11.5 Bogus qf Files
For security reasons, V8
sendmail performs a number of checks on each
qf file before trusting its contents. If a
qf file fails any of those checks,
sendmail converts the leading
q in its name to an uppercase
Q. Queue runs ignore Qf files, so the
message stays on disk for an administrator to examine but is never
delivered. We discuss each possible problem in the sections that
follow.
Note that when sendmail renames a
qf file into a Qf file, it logs
that it did so. In the following, qffile is the
full path and filename of the qf file, before it
was renamed:
Losing qffile: reason here
Also note that, although sendmail checks the
qf file for a number of plausible errors, its
checking is by no means exhaustive. The checks we describe here are
no substitute for a well-managed system.
11.5.1 Badly Formed qf Filename
V8.6 sendmail always checks the form of the
qf filename for correctness. V8.7 through V8.9
sendmail also check the qf
filename but do so only if the PICKY_QF_NAME_CHECK build macro is defined when
building sendmail. V8.10 and above no longer check the form of
the qf filename for correctness.
Prior to V8.10, if the qf filename is incorrectly
formed (Section 11.2.1), sendmail
presumes that some other program placed the file in the queue and
rejects it:
orderq: bogus qf name bogus name here
The check was made conditional on PICKY_QF_NAME_CHECK in V8.7
because some sites allow legitimate programs (other than
sendmail) to write into sendmail's queue, and
those programs do not always follow sendmail's naming rules.
If you see this message, either build sendmail
without PICKY_QF_NAME_CHECK defined (if your site deliberately allows other
programs to write into the queue directory), or trace down the
process that is placing badly formed qf names in
your queue and fix it.
11.5.2 Bad qf Owner or Permissions
Each qf file must be
owned by the effective user ID under which
sendmail runs (usually
root). A qf file must not be
group- or world-writable. If a qf file fails
either test, it is considered bogus and is renamed to a
Qf file. Then sendmail logs
these messages:
id: bogus queue file, uid=owner, mode=perms
Losing qffile: bogus file uid in mqueue
Here, id is the identifier portion of the
qf filename, owner is
the uid of the user that owns the
qf file, and perms are
the file permissions of the qf file, printed in
octal.
This problem might point to bad queue directory permissions that
allow anyone (or some group) to place files there. Or it might
indicate that some process other than sendmail
is writing to your queue.
11.5.3 Extra Data at End of qf File
One form of attack against
sendmail is to append additional control lines
(for example, extra recipient lines) to the end of an existing
qf file. V8.7 and above
sendmail specifically check for additional text
and reject the qf file if any is found:
SECURITY ALERT: extra data in qf: first bogus line printed here
Losing qffile: bogus queue line
V8.7 sendmail terminates its legitimate list of
qf control lines by placing a dot on a line by
itself. Any text following that line, including comments and blank
lines, is considered an error. This can represent a serious attack
against your machine or site. If you get this message, investigate at
once.
11.5.4 Unknown Control Character in qf File
Each line in a qf
file must begin with a known control letter or character (Section 11.11). If a line begins with any other character,
it is considered bad, and the whole file is rejected:
readqf: qffile: line num: bad line bogus line here
Losing qffile: unrecognized line
Note that this error is to be anticipated if you go backward, from a
later release to an earlier release of sendmail:
a newer release may have written control letters that the older
release does not recognize, so the older release rejects the files the
newer one queued.
11.5.5 Funny Flag Bits in qf File
An
F line in a qf file is used to
save and restore envelope flag bits. Unfortunately, the first line of
a Unix-style mailbox also begins with an F:
From someone@site
Without a check, a mailbox file (or a message that somehow landed in
the queue directory under a qf name) would be read
as a qf file whose first line is an
F line. If a qf file's
F line begins with the five characters
"From ", V8.7
and above sendmail will reject the file and log
a possible attack:
SECURITY ALERT: bogus qf line bogus line here
Losing qffile: bogus queue line
This might represent a serious attack against your machine or site.
If you get this message, investigate at once.
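The following script is an added example, not code from sendmail or from this chapter. It re-implements in Python the checks described in 11.5.1 through 11.5.5 (filename form, owner and permissions, extra data after the terminating dot, unknown control characters, and a mailbox-style "From " line) so that they can be run read-only against a queue directory, or a copy of one, without renaming anything. Two things are assumptions rather than facts taken from the page: the set of accepted control letters (KNOWN_CONTROL, a V8.12-style list; compare it against Section 11.11 for your release) and the simplified filename rule in well_formed_name (the exact rules are in Section 11.2.1). The check for a missing terminating dot is an extra added here, not one the book lists. The sample qf files are constructed for the demonstration, not captured from a real queue.

```python
"""Audit a sendmail queue directory for the bogus-qf-file conditions
of 11.5.1 through 11.5.5.  Added example; not part of sendmail."""
import os
import stat
import tempfile

# ASSUMPTION: control characters accepted at the start of a qf line,
# following the V8.12 format.  Adjust to match Section 11.11 for your
# release.  The terminating "." line is handled separately.
KNOWN_CONTROL = set("ABCDEFHIKMNPQRSTVZ$!r")
MAILBOX_FROM = "From "   # Unix mailbox separator that mimics an F line


def well_formed_name(name):
    """11.5.1: ASSUMPTION, simplified rule: 'qf' plus a non-empty
    alphanumeric identifier.  See Section 11.2.1 for the exact form."""
    return name.startswith("qf") and len(name) > 2 and name[2:].isalnum()


def fold_lines(text):
    """Join continuation lines (leading space or tab) onto the previous
    line, as sendmail's fgetfolded() does when it reads a qf file."""
    folded = []
    for raw in text.split("\n"):
        if raw[:1] in (" ", "\t") and folded:
            folded[-1] += "\n" + raw
        else:
            folded.append(raw)
    if folded and folded[-1] == "":      # artifact of a trailing newline
        folded.pop()
    return folded


def check_qf(name, text, st_uid, st_mode, expected_uid):
    """Return the reasons this qf file would be treated as bogus
    (modelled on the 'Losing qffile: reason' log lines).  Empty list
    means it passed every check."""
    reasons = []
    if not well_formed_name(name):                       # 11.5.1
        reasons.append("bogus qf name")
    if st_uid != expected_uid:                           # 11.5.2
        reasons.append("bogus file uid (uid=%d)" % st_uid)
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):          # 11.5.2
        reasons.append("group- or world-writable (mode=%o)" % (st_mode & 0o777))
    lines = fold_lines(text)
    for i, line in enumerate(lines, 1):
        if line == ".":                                  # end of control lines
            if i < len(lines):                           # 11.5.3
                reasons.append("extra data after dot at line %d: %r" % (i + 1, lines[i]))
            break
        if line[:1] not in KNOWN_CONTROL:                # 11.5.4
            reasons.append("unrecognized line %d: %r" % (i, line))
            break
        if line.startswith(MAILBOX_FROM):                # 11.5.5
            reasons.append("mailbox 'From ' line %d: %r" % (i, line))
            break
    else:
        reasons.append("no terminating dot")   # added check, not from the book
    return reasons


def audit_queue(queue_dir, expected_uid=None):
    """Walk queue_dir and return {filename: reasons} for every qf file
    that fails a check.  expected_uid defaults to the caller's euid,
    which is right when the audit runs as the user sendmail runs as."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    findings = {}
    for name in sorted(os.listdir(queue_dir)):
        if not name.startswith("qf"):          # Qf, df, xf files are skipped
            continue
        path = os.path.join(queue_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            findings[name] = ["not a regular file"]
            continue
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
        reasons = check_qf(name, text, st.st_uid, st.st_mode, expected_uid)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample qf files for the demonstration (not real captures).
GOOD_QF = (
    "V6\nT1100000000\nK0\nN0\nP30000\nFw\n$_localhost\n"
    "Sbob@example.com\nrRFC822; alice@example.com\nRPFD:alice@example.com\n"
    "H?P?Return-Path: <bob@example.com>\n"
    "HReceived: from localhost\n\tby mail.example.com\n"   # folded header
    "HFrom: bob@example.com\nHTo: alice@example.com\nHSubject: hello\n.\n"
)
EXTRA_DATA_QF = GOOD_QF + "Rattacker@example.net\n"             # 11.5.3
MAILBOX_QF = "From someone@site\n" + GOOD_QF                     # 11.5.5
BAD_LINE_QF = GOOD_QF.replace("P30000\n", "P30000\n#comment\n")  # 11.5.4


def demo():
    """Write the samples into a temporary queue directory, loosen the
    permissions on one of them, audit, and print book-style log lines."""
    with tempfile.TemporaryDirectory() as qdir:
        samples = {"qfAAA00001": GOOD_QF, "qfAAA00002": EXTRA_DATA_QF,
                   "qfAAA00003": MAILBOX_QF, "qfAAA00004": BAD_LINE_QF,
                   "qfAAA00005": GOOD_QF, "qf bad name": GOOD_QF}
        for name, text in samples.items():
            path = os.path.join(qdir, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, 0o600)
        os.chmod(os.path.join(qdir, "qfAAA00005"), 0o666)   # 11.5.2
        findings = audit_queue(qdir)
        for name, reasons in findings.items():
            for reason in reasons:
                print("Losing %s: %s" % (name, reason))
        return findings


if __name__ == "__main__":
    demo()
```

Run it as the user sendmail runs as (so that the expected owner is right) with `audit_queue("/var/spool/mqueue")`, or point it at a copy of the queue taken for investigation; the audit never renames or modifies files, so a finding here is a prompt to look at the file and at whatever wrote it, not a cleanup step.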
11.5.6 Savemail Panic
In the rare event that
sendmail cannot dispose of a bounced message, it
will preserve the qf file as a
Qf file and log the message:
savemail: cannot save rejected email anywhere
Losing qffile: savemail panic
The sendmail program tries everything possible
to avoid this state (including bouncing the message, sending it to
the postmaster, and saving it to a
dead.letter file). Only if all else fails will
it preserve the qf file as a Qf
file.
In general this points to an alias problem with the user named
postmaster or the owner of a mailing list. Such
users are special. They must be able to receive email messages no
matter what. They should be the names of real people, not the names
of further mailing lists.