Great Circle Associates Majordomo-Users
(March 2004)
 


Subject: Re: security hole
From: Nicholas Anderson <nicholas @ fiocruz . br>
Date: Mon, 29 Mar 2004 09:50:58 -0300
To: "MajorDomo Administrator, MSER:EX" <Majordomo . Admin @ gems1 . gov . bc . ca>
Cc: Majordomo-Users <Majordomo-Users @ GreatCircle . COM>
In-reply-to: <78C662A57529A14FAD49FC8819F5E2D40F6CE106@swan.bcsc.gov.bc.ca>
References: <78C662A57529A14FAD49FC8819F5E2D40F6CE106@swan.bcsc.gov.bc.ca>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007

I had this problem in my servers too but, unfortunately, I'm not a 
programming expert, so I could not make a patch.
Since then, I was looking for a solution for this problem, and what I've 
found is that it's possible to block message recipients through the 
"access" file in sendmail.
What I had to do was put a line like
"To: list-outgoing@mydomain.com   REJECT"  in sendmail's access file.
With this option I stopped receiving this bullshit notification email, 
and my lists kept working.

If you use postfix you gotta add in your  "smtpd_recipient_restrictions"  
section a line like    "check_recipient_access hash:/etc/postfix/recipient,"
in your main.cf, and create the "/etc/postfix/recipient" file with all
the recipients you want to block, in this case,
lists-outgoings@yourdomain.com


This is working for me and I guess it will work for you, although it's 
not a patch.


Nick



MajorDomo Administrator, MSER:EX wrote:

>We noticed a bad security hole with our majordomo lists.  It was brought to
>our attention by the list subscribers who were getting spoofed virus
>rejections.  The rejections were going to the listname-outgoing address and
>therefore bypassing the requirement for moderation.
>
>Has anyone else had this problem and how did they patch it?
>
>a template of aliases file config
>
>owner-l_tk_testlist: l_tk_testlist-owner
>l_tk_testlist: "|/home/majordomo/wrapper resend -l l_tk_testlist -h listsserver.ca -f l_tk_testlist-owner l_tk_testlist-outgoing"
>l_tk_testlist-owner: me@myaddress
>l_tk_testlist-approval: l_tk_testlist-owner
>owner-l_tk_testlist-approval: l_tk_testlist-owner
>l_tk_testlist-outgoing: :include:/home/majordomo/lists/l_tk_testlist
>owner-l_tk_testlist-outgoing: l_tk_testlist-owner
>
>Thanks,
>Majordomo Support   
>mailto:Majordomo.Admin@gems1.gov.bc.ca
>
>  
>


-- 

Nicholas Anderson
Administrador Linux/Unix
Rede Fiocruz
http://www.redefiocruz.fiocruz.br
e-mail: nicholas@fiocruz.br
Tel:(21)2598-4499
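
An added example, not part of either message and not Majordomo or Postfix code: a Python sketch that reads an aliases file in the layout quoted above, picks out the `:include:` delivery aliases that sit behind a `resend` wrapper, and emits the Postfix recipient map entries Nick describes. The sample aliases text, the `announce` list and the domain `lists.example.org` are constructed; an `:include:` alias with no wrapper in front of it is skipped because it is that list's public address.

```python
# Constructed sample modelled on the aliases template quoted in the thread;
# "announce" is a hypothetical list with no resend wrapper in front of it.
SAMPLE_ALIASES = """\
owner-l_tk_testlist: l_tk_testlist-owner
l_tk_testlist: "|/home/majordomo/wrapper resend -l l_tk_testlist -h
  listsserver.ca -f l_tk_testlist-owner l_tk_testlist-outgoing"
l_tk_testlist-owner: me@myaddress
l_tk_testlist-outgoing: :include:/home/majordomo/lists/l_tk_testlist
owner-l_tk_testlist-outgoing: l_tk_testlist-owner
# unmoderated list: the public address is itself the :include: alias
announce: :include:/home/majordomo/lists/announce
"""

def parse_aliases(text):
    """Return {alias: expansion}; lines starting with whitespace continue
    the previous entry, blank lines and # comments are ignored."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            entries[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition(":")
        if sep:
            current = name.strip().lower()
            entries[current] = value.strip()
    return entries

def resend_targets(entries):
    """Aliases named as the final argument of a `wrapper resend` pipe
    (assumes one delivery alias per pipe, as in the quoted template)."""
    targets = set()
    for value in entries.values():
        cmd = value.strip('"')
        if cmd.startswith("|") and " resend " in cmd:
            targets.add(cmd.split()[-1].lower())
    return targets

def postfix_recipient_map(text, domain):
    """Postfix access(5) lines rejecting direct mail to wrapped delivery aliases."""
    entries = parse_aliases(text)
    fronted = resend_targets(entries)
    return [f"{alias}@{domain}\tREJECT"
            for alias, value in sorted(entries.items())
            if value.startswith(":include:") and alias in fronted]

if __name__ == "__main__":
    print("\n".join(postfix_recipient_map(SAMPLE_ALIASES, "lists.example.org")))
```

Write the returned lines to the file named in `check_recipient_access` and run `postmap` on that file so the `hash:` lookup table is rebuilt.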



