latest test caught it somehow..

(some tests..)

...  Now I have something conclusive:
Security seems to depend upon your definition of 'NOBODY'.  "-2" in
there is a better choice than 65534.  This is because at some point
the error reply is thrown with sender identity "-2" instead of the
true value of the "NOBODY" in the  /etc/zmailer.conf (or wherever
you have it..)


Ok, that concluded I trust this beast not to leak via easily findable
holes, hopefully none.

Things it can do to you are numerous, including a usually successful
fake of MIME-mail translation on flight.

Things I would like to have in there include:
	- Real MIME processing a'la  Emil  on sendmail (IDA, and 8.x)
	- Get rid of memory leakage on router
	- Have filters for  $MAILSHARE/lists/LISTNAME  processing
	  which  1) tell how to rewrite headers, 2) tell where to
	  route messages -- a step closer to Revised LISTSERV within
	  the mailer :-)
	- IETF-notary-wg delivery notifications...
	- Usage of GNU/Cygnus compilation configuration mechanism


On that aforementioned package you can find several READMEs on the
top-level directory. They are what little I have documented of my
sources -- plus some entries on the man-pages telling the most juicy bits.


Have fun, tell me if you have problems -- AND BE CAREFUL with configs...
my setup might not suit you :-)

	/Matti Aarnio	<mea@nic.funet.fi> <mea@utu.fi>