Re: about sendmail security update

2006-04-08 Thread Matthew Seaman
Gonzalo Suarez wrote:
 
 I'm a very new FreeBSD user/admin. I've been running my own server for 1 month, and
 I've been told about a security issue with sendmail. I read about it in the
 security advisory
 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:13.sendmail.asc
 and I don't know how I could get my system patched or upgraded. Some people
 tell me to quit using sendmail and try postfix, but I would like to fix
 sendmail and try to configure it...

In my humble opinion, sendmail is fine on almost any server not intended
to be primarily a mail server.  Indeed on a machine where you trust
everyone who has access and where you only need to send e-mail from, not
receive it, then sendmail in the default configuration where it binds
solely to the loopback interface is perfectly fine.

However I'd think carefully about exposing sendmail listening on port
25 on an internet accessible interface.   Don't do that unless you are
confident of being able to apply upgrades in a timely fashion.  Otherwise,
one of the other big 4 MTAs (sendmail, exim, postfix, qmail) may be more
suitable for you.

In answer to your question: you've got two options.  Option 1 is to use
FreeBSD Update:

http://www.daemonology.net/freebsd-update/

which will let you apply binary updates to your system, incorporating all
of the various security advisories as they are produced.  Note that this
does not mix well with recompiling bits of the system locally -- read that
web page carefully.  Note that this site is run by the current FreeBSD
security officer.  I believe that the intention is to make it into an
official FreeBSD supported service eventually, but that the code that runs
the site is not in good enough shape to do that yet.

Option 2 is to get hold of the system sources and recompile your world from
them.  Which sounds like a terrible ordeal to the uninitiated, but is
actually fairly plain sailing -- all it takes is the time and the disk space
to do the compilations.  The procedure is documented in the Handbook.

First you will need to download the sources -- cvsup is the recommended
way to do that:

   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html

You will need to specify the appropriate CVS tag for the system version
you want.  In your case, I'd recommend RELENG_5_4 to pull down the latest
5.4-RELEASE-pN code.  But again, the Handbook explains how the different
CVS tags and branches work:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html

Then you will want to compile all this code and install the results:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

See also /usr/src/UPDATING (after you've downloaded the sources with cvsup,
clearly) for any special instructions etc. required by the latest code.

And with that, you're done.  All of the security fixes get committed to the
supported RELEASE code branches, so doing a cvsup and {build,install}world
procedure after the specified date will always get you the required fixes.
Or else you can follow the instructions in the advisory which will generally
get you to pretty much the same place by a different route; often without
necessarily having to interrupt service for as long.

 I installed the system with a FreeBSD 5.4 release CD. I downloaded the patch
 and when I executed it I realized that I don't have the source code of
 sendmail since I started the installation with the CD-ROM standard
 installation. What am I supposed to do now? Patch or upgrade? What is the
 easy way? I have compiled some little C code for college practices and
 installed some BSD ports with make install, but now I'm a little bit lost
 here...

System sources are available on the standard CDs -- obviously, you get the
sources the release was created from -- and there is an option in sysinstall
to install them.  However, if you've got cvsup sorted you might as well use
that from scratch to populate an empty /usr/src directory.  There are possible
pitfalls if you don't 'adopt' the sources from the release CD correctly
before updating them with cvsup, although those only happen in certain
thankfully quite rare circumstances:

http://www.cvsup.org/faq.html#adoptupgrade

You'll need about 350--400MB available for the system sources, plus
approximately another 500MB to hold the results of compiling all that.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW





Re: about sendmail security update

2006-04-08 Thread Jonathan Horne
On Saturday 08 April 2006 10:25, Gonzalo Suarez wrote:
 hello!

 I'm a very new FreeBSD user/admin. I've been running my own server for 1 month, and
 I've been told about a security issue with sendmail. I read about it in the
 security advisory
 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:13.sendmail.asc
 and I don't know how I could get my system patched or upgraded. Some
 people tell me to quit using sendmail and try postfix, but I would like to
 fix sendmail and try to configure it...

 I installed the system with a FreeBSD 5.4 release CD. I downloaded the patch
 and when I executed it I realized that I don't have the source code of
 sendmail since I started the installation with the CD-ROM standard
 installation. What am I supposed to do now? Patch or upgrade? What is the
 easy way? I have compiled some little C code for college practices and
 installed some BSD ports with make install, but now I'm a little bit lost
 here...

 thanks for your help.

 Gonzalo.

Here is how I updated my system, just yesterday.  Mine is 6.0, but I'm pretty
sure it's pretty close to the same (actually, before I clicked send here, I did
this same thing on an unused 5.4 dev box I had, and I've determined that these
instructions worked on 5.4 as well).

1) cvsup your /usr/src directories.  If they are empty, this will cause them
to populate.  If there is anything already there, this will update your
sources to the latest.

# pkg_add -r cvsup-without-gui
# pkg_add -r fastest_cvsup
# cp /usr/share/examples/cvsup/stable-supfile /root
# cvsup -L 2 -h $(fastest_cvsup -q -c us) /root/stable-supfile

That should update your entire source tree.  Take a look at the
stable-supfile; it can be edited to be more brief about which portions of the
src tree it's going to pull down.  No edits = the whole thing.

2) Recompile sendmail (the && between the make invocations were lost in
transit; each step should only run if the previous one succeeded):

# cd /usr/src/lib/libsm
# make obj && make depend && make
# cd /usr/src/lib/libsmutil
# make obj && make depend && make
# cd /usr/src/usr.sbin/sendmail/
# make obj && make depend && make && make install
# cd /etc/mail
# make all install restart

I generally also restart sendmail from the rc.d script as well, just to be
sure.

# /etc/rc.d/sendmail restart

Now, when you telnet to hostname.domain 25, you will see:

220 locahost.domain ESMTP Sendmail 8.13.6/8.13.3; Sat, 8 Apr 2006 13:18:24 -0500 (CDT)

good luck!
jonathan
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
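As an added example (not from the thread), the following POSIX sh script takes an SMTP greeting like the one Jonathan shows above, or one captured the same way with telnet, and reports whether the Sendmail version it announces is at or above the rebuilt 8.13.6, which is the check you would want after either Jonathan's rebuild or Matthew's buildworld route. The sample banners, hostnames and dates are constructed; the greeting text is configurable, so treat a match as a hint rather than proof.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies an SMTP greeting by the
# Sendmail version it reports, against the rebuilt version (8.13.6 in
# Jonathan's banner). Greetings can be customised, so this is a hint; on
# the host itself `sendmail -d0.1 -bv root` prints the compiled-in version.

MIN_VERSION=8.13.6

# Constructed sample banners (hostnames and dates are made up).
FIXED_BANNER='220 mail.example.net ESMTP Sendmail 8.13.6/8.13.3; Sat, 8 Apr 2006 13:18:24 -0500 (CDT)'
OLD_BANNER='220 mail.example.net ESMTP Sendmail 8.13.3/8.13.3; Fri, 7 Apr 2006 09:00:00 -0500 (CDT)'
OTHER_BANNER='220 mail.example.net ESMTP Postfix'

# Print the binary version (the part before the slash) from a Sendmail
# greeting; print nothing if the greeting is not a Sendmail one.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*ESMTP Sendmail \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 >= $2, comparing numeric fields left to
# right; a missing field counts as 0 (so 8.14 is newer than 8.13.6).
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        f1=${v1%%.*}; f2=${v2%%.*}
        [ "${f1:-0}" -gt "${f2:-0}" ] && return 0
        [ "${f1:-0}" -lt "${f2:-0}" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# Classify one banner against a minimum version: prints patched,
# vulnerable or unknown and returns 0, 1 or 2 respectively.
check_banner() {
    v=$(banner_version "$1")
    if [ -z "$v" ]; then echo unknown; return 2; fi
    if version_ge "$v" "$2"; then echo patched; return 0; fi
    echo vulnerable; return 1
}

# Report on the constructed samples; a real greeting captured with
# "telnet hostname.domain 25" can be fed to check_banner the same way.
for b in "$FIXED_BANNER" "$OLD_BANNER" "$OTHER_BANNER"; do
    printf '%-10s %s\n' "$(check_banner "$b" "$MIN_VERSION")" "$b"
done
```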


Re: about sendmail security update

2006-04-08 Thread Bill Moran
Matthew Seaman [EMAIL PROTECTED] wrote:

 In my humble opinion, sendmail is fine on almost any server not intended
 to be primarily a mail server.

Now, I don't want to start a pro/anti sendmail flame war, but when I read
that sentence, I laughed so hard I almost choked.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com