FreeBSD Security Advisory FreeBSD-SA-06:13.sendmail

Chuck Swiger cswiger at mac.com
Fri Mar 24 13:56:53 UTC 2006


Ruslan Ermilov wrote:
> On Thu, Mar 23, 2006 at 10:44:05AM +0200, Dmitry Pryanishnikov wrote:
[ ... ]
>>  This doesn't change sendmail's identification string - it's still "8.13.1"
>> on RELENG_4_11, which makes detection of unpatched systems more difficult
>> for sysadmins. Wouldn't it be wise to add, say, "-p1" to this string in
>> version.c?
>>
> It depends on what you think about whether it's good or not
> that it's undetectable.  I prefer it to be not-detectable.

Previous sendmail-based exploits involved hosts being compromised by automated
worms which try their attacks against every IP they can talk to on the SMTP
port, regardless of version number information displayed, or by malicious email
which exploited MIME header string buffer problems, a mechanism which also paid
no attention to the SMTP banner version info.

If someone wants to conceal the sendmail version info, there are mechanisms in
place to do so which solve that problem more effectively.  If you don't want the
sendmail version numbers to appear in the banner on port 25, the better solution
is to add this to your sendmail.mc file:

  define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b; no UCE; C=US, L=NY.')dnl

[ Adjust region, country code, and SMTP policy to suit your local needs. ]

If you also want to conceal version information in the mail headers, either
override the values of the $v and $Z macros, which are typically set like so:

  # Configuration version number
  DZ8.13.6

...or override the Received: header line being generated by changing this:

  HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
        $.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)
        $.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}

                ^^^^^^^

I would like the output of "sendmail -d0.1" to correctly indicate what the
version actually is so I can track it, even if I felt it appropriate or
necessary to conceal that information from non-local users.

-- 
-Chuck

PS: I very much wish that software would not attempt to conceal which version it
actually is, because that fosters absurd situations like web browser User-agent
strings ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322)").  That version string is obscure all right, but hardly secure.
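
The thread's point is that a version taken from the SMTP banner cannot tell a host that received a backported fix from an unpatched one. The following is an added example, not code from Chuck's post or from the FreeBSD advisory: it extracts the version from the three places the post mentions (the banner, the ($v/$Z) field of a Received: header, and the first line of "sendmail -d0.1" output, whose "Version x.y.z" shape is assumed here), compares each against a fix threshold, and reports a below-threshold banner as inconclusive rather than vulnerable. The sample banner, header and -d0.1 output are constructed; the 8.13.6 threshold is taken from the DZ line quoted above; the "-p1" suffix handling follows Dmitry's suggestion and is hypothetical.

```python
import re
from typing import Optional, Tuple

# Constructed sample inputs (not taken from the original post or the advisory).
# The default banner is built from `$j Sendmail $v/$Z; $b`; the concealed one
# follows the confSMTP_LOGIN_MSG define quoted in the post.
DEFAULT_BANNER = "220 mail.example.org ESMTP Sendmail 8.13.1/8.13.1; Fri, 24 Mar 2006 13:56:53 GMT"
CONCEALED_BANNER = "220 mail.example.org Sendmail; Fri, 24 Mar 2006 13:56:53 GMT; no UCE; C=US, L=NY."
RECEIVED_HEADER = (
    "Received: from client.example.org (client.example.org [192.0.2.10])\n"
    "\tby mail.example.org (8.13.6/8.13.6) with ESMTP id k2ODuqAB012345"
)
# Assumed shape of the first line of `sendmail -d0.1` output (constructed).
D01_OUTPUT = "Version 8.13.6\n Compiled with: DNSMAP LOG MATCHGECOS MILTER NAMED_BIND\n"

# A sendmail version, optionally followed by a patch suffix such as "-p1"
# (the marker proposed in the thread; hypothetical).
_VER = r"(\d+\.\d+\.\d+(?:-p\d+)?)"


def version_from_banner(banner: str) -> Optional[str]:
    """Version visible to a remote SMTP client, or None if the banner hides it."""
    m = re.search(r"Sendmail " + _VER, banner)
    return m.group(1) if m else None


def version_from_received(header: str) -> Optional[str]:
    """Binary version ($v) from the ($v/$Z) field of a Received: header."""
    m = re.search(r"\(" + _VER + r"/" + _VER + r"\)", header)
    return m.group(1) if m else None


def version_from_d01(output: str) -> Optional[str]:
    """Version the local binary reports on the first line of `sendmail -d0.1`."""
    m = re.match(r"Version " + _VER, output)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """'8.13.1-p1' -> (8, 13, 1, 1); an unsuffixed version gets patch level 0."""
    base, _, patch = v.partition("-p")
    major, minor, micro = (int(x) for x in base.split("."))
    return major, minor, micro, (int(patch) if patch else 0)


def at_least(observed: str, required: str) -> bool:
    """True if the observed version is the fix threshold or newer."""
    return parse_version(observed) >= parse_version(required)


def assess(observed: Optional[str], required: str) -> str:
    """Classify a host from a version string.

    A version below the threshold is only 'inconclusive': on a branch that
    backports the fix without bumping the version (RELENG_4_11 still reports
    8.13.1), the banner cannot distinguish patched from unpatched hosts.
    Only the local `sendmail -d0.1` output (or a '-p' suffix, if one were
    added) gives an inventory that can be tracked.
    """
    if observed is None:
        return "concealed"
    return "fixed-or-newer" if at_least(observed, required) else "inconclusive"


if __name__ == "__main__":
    sources = [
        ("banner", version_from_banner(DEFAULT_BANNER)),
        ("concealed banner", version_from_banner(CONCEALED_BANNER)),
        ("Received:", version_from_received(RECEIVED_HEADER)),
        ("sendmail -d0.1", version_from_d01(D01_OUTPUT)),
    ]
    for label, v in sources:
        print(f"{label:16s} {str(v):10s} -> {assess(v, '8.13.6')}")
```

Run against a real host, the -d0.1 check is the one to feed an inventory; the banner and Received: parsers only show how much (or, with the define above, how little) a remote party sees.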


