
AIX sendmail open relay



----- Original Message ----- 
From: "Tom Perrine" <tep@sdsc.edu>
To: <BUGTRAQ@securityfocus.com>
Sent: Tuesday, May 13, 2003 8:53 AM
Subject: AIX sendmail open relay


> This is a relatively minor problem as things go, but after almost 4
> years and at IBM's unofficial request (see the last para.)...
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> SDSC Security Note  - March 13, 2003
> IBM AIX sendmail an open-relay by default
> http://security.sdsc.edu/advisories/2003.05.13-AIX-sendmail.txt
> 
> 
> I. BACKGROUND
> 
> IBM's AIX is the flagship IBM UNIX offering.  Almost all versions, up
> to the latest 5.2, deliberately ship as open email relays.  Some IBM
> patches and upgrades for Sendmail have discarded local site changes
> and re-installed the vulnerable sendmail.cf.
> 
> IBM has been notified of this problem via several channels, at various
> times since October 1999.
> 
> 
> II. DESCRIPTION
> 
> IBM has chosen to ship a sendmail configuration for AIX that makes
> servers an open SMTP relay.  Even though they are shipping newer
> versions of Sendmail software that are not open by default,
> IBM intentionally discards the non-relay configuration file and ships
> a default sendmail.cf that makes the system an open relay.
> 
> SDSC and other customers have notified IBM about this problem at
> almost every AIX release since at least 1999.  It has been an "open
> issue" with IBM since that time.
> 
> IBM's comments in 1999 (and since) have boiled down to "put your
> systems behind firewalls".  Later responses have been "users are
> responsible for the configuration of their systems", and "our other
> users insist on this default configuration".
> 
> While we agree that users *are* responsible for the configurations of
> their systems, it is unfriendly to customers to ship software that,
> from the open source community is safe, but has been intentionally
> made unsafe from IBM.  This violates the principle of least
> astonishment, and only adds to the user's workload.
> 
> 
> III. ANALYSIS
> 
> Any IBM AIX system that uses the default sendmail.cf from IBM will be
> an open relay.
> 
> SDSC discovered this and reported it for the first time in October
> 1999, when we discovered during installation that our new
> supercomputer (bluehorizon.sdsc.edu, an 1152 processor SP2) had the
> capability to be the world's fastest SPAM relay.  We replaced the
> sendmail.cf with a more rational one.
> 
> Many of IBM's AIX upgrades have silently over-written our sendmail.cf
> with a vulnerable file from IBM.  We have notified IBM of this issue
> at every OS release.
> 
> As you can see from this ".mc" file from AIX 5.2, IBM has
> intentionally turned on the "promiscuous_relay",
> "accept_unresolvable_domains" and "accept_unqualified_senders"
> features.  All of these are SPAM-friendly.
> 
> # Sample AIX file
> divert(0)dnl
> OSTYPE(aixsample)dnl
> FEATURE(genericstable)dnl
> FEATURE(mailertable)dnl
> FEATURE(virtusertable)dnl
> FEATURE(domaintable)dnl
> FEATURE(allmasquerade)dnl
> FEATURE(promiscuous_relay)dnl
> FEATURE(accept_unresolvable_domains)dnl
> FEATURE(accept_unqualified_senders)dnl
> FEATURE(no_default_msa)
> DOMAIN(generic)dnl
> MAILER(local)dnl
> MAILER(smtp)dnl
> MAILER(uucp)
> 
> 
> IV.  SUMMARY
> 
> After trying to work this through various support channels, we were
> finally told, by anonymous IBM support and developers, "very
> unofficially", that the only way to get this resolved would be to make
> this announcement.
> 
> Tom E. Perrine <tep@SDSC.EDU> | San Diego Supercomputer Center 
> http://www.sdsc.edu/~tep/     | 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.7 <http://mailcrypt.sourceforge.net/>
> 
> iQCVAwUBPsEiMRTSxpWcaAFRAQGubgP+PULT6GXYtDRvS+Qw6Sc0IJbEOq2gG4yz
> /9tMEzs692eYftt0SmC0y8tmPfe3pfG2xgad/hfnMJeEG4oTld+vElO1wKzPp3f5
> oNCFKy3eaBiiRZgN3+SjXV2EjPUT+7W1dpeoCMxl0ESFPPokbAik1JOXZWvqsZQe
> kE08GUO2gME=
> =LCUX
> -----END PGP SIGNATURE-----
> 
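
An added example, not part of the original advisory or of sendmail: a small audit that flags the three features named in section III when they are active in a .mc file, which is useful to re-run after an OS upgrade that may have replaced the site configuration. It assumes m4's default treatment of `dnl` and `#` comments; the function name and the second sample file are constructed for illustration.

```python
import re

# Features the advisory identifies as spam-friendly in the AIX 5.2 sample .mc.
RISKY_FEATURES = {
    "promiscuous_relay": "relays mail for any host to any destination",
    "accept_unresolvable_domains": "accepts sender domains that do not resolve",
    "accept_unqualified_senders": "accepts sender addresses without a domain",
}

# Matches FEATURE(name), FEATURE(`name') and FEATURE(`name', args...).
FEATURE_RE = re.compile(r"FEATURE\(\s*`?([A-Za-z0-9_]+)'?")
# Assumption: default m4 behaviour, where text after `dnl` is discarded and
# macros after `#` are not expanded, so such FEATURE lines are inactive.
INACTIVE_RE = re.compile(r"(#|\bdnl\b).*")

def audit_mc(text):
    """Return (line_number, feature, reason) for each active risky FEATURE."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        active = INACTIVE_RE.sub("", line)
        for name in FEATURE_RE.findall(active):
            if name in RISKY_FEATURES:
                findings.append((lineno, name, RISKY_FEATURES[name]))
    return findings

# Excerpt (some lines omitted) of the sample file quoted in the advisory.
AIX_SAMPLE_MC = """\
divert(0)dnl
OSTYPE(aixsample)dnl
FEATURE(allmasquerade)dnl
FEATURE(promiscuous_relay)dnl
FEATURE(accept_unresolvable_domains)dnl
FEATURE(accept_unqualified_senders)dnl
FEATURE(no_default_msa)
MAILER(smtp)dnl
"""

# Constructed sample: a site copy with two features commented out, one left on.
CONSTRUCTED_SITE_MC = """\
divert(0)dnl
dnl FEATURE(promiscuous_relay)dnl
# FEATURE(accept_unresolvable_domains)dnl
FEATURE(`accept_unqualified_senders')dnl
MAILER(smtp)dnl
"""

if __name__ == "__main__":
    for label, mc in (("AIX", AIX_SAMPLE_MC), ("site", CONSTRUCTED_SITE_MC)):
        print(label, audit_mc(mc))
```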
