Archive-Date: Mon, 2 Dec 2002 09:38:41 -0800 Date: Mon, 2 Dec 2002 09:38:37 -0800 From: Matt Madison Reply-To: MX-List@MadGoat.com To: mx-list@madgoat.com Message-ID: <00A17D6F.0DB4A63F.5@MadGoat.Com> Subject: Important Security Notice for all versions of MX MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="iso-8859-1" A potential security vulnerability has been discovered in all versions of MX V4 and V5, which could allow a malicious user to execute arbitrary DCL commands with elevated system privileges. ECO kits have been published for the following MX releases: Supported releases: MX V5.3: ftp://ftp.madgoat.com/mx/mx053/ecos/eco02_mx053.zip MX V5.2: ftp://ftp.madgoat.com/mx/mx052/ecos/eco09_mx052.zip Releases no longer supported: MX V5.1A: ftp://ftp.madgoat.com/mx/mx051-a/ecos/mx051-a_eco06.zip MX V5.1: ftp://ftp.madgoat.com/mx/mx051/ecos/mx051_eco17.zip MX V4.2 (freeware): ftp://ftp.madgoat.com/mx/mx042/secupd/mx042_secupd.zip If you are still running an unsupported V5 release, we recommend upgrading to MX V5.3 and installing the ECO 2 kit for V5.3; upgrades are covered by your existing MX V5 license at no additional charge. However, if an updgrade is not possible, the ECO kits listed above can be used to eliminate the potential vulnerability. Please note that as always, these ZIP files are in VMS ZIP format and must be unzipped on a VMS system to create files with the correct file attributes. A copy of VMS UNZIP is also available from ftp.madgoat.com. If you have trouble downloading or installing these updates, or are running a version of MX that is not listed here, please contact us at mx-secupd-help@madgoat.com. -- Matthew Madison | MadGoat Software | PO Box 556, Santa Cruz, CA 95061 USA madison@madgoat.com http://www.madgoat.com ================================================================================ Archive-Date: Thu, 5 Dec 2002 04:37:49 -0800 Message-ID: <001d01c29c5b$804110e0$c7130150@custom-pc> From: "Mark Iline" Reply-To: MX-List@MadGoat.com To: Subject: Possible problem from: Important Security Notice for all versions of MX Date: Thu, 5 Dec 2002 12:40:31 -0000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Firstly, thanks to MadGoat for providing the ECO kits. Having installed the ECO (on MX 4.2 , OpenVMS Alpha v7.2-2 , Compaq TCP/IP V5.1 - ECO 4) , I've subsequently noticed a problem which I hadn't noticed before, so therefore may be related. I've noticed some e-mails that were "X-MX-Comment: QUOTED-PRINTABLE message automatically decoded" having sections of text that are truncated at about 250 characters in length. Unfortunately, I don't have the original (non-truncated) e-mails to see exactly what's happened Whilst previously I did occasionally see truncated text, it was fairly rare, and seemed to happen with some specific mailers and long-ish paragraphs - I'd guess >1024 characters. ie less frequently, and longer paragraphs than I'm now noticing. Given that I've noticed this after applying the ECO, and the images the ECO replaced, I wonder if they're related ? From our point of view, I think I'd be quite happy to turn off the automatic decoding of these messages, as most people here will read them via a pop3 mailer anyway. However, searching the docs and help, it wasn't obvious how to do this. Is this possible ? Thanks for any help. Mark Mark Iline IT Mgr UCL Mech Eng UK system@meng.ucl.ac.uk -----Original Message----- From: Matt Madison To: mx-list@madgoat.com Date: 02 December 2002 16:42 Subject: Important Security Notice for all versions of MX >A potential security vulnerability has been discovered in all >versions of MX V4 and V5, which could allow a malicious user >to execute arbitrary DCL commands with elevated system privileges. > >ECO kits have been published for the following MX releases: > >Supported releases: > MX V5.3: ftp://ftp.madgoat.com/mx/mx053/ecos/eco02_mx053.zip > MX V5.2: ftp://ftp.madgoat.com/mx/mx052/ecos/eco09_mx052.zip > >Releases no longer supported: > MX V5.1A: ftp://ftp.madgoat.com/mx/mx051-a/ecos/mx051-a_eco06.zip > MX V5.1: ftp://ftp.madgoat.com/mx/mx051/ecos/mx051_eco17.zip > MX V4.2 (freeware): ftp://ftp.madgoat.com/mx/mx042/secupd/mx042_secupd.zip > >If you are still running an unsupported V5 release, we recommend >upgrading to MX V5.3 and installing the ECO 2 kit for V5.3; upgrades >are covered by your existing MX V5 license at no additional charge. >However, if an updgrade is not possible, the ECO kits listed above >can be used to eliminate the potential vulnerability. > >Please note that as always, these ZIP files are in VMS ZIP format >and must be unzipped on a VMS system to create files with the >correct file attributes. A copy of VMS UNZIP is also available >from ftp.madgoat.com. > >If you have trouble downloading or installing these updates, or are >running a version of MX that is not listed here, please contact us >at mx-secupd-help@madgoat.com. > >-- >Matthew Madison | MadGoat Software | PO Box 556, Santa Cruz, CA 95061 USA >madison@madgoat.com http://www.madgoat.com > ================================================================================ Archive-Date: Thu, 5 Dec 2002 06:42:51 -0800 Date: Thu, 5 Dec 2002 06:42:46 -0800 From: Matt Madison Reply-To: MX-List@MadGoat.com To: MX-List@MadGoat.com CC: system@meng.ucl.ac.uk Message-ID: <00A17FB1.FC2BF0BC.1@MadGoat.Com> Subject: RE: Possible problem from: Important Security Notice for all versions of MX MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="iso-8859-1" >Firstly, thanks to MadGoat for providing the ECO kits. > >Having installed the ECO (on MX 4.2 , OpenVMS Alpha v7.2-2 , Compaq TCP/IP >V5.1 - ECO 4) , I've subsequently noticed a problem which I hadn't noticed >before, so therefore may be related. > >I've noticed some e-mails that were "X-MX-Comment: QUOTED-PRINTABLE message >automatically decoded" having sections of text that are truncated at about >250 characters in length. Unfortunately, I don't have the original >(non-truncated) e-mails to see exactly what's happened I have updated the kit for V4.2 to include the changes to eliminate the 255-character line-length limitation. Those changes were made in a prior patch kit, and I just hadn't updated my sources to include them. As before, the security update kit for V4.2 is at: ftp://ftp.madgoat.com/mx/mx042/secupd/mx042_secupd.zip -Matt -- Matthew Madison | MadGoat Software | PO Box 556, Santa Cruz, CA 95061 USA madison@madgoat.com http://www.madgoat.com ================================================================================ Archive-Date: Fri, 20 Dec 2002 05:16:20 -0800 Date: Fri, 20 Dec 2002 05:16:01 -0800 (PST) From: Alan Winston - SSRL Central Computing Subject: Relays, Listserv, and 4.2 To: mx-list@madgoat.com Reply-To: MX-List@MadGoat.com Message-ID: <01KQ8RTK7HLOAKTJY9@SSRL.SLAC.STANFORD.EDU> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=us-ascii Content-Transfer-Encoding: 7BIT MXers -- So I wanted to run LISTSERV-LITE Free Edition on my home VMS box (DSL connection, static IP address, essentially a hobbyist system), and it turns out that it needs MX or PMDF if you want to talk to it at all. With Arne V's help, I got MX 4.2 working (VMS AXP 7.2-2, TCP/IP Services 5.1-3) and now I can send mail to LISTSERV and get a response. I had formerly had the TCP/IP Services SMTP set up to recognize the other four boxes on my LAN and allow relaying from those, but from nowhere else. I still want to make the VMS box the mail gateway for my Mac and PC boxes. I think the MX SMTP Server has to run if the mail is going to go in and get passed appropriately to the LSV channel. But the 4.2 SMTP server doesn't appear to have any qualms about relaying for all and sundry. (If I had a second VMS box running I could install MX and Listserv Lite there with a non-routable 192... address and make the regular VMS box its mail gateway, but I don't.) I know payware versions of MX have all kinds of anti-spam stuff. At present I just need to be able to disable relaying from outside. Is there any way I can do this without spending money (or learning enough BLISS to rewrite SMTP)? I really don't want to pop $500 for MX just in order to run a free LISTSERV, especially when all I really need are the relay-tuning capabilities available in current versions of TCP/IP services. Thanks, -- Alan =============================================================================== Alan Winston --- WINSTON@SSRL.SLAC.STANFORD.EDU Disclaimer: I speak only for myself, not SLAC or SSRL Phone: 650/926-3056 Paper mail to: SSRL -- SLAC BIN 99, 2575 Sand Hill Rd, Menlo Park CA 94025 =============================================================================== ================================================================================ Archive-Date: Fri, 20 Dec 2002 05:42:29 -0800 From: "Kurt A. Schumacher" Reply-To: MX-List@MadGoat.com To: Subject: RE: Relays, Listserv, and 4.2 Date: Fri, 20 Dec 2002 14:42:13 +0100 Message-ID: <008701c2a82d$9ae0be90$14010a0a@home.schumi.ch> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit In-Reply-To: <01KQ8RTK7HLOAKTJY9@SSRL.SLAC.STANFORD.EDU> Alan, Make Matt a reasonable offer and I am convinced you get what you desire. Just curious: - What can LISTSERV-LITE better then MX for your distribution list members? - What for do you need a higher MX version when you have "all I really need are the relay-tuning capabilities available in current versions of TCP/IP services" and therefore a reasonable (but far from carrier class) SMTP environment? Beside the features you are missing in the free version, MX 5.3 has - A powerful Mailing List/file server, including archive, subscription list confirmation... - Delivery Status Notifications (DSNs): RFC 1891, 1892, 1893, 1894 - Remote Message Queue Starting (ETRN): RFC 1985 - Message Size Declaration (SIZE): RFC 1870 - SMTP Authentication: RFC 2554 - REJMAN facility to maintain a database of filters based on source addresses, source/destination address combinations, specific header contents. It also configures heuristic rules for filtering junk mail based on combinations of headers. - Domain Name System lookups of host names contained in source addresses can be required. - The SMTP server can be configured to prevent "relays" of messages, accepting only those messages coming from or going to one of your local systems. -Kurt. -----Original Message----- From: Alan Winston - SSRL Central Computing [mailto:winston@SLAC.Stanford.EDU] Sent: Friday, December 20, 2002 2:16 PM To: mx-list@madgoat.com Subject: Relays, Listserv, and 4.2 MXers -- So I wanted to run LISTSERV-LITE Free Edition on my home VMS box (DSL connection, static IP address, essentially a hobbyist system), and it turns out that it needs MX or PMDF if you want to talk to it at all. With Arne V's help, I got MX 4.2 working (VMS AXP 7.2-2, TCP/IP Services 5.1-3) and now I can send mail to LISTSERV and get a response. I had formerly had the TCP/IP Services SMTP set up to recognize the other four boxes on my LAN and allow relaying from those, but from nowhere else. I still want to make the VMS box the mail gateway for my Mac and PC boxes. I think the MX SMTP Server has to run if the mail is going to go in and get passed appropriately to the LSV channel. But the 4.2 SMTP server doesn't appear to have any qualms about relaying for all and sundry. (If I had a second VMS box running I could install MX and Listserv Lite there with a non-routable 192... address and make the regular VMS box its mail gateway, but I don't.) I know payware versions of MX have all kinds of anti-spam stuff. At present I just need to be able to disable relaying from outside. Is there any way I can do this without spending money (or learning enough BLISS to rewrite SMTP)? I really don't want to pop $500 for MX just in order to run a free LISTSERV, especially when all I really need are the relay-tuning capabilities available in current versions of TCP/IP services. Thanks, -- Alan ======================================================================== ======= Alan Winston --- WINSTON@SSRL.SLAC.STANFORD.EDU Disclaimer: