[nSLUG] Re: Mailing List Security

M Taylor mctylr at privacy.nb.ca
Tue Mar 4 09:48:28 AST 2003

On Tue, Mar 04, 2003 at 09:31:35AM -0400, Tim Goodaire wrote:
> You could try "telnet localhost 25" and see what the banner says.
> On March 4, 2003 01:19 am, Mike Spencer wrote:
> > > http://www.cert.org/advisories/CA-2003-07.html
> >
> > Um, how do I tell which version of sendmail I'm running?

The banner version is specified in the config file (sendmail.cf),
so you cannot trust that.

If you use Internet addresses (not UUCP or X.400 or some other
ancient addressing) you should NOT be running sendmail. Period.

Exim and postfix are both far easier to configure, and far more
secure. Qmail is nice if you are willing to go through a lot
of pain to set it up.

This sendmail vulnerability is NOT protected by firewalls
and proxies; it is message based, not transport based. So you
have to patch all internal servers as well. Except you
should migrate to exim or postfix.

