Package: sendmail
Version: 8.15.2-6
Severity: normal

Dear Maintainer,

If you put lines like this in the access file:

  GreetPause:localhost 0

this allows spammers to bypass the greet pause by simply setting their reverse DNS (PTR record) to 'localhost'. When this happens, I see lines like this in the log file:

  Oct 7 03:53:18 example sm-mta[9080]: NOQUEUE: connect from localhost [1.2.3.4] (may be forged)

and greetpause gets bypassed.

Simply changing the line to use an IP address:

  GreetPause:127.0.0.1 0

causes sendmail to properly allow only localhost (127.0.0.1) to bypass the greetpause.

In other words, the access file did not do a DNS lookup on 'localhost' in the access file before checking for a match. Secondly, I think greetpause matched on the forged name rather than the real IP address from the network connection.

-- Package-specific info:
Output of /usr/share/bug/sendmail/script:

sendmail.conf:
DAEMON_NETMODE="Static";
DAEMON_NETIF="eth0";
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="No";
DAEMON_MAILSTATS="No";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="10m";
QUEUE_PARMS="";
MSP_MODE="Cron";
MSP_INTERVAL="20m";
MSP_PARMS="";
MSP_MAILSTATS="${DAEMON_MAILSTATS}";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
LOG_CMDS="No";
HANDS_OFF="No";
AGE_DATA="";
DAEMON_RUNASUSER="No";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";

sendmail.mc:
divert(-1)dnl
divert(0)dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.14.4-4 2013-02-11 11:12:33 cowboy Exp $')
OSTYPE(`debian')
define(`_USE_ETC_MAIL_')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS=
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Name=MTA, Port=smtp')dnl
DAEMON_OPTIONS(`Name=MSP, Port=submission, M=Ea')dnl
define(`confLOG_LEVEL', `12')dnl
include(`/etc/mail/tls/starttls.m4')dnl
include(`/etc/mail/sasl/sasl.m4')dnl
define(`confAUTH_OPTIONS', `A,p,y')dnl
define(`confDH_PARAMETERS',`/etc/mail/certs/dh_2048.pem')
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
define(`confCONNECTION_RATE_THROTTLE', `3')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`60s')dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
define(`confMAX_DAEMON_CHILDREN', `100')dnl
define(`confTO_IDENT', `0')dnl
define(`confTO_COMMAND', `2m')dnl
define(`confTO_ICONNECT', `15s')dnl
define(`confTO_CONNECT', `3m')dnl
define(`confTO_HELO', `2m')dnl
define(`confTO_MAIL', `1m')dnl
define(`confTO_RCPT', `1m')dnl
define(`confTO_DATAINIT', `1m')dnl
define(`confTO_DATABLOCK', `10m')dnl
define(`confTO_DATAFINAL', `10m')dnl
define(`confTO_RSET', `1m')dnl
define(`confTO_QUIT', `1m')dnl
define(`confTO_MISC', `1m')dnl
define(`confTO_COMMAND', `1m')dnl
define(`confTO_STARTTLS', `2m')dnl
FEATURE(`delay_checks', `friend', `n')dnl
FEATURE(`block_bad_helo')
FEATURE(`badmx')
FEATURE(`use_cw_file')dnl
define(`confCW_FILE', `-o /etc/mail/local-host-names')
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access', `relaytofulladdress')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
FEATURE(blacklist_recipients)
FEATURE(`greet_pause', `12000')dnl used to be 5 seconds, upped to 12 seconds in June 2015 per
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
FEATURE(local_lmtp)
FEATURE(local_procmail)
FEATURE(`genericstable')dnl
GENERICS_DOMAIN(`example.com')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`nocanonify', `canonify_hosts')
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}, {auth_type}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}, {auth_type}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, {auth_type}, {greylist}')dnl
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass/spamass.sock, F=, T=S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`greylist',`S=local:/var/run/milter-greylist/milter-greylist.sock, F=, T=S:1m;R:1m')dnl
FEATURE(dnswl, `list.dnswl.org')
FEATURE(dnswl, `accredit.habeas.com')
FEATURE(dnswl, `query.bondedsender.org')
FEATURE(dnswl, `whitelist.surriel.com')
FEATURE(dnswl, `dnswl.inps.de')
FEATURE(dnsbl, `b.barracudacentral.org', `"550 Mail from " $&{client_addr} " BLOCKED/BRBL -- see http://www.barracudacentral.org/lookups/ip-reputation?ip=" $&{client_addr}')
FEATURE(dnsbl, `zen.spamhaus.org', `"550 Mail from " $&{client_addr} " BLOCKED/ZEN -- see http://www.spamhaus.org/query/ip/" $&{client_addr}')
FEATURE(rhsbl, `dbl.spamhaus.org',`"550 Mail from domain " $`'&{RHS} " BLOCKED/DBL -- see http://www.spamhaus.org/query/domain/" $`'&{RHS}')
FEATURE(dnsbl, `inv-sip.localhost', `"550 Mail from " $&{client_addr} " BLOCKED/INVSIP -- see http://dnsbl.invaluement.com/lookup/?item=" $&{client_addr}')
FEATURE(dnsbl, `inv-sip24.localhost', `"550 Mail from " $&{client_addr} " BLOCKED/INVSIP24 -- see http://dnsbl.invaluement.com/lookup/?item=" $&{client_addr}')
FEATURE(rhsbl, `inv-uri.localhost',`"550 Mail from domain " $`'&{RHS} " BLOCKED/INVURI -- see http://dnsbl.invaluement.com/lookup/?item=" $`'&{RHS}')
FEATURE(dnsbl, `rbl-r.localhost', `"550 Mail from " $&{client_addr} " BLOCKED/RBL+ -- see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr}')
FEATURE(dnsbl, `spam.dnsbl.anonmails.de', `"550 Mail from " $&{client_addr} " BLOCKED/ANDE -- see http://anonmails.de/dnsbl.php?ip=" $&{client_addr}')
FEATURE(dnsbl, `rbl-q.localhost', `"450 Mail from " $&{client_addr} " BLOCKED/QIL -- see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr}')
MAILER_DEFINITIONS
MAILER(procmail)
MAILER(`smtp')dnl

submit.mc...
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: submit.mc, v 8.14.8-1 2014-10-03 13:06:30 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-msp')dnl
define(`confDIRECT_SUBMISSION_MODIFIERS', `C')dnl
FEATURE(`msp', `[127.0.0.1]', `25')dnl

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (750, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.5.5-x86_64-linode69 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sendmail depends on:
ii  sendmail-base  8.15.2-6
ii  sendmail-bin   8.15.2-6
ii  sendmail-cf    8.15.2-6
ii  sensible-mda   8.15.2-6

sendmail recommends no packages.

Versions of packages sendmail suggests:
pn  rmail         <none>
pn  sendmail-doc  <none>

Versions of packages sensible-mda depends on:
ii  libc6                                2.24-3
ii  procmail                             3.22-25
ii  sendmail-bin [mail-transport-agent]  8.15.2-6

Versions of packages libmilter1.0.1 depends on:
ii  libc6  2.24-3

Versions of packages sendmail-bin depends on:
ii  debconf        1.5.59
ii  libc6          2.24-3
ii  libdb5.3       5.3.28-12
ii  libldap-2.4-2  2.4.42+dfsg-2+b3
ii  liblockfile1   1.09-6
ii  libsasl2-2     2.1.26.dfsg1-15
ii  libssl1.0.2    1.0.2j-1
ii  libwrap0       7.6.q-25
ii  procps         2:3.3.12-2
ii  sendmail-base  8.15.2-6
ii  sendmail-cf    8.15.2-6

Versions of packages sendmail-bin suggests:
ii  libsasl2-modules  2.1.26.dfsg1-15
ii  openssl           1.0.2j-1
ii  sasl2-bin         2.1.26.dfsg1-15
pn  sendmail-doc      <none>

-- no debconf information
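
An added example, not part of the original report or of the sendmail package: a small audit that flags GreetPause access-file keys that are host names rather than addresses, then scans sm-mta log lines in the format quoted in the report for connections that claimed such a name from a non-loopback address. The function names, the sample data and the rule for recognising address keys are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed samples: access-file entries and sm-mta lines in the report's format.
ACCESS_SAMPLE = """\
GreetPause:localhost\t0
GreetPause:127.0.0.1\t0
GreetPause:192.168\t0
"""
LOG_SAMPLE = """\
Oct  7 03:53:18 example sm-mta[9080]: NOQUEUE: connect from localhost [1.2.3.4] (may be forged)
Oct  7 03:54:02 example sm-mta[9101]: NOQUEUE: connect from localhost [127.0.0.1]
Oct  7 03:55:40 example sm-mta[9133]: NOQUEUE: connect from mail.example.net [192.0.2.10]
"""

CONNECT_RE = re.compile(r"connect from (?P<name>\S+) \[(?P<addr>[^\]]+)\]")
# Assumption: a key is address-based if it is a dotted IPv4 address or
# prefix ("192.168") or carries the "IPv6:" tag; anything else is a name.
ADDR_KEY_RE = re.compile(r"^(\d{1,3}(\.\d{1,3}){0,3}|IPv6:[0-9A-Fa-f:.]+)$")


def hostname_greetpause_keys(access_text):
    """GreetPause keys that are host names, so a client's PTR record can match them."""
    risky = []
    for line in access_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0].startswith("GreetPause:"):
            key = fields[0][len("GreetPause:"):]
            if not ADDR_KEY_RE.match(key):
                risky.append(key)
    return risky


def spoofed_name_connects(log_text, names):
    """(name, addr) pairs where a listed name was claimed from a non-loopback address."""
    wanted = {n.lower() for n in names}
    hits = []
    for m in CONNECT_RE.finditer(log_text):
        try:
            # Assumption: IPv6 peers are logged with an "IPv6:" tag inside the brackets.
            ip = ipaddress.ip_address(m["addr"].removeprefix("IPv6:"))
        except ValueError:
            continue  # unparseable address field: skip rather than guess
        if m["name"].lower() in wanted and not ip.is_loopback:
            hits.append((m["name"], m["addr"]))
    return hits


if __name__ == "__main__":
    keys = hostname_greetpause_keys(ACCESS_SAMPLE)
    print("host-name GreetPause keys:", keys)
    print("suspect connects:", spoofed_name_connects(LOG_SAMPLE, keys))
```
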