I speak only for myself, not SLAC or SSRL Phone: 650/926-3056 Paper mail to: SSRL -- SLAC BIN 99, 2575 Sand Hill Rd, Menlo Park CA 94025 ======================================================================== ======= ================================================================================ Archive-Date: Fri, 20 Dec 2002 09:18:01 -0800 From: "Virginia Metze" Reply-To: MX-List@MadGoat.com To: Subject: RE: Relays, Listserv, and 4.2 Date: Fri, 20 Dec 2002 11:17:51 -0600 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit In-Reply-To: <01KQ8RTK7HLOAKTJY9@SSRL.SLAC.STANFORD.EDU> Are you running VMS on an Intel processor? How slow is it? I am very interested in this. I didn't realize that MX listserv was feature competitive with listserv-lite. Thanks for this information. I am concerned about interfacing to anti-virus protection as well. Ginny > -----Original Message----- > From: Alan Winston - SSRL Central Computing > [mailto:winston@SLAC.Stanford.EDU] > Sent: Friday, December 20, 2002 7:16 AM > To: mx-list@madgoat.com > Subject: Relays, Listserv, and 4.2 > > > MXers -- > > So I wanted to run LISTSERV-LITE Free Edition on my home VMS box (DSL > connection, static IP address, essentially a hobbyist system), > and it turns out > that it needs MX or PMDF if you want to talk to it at all. > > With Arne V's help, I got MX 4.2 working (VMS AXP 7.2-2, TCP/IP Services > 5.1-3) and now I can send mail to LISTSERV and get a response. > > I had formerly had the TCP/IP Services SMTP set up to recognize > the other four > boxes on my LAN and allow relaying from those, but from nowhere > else. I still > want to make the VMS box the mail gateway for my Mac and PC boxes. > > I think the MX SMTP Server has to run if the mail is going to go > in and get > passed appropriately to the LSV channel. But the 4.2 SMTP server doesn't > appear to have any qualms about relaying for all and sundry. > > (If I had a second VMS box running I could install MX and > Listserv Lite there > with a non-routable 192... address and make the regular VMS box its mail > gateway, but I don't.) > > I know payware versions of MX have all kinds of anti-spam stuff. > At present I > just need to be able to disable relaying from outside. Is there > any way I can > do this without spending money (or learning enough BLISS to > rewrite SMTP)? I > really don't want to pop $500 for MX just in order to run a free LISTSERV, > especially when all I really need are the relay-tuning > capabilities available > in current versions of TCP/IP services. > > Thanks, > > -- Alan > > > ================================================================== > ============= > Alan Winston --- WINSTON@SSRL.SLAC.STANFORD.EDU > Disclaimer: I speak only for myself, not SLAC or SSRL Phone: > 650/926-3056 > Paper mail to: SSRL -- SLAC BIN 99, 2575 Sand Hill Rd, Menlo > Park CA 94025 > ================================================================== > ============= > ================================================================================ Archive-Date: Sat, 21 Dec 2002 13:25:52 -0800 Date: Sat, 21 Dec 2002 12:52:38 -0800 (PST) From: Alan Winston - SSRL Central Computing Subject: re: Relays, Listserv, and 4.2 In-Reply-To: "Your message dated Sat, 21 Dec 2002 05:00:01 -0800" <00A18C36.4839C091.1@MadGoat.Com> To: MX-List Manager CC: MX-List-Digest@MadGoat.Com Reply-To: MX-List@MadGoat.com Message-ID: <01KQAN7TVHQMAKTJY9@SSRL.SLAC.STANFORD.EDU> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=us-ascii Content-Transfer-Encoding: 7BIT (I'm a digest subscriber, so didn't see the answers right away.) Virginia Metze asked: > Are you running VMS on an Intel processor? Nope, my home machine is an Alpha (EV56 533mhz); I bought it through Island Computers. Since I'm employed by a university I can use the EDU base VMS license; not having to buy the VMS license made it pretty cheap. Kurt wrote: > Make Matt a reasonable offer and I am convinced you get what you desire. Maybe I'll try that. > Just curious: > - What can LISTSERV-LITE better then MX for your distribution list > members? The feature comparison I've done was between the free LISTSERV-LITE and the free MX (which is 4.2). I'm quite familiar with 4.2, since I'm using it to run mailing lists on a machine at work, but that machine is behind a mail gateway that runs PMDF and thus doesn't have to worry about relays (or, since the gateway is configured to strip executable attachments, most viruses). What I find I need and don't have in mailing lists: (1) The ability to filter attachments so everything that goes to the list is text/plain. (2) A maximum size limit on each post. (3) The ability for the server to process user requests that come in text/html mailers. Other things Listserv offers that look good, although I don't strictly need them, include digests in chronological order within thread, optional mimeified digests that make each message separately replyable, and a fully-developed web-based administration and archive access tool. Oh, and the ability (via subscription confirmation) for people to unsubscribe old addresses, which I have to do manually now. What it doesn't have is a built-in way to get mail coming in from j-random SMTP server. It needs PMDF or MX; there is no free, EDU, or hobbyist PMDF (and PMDF is massive overkill for my little home LAN anyway), so it's MX. > - What for do you need a higher MX version when you have "all I really > need are the relay-tuning capabilities available in current versions of > TCP/IP services" and therefore a reasonable (but far from carrier class) > SMTP environment? > Beside the features you are missing in the free version, MX 5.3 has > - A powerful Mailing List/file server, including archive, subscription > list confirmation... > - Delivery Status Notifications (DSNs): RFC 1891, 1892, 1893, 1894 > - Remote Message Queue Starting (ETRN): RFC 1985 > - Message Size Declaration (SIZE): RFC 1870 > - SMTP Authentication: RFC 2554 > - REJMAN facility to maintain a database of filters based on source > addresses, source/destination address combinations, specific header > contents. It also configures heuristic rules for filtering junk mail > based on combinations of headers. > - Domain Name System lookups of host names contained in source addresses > can be required. > - The SMTP server can be configured to prevent "relays" of messages, > accepting only those messages coming from or going to one of your local > systems. But does it do what I need for mailing lists? -- Alan =============================================================================== Alan Winston --- WINSTON@SSRL.SLAC.STANFORD.EDU Disclaimer: I speak only for myself, not SLAC or SSRL Phone: 650/926-3056 Paper mail to: SSRL -- SLAC BIN 99, 2575 Sand Hill Rd, Menlo Park CA 94025 =============================================================================== ================================================================================ Archive-Date: Sat, 21 Dec 2002 13:47:09 -0800 From: "Kurt A. Schumacher" Reply-To: MX-List@MadGoat.com To: Subject: RE: Relays, Listserv, and 4.2 Date: Sat, 21 Dec 2002 22:46:21 +0100 Message-ID: <00c701c2a93a$68c4a3f0$14010a0a@home.schumi.ch> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit In-Reply-To: <01KQAN7TVHQMAKTJY9@SSRL.SLAC.STANFORD.EDU> (1) The ability to filter attachments so everything that goes to the list is text/plain. MCP> define list /text_only (yes, just kind of, the hotmail users will be locked out...) (2) A maximum size limit on each post. ... /maximum_message_size (3) The ability for the server to process user requests that come in text/html mailers. Nachricht

Help
review

