Loading
Hardening Sendmail
Mick examines sendmail's security controversies and builds an SMTP gateway for handling internet mail.
______________________
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
- RSS Feeds
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- Dynamic DNS—an Object Lesson in Problem Solving
- New Products
- Validate an E-Mail Address with PHP, the Right Way
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Download the Free Red Hat White Paper "Using an Open Source Framework to Catch the Bad Guy"
- Tech Tip: Really Simple HTTP Server with Python
- myip
58 min 47 sec ago - Keeping track of IP address
2 hours 49 min ago - Roll your own dynamic dns
8 hours 3 min ago - Please correct the URL for Salt Stack's web site
11 hours 14 min ago - Android is Linux -- why no better inter-operation
13 hours 29 min ago - Connecting Android device to desktop Linux via USB
13 hours 58 min ago - Find new cell phone and tablet pc
14 hours 56 min ago - Epistle
16 hours 25 min ago - Automatically updating Guest Additions
17 hours 34 min ago - I like your topic on android
18 hours 20 min ago
Poll
Comments
change /var/spool/mail
hi,
I need help abuot the configuration of the sendmail
what is the configuration to change the MAIL_DIR /var/spool/mail to other direcction?
sendmail Doubt
Hai,will sendmail work as SMTP server with out any authentication for
users those who are sitting remotely.i don't want put it as open rely.but only the @abc.com domain user can relay mail from both local and remote locations with out any authentication.Is it possible ?
Regards,
Dominic
Re: Paranoid Penguin: Hardening Sendmail
does sendmail support maildir.. using IMAP using old bsd format email load cpu usage high/.. i am using Postfix and Courier IMAP..
Re: Paranoid Penguin: Hardening Sendmail
Yes it does. It probably supports anything, you just have to tell Sendmail which filter it uses to make local deliveries. Especifically for maildirs you can use the maildrop delivery filter. Use Google to find out more about "maildrop".
Re: Paranoid Penguin: Hardening Sendmail
This article is useless... What a waste of my time....
Re: Paranoid Penguin: Hardening Sendmail
Then don't read it... moron.
Re: Paranoid Penguin: Hardening Sendmail
Not to me, it really did help me
Re: Paranoid Penguin: Hardening Sendmail
Not useless in the least... you saved my newbie butt! I'm a complete newb with linux, but my company needed a simple mailserver (aside from our usual Novell boxes) to relay certain types of email (coming from specific servers) out the door. Linux and sendmail seemed to be the smart choice.
Your article helped me more than I can say. I've printing out and read pieces and parts of instructions from all overon how to deal with sendmail... and none of them explained it clearly enough (or in detail enough for a beginner) to get me started. Now that I understand the basics, I have plenty of experimenting I can do. Eventually I see us using a linux machine as a firewall for incoming email too.
I'm now in love with linux, and it's not in small part due to your article.
Thanks a ton,
Jason
Configuring Sendmail
Check out Install-Sendmail which'll configure Sendmail. It's horribly easy to run and I'm going to look at some of the advice here for future improvements..
Re: Paranoid Penguin: Hardening Sendmail
I wonder if it's a joke mistakingly posted two weeks in advance or if Bauer placed the wrong posting date by mistake. I am not kidding.
Cheers!
Re: Paranoid Penguin: Hardening Sendmail
> Here is a simple access file:
> localhost.localdomain RELAY
> localhost RELAY
> 127.0.0.1 RELAY
You shouldn't use the entries above in your access db. They're useless as sendmail will work without it. On the other hand, most RBLs (e.g. ORDB) will detect your machine as open mail-relay and put it in their blackhole database. All entries above should be set to REJECT.
Regards
A. Danzer
Re: Paranoid Penguin: Hardening Sendmail
This will only open your machine for relaying from localhost, although the top 2 lines are useless and can be exploited with some dns poisoning.
You shouldn't reject mail from 127.0.0.1 should you? Sounds stupid to me.
Baldur
Re: Paranoid Penguin: Hardening Sendmail
Setting these lines in the access.db doesn't block people from using the server to send junk to users on the local machine.
I'm looking for a solution to that problem if anyone is up for the chalange...
Re: Paranoid Penguin: Hardening Sendmail
I have these lines in my sendmail access db; they've been there for years. I'm running the latest RedHat OEM'ed sendmail right now.
ORDB has just tested me for open relays and found nada, so there must be more to the problem than you think.
PS - my domain does both ingress and egress filtering, and those names are in the local DNS as well, so that may be why it works for me.
--The Rev
Re: Paranoid Penguin: Hardening Sendmail
Good overview article.
> ... sendmail must run as root if any portion of
> its required functionality does, i.e., writing
> mail to multiple users' home directories.
This isn't necessary. You can run sendmail as an ordinary user account and use group "mail" as the means to do the writing into /var/mail or other mail files.
The sendmail maintainers appear to have made a lot of progress in making sendmail's security more robust over the last several years.
Part of the reason its still so big as a whole is it can probably do more mail delivery tricks (processing, delivery means (TCP/IP, uucp, etc.), etc.) than other MTAs.
The default behavior since Sendmail 8.8 or so (as I recall) is to not relay mail.
If security is a real concern, you probably want an SMTP proxy host in front of your mail server. smtpd is a good solution. It acts as a store and forward mail gateway which strictly enforces the SMTP mail rules. You can also use tcp wrappers, and the MAPS Realtime Blackhole List with smtpd.
A well configured mail proxy on a secured system (OpenBSD or one of the security oriented linux distros make a great choice) talking to a mail host with a user mode chrooted sendmail for delivery will wear out most crackers before they compromise your mail server.
Re: Paranoid Penguin: Hardening Sendmail
Is there a free rbl site that has opened up in the wake of rbl requiring a contract with them (even for so-called free for individuals)?
robert
Re: Paranoid Penguin: Hardening Sendmail
Sendmail does sanity checks on its environment at start up. A group writeable directory is considered to be a security issue, so sendmail will not start.