Date:      Sat, 08 Apr 2006 19:06:54 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Gonzalo Suarez <gonzalo.llorente@gmail.com>
Cc:        questions@freebsd.org
Subject:   Re: about sendmail security update
Message-ID:  <4437FBBE.8090405@infracaninophile.co.uk>
In-Reply-To: <b4941aac0604080825w170ba796h43c4e0b9c1e2ddda@mail.gmail.com>
References:  <b4941aac0604080825w170ba796h43c4e0b9c1e2ddda@mail.gmail.com>

Gonzalo Suarez wrote:

> I'm a very new FreeBSD user/admin. I've run my own server since 1 month ago. I
> 've been told about a security issue with sendmail. I read about it on the
> security ad
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:13.sendmail.asc and
> I don't know how I could get my system patched or upgraded. Some people
> tell me to quit using sendmail and try postfix, but I would like to fix
> sendmail and try to configure it...

In my humble opinion, sendmail is fine on almost any server not intended
to be primarily a mail server.  Indeed on a machine where you trust
everyone who has access and where you only need to send e-mail from, not
receive it, then sendmail in the default configuration where it binds
solely to the loopback interface is perfectly fine.

However I'd think carefully about exposing sendmail listening on port
25 on an internet accessible interface.   Don't do that unless you are
confident of being able to apply upgrades in a timely fashion.  Otherwise,
one of the other big 4 MTAs (sendmail, exim, postfix, qmail) may be more
suitable for you.

In answer to your question: you've got two options.  Option 1 is to use
FreeBSD Update:

    http://www.daemonology.net/freebsd-update/

which will let you apply binary updates to your system, incorporating all
of the various security advisories as they are produced.  Note that this
does not mix well with recompiling bits of the system locally -- read that
web page carefully.  Note that this site is run by the current FreeBSD
security officer.  I believe that the intention is to make it into an
official FreeBSD supported service eventually, but that the code that runs
the site is not in good enough shape to do that yet.

Option 2 is to get hold of the system sources and recompile your world from
them.  Which sounds like a terrible ordeal to the uninitiated, but is
actually fairly plain sailing -- all it takes is the time and the disk space
to do the compilations.  The procedure is documented in the Handbook.

First you will need to download the sources -- cvsup is the recommended
way to do that:

   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html

You will need to specify the appropriate CVS tag for the system version
you want.  In your case, I'd recommend RELENG_5_4 to pull down the latest
5.4-RELEASE-pN code.  But again, the Handbook explains how the different
CVS tags and branches work:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html

Then you will want to compile all this code and install the results:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

See also /usr/src/UPDATING (after you've downloaded the sources with cvsup,
clearly) for any special instructions etc. required by the latest code.

And with that, you're done.  All of the security fixes get committed to the
supported RELEASE code branches, so doing a cvsup and {build,install}world
procedure after the specified date will always get you the required fixes.
Or else you can follow the instructions in the advisory which will generally
get you to pretty much the same place by a different route; often without
necessarily having to interrupt service for as long.

> I installed the system with a FreeBSD 5.4 release CD. I downloaded the patch
> and when I executed it I realized that I don't have the source code of
> sendmail since I started the installation with the CD-ROM standard
> installation. What am I supposed to do now? Patch or upgrade? What is the
> easy way? I have compiled some little C code for college practices and
> installed some BSD ports with make install but now I'm a little bit lost
> here...

System sources are available on the standard CDs -- obviously, you get the
sources the release was created from -- and there is an option in sysinstall
to install them.  However, if you've got cvsup sorted you might as well use
that from scratch to populate an empty /usr/src directory.  There are possible
pitfalls if you don't 'adopt' the sources from the release CD correctly
before updating them with cvsup, although those only happen in certain
thankfully quite rare circumstances:

    http://www.cvsup.org/faq.html#adoptupgrade

You'll need about 350--400MB available for the system sources, plus
approximately another 500MB to hold the results of compiling all that.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
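The source-update route Matthew describes (cvsup against the RELENG_5_4 tag, then buildworld/installworld) as an added example; this script is not part of the original mail or of FreeBSD. It assumes the Handbook's supfile layout and cvsup.FreeBSD.org as the mirror, and the function names and the 400MB + 500MB disk-space check (taken from the figures Matthew quotes) are my own.

```shell
#!/bin/sh
# Added example, not from the original mail. Helpers for the cvsup +
# buildworld security-update procedure described in the thread.
# SRC_MB/OBJ_MB are the sizes quoted in the mail (350-400MB sources,
# ~500MB build output); everything else is an assumption of this example.

SRC_MB=400
OBJ_MB=500

# Only accept a release (security) branch tag such as RELENG_5_4, so that
# cvsup tracks the -pN security fixes of one release rather than HEAD or
# a -STABLE branch, which would pull in unrelated changes.
tag_is_release_branch() {
    case $1 in
        RELENG_[0-9]_[0-9]|RELENG_[0-9]_[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit a supfile that fetches the full system sources for the given tag.
# Layout follows the Handbook's cvsup examples (src-all = all of /usr/src).
write_supfile() {
    cat <<EOF
*default host=cvsup.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=$1
*default delete use-rel-suffix
*default compress
src-all
EOF
}

# Return 0 if the free space given in MB covers sources plus build output.
space_ok() {
    [ "$1" -ge $((SRC_MB + OBJ_MB)) ]
}

# Handbook order. Read /usr/src/UPDATING first; the Handbook reboots into
# the new kernel between installkernel and installworld, so do this in
# two sittings rather than as one unattended run.
rebuild_world() {
    cd /usr/src || return 1
    make buildworld && make buildkernel && make installkernel
    # ... reboot ...
    # make installworld && mergemaster
}

# Example use (assumes FreeBSD's df -m for free space in MB):
# tag_is_release_branch RELENG_5_4 && write_supfile RELENG_5_4 >/root/src-supfile
# space_ok "$(df -m /usr | awk 'NR==2{print $4}')" && cvsup -g -L 2 /root/src-supfile
```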