...does what's it's supposed to do for example. A "quit" at the end might avoid unness' feedback. Finally Matt will jump on your points after the holidays. -Kurt. -----Original Message----- From: Alan Winston - SSRL Central Computing [mailto:winston@SLAC.Stanford.EDU] Sent: Saturday, December 21, 2002 9:53 PM To: MX-List Manager Cc: MX-List-Digest@MadGoat.Com Subject: re: Relays, Listserv, and 4.2 (I'm a digest subscriber, so didn't see the answers right away.) Virginia Metze asked: > Are you running VMS on an Intel processor? Nope, my home machine is an Alpha (EV56 533mhz); I bought it through Island Computers. Since I'm employed by a university I can use the EDU base VMS license; not having to buy the VMS license made it pretty cheap. Kurt wrote: > Make Matt a reasonable offer and I am convinced you get what you > desire. Maybe I'll try that. > Just curious: > - What can LISTSERV-LITE better then MX for your distribution list > members? The feature comparison I've done was between the free LISTSERV-LITE and the free MX (which is 4.2). I'm quite familiar with 4.2, since I'm using it to run mailing lists on a machine at work, but that machine is behind a mail gateway that runs PMDF and thus doesn't have to worry about relays (or, since the gateway is configured to strip executable attachments, most viruses). What I find I need and don't have in mailing lists: (1) The ability to filter attachments so everything that goes to the list is text/plain. (2) A maximum size limit on each post. (3) The ability for the server to process user requests that come in text/html mailers. Other things Listserv offers that look good, although I don't strictly need them, include digests in chronological order within thread, optional mimeified digests that make each message separately replyable, and a fully-developed web-based administration and archive access tool. Oh, and the ability (via subscription confirmation) for people to unsubscribe old addresses, which I have to do manually now. What it doesn't have is a built-in way to get mail coming in from j-random SMTP server. It needs PMDF or MX; there is no free, EDU, or hobbyist PMDF (and PMDF is massive overkill for my little home LAN anyway), so it's MX. > - What for do you need a higher MX version when you have "all I really > need are the relay-tuning capabilities available in current versions > of TCP/IP services" and therefore a reasonable (but far from carrier > class) SMTP environment? > Beside the features you are missing in the free version, MX 5.3 has > - A powerful Mailing List/file server, including archive, subscription > list confirmation... > - Delivery Status Notifications (DSNs): RFC 1891, 1892, 1893, 1894 > - Remote Message Queue Starting (ETRN): RFC 1985 > - Message Size Declaration (SIZE): RFC 1870 > - SMTP Authentication: RFC 2554 > - REJMAN facility to maintain a database of filters based on source > addresses, source/destination address combinations, specific header > contents. It also configures heuristic rules for filtering junk mail > based on combinations of headers. > - Domain Name System lookups of host names contained in source > addresses can be required. > - The SMTP server can be configured to prevent "relays" of messages, > accepting only those messages coming from or going to one of your > local systems. But does it do what I need for mailing lists? -- Alan ======================================================================== ======= Alan Winston --- WINSTON@SSRL.SLAC.STANFORD.EDU Disclaimer: I speak only for myself, not SLAC or SSRL Phone: 650/926-3056 Paper mail to: SSRL -- SLAC BIN 99, 2575 Sand Hill Rd, Menlo Park CA 94025 ======================================================================== ======= ================================================================================ Archive-Date: Tue, 31 Dec 2002 06:04:06 -0800 Message-ID: <3E11A3DB.2080801@SMTP.DeltaTel.RU> Date: Tue, 31 Dec 2002 17:04:11 +0300 From: "Ruslan R. Laishev" Reply-To: MX-List@MadGoat.com MIME-Version: 1.0 To: MX-List@MadGoat.com Subject: HNY Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Happy New Year, Matt, and all MX users! -- Cheers, +OpenVMS [Sys|Net] HardWorker .......................................+ Delta Telecom Inc., NMT-450i, IMT-MC-450(CDMA) cellular operator Russia,191119,St.Petersburg,Transportny per. 3 Cel: +7 (812) 116-3222 +http://starlet.deltatel.ru ................. Frying on OpenVMS only +