Subject: Re: orbs.org and 'Open EMail Relay'
To: Scott Burns <Scott.Burns@Netcontech.Com>
From: Thomas Michael Wanka <tm_wanka@earthling.net>
List: netbsd-help
Date: 04/20/2000 08:25:31
Hi,
I do not use sendmail but have enclosed some messages that were posted in
a similar thread at SuSE security.
HTH
mike
--- Schnipp ---
This Web page has a lot of info about mail abuse.
http://maps.vix.com/tsi/ar-test.html SMTP Relay Tester
The way that I have tested our Sendmail configuration is to
1) connect to the host that the mail server is on
2) from there, telnet to a friendly host at "mail-abuse.org"
telnet mail-abuse.org
3) the results are like ....
Relay test 17
>>> RSET
<<< 250 Reset state
>>> MAIL FROM:<spamtest@lufa-sp.vdlufa.de>
<<< 250 <spamtest@lufa-sp.vdlufa.de>... Sender ok
>>> RCPT TO:<mail-abuse.org!relaytest@lufa-sp.vdlufa.de>
<<< 550 <mail-abuse.org!relaytest@lufa-sp.vdlufa.de>... Relaying denied
Relay test result
All tests performed, no relays accepted.
Connection closed by foreign host.
--- Schnapp ---
--- Schnipp ---
There are still a number of things in the default sendmail 8.9.x config
that are insecure. These are fixed in the 8.10.0.Beta* public betas.
The relay methods are suitably obscure, but still exploitable. I ran my
8.10.0.Beta* through ORBS and came up clean, so whatever the default is
"now" it works. :)
I would recommend upgrading to the newer sendmail betas, from
ftp://ftp.sendmail.org/
--- Schnapp ---
On 19 Apr 2000, at 12:06, Scott Burns wrote:
> Ok, I have just received my e-mail from orbs.org telling me that my shiny
> new NetBSD/i386 V1.4.1 server has the open e-mail relay problem.
> So now what do I do? It would appear I have V8.8.8.4 of sendmail and their page
> says there are some weaknesses in it. Does V1.4.2 have a newer version of
> sendmail and associated cf files that are required to disable this properly? I
> am not a sendmail expert and we have always used the sendmail setup as it came
> installed with NetBSD.
>
> What's the easiest way for me to upgrade and plug this hole?
>
> Thanks in advance.
>
> Scott Burns
>
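
Added example, not part of the original thread: a small Python parser for a saved relay-test transcript in the `>>>` / `<<<` format quoted above, reporting for each numbered test how the server answered RCPT TO. Test 17 is the exchange from the message; test 18, its host name and its reply text are constructed to show what an accepted relay looks like, and the function names are this example's own.

```python
import re

# Test 17 is copied from the thread; test 18 is CONSTRUCTED sample data.
SAMPLE = """\
Relay test 17
>>> RSET
<<< 250 Reset state
>>> MAIL FROM:<spamtest@lufa-sp.vdlufa.de>
<<< 250 <spamtest@lufa-sp.vdlufa.de>... Sender ok
>>> RCPT TO:<mail-abuse.org!relaytest@lufa-sp.vdlufa.de>
<<< 550 <mail-abuse.org!relaytest@lufa-sp.vdlufa.de>... Relaying denied
Relay test 18
>>> MAIL FROM:<spamtest@mail.example.org>
<<< 250 <spamtest@mail.example.org>... Sender ok
>>> RCPT TO:<mail-abuse.org!relaytest@mail.example.org>
<<< 250 <mail-abuse.org!relaytest@mail.example.org>... Recipient ok
"""

HEADER = re.compile(r"^Relay test (\d+)\s*$")   # not "Relay test result"
REPLY = re.compile(r"^<<< (\d{3})([ -]?)")      # "-" marks a continuation line
VERDICT = {"2": "RELAY ACCEPTED", "4": "inconclusive", "5": "denied"}

def parse_relay_tests(text):
    """Return a list of (test_number, rcpt_address, reply_code, verdict)."""
    results, test_no, rcpt = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            test_no, rcpt = int(m.group(1)), None
        elif line.upper().startswith(">>> RCPT TO:"):
            rcpt = line[len(">>> RCPT TO:"):].strip().strip("<>")
        elif line.startswith(">>> "):
            rcpt = None                     # other command: its reply is not ours
        elif rcpt is not None:
            m = REPLY.match(line)
            if m and m.group(2) != "-":     # wait for the final reply line
                code = m.group(1)
                results.append((test_no, rcpt, code, VERDICT.get(code[0], "unknown")))
                rcpt = None
    return results

def open_relay_tests(text):
    """Test numbers where the server accepted a recipient it should refuse."""
    return [n for n, _, code, _ in parse_relay_tests(text) if code[0] == "2"]
```

An empty list from `open_relay_tests` corresponds to the tester's "no relays accepted" summary; a 4xx reply is reported as inconclusive because the server neither refused nor accepted the recipient.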