[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

2.99.50s17 available as tarball. SECURITY WARNING

To: <zmailer@nic.funet.fi>
Subject: 2.99.50s17 available as tarball. SECURITY WARNING
From: Matti Aarnio <mea@nic.funet.fi>
Date: Tue, 11 May 1999 01:39:43 +0300

Location:

    ftp://ftp.funet.fi/pub/unix/mail/zmailer/src/

There are new things:

    - There is a SECURITY FAULT in all ZMailer smtpservers that
      allow running router in interactive mode to assist/do address
      analysis with user inputs.  This fault exists in *ALL* versions
      of ZMailer previous to this one! (even 2.2.1 !)

	Circumvention:
      DO NOT allow running router for EXPN, VRFY, MAIL FROM, RCPT TO !
      You can disable those by removing characters 'e v f t' from the
      style flags at the  $MAILSHARE/smtpserver.conf
      (Or to -s option of the smtpserver either.  Default for that
       option is 've', so you MUST supply option:  -s ''  which
       zeroes the enable flag set.)

	Fix:
      That fault is corrected at this release, but if you tinker with
      your router configuration scripts, you may open up new holes.
      That is why running of the interactive router is made *difficult*,
      you *have to* be aware that you are doing it!

      ( C.Y.A. -- or rather C.M.A. ... )


    - Smtpserver speaks TLSv1/SSLv3 at the SMTP socket, if desired.
      (uses OpenSSL library, very new source version..)

    - Smtpserver Implements "AUTH LOGIN" in a way which is compatible
      with plaintext implemented by M$ Outlook Express (at IE4 ?  or IE5 ?)
      The TLS/SSL works here too.

    - Smtpserver Implements "AUTH=LOGIN" in a way which is for the
      Netscape Communicator per NS specs;  TLS/SSL works too.

    - A bug-circumvention for Linux/i386 glibc 2.1.1 library problem.
      (smtpserver thing this too)

    - smtpserver reports normally only single-line replies for all
      protocol replies; Many (all?) M$ things seem to be unable to
      understand RFC 821 Appendix E multiline replies :-(

    - smtpserver has RBL machinery for IPv6 too, propably way ahead
      of its time...

    (things before that are in 2.99.50s15)

And of course there are known bugs which I haven't fixed yet:
(but they aren't fatal for common usage cases)

    router:
	Input header:
		Cc: "\"\\"\\\"\\\\"\\\\\"'\\\\\\"Prof. dr J. Wil Foppen\\\\\\" <wfoppen@rsm.nl>' \\\\\"
		   <\\\\\"Prof. dr J. Wil Foppen\\\\\"\\\\"\\\"\\"\"" <wfoppen@rsm.nl>
	--> SEGV

    scheduler:

	mailq reported accounting counters seem to leak about recipients 
	storage gauge:

Kids: 168  Idle: 153  Msgs: 1986  Thrds:  58  Rcpnts: 2499  Uptime: 22d20h
Msgs in 73760 out 71774 stored 1986 Rcpnts in 4424888 out 4422854 stored 774896

/Matti Aarnio <mea@nic.funet.fi>

Follow-Ups:
- Re: 2.99.50s17 available as tarball. SECURITY WARNING
  - From: "Daryle A. Tilroe" <daryle@amc.ab.ca> (Tue, 11 May 1999 01:57:55 +0300)

Prev by Date: Recent things; STARTTLS and AUTH LOGIN at smtpserver...
Next by Date: Re: 2.99.50s17 available as tarball. SECURITY WARNING
Prev by thread: Recent things; STARTTLS and AUTH LOGIN at smtpserver...
Next by thread: Re: 2.99.50s17 available as tarball. SECURITY WARNING
Index(es):
- Date
- Thread