Subject: Re: localhost security hole
To: Alan Barrett <>
From: Christian Limpach <>
List: tech-security
Date: 06/29/2003 18:09:50
> > that may be, but it's specific to ipv4.  what about ipv6
> > systems, where is not a local ip address?
> Then use D{MTAHost}[::1] on IPv6 systems.

the sample suggests:
dnl If you use IPv6 only, change [] to [IPv6:::1]
(see gnu/dist/sendmail/cf/cf/
I think the focus is on IPv6 "only" or are there really systems which have
" is not a local ip address"...

> > otoh, the name localhost maps to an address in both spaces.
> OK, so use D{MTAHost}[localhost.] (with a trailing dot).  This setting
> is used to create network connections from smmsp to sendmail on the
> local host; it is not used as part of any email address, so trailing
> > dots are legal here.  Using localhost without a trailing dot means that it
> > is subject to sendmail's stupid host name qualification, so it could be
> redirected to the wrong IP address if localhost.${domain} does not map to
> or ::1.

this won't work since sendmail ignores the trailing dot.  I had first
changed it to use `localhost.' but that didn't work.  The network connection
is created with the relay mailer and I guess it inherently strips trailing
dots.  I wouldn't consider this a feature :-(

Christian Limpach <>
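
An added example, not part of the original message and not sendmail code: a check an administrator could run to see whether a given D{MTAHost} value can end up at a non-loopback address on this host. The function names, the sample domain example.org, and the model of host name qualification (a single-label name is also tried with the local domain appended, and the trailing dot is ignored as reported above) are assumptions for illustration; it queries the system resolver, not sendmail's own lookup path.

```python
import ipaddress
import socket


def system_resolve(name):
    """Return every address the local resolver gives for name (empty if none)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def audit_mta_host(value, domain, resolve=system_resolve):
    """Check one D{MTAHost} value; return (candidate, address, is_loopback) rows."""
    host = value.strip()
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    if host.lower().startswith("ipv6:"):
        host = host[5:]
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        # Address literals are never looked up, so only the value itself matters.
        return [(host, str(literal), literal.is_loopback)]
    # Assumption from the thread: the trailing dot is ignored, so the bare
    # name may also be tried with the local domain appended.
    bare = host.rstrip(".")
    candidates = [bare]
    if "." not in bare and domain:
        candidates.append(bare + "." + domain.strip("."))
    rows = []
    for name in candidates:
        for addr in resolve(name):
            ip = ipaddress.ip_address(addr.split("%")[0])  # drop any zone id
            rows.append((name, addr, ip.is_loopback))
    return rows


def is_safe(rows):
    """Safe only if something resolved and every address is loopback."""
    return bool(rows) and all(ok for _, _, ok in rows)


if __name__ == "__main__":
    for row in audit_mta_host("[localhost.]", "example.org"):
        print(row)
```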