Re: qmail smtp-auth bug allows open relay

From: David A. Ulevitch (daviduat_private)
Date: Wed Jul 16 2003 - 15:48:03 PDT

Next message: Kevin Patz: "Re: TROJAN: Symantec: New Serious Virus found. (fwd)"

Previous message: Johnson, April: "RE: Patched IIS/frontpage host compromised 7-1-2003"
In reply to: Frank Knobbe: "Re: qmail smtp-auth bug allows open relay"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

<quote who="Frank Knobbe">
> On Tue, 2003-07-15 at 18:14, Roberto Cardona wrote:
>> Is the patch needed if the implementation of the auth module is correct?
>> I
>> checked and my conf files for qmail are setup correctly so I wonder if
>> it's worth applying the patch. Thank you.
>
> From what I understand, the patch just ensures that the system is not
> vulnerable if you accidentally do not set it up correctly. I haven't
> looked at the code, but according to the description, it checks for the
> presence of all three command line arguments, and refuses to relay if
> one is missing.
>
> In other words, it's not a patch per se (i.e. to get rid of a bug), but
> an added safety precaution. If you are confident, that you won't
> misconfigure it by mistake, you don't need to apply the patch. Your
> risk, your choice.
>

In addition to what you just said and what I posted previously, Uwe Ohse
and others have pointed out that this patch is inappropriate in that it
checks things which should NOT be checked and it acts as if there is only
one way to start qmail-smtp.

As a result I would not recommend that this patch be applied in any
situation as the system administrator should just be doing his/her job and
ensuring that it is configured correctly and securely.

-davidu


----------------------------------------------------
   David A. Ulevitch -- http://david.ulevitch.com
  http://everydns.net -+- http://communitycolo.net
Campus Box 6957 + Washington University in St. Louis
----------------------------------------------------

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Next message: Kevin Patz: "Re: TROJAN: Symantec: New Serious Virus found. (fwd)"
Previous message: Johnson, April: "RE: Patched IIS/frontpage host compromised 7-1-2003"
In reply to: Frank Knobbe: "Re: qmail smtp-auth bug allows open relay"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 16 2003 - 21:55:46 PDT