System Security and Sendmail
under construction

What is Sendmail?
Vulnerable versions of Sendmail
Does my SGI do mail delivery for unwanted systems?
Solutions to Sendmail vulnerabilities
For more information


What is Sendmail?

Sendmail is the program used by your Silicon Graphics computer to deliver and receive mail.  It can handle mail delivery from your system to itself as well as to all Internet hosts.  Electronic mail involves hosts contacting and exchanging information with potentially any site on the Internet.  As such, any vulnerabilities in Sendmail could be exploited to use your system in an unauthorized way.

For example, if you have a version of Sendmail below 8.9 that isn't configured to reject third-party relaying, another host on the Internet could use your host to deliver mail for it to a third party.  Spammers have taken advantage of this vulnerability to send unwanted mail, usually to solicit everything from life insurance to pornography.  When the recipient receives the mail, it may have a bogus return address, but your host will be recorded as relaying the mail, and this may bring complaint emails to you and Penn.  Allegedly, some spammers will scan entire subnets looking for hosts that allow open relaying, and having your host open may encourage attempts against other machines in your department.

This is not to say that all relaying should always be turned off.  Many people depend on this service to send mail.  For example, when I send mail using Netscape Communicator, the PC on my desk needs another host, in this case mail.sas.upenn.edu, to perform the mail delivery.  If mail.sas turned off all relaying, I would either have to keep my computer on most of the time with a mail program running, or find another computer to do what mail.sas currently does.  There are ways to restrict the hosts to whom you allow relaying.  See below.

Vulnerable versions of Sendmail

The Sendmail organization is the best place to find out about Sendmail issues.  As of this writing, Sendmail versions earlier than 8.8 should not be used due to various vulnerabilities and problems.  As of Sendmail 8.9, third-party relaying is turned off by default, and there are numerous additional security features that significantly improve Sendmail.  Sendmail's latest version at this writing is 8.9.3, and it contains fixes to bugs in previous 8.9 releases and other improvements.

Does my SGI do mail delivery for unwanted systems?

As of March 1999, this site is available to check whether your host will do third-party relaying from outside the University.

Solutions to Sendmail vulnerabilities

I would recommend upgrading your SGI to use the latest version of Sendmail.  While there are ways to eliminate relaying and other security vulnerabilities with the Sendmail program SGI makes itself and delivers with its operating system, I don't believe it is the most reliable method, and I've had difficulty getting it to work properly with PennNet.  I have described below how to adjust your SGI's sendmail configuration file (/etc/sendmail.cf) to do some checking that should eliminate most third-party relaying.

Here are rough directions on how to update to the latest version of Sendmail (8.9.3 as of March 99):

  1.  Obtain the latest Sendmail distribution from Sendmail: ftp://ftp.sendmail.org/pub/sendmail
  2.  Become the root user; uncompress if needed and de-tar the distribution file into a new directory.
  3.  Read through the README files.
  4.  Run "Build", the program that compiles the Sendmail program.
  5.  Create an M4 file with the proper configuration for your site.
  6.  Make a backup copy of your sendmail files: "cp /usr/lib/sendmail /usr/lib/sendmail.old; cp /etc/sendmail.cf /etc/sendmail.cf.old"
  7.  Stop the mail spooler: "/etc/init.d/mail stop"
  8.  Install the sendmail binary: "cp sendmail /usr/lib/sendmail; chmod 755 /usr/lib/sendmail; chmod g+s /usr/lib/sendmail"
  9.  Create any additional files needed to support your configuration, e.g. /etc/mail/cw.localhost.
  10.  Re-start the sendmail daemon: "/etc/init.d/mail start"
  11.  Check out mail to and from your host.
  12.  Test: Watch the /var/adm/SYSLOG file for mail delivery messages.  Errors will be recorded here.
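
One way to act on step 12 is to scan the delivery messages for mail that an outside host handed to you and that your host then sent on to another outside domain. This is an added example, not part of the original page; it assumes the usual sendmail 8.x "from=" and "to=" log fields, and the domain list, trusted networks and sample log lines are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed values for this example: your mail domains and the networks allowed to relay.
LOCAL_DOMAINS = {"myhost.example.edu", "example.edu"}
TRUSTED_NETS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]

ENTRY = re.compile(r"sendmail\[\d+\]: (\w+): (from|to)=(.*)")
CLIENT_IP = re.compile(r"relay=[^,]*\[([\d.]+)\]")

def is_trusted(ip):
    # No client IP (local submission, or the from= line was not seen) counts as trusted.
    return ip is None or any(ip_address(ip) in net for net in TRUSTED_NETS)

def find_third_party_relays(lines):
    """Return (queue_id, client_ip, recipient) for mail accepted from an
    untrusted client and delivered onward to a non-local domain."""
    client = {}  # queue id -> connecting client IP taken from the from= line
    hits = []
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue
        qid, kind, rest = m.groups()
        if kind == "from":
            ip = CLIENT_IP.search(rest)
            client[qid] = ip.group(1) if ip else None
            continue
        if "stat=Sent" not in rest or is_trusted(client.get(qid)):
            continue
        # Several recipients are logged as to=<a@x>,<b@y> ahead of the first ", ".
        for rcpt in rest.split(", ", 1)[0].split(","):
            rcpt = rcpt.strip("<>")
            if "@" in rcpt and rcpt.rpartition("@")[2].lower() not in LOCAL_DOMAINS:
                hits.append((qid, client[qid], rcpt))
    return hits

# Constructed sample lines (not taken from a real SYSLOG).
SAMPLE = """\
Mar 19 10:15:01 myhost sendmail[2345]: KAA02345: from=<offers@bogus.example>, size=1532, class=0, pri=31532, nrcpts=1, msgid=<1@bogus.example>, proto=SMTP, relay=dialup.example.net [203.0.113.7]
Mar 19 10:15:03 myhost sendmail[2347]: KAA02345: to=<someone@other.example>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, relay=mx.other.example. [198.51.100.5], stat=Sent (OK)
Mar 19 10:20:11 myhost sendmail[2360]: KAA02360: from=<me@example.edu>, size=800, class=0, pri=30800, nrcpts=1, msgid=<2@example.edu>, proto=ESMTP, relay=desk-pc.example.edu [192.0.2.44]
Mar 19 10:20:12 myhost sendmail[2362]: KAA02360: to=<friend@other.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.other.example. [198.51.100.5], stat=Sent (OK)
Mar 19 10:25:40 myhost sendmail[2370]: KAA02370: from=<pal@other.example>, size=900, class=0, pri=30900, nrcpts=1, msgid=<3@other.example>, proto=ESMTP, relay=mx.other.example [198.51.100.5]
Mar 19 10:25:41 myhost sendmail[2371]: KAA02370: to=<me@example.edu>, delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent
""".splitlines()

if __name__ == "__main__":
    for hit in find_third_party_relays(SAMPLE):
        print("third-party relay:", hit)
```

Only the first message is reported: the second comes from a trusted desktop and the third is inbound mail for a local user. To run it against real data, pass the lines of /var/adm/SYSLOG instead of SAMPLE.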

For more information

The Information Security office at Penn has provided some helpful information on dealing with spam mail and other security issues.  The UUGP list at Penn is helpful.  It reported an exponential increase in spam mail over a period of several months.  Here are some references I recommend for help with Sendmail issues:




last updated 990319, Martin McCormick, martinm@sas.upenn.edu