[description of DoS attacks via mail.local snipped]

> Fix:
>
> It's stupid to make any part of sendmail package setuid. It's really
> possible to make sendmail work with no setuid nor setgid, by arranging
> proper communication with sendmail daemon, if running. Also, I suggest to
> be at least careful with new features of recent Sendmail version :-)

mail.local, while it is distributed with sendmail, is not part of sendmail.
From sendmail-8.9.0/README:

:mail.local The source for the local delivery agent used for 4.4BSD.
:           THIS IS NOT PART OF SENDMAIL! and may not compile
:           everywhere, since it depends on some 4.4-isms. Warning:
:           it does mailbox locking differently than other systems.

A better fix would be to use procmail, or /bin/mail, or some other program
for local mail delivery.

-JS