Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!spool.mu.edu!uwm.edu!linac!mp.cs.niu.edu!rickert From: rickert@mp.cs.niu.edu (Neil Rickert) Newsgroups: comp.mail.sendmail Subject: Re: Security in sendmail and SMTP? Keywords: sendmail security SMTP From authentication Message-ID: <1991Jun3.142858.12756@mp.cs.niu.edu> Date: 3 Jun 91 14:28:58 GMT References: <1443@idcapd.idca.tds.philips.nl> Organization: Northern Illinois University Lines: 95 In article <1443@idcapd.idca.tds.philips.nl> dejong@idca.tds.PHILIPS.nl (Hans de Jong) writes: >I am trying to find out about security in sendmail and SMTP. What I see is: > >1) Sendmail has no possibility to change headers in a mail item. It can add > header lines, but will not affect them when they are present. If you use a vanilla sendmail compiled from Berkeley sources, the following headers will be rewritten: To: Cc: Apparently-To: From: Reply-To: Return-Receipt-To: Errors-To: Sender: Bcc: Resent-To: Resent-Cc: Resent-From: Resent-Reply-To: Resent-Sender: Resent-Bcc: With a standard configuration file, if the addresses are all standard Internet addresses, and the destination is an Internet destination, these addresses should all be rewritten to the same value as they originally had, except the Bcc: and Resent-Bcc: headers will be deleted. But it is possible for almost any transformation, reasonable or not, to be programmed into 'sendmail.cf'. Not merely the machine address, but anything can be changed. >2) The only exception seems to be the From: line, but only the machine name > part of the address. Changing that requires root permission. > But the user can directly set the username as well as the full name. I am not sure what you mean by this. Root, or some similar permission is "required" to specify the '-f' option on the command line. But this has nothing whatsoever to do with changing the headers. If the message entering sendmail already has a 'From:' header, the '-f' option is unlikey to change that. Anybody can construct a message with whatever headers they wish and pipe it into sendmail. There is no restriction on that. The '-f' option has to do with the SMTP envelope sender address, not with the 'From:' header. Of course, if there is no 'From:' header in the entering mail, and if the 'sendmail.cf' specifications define one, they will usually define it in terms of the envelope sender. Note my quoting of "required" in the preceding paragraph. There are definitely ways around this restriction. >3) SMTP uses no passwords. So any machine that can connect to another machine > will be accepted as the machine it pretends to be (i.e., whatever is in > the HELO command or MAIL FROM: command is accepted. Correct. And I believe this is the proper behavior. A properly configured sendmail adds a 'Received:' header identifying the machine from which it received the message. It is reasonably for 'sendmail' to in effect say that sender authentication is the province of the sending machine, so the address should be accepted with a 'Received:' header added to identify the originating host. >My questions are: > >1) Are my observations correct? >2) Are there options in sendmail to avoid that the user can pretend to send > mail as someone else? There are options which allow you to invoke sendmail with your own 'sendmail.cf' configuration. I don't recommend trying them because it is quite easy to screw up. But if you are willing to deal with the fact that sendmail will then run without its usual root privileges, you more or less have carte blanche. >3) Reading RFC821, the From: line may be set to indicate another user than the > one actually sending. In that case there should be a Sender: line present > to indicate who the actual sender is. But sendmail doesn't seem to enforce > this. At the same time, it doesn't allow for a different machine name in > From: than the own machine (unless I am superuser). As I indicated above, 'sendmail' will accept at face value whatever is on the 'From:' line of incoming mail, regardless of whether you are root. It is only the SMTP envelope address it is fussy about. > Is there literature outside RFC821 that describes how the From:, Sender:, > Resent-From: and Resent-Sender: lines have to be treated. Try RFC822. -- =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= Neil W. Rickert, Computer Science Northern Illinois Univ. DeKalb, IL 60115 +1-815-753-6940