Hi,
Earlier this week I had posted the following question to the group
regarding Sendmail.
>
> I came across a "feature" in sendmail where a user can send a mail message
> out to others under a fictitious name. Our domain is "beaver.edu" so if
> a student types "telnet beaver.edu 25" they can send a message to anyone
> under any name they want, and the recipient will have no idea from whom the
> message is. Is there a way to prevent this?
>
Most of the replies I got pointed in the direction that nothing can be
done about this potential problem, but some did give useful suggestions,
which are:
I. From: pas_at_keokuk.unh.edu  Fri Jun 2 14:23:18 1995
I believe the standard answer is ``no, not really.'' If you're willing
to do some work, you can get Berkeley sendmail (ftp.cs.berkeley.edu)
and configure it to ask for and record the identity of the user connecting to
your host. The user's real identity winds up in the mail header.
(This works if the sending host is running identd, or something
similar, otherwise it doesn't help you.)
II. From: Don McKillican <dmckilli_at_QC.Bell.CA>
This is a general problem, not with sendmail, but rather with the
entire SMTP protocol: it provides no way to authenticate the sender
or contents of a message.
The only real thing you can do about it is to use some form of
public-key/private-key encryption and authentication such as PGP
or PEM. These allow you to check, when you receive a message,
that it really was from the person it says it is, and that it
has not been tampered with since he signed it. As an added bonus,
these packages also allow you to encrypt a message when you send
it, so that only the recipients will be able to read it.
III. From: Ross Alexander <rwa_at_cs.athabascau.ca>
One solution is to hack sendmail to do a pidentd call and refuse
non-root connections. You'll need the sendmail sources for this - I
think they live at gatekeeper.dec.com. You'll also need to tack up a
pidentd server, which you can find at the same place.
Alternatively, teach your users to view From: lines with some
suspicion. Or use one of the various digital signature packages, like
PGP.
IV. From: nicolis_at_celfi.phys.univ-tours.fr
Yes - get the latest version of sendmail, 8.6.12. Any version greater or equal
to 8.6.9 prevents the problem you mention - those after that correct some
other stuff.
******************************************************************************
Param Bedi                                   Phone: (215)572-4019
Information Systems & Networking Manager     FAX:   (215)572-0240
Beaver College
bedi_at_beaver.edu
To err is human; to really screw up it takes a computer.
******************************************************************************
Received on Fri Jun 02 1995 - 21:16:14 NZST
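Reply I's point, that sendmail records the connecting host (and, where that host answers identd, the connecting user) in the Received: headers, can be turned into a check on the receiving side: compare the From: header with what your own relays wrote down. The Python script below is an added example, not code from this thread or from sendmail. It assumes the Received: line shape that sendmail 8 writes ("from host (user@host [ip]) by host ..."), and the relay names, host names, addresses and ident user names in the samples are constructed for illustration.

```python
"""Compare a message's From: header with the Received: trail left by our own
sendmail relays. Added example; hostnames, addresses and ident user names are
constructed, not taken from the original thread."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

LOCAL_DOMAIN = "beaver.edu"                      # the domain from the question
RELAYS = {"beaver.edu", "mailhub.beaver.edu"}    # hypothetical names of our own MTAs


def in_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a host inside it (not 'notbeaver.edu')."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def received_hops(raw: str):
    """Yield (from_host, ident_user, by_host) per Received: header, newest first.
    Sendmail 8 writes 'from <host> (<user>@<host> [<ip>]) by <host> ...' when the
    connecting host answered an identd query; ident_user is None otherwise."""
    msg = message_from_string(raw, policy=policy.default)
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())       # unfold continuation lines
        m_from = re.match(r"from\s+([^\s(;]+)", text, re.I)
        m_by = re.search(r"\bby\s+([^\s(;]+)", text, re.I)
        if not (m_from and m_by):
            continue                              # not a hop we understand
        m_ident = re.match(r"from\s+\S+\s+\(([^@\s()]+)@", text, re.I)
        yield (m_from.group(1).lower(),
               m_ident.group(1) if m_ident else None,
               m_by.group(1).lower())


def check_from_header(raw: str, relays=RELAYS, local_domain=LOCAL_DOMAIN) -> list:
    """Return findings (empty list = nothing inconsistent). Only hops recorded
    by our own relays are believed: any Received: line below the entry hop could
    have been typed in by whoever opened the SMTP connection."""
    msg = message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    local_part, _, from_dom = from_addr.partition("@")
    findings = []
    for from_host, ident_user, by_host in received_hops(raw):
        if by_host not in relays:
            break                                 # recorded by a host we don't run
        if from_host in relays:
            continue                              # relay-to-relay hop inside our system
        # This hop is where the message entered our mail system.
        if in_domain(from_dom, local_domain) and not in_domain(from_host, local_domain):
            findings.append(f"From: claims {from_dom} but message entered via {from_host}")
        if (ident_user and in_domain(from_host, local_domain)
                and ident_user.lower() != local_part.lower()):
            findings.append(f"identd reports {ident_user}@{from_host}, From: says {local_part}")
        break
    return findings


# Constructed sample 1: a campus host talked to port 25 directly and used someone
# else's name; identd on that host told sendmail who really opened the connection.
SAMPLE_IDENT_MISMATCH = """\
Received: from labpc7.beaver.edu (student42@labpc7.beaver.edu [192.0.2.77])
    by beaver.edu (8.6.12/8.6.12) with SMTP id OAA12345; Fri, 2 Jun 1995 14:23:18 -0400
From: dean@beaver.edu
To: everyone@beaver.edu
Subject: constructed sample

(body omitted)
"""

# Constructed sample 2: a From: address in our domain, but the message entered
# via an outside host and was then relayed internally.
SAMPLE_EXTERNAL_ORIGIN = """\
Received: from beaver.edu (beaver.edu [192.0.2.10])
    by mailhub.beaver.edu (8.6.12/8.6.12) with ESMTP id OAA12346; Fri, 2 Jun 1995 14:24:01 -0400
Received: from dialup42.example.net (dialup42.example.net [198.51.100.42])
    by beaver.edu (8.6.12/8.6.12) with SMTP id OAA12345; Fri, 2 Jun 1995 14:23:18 -0400
From: registrar@beaver.edu
To: everyone@beaver.edu
Subject: constructed sample

(body omitted)
"""

# Constructed sample 3: From: agrees with the identd answer; nothing to report.
SAMPLE_CONSISTENT = SAMPLE_IDENT_MISMATCH.replace("From: dean@", "From: student42@")

if __name__ == "__main__":
    for name, raw in [("ident mismatch", SAMPLE_IDENT_MISMATCH),
                      ("external origin", SAMPLE_EXTERNAL_ORIGIN),
                      ("consistent", SAMPLE_CONSISTENT)]:
        print(name, "->", check_from_header(raw) or "ok")
```

The walk stops at the first hop that one of our relays recorded from a host that is not another of our relays; that is the only Received: line whose "from" and ident information we wrote ourselves. As reply I notes, the ident check only helps when the connecting host runs identd, and the ident answer is only as honest as that host, so this is a flag for the reader, not proof of who sent the message.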