Sendmail is the most important mail transfer agent. What does Sendmail rely on for security? Smrsh.
Set Sendmail to use "smrsh"
The smrsh program is intended as a replacement for "/bin/sh" in the mailer definition for sendmail. Smrsh is a restricted shell that limits execution to the programs explicitly listed in the "/etc/smrsh" directory. In short, smrsh limits the set of programs an attacker can execute. When used with sendmail, smrsh effectively restricts the programs sendmail can run to those in the smrsh directory.
Step 1:
Determine the list of commands that smrsh should allow sendmail to run. By default, the list should include, but is not limited to, the following commands:
"/bin/mail" (if installed on your system)
"/usr/bin/procmail" (if installed on your system)
Note: do not include command interpreters in the list, such as sh(1), csh(1), perl(1), uudecode(1), or the stream editor sed(1).
Step 2:
In the "/etc/smrsh" directory, create a symbolic link to each program that sendmail is allowed to run.
Run the following commands to allow the mail program "/bin/mail" to run:
[root@deep]# cd /etc/smrsh
[root@deep]# ln -s /bin/mail
Run the following commands to allow the procmail program "/usr/bin/procmail" to run:
[root@deep]# cd /etc/smrsh
[root@deep]# ln -s /usr/bin/procmail
This allows users to run the mail and procmail programs from ".forward" and "aliases" using the "|program" syntax.
Step 3:
Configure sendmail to use the restricted shell. The prog mailer is defined by a single line in sendmail's configuration file, "/etc/sendmail.cf". You must modify the line that begins with "Mprog" in the "sendmail.cf" file, replacing "/bin/sh" with "/usr/sbin/smrsh".
Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change the following line:
For example:
Mprog, P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
Should be changed to:
Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
Run the following command to manually restart the sendmail process:
[root@deep]# /etc/rc.d/init.d/sendmail restart
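To check the result of Steps 1 to 3, the following added example (not part of the original article) audits a smrsh directory for links to the interpreters named in the note above and confirms that the Mprog line points at smrsh. The function names audit_smrsh and demo, and the throwaway directory tree the demo builds, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the smrsh setup from Steps 1-3 (not the article's code).
# DENY is the interpreter list from the article's note; extend it as needed.
DENY="sh csh perl uudecode sed"

# audit_smrsh DIR CF: prints one FINDING line per problem, returns 1 if any.
audit_smrsh() {
    dir=$1; cf=$2; rc=0
    for entry in "$dir"/*; do
        [ -L "$entry" ] || [ -e "$entry" ] || continue   # empty directory
        # Check the entry name, the link's immediate target and its final
        # target, so a link to /bin/sh is caught even where /bin/sh is a link.
        names=$(basename "$entry")
        if [ -L "$entry" ]; then
            names="$names $(basename "$(readlink "$entry")")"
            names="$names $(basename "$(readlink -f "$entry")")"
        fi
        for bad in $DENY; do
            for n in $names; do
                if [ "$n" = "$bad" ]; then
                    echo "FINDING: $entry exposes interpreter $bad"
                    rc=1
                    break
                fi
            done
        done
    done
    # Step 3: the prog mailer must invoke smrsh, not /bin/sh.
    if ! grep '^Mprog' "$cf" | grep -q 'P=/usr/sbin/smrsh,'; then
        echo "FINDING: Mprog in $cf does not set P=/usr/sbin/smrsh"
        rc=1
    fi
    return $rc
}

# Constructed demo: a throwaway tree with one allowed link and one bad one.
demo() {
    t=$(mktemp -d) && mkdir "$t/bin" "$t/smrsh" || return 2
    touch "$t/bin/mail" "$t/bin/perl"
    ln -s "$t/bin/mail" "$t/smrsh/mail"
    ln -s "$t/bin/perl" "$t/smrsh/filter"   # interpreter behind a harmless name
    echo 'Mprog, P=/bin/sh, F=lsDFMoqeu9, A=sh -c $u' > "$t/sendmail.cf"
    audit_smrsh "$t/smrsh" "$t/sendmail.cf" || echo "audit reported findings"
    rm -rf "$t"
}

# With two arguments audit real paths; otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then audit_smrsh "$1" "$2"; else demo; fi
```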
As this article shows, the security of Sendmail cannot be ignored, and using smrsh will help you strengthen it.