Subject: Re: localhost security hole
To: Alan Barrett <apb@cequrux.com>
From: Christian Limpach <chris@pin.lu>
List: current-users
Date: 06/29/2003 18:09:50
> > that may be, but it's specific to ipv4.  what about about ipv6
> > systems, where 127.0.0.1 is not a local ip address?
>
> Then use D{MTAHost}[::1] on IPv6 systems.

the sample submit.mc suggests:
dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]
(see gnu/dist/sendmail/cf/cf/submit.mc)
I think the focus is on IPv6 "only" or are there really systems which have
"127.0.0.1 is not a local ip address"...

> > otoh, the name localhost maps to an address in both spaces.
>
> OK, so use D{MTAHost}[localhost.] (with a trailing dot).  This setting
> is used to create network connections from smmsp to sendmail on the
> local host; it is not used as part of any email address, so trailing
> dots are legal here.  Using localhost without a trailing dot means that it
is
> subject to sendmail's stupid host name qualification, so it could be
> redirected to the wrong IP address if localhost.${domain} does not map to
> 127.0.0.1 or ::1.

this won't work since sendmail ignores the trailing dot.  I had first
changed it to use `localhost.' but that didn't work.  The network connection
is created with the relay mailer and I guess it inherently strips trailing
dots.  I wouldn't consider this a feature :-(

-- 
Christian Limpach <chris@pin.lu>