home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  


Previous Section Next Section

11.5 Bogus qf Files

For security reasons, V8 sendmail performs a number of checks on each qf file before trusting its contents. If any qf file fails to be trustworthy, sendmail converts the leading q in its name to an uppercase Q.[8] We discuss each possible problem in the sections that follow.

[8] This letter might change from a Q to a different letter in the future.

Note that when sendmail renames a qf file into a Qf file, it logs that it did so. In the following, qffile is the full path and filename of the qf file, before it was renamed:

Losing qffile: reason here 

Also note that, although sendmail checks the qf file for a number of plausible errors, its checking is by no means exhaustive. The checks we describe here are no substitute for a well-managed system.

11.5.1 Badly Formed qf Filename

V8.6 sendmail always checks the form of the qf filename for correctness. V8.7 through V8.9 sendmail also check the qf filename but do so only if PICKY_QF_NAME_CHECK is defined when building sendmail (PICKY_HELO_CHECK). V8.10 and above no longer check the form of the qf filename for correctness.

Prior to V8.10, if the qf filename is incorrectly formed (Section 11.2.1), sendmail presumes that some other program placed the file in the queue and rejects it:

orderq: bogus qf name bogus name here

For V8.7 through V8.9, sendmail made this check only if PICKY_QF_NAME_CHECK was defined when building sendmail. This was introduced because some sites allow legitimate programs (other than sendmail) to write into sendmail's queue. To fix this problem, either undefine PICKY_QF_NAME_CHECK when you build sendmail (if your site allows other programs to write into the queue directory), or trace down the process that is placing badly formed qf names in your queue and fix it.

11.5.2 Bad qf Owner or Permissions

Each qf file must be owned by the effective user ID under which sendmail runs (usually root). A qf file must not be group- or world-writable. If a qf file fails either test, it is considered bogus and is renamed to a Qf file. Then sendmail logs these messages:

id: bogus queue file, uid=owner, mode=perms
Losing qffile: bogus file uid in mqueue

Here, id is the identifier portion of the qf filename, owner is the uid of the user that owns the qf file, and perms are the file permissions of the qf file, printed in octal.

This problem might point to bad queue directory permissions that allow anyone (or some group) to place files there. Or it might indicate that some process other than sendmail is writing to your queue.

11.5.3 Extra Data at End of qf File

One form of attack against sendmail is to append additional control lines to the end of an existing qf file. V8.7 sendmail specifically checks for additional text and rejects the qf file if any is found:

SECURITY ALERT: extra data in qf: first bogus line printed here
Losing qffile: bogus queue line

V8.7 sendmail terminates its legitimate list of qf control lines by placing a dot on a line by itself. Any text following that line, including comments and blank lines, is considered an error. This can represent a serious attack against your machine or site. If you get this message, investigate at once.

11.5.4 Unknown Control Character in qf File

Each line in a qf file must begin with a known control letter or character (Section 11.11). If a line begins with any other character, it is considered bad, and the whole file is rejected:

readqf: qffile: line num: bad line bogus line here 
Losing qffile: unrecognized line

Note that this error is to be anticipated if you go backward, from a later release to an earlier release of sendmail.

11.5.5 Funny Flag Bits in qf File

An F line in a qf file is used to save and restore envelope flag bits. Unfortunately, the first line of a Unix-style mailbox also begins with an F:

From someone@site

If a qf file's F line begins with the five characters "From ", V8.7 and above sendmail will reject the file and log a possible attack:

SECURITY ALERT: bogus qf line bogus line here
Losing qffile: bogus queue line

This might represent a serious attack against your machine or site. If you get this message, investigate at once.

11.5.6 Savemail Panic

In the rare event that sendmail cannot dispose of a bounced message, it will preserve the qf file as a Qf file and log the message:

savemail: cannot save rejected email anywhere
Losing qffile: savemail panic

The sendmail program tries everything possible to avoid this state (including bouncing the message, sending it to the postmaster, and saving it to a dead.letter file). Only if all else fails will it preserve the qf file as a Qf file.

In general this points to an alias problem with the user named postmaster or the owner of a mailing list. Such users are special. They must be able to receive email messages no matter what. They should be the names of real people, not the names of further mailing lists.

    Previous Section Next Section