Owl River Company
http://www.owlriver.com/tips/sendmail-tip/
Well, a pet peeve of mine is people who
directly edit the .cf file instead of using the
m4 configuration files. Don't do it! [laughs]
I treat the .cf file as a binary file - you
should too.
-- Eric Allman, author of Sendmail, 18 Oct 1999
http://www.sendmail.net/interviews/interview001.shtml
From herrold@owlriver.com Sat Nov 17 18:07:00 2001
Date: Sat, 17 Nov 2001 17:52:19 -0500 (EST)
From: R P Herrold
Reply-To: slug@nks.net
To: Slug List
Subject: M4 and Sendmail cheat sheet was: RE: [SLUG] mail server.
(clip and save)
On Sat, 17 Nov 2001, Jeff Barriault wrote:
> Sendmail happens to be running on the RedHat box too, but I
> haven't figured out how to connect to it from my Win2K system.
> Of course I've gotten a bunch of great advice from folks on
> this mail list and am sitting here currently trying to figure
> it all out.
>
> Thanks Russ, and everyone else for helping,
Red Hat 7.1 and later ship with sendmail listening ONLY at
127.0.0.1 AND in non-daemon mode -- that is for locally
originated email -- this is a security matter to prevent your
host from being an open relay, and ALSO to make sendmail
secure against the kind of external compromise mentioned
earlier today. This topic (seeking to ship without remote exploit
holes, as does OpenBSD [indeed, really seeking to ship without
any holes]) was a _big_ issue to me in the RH 7.0
development phase, and RH 7.1 and following ship reasonably secure by
default -- it takes an effort to make the base install of
RH 7.1 and following vulnerable to crackers.
1. To be able to hand email TO it (on port 25), you will
need packages:
sendmail-cf
and
m4
loaded. Check that they are present thus:
rpm -q sendmail-cf m4
(we are asking the package manager to confirm that they are
present and their versions),
2. If not present, use your install media and install them
(how is beyond the scope of this piece)
3. Edit /etc/mail/sendmail.mc with your favorite text editor.
Toward the bottom of that file is this stanza:
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
... Note that the string "dnl " at the left margin is how
comments are added to sendmail.mc -- this is an artifact of
the ancient origins of sendmail and the m4 macro
processor.
Make it read as the text says "to accept email over the
network":
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
(this is the last line quoted in the first stanza, now
commented out.)
4. rebuild /etc/sendmail.cf from the revised
/etc/mail/sendmail.mc thus:
m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
(This is considered Unix deep magic -- but all it does is have
the m4 macro processor use the sendmail-cf recipes, and make
a new well-formed sendmail.cf. Note that lower in the
sendmail.mc file is an option to specify what hostname your
mail server uses -- useful for pretending to be a server with
a resolvable name.)
(Note also that /etc/sendmail.cf moves to become
/etc/mail/sendmail.cf with sendmail-8.12.x and so that command
will become m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
in later versions. But there are many other changes, including
a separate non-privileged child process.)
5. Tell sendmail to listen all the time (in so-called daemon
mode) instead of delivering just its own local mail queue just
once an hour.
Edit /etc/sysconfig/sendmail
and change:
DAEMON=no
to:
DAEMON=yes
6. And restart sendmail
cd /etc/mail
make
service sendmail restart
(Note: The make step is needed in some variants of Red Hat, as the
automatic execution of the make is missing in some
releases of the initscript package.)
7. Confirm it locally:
netstat -an | grep 25 | grep tcp
yields:
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
(which says the host is listening on ALL interfaces for
connections ...)
[I undid step 5 and 6 -- and reran this test -- it yields --
nothing -- that it is NOT able to be connected to externally
on port 25 -- and so THAT port is safe from a remote direct
attack.]
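Steps 3, 5 and 7 each answer part of the question "is tcp/25 exposed?": step 3 decides which address the MTA binds, step 5 decides whether a daemon runs at all, and step 7 asks the kernel what actually happened. The following is an added example in Python, not code from the post or from Red Hat; it audits those three artifacts from text. The function names are hypothetical and the sendmail.mc stanza, /etc/sysconfig/sendmail contents and netstat excerpt are constructed samples.

```python
import re

# Constructed samples (not copied from any real host) of the two files the
# procedure edits: the stanza from /etc/mail/sendmail.mc as Red Hat ships it,
# the same stanza after step 3, and /etc/sysconfig/sendmail before/after step 5.
MC_SHIPPED = """\
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
"""
# Step 3: the same file with "dnl " put in front of the DAEMON_OPTIONS line.
MC_OPENED = MC_SHIPPED.replace("\nDAEMON_OPTIONS", "\ndnl DAEMON_OPTIONS")
SYSCONFIG_SHIPPED = "DAEMON=no\n"
SYSCONFIG_OPENED = "# changed in step 5\nDAEMON=yes\n"
# Constructed `netstat -an` excerpt of the kind step 7 looks at.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

DNL_LINE = re.compile(r"^\s*dnl(\s|$)")
DAEMON_OPTS = re.compile(r"DAEMON_OPTIONS\(\s*`([^']*)'\s*\)")


def active_daemon_options(mc_text):
    """Argument strings of the DAEMON_OPTIONS() calls m4 will actually expand.

    m4's dnl macro deletes everything up to and including the newline, so a
    line that starts with 'dnl' (or the remainder of a line after a dnl) is
    gone before the sendmail-cf recipes ever see it.
    """
    found = []
    for line in mc_text.splitlines():
        if DNL_LINE.match(line):
            continue
        line = re.split(r"\bdnl\b", line, maxsplit=1)[0]
        m = DAEMON_OPTS.search(line)
        if m:
            found.append(m.group(1))
    return found


def mta_listen_addresses(mc_text):
    """Addresses the listener binds. With no DAEMON_OPTIONS left at all,
    sendmail falls back to its default: port 25 on every interface."""
    addrs = []
    for args in active_daemon_options(mc_text):
        opts = dict(kv.strip().split("=", 1) for kv in args.split(",") if "=" in kv)
        addrs.append(opts.get("Addr", "0.0.0.0"))
    return addrs or ["0.0.0.0"]


def daemon_mode(sysconfig_text):
    """True if /etc/sysconfig/sendmail says DAEMON=yes (last assignment wins,
    '#' comments ignored, optional quotes tolerated)."""
    enabled = False
    for line in sysconfig_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"""DAEMON=["']?(\w+)["']?$""", line)
        if m:
            enabled = m.group(1).lower() == "yes"
    return enabled


def port25_exposure(mc_text, sysconfig_text):
    """Combine steps 3 and 5: what will be reachable on tcp/25 after restart."""
    if not daemon_mode(sysconfig_text):
        return "not listening"       # hourly queue runs only; nothing bound on :25
    addrs = mta_listen_addresses(mc_text)
    if all(a.startswith("127.") or a == "::1" for a in addrs):
        return "loopback only"
    if "0.0.0.0" in addrs or "::" in addrs:
        return "all interfaces"
    return "specific interfaces"


def tcp_listeners(netstat_text, port=25):
    """Addresses bound on `port` in `netstat -an` output: the step 7 check,
    i.e. what the kernel is doing rather than what the config files say."""
    bound = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            addr, _, lport = f[3].rpartition(":")
            if lport == str(port):
                bound.append(addr)
    return bound


if __name__ == "__main__":
    for label, mc, sc in (("as shipped", MC_SHIPPED, SYSCONFIG_SHIPPED),
                          ("after steps 3 and 5", MC_OPENED, SYSCONFIG_OPENED)):
        print("%-20s config says: %s" % (label, port25_exposure(mc, sc)))
    print("netstat says tcp/25 bound on:", tcp_listeners(NETSTAT_SAMPLE))
```

The point of keeping `tcp_listeners` separate from `port25_exposure` is the one the post makes with its "undid step 5 and 6" experiment: the config tells you what should happen, and only the socket table tells you what did.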
8. Test locally (I list YOUR part OUT of []):
telnet localhost 25
[... banner]
HELO LOCALHOST
[... response]
QUIT
It went:
[root@couch herrold]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 couch.basement.net ESMTP Sendmail 8.11.6/8.11.6; Sat, 17
Nov 2001 17:10:39 -0500
HELO localhost
250 couch.basement.net Hello
IDENT:+yf0DRAJjMc1ZxKCEIv/Y7hCZQtbC55G@couch.basement.net
[127.0.0.1], pleased to meet you
QUIT
221 2.0.0 couch.basement.net closing connection
Connection closed by foreign host.
$
9. The acid test -- From another host test it (we'll restate the
conversation, and hide the remote end's
responses initially for clarity):
telnet couch.basement.net 25
HELO localhost
QUIT
Or more elaborately (I highlight your input in red):
[herrold@router herrold]$ telnet couch.basement.net 25
Trying 172.16.33.101...
Connected to 172.16.33.101.
Escape character is '^]'.
220 couch.basement.net ESMTP Sendmail 8.11.6/8.11.6; Sat, 17
Nov 2001 17:36:05 -0500
HELO localhost
250 couch.basement.net Hello router.basement.net
[172.16.33.2], pleased to meet you
MAIL FROM: godzilla@localhost
553 5.5.4 godzilla@localhost... Real domain name required for sender address
MAIL FROM: godzilla@microsoft.com
250 2.1.0 godzilla@microsoft.com... Sender ok
RCPT TO: root@localhost
250 2.1.5 root@localhost... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Linux rules.
.
250 2.0.0 fAHMajY07056 Message accepted for delivery
QUIT
221 2.0.0 couch.basement.net closing connection
Connection closed by foreign host.
[herrold@router herrold]$
.... that was successful -- note that the 'domain must
resolve' rule for senders kicked in on the first part of the
"MAIL FROM" offer -- this is an anti-spam feature. [Note the name
lookup's working -- I have working residence DHCP and DNS services
on Linux ... ]. The X- header is added by procmail.
There is a forward rule in place for root, as recommended
in an earlier post; Out at the end recipient host, we find:
Return-Path:
Received: from couch.basement.net
(dhcp065-024-xx-xx.columbus.rr.com [65.24.xx.xx])
by swampfox.owlriver.com (8.11.6/8.11.6) with ESMTP id
fAHMbGu07271 for ; Sat, 17 Nov
2001 17:37:16 -0500
Received: from localhost (router.basement.net [172.16.33.2])
by couch.basement.net (8.11.6/8.11.6) with SMTP id
fAHMajY07056
for root@localhost; Sat, 17 Nov 2001 17:37:06 -0500
Date: Sat, 17 Nov 2001 17:37:06 -0500
From: godzilla@microsoft.com
Message-Id: <200111172237.fAHMajY07056@couch.basement.net>
X-Loop: herrold@owlriver.com
Linux rules.
-----------------------------------------------
Read the received lines from the bottom up --
We forged the sender as "godzilla@microsoft.com" -- spammers
do this all the time, nothing new there; and offered to
root@localhost -- The forward rule handed it for delivery
to herrold@owlriver.com. Seems to work fine.
As this demonstrated, this is probably not enough to suffice in
production. Do NOT connect this to the outside world -- a bit more needs
to be done --- As set, it will receive mail only with a final
(as to the originator's perspective) destination at the
localhost -- /etc/mail/access
and /etc/mail/local-host-names
need attention to receive mail for handling for others. But
again, this is beyond the scope of this presentation.
And we reached the goal state. I don't need to expose the
root password to receive the mail. And as I recall, that was
your question.
-- Russ
ps: I don't do it much, but I've noted a copyright here --
private individual use only, please.
--
end
==================================
.-- -... ---.. ... -.- -.--
Copyright (C) 2001 R P Herrold
herrold@owlriver.com NIC: RPH5 (US)
My words are not deathless prose,
but they are mine.
Owl River Company
"The World is Open to Linux (tm)"
... Open Source LINUX solutions ...
info@owlriver.com
Columbus, OH
See also: RFC 2821,
section 4.2.1 multi-line replies
The format for multiline replies requires that every line, except the last,
begin with the reply code, followed immediately by a hyphen, "-"
(also known as minus), followed by text. The last line will begin with
the reply code, followed immediately by <SP>, optionally some text,
and <CRLF>. As noted above, servers SHOULD send the <SP> if subsequent
text is not sent, but clients MUST be prepared for it to be
omitted.
For example:
123-First line
123-Second line
123-234 text beginning with numbers
123 The last line
In many cases the SMTP client then simply needs to search for a line
beginning with the reply code followed by <SP> or <CRLF> and
ignore all preceding lines. In a few cases, there is important data for
the client in the reply "text". The client will be able to identify these
cases from the current context.
[Note: <SP> or <CRLF> are respectively a SPace and a Carriage
Return/Line Feed sequence]
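A client that searches for "reply code followed by <SP> or <CRLF>" and ignores the "-" lines is easy to get subtly wrong: the final line may carry a bare code with no <SP>, continuation text may itself begin with digits, and a reply whose code changes mid-way is malformed. The following is an added example in Python, not code from the post or from RFC 2821, that parses replies exactly as section 4.2.1 describes. The function names are hypothetical; the RFC's own four-line example is used as one input, and the server byte stream is constructed (hostnames borrowed from the transcript above, the 250- continuation lines are a made-up EHLO-style greeting, and the bare "221" is the <SP>-omitted form clients must tolerate).

```python
import re

# One reply line: exactly three digits, then either '-' (more lines follow),
# ' ' (final line with text) or nothing at all (final line, bare code).
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

# The RFC's own example (section 4.2.1) as it would arrive on the wire.
RFC_EXAMPLE = ("123-First line\r\n123-Second line\r\n"
               "123-234 text beginning with numbers\r\n123 The last line\r\n")
# Constructed server stream: greeting, multi-line EHLO-style reply, a
# rejected MAIL FROM, and a final line with the <SP> and text omitted.
SERVER_STREAM = (
    b"220 couch.basement.net ESMTP Sendmail 8.11.6/8.11.6; Sat, 17 Nov 2001 17:36:05 -0500\r\n"
    b"250-couch.basement.net Hello router.basement.net [172.16.33.2], pleased to meet you\r\n"
    b"250-8BITMIME\r\n"
    b"250 HELP\r\n"
    b"553 5.5.4 godzilla@localhost... Real domain name required for sender address\r\n"
    b"221\r\n"
)


def parse_reply(lines):
    """Consume one complete reply from an iterator of CRLF-stripped lines.

    Returns (code, [text per line]) or None if the iterator was already empty.
    Raises ValueError on a malformed line, a code change mid-reply, or a stream
    that ends while a '-' continuation is still pending.
    """
    code, texts = None, []
    for line in lines:
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        this_code = int(m.group(1))
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed from %d to %d mid-reply" % (code, this_code))
        texts.append(m.group(3) or "")
        if m.group(2) != "-":          # ' ' or absent: this was the last line
            return code, texts
    if code is None:
        return None
    raise ValueError("stream ended inside a multi-line %d reply" % code)


def replies_from_stream(data):
    """Split a raw byte stream from the server into a list of parsed replies."""
    parts = data.decode("ascii").split("\r\n")
    if parts and parts[-1] == "":      # the trailing CRLF leaves an empty tail
        parts.pop()
    lines = iter(parts)
    replies = []
    while True:
        reply = parse_reply(lines)
        if reply is None:
            return replies
        replies.append(reply)


def reply_class(code):
    """Meaning of the first digit of a reply code (RFC 2821 section 4.2.1)."""
    return {2: "positive completion", 3: "positive intermediate",
            4: "transient negative completion",
            5: "permanent negative completion"}.get(code // 100, "unrecognised")


if __name__ == "__main__":
    for code, texts in replies_from_stream(SERVER_STREAM):
        print(code, reply_class(code), texts)
```

Because `parse_reply` takes an iterator rather than a list, the same function works line by line on a socket file object; the malformed-input checks are what stop a client from reading a later reply's lines as part of the current one.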
We make this available for non-commercial and individual use.
Please respect our copyright, and consider contacting us for
all your Open Source and *nix design, architect / systems analysis, and
administration needs.
Copyright (C) 2002 R P Herrold
herrold@owlriver.com NIC: RPH5 (US)
rev 020822 RPH
Last modified: Thu, 26 Sep 2002 01:41:45 -0400