From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Gonzalo Suarez
Cc: questions@freebsd.org
Date: Sat, 08 Apr 2006 19:06:54 +0100
Subject: Re: about sendmail security update
Message-ID: <4437FBBE.8090405@infracaninophile.co.uk>

Gonzalo Suarez wrote:

> I'm a very new FreeBSD user/admin. I run my own server since 1 month ago,
> I've been told about a security issue with sendmail. I read about it on the
> security ad
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:13.sendmail.asc
> and I don't know how I could get my system patched or upgraded. Some people
> tell me to quit using sendmail and try postfix, but I would like to fix
> sendmail and try to configure it...

In my humble opinion, sendmail is fine on almost any server not intended
to be primarily a mail server. Indeed on a machine where you trust
everyone who has access and where you only need to send e-mail from, not
receive it, then sendmail in the default configuration where it binds
solely to the loopback interface is perfectly fine.

However I'd think carefully about exposing sendmail listening on port 25
on an internet accessible interface. Don't do that unless you are
confident of being able to apply upgrades in a timely fashion. Otherwise,
one of the other big 4 MTAs (sendmail, exim, postfix, qmail) may be more
suitable for you.

In answer to your question: you've got two options.

Option 1 is to use FreeBSD Update:

    http://www.daemonology.net/freebsd-update/

which will let you apply binary updates to your system, incorporating all
of the various security advisories as they are produced. Note that this
does not mix well with recompiling bits of the system locally -- read that
web page carefully. Note that this site is run by the current FreeBSD
security officer. I believe that the intention is to make it into an
official FreeBSD supported service eventually, but that the code that runs
the site is not in good enough shape to do that yet.

Option 2 is to get hold of the system sources and recompile your world from
them.
Which sounds like a terrible ordeal to the uninitiated, but is
actually fairly plain sailing -- all it takes is the time and the disk
space to do the compilations. The procedure is documented in the Handbook.

First you will need to download the sources -- cvsup is the recommended
way to do that:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html

You will need to specify the appropriate CVS tag for the system version
you want. In your case, I'd recommend RELENG_5_4 to pull down the latest
5.4-RELEASE-pN code. But again, the Handbook explains how the different
CVS tags and branches work:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html

Then you will want to compile all this code and install the results:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

See also /usr/src/UPDATING (after you've downloaded the sources with cvsup,
clearly) for any special instructions etc. required by the latest code.

And with that, you're done. All of the security fixes get committed to the
supported RELEASE code branches, so doing a cvsup and {build,install}world
procedure after the specified date will always get you the required fixes.

Or else you can follow the instructions in the advisory which will generally
get you to pretty much the same place by a different route; often without
necessarily having to interrupt service for as long.

> I installed the system with a FreeBSD 5.4 release CD. I downloaded the patch
> and when I executed it I realized that I don't have the source code of
> sendmail since I started the installation with the CD-ROM standard
> installation. What am I supposed to do now? Patch or upgrade. What is the
> easy way? I have compiled some little C code for college practices and
> installed some BSD ports with make install but now I'm a little bit lost
> here...

System sources are available on the standard CDs -- obviously, you get the
sources the release was created from -- and there is an option in sysinstall
to install them. However, if you've got cvsup sorted you might as well use
that from scratch to populate an empty /usr/src directory. There are possible
pitfalls if you don't 'adopt' the sources from the release CD correctly
before updating them with cvsup, although those only happen in certain
thankfully quite rare circumstances:

    http://www.cvsup.org/faq.html#adoptupgrade

You'll need about 350--400MB available for the system sources, plus
approximately another 500MB to hold the results of compiling all that.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
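
Added example (not part of the original message or of FreeBSD itself): a check for the loopback-only sendmail setup described above, which reads `sockstat -l` style output and reports any TCP listener on port 25 that is bound to something other than loopback. The function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Reads listening-socket output on stdin (columns as printed by FreeBSD's
# sockstat: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS) and
# prints every TCP listener on port 25 that is not bound to loopback.
# Exit status: 0 = port 25 is loopback-only or unused, 1 = exposed.
smtp_exposed() {
    awk '
        $5 ~ /^tcp/ {
            addr = $6
            n = split(addr, parts, ":")
            port = parts[n]                 # text after the last colon
            if (port != "25") next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next
            printf "%s pid %s listens on %s\n", $2, $3, addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: sendmail bound to loopback only.
SAMPLE_DEFAULT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sendmail   512   4  tcp4   127.0.0.1:25     *:*
root     sshd       430   3  tcp4   *:22             *:*'

# Constructed sample: sendmail bound to every interface on port 25.
SAMPLE_EXPOSED='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sendmail   512   4  tcp4   *:25             *:*
root     sendmail   512   5  tcp6   *:25             *:*
root     sendmail   512   6  tcp4   *:587            *:*'

# Demonstration on the constructed samples. On a live FreeBSD host the
# input would come from:  sockstat -l | smtp_exposed
printf '%s\n' "$SAMPLE_DEFAULT" | smtp_exposed \
    && echo "default sample: port 25 is loopback-only"
printf '%s\n' "$SAMPLE_EXPOSED" | smtp_exposed \
    || echo "exposed sample: port 25 is reachable beyond loopback"
```

A non-zero exit status means the host accepts SMTP connections from the network, which is the case where applying advisories promptly matters most.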