
Re: Zmailer security.



mcr@milkyway.com writes:
>   We are looking at various MTAs to use on our firewall product. For
> mostly marketing reasons, we prefer to rm /usr/lib/sendmail.

Unfortunately, running Zmailer would be trading security for marketing
reasons.

Whenever I've looked for security problems in Zmailer, I've found
them.  I haven't had time to do any serious vetting; I've just done
cursory checks.

Zmailer's design is inherently insecure.  It uses shell scripts for
configuration.  Forget to quote an address argument once in the set of
configuration files and an attacker can run an arbitrary program on
your machine by giving you an address with shell metacharacters in it.

Older versions of Zmailer shipped with configuration files which had
such security holes in them.  I don't know if this has been fixed yet,
but I did notify Matti of the problem quite some time ago.

The problem can be papered over by fixing the holes in the default
configuration files, but any administrator who tries modifying their
configuration can easily re-create the security hole.  The only way to
fix it properly is to redesign the configuration subsystem.

I would suggest going with sendmail 8.6.9 and disabling all of the
local delivery facilities.  That leaves one with a fairly minimal
system that has had a lot of security vetting.

-- 
_.John G. Myers		Internet: jgm+@CMU.EDU
			LoseNet:  ...!seismo!ihnp4!wiscvm.wisc.edu!give!up
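
The quoting failure described in the message above, as an added example that is not part of the original post and is not Zmailer code. It assumes POSIX sh as a stand-in for a shell-style configuration language; `deliver`, `route_unquoted`, `route_quoted`, `address_escaped` and all addresses are hypothetical and constructed.

```shell
#!/bin/sh
# Constructed illustration in POSIX sh; not Zmailer's configuration
# language and not taken from any file it ships.

# Hypothetical delivery helper: reports the single recipient it was given.
deliver() {
    printf 'deliver to <%s>\n' "$1"
}

# Unsafe rule: the address is pasted into text that the shell parses
# again, so metacharacters in the address become shell syntax.
route_unquoted() {
    eval "deliver $1"
}

# Safe rule: the address is only expanded inside double quotes and is
# passed on as exactly one argument; it is never re-parsed as shell text.
route_quoted() {
    deliver "$1"
}

# Returns 0 when routing the address produced anything other than the one
# expected delivery line, i.e. the address altered what the script did.
address_escaped() {
    router=$1 addr=$2
    out=$($router "$addr" 2>&1) || true
    [ "$out" != "deliver to <$addr>" ]
}

# Constructed sample addresses; the marker command is a harmless echo.
for a in 'user@example.com' \
         'user@example.com;echo MARKER-COMMAND-RAN' \
         'user`echo MARKER`@example.com'; do
    for r in route_unquoted route_quoted; do
        if address_escaped "$r" "$a"; then v=ESCAPED; else v=literal; fi
        printf '%-15s %-8s %s\n' "$r" "$v" "$a"
    done
done
```

Running a check like `address_escaped` over every rule after each configuration change is one way to catch a quote that was dropped during editing.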