about sendmail security update

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Apr 8 18:07:13 UTC 2006


Gonzalo Suarez wrote:
 
> I'm a very new FreeBSD user/admin. I've been running my own server since 1 month ago, and I
> 've been told about a security issue with sendmail. I read about it in the
> security advisory
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:13.sendmail.asc and
> I don't know how I could get my system patched or upgraded. Some people
> tell me to quit using sendmail and try postfix, but I would like to fix
> sendmail and try to configure it...

In my humble opinion, sendmail is fine on almost any server not intended
to be primarily a mail server.  Indeed on a machine where you trust
everyone who has access and where you only need to send e-mail from, not
receive it, then sendmail in the default configuration where it binds
solely to the loopback interface is perfectly fine.

However I'd think carefully about exposing sendmail listening on port
25 on an internet accessible interface.   Don't do that unless you are
confident of being able to apply upgrades in a timely fashion.  Otherwise,
one of the other big 4 MTAs (sendmail, exim, postfix, qmail) may be more
suitable for you.

In answer to your question: you've got two options.  Option 1 is to use
FreeBSD Update:

    http://www.daemonology.net/freebsd-update/

which will let you apply binary updates to your system, incorporating all
of the various security advisories as they are produced.  Note that this
does not mix well with recompiling bits of the system locally -- read that
web page carefully.  Note that this site is run by the current FreeBSD
security officer.  I believe that the intention is to make it into an
official FreeBSD supported service eventually, but that the code that runs
the site is not in good enough shape to do that yet.

Option 2 is to get hold of the system sources and recompile your world from
them, which sounds like a terrible ordeal to the uninitiated but is
actually fairly plain sailing -- all it takes is the time and the disk space
to do the compilations.  The procedure is documented in the Handbook.

First you will need to download the sources -- cvsup is the recommended
way to do that:

   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html

You will need to specify the appropriate CVS tag for the system version
you want.  In your case, I'd recommend RELENG_5_4 to pull down the latest
5.4-RELEASE-pN code.  But again, the Handbook explains how the different
CVS tags and branches work:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html

Then you will want to compile all this code and install the results:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

See also /usr/src/UPDATING (after you've downloaded the sources with cvsup,
clearly) for any special instructions etc. required by the latest code.

And with that, you're done.  All of the security fixes get committed to the
supported RELEASE code branches, so doing a cvsup and {build,install}world
procedure after the specified date will always get you the required fixes.
Or else you can follow the instructions in the advisory, which will generally
get you to pretty much the same place by a different route, often without
necessarily having to interrupt service for as long.

> I installed the system with a FreeBSD 5.4 release CD. I downloaded the patch
> and when I executed it I realized that I don't have the source code of
> sendmail since I started the installation with the CD-ROM standard
> installation. What am I supposed to do now? Patch or upgrade? What is the
> easy way? I have compiled some little C code for college practices and
> installed some BSD ports with make install, but now I'm a little bit lost
> here...

System sources are available on the standard CDs -- obviously, you get the
sources the release was created from -- and there is an option in sysinstall
to install them.  However, if you've got cvsup sorted you might as well use
that from scratch to populate an empty /usr/src directory.  There are possible
pitfalls if you don't 'adopt' the sources from the release CD correctly
before updating them with cvsup, although those only happen in certain
thankfully quite rare circumstances:

    http://www.cvsup.org/faq.html#adoptupgrade

You'll need about 350--400MB available for the system sources, plus
approximately another 500MB to hold the results of compiling all that.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
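The two halves of Option 2 above (pull the RELENG_5_4 sources with cvsup, then verify afterwards that the system reports the patched level) as an added shell example; this is not code from the mail or from FreeBSD, the function names are made up, and the required patch number is whatever the advisory states, passed in as an argument:

```sh
#!/bin/sh
# Added example, not part of the original mail. Helper names are hypothetical.

# Write a cvsup supfile that pulls src-all from one security branch tag
# (e.g. RELENG_5_4); refuse anything that is not a RELENG_x_y style tag so a
# typo cannot silently track -CURRENT or -STABLE instead of the release branch.
write_supfile() {
    tag="$1"; out="$2"
    case "$tag" in
        RELENG_[0-9]*_[0-9]*) ;;
        *) echo "refusing non-release tag: $tag" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
*default host=cvsup.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=$tag
*default delete use-rel-suffix
src-all
EOF
}

# Return 0 if a `uname -r` string such as 5.4-RELEASE-p13 is on the wanted
# release and at a patch level >= the one required; a bare 5.4-RELEASE is p0.
patchlevel_at_least() {
    running="$1"; want_rel="$2"; want_p="$3"
    rel="${running%-p*}"          # 5.4-RELEASE-p13 -> 5.4-RELEASE
    p="${running##*-p}"           # 5.4-RELEASE-p13 -> 13
    [ "$p" = "$running" ] && p=0  # no -pN suffix at all
    [ "$rel" = "$want_rel" ] && [ "$p" -ge "$want_p" ]
}

# Usage: sh update-check.sh RELENG_5_4 5.4-RELEASE <patch level from advisory>
# After the build/install/reboot, run it again: the first branch should fire.
if [ "$#" -eq 3 ]; then
    if patchlevel_at_least "$(uname -r)" "$2" "$3"; then
        echo "already at $2-p$3 or later; nothing to do"
    else
        write_supfile "$1" /root/src-supfile &&
        echo "run: cvsup -g -L 2 /root/src-supfile, read /usr/src/UPDATING," \
             "then follow the Handbook makeworld steps"
    fi
fi
```

Note that `uname -r` only reflects the installed kernel; check /usr/src/sys/conf/newvers.sh after installworld if the kernel was not rebuilt.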
