Subject: Re: sendmail (crackish?) error message question...
To: None <codewarrior@daemon.org>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: netbsd-help
Date: 12/17/1997 16:02:25

> >Dec 14 22:43:28 acheron sendmail[1464]: NOQUEUE: SYSERR: putoutmsg
> >(user844.theonramp.net): error on output channel sending "220
> >acheron.middleboro.ma.us ESMTP Sendmail 8.8.8/8.8.7; Sun, 14 Dec 1997
> >22:43:28 -0500 (EST)": Broken pipe
> >Dec 14 22:43:28 acheron sendmail[1464]: NOQUEUE: Null connection from
> >root@localhost
> 
> hmm...same pid.  although the first message notes the remote host (is
> that the remote host or you?),

That's the remote host.

> peculiar...it doesn't make sense.  that's not a "null connection from
> localhost".

It *is* rather confusing. The only way I can reproduce this is, as
was pointed out to me, by running sendmail from the command line as
root.

However, something to note is that, as you said, the two messages
show the same pid, and one of them references an outside system as
being the source of the connection. I'm starting to think that perhaps
my security *isn't* as swiss-cheesed as I thought. My guess is that
someone was trying to exploit a hole in sendmail that doesn't quite
work any more, with the new sendmail, anyway. I don't know enough
about sendmail to prove that, though.

> so...you're not even using sendmail?  perhaps you want to turn it off?
> or, like me, add a line like this to your cf file:
> 
>     O DaemonPortOptions=Addr=127.0.0.1

Hm. I *am* using sendmail, a couple ways. First, it checks its queue
every minute, as uucp dumps mail into sendmail's queue, rather than
invoking sendmail directly. Second, machines on my local network
use the sendmail when they send mail out. However, it looks like
DaemonPortOptions is just what I need. Thanks for pointing it out
to me! (I don't have the Bat Book, but I *do* have the Baby Bat Book,
and I was able to find that in there.)

> could be...that's certainly something i might do to someone i met on
> irc or a mud.  :)

Well, I can understand looking, but trying to grab root isn't exactly
sociable. :/ On the other hand, this is a wonderful excuse to stop
procrastinating over some security stuff I've been pondering.

> how much of a network do you have anyway?

It's not much, but I service a few Macs. I use ipnat, so it looks
like it'll be easy enough to use DaemonPortOptions to only allow
connections from inside, or connections from outside that have
been properly spoofed.

Thanks for the help!
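
An added example, not part of the original post: one way to do the pid correlation discussed above, pairing each "Null connection" entry with a `putoutmsg` error logged by the same sendmail process so the actual peer is visible. The first two sample lines are the log entries quoted in the thread, unwrapped; the third line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Lines 1-2: the entries quoted in the thread, unwrapped. Line 3: constructed.
SAMPLE_LOG = """\
Dec 14 22:43:28 acheron sendmail[1464]: NOQUEUE: SYSERR: putoutmsg (user844.theonramp.net): error on output channel sending "220 acheron.middleboro.ma.us ESMTP Sendmail 8.8.8/8.8.7; Sun, 14 Dec 1997 22:43:28 -0500 (EST)": Broken pipe
Dec 14 22:43:28 acheron sendmail[1464]: NOQUEUE: Null connection from root@localhost
Dec 14 22:50:01 acheron sendmail[1502]: NOQUEUE: Null connection from root@localhost
"""

# syslog prefix: timestamp, host, then "sendmail[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PUTOUT_RE = re.compile(r"SYSERR: putoutmsg \((?P<peer>[^)]+)\): error on output channel")
NULL_RE = re.compile(r"Null connection from (?P<who>\S+)")

def correlate(log_text):
    """Group sendmail entries by pid; record the peer named in a putoutmsg
    error and the identity named in a 'Null connection' entry."""
    by_pid = defaultdict(lambda: {"peer": None, "null_from": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail syslog line
        rec = by_pid[m["pid"]]
        if (p := PUTOUT_RE.search(m["msg"])):
            rec["peer"] = p["peer"]
        elif (n := NULL_RE.search(m["msg"])):
            rec["null_from"] = n["who"]
    return dict(by_pid)

def remote_null_connections(log_text):
    """Pids whose 'Null connection' entry shares a pid with a putoutmsg
    error naming another host: the connection came from that peer."""
    return {pid: r["peer"] for pid, r in correlate(log_text).items()
            if r["null_from"] and r["peer"] and r["peer"] != "localhost"}

if __name__ == "__main__":
    for pid, peer in remote_null_connections(SAMPLE_LOG).items():
        print(f"pid {pid}: null connection attributable to {peer}")
```

Pids are recycled, so on a long log the grouping should also be bounded by timestamp.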