Robert Harker
2006-04-27 06:08:22 UTC
At most sites the most common use of sendmail is to act as a
message submission agent on all of the various Linux and Unix
servers on the network. These servers are only SMTP clients.
They do not accept incoming mail and they do no local delivery
of mail. The only mail they deal with is locally generated mail
from various administrative accounts, root, operator, oracle,
web, etc..., and all of this local mail is always forwarded to
an SMTP relay.
Assuming that you really want sendmail to only act as an SMTP client,
then what I recommend in my "Managing Internet Mail" class is to
only use the submit.cf file (from the submit.mc file). Since the host
would not be receiving any inbound mail, there would be no reason
to run the SMTP server (sendmail -bd) and since the SMTP server
is not running there would be no reason to use /var/spool/mqueue,
hence no reason to run the root owned queue daemon. What is nice
about this configuration is that there is no sendmail
running on the system as root. Sendmail is completely blocked as
an attack vector. It can't be used for a remote exploit since it
is not listening to any port, not even localhost. It can't be used
as a local exploit because it never runs as root.
To configure a sendmail SMTP client, you modify the submit.cf
file to forward the mail to the remote/central SMTP server,
smtprelay.your.dom, rather than trying to use the local SMTP server
listening to the loopback interface. You do this by changing the
"msp" (message submission program) feature:
From: FEATURE(`msp', `[127.0.0.1]')
To: FEATURE(`msp', `smtprelay.your.dom')
The "msp" feature only applies to mail addressed to the host itself,
an unqualified "user" or "***@thishost.dom". For non-local mail
you would still need to set the SMART_HOST relay in your
sendmail.mc file:
define(`SMART_HOST',`smtprelay.your.dom')
I also assume you would like local mail addresses generated
on this host to be masqueraded as the domain "***@your.dom".
So use masquerading:
MASQUERADE_AS(`your.dom')
FEATURE(`allmasquerade')
FEATURE(`masquerade_envelope')
and to make sure all addresses leave with a domain name
(just in case):
FEATURE(always_add_domain)
If there are some administrative accounts that it would be useful
to see the hostname in the address, then add them to the Exposed
User class, $=E, with:
EXPOSED_USER(`root operator')
You would also want some of the other stuff in the original
submit.mc file:
VERSIONID(`submit.mc Robert Harker, ***@harker.com 060424')
define(`confCF_VERSION', `Client')
dnl dirty hack to keep proto.m4 from complaining
define(`__OSTYPE__',`')
define(`confTIME_ZONE', `USE_TZ')
define(`confDONT_INIT_GROUPS', `True')
Since this is an SMTP client, all forwarding and aliasing should
be done by the remote SMTP server, smtprelay.your.dom. The "msp"
feature automatically sets them both to a null path.
You should also set the Maximum message size to be consistent with the
your site-wide conventions or the next SMTP relay, smtprelay.your.dom:
define(`confMAX_MESSAGE_SIZE',`10000000')
RedHat, Fedora, and CentOS set the default user and group ID:
define(`confDEF_USER_ID',``8:12'')
This needs to be before the MAILER() definitions or the "msp"
feature.
Finally a few other things: don't waste time probing network
interfaces and don't waste time with Delivery Status Notifications:
define(`confDONT_PROBE_INTERFACES',true)
define(`confTO_QUEUEWARN_DSN',`')
define(`confTO_QUEUERETURN_DSN',`12h')
So putting it all together as a client.mc file:
VERSIONID(`client.mc Robert Harker, ***@harker.com 060424')dnl
define(`confCF_VERSION', `client')dnl
dnl dirty hack to keep proto.m4 from complaining
define(`__OSTYPE__',`')dnl
define(`confTIME_ZONE', `USE_TZ')dnl
dnl rewrite sender addresses, header and envelope, as ***@your.dom
MASQUERADE_AS(`your.dom')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(always_add_domain)dnl
dnl accounts that keep the real hostname in their address ($=E)
EXPOSED_USER(`root operator')dnl
dnl non-local mail goes to the central relay
define(`SMART_HOST',`smtprelay.your.dom')dnl
define(`confMAX_MESSAGE_SIZE',`10000000')dnl
define(`confDONT_INIT_GROUPS', `True')dnl
dnl must come before the msp feature (and any MAILER() lines)
define(`confDEF_USER_ID',``8:12'')dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`confTO_QUEUEWARN_DSN',`')dnl
define(`confTO_QUEUERETURN_DSN',`12h')dnl
dnl local mail (unqualified user, ***@thishost.dom) also goes to the relay,
dnl not to a daemon on [127.0.0.1]
FEATURE(`msp', `smtprelay.your.dom')dnl
Now that you are not running a sendmail queue daemon or a sendmail
SMTP server there is no need for a real sendmail.cf file. You can
use submit.cf for both:
cd /etc/mail
mv sendmail.cf sendmail.cf.orig
ln -s submit.cf sendmail.cf
You also want to turn off the standard sendmail SMTP server
and queue daemon. In Linux this is normally configured in
/etc/sysconfig/sendmail:
DAEMON=no
QUEUE=
SMQUEUE=p1h
Set DAEMON=no and QUEUE= to null. You can tune the queue daemon
with SMQUEUE=<time>. The "p" before "1h" tells sendmail to run
the queue as a persistent queue daemon.
Now you have a nice generic sendmail configuration which disables
both local and remote exploits in sendmail. It also is generic
enough to deploy on any OS running sendmail 8.12 or 8.13.
Hope this helps
RLH
For info about our "Managing Internet Mail, Setting Up and Trouble
Shooting sendmail and DNS" and a schedule of dates and locations,
please send email to ***@harker.com, or visit www.harker.com
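The configuration in the post above hands every message to the relay and leaves nothing listening or running as root. The script below is an audit for that shape, added here as an example; it is not Robert Harker's code and not part of the sendmail distribution. It checks the two files the post edits: the .mc must point the msp feature and SMART_HOST at the relay rather than at [127.0.0.1], and /etc/sysconfig/sendmail must have DAEMON=no and an empty QUEUE. The relay name smtprelay.your.dom, the file paths and the sample files the demo writes are placeholders constructed for the example; audit_runtime additionally checks a live host with ss(8) and ps(1) and only means something when run there.

```shell
#!/bin/sh
# Audit a host for the submission-only sendmail client described in the post.
# Added example, not the post author's code. Checks two files:
#   - the .mc: msp must hand mail to the relay (not a daemon on [127.0.0.1])
#     and SMART_HOST must name the same relay for non-local mail;
#   - /etc/sysconfig/sendmail: DAEMON=no and an empty QUEUE, so neither
#     'sendmail -bd' nor a root-owned queue runner is started.
# Relay name, paths and the files written by demo() are constructed placeholders.

# Escape the dots in a hostname so grep matches it literally.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# audit_client_mc MCFILE RELAY: print findings; return 0 only when clean.
audit_client_mc() {
    mc=$1
    relay=$(re_escape "$2")
    rc=0
    # msp aimed at loopback means the host still expects a local 'sendmail -bd'
    if grep -q "FEATURE(\`msp', *\`\[127\.0\.0\.1]')" "$mc"; then
        echo "FAIL $mc: msp feature still points at [127.0.0.1]"
        rc=1
    fi
    if ! grep -q "FEATURE(\`msp', *\`$relay')" "$mc"; then
        echo "FAIL $mc: msp feature does not name relay $2"
        rc=1
    fi
    # msp only covers mail addressed to this host; everything else needs SMART_HOST
    if ! grep -q "define(\`SMART_HOST', *\`$relay')" "$mc"; then
        echo "FAIL $mc: SMART_HOST is not $2"
        rc=1
    fi
    return $rc
}

# audit_sysconfig FILE: return 0 only if no SMTP daemon and no root queue runner.
audit_sysconfig() {
    f=$1
    rc=0
    # DAEMON=yes starts 'sendmail -bd' as root, listening on port 25
    if ! grep -Eq '^DAEMON=("no"|no)$' "$f"; then
        echo "FAIL $f: DAEMON must be no"
        rc=1
    fi
    # any QUEUE interval starts a root-owned queue runner for /var/spool/mqueue
    if ! grep -Eq '^QUEUE=("")?$' "$f"; then
        echo "FAIL $f: QUEUE must be empty"
        rc=1
    fi
    return $rc
}

# On a live host: nothing should listen on 25/587 and no sendmail process
# should run as root. Uses ss(8) and ps(1); not exercised by demo().
audit_runtime() {
    rc=0
    if command -v ss >/dev/null 2>&1 && ss -Hltn 2>/dev/null | grep -Eq ':(25|587) '; then
        echo "FAIL: something is listening on an SMTP/submission port"
        rc=1
    fi
    if ps -eo user=,comm= 2>/dev/null | grep -Eq '^root +sendmail'; then
        echo "FAIL: sendmail process running as root"
        rc=1
    fi
    return $rc
}

# Demo on constructed files: the post's client.mc versus a stock submit.mc,
# and the post's sysconfig versus a default that still runs the daemon.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        "define(\`SMART_HOST',\`smtprelay.your.dom')dnl" \
        "FEATURE(\`msp', \`smtprelay.your.dom')dnl" > "$tmp/client.mc"
    printf '%s\n' "FEATURE(\`msp', \`[127.0.0.1]')dnl" > "$tmp/stock-submit.mc"
    printf 'DAEMON=no\nQUEUE=\nSMQUEUE=p1h\n' > "$tmp/client.sysconfig"
    printf 'DAEMON=yes\nQUEUE=1h\n' > "$tmp/stock.sysconfig"
    for f in client.mc stock-submit.mc; do
        audit_client_mc "$tmp/$f" smtprelay.your.dom && echo "PASS $f"
    done
    for f in client.sysconfig stock.sysconfig; do
        audit_sysconfig "$tmp/$f" && echo "PASS $f"
    done
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the constructed good and bad files graded; on a real client, point audit_client_mc at /etc/mail/client.mc with your relay name, audit_sysconfig at /etc/sysconfig/sendmail, and run audit_runtime after the init script has been restarted so the old daemon is gone.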