Bugtraq mailing list archives

TcpWrappers and Sendmail
From: nharkins () WELL COM (Neil Harkins)
Date: Tue, 15 Apr 1997 11:42:45 -0700


On Tue, 15 Apr 1997, Alan Brown wrote:
> Sendmail does not do a forward DNS crosscheck on the PTR record
> associated with incoming IPs.
> I've switched sendmail to being called out of inetd.conf with a PARANOID
> hosts.deny entry.
> Currently I have some 135 hosts.deny lines against sendmail to lockout
> problem netblocks and domains. IMO if they're prevented from accessing the
> sendmail process it's a good thing, particularly as when calling it with
> -bs from inetd.conf, many of the load reducing checks are bypassed. :-(

I don't know how busy your mailserver is, but the additional overhead
of inetd exec-ing into a sendmail can bog a moderately busy mailserver
to death. Hence Eric added -DTCPWRAPPERS to sendmail 8.8.x. It works
nicely, BUT it allows EXPNs, VRFYs, etc. from the "bad" sites, and only
disallows MAIL FROMs. Thus, I hacked 8.8.5 to have a two-tier wrapper that
can disallow a connection, and/or disallow MAIL FROMs, and obviously,
since it uses libwrap you can designate them as PARANOID in
/etc/hosts.allow to solve your problem/concerns. With the following patch,
you can have fields for "sendmail-connect" (what you are looking for), and
"sendmail-mailfrom" (the default 8.8.x wrapper functionality) in
/etc/hosts.allow:

diff -c sendmail-8.8.5/src//conf.c sendmail-8.8.5-neilhacks/src/conf.c
*** sendmail-8.8.5/src//conf.c  Tue Jan 21 07:47:33 1997
--- sendmail-8.8.5-neilhacks/src/conf.c Tue Apr  1 17:51:40 1997
***************
*** 4017,4032 ****

  #if DAEMON
  bool
! validate_connection(sap, hostname, e)
        SOCKADDR *sap;
        char *hostname;
        ENVELOPE *e;
  {
        if (rscheck("check_relay", hostname, anynet_ntoa(sap), e) != EX_OK)
                return FALSE;

  #if TCPWRAPPERS
!       if (!hosts_ctl("sendmail", hostname, anynet_ntoa(sap), STRING_UNKNOWN))
        {
  # ifdef LOG
                if (LogLevel >= 4)
--- 4018,4035 ----

  #if DAEMON
  bool
! validate_connection(sap, hostname, e, tcpdstring)
        SOCKADDR *sap;
        char *hostname;
        ENVELOPE *e;
+       char *tcpdstring;
  {
        if (rscheck("check_relay", hostname, anynet_ntoa(sap), e) != EX_OK)
                return FALSE;

  #if TCPWRAPPERS
! /*    if (!hosts_ctl("sendmail", hostname, anynet_ntoa(sap),STRING_UNKNOWN))*/
!       if (!hosts_ctl(tcpdstring, hostname, anynet_ntoa(sap),STRING_UNKNOWN))
        {
  # ifdef LOG
                if (LogLevel >= 4)
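Review bot: the superseded `hosts_ctl("sendmail", ...)` call is left in place as a commented-out line directly above its replacement; delete it rather than keeping dead code, since the diff itself records the old form. Two smaller points on the same lines: `tcpdstring` is referenced only inside `#if TCPWRAPPERS`, so a build without TCPWRAPPERS carries an unused parameter through every call, and the logging branch that follows (`if (LogLevel >= 4)`, not shown in full here) should include the daemon name that refused the client, otherwise a `sendmail-connect` refusal and a `sendmail-mailfrom` refusal look identical in the syslog.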


diff -c sendmail-8.8.5/src//daemon.c sendmail-8.8.5-neilhacks/src/daemon.c
*** sendmail-8.8.5/src//daemon.c        Tue Jan 14 18:01:05 1997
--- sendmail-8.8.5-neilhacks/src/daemon.c       Sun Mar  9 11:42:40 1997
***************
*** 383,391 ****

                        /* validate the connection */
                        HoldErrs = TRUE;
!                       nullconn = !validate_connection(&RealHostAddr,RealHostName, e);
                        HoldErrs = FALSE;
!                       if (nullconn)
                                break;

  #ifdef XLA
--- 384,396 ----

                        /* validate the connection */
                        HoldErrs = TRUE;
!                       if(!validate_connection(&RealHostAddr,RealHostName, e,"sendmail-connect")){
!                             /*fprintf(OutChannel,"\nAccess Denied.\n\n"); */
!                             exit(0);
!                         }
!                       nullconn = !validate_connection(&RealHostAddr,RealHostName, e,"sendmail-mailfrom");
                        HoldErrs = FALSE;
!                       if (nullconn)
                                break;

  #ifdef XLA
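Review bot: `exit(0)` after a failed `sendmail-connect` check drops the client without any SMTP reply (the `fprintf(OutChannel,"\nAccess Denied.\n\n")` that would have said something is commented out) and reports a success status; prefer writing a 5xx greeting such as `554 Access denied` before leaving, which also addresses the POP-client hang described later in the post, and exit non-zero. `validate_connection()` is now called twice per connection, so the `rscheck("check_relay", ...)` ruleset and `anynet_ntoa()` conversion inside it (see the conf.c hunk) run twice; consider separating the libwrap lookup from the ruleset check so the ruleset runs once. Minor: `HoldErrs` is still TRUE on the exit path, and the `if(...){` layout differs from the brace-on-its-own-line style of the surrounding code.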
diff -c sendmail-8.8.5/src//sendmail.h
sendmail-8.8.5-neilhacks/src/sendmail.h
*** sendmail-8.8.5/src//sendmail.h      Tue Jan 14 17:51:49 1997
--- sendmail-8.8.5-neilhacks/src/sendmail.h     Tue Apr  1 15:36:38 1997
***************
*** 1014,1020 ****
  extern char   *hostnamebyanyaddr __P((SOCKADDR *));
  extern char   *anynet_ntoa __P((SOCKADDR *));
  # if DAEMON
! extern bool   validate_connection __P((SOCKADDR *, char *, ENVELOPE *));
  # endif

  #endif
--- 1014,1020 ----
  extern char   *hostnamebyanyaddr __P((SOCKADDR *));
  extern char   *anynet_ntoa __P((SOCKADDR *));
  # if DAEMON
! extern bool   validate_connection __P((SOCKADDR *, char *, ENVELOPE *, char *));
  # endif

  #endif
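Review bot: the prototype now matches the definition in conf.c, but the only valid values of the new `char *` argument ("sendmail-connect" and "sendmail-mailfrom") exist as bare literals in daemon.c; add a comment here, or `#define` the two names beside this declaration, so the caller and whoever edits hosts.allow have one place to look. If the build's compilers tolerate it, `const char *` would also document that the string is read only.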
[END]

Enjoy, although be careful what you wrap out. Most POP Mail clients
that send using SMTP will hang indefinitely if that connection closes
immediately after opening. Also, other mailservers sending to you will
simply queue the message and retry it, until it is time to give up.
(Actually, Sendmail will try your second MX host, if it exists, but qmail
(yuk) will queue it, and keep trying that first host, because it thinks
it screwed up on the HELO (Qmail author, please fix!)). Anyway, these are
probably the reasons why Eric wrapped only MAIL FROMs, to be considerate
of the other postmaster, and give them a message rather than fill up
their queue. But, this is a "bad" site, right? IMO, this is much better
than black-holing all net traffic from them, just what they abuse.

-Neil
_________________________________________________________________________
Neil Harkins                                            nharkins () well com
Network/System Administrator, The WELL                  415-281-6500-x204
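An added illustration of the two-tier hosts_access configuration the patch makes possible; this is not part of Neil's post and not from the sendmail or tcp_wrappers sources. It uses only the daemon names the patch introduces ("sendmail-connect", consulted when the connection is accepted, and "sendmail-mailfrom", the stock 8.8.x check that only refuses MAIL FROM) and the standard hosts.allow/hosts.deny evaluation order (first match in hosts.allow permits, then first match in hosts.deny refuses, otherwise permit). The domains and netblocks are constructed placeholders.

```text
# ---- /etc/hosts.allow ----  (constructed example)
# Tier 1: anyone not listed after EXCEPT may open an SMTP session at all.
# A client matching the EXCEPT list falls through to hosts.deny and the
# patched daemon.c closes the connection before the 220 banner.
sendmail-connect  : ALL EXCEPT .relay-abuser.example 192.0.2.

# Tier 2: clients that may connect (and so get a banner, HELO, EXPN, VRFY)
# but whose MAIL FROM is refused; the remote MTA receives sendmail's own
# reply instead of a dropped socket, so it does not retry endlessly.
sendmail-mailfrom : ALL EXCEPT .bulk-sender.example 198.51.100.

# ---- /etc/hosts.deny ----  (constructed example)
# Catch-all refusals for both tiers; a client reaches these lines only if
# it was excluded from the matching hosts.allow entry above.
sendmail-connect  : ALL
sendmail-mailfrom : ALL
```

With this layout a client in 192.0.2.0/24 never sees a banner, a client in 198.51.100.0/24 gets a session but is refused at MAIL FROM, and everyone else is unaffected. Because the patched `validate_connection()` passes `tcpdstring` to `hosts_ctl()` in place of the literal "sendmail", any existing `sendmail : ...` lines in these files stop being consulted and must be moved under one of the two new daemon names.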


