This section discusses administering Sendmail security options. It covers using the Sendmail restricted shell program, turning off standard security checks, disabling privacy options, enabling SMTP authentication based on RFC 2554, and support for RFC 1413 (Identification Protocol).

Using the Sendmail Restricted Shell Program

Sendmail allows the aliases file or a user's .forward file to specify programs to be run. By default, these programs are invoked through /usr/bin/sh -c. The Sendmail restricted shell (smrsh) program enables you to restrict the programs that can be run through the aliases file or through a .forward file: only programs that are linked into the /var/adm/sm.bin directory can be invoked. To use the smrsh program, complete the following steps:

1. In the /etc/mail/sendmail.cf file, comment the following lines by inserting a pound sign (#) before each line:

   # Mprog, P=/usr/bin/sh, F=lsDFMoeu, S=10/30, R=20/40, D=$z:/,

2. In the /etc/mail/sendmail.cf file, uncomment the following lines by deleting the pound sign (#) before each line:

   Mprog, P=/usr/bin/smrsh, F=lsDFMoeu, S=10/30, R=20/40, D=$z:/,

3. Create the directory /var/adm/sm.bin/ with root:bin ownership and 755 permissions. Place the binaries of the programs that you want to allow into this directory (you can also use hard links to the binaries). Typically, programs such as vacation, rmail, and AutoReply are placed in this directory. Do not place shells and interpreters such as ksh, sh, csh, and perl in this directory: a shell reachable through smrsh lets any alias or .forward file run arbitrary commands, which defeats the purpose of the restricted shell.
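The following audit script is an added example and is not part of the original document. It checks an smrsh program directory and a sendmail.cf against the rules in the steps above: the directory must not be group- or world-writable, must be owned by the expected user (root per the guide), must not contain shells or interpreters (it treats bash the same as the shells the guide names), and the active Mprog mailer must use /usr/bin/smrsh with the /usr/bin/sh mailer no longer active. Paths and the expected owner are parameters so it can be run against a copy.

```shell
#!/bin/sh
# Added audit check; not part of the original document.
# check_smrsh_dir DIR OWNER: returns 0 if DIR satisfies the smrsh rules,
# 1 otherwise; prints one FAIL line per finding.
check_smrsh_dir() {
    dir=$1
    owner=${2:-root}     # expected owner, root per the guide
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    # ls -ld prints "drwxr-xr-x 2 root bin ..."; take the mode and owner
    mode=$(ls -ld "$dir" | cut -c1-10)
    actual_owner=$(ls -ld "$dir" | awk '{print $3}')
    case $mode in
        d????-??-?) ;;   # group (6th) and other (9th) write bits are clear
        *) echo "FAIL: $dir is group- or world-writable ($mode)"; rc=1 ;;
    esac
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $dir is owned by $actual_owner, expected $owner"; rc=1
    fi
    # Shells and interpreters must never be reachable through smrsh
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case $(basename "$f") in
            sh|ksh|csh|bash|perl)
                echo "FAIL: interpreter $(basename "$f") present in $dir"; rc=1 ;;
        esac
    done
    return $rc
}

# check_sendmail_cf FILE: returns 0 only if the active (uncommented) Mprog
# mailer uses /usr/bin/smrsh and no active Mprog line still uses /usr/bin/sh.
check_sendmail_cf() {
    active=$(grep '^Mprog,' "$1")
    case $active in
        *P=/usr/bin/smrsh,*) ;;
        *) return 1 ;;
    esac
    case $active in
        *P=/usr/bin/sh,*) return 1 ;;
    esac
    return 0
}
# Live-system use with the guide's defaults:
#   check_smrsh_dir /var/adm/sm.bin root && check_sendmail_cf /etc/mail/sendmail.cf
```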
Turning Off Standard Security Checks

Sendmail has security checks that limit reading and writing to certain files in a directory. These checks protect files that may reside in unsafe directories or that may be tampered with by users other than the owner. You can turn these safety checks off by editing the DontBlameSendmail option in the configuration file. In the sendmail.cf file, change DontBlameSendmail=option value, where option value is any of the options listed in Table 2-2 "Option Values for DontBlameSendmail". The default option value is safe. After you change option value, the new value becomes the default value. Every value other than safe disables one of these checks, so set only the specific values you need.

Table 2-2 Option Values for DontBlameSendmail

Option Value | Description
---|---
safe | Allows files only in a safe directory. All files accessed by Sendmail must be safe.
AssumeSafeChown | Assumes that the chown system call is restricted to root.
ClassFileInUnsafeDirPath | Allows class files that are in unsafe directories.
ErrorHeaderInUnsafeDirPath | Allows the file named in the ErrorHeader option to be in an unsafe directory.
ForwardFileInGroupWritableDirPath | Allows .forward files in group-writable directories.
GroupWritableDirPathSafe | Considers group-writable directories to be safe. Sendmail will read messages from group-writable directories.
GroupWritableIncludeFileSafe | Accepts group-writable :include: files.
GroupWritableAliasFile | Allows group-writable alias files.
HelpFileInUnsafeDirPath | Allows the help file to be in an unsafe directory.
IncludeFileInGroupWritableDirPath | Allows :include: files in group-writable directories.
ForwardFileInUnsafeDirPath | Allows a .forward file that is in an unsafe directory to include references to programs and files.
IncludeFileInUnsafeDirPathSafe | Allows an :include: file that is in an unsafe directory to include references to programs and files.
MapInUnsafeDirPath | Allows maps (for example, hash, btree, and dbm files) in unsafe directories.
LinkedAliasFileInWritableDir | Allows an alias file that is a link in a writable directory.
LinkedClassFileInWritableDir | Allows class files that are links in writable directories.
LinkedForwardFileInWritableDir | Allows .forward files that are links in writable directories.
LinkedIncludeFileInWritableDir | Allows :include: files that are links.
LinkedMapInWritableDir | Allows map files that are links in writable directories.
LinkedServiceSwitchFileInWritableDir | Allows the service switch file to be a link even if the directory is writable.
FileDeliveryToHardLink | Allows delivery to files that are hard links.
FileDeliveryToSymLink | Allows delivery to files that are symbolic links.
WriteMapToHardLink | Allows writes to maps that are hard links.
WriteMapToSymLink | Allows writes to maps that are symbolic links.
WriteStatsToHardLink | Allows the status file to be a hard link.
WriteStatsToSymLink | Allows the status file to be a symbolic link.
RunProgramInUnsafeDirPath | Allows Sendmail to run programs that are in writable directories.
RunWritableProgram | Allows Sendmail to run programs that are group- or world-writable.
WorldWritableAliasFile | Accepts world-writable alias files.
Disabling Privacy Options

You can now disable the ETRN and VERB privacy options by using the noetrn and noverb flags:

- The noetrn flag disables the SMTP ETRN command, enabling Sendmail to process its queue in a synchronous mode.
- The noverb flag disables the SMTP VERB command, turning off verbose mode.

For more information on the different privacy options, see the Sendmail configuration file /etc/mail/sendmail.cf.

Enabling SMTP Authentication Based on RFC 2554

A new option to set the AUTH parameter in the MAIL FROM command has been added to the sendmail.cf file. By default, it appears as follows:

   #O AuthOptions

Sendmail supports SMTP AUTH as defined in RFC 2554 (SMTP Service Extension for Authentication), which is based on the Simple Authentication and Security Layer (SASL), RFC 2222. SMTP authentication provides a robust tool to control relaying with maximum flexibility. SASL is mainly used for roaming users whose IP address and host name change repeatedly. In this case, authorization is via a secret password, which is client dependent. The authentication protocol exchange consists of a series of server challenges (otherwise known as a ready response) and client answers that are specific to the authentication mechanism. The AUTH parameter to the MAIL FROM command is set as follows:

   MAIL FROM: from-addr AUTH=addr-spec

The addr-spec contains the identity that submitted the message to the delivery system. If the server trusts the authenticated identity of the client to assert that the message was originally submitted by the supplied addr-spec, then the server must supply the same addr-spec in an AUTH parameter when relaying the message to any server that supports the AUTH extension. If you set the AuthOptions option to A, the AUTH= parameter for the MAIL FROM command is issued only when authentication succeeds.

You can specify the list of authentication mechanisms for AUTH in the AuthMechanisms option in the sendmail.cf file. By default, it appears in the sendmail.cf file as follows:

   #O AuthMechanisms=GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5

DaemonPortOptions has a suboption called modifiers (M). The modifiers suboption contains an authentication flag, a, which instructs the daemon to authenticate all its connections.

The DefaultAuthInfo option sets the name of the file that contains the authentication information for outgoing connections. By default, it appears in the sendmail.cf file as:

   #O DefaultAuthInfo=/etc/mail/default-auth-info

The file must contain the authorization ID (userid), the authentication ID (authid), the password (plain text), and the realm to use, each on a separate line. Because it holds a plain-text password, this file must be readable only by root (or by the trusted user). If you do not specify a realm, $j is used.

Support for RFC 1413 (Identification Protocol)

identd is a server that implements the TCP/IP proposed standard IDENT user identification protocol as specified in RFC 1413. identd listens on port 113 and operates by looking up specific TCP/IP connections and returning the user owning the process that owns the connection. Sendmail uses identd as an advisory mechanism to log the user name and host name of the Sendmail client. identd may cause additional traffic for collecting the user name, which may adversely affect the performance of Sendmail.

Enabling identd on the Sendmail Server

You can enable identd on the Sendmail server by uncommenting the identd timeout entry in the /etc/mail/sendmail.cf file. By default, the identd timeout value is 5 seconds. You can disable identd to improve the performance of the system by commenting out this entry. The following sections discuss disabling identd.

Disabling identd on the Remote Client

You must comment out the following line in the /etc/inetd.conf file on the client system by placing a pound sign (#) in the first column, as follows:

   #auth stream tcp wait bin /usr/lbin/identd identd

The previous entry applies to an IPv4-enabled system. If the system is IPv6 enabled, then you must comment out the following line:

   #auth stream tcp6 wait bin /usr/lbin/identd identd

Then execute the command inetd -c to restart the inetd daemon on the client system, thereby forcing inetd to reread the inetd.conf file.

Disabling identd from the Sendmail Server

This is probably an easier way of disabling identd, because you need not be concerned about the remote client having identd disabled. In the file /etc/mail/sendmail.cf on the Sendmail server, modify the identd timeout entry accordingly. Then kill and restart Sendmail.
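The following shell functions are an added example (not part of the original document) that applies the remote-client step above to an inetd.conf file: disable_identd_inetd comments out any active auth entries for both tcp and tcp6, leaves already-commented lines untouched so it can be run repeatedly, and identd_active reports whether an active entry remains. The inetd.conf path is a parameter; running inetd -c afterwards is left to the operator.

```shell
#!/bin/sh
# Added example; not part of the original document.
# identd_active FILE: returns 0 if FILE still has an uncommented identd
# (service "auth") entry for tcp or tcp6, 1 if none is active.
identd_active() {
    awk '$1 == "auth" && ($3 == "tcp" || $3 == "tcp6") { found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# disable_identd_inetd FILE: comments out active auth entries for tcp and
# tcp6 by placing a pound sign in the first column. Lines already starting
# with # have "#auth" as their first field and are left alone, so the
# function is idempotent. The file is rewritten in place via a temp copy.
# Returns 0 when no active entry remains, 1 otherwise.
disable_identd_inetd() {
    file=$1
    work="$file.$$"
    awk '$1 == "auth" && ($3 == "tcp" || $3 == "tcp6") { print "#" $0; next }
         { print }' "$file" > "$work" || { rm -f "$work"; return 1; }
    mv "$work" "$file"
    # Verify the result rather than trusting the rewrite
    identd_active "$file" && return 1
    return 0
}
# Client-side use (then run: inetd -c):
#   disable_identd_inetd /etc/inetd.conf
```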