> The FWTK has uses even on non-firewall systems. Take smapd, for example.
> Using that to receive internet mail instead of sendmail has been enough
> to provide protection from a number of sendmail bugs (be nice if sendmail 8
>
> Darren
Not really. smap is quite good about letting in all sorts of headers
that do nasty things to sendmail - all it takes is one vulnerable
machine on the network that smap is willing to pass mail onto. In
fact, from my recolection smap doesn't touch anything after the DATA
command. See the obtuse smtpd sendmail wrapper (ftp.obtuse.com) for
a solution to this (smtpd runs chrooted and "sanitises" ALL headers before
passing them onto sendmail).
You can also run qmail for a single machine solution. Qmail has multiple
mutually untrusting co-operating components (under 7 different uid's) and
is generally well thought out and follows the unix paradigm.
-Julian A.
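The distinction Julian draws above, between a relay that passes everything after DATA through untouched and a wrapper that checks every header before sendmail sees it, is easiest to see with a small sanitiser. The following is an added example, not code from the original thread and not the actual rules of obtuse smtpd or smap (neither is described on the page in that detail): the policy it enforces (RFC 5322 field-name syntax, the 998-octet line limit, no control characters in header values, a hypothetical 8 KiB cap on one unfolded header) is this example's own, and the message it runs on is constructed inline.

```python
"""Minimal header sanitiser for mail received after the SMTP DATA command.

Added example in the spirit of a chrooted sendmail wrapper that cleans headers
before handing the message on.  The rules here are this example's own policy
(assumptions), not the checks performed by obtuse smtpd or by smap.
"""

import re
from typing import List, Optional, Tuple

MAX_LINE = 998            # RFC 5322 hard limit per physical line, excluding CRLF
MAX_HEADER_BYTES = 8192   # hypothetical cap on a single unfolded header field

# RFC 5322 field name: printable US-ASCII except ':' (0x3a) and SP.
FIELD_NAME = re.compile(rb"^[\x21-\x39\x3b-\x7e]+$")

# Any control character other than TAB (folding whitespace) and the LF that
# separates folded lines is never legitimate inside a header value.
BAD_CTRL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")


def split_message(raw: bytes) -> Tuple[List[bytes], bytes]:
    """Split a raw message into header lines and body at the first blank line.

    Line endings are normalised to LF for processing; CRLF is restored on output.
    """
    text = raw.replace(b"\r\n", b"\n")
    head, _sep, body = text.partition(b"\n\n")
    return (head.split(b"\n") if head else []), body


def unfold(lines: List[bytes]) -> List[bytes]:
    """Join folded continuation lines (leading SP/TAB) onto the preceding field.

    An orphan continuation with no preceding field is kept as its own entry so
    that check_field() rejects it as a malformed field name.
    """
    fields: List[bytes] = []
    for line in lines:
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b"\n" + line
        else:
            fields.append(line)
    return fields


def check_field(field: bytes) -> Optional[str]:
    """Return None if the unfolded header field is acceptable, else a reason."""
    if len(field) > MAX_HEADER_BYTES:
        return "header too long"
    for physical in field.split(b"\n"):
        if len(physical) > MAX_LINE:
            return "line exceeds 998 octets"
    name, sep, value = field.partition(b":")
    if not sep or not FIELD_NAME.match(name):
        return "malformed field name"
    if BAD_CTRL.search(value):
        return "control character in value"
    return None


def sanitise_message(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, str]]]:
    """Drop every header that fails check_field(); pass the body through unchanged.

    Returns the cleaned message (CRLF line endings) and the list of
    (dropped_field, reason) pairs, so a wrapper can log what it removed.
    """
    header_lines, body = split_message(raw)
    kept: List[bytes] = []
    dropped: List[Tuple[bytes, str]] = []
    for field in unfold(header_lines):
        reason = check_field(field)
        if reason is None:
            kept.append(field)
        else:
            dropped.append((field, reason))
    cleaned = b"\n".join(kept) + b"\n\n" + body
    return cleaned.replace(b"\n", b"\r\n"), dropped


# Constructed sample message: three good headers (one folded), then a header
# with an embedded NUL, a line with no colon at all, and an over-long header.
SAMPLE = b"\r\n".join([
    b"From: alice@example.org",
    b"To: bob@example.org",
    b"Subject: a folded",
    b"\tsubject line",
    b"X-Evil: injected\x00null byte",
    b"this line has no colon",
    b"X-Long: " + b"A" * 1200,
    b"",
    b"Body text.",
    b"",
])


if __name__ == "__main__":
    cleaned, dropped = sanitise_message(SAMPLE)
    for field, reason in dropped:
        print(f"dropped ({reason}): {field[:40]!r}")
    print(cleaned.decode("ascii", "replace"))
```

The body is deliberately left alone: the point of the wrapper is that the headers, which sendmail parses, are the attack surface it controls, and anything it cannot parse into a well-formed `Name: value` field is dropped rather than forwarded. A production wrapper would additionally run chrooted under an unprivileged uid, as the post describes for smtpd, which this example does not show.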