Custom Search

Setting up a secure Linux server - Sendmail - after the installation

I switched to handwritten notes after printing this page, so it's
very incomplete. Read everything that comes with the current 
version, especially op.txt.
Most of this is copied verbatim.
makemap -v = verbose!
======================== options are defined in op.txt
                [P] If set, copies of error messages will be
                sent to  the  named  postmaster. 
                [p] Set the privacy options.  ``Privacy'' is
                really a misnomer; many of these are just  a
                way  of  insisting  on stricter adherence to
                the  SMTP  protocol.   The  options  can  be
                selected from:
                    public         Allow open access
                    needmailhelo   Insist on HELO or EHLO command before MAIL
                    needexpnhelo   Insist on HELO or EHLO command before EXPN
                    noexpn         Disallow EXPN entirely, implies noverb.
                    needvrfyhelo   Insist on HELO or EHLO command before VRFY
                    novrfy         Disallow VRFY entirely
                    noetrn         Disallow ETRN entirely
                    noverb         Disallow VERB entirely
                    restrictmailq  Restrict mailq command
                    restrictqrun   Restrict -q command line flag
                    restrictexpand Restrict -bv and -v command line flags
                    noreceipts     Don't return success DSNs20
                    nobodyreturn   Don't return the body of a message with DSNs
                    goaway         Disallow essentially all SMTP status queries
                    authwarnings   Put X-Authentication-Warning: headers in messages
                                   and log warnings
                The  "goaway"  pseudo-flag  sets  all  flags
                except     "noreceipts",    "restrictmailq",
                "restrictqrun", "restrictexpand",  "noetrn",
                and "nobodyreturn".  If mailq is restricted,
                only people in the same group as  the  queue
                directory  can  print  the  queue.  If queue
                runs are restricted, only root and the owner
                of  the  queue  directory can run the queue.
                The "restrictexpand"  pseudo-flag  instructs
                sendmail  to  drop  privileges  when the -bv
                option is given by  users  who  are  neither
                root  nor  the  TrustedUser  so users cannot
                read private aliases, forwards, or :include:
                files.  It will add the "NonRootSafeAddr" to
                the "DontBlameSendmail"  option  to  prevent
                misleading unsafe address warnings.  It also
                overrides  the  -v  (verbose)  command  line
                option   to   prevent  information  leakage.
                Authentication Warnings add  warnings  about
                various   conditions   that   may   indicate
                attempts to spoof the mail system,  such  as
                using a non-standard queue directory.
 one way to specify a  message  sub-
                mission  agent  (MSA)  that  always requires
                authentication is:  
  O DaemonPortOptions=Name=MSA, Port=587, M=Ea
	New M=S modifier for ClientPortOptions/DaemonPortOptions to turn off
		using/offering STARTTLS when delivering/receiving e-mail.
                a         always require authentication
                    b         bind to interface through which mail has been received
                    c         perform hostname canonification (.cf)
                    f         require fully qualified hostname (.cf)
                    u         allow unqualified addresses (.cf)
                    A         disable AUTH (overrides 'a' modifier)
                    C         don't perform hostname canonification
                    E         disallow ETRN (see RFC 2476)
                    O         optional; if opening the socket fails ignore it
                    S         don't offer STARTTLS
                The modifiers that are marked  with  "(.cf)"
                have  only effect in the standard configura-
                tion file, in which they are  available  via
                ${daemon_flags}.   Notice:  Do  not  use the
                ``a'' modifier on a public  accessible  MTA!
                It  should  only  be  used for a MSA that is
                accessed by  authorized  users  for  initial
                mail submission.  Users must authenticate to
                use a MSA which has this option  turned  on.
                The  flags  ``c''  and  ``C'' can change the
                default for hostname canonification  in  the
       file.  See the relevant documen-
                tation for FEATURE(nocanonify).   The  modi-
                fier  ``f''  disallows addresses of the form
                user@host   unless   they   are    submitted
                directly.  The flag ``u'' allows unqualified
                sender addresses, i.e., those without @host.
                ``b''  forces sendmail to bind to the inter-
                face  through  which  the  e-mail  has  been
                received for the outgoing connection.  WARN-
                ING: Use ``b'' only if outgoing mail can  be
                routed  through  the  incoming  connection's
                interface to its destination. No attempt  is
                made  to catch problems due to a misconfigu-
                ration of this parameter, use  it  only  for
                virtual hosting where each virtual interface
                can  connect  to  every  possible  location.
                This  will  also  override possible settings
                via ClientPortOptions.  Note, sendmail  will
                listen on a new socket for each occurence of
                the DaemonPortOptions option in a configura-
                tion  file.  The modifier ``O'' causes send-
                mail to ignore  a  socket  if  it  can't  be
                opened.   This  applies to failures from the
                socket(2) and bind(2) calls.
Forcing the Queue
