Maintain Security with sendmail - 4.3 SMTP Probes

(Page 3 of 4 )

Although SMTP probes can be legitimate uses of the network, they can also pose potential risks. They are sometimes used to see whether a bug remains unfixed. Sometimes they are used to try to gather user login names or to feed a program unexpected input in such a way that it breaks and gives away root privilege.

4.3.1   SMTP Debug

An “unfixed bug” probe can use the SMTP debug and showq commands. The SMTPdebugcommand allows the local sendmail to be placed into debugging mode (as with the-dcommand-line switch, §15.1 on page 530) from any other machine anywhere on the network. The SMTPshowq command allows outsiders to view the contents of the mail queue.

If SMTPDEBUG (§3.4.58 on page 144) is defined when sendmail is compiled, the SMTP debug and showq commands are allowed to work; otherwise, they are disabled. SMTPDEBUG should be defined only when modifying the sendmail code and testing a new version. It should never be defined in an official release of sendmail.To see whether it has been defined at your site, run the following command:

  % telnet localhost 25
  Trying 123.45.6.7 ...
  Connected to localhost.
  Escape character is '^]'.
  220 localhost sendmail 8.12 ready at Fri, 13 Dec 2002 06:36:12 -0800
  debug
  500 Command unrecognized
  quit
  221 localhost.us.edu closing connection
  Connection closed by foreign host.
  %

When connected, enter the commanddebug. If you get the answer500 Command unrecognized, you know that SMTPDEBUG is not enabled. If, on the other hand, you get the answer200 Debug set, SMTPDEBUG is defined on your system, and you should immediately take steps to correct the situation. Either contact your vendor and request a new version of sendmail, or get the sendmail source and compile it with SMTPDEBUG undefined.

When SMTPDEBUG is undefined and an outsider connects to the local machine and attempts to execute thedebug orshowqcommand, sendmail will syslog(3) a message such as the following:

  Jul 22 07:09:00 here.domain sendmail[192]: "debug" command from there.domain
        (123.45.67.89)

This message shows the name of the machine that attempts the probe, or there.domain, and the IP address of that machine. Note that this message is logged only if theLogLeveloption (§24.9.61 on page 1040) is nonzero.

4.3.2   SMTP VRFY and EXPN

You might be dismayed to learn that the login names of ordinary users can be used to break into a system. It is not, for example, all that unusual for a user to select a password that is simply a copy of his login name, first name, last name, or some combination of initials. A risk of attack can arise from outsiders guessing login names. Any that they find can be used to try to break in, and the SMTP VRFY gives an attacker the means to discover login names.

Login names are also a way to gather addresses for spam email messages. The SMTP VRFY command, too, can be used to collect names for that illicit use.

The SMTP VRFY command causes sendmail to verify that it will accept an address for delivery. If a user’s login name is given, the full name and login name are printed:

  vrfy george
  250 George Washington <george@wash.dc.gov>

Here, the 250 SMTP reply code (see RFC821) means a successful verification.* If the user is unknown, however, sendmail says so:

  vrfy foo
  550 5.7.1 foo... User unknown

The SMTP EXPN command is similar to the VRFY command, except that in the case of a mailing list, an aliases, or a ~/.forward file entry, it will show all the members. The SMTP EXPN command causes sendmail to expand (show all the recipients) of an address. To illustrate the risk, consider that many sites have aliases that include all or a large segment of users. Such aliases often have easily guessed names, such as all, everyone, or staff. A probe of all, for example, might produce something such as the following:

  expn all
  250-George Washington <george@wash.dc.gov>
  250-Thomas Jefferson <tj@wash.dc.gov>
  250-Ben Franklin <ben@here.us.edu>
  250-Betsy Ross <msflag@ora.com>
  250 John Q. Public <jqp@aol.com>

With well-designed passwords these full and login names can safely be given to the world at large. But if one user (say,jqp) has a poorly designed password (such as jqpublic), your site’s security can easily be compromised.† Note that not all uses of VRFY or EXPN represent probes. Some MUAs,‡ for example, routinely VRFY each recipient before sending a message.

SMTP VRFY and EXPN commands are individually logged in a form such as one of the following:

  Sep 22 11:40:43 yourhost sendmail[pid]: other.host: vrfy all
  Sep 22 11:40:43 yourhost sendmail[pid]: [222.33.44.55]: vrfy all
  Sep 22 11:40:43 yourhost sendmail[pid]: other.host: expn all
  Sep 22 11:40:43 yourhost sendmail[pid]: [222.33.44.55]: expn all

This shows that someone from the outside (other.hostin the first and third examples) attempted to probe for usernames in the mailing list namedall. In the second and last examples, the probing hostname could not be found, so the IP address is printed instead (in the square brackets). Note that this form of logging is enabled only if theLogLeveloption (§24.9.61 on page 1040) is greater than 5.

Pre-V8 versions of sendmail do not report SMTP VRFY or EXPN attempts at all. Some versions of sendmail (such as the HP-UX version) appear to verify but really only echo the address stated.

V8 sendmail allows VRFY and EXPN services to be accepted or rejected on the basis of the setting of thePrivacyOptionsoption (§24.9.86 on page 1065). For improved security, we recommend this setting for thePrivacyOptionsoption:

  O PrivacyOptions=novrfy,noexpn

V8.10 and above sendmail allow VRFY and EXPN services to be selectively accepted or rejected on the basis of rules in thecheck_vrfy( §19.9.3 on page 707) andcheck_expn( §19.9.3 on page 707) rule sets. If, for example, you wish to allow VRFY from internal hosts, but wish to deny it for all outside hosts, you can do so by omitting a definition of thePrivacyOptionsoption as explained earlier, and by designing appropriate rules for thecheck_vrfyrule set.

Next: 4.4 The Configuration File >>
 

More Server Administration Articles
More By O'Reilly Media

Comments On: Maintain Security with sendmail

· This article is an excerpt from the book "sendmail, fourth edition," published by...   >>> Post your comment now!

Buy this book...

This article is excerpted from chapter four of sendmail, fourth edition, written by Bryan Costales, Claus Assmann, George Jansen and Gregory Shapiro (O'Reilly, 2007; ISBN: 0596510292). Check it out today at your favorite bookstore. Buy this book now.