Shielding Vulnerable Clients With PMDF

http://www.ciac.org/ciac/bulletins/i-077b.shtml

Note that PMDF itself is not vulnerable to this sort of buffer overrun. PMDF uses counted strings rather than null-terminated strings, and has always been coded this way. This one fact alone eliminates all sorts of potential problems -- the sort of problems being found now in these clients and that have occurred in sendmail and sendmail-derived mail systems, for instance -- since PMDF programs tend to truncate things rather than overrunning buffers. PMDF also avoids using character pointers, preferring instead to use array constructs where run-time bounds checking is possible. So you end up with two layers of checking in PMDF: one explicitly coded into the string primitives we use, the other provided by the language environment itself.

Many sites use PMDF either as a POP or IMAP server itself, or use PMDF as a backbone relaying to Microsoft Exchange or Netscape servers. In such configurations, PMDF provides centralized addressing schemes, support for legacy e-mail systems, and many functions for restructuring messages. One feature of message restructuring is that PMDF sanitizes messages passing through, presenting only "safe" messages to the vulnerable client environment.

Solution Approach

To obtain the greatest amount of protection in the simplest fashion, PMDF sites with the current version of software should fetch a libpmdf.so (UNIX) or PMDFSHR.EXE (OpenVMS) image dated 31-July-1998 from the Process PMDF FTP site.[1] Then, if they have not already enabled PMDF processing of message content, they should enable such processing. For instance, such message processing can be enabled by inserting the line

    defaults inner

in the PMDF configuration file as the first channel definition.

[1] Sites with older releases of PMDF software will need to use a different approach in order to enable processing of message content. For more information on those steps please follow this link.
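
The counted-string behaviour described at the top of this note, as an added C example that is not PMDF's own code: a fixed-capacity string that stores its length and truncates on overflow, so an oversized field cannot write past its buffer. The names cstr_t, cs_set, cs_append and CS_CAP are hypothetical, and the 200-byte input is constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CS_CAP 32                 /* hypothetical fixed capacity */

/* Hypothetical counted string: the length is stored, no NUL is relied on. */
typedef struct {
    size_t len;                   /* bytes in use, invariant: len <= CS_CAP */
    char   data[CS_CAP];
} cstr_t;

/* Replace contents with src[0..src_len); returns the number of bytes dropped. */
size_t cs_set(cstr_t *dst, const char *src, size_t src_len)
{
    size_t n = src_len < CS_CAP ? src_len : CS_CAP;
    memcpy(dst->data, src, n);
    dst->len = n;
    return src_len - n;
}

/* Append src[0..src_len), truncating at capacity; returns bytes dropped. */
size_t cs_append(cstr_t *dst, const char *src, size_t src_len)
{
    size_t room = CS_CAP - dst->len;
    size_t n = src_len < room ? src_len : room;
    memcpy(dst->data + dst->len, src, n);
    dst->len += n;
    return src_len - n;
}

/* Constructed input: a 200-byte field stored next to a guard value. */
struct slot { cstr_t field; unsigned guard; };

size_t store_oversized(struct slot *s)
{
    char big[200];
    memset(big, 'A', sizeof big);
    s->guard = 0xC0FFEEu;
    size_t dropped = cs_set(&s->field, big, sizeof big);
    return dropped + cs_append(&s->field, ".txt", 4);
}

int main(void)
{
    struct slot s;
    size_t dropped = store_oversized(&s);
    printf("kept=%zu dropped=%zu guard_intact=%d\n",
           s.field.len, dropped, s.guard == 0xC0FFEEu);
    return 0;
}
```

Because the length travels with the data, a field containing embedded NUL bytes is also stored in full rather than being cut at the first NUL.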