In some cases you may find that the queue has gotten clogged for some reason. You can force a queue run using the -q flag (with no value). It is entertaining to use the -v flag (verbose) when this is done to watch what happens: 
/usr/sbin/sendmail -q -v
Logging Traffic
Many SMTP implementations do not fully implement the protocol. For example, some personal computer based SMTPs do not understand continuation lines in reply codes. These can be very hard to trace. If you suspect such a problem, you can set traffic logging using the -X flag. For example, 
/usr/sbin/sendmail -X /tmp/traffic -bd
will log all traffic in the file /tmp/traffic. 
This logs a lot of data very quickly and should NEVER be used during normal operations. After starting up such a daemon, force the errant implementation to send a message to your host. All message traffic in and out of sendmail, including the incoming SMTP traffic, will be logged in this file. 
      1.3.4.  /usr/bin/newaliases
              The newaliases command should just be  a  link
         to sendmail:
             rm -f /usr/bin/newaliases
             ln -s /usr/sbin/sendmail /usr/bin/newaliases
         This  can  be installed in whatever search path you
         prefer for your system.
      1.3.5.  /usr/bin/hoststat
              The hoststat command should just be a link  to
         sendmail, in a fashion similar to newaliases.  This
         command lists the status of the last mail  transac-
         tion  with all remote hosts.  The -v flag will pre-
         vent the status display from being  truncated.   It
         functions  only when the HostStatusDirectory option
         is set.
      1.3.6.  /usr/bin/purgestat
              This command is also a link to  sendmail.   It
         flushes  expired  (Timeout.hoststatus)  information
         that is stored in the HostStatusDirectory tree.
      1.3.8.  /var/spool/mqueue/.hoststat
              This is a typical value for the  HostStatusDi-
         rectory  option,  containing one file per host that
         this sendmail has chatted  with  recently.   It  is
         normally a subdirectory of mqueue.
The contents of the queue can be printed using the mailq command (or by specifying the -bp flag to sendmail): 
This will produce a listing of the queue id's, the size of the message, the date the message entered the queue, and the sender and recipients. 
       one     of    the    startup    files,    typically
             if [ -f /usr/sbin/sendmail -a -f /etc/mail/ ]; then
                  (cd /var/spool/mqueue; rm -f xf*)
                  /usr/sbin/sendmail -bd -q30m &
                  echo -n ' sendmail' >/dev/console
         The "cd" and "rm" commands insure  that  all  tran-
         script  files  have  been removed; extraneous tran-
         script files may be left around if the system  goes
         down  in  the  middle of processing a message.  The
         line that actually invokes sendmail has two  flags:
         "-bd"  causes  it  to  listen on the SMTP port, and
         "-q30m" causes it to run the queue every half hour.
      1.3.12.  /etc/mail/statistics
              If you wish to collect statistics  about  your
         mail   traffic,   you   should   create   the  file
             cp /dev/null /etc/mail/statistics
             chmod 644 /etc/mail/statistics
         This file does not grow.  It is  printed  with  the
         program  "mailstats/mailstats.c."   The actual path
         of this file is defined in  the  S  option  of  the file.
                [S] Log  summary  statistics  in  the  named
                file.    If   no  file  name  is  specified,
                "statistics" is used.  If not set,  no  sum-
                mary  statistics  are saved.  This file does
                not grow in size.  It can be  printed  using
                the mailstats(8) program.
As a convention, log  levels  under  ten  are considered generally "useful;"
         log levels above 64 are reserved for debugging purposes.
      10   Database expansion (alias,  forward,  and  userdb
           lookups) and authentication information.
      11   NIS errors and end of job processing.
      12   Logs all SMTP connections.
      13   Log  bad user shells, files with improper permis-
           sions, and other questionable situations.
      14   Logs refused connections.
      15   Log all incoming and outgoing SMTP commands.
      20   Logs attempts to run locked queue  files.   These
           are not errors, but can be useful to note if your
           queue appears to be clogged.
      30   Lost  locks  (only  if  using  lockf  instead  of
      Additionally,   values   above  64  are  reserved  for
      extremely verbose debugging output.   No  normal  site
      would ever set these.
           You  can  ask  sendmail to log a dump of the open
      files and the connection cache by sending it a SIGUSR1
      signal.  The results are logged at LOG_DEBUG priority.
 if you are using the genericstable, you should add any domains 
you wish to reverse-map to /etc/mail/generics-domains.
For a list  of  named debug categories in the sendmail binary, use
strings /usr/sbin/sendmail | grep Debug
Persistent Host Status Information
When HostStatusDirectory is enabled, information about the status of hosts is maintained on disk and can thus be shared between different instantiations of sendmail. The status of the last connection with each remote host may be viewed with the command: 
sendmail -bh
This information may be flushed with the command: 
sendmail -bH
Flushing the information prevents new sendmail processes from loading it, but does not prevent existing processes from using the status information that they already have. 

	The .cf file is chosen based on the operation mode. For -bm (default),
		-bs, and -t it is if it exists for all others it
		is (to be backward compatible).  This selection
		can be changed by the new option -Ac or -Am (alternative .cf
		file: client or mta).  See sendmail/SECURITY.

 /usr/sbin/sendmail -bd -q20m

mail = gid 12
/var/spool				755	  root.root
               /mail 				775    root.mail
		/mqueue			755    root.root
/usr/sbin/sendmail   root.bin ?
      Dumps the contents of the mail spool, along with the status of
      each message.
      Shows various usage stats.
      Displays current aliases.
      Auto-responder of sorts for when you're laying on the beach.

Custom Search