On Mon, Jul 16, 2001 at 02:55:15PM -0500, [EMAIL PROTECTED] wrote:
> On 16 Jul 2001, Trond Eivind Glomsrød wrote:
>
> > [EMAIL PROTECTED] writes:
> >
> > > On 16 Jul 2001, Trond Eivind Glomsrød wrote:
> > >
> > > > Psst... it hasn't been allowing relays for a loong time (RHL 5.0?
> > > > Perhaps even earlier).
> > >
> > > WHOA! Whoa, whoa, whoa!
> > > I've been getting flamed for 2 days over wanting RedHat to install an
> > > open-relay mailserver.
> >
> > I think most people thought you meant the "don't accept connections
> > from outside your computer" security change.
> >
> > Installing with open relay is utterly and completely unacceptable, if
> > not restricted via firewalls or other measures.
>
> Sorry, I wasn't very clear. I do NOT want an open relay MTA. I meant
> that a lot of folks (OK, a couple of folks) on this list have flamed me
> for advocating a setup that allows relays. In fact, as you pointed out,
> accepting outside connections in no way forces an open relay.
>
> > > Now you're saying that mail relays aren't and weren't a problem. Back
> > > to my original question. what reasonable justification is there for not
> > > allowing the Mail Transport Agent to receive mail?
> >
> > Improve security - if a remote exploit is found, this configuration is
> > not vulnerable. At the same time, local users can still send mail.
>
> Yeah, they just can't get any. And it sounds like you're fixing a
> non-existent problem. I follow CERT pretty closely, and I'm unaware of
> any recent exploits against sendmail.
Just because the problem isn't documented today doesn't mean there won't be
a remote root exploit in 3 months. It is much better to install a secure
system by default rather than rely on everyone to keep on top of the
patches available for years. The remote bind exploit was very well
publicised for months before the worm came out to exploit it.
When I install a system the first thing I do is run
netstat -an | grep LISTEN
and shut down anything listening on ports that aren't needed.
(before actually connecting to the network)
I think there is very little chance of a remote compromise if there are no
apps listening on external IPs.
I applaud RH for allowing you to install packages without exposing yourself
before they are configured.
Not too long ago I came across an appliance used for caching stock quotes
from the stock markets.
They were Intel based. They converted from an RTOS to RH Linux. I was happy
with this decision until I realized they used a stock server install with
samba, apache, bind, telnet, rpcs etc. all running and ready for exploit.
Of course they compounded the problem by using the same root passwords on
each box and setting up many customers on a VPN that allowed each box to
communicate with every other box. These machines tended to be installed
behind a production firewall. All other customers with the password could
telnet into our box and have full access to our network behind the
firewall. (actually we had a satellite link so we were not exposed, but
many customers were)
For security's sake on production boxes I recommend the following policies:
1. don't install anything you don't need
2. don't run anything you don't need
3. don't listen on any ports you don't need.
If you follow this you will probably be safe from today's known exploits and
tomorrow's.
Most people that want to receive mail need to tweak the configs anyway.
I would have suggested not even running sendmail but the solution RH came
up with of allowing connections from localhost is much better. You can
still use the local system to relay from netscape mail and receive mail
from fetchmail etc.
Redhat, keep up the good work!
Chuck Moss
p.s. sendmail has an unfounded reputation for having remote root exploits.
As far as I know there have not been any for years.
p.p.s. Doc, I understand your frustration with the docs. Hard to figure out
where to look for that type of detail. Thank god for this mailing list
;-)
>
> See ya later,
> Doc
_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
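The "netstat -an | grep LISTEN, then shut down anything on external IPs" check from the message above, written out as an added example that is not part of the original thread: a small sh/awk script that reads netstat-style output (a constructed sample is embedded so it runs offline), reports every listener not bound to loopback, and answers the specific question of whether a given port, e.g. sendmail's 25, is reachable only from localhost. The sample addresses and ports are made up for illustration.

```shell
# Added example, not from the original thread. Classifies LISTEN sockets in
# "netstat -an" style output as loopback-only or reachable from the network.

# Constructed sample standing in for real "netstat -an | grep LISTEN" output.
# Port 25 is bound to 127.0.0.1 (the RH default discussed above); 22, 139, 80
# and 53 are bound to a wildcard or a real interface address.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN
tcp        0      0 :::53                   :::*                    LISTEN
tcp        0      0 ::1:6010                :::*                    LISTEN'

# exposed_listeners NETSTAT_TEXT: print "addr port" for each LISTEN line whose
# local address is not loopback (127.x or ::1). Wildcard binds (0.0.0.0, ::)
# count as exposed because they answer on every interface.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $NF == "LISTEN" {
            n = split($4, parts, ":")               # last field is the port
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next
            print addr, port
        }'
}

# count_exposed NETSTAT_TEXT: number of non-loopback listeners; "0" is the
# state the message recommends before plugging a fresh install into the net.
count_exposed() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

# port_scope NETSTAT_TEXT PORT: prints "closed", "loopback" or "exposed" for
# one port, i.e. the check behind "sendmail accepts localhost connections only".
port_scope() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $NF == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != want) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "::1") seen_lo = 1; else seen_ext = 1
        }
        END { print (seen_ext ? "exposed" : (seen_lo ? "loopback" : "closed")) }'
}

echo "exposed listeners: $(count_exposed "$SAMPLE_NETSTAT")"
exposed_listeners "$SAMPLE_NETSTAT"
echo "port 25 is $(port_scope "$SAMPLE_NETSTAT" 25)"
```

On a live box replace the sample with `$(netstat -an)` (or `ss -ltn` output with the same column layout) and treat a non-zero count as the list of services to stop or firewall.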