Newsgroups: comp.mail.sendmail
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!malgudi!osc.edu!karl.kleinpaste
From: karl.kleinpaste@osc.edu
Subject: Re: Security in sendmail and SMTP?
Message-ID: <1991Jun3.132342.16685@oar.net>
Sender: news@oar.net
Nntp-Posting-Host: ashley.osc.edu
Organization: Viento Gigabit Testbed, Ohio Supercomputer Center
References: <1443@idcapd.idca.tds.philips.nl>
Date: Mon, 3 Jun 1991 14:21:56 GMT
Lines: 82

dejong@idca.tds.philips.nl writes:
   1) Sendmail has no possibility to change headers in a mail item. It can add
      header lines, but will not affect them when they are present.
   2) The only exception seems to be the From: line, but only the machine name
      part of the address. Changing that requires root permission. 
      But the user can directly set the username as well as the full name.

When suitably (mis-)configured, sendmail can hack on nearly any header
present.  It will definitely hack on Sender:, From:, To:, Cc:, and (I
believe) Reply-To:.  Your particular installation may leave more
things alone that someone else's.  This has to do with how much there
is to your rulesets such as S1 and S2 in particular, and whether S3 is
particularly relevant to how your installation canonicalizes.  For
myself, S3 is nearly the entire universe of hacking, and S[12] are
empty.

   3) SMTP uses no passwords. So any machine that can connect to another
      machine will be accepted as the machine it pretends to be (i.e.,
      whatever is in the HELO command or MAIL FROM: command is accepted.

It will be accepted, yes; but the Received: header will normally
reflect what sendmail believed to be the case regarding the host to
which it was speaking at the time; for example:

Received: from bogus.name.org (real.entity.edu) by my.host.com

What you see there is that the originating SMTP speaker identified
itself during HELO as bogus.name.org.  Regardless of the speaker's
claims, sendmail knows the IP addr of the origin, and it calls
gethostbyaddr() to learn that it was really real.entity.edu which was
connected at the time.

   1) Are my observations correct?

Partly.

   2) Are there options in sendmail to avoid that the user can pretend to send
      mail as someone else?

There is no fundamental way to prevent the sending of mail as someone
other than oneself; anyone can "telnet desti.nation.edu smtp" and
find themselves speaking to the right program, and can speak the SMTP
dialogue as well as an SMTP-speaking program.  If you're careful, you
can do a very complete forgery.

See RFCs 1113, 1114, and 1115 for details on privacy-enhanced mail.  I
am not aware of much yet in the way of implementations of these, but
progress is being made -- I think there's an IETF group working on the
problem.

   3) Reading RFC821, the From: line may be set to indicate another
      user than the one actually sending. In that case there should be
      a Sender: line present to indicate who the actual sender is. But
      sendmail doesn't seem to enforce this.

In that case, your sendmail is broken somehow.  The only way that
sendmail should allow a modified From: field to pass is if the sending
user is one of the "trusted users" (T entry in sendmail.cf).
Otherwise, a Sender: identifying the real user is added -- mine does it.

      At the same time, it
      doesn't allow for a different machine name in From: than the own
      machine (unless I am superuser).

That's a question of the configuration.  You can do many, varied, and
weird things to what sorts of origin hostnames you identify in From:
via suitable hacks to sendmail.cf, and I don't know why any of it
would necessarily be affected by superuser status (except as a trusted
user again, but I don't think this falls into those categories).  A
common thing for a configuration to do is to hide individual hostnames
for a set of hosts within a single (sub)domain, if the user is
reachable at the host which is the "domain head."  In such a case, the
Received: and Message-Id: headers may contain notations of individual
hosts, but things like From: and Reply-To: will generally contain only
a top-level domain name.

      Is there literature outside RFC821 that describes how the From:, Sender:,
      Resent-From: and Resent-Sender: lines have to be treated.

See RFC1123, in part.

--karl
