HP-UX Mailing Services Administrator's Guide: HP-UX 11i v1 and HP-UX 11i v2 > Chapter 2 Configuring and Administering Sendmail

Security
This section discusses administering Sendmail security options. It discusses the following topics:

Sendmail allows the aliases file or a user's .forward file to specify programs to be run. By default these programs are invoked through /usr/bin/sh -c, so anyone who can write an alias entry or a .forward file can run an arbitrary command through the mail system. The Sendmail restricted shell (smrsh) program restricts the programs that can be run from the aliases file or from a .forward file: only programs that are linked into the /var/adm/sm.bin directory can be invoked, so the administrator, not the mail user, decides which programs are reachable. To use the smrsh program, complete the following steps:
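Before switching the delivery agent to smrsh it is worth knowing which aliases already pipe into a program that is not linked into /var/adm/sm.bin, because those deliveries will start to fail. The following script is an added example written for this guide and is not part of the HP-UX product or the Sendmail distribution. It builds a constructed aliases file and a constructed sm.bin directory under a temporary directory so that it runs anywhere; on a real system set ALIASES to /etc/mail/aliases and SMBIN to /var/adm/sm.bin.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): audit an aliases file against the
# smrsh directory. Every program piped to from an alias must be linked into
# sm.bin, otherwise smrsh refuses to run it and the delivery fails.
# All paths below are constructed under a temp dir; on a real host use
# ALIASES=/etc/mail/aliases and SMBIN=/var/adm/sm.bin.

WORK=$(mktemp -d)
ALIASES="$WORK/aliases"
SMBIN="$WORK/sm.bin"
mkdir -p "$SMBIN"

# Constructed sample aliases file: two pipe aliases, one file alias.
cat > "$ALIASES" <<'EOF'
# comment line
postmaster: root
vacation-joe: "|/usr/bin/vacation joe"
majordomo: "|/usr/local/majordomo/wrapper majordomo"
archive: /var/mail/archive
EOF

# Only vacation has been approved: link it into sm.bin as the procedure requires.
# (A placeholder binary stands in for the real /usr/bin/vacation.)
: > "$WORK/vacation"; chmod 755 "$WORK/vacation"
ln -s "$WORK/vacation" "$SMBIN/vacation"

# list_pipe_programs FILE: print the program path of every "|cmd ..." alias.
list_pipe_programs() {
    # skip comments; keep lines whose right-hand side is an optional quote then '|'
    sed -n 's/^[^#][^:]*:[[:space:]]*"\{0,1\}|\([^ "]*\).*/\1/p' "$1"
}

# smrsh_missing ALIASES SMBIN: print the basename of every piped program that is
# NOT linked into SMBIN (smrsh looks programs up by basename); status 1 if any.
smrsh_missing() {
    rc=0
    for prog in $(list_pipe_programs "$1"); do
        base=$(basename "$prog")
        if [ ! -x "$2/$base" ]; then
            echo "$base"
            rc=1
        fi
    done
    return $rc
}

smrsh_missing "$ALIASES" "$SMBIN" || echo "link the programs above into $SMBIN (or drop the aliases) before enabling smrsh"
```

The check only covers what the procedure above states, that the program must be linked into sm.bin; it does not reproduce smrsh's own rejection of shell metacharacters in the command line, so a clean report here is necessary but not sufficient.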
Sendmail has security checks that limit reading and writing of certain files in a directory. These checks protect files that may reside in unsafe directories (for example, a directory writable by users other than its owner) or that may be tampered with by users other than the owner. You can relax these safety checks by editing the DontBlameSendmail option in the configuration file. In the sendmail.cf file, change DontBlameSendmail=option value, where option value is any of the options listed in Table 2-2 “Option Values for DontBlameSendmail”. The default option value is Safe, which leaves every check enabled. After you change option value, the new value takes effect the next time Sendmail reads its configuration. Every other value disables one specific check, so relax only the check you actually need; the option name is a reminder that Sendmail is no longer responsible for what a user who can write to the affected file or directory can do.

Table 2-2 Option Values for DontBlameSendmail
You can disable the SMTP ETRN and VERB commands by adding the noetrn and noverb flags to the PrivacyOptions option:
For more information on the different privacy options, see the Sendmail configuration file /etc/mail/sendmail.cf.

A new option that controls the AUTH parameter of the MAIL FROM command has been added to the sendmail.cf file. By default, it appears commented out, as follows:

#O AuthOptions

Sendmail supports SMTP AUTH as defined in RFC 2554 (SMTP Service Extension for Authentication), which is based on the Simple Authentication and Security Layer (SASL, RFC 2222). SMTP authentication is a flexible way to control relaying: instead of relaying only for a fixed list of client addresses, the server relays for clients that prove their identity. SASL is mainly used for roaming users whose IP address and host name change repeatedly; in that case the user is authenticated with a secret password held by the client. The authentication protocol exchange consists of a series of server challenges (also known as ready responses, sent as 334 replies carrying a base64-encoded string) and client answers that are specific to the authentication mechanism. The AUTH parameter to the MAIL FROM command is set as follows:
The addr-spec identifies the entity that submitted the message to the delivery system. If the server trusts the authenticated identity of the client to assert that the message was originally submitted by the supplied addr-spec, then the server should supply the same addr-spec in an AUTH parameter when relaying the message to any server that supports the AUTH extension. If the client did not authenticate, or the server does not trust it to make that assertion, the server must behave as if AUTH=<> had been supplied, so that an unverified identity is not passed on as a verified one. You can specify the list of authentication mechanisms for AUTH in the AuthMechanisms option in the sendmail.cf file. By default, it appears in the sendmail.cf file as follows:
If you set AuthOptions to A, the AUTH= parameter for the MAIL FROM command is issued only when authentication succeeds. DaemonPortOptions has a suboption called modifiers (M). The modifiers suboption accepts an authentication flag, a, which instructs the daemon to require authentication on all its connections. By default, it appears in the sendmail.cf file as:
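The exchange described above, reduced to the three pieces an administrator has to get right, as an added example that is not part of the guide or of Sendmail: the base64 initial response a client sends for AUTH PLAIN, the MAIL FROM line with its AUTH= parameter, and the RFC 2554 rule for what a relaying server may put in that parameter. The user name, password and host names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): the SMTP AUTH pieces in shell.
# Credentials and hostnames are constructed values.

# auth_plain_response AUTHZID AUTHCID PASSWORD
# PLAIN is  authzid NUL authcid NUL password, base64-encoded (RFC 2595).
# It carries the password in the clear, so use it only inside TLS.
auth_plain_response() {
    printf '%s\0%s\0%s' "$1" "$2" "$3" | base64 | tr -d '\n'
}

# mail_from_line SENDER AUTHPARAM: the MAIL FROM command with AUTH= appended.
# (RFC 2554 requires xtext encoding of '+' and '=' inside the addr-spec;
# the sample addresses contain neither, so no encoding is done here.)
mail_from_line() {
    printf 'MAIL FROM:<%s> AUTH=%s\r\n' "$1" "$2"
}

# relay_auth_param AUTHENTICATED TRUSTED ADDR_SPEC
# RFC 2554 section 5: a relay supplies the same addr-spec only if the client
# authenticated AND the server trusts that identity; in every other case it
# must behave as if AUTH=<> had been supplied.
relay_auth_param() {
    if [ "$1" = yes ] && [ "$2" = yes ]; then
        printf '<%s>' "$3"
    else
        printf '<>'
    fi
}

# Walk through the exchange for a roaming user (constructed values).
resp=$(auth_plain_response "" joe@example.com s3cret)
echo "C: AUTH PLAIN $resp"
echo "S: 235 2.0.0 OK Authenticated"   # a 334 reply here would be a further challenge
printf 'C: '; mail_from_line joe@example.com "$(relay_auth_param yes yes joe@example.com)"
echo "S: 250 2.1.0 Sender ok"
echo "--- the same message relayed onward by a server that does not trust this one:"
printf 'C: '; mail_from_line joe@example.com "$(relay_auth_param yes no joe@example.com)"
```

With AuthOptions set to A, Sendmail applies the same rule on its own outgoing connections: the AUTH= parameter is emitted only after a successful authentication, which is what relay_auth_param models.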
The DefaultAuthInfo option names the file that contains the authentication information used for outgoing connections. The file must contain the authorization ID (userid), the authentication ID (authid), the password (in plain text), and the realm to use, each on a separate line. Because it holds a clear-text password, this file must be readable only by root (or by the trusted user). If you do not specify a realm, $j (the local host name) is used.

identd is a server that implements the TCP/IP proposed standard IDENT user identification protocol as specified in RFC 1413. identd listens on port 113 and operates by looking up a specific TCP/IP connection and returning the user that owns the process owning that connection. Sendmail uses identd as an advisory mechanism to log the user name and host name of the Sendmail client; the answer is supplied by the remote host and cannot be verified, so it is useful for logging only and must never be used for access control. identd may cause additional traffic for collecting the user name, which may adversely affect the performance of Sendmail. You can enable identd on the Sendmail server by uncommenting the following entry in the /etc/mail/sendmail.cf file:
By default, the identd timeout value is 5 seconds. Commenting the entry out again only restores that built-in default; to stop the lookups entirely, set the timeout to zero on the server as described below. The following sections discuss disabling identd:

To disable identd on the client system, comment out the following line in the /etc/inetd.conf file by placing a pound sign (#) in the first column:
The previous entry is for an IPv4 enabled system. If the system is IPv6 enabled, then you must comment out the following line:
Then execute the command inetd -c to make the inetd daemon on the client system reread the inetd.conf file. Disabling the lookup on the Sendmail server is the easier way, because you then need not be concerned with whether every remote client has identd disabled. In the file /etc/mail/sendmail.cf on the Sendmail server, modify the following entry:
as
Now kill and restart Sendmail so that it reads the new configuration.
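The settings this section walks through (DontBlameSendmail, the noetrn and noverb privacy flags, AuthOptions, the a modifier of DaemonPortOptions, the DefaultAuthInfo file permissions, the identd timeout and the identd entries in inetd.conf) are easy to check in one pass. The script below is an added example written for this guide, not HP-UX or Sendmail code. It writes a constructed sendmail.cf, DefaultAuthInfo file and inetd.conf into a temporary directory with deliberately weak values so that every finding fires; on a real host point CF at /etc/mail/sendmail.cf and INETD at /etc/inetd.conf. The option names are Sendmail's; the sample values, the identd path and the recommended values in the messages are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): report settings in a sendmail.cf
# and inetd.conf that are weaker than the values discussed in this section.
# The two files and the auth-info file are constructed samples.

WORK=$(mktemp -d)
CF="$WORK/sendmail.cf"
INETD="$WORK/inetd.conf"
AUTHINFO="$WORK/default-auth-info"

cat > "$CF" <<EOF
O DontBlameSendmail=GroupWritableDirPathSafe
O PrivacyOptions=authwarnings,noexpn,novrfy
#O AuthOptions
O AuthMechanisms=GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
O DaemonPortOptions=Name=MTA
O DefaultAuthInfo=$AUTHINFO
O Timeout.ident=5s
EOF
printf 'joe\njoe\ns3cret\nexample.com\n' > "$AUTHINFO"   # userid, authid, password, realm
chmod 644 "$AUTHINFO"                                    # world-readable on purpose: a finding

cat > "$INETD" <<'EOF'
ident stream tcp  nowait bin /usr/lbin/identd identd
ident stream tcp6 nowait bin /usr/lbin/identd identd
EOF

# cf_opt CF NAME: value of an active "O NAME=value" line (empty if absent or commented out)
cf_opt() {
    sed -n "s/^O $2=//p" "$1" | head -n 1
}

# audit_sendmail CF INETD: print one line per weak setting; prints nothing when clean
audit_sendmail() {
    cf=$1; inetd=$2
    v=$(cf_opt "$cf" DontBlameSendmail)
    [ -z "$v" ] || [ "$v" = Safe ] || echo "DontBlameSendmail=$v relaxes file safety checks (keep Safe)"
    p=$(cf_opt "$cf" PrivacyOptions)
    case ",$p," in *,noetrn,*) ;; *) echo "PrivacyOptions lacks noetrn (ETRN command enabled)";; esac
    case ",$p," in *,noverb,*) ;; *) echo "PrivacyOptions lacks noverb (VERB command enabled)";; esac
    a=$(cf_opt "$cf" AuthOptions)
    case "$a" in *A*) ;; *) echo "AuthOptions lacks A (AUTH= not limited to successful authentication)";; esac
    d=$(cf_opt "$cf" DaemonPortOptions)
    m=$(printf '%s\n' "$d" | sed -n 's/.*M=\([A-Za-z]*\).*/\1/p')   # the M= modifier letters
    case "$m" in *a*) ;; *) echo "DaemonPortOptions has no M=a (authentication not required)";; esac
    f=$(cf_opt "$cf" DefaultAuthInfo)
    if [ -n "$f" ] && [ -e "$f" ]; then
        perm=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU, then BSD stat
        case "$perm" in *00) ;; *) echo "DefaultAuthInfo file $f is mode $perm (must be readable by root only)";; esac
    fi
    t=$(cf_opt "$cf" Timeout.ident)
    [ "$t" = 0s ] || [ "$t" = 0 ] || echo "Timeout.ident=${t:-5s default}: identd lookups enabled (set 0s to disable)"
    grep -n '^ident[[:space:]]' "$inetd" | sed 's/^/inetd.conf:/; s/$/: identd enabled/'
}

audit_sendmail "$CF" "$INETD"
```

Run on the sample it prints nine findings; after the changes this section describes (DontBlameSendmail=Safe, noetrn and noverb added, AuthOptions=A, M=a in DaemonPortOptions, the auth-info file mode 600, Timeout.ident=0s, and the ident lines commented out) it prints nothing, which is the state to aim for before restarting Sendmail.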