Subject: Re: sendmail, identd, and firewalls (was: RE: More info: NetBSD 1.1 and sendmail, why is it so slow)
To: Jim Reid <jim.reid@eurocontrol.be>
From: Laine Stump <laine@MorningStar.Com>
List: netbsd-users
Date: 04/23/1997 21:13:49
Jim Reid writes:
> Laine> They should keep in mind that enabling outgoing identd is a
> Laine> security *plus*, not a minus.
>
> Nope. identd is at best security-neutral. You have no way of knowing
> if you can trust the information that the daemon returns unless you
> control the system running it. It can also be argued that the
> information handed out by identd - OS, user names and the like - is a
> security weakness and may violate data protection laws.
Please note that I said "outgoing". Allowing outgoing ident does not
allow anyone on the outside to know anything about *your* system, only
for you to learn about *their* system. The fact that ident hands out
this stuff is a good reason for you to turn off *incoming* ident, but
not outgoing - outgoing doesn't tell anything, it only learns. (If you
do turn it off in either direction, make sure your firewall does it
correctly, by responding with an ICMP Port Unreachable, so the other end
doesn't sit waiting for a timeout).
Also, as I said in my original message, if the person who has attempted
to connect to your sendmail has root access on the machine they are
using (or if it's just a PC), they can cause their machine to return any
username they like. However, using ident *does* catch attempts to spoof
by non-root users on systems with trustworthy operators. As long as you
don't make the mistake of believing ident will 100% guarantee you will
never receive spoofed mail messages, you can at least have some small
amount of comfort with the fact that it will catch *some* spoofed
messages from *some* systems; this is still much better than catching
*no* spoofed messages from *any* systems. So, it's not something to rely
on, but it will catch some attempts, and there's certainly no harm in that.
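The ident exchange the thread is arguing about (a mail server asking the peer's identd who owns an incoming connection, and the difference between a firewall that refuses the query and one that silently drops it), as an added example that is not part of the original post. It assumes the RFC 1413 wire format (`port , port` request; `port , port : USERID : opsys : userid` or `port , port : ERROR : code` reply); the loopback identd, the port numbers and the user name `alice` are constructed for the demonstration, and the reply is treated as log-only data because, as the post says, the peer can return whatever it likes.

```python
"""Minimal RFC 1413 (ident) client, written from the defender's side:
ask the peer's identd who owns a TCP connection, then treat the answer
as untrusted, log-only data (the peer can return anything it likes).
Added example, not code from the original thread; the loopback identd
and the names below are constructed for demonstration."""
import socket
import threading

IDENT_PORT = 113  # well-known ident port


def build_ident_request(peer_port: int, local_port: int) -> str:
    # Request line: "<port on the identd host> , <port on our side>\r\n"
    return f"{peer_port} , {local_port}\r\n"


def parse_ident_response(line: str) -> dict:
    """Parse one ident reply line into a dict with 'server_port',
    'client_port', 'type' and either 'opsys'+'userid' or 'error'.
    Raises ValueError on anything malformed."""
    head, sep, rest = line.rstrip("\r\n").partition(":")
    if not sep:
        raise ValueError("missing ':' after port pair")
    try:
        sport, cport = (int(p) for p in head.split(","))
    except ValueError:
        raise ValueError("bad port pair") from None
    fields = rest.split(":", 2)  # a userid may itself contain ':'
    kind = fields[0].strip().upper()
    out = {"server_port": sport, "client_port": cport, "type": kind}
    if kind == "USERID" and len(fields) == 3:
        out["opsys"], out["userid"] = fields[1].strip(), fields[2].strip()
    elif kind == "ERROR" and len(fields) == 2:
        out["error"] = fields[1].strip()
    else:
        raise ValueError(f"unrecognised reply: {line!r}")
    return out


def query_ident(peer_host, peer_port, local_port, timeout=5.0, ident_port=IDENT_PORT):
    """Ask identd on peer_host which user owns peer_port<->local_port.
    Returns the parsed reply, or None if the peer refuses or stays silent."""
    try:
        with socket.create_connection((peer_host, ident_port), timeout=timeout) as s:
            s.sendall(build_ident_request(peer_port, local_port).encode("ascii"))
            data = b""
            while not data.endswith(b"\n") and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
        return parse_ident_response(data.decode("ascii", "replace"))
    except (OSError, ValueError):
        # ECONNREFUSED: the peer (or its firewall) answered with RST/ICMP
        # unreachable, so we fail fast. socket.timeout: packets were
        # silently dropped, and the caller stalled for `timeout` seconds.
        return None


def _fake_identd(reply: bytes, ready: threading.Event, info: dict) -> None:
    # Constructed stand-in for a remote identd on an ephemeral loopback port.
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        info["port"] = srv.getsockname()[1]
        ready.set()
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)  # read (and ignore) the request line
            conn.sendall(reply)


def demo_loopback() -> dict:
    """A mail server on port 25 got a connection from peer port 40001 and
    asks the peer's identd about it. Returns the parsed reply."""
    ready, info = threading.Event(), {}
    t = threading.Thread(target=_fake_identd, daemon=True,
                         args=(b"40001 , 25 : USERID : UNIX : alice\r\n", ready, info))
    t.start()
    ready.wait(2)
    reply = query_ident("127.0.0.1", 40001, 25, timeout=2, ident_port=info["port"])
    t.join(2)
    return reply


def demo_refused():
    """Query a loopback port nobody listens on: the kernel answers with RST,
    so query_ident returns None at once instead of waiting for a timeout."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        closed_port = probe.getsockname()[1]
    return query_ident("127.0.0.1", 40001, 25, timeout=2, ident_port=closed_port)


if __name__ == "__main__":
    print("loopback identd said:", demo_loopback())
    print("closed port gave:", demo_refused())
```

`demo_refused` is the case the post recommends: a closed port (or a firewall that rejects with RST or ICMP Port Unreachable) makes the query return immediately. A firewall that silently drops port 113 instead turns every ident lookup into a full `timeout` wait, which is the sendmail slowness the original thread was about. Whatever `userid` comes back belongs in the log line next to the connection, never in an access decision.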