Hardening Sendmail

Mick examines sendmail's security controversies and builds an SMTP gateway for handling internet mail.
Configuring Delivery Rules

That was the hard part. Now we only need to tell sendmail what to do with incoming mail, what local hostnames are legitimate and which users, networks and domains may use the SMTP gateway to relay mail not destined locally.

The mailertable is used to define delivery rules. It has a simple syntax, which is described in /usr/share/doc/sendmail/README.cf or /usr/share/sendmail/README depending on your distribution. In a nutshell, each line contains two parts: a destination identifier and an action. The destination identifier matches destination addresses or parts thereof; the action tells sendmail what to do with messages whose destinations match the identifier.

If the identifier begins with a “.”, then all e-mail source addresses ending in whatever follows the dot will match. If it doesn't, then everything following the “@” sign must be identical to the identifier. The e-mail address bobo@weird-al.polkatistas.org won't match the identifier polkatistas.org but will match .polkatistas.org.

The action takes the form agent:action where agent is either a mailer (defined in sendmail.mc/linux.mc in MAILER() statements) or the built-in agents “local” or “error”. The “local” agent, of course, means the mail should be delivered to a local user, specified after the colon (if nothing follows the colon, the user specified in the message itself will be used).

Below is a mailertable with two different actions:

polkatistas.org       smtp:internalmail.polkatistas.org
mail.polkatistas.org  local:postmaster

In addition to delivery rules, sendmail needs to know which e-mail destinations should be considered synonyms of the local (SMTP gateway's) hostname. These are specified in /etc/mail/local-host-names, one per line:

mail.polkatistas.org
weird-al.polkatistas.org
1.23.234.2
Finally, we need to define allowed relayers by editing /etc/mail/access. The syntax is simple. Each line contains a source name or address, paired with an action (again, see README.cf or its equivalent on your distribution for details). The action can be RELAY, REJECT, DISCARD, OK or ERROR. In practice, the most useful of these actions is RELAY. Because by default relaying is rejected, REJECT and DISCARD are only useful when defining exceptions to explicit RELAY rules.

Here is a simple access file:

localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
192.168                         RELAY

Do you notice the absence of real hostnames in the example above? In this example, the SMTP gateway performs only outbound relays; inbound mail must be addressed to a local e-mail address, and outbound relays must originate from hosts whose IP addresses begin with the octets 192.168 (obviously a noninternet-routable network). I like this technique (using IP addresses) because then I can prevent IP address spoofing with my firewall rules, but I can't prevent forged From: addresses in e-mail (however, your needs may be different of course):

access
local-host-names
mailertable

More-Advanced Sendmail Security

SMTP AUTH (in sendmail version 8.10 and later) adds authentication to SMTP transactions, e.g., to determine whether to permit relaying. This is especially useful when systems or users don't run their own MTA but need to send mail, i.e., need to relay outbound mail through a central gateway.

If you're running an SMTP server that relays mail from other domains, you probably want this feature, as it's an important defense against unsolicited commercial e-mail, the perpetrators of which rely heavily on SMTP relays.

There's just one more file that may need tweaking: aliases. This file contains a map of e-mail aliases to user names. Usually an SMTP gateway doesn't need a very granular alias database; to translate entire domains' (or virtual domains') e-mail addresses you're better off using the user database (which, sadly, I don't have space to cover). It's fairly self-explanatory, though, so edit it if you need to.

Now three of the four files we've just discussed, mailertable, access and aliases, actually can't be used by sendmail directly; they must first be converted to databases. The /etc/mail file contains a handy Makefile for this purpose. To use it simply change your working directory to /etc/mail and enter this command:

Make access.db mailertable.db

Note that this won't work for aliases, which has its own utility, newaliases. Run newaliases without any flags to convert your changed /etc/aliases file into a new /etc/aliases.db file automatically.

And that's it for now. There's much I haven't covered, notably the smrsh shell (applicable mainly to local mail delivery, not to gateways). But hopefully I've given you some useful hints and pointers to more complete sources of information. Good luck!

