Subject: Re: localhost security hole
To: NetBSD security list <tech-security@netbsd.org>
From: Alan Barrett <apb@cequrux.com>
List: current-users
Date: 06/28/2003 16:18:46
On Sat, 28 Jun 2003, William Allen Simpson wrote:
> Having proved beyond all shadow of a doubt that sending mail to 
> root@localhost leaves a security leak a mile wide, what should be done?
> 
> The zone administrator (or DNS spoofer) can redirect all root mail, by 
> adding a zone entry "localhost.dom.ain." that points to some other 
> place than 127.0.0.1.  Is this considered a feature?

I can confirm that this flaw exists, and I think it's a bug in sendmail,
or sendmail's default configuration on NetBSD.  Applications like ping,
telnet and ssh do not exhibit the problem.

How to repeat:

  1. Configure a machine with hostname test.example.net, running
     sendmail and smmsp.
  2. Make test.example.net an authoritative nameserver for example.net.
  3. In the example.net DNS zone, add "localhost.example.net. A 10.2.3.4"
  4. In /etc/resolv.conf on test.example.net, place "search example.net"
     and "nameserver 127.0.0.1".
  5. Run tcpdump to capture all traffic to 10.2.3.4 (including ARP requests).
  6. ping localhost.  Observe that it pings 127.0.0.1, and does not attempt
     to contact 10.2.3.4.
  7. Similarly, try "ssh localhost" and "telnet localhost".  They attempt
     to connect to 127.0.0.1 and/or IPv6 ::1.
  8. echo test | mail root@localhost
     Observe that something (presumably sendmail) tries to connect to
     10.2.3.4.

> I proposed PR install/21999, to modify the /etc/hosts file to include 
> "localhost.dom.ain", right next to the "host.dom.ain host" line.
> 
> So far, most commentators oppose this change.
>
> Alternatives?

The default sendmail.cf tries to handle "localhost" as a special case.
It seems to be getting it wrong somehow.  I think we should find out why
and fix it.

We should also check whether postfix has a similar problem.

--apb (Alan Barrett)
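[Added example, not part of Alan's message or of NetBSD/sendmail: a small
check, written from the defender's side, for the condition the thread
describes. It builds the names a search-path resolver may try for the
unqualified "localhost" (taking "search"/"domain" entries from resolv.conf),
resolves each, and reports any that do not come back as a loopback address.
The function names and the injectable "resolver" parameter are my own; the
sample zone data in the comments is constructed.]

```python
"""Detect 'localhost' (or 'localhost.<search-domain>') resolving to a
non-loopback address, the condition that lets root@localhost mail leave
the machine.  Added example; function names are hypothetical."""
import ipaddress
import socket


def parse_search_domains(resolv_conf_text):
    """Return the 'search' (or 'domain') entries from resolv.conf text."""
    domains = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("search", "domain"):
            domains.extend(parts[1:])
    return domains


def candidate_names(name, search_domains):
    """Names a search-path resolver may try for an unqualified hostname.
    A trailing dot marks the name as fully qualified, so no search applies."""
    if name.endswith("."):
        return [name]
    return [name] + [f"{name}.{d}" for d in search_domains]


def non_loopback(addresses):
    """Return the addresses that are not loopback (127/8 or ::1)."""
    bad = []
    for a in addresses:
        try:
            if not ipaddress.ip_address(a).is_loopback:
                bad.append(a)
        except ValueError:        # unparsable string: treat as suspicious
            bad.append(a)
    return bad


def resolve(name):
    """Live lookup via the system resolver; empty list if the name is absent."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def check(search_domains, resolver=resolve):
    """Map each candidate 'localhost' name to its non-loopback addresses.
    An empty dict means every form resolves only to loopback."""
    findings = {}
    for n in candidate_names("localhost", search_domains):
        bad = non_loopback(resolver(n))
        if bad:
            findings[n] = bad
    return findings


if __name__ == "__main__":
    with open("/etc/resolv.conf") as f:
        doms = parse_search_domains(f.read())
    for n, addrs in check(doms).items():
        print(f"WARNING: {n} resolves to non-loopback {addrs}")
```

Running it on a host with "search example.net" and a spoofed
"localhost.example.net. A 10.2.3.4" record (the thread's scenario) prints a
warning for that name; a clean host prints nothing.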