Kurt Seifried, [email protected]
This has got to be one of the worst and best features about Red Hat Linux 7.2. My first major complaint is the lack of Postfix: not only did they fail to ship it on the CD, they failed to include it in anything like PowerTools online. To make matters worse, the Postfix RPM from 7.1 does not work properly as it expects older libraries, although you should be able to get it working with some effort. Instead of doing all that I thought I would give Sendmail a chance; I haven't used it in approximately 2-3 years, and it has been audited (very few remote root hacks in the last few months, although there were some local root hacks). There are several significant problems with the default sendmail configuration and the scripts that manage it.
This is a nice "security feature" but horribly documented (i.e. not at all) and non-trivial to fix. By default Red Hat 7.2's sendmail installation only listens on 127.0.0.1. It can receive mail sent locally on the system (i.e. from pine) and it can send out mail, but if you want other systems to send mail through it, or want to receive mail from other systems, it will not work by default. You can tell if it is doing this by issuing a netstat command:
[[email protected] mail]# netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
After looking through several files I discovered how to fix it:
First you need to edit /etc/mail/sendmail.mc, find the following section:
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
You will need to comment out the line with DAEMON_OPTIONS by putting "dnl" at the beginning of the line:
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
You will then need to rebuild the file:
m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
Once you have done this, sendmail will listen on all IP addresses on the system:
[[email protected] mail]# netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
And you can receive mail from others, and send mail from your clients.
So you've got sendmail listening, you've configured your access table and restarted sendmail, but you still cannot send mail. Do not worry: you've probably edited the access file correctly; the default script that handles sendmail is broken. Normally when you start sendmail with the script responsible for it, /etc/rc.d/init.d/sendmail, it will automatically rebuild the databases if they do not exist. This script does not work properly by default and I recommend modifying it. Find the following section in /etc/rc.d/init.d/sendmail:
echo -n $"Starting $prog: "
/usr/bin/newaliases > /dev/null 2>&1
if test -x /usr/bin/make -a -f /etc/mail/Makefile ; then
    make -C /etc/mail -q
else
    for i in virtusertable access domaintable mailertable ; do
        if [ -f /etc/mail/$i ] ; then
            makemap hash /etc/mail/$i < /etc/mail/$i
        fi
    done
fi
This section should rebuild the database files if they do not exist, and if there is a Makefile present in /etc/mail it leaves existing ones alone. If the Makefile is not present it builds the files and replaces the existing database files (so they are not preserved). I prefer to rebuild the databases by default; if your site is large enough that this rebuild takes significant time, do not do this and rebuild them manually instead. Modifying the section so that it looks like this will force a rebuild of the configuration databases each time you start or restart sendmail:
echo -n $"Starting $prog: "
/usr/bin/newaliases > /dev/null 2>&1
cd /etc/mail
rm -f *.db
make
You must remove the "-q" option on make or it will not work (you might expect the option only to suppress messages, but "-q" is make's "question" mode: it only reports whether the targets are up to date and never runs the commands, so with "-q" nothing is rebuilt). I also recommend removing the "else" clause that manually rebuilds the files, as it is no longer needed. The Makefile in /etc/mail should look like:
# These could be used by sendmail, but are not part of the default install.
# To use them you will have to generate your own sendmail.cf with
# FEATURE('whatever')
#
POSSIBLE += $(shell test -f bitdomain && echo bitdomain.db)
POSSIBLE += $(shell test -f uudomain && echo uudomain.db)
POSSIBLE += $(shell test -f genericstable && echo genericstable.db)

all: ${POSSIBLE} virtusertable.db access.db domaintable.db mailertable.db

virtusertable.db : virtusertable
	@makemap -f hash $@ < $<

userdb.db : userdb
	@makemap -f hash $@ < $<

%.db : %
	@makemap hash $@ < $<

clean:
	@rm -f *.db *~
And sendmail should be working like it is supposed to.
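As an added example (not code from the article or from Red Hat's sendmail package), here is a small POSIX shell audit of the two defaults covered so far: whether sendmail.mc still binds the daemon to 127.0.0.1, and which /etc/mail maps have a .db that is missing or older than its text source, which is the state the stock init script's "make -q" leaves behind. It runs against constructed copies of the files in a scratch directory; the names listens_loopback_only, stale_maps and WORK are mine.

```shell
#!/bin/sh
# Added example, not code from the article or from Red Hat: audit the two
# conditions the text describes on constructed copies of the files, so it
# runs anywhere. Assumed names: listens_loopback_only, stale_maps, $WORK.
set -u

# listens_loopback_only MCFILE -> true if an active (non-dnl) DAEMON_OPTIONS
# line still binds sendmail to 127.0.0.1, the Red Hat 7.2 default.
listens_loopback_only() {
    grep -v '^[[:space:]]*dnl' "$1" |
        grep -q 'DAEMON_OPTIONS(.*Addr=127\.0\.0\.1'
}

# stale_maps MAILDIR -> prints each map whose .db is missing or older than its
# text source, i.e. edits that "make -q" in the stock init script never built.
stale_maps() {
    for i in access virtusertable domaintable mailertable; do
        src="$1/$i"
        [ -f "$src" ] || continue
        if [ ! -f "$src.db" ] || [ -n "$(find "$src" -newer "$src.db")" ]; then
            echo "$i"
        fi
    done
}

# --- constructed fixture, a stand-in for /etc/mail -----------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/sendmail.mc" <<'EOF'
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
EOF
# The same file after the fix described in the text: the line is dnl'ed out.
sed 's/^DAEMON_OPTIONS/dnl DAEMON_OPTIONS/' "$WORK/sendmail.mc" > "$WORK/fixed.mc"

mkdir "$WORK/mail"
printf '10.2.0\tRELAY\n' > "$WORK/mail/access"
printf 'x' > "$WORK/mail/access.db"
touch -t 200110310000 "$WORK/mail/access.db"     # db predates the edit: stale
printf 'a\tb\n' > "$WORK/mail/virtusertable"
touch -t 200110310000 "$WORK/mail/virtusertable"
printf 'x' > "$WORK/mail/virtusertable.db"       # db newer than source: fine
printf 'x' > "$WORK/mail/mailertable"            # source with no .db: stale

listens_loopback_only "$WORK/sendmail.mc" && echo "sendmail.mc: loopback only"
listens_loopback_only "$WORK/fixed.mc" || echo "fixed.mc: listens on all addresses"
for m in $(stale_maps "$WORK/mail"); do echo "needs rebuild: $m.db"; done
```

Point it at the real /etc/mail/sendmail.mc and /etc/mail to check a live box; a non-empty stale list is the symptom the next section explains.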
The access file, /etc/mail/access, is probably the most critical file for sendmail security after keeping sendmail up to date. Each rule consists of a key (an IP address or a network block, a domain name, or an email address) and a target. The primary targets are "OK", "RELAY", "REJECT" and "DISCARD"; the secondary targets are an RFC 821 compliant error code with a message, or an RFC 1893 compliant error code. Chances are you will only use the primary targets and not the secondary. To quote the documentation:
OK                          Accept mail even if other rules in the running ruleset would reject it,
                            for example, if the domain name is unresolvable.
RELAY                       Accept mail addressed to the indicated domain or received from the
                            indicated domain for relaying through your SMTP server. RELAY also
                            serves as an implicit OK for the other checks.
REJECT                      Reject the sender or recipient with a general purpose message.
DISCARD                     Discard the message completely using the $#discard mailer. If it is
                            used in check_compat, it affects only the designated recipient, not
                            the whole message as it does in all other cases. This should only be
                            used if really necessary.
### any text                where ### is an RFC 821 compliant error code and "any text" is a
                            message to return for the command. The string should be quoted to
                            avoid surprises, e.g., sendmail may remove spaces otherwise.
ERROR:### any text          as above, but useful to mark error messages as such.
ERROR:D.S.N:### any text    where D.S.N is an RFC 1893 compliant error code and the rest as above.
The rules can be in the form:
127.0.0.1               OK
10.2.0                  RELAY
spam.com                DISCARD
annoying.org            REJECT
[email protected]        OK
[email protected]        REJECT
I recommend using DISCARD for known spammers; if you REJECT their messages you will simply use up outgoing bandwidth. Spammers do not really care whether the message gets through or not, and they do not bother to clean their lists to make sure names and domains are active.
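To see which rule a given sender or connecting host actually hits, here is an added example (not part of the article or of sendmail) that models sendmail's access map lookup order in POSIX shell, from the most specific key to the least: the full address, then the host, then each parent domain, and for IP addresses each shorter prefix. It is a simplification that ignores sendmail's tagged entries; the access_lookup and access_key functions and the sample table are my own construction.

```shell
#!/bin/sh
# Added example, not code from the article or from sendmail: a simplified
# model of how sendmail walks the access map from the most specific key to
# the least, so you can see which rule a sender actually hits. Assumed names:
# access_lookup, access_key, $ACCESS. Tagged entries (From:/Connect:) ignored.
set -u

ACCESS=$(mktemp)
trap 'rm -f "$ACCESS"' EXIT
# Constructed access table in the article's format: key, whitespace, target.
cat > "$ACCESS" <<'EOF'
127.0.0.1        OK
10.2.0           RELAY
spam.com         DISCARD
annoying.org     REJECT
friend@spam.com  OK
EOF

# access_key KEY -> target for an exact key, or nothing if the key is absent.
access_key() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$ACCESS"
}

# access_lookup ADDRESS|HOST|IP -> "TARGET (key that matched)" and status 0,
# or "no match" and status 1.
access_lookup() {
    key=$1; cands=""
    case $key in
        *@*) cands=$key; key=${key#*@} ;;   # try user@host first
    esac
    while :; do
        cands="$cands $key"
        case $key in
            *.*) case $key in
                     *[!0-9.]*) key=${key#*.} ;;   # host: drop leftmost label
                     *)         key=${key%.*} ;;   # IP: drop rightmost octet
                 esac ;;
            *) break ;;
        esac
    done
    for c in $cands; do
        t=$(access_key "$c")
        [ -n "$t" ] && { echo "$t ($c)"; return 0; }
    done
    echo "no match"; return 1
}

for who in friend@spam.com bob@mail.spam.com 10.2.0.77 10.3.0.1 annoying.org; do
    printf '%-20s %s\n' "$who" "$(access_lookup "$who")"
done
```

Note that the more specific friend@spam.com OK entry wins over the spam.com DISCARD entry, which is how you exempt one correspondent at a discarded domain.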
Last updated 31/10/2001
Copyright Kurt Seifried 2001