Resources

Mick Bauer (mick@visi.com) is a network security consultant in the Twin Cities area. He's been a Linux devotee since 1995 and an OpenBSD zealot since 1997, and enjoys getting these cutting-edge OSes to run on obsolete junk.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

change /var/spool/mail

Luis Cuenca's picture

hi,
I need help abuot the configuration of the sendmail
what is the configuration to change the MAIL_DIR /var/spool/mail to other direcction?

sendmail Doubt

Dominic's picture

Hai,will sendmail work as SMTP server with out any authentication for
users those who are sitting remotely.i don't want put it as open rely.but only the @abc.com domain user can relay mail from both local and remote locations with out any authentication.Is it possible ?

Regards,
Dominic

Re: Paranoid Penguin: Hardening Sendmail

viking's picture

does sendmail support maildir.. using IMAP using old bsd format email load cpu usage high/.. i am using Postfix and Courier IMAP..

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Yes it does. It probably supports anything, you just have to tell Sendmail which filter it uses to make local deliveries. Especifically for maildirs you can use the maildrop delivery filter. Use Google to find out more about "maildrop".

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

This article is useless... What a waste of my time....

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Then don't read it... moron.

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Not to me, it really did help me

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Not useless in the least... you saved my newbie butt! I'm a complete newb with linux, but my company needed a simple mailserver (aside from our usual Novell boxes) to relay certain types of email (coming from specific servers) out the door. Linux and sendmail seemed to be the smart choice.

Your article helped me more than I can say. I've printing out and read pieces and parts of instructions from all overon how to deal with sendmail... and none of them explained it clearly enough (or in detail enough for a beginner) to get me started. Now that I understand the basics, I have plenty of experimenting I can do. Eventually I see us using a linux machine as a firewall for incoming email too.

I'm now in love with linux, and it's not in small part due to your article.

Thanks a ton,

Jason

Configuring Sendmail

Anonymous's picture

Check out Install-Sendmail which'll configure Sendmail. It's horribly easy to run and I'm going to look at some of the advice here for future improvements..

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

I wonder if it's a joke mistakingly posted two weeks in advance or if Bauer placed the wrong posting date by mistake. I am not kidding.

Cheers!

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

> Here is a simple access file:

> localhost.localdomain RELAY

> localhost RELAY

> 127.0.0.1 RELAY

You shouldn't use the entries above in your access db. They're useless as sendmail will work without it. On the other hand, most RBLs (e.g. ORDB) will detect your machine as open mail-relay and put it in their blackhole database. All entries above should be set to REJECT.

Regards

A. Danzer

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

This will only open your machine for relaying from localhost, although the top 2 lines are useless and can be exploited with some dns poisoning.

You shouldn't reject mail from 127.0.0.1 should you? Sounds stupid to me.

Baldur

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Setting these lines in the access.db doesn't block people from using the server to send junk to users on the local machine.

I'm looking for a solution to that problem if anyone is up for the chalange...

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

I have these lines in my sendmail access db; they've been there for years. I'm running the latest RedHat OEM'ed sendmail right now.

ORDB has just tested me for open relays and found nada, so there must be more to the problem than you think.

PS - my domain does both ingress and egress filtering, and those names are in the local DNS as well, so that may be why it works for me.

--The Rev

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Good overview article.

> ... sendmail must run as root if any portion of

> its required functionality does, i.e., writing

> mail to multiple users' home directories.

This isn't necessary. You can run sendmail as an ordinary user account and use group "mail" as the means to do the writing into /var/mail or other mail files.

The sendmail maintainers appear to have made a lot of progress in making sendmail's security more robust over the last several years.

Part of the reason its still so big as a whole is it can probably do more mail delivery tricks (processing, delivery means (TCP/IP, uucp, etc.), etc.) than other MTAs.

The default behavior since Sendmail 8.8 or so (as I recall) is to not relay mail.

If security is a real concern, you probably want an SMTP proxy host in front of your mail server. smtpd is a good solution. It acts as a store and forward mail gateway which strictly enforces the SMTP mail rules. You can also use tcp wrappers, and the MAPS Realtime Blackhole List with smtpd.

A well configured mail proxy on a secured system (OpenBSD or one of the security oriented linux distros make a great choice) talking to a mail host with a user mode chrooted sendmail for delivery will wear out most crackers before they compromise your mail server.

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Is there a free rbl site that has opened up in the wake of rbl requiring a contract with them (even for so-called free for individuals)?

robert

Re: Paranoid Penguin: Hardening Sendmail

Anonymous's picture

Sendmail does sanity checks on its environment at start up. A group writeable directory is considered to be a security issue, so sendmail will not start.

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState