[Mailman-Users] Problems with SMTPDirect / Security Bug?
Nigel Metheringham
Nigel.Metheringham at VData.co.uk
Tue May 23 10:30:11 CEST 2000
palsina at chasque.net said:
> Using SMTPDirect as delivery module just times out, not sending any
> mail out. I used Sendmail as MTA, and saw a few messages on this board
> suggesting that Postfix was faster, so I replaced sendmail with
> Postfix.
You are running a SMTP daemon on 127.0.0.1 [or actually on whatever
address SMTPHOST is set to]?
If you telnet to that address/port do you see the initial SMTP banner
in a reasonable length of time? Can you then go through the basic SMTP
commands that would be used for sending a message (HELO, MAIL FROM,
RCPT TO) and have it turn those round in reasonable time?
It's most likely the MTA that is misconfigured - either not listening,
or trying to verify everything and taking lots of time about it.
palsina at chasque.net said:
> Looking at the code, I see that the recipient list is not sanitized
> before invoking the shell. Unless I'm wrong, one could subscribe an
> 'larry;command_here;@none.com' and make the command_here to get
> executed!
Ugh. I'm going to repeat my comment that I don't think Sendmail.py is
ready for prime time.
> I'm going to try to patch the Sendmail.py to put each recipient
> between '' to avoid shell expansion. Hope that will do.
It would be better not to shell at all - the argument list should be
built up in python and then exec-ed across without a shell being
involved (since a shell has nothing to contribute here except burning
some CPU cycles and lousing up the argument lists).
Nigel.
--
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham Nigel.Metheringham at VData.co.uk ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]
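
The approach suggested in the reply above (build the argument list in Python and execute it with no shell involved) is sketched below as an added example in present-day Python; it is not Mailman's code and not part of the original message. The stand-in child process, the `-f` / `--` arguments and the leading-dash check are assumptions for illustration.

```python
import json
import subprocess
import sys

# Stand-in for the MTA binary (assumption): a child Python process that
# reports the argument vector it received, so nothing is actually mailed.
FAKE_MTA = [sys.executable, "-c",
            "import json, sys; print(json.dumps(sys.argv[1:]))"]


def build_argv(sender, recipients):
    """Build the command as a list; each recipient is exactly one argument."""
    for addr in recipients:
        # Without a shell, metacharacters are inert, but a leading '-' could
        # still be read as an option by the program being run.
        if addr.startswith("-"):
            raise ValueError("recipient looks like an option: %r" % addr)
    # "--" marks the end of options for getopt-style argument parsers.
    return FAKE_MTA + ["-f", sender, "--"] + list(recipients)


def deliver(sender, recipients, message):
    """Run the command with no shell and feed the message on stdin."""
    proc = subprocess.run(build_argv(sender, recipients),
                          input=message, capture_output=True,
                          text=True, check=True)
    return json.loads(proc.stdout)  # argv exactly as the child saw it


if __name__ == "__main__":
    # Constructed sample input; the second address is the one quoted in
    # the thread. It reaches the child as a single literal argument.
    rcpts = ["alice@example.com", "larry;command_here;@none.com"]
    print(deliver("list-bounces@example.com", rcpts,
                  "Subject: test\n\nbody\n"))
```

Because no shell parses the command, quoting each recipient is unnecessary: the address with semicolons is delivered to the program as one argument and nothing in it is interpreted.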