Recently much attention has been paid to e-mail viruses transmitted by flaws in
certain client software. Up the line from most of those clients, however, is a
larger-scale server that transmits mail across the Internet. Some might say that
security starts at the server. Some of these servers process millions of
messages in a week’s time; how do you know whether the server is secure?
There are generally two types of Internet mail servers. Mail transfer agents
(MTAs) take care of routing your message to the right place on the Internet and
notifying you if the transfer can’t be accomplished. Mail user agents (MUAs)
bring mail directly to your mail client.
This article examines one MTA
and its equivalents and one of the primary protocols MUAs use for mail services.
Sendmail has been an integral part of the Internet for almost as long as there
has been an Internet. Internet Message Access Protocol (IMAP) is becoming one of
the more important and useful protocols used by MUAs. A number of measures can
be taken to run both services in a secure and reliable manner; this article
examines the related issues involved in establishing and maintaining server
security.
Sendmail and Security
E-mail has always been one
of the most useful and popular services on the Internet. A longtime player in
the e-mail arena is the Sendmail program, used by servers to transmit mail from
one place to another on the Internet. Unlike many programs, Sendmail has had a
relatively long history on the Internet. In its eon of Internet time, it has
progressed through eight major release numbers, and has been the subject of at
least 13 security advisories.
Although it is one of the most
widely used programs on the Internet, Sendmail may be one of the most insecure.
While all programs have vulnerabilities, the extent of their security is due
mostly to how they are implemented on a particular server. To understand the
vulnerabilities and security of Sendmail, it is necessary to examine its
history, its purpose, and its implementation in a mail routing
environment.
Sendmail’s History
Sendmail was
written by Eric Allman in 1979 while he was studying and working at the
University of California, Berkeley. That makes Sendmail older than most of
today’s Internet experts. At that time, there was no such thing as The (with a
capital T) Internet. Instead, there was a diverse collection of networks spread
over countries, computer architectures, and transport media. The ARPANET, the
historic progenitor of today’s Internet, was just one of these networks. There
were also DecNet, a collection of Digital Equipment VAX computers talking their
own protocol; UNIX-to-UNIX Copy Program (UUCP), a network of UNIX machines that
made dialup connections between one another to transfer information; and BITNET,
a store-and-forward network of mostly IBM mainframes that communicated using
IBM’s Remote Spooling Communications Subsystem (RSCS)
protocol.
Sendmail was written to operate in a dynamic and changing
network environment. Standards were minimal and inconsistently applied.
Addressing varied from network to network. To be useful, a mail routing program
had to be flexible and configurable. A new network might pop up and you had to
have a way to route mail to it. There were numerous gateway machines between
networks and sometimes you had to maintain a list of them and keep trying
different gateways until you found one that was listening on your network.
Instead of having to deal with one standard, like the Internet Protocol (IP)
that is familiar today, e-mail transmission had to account for multiple
standards on diverse networks.
It is not surprising that Sendmail allows
a great amount of control over configuration. Its configuration is its power to
adapt to a changing network landscape (and hence, its survival over the years).
With that configurability comes complexity, however, and Sendmail has always
been viewed as somewhat mysterious even by some of the more experienced computer
and network analysts. In recent years, it has matured and incorporated many
features that previously had to be programmed in, particularly those to control
unauthorized relay of messages (like spam) and to filter out specific messages
(like Robert Morris’ Internet worm).
Today Sendmail is well supported.
There is www.sendmail.org for distribution and support of the open source
version. www.sendmail.com is the home of Sendmail Inc., which offers a
commercially packaged and supported version and has Eric Allman as its chief
technology officer. www.sendmail.net is an information clearinghouse sponsored
by Sendmail Inc. It supports the open source version. Finally, many vendors,
such as Sun Microsystems, have developed their own versions of Sendmail based
upon the open source code and provide their own support and maintenance. If you
are using a vendor-specific version of Sendmail, such as the one found in
Sun’s Solaris operating system, consult your vendor for more
details.
Threats to Sendmail Security
Threats to
security come in a number of forms. The most basic threat is a compromise of
your system, which causes you to lose reliable operation of service on that
machine. Such a threat could be accomplished by an unauthorized person who gains
privilege on your server and reads or replaces files that are key to the
system’s operation. Often, this type of threat is performed not so much to
hijack your service, but rather to exploit your server and use it as a platform
for further attacks elsewhere on the Internet.
Another type of security
threat is a denial of service attack. Usually such an attack is organized to
overload your server with junk requests, thereby rendering it useless for the
legitimate transfer of e-mail. It usually originates from an external point or
points on the network. It does not represent a compromise of your system, but
does interrupt the normal services that you are trying to provide. Because of
the transient nature of denial of service attacks, it is very hard to guard
against them, since new sources and methods of attack are continually being
developed. There are, however, steps you can take to minimize the impact of such
an attack on your server and its users.
One of the most common types of
security threats is misuse of your system. This misuse can be intentional, as in
the case of spam, or unintentional, such as a vacation program that generates a
mail loop. In any case, it is necessary for you to control your service so that
misuse does not get in the way of providing service. Even if you have a casual
attitude about spam, you may still feel adverse effects from a lack of action.
If you are a popular spam site, you might find your service overwhelmed by those
who are more than eager to take a free ride. Your server can also end up on a
number of anti-spam blacklists and be denied from delivering mail to any other
server on the Internet that subscribes to such a list.
Anatomy of a Buffer Overflow
One common method used by hackers to gain access
to an Internet computer is to take advantage of a condition in Sendmail’s
operation called a buffer overflow. Many vulnerabilities reported have been due
to a buffer overflow, so while you may have heard the term, unless you are a
programmer yourself, you might not understand exactly what a buffer overflow
is.
Simply put, a buffer overflow occurs when a program receives more
data than it has planned on storing. If a program doesn’t check the size of
the data it is receiving, it will go ahead and store what is received, but the
extra data will get stored in a location in memory that was not intended for
that data. In most cases, this would result in an error in, and possibly the
failure of, the program. However, if that extra data is meaningful to the
computer’s processor, it might result in the execution of some instructions
that were included in that same data.
Imagine you were playing cards with
three others at a table. Across from you sits your partner. Let’s say that in
this imaginary game the person holding the turn can call for a card to be passed
from each player to the player on their right. Your partner holds the turn and
calls for a card to be passed. Instead of passing a card one position to the
right, you manage to pass it two positions (you are cheating, but this is the
part that illustrates the buffer overflow: you’ve managed to put a card in a
location where it wasn’t supposed to go). Your partner might use your card to
make a play in the game. In other words, your partner (Sendmail) held the turn
(root authority) and played the bogus card (executed the instruction), which
resulted in an unexpected and artificial control of the game (a hack of your
system).
If your opponents are watching you closely they’ll see your
attempt to go outside the rules (cheat) and not allow you that play (with
possible other ramifications, depending upon the type of crowd you hang out
with). Likewise, if Sendmail checks the size of a piece of data before storing
it in a location of a predefined size, the buffer overflow attempt will not be
successful. Remember that programs are written by humans who don’t always
remember to execute such a level of diligence. That explains how such
vulnerabilities make it into programs. To take advantage of the vulnerability
can require detailed knowledge of how the program is written (including the
opportunity to view the source code). It might also require some extensive trial
and error to determine the exact sequence of data that will accomplish more than
just an execution error in the program.
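As an added example in C (not code from the article or from Sendmail), here is the unchecked store the text describes next to a version that checks the size of the data before storing it; the 64-byte field size, the function names and the sample inputs are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Size the program "planned on storing": a fixed 64-byte field (assumed). */
#define FIELD_MAX 64

/* The defect the text describes: nothing compares the length of the incoming
 * data to the size of `field`, so strcpy keeps writing past its end when the
 * input is longer than FIELD_MAX-1 bytes. Shown only for contrast with the
 * checked version; it must never receive data it does not control. */
void store_unchecked(char *field, const char *input)
{
    strcpy(field, input);
}

/* Hardened form: the size of the data is checked before it is stored.
 * Returns 0 on success and -1 when the input would not fit, in which case
 * `field` is left untouched (the out-of-bounds "play" is refused). */
int store_checked(char *field, size_t field_size, const char *input)
{
    size_t n = 0;

    /* Count bytes, but never look further than the buffer could hold. */
    while (n < field_size && input[n] != '\0')
        n++;
    if (n >= field_size)          /* no room for the data plus its NUL */
        return -1;
    memcpy(field, input, n + 1);  /* n bytes of data plus the terminator */
    return 0;
}

/* Self-checks over constructed inputs (not real mail data). */
int accepts_short_input(void)
{
    char field[FIELD_MAX];
    return store_checked(field, sizeof field, "user@example.org") == 0
        && strcmp(field, "user@example.org") == 0;
}

int rejects_oversized_input(void)
{
    char field[FIELD_MAX] = "untouched";
    char big[FIELD_MAX * 3];

    memset(big, 'A', sizeof big - 1);     /* 191 bytes of 'A', far over 63 */
    big[sizeof big - 1] = '\0';
    return store_checked(field, sizeof field, big) == -1
        && strcmp(field, "untouched") == 0;
}
```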
Stay Current
One of the biggest security mistakes is to continue to
run an old and vulnerable version of Sendmail. While it is not always possible
(or advisable) to adopt a new version as soon as it is released, getting too far
behind can put your system at risk. New versions generally react to changing
technology and changing conditions on the network. The 1997 vulnerability in
Sendmail was in its MIME handling. The increased risk between then and now is
people’s increased familiarity with MIME. More mail programs can transmit MIME
messages and there are more software tools to manipulate MIME attachments. If
you can’t upgrade to the latest version of Sendmail, make sure you have
applied the latest patches. This is particularly true if you are using a version
of Sendmail supplied by an operating system vendor such as Sun Microsystems. If
you are paying for support of your operating systems, patches should be readily
available to you. Most vendors make security patches available even if you are
not paying for support. Find out where patches are available and make it a habit
to keep up with any new patches that are posted.
Stay Informed
These days, no one is exempt from being informed about
Internet security issues. At whatever level you interact with the Internet,
there is a corresponding level of responsibility. Understanding that unknown
attachments from an out-of-context source could represent a threat to your PC
might be minimal knowledge for the casual Internet user. System managers have a
much greater degree of responsibility and should be actively monitoring security
alerts from different sources.
One of the best sources for security
information on the Internet is CERT (www.cert.org). This organization is part of
Carnegie Mellon University and has been in existence since the early days of the
Internet. CERT originally stood for Computer Emergency Response Team. CERT now
is a registered trademark of Carnegie Mellon University and the Web site is part
of the effort to provide security information to the Internet. CERT provides a
mailing list that broadcasts alerts, advisories, and other security
information.
Protect Your Resources
You can guard
against root compromises and buffer overflows, but if you don’t secure the
files that Sendmail uses in its operation, you are leaving a big door open to
your system. This means that you must pay attention to the permissions assigned
to various files and directories on your system.
Alternatives: Postfix and Qmail
Although Sendmail performs a large share of the mail
routing that occurs on the Internet, competitors to Sendmail have appeared in
recent years. The development of these alternative mail routers was driven by
Sendmail’s perceived security weaknesses and by the potential to improve the
efficiency of mail routing software. Currently there are two programs that are
serious contenders for a Sendmail replacement. Both were written by academic
computer scientists and both are distributed as open source
software.