On Thu, 16 Apr 1998, Michael Slavitch wrote:
> The following patch changes resend to close a security hole
> in closed lists. Using resend like this:
>
> | /usr/local/majordomo/wrapper resend -l list outgoing-list
>
> meant that outgoing-list was a valid alias that the outside world
> could mail to. Worse, the alias appeared in mail headers.
Is the patch really needed? This is from the FAQ:
Sendmail 8.x will unfortunately log your -outgoing alias in the
"Received:" lines. To prevent this you need to specify more than one
address for the list name argument to resend. (for example
"mylist:|"/usr/local/lib/majordomo/wrapper resend -h foo.org -l mylist
mylist-seekrit,nobody"" where nobody is an alias for /dev/null) For
Sendmail 8.x you must not define an alias 'owner-mylist-seekrit' to be
something like 'owner-mylist,' (with the comma). Otherwise sendmail
will set the envelope address of outgoing mail to contain your secret
outgoing alias.
-----------------------------------------------------------------
Mats Dufberg Mats.Dufberg@abc.se
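
An added example, not part of the original message or of Majordomo: a Python audit of a sendmail aliases file for the two conditions the quoted FAQ describes (a single-address outgoing argument to resend, and an owner- alias for the outgoing alias that ends in a comma). The sample aliases, the :include: paths and the function names are constructed; it assumes one alias per line and that the address list is the last argument to resend.

```python
# Constructed sample aliases file (not from the original message).
SAMPLE_ALIASES = """\
mylist:|"/usr/local/lib/majordomo/wrapper resend -h foo.org -l mylist mylist-seekrit,nobody"
mylist-seekrit: :include:/usr/local/lib/majordomo/lists/mylist
owner-mylist-seekrit: owner-mylist,
badlist: "|/usr/local/majordomo/wrapper resend -l badlist badlist-outgoing"
badlist-outgoing: :include:/usr/local/majordomo/lists/badlist
nobody: /dev/null
"""

def parse_aliases(text):
    """Return {alias: value}; continuation lines are not handled (assumption)."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            aliases[name.strip().lower()] = value.strip()
    return aliases

def audit(text):
    """Return (alias, reason) findings for resend entries that expose the outgoing alias."""
    aliases = parse_aliases(text)
    findings = []
    for name, value in aliases.items():
        # Accept both |"cmd args" and "|cmd args" quoting styles.
        cmd = value.strip('"').lstrip("|").strip().strip('"')
        words = cmd.split()
        if "resend" not in words:
            continue
        # Last argument is the outgoing address list (assumed comma-separated, no spaces).
        outgoing = [a.lower() for a in words[-1].split(",") if a]
        if len(outgoing) < 2:
            findings.append((name, "single outgoing address: appears in Received: lines"))
        for out in outgoing:
            if aliases.get("owner-" + out, "").endswith(","):
                findings.append(("owner-" + out,
                                 "trailing comma: envelope address contains outgoing alias"))
    return findings

if __name__ == "__main__":
    for alias, reason in audit(SAMPLE_ALIASES):
        print(f"{alias}: {reason}")
```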