Owl River Company

   http://www.owlriver.com/tips/sendmail-tip/

Well, a pet peeve of mine is people who directly edit the .cf file instead of using the m4 configuration files. Don't do it! [laughs] I treat the .cf file as a binary file - you should too. -- Eric Allman, author of Sendmail, 18 Oct 1999
http://www.sendmail.net/interviews/interview001.shtml

From herrold@owlriver.com Sat Nov 17 18:07:00 2001
Date: Sat, 17 Nov 2001 17:52:19 -0500 (EST)
From: R P Herrold 
Reply-To: slug@nks.net
To: Slug List 
Subject: M4 and Sendmail cheat sheet  was: RE: [SLUG] mail server.
(clip and save)

On Sat, 17 Nov 2001, Jeff Barriault wrote:

> Sendmail happens to be running on the RedHat box too, but I 
> haven't figured out how to connect to it from my Win2K system. 
> Of course I've gotten a bunch of great advice from folks on 
> this mail list and am sitting here currently trying to figure
>  it all out.
> 
> Thanks Russ, and everyone else for helping,
Red Hat 7.1 and later ship with sendmail listening ONLY at 127.0.0.1 AND in non-daemon mode -- that is for locally originated email -- this is a security matter to prevent your host from being an open relay, and ALSO to make sendmail secure against the kind of external compromise mentioned earlier today. This topic (seeking to ship without remote exploit holes, as does OpenBSD [indeed, really seeking to ship without any holes]) was a _big_ issue to me in the RH 7.0 development phase, and RH 7.1 and following ship reasonably secure by default -- it takes an effort to make the base install of RH 7.1 and following vulnerable to crackers.

1. To be able to hand email TO it (on port 25), you will need packages:

    sendmail-cf

and
    m4

loaded. Check that they are present thus:

   rpm -q sendmail-cf  m4

(we are asking the package manager to confirm that they are present and their versions),

2. If not present, use your install media and install them

(how is beyond the scope of this piece)

3. Edit /etc/mail/sendmail.mc with your favorite text editor. Toward the bottom of that file is this stanza:

dnl This changes sendmail to only listen on the loopback  device 127.0.0.1
dnl and not on any other network devices. Comment this out if  you want
dnl to accept email over the network.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

... Note that the string "dnl " at the left margin is how comments are added to sendmail.mc -- this is an artifact of the ancient origins of sendmail and the m4 macro processor

Make it read as the text says "to accept email over the network":

dnl  DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')


(this is the last line quoted in the first stanza, now commented out.)

4. rebuild /etc/sendmail.cf from the revised /etc/mail/sendmail.mc thus:

  m4 /etc/mail/sendmail.mc > /etc/sendmail.cf


(This is considered Unix deep magic -- but all it does is have the m4 macro processor use the sendmail-cf recipes, and make a new well-formed sendmail.cf. Note that lower in the sendmail.mc file is an option to specify what hostname your mail server uses -- useful for pretending to be a server with a resolvable name.)

(Note also that /etc/sendmail.cf moves to become /etc/mail/sendmail.cf with sendmail-8.12.x and so that command will become m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf in later versions. But there are many other changes, including a separate non-privileged child process.)

5. Tell sendmail to listen all the time (in so-called daemon mode) instead of delivering just its own local mail queue just once an hour.

Edit /etc/sysconfig/sendmail

and change:

   DAEMON=no

to:

   DAEMON=yes

6. And restart sendmail

  cd /etc/mail
  make
  service sendmail restart

(Note: The make step is needed in some variants of Red Hat, as the automatic execution of the make is missing in some releases of the initscript package.)

7. Confirm it locally:

   netstat -an | grep 25 | grep tcp

yields:

   tcp        0      0 0.0.0.0:25         0.0.0.0:*         LISTEN

(which says the host is listening on ALL interfaces for connections ...)

[I undid step 5 and 6 -- and reran this test -- it yields -- nothing -- that it is NOT able to be connected to externally on port 25 -- and so THAT port is safe from a remote direct attack.]

8. Test locally (I list YOUR part OUT of []):

telnet localhost 25
[... banner]
HELO LOCALHOST
[... response]
QUIT


It went:

[root@couch herrold]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 couch.basement.net ESMTP Sendmail 8.11.6/8.11.6; Sat, 17 
     Nov 2001 17:10:39 -0500
HELO localhost
250 couch.basement.net Hello 
     IDENT:+yf0DRAJjMc1ZxKCEIv/Y7hCZQtbC55G@couch.basement.net 
     [127.0.0.1], pleased to meet you
QUIT
221 2.0.0 couch.basement.net closing connection
Connection closed by foreign host.
$


9. The acid test -- From another host test it (we'll restate the conversation, and hide the remote end's responses initially for clarity):

telnet couch.basement.net 25
HELO localhost
QUIT


Or more elaborately (I highlight your input in red):

[herrold@router herrold]$ telnet couch.basement.net 25
Trying 172.16.33.101...
Connected to 172.16.33.101.
Escape character is '^]'.
220 couch.basement.net ESMTP Sendmail 8.11.6/8.11.6; Sat, 17 
	Nov 2001 17:36:05 -0500
HELO localhost
250 couch.basement.net Hello router.basement.net 
      [172.16.33.2], pleased to meet you
MAIL FROM:<godzilla@localhost>
553 5.5.4 godzilla@localhost... Real domain name required for sender address
MAIL FROM:<godzilla@microsoft.com>
250 2.1.0 godzilla@microsoft.com... Sender ok
RCPT TO:<root@localhost>
250 2.1.5 root@localhost... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Linux rules.
.
250 2.0.0 fAHMajY07056 Message accepted for delivery
QUIT
221 2.0.0 couch.basement.net closing connection
Connection closed by foreign host.
[herrold@router herrold]$


.... that was successful -- note that the 'domain must resolve' rule for senders kicked in on the first part of the "MAIL FROM" offer -- this is an anti-spam feature. [Note the name lookups are working -- I have working residence DHCP and DNS services on Linux ... ]. The X- header is added by procmail.

There is a forward rule in place for root, as recommended in an earlier post; Out at the end recipient host, we find:

Return-Path: 
Received: from couch.basement.net 
	(dhcp065-024-xx-xx.columbus.rr.com    [65.24.xx.xx])
        by swampfox.owlriver.com (8.11.6/8.11.6) with ESMTP id 
	fAHMbGu07271 for ; Sat, 17 Nov 
	2001 17:37:16  -0500
Received: from localhost (router.basement.net [172.16.33.2])
        by couch.basement.net (8.11.6/8.11.6) with SMTP id 
	fAHMajY07056
        for root@localhost; Sat, 17 Nov 2001 17:37:06 -0500
Date: Sat, 17 Nov 2001 17:37:06 -0500
From: godzilla@microsoft.com
Message-Id: <200111172237.fAHMajY07056@couch.basement.net>
X-Loop: herrold@owlriver.com

Linux rules.



-----------------------------------------------

Read the received lines from the bottom up --

We forged the sender as "godzilla@microsoft.com" -- spammers do this all the time, nothing new there; and offered to root@localhost -- The forward rule handed it for delivery to herrold@owlriver.com. Seems to work fine.

As this demonstrated, this is probably not enough to suffice in production. Do NOT connect this to the outside world -- a bit more needs to be done. As set, it will receive mail only with a final (as to the originator's perspective) destination at the localhost -- /etc/mail/access and /etc/mail/local-host-names need attention to receive mail for handling for others. But again, this is beyond the scope of this presentation.

And we reached the goal state. I don't need to expose the root password to receive the mail. And as I recall, that was your question.

-- Russ

ps: I don't do it much, but I've noted a copyright here -- private individual use only, please.

-- 
end
==================================
 .-- -... ---.. ... -.- -.--
Copyright (C) 2001 R P Herrold
      herrold@owlriver.com  NIC: RPH5 (US)
   My words are not deathless prose, 
      but they are mine.

       Owl River Company  
   "The World is Open to Linux (tm)"
   ... Open Source LINUX solutions ...
      info@owlriver.com 
         Columbus, OH


See also: RFC 2821, section 4.2.1, multi-line replies:

     The format for multiline replies requires that every line, except the last,
     begin with the reply code, followed immediately by a hyphen, "-"
     (also known as minus), followed by text. The last line will begin with
     the reply code, followed immediately by <SP>, optionally some text,
     and <CRLF>. As noted above, servers SHOULD send the <SP> if subsequent
     text is not sent, but clients MUST be prepared for it to be
     omitted.

     For example:

     123-First line
     123-Second line
     123-234 text beginning with numbers
     123 The last line

     In many cases the SMTP client then simply needs to search for a line
     beginning with the reply code followed by <SP> or <CRLF> and
     ignore all preceding lines. In a few cases, there is important data for
     the client in the reply "text". The client will be able to identify these
     cases from the current context.
[Note: <SP> and <CRLF> are respectively a SPace and a Carriage Return/Line Feed sequence]
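The telnet tests in steps 7 through 9 and the RFC 2821 multi-line reply rule quoted above, as an added example that is not part of the original post: a reply reader that implements section 4.2.1 (continuation lines end in "NNN-", the final line in "NNN " or a bare "NNN"), a helper for parsing replies pasted from a telnet session, and a probe that repeats the HELO / MAIL FROM / RCPT TO exchange against your own host, then resets without sending a message. The host, port and addresses are parameters you supply; the defaults are the values from the transcript above.

```python
import socket
from io import BytesIO

# Added example (not from the post): RFC 2821 4.2.1 reply reader plus a probe
# that repeats the HELO/MAIL FROM/RCPT TO part of the test against your own host.
def read_reply(rfile):
    """Return (code, [line texts]) for one SMTP reply read from a binary file.
    Every line but the last is 'NNN-text'; the last is 'NNN text' or bare 'NNN'.
    """
    code, texts = None, []
    while True:
        raw = rfile.readline()
        if not raw:
            raise EOFError("connection closed in the middle of a reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply line: %r" % line)
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError("reply code changed mid-reply: %r" % line)
        texts.append(line[4:])
        if len(line) == 3 or line[3] == " ":   # space (or nothing): final line
            return code, texts
        if line[3] != "-":
            raise ValueError("bad separator after reply code: %r" % line)

def parse_reply_text(text):
    """Parse a reply pasted from a telnet session (CRLF or LF line endings)."""
    return read_reply(BytesIO(text.encode("ascii")))

def smtp_probe(host, port=25, helo="localhost", mail_from="godzilla@localhost",
               rcpt_to="root@localhost", timeout=10):
    """Return {step: (code, texts)} for banner, HELO, MAIL FROM, RCPT TO, RSET,
    QUIT, or None when nothing answers (expected while DAEMON_OPTIONS still
    pins sendmail to 127.0.0.1 and /etc/sysconfig/sendmail has DAEMON=no)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, unreachable or timed out: port not exposed
        return None
    steps = [("helo", "HELO " + helo), ("mail_from", "MAIL FROM:<%s>" % mail_from),
             ("rcpt_to", "RCPT TO:<%s>" % rcpt_to), ("rset", "RSET"), ("quit", "QUIT")]
    result = {}
    with sock, sock.makefile("rb") as rfile:
        result["banner"] = read_reply(rfile)   # e.g. 220 ... ESMTP Sendmail
        for step, cmd in steps:                 # no DATA: nothing is delivered
            sock.sendall((cmd + "\r\n").encode("ascii"))
            result[step] = read_reply(rfile)
    return result
```

With the default sender, a correctly configured host should answer the MAIL FROM step with the same 553 "Real domain name required" reply shown in the transcript; a None result from another machine means the port is not reachable there, which matches the undo test in step 7.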


Thanks to our reviewer, 'range' for correction on RFC 821 syntax.


We make this available for non-commercial and individual use. Please respect our copyright, and consider contacting us for all your Open Source and *nix design, architect / systems analysis, and administration needs.


Copyright (C) 2002 R P Herrold
rev 020822 RPH
© 2008 Owl River Company. All rights reserved.

Last modified: Mon, 14 Jul 2008 14:34:05 -0400