Great Circle Associates Majordomo-Users
(June 2006)
 


Subject: Re: Security problem with 94.4
From: Daniel Liston <dliston @ sonny . org>
Date: Tue, 27 Jun 2006 10:53:47 -0500
To: Bill Ott <billott @ theotts . org>
Cc: majordomo-users @ greatcircle . com
In-reply-to: <44A127CE.8080604@theotts.org>
References: <449FD181.9080600@theotts.org> <44A0080B.1060000@sonny.org> <44A127CE.8080604@theotts.org>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

Bill Ott wrote:
> Daniel Liston wrote:
> 
>> Bill Ott wrote:
>>  
>>
>>> I just discovered that even though my list is restricted to list members,
>>> anyone can send mail to the list by appending "-list" to the end of the
>>> list name. I know this is a config problem on my part but have found no
>>> mention of the fix on the net. Any help is appreciated.  You can try it
>>> at phonelist@theotts.org as phonelist-list@theotts.org
>>>
>>>     
>>
>>
>> If sendmail is your MTA, you can use the virtusertable to reject messages
>> sent directly to your -list aliases.
>>
>> phonelist-list@theotts.org    error:nouser User unknown
>>
>> Virtusertable has to be enabled in the sendmail.cf, and you will need to
>> use makemap to create a hash or db from the raw virtusertable for sendmail
>> to recognize and use it.
>>
>> It is also better to use some other (unknown, or at least not too popular)
>> extension to your list delivery aliases, and prevent sendmail from adding
>> the name of the alias to "Received:" lines by appending a comma "," or
>> ",nobody" to your delivery alias too.  The latter assumes "nobody" to be
>> an alias to /dev/null.
>>
>> Dan Liston
>>
>>   
> 
> Thanks, Dan. It works great. One additional question. I tried "-list@"
> in virtusertable in the hopes that it would block the hole in all of my
> lists.  It appears that sendmail treated it as the complete name so
> phonelist-list passed through. Can I use regexp to cover all of the lists?
> 

To the best of my knowledge, sendmail does not have a regex engine for
the virtusertable.  I did cut my teeth on sendmail, but I have not kept
up to date with it for the last few years.  Maybe someone on one of the
sendmail support lists can answer more authoritatively.

Dan Liston
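
Added example, not part of the original message: since a single pattern entry did not cover every list, this sketch generates one virtusertable reject entry per delivery alias found in an aliases file. The function name, the sample aliases (including the wrapper paths) and the domain example.org are constructed for illustration; the "-list" suffix and the error:nouser entry format are the ones quoted above.

```shell
#!/bin/sh
# gen_rejects DOMAIN [SUFFIX] < aliases-file
# Prints "alias@DOMAIN<TAB>error:nouser User unknown" for every alias whose
# name ends in SUFFIX (default "-list"). Comment lines, blank lines and
# continuation lines (leading whitespace) are skipped.
gen_rejects() {
    domain=$1
    suffix=${2:--list}
    awk -v domain="$domain" -v suffix="$suffix" '
        /^[ \t]/ || /^#/ || /^$/ { next }
        {
            colon = index($0, ":")
            if (colon == 0) next
            name = substr($0, 1, colon - 1)
            gsub(/[ \t"]/, "", name)            # strip whitespace and quotes
            n = length(name); s = length(suffix)
            if (n <= s || substr(name, n - s + 1) != suffix) next
            if (name in seen) next              # one entry per alias
            seen[name] = 1
            printf "%s@%s\terror:nouser User unknown\n", name, domain
        }
    '
}

# Constructed sample aliases file (hypothetical paths, not from the thread).
sample_aliases() {
cat <<'EOF'
# Majordomo lists
phonelist: "|/usr/lib/majordomo/wrapper resend -l phonelist phonelist-list"
phonelist-list: :include:/usr/lib/majordomo/lists/phonelist
owner-phonelist: billott
family: "|/usr/lib/majordomo/wrapper resend -l family family-list"
family-list: :include:/usr/lib/majordomo/lists/family
  ,nobody
EOF
}

# Emit the reject entries for the sample file.
sample_aliases | gen_rejects example.org
```

The output is meant to be appended to the raw virtusertable, which then has to be rebuilt with makemap as described in the quoted message. If the delivery aliases use a less obvious extension, pass it as the second argument.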


