Re: Security problem with 94.4

[Bill Ott <billott @ theotts . org>]

Daniel Liston wrote:
> Bill Ott wrote:
>   
> > I just discovered that even though my list is restricted to list member,
> > anyone can send mail to the list by appending "-list"to the end of the
> > list name. I know this is a config problem on my part but have found no
> > mention of the fix on the net. Any help is appreciated.  You can try it
> > at phonelist @
theotts .
org  as phonelist-list @
theotts .
org
> >     
>
> If sendmail is your MTA, you can use the virtusertable to reject messages
> sent directly to your -list aliases.
>
> phonelist-list @
theotts .
org	error:nouser User unknown
> Virtusertable has to be enabled in the sendmail.cf, and you will need to
> use makemap to create a hash or db from the raw virtusertable for sendmail
> to recognize and use it.
>
> It is also better to use some other (unknown, or at least not to popular)
> extension to your list delivery aliases, and prevent sendmail from adding
> the name of the alias to "Received:" lines by appending a comma "," or
> ",nobody" to your delivery alias too.  The latter assumes "nobody" to be
> and alias to /dev/null.
>
> Dan Liston
>
>   
Thanks, Dan. It works great. One additional question. I tried  "-list@"  
in virtusertable in the hopes that it would block the hole in all of my 
lists.  It appears that sendmail treated it as the complete name so 
phonelist-list passed through. Can I use regexp to cover all of the lists?

--
Regards,
Bill Ott

Email: Mailto://billott @
theotts .
org
Website: http://www.theotts.org