Bugtraq mailing list archives

Re: SA-03:04.sendmail Bin Update


From: "Charles M. Richmond" <cmr () iisc com>
Date: Wed, 05 Mar 2003 07:00:22 -0500


The following exchange covers a method of upgrading the sendmail
binaries while postponing redoing the CFs. If you have a bunch
of systems with varying configs then it might be a useful way
of getting the security fix in place with your old CFs. 

It will also allow you to test the install of the new binaries
without impacting current incoming email. I found some permissions
problems related to an incorrectly done smmsp group that would
have been a real problem if I had done the restart of sendmail
without doing the checks.

****************** Names removed ******************

Depends on how old. I was able to get it to work with an 8.9.0
sendmail.cf file with no problem. That let me get the binaries
in place quickly and then play with a new config with extra
features. You will get a warning:

But was it really working?
I know that on at least some of the machines I'll be upgrading, things
like DNSBLs are handled much differently than in the latest versions,
both in the .mc and in the .cf.

I am using access list for IP, domain, host, and user@, rejection.
That is working perfectly. I was not using DNSBLs because I prefer
my own tailoring and prejudices :) So I can verify that many anti
SPAM features work fine, but I can not verify DNSBL.

The 'test' that I did will work for you also. Do the make and make
install but do not kill -HUP the sendmail that is running and do
not restart the sendmail. Now your incoming mail is still being
handled by the old sendmail but you can test the features of the 
new sendmail by doing:
        $ sendmail known@dsnbled.address
        some text
        ^d
This will attempt to send mail to a blocked address and should fail.
Also run 'mailq' and 'newalias' and verify the operation. If it works
then it is safe to 'kill -HUP' or restart sendmail and work out new
mc/cf files at your leisure. At least you will have the new binaries
in place and that is critical. 

Of course you could just patch your 8.9.3 binary. The instructions
are on the sendmail server:
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.3.security.cr.patch

Charles
ZX-6R

***********************************************************************
*   Charles Richmond    Implemented Integrated Systems Corporation    *
*   cmr () iisc com   cmr () acm org   YIM:cmriisc   http://www.iisc.com    *
*   O/S I18N Systems Development Process and Integration Providers    *
*         131 Bishop's Forest Drive , Waltham , Ma. USA 02452         *
*  (781) 647 2246   FAX (781) 647 3665   Cellular (781) 389 9777      *
***********************************************************************
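
A pre-restart check for the procedure in the message above, as an added example that is not part of the original post. It compares the installed binary and queue directories against the ownership and modes that sendmail 8.12's SECURITY file lists for the set-group-ID smmsp layout, then runs the new binary's queue listing while the old daemon keeps handling mail. The paths, the function names and the assumption that the new binaries use the 8.12-style smmsp layout are assumptions, not details from the post.

```shell
#!/bin/sh
# Added example: checks to run after "make install" and before restarting.
# Assumed paths; override via the environment to match the system.
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}
CLIENTMQ=${CLIENTMQ:-/var/spool/clientmqueue}
MQUEUE=${MQUEUE:-/var/spool/mqueue}

# check_perm PATH MODE OWNER GROUP: compare against "ls -ld" output.
# "-" as OWNER or GROUP skips that field. Returns 0 on match, 1 otherwise.
check_perm() {
    path=$1 want_mode=$2 want_owner=$3 want_group=$4
    # substr() drops the ACL/SELinux marker some ls versions append.
    set -- $(ls -ld "$path" 2>/dev/null | awk '{print substr($1,1,10), $3, $4}')
    [ $# -eq 3 ] || { echo "MISSING  $path"; return 1; }
    rc=0
    [ "$1" = "$want_mode" ] || rc=1
    [ "$want_owner" = "-" ] || [ "$2" = "$want_owner" ] || rc=1
    [ "$want_group" = "-" ] || [ "$3" = "$want_group" ] || rc=1
    if [ "$rc" -eq 0 ]; then
        echo "OK       $path ($1 $2 $3)"
    else
        echo "MISMATCH $path: have $1 $2 $3, want $want_mode $want_owner $want_group"
    fi
    return "$rc"
}

# preflight: returns 0 only if every check passes.
preflight() {
    fail=0
    # Expected values follow the smmsp layout in sendmail 8.12's SECURITY file.
    check_perm "$SENDMAIL" "-r-xr-sr-x" root  smmsp || fail=1
    check_perm "$CLIENTMQ" "drwxrwx---" smmsp smmsp || fail=1
    check_perm "$MQUEUE"   "drwx------" root  -     || fail=1
    # -bp is the mailq mode; it exercises the new binary, not the old daemon.
    "$SENDMAIL" -bp >/dev/null 2>&1 || { echo "FAIL     $SENDMAIL -bp"; fail=1; }
    if [ "$fail" -eq 0 ]; then echo "checks passed"; else echo "fix before restart"; fi
    return "$fail"
}

if [ "${1:-}" = "run" ]; then preflight; exit $?; fi
```

Run it as root with the argument `run` (for example `sh preflight.sh run`, a hypothetical file name) before sending the test message the post describes.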





