Just curious how many of you have bothered to turn off the ident feature in sendmail - does it still default to on?
This is also the default behavior in courier. It was some time before I discovered this serious security hole in my mail server. Unfortunately only after the email addresses on the server were extracted by spammers.
Brian D.
--- Jonathan Hutchins wrote:
> Just curious how many of you have bothered to turn off the ident feature in sendmail - does it still default to on?
Jack wrote:
> This is also the default behavior in courier. It was some time before I discovered this serious security hole in my mail server. Unfortunately only after the email addresses on the server were extracted by spammers.
It's also a major performance hit. Most mail servers (and clients) these days are behind firewalls. The ident request will get dropped nearly 100% of the time, resulting in a long pause while the attempt times out. I really wish Sendmail had a
FEATURE(`stop_pretending_its_still_1983')
configuration option.
On Tuesday 31 May 2005 08:11 am, Gerald Combs wrote:
> It's also a major performance hit. Most mail servers (and clients) these days are behind firewalls. The ident request will get dropped nearly 100% of the time, resulting in a long pause while the attempt times out.
Default is 5 seconds.
> I really wish Sendmail had a FEATURE(`stop_pretending_its_still_1983') configuration option.
How about define(`confTO_IDENT',`0')dnl for M4, or O Timeout.ident=0 for the raw sendmail.cf?
(That'll turn it off.)
Jonathan Hutchins wrote:
> Default is 5 seconds.
>
> > I really wish Sendmail had a FEATURE(`stop_pretending_its_still_1983') configuration option.
>
> How about define(`confTO_IDENT',`0')dnl for M4, or O Timeout.ident=0 for the raw sendmail.cf?
> (That'll turn it off.)
How about disabling it by default (or not even implementing it) in the first place? Section 6 of RFC 1413 (which specifies ident) says:
"The Identification Protocol is not intended as an authorization or access control protocol. At best, it provides some additional auditing information with respect to TCP connections. At worst, it can provide misleading, incorrect, or maliciously incorrect information."
Finding a box that serves ident to the public internet these days is difficult. If you do find one, the information it serves will likely be bogus.
On Tuesday 31 May 2005 09:00 am, Gerald Combs wrote:
> How about disabling it by default (or not even implementing it) in the first place?
That would be up to the packagers who supply the sendmail.cf file for your distribution. It's an optional feature, and there are docs that discuss its potential usefulness on the sendmail site.
Remember that sendmail has been the de facto standard for internet mail almost as long as there's been an internet. Some of its conventions may seem archaic to the neophyte, but there are reasons that they are there.
If something in the environment of the 'net changes, like the usefulness of ident, sendmail admins are expected to be able to understand the need to change their tuning and configuration accordingly.
Quoting Gerald Combs gerald@ethereal.com:
> It's also a major performance hit. Most mail servers (and clients) these days are behind firewalls. The ident request will get dropped nearly 100% of the time, resulting in a long pause while the attempt times out.
If you're running iptables, you can take this rule from one of my Red Hat servers and adapt it to your needs; doing so will drastically reduce the long pause:
# reject identd requests
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 113 -j REJECT --reject-with tcp-reset
Good luck.
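Two things in this thread are worth seeing run rather than described: Gerald's point that an ident (RFC 1413) responder can return whatever it likes, and the last poster's point that a REJECT with tcp-reset makes the client fail immediately instead of hanging until the ident timeout. The following is an added example, not code from anyone in this thread or from sendmail. It builds the RFC 1413 query and parses the two reply forms (USERID and ERROR), talks to a constructed fake identd on loopback that answers with a made-up userid (standing in for a "maliciously incorrect" responder), and then times a query to a deliberately closed loopback port, where the kernel's RST plays the role of `--reject-with tcp-reset` and the connect fails at once rather than after the 5-second default. The host, ports and userid used are all assumptions for the demo.

```python
"""RFC 1413 ident exchange on loopback, and fast failure on a reset port (added example)."""
import socket
import threading
import time


def build_ident_query(server_port: int, client_port: int) -> bytes:
    # RFC 1413 request: "<port-on-server> , <port-on-client>" followed by CRLF.
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def parse_ident_response(line: bytes) -> dict:
    """Parse either '<sp>,<cp> : USERID : <opsys> : <userid>' or '<sp>,<cp> : ERROR : <type>'."""
    text = line.decode("ascii", "replace").rstrip("\r\n")
    parts = [p.strip() for p in text.split(":", 3)]
    if len(parts) < 3:
        raise ValueError(f"malformed ident reply: {text!r}")
    sp, cp = (int(x) for x in parts[0].split(","))
    kind = parts[1].upper()
    if kind == "USERID" and len(parts) == 4:
        # Whatever lands in 'userid' is asserted by the remote host only; nothing here verifies it.
        return {"server_port": sp, "client_port": cp, "status": "USERID",
                "opsys": parts[2], "userid": parts[3]}
    if kind == "ERROR":
        return {"server_port": sp, "client_port": cp, "status": "ERROR", "error": parts[2]}
    raise ValueError(f"unrecognised ident reply type: {text!r}")


def query_ident(host: str, port: int, server_port: int, client_port: int, timeout: float = 5.0) -> dict:
    """Send one ident query and parse the reply; raises on refusal or timeout like an MTA would."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_ident_query(server_port, client_port))
        reply = s.makefile("rb").readline()
    return parse_ident_response(reply)


def run_fake_identd(reply_userid: str) -> int:
    """Constructed one-shot identd on 127.0.0.1 that echoes the ports back with a chosen userid."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            ports = conn.makefile("rb").readline().decode("ascii", "replace").strip()
            conn.sendall(f"{ports} : USERID : UNIX : {reply_userid}\r\n".encode("ascii"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def measure_closed_port_failure(timeout: float = 5.0) -> tuple:
    """Query a loopback port nobody listens on; returns (outcome, seconds elapsed).

    A closed port answers SYN with RST, exactly what iptables' REJECT --reject-with tcp-reset
    produces, so the MTA gets 'refused' immediately. A DROP rule would leave it waiting for
    the full ident timeout instead.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    started = time.monotonic()
    try:
        query_ident("127.0.0.1", closed_port, 25, 40000, timeout=timeout)
        outcome = "answered"
    except ConnectionRefusedError:
        outcome = "refused"
    except socket.timeout:
        outcome = "timeout"
    return outcome, time.monotonic() - started


if __name__ == "__main__":
    identd_port = run_fake_identd("root")  # the responder decides what to claim
    print(query_ident("127.0.0.1", identd_port, 25, 40000))
    print(parse_ident_response(b"25, 40000 : ERROR : NO-USER\r\n"))
    print(measure_closed_port_failure())
```

The userid the fake responder hands back is accepted verbatim, which is the whole of Gerald's RFC 1413 point: the protocol gives the remote side a free-text field and no way to check it. The closed-port timing shows why the RST rule helps even when you cannot reconfigure the other end's MTA: the sender sees a refusal in milliseconds instead of waiting out its ident timeout.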