How does one solve the security problem of the Sendmail server?

Author: ideal
  
Sendmail is the most widely used mail transfer agent (MTA) in Unix environments. Because the Sendmail mail server is powerful and complex, the following work is required to keep Sendmail secure.
  
1. Set Sendmail to use "smrsh"
The smrsh program is intended as a replacement for "/bin/sh" in the prog mailer definition of sendmail. smrsh is a restricted shell that explicitly limits the programs it will run to the executables found in the "/etc/smrsh" directory. In short, smrsh limits the set of programs an attacker can execute. When used with sendmail, smrsh effectively restricts the programs that sendmail can execute to those linked from the smrsh directory.
  
Step 1:
  
Determine the list of commands that smrsh should allow sendmail to run. By default, this list should include, but need not be limited to:
  
"/bin/mail" (if installed on your system)
  
"/usr/bin/procmail" (if installed on your system)
  
Note: do not include command interpreters in the command list, such as sh(1), csh(1), perl(1), uudecode(1), and the stream editor sed(1).
  
Step 2:
  
Create a symbolic link in the "/etc/smrsh" directory for each program that sendmail is allowed to run.
  
Run the following command to allow the mail program "/bin/mail" to run:
  
[root@deep]# cd /etc/smrsh
  
[root@deep]# ln -s /bin/mail
  
Run the following command to allow the procmail program "/usr/bin/procmail" to run:
  
[root@deep]# cd /etc/smrsh
  
[root@deep]# ln -s /usr/bin/procmail
  
This allows users to run the mail and procmail programs from their ".forward" files and from "aliases" entries using the "| program" syntax.
  
Step 3
  
Configure sendmail to use the restricted shell. The prog mailer is defined on a single line in sendmail's configuration file "/etc/sendmail.cf"; you must modify the line beginning with "Mprog" in "sendmail.cf", replacing "/bin/sh" with "/usr/sbin/smrsh".
  
Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change the following line.
  
For example:
  
Mprog, P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
  
Should be changed to:
  
Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
  
Run the following command to manually restart the sendmail process:
  
[root@deep]# /etc/rc.d/init.d/sendmail restart
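The smrsh setup above can be checked and applied mechanically. The following POSIX shell script is an added example, not part of the original article: it audits an smrsh directory for the interpreters that the note in step 1 forbids, and rewrites the "P=" field of the "Mprog" line in a copy of sendmail.cf. The smrsh directory and sendmail.cf contents it runs on are constructed in a temporary directory for the demonstration; the paths /etc/smrsh and /usr/sbin/smrsh are the ones the article uses.

```shell
#!/bin/sh
# Added example (not from the original article): audit an smrsh directory and
# switch the prog mailer in a sendmail.cf copy to smrsh. The demo data below
# is constructed; nothing here touches the real /etc/smrsh or /etc/sendmail.cf.

# Command interpreters that must never be reachable through smrsh (the list
# from the article's note: sh, csh, perl, uudecode, sed).
FORBIDDEN="sh csh perl uudecode sed"

# audit_smrsh_dir DIR
# Print every entry of DIR whose name or link target is a forbidden
# interpreter. Returns 1 if anything was reported, 0 if the directory is clean.
audit_smrsh_dir() {
    dir=$1
    found=0
    for entry in "$dir"/*; do
        # skip the literal "*" that an empty directory expands to
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=$(basename "$entry")
        target=$(readlink "$entry" 2>/dev/null || printf '%s' "$entry")
        tname=$(basename "$target")
        for bad in $FORBIDDEN; do
            if [ "$name" = "$bad" ] || [ "$tname" = "$bad" ]; then
                printf 'FORBIDDEN: %s -> %s\n' "$entry" "$target"
                found=1
            fi
        done
    done
    return $found
}

# use_smrsh_in_cf FILE
# Rewrite the Mprog line of a sendmail.cf copy so that P= points at smrsh.
# Only the P= field changes; the rest of the mailer definition is kept.
use_smrsh_in_cf() {
    cf=$1
    sed '/^Mprog,/s#P=/bin/sh,#P=/usr/sbin/smrsh,#' "$cf" > "$cf.tmp" && mv "$cf.tmp" "$cf"
}

# prog_mailer_uses_smrsh FILE
# Return 0 if the Mprog line already uses /usr/sbin/smrsh.
prog_mailer_uses_smrsh() {
    grep -q '^Mprog,.*P=/usr/sbin/smrsh,' "$1"
}

# --- demonstration on constructed data -------------------------------------
demo=$(mktemp -d)
mkdir "$demo/smrsh"
ln -s /bin/mail        "$demo/smrsh/mail"      # allowed by the article
ln -s /usr/bin/procmail "$demo/smrsh/procmail" # allowed by the article
ln -s /usr/bin/perl    "$demo/smrsh/perl"      # the mistake the note warns about
printf 'Mprog,\t\tP=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u\n' \
    > "$demo/sendmail.cf"

audit_smrsh_dir "$demo/smrsh" || echo "smrsh directory needs cleanup before use"
use_smrsh_in_cf "$demo/sendmail.cf"
prog_mailer_uses_smrsh "$demo/sendmail.cf" && echo "prog mailer now uses smrsh:"
cat "$demo/sendmail.cf"
rm -rf "$demo"
```

The audit checks both the link name and its target, because an attacker-friendly interpreter can be hidden behind an innocent-looking name; remove any reported entry before pointing the prog mailer at smrsh.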
  
2. The "/etc/aliases" file
If not properly and strictly managed, the aliases file can be used to gain privileges. For example, many distributions have shipped the "decode" alias in the aliases file, although this is becoming less common.
  
The purpose of this alias is to give users a convenient way to transfer binary files by mail. On the sending side, the user converts the binary file to ASCII with "uuencode" and mails the result to the recipient's "decode" alias. The alias pipes the mail message to the "/usr/bin/uudecode" program, which converts the message from ASCII back into the original binary file.
  
Delete the "decode" alias. Similarly, carefully check every alias that executes a program which is not placed in the smrsh directory; such aliases are suspicious and should be deleted. To make your changes take effect, run:
  
[root@deep]# /usr/bin/newaliases
  
Edit the aliases file (vi /etc/aliases) and delete the lines marked below:
  
# Basic system aliases -- these MUST be present.
MAILER-DAEMON:  postmaster
postmaster:     root
  
# General redirections for pseudo accounts.
bin:            root
daemon:         root
games:          root        <- delete this line
ingres:         root        <- delete this line
nobody:         root
system:         root        <- delete this line
toor:           root        <- delete this line
uucp:           root        <- delete this line
  
# Well-known aliases.
manager:        root        <- delete this line
dumper:         root        <- delete this line
operator:       root        <- delete this line
  
# trap decode to catch security attacks
decode:         root        <- delete this line
  
# Person who should get root's mail
#root:          marc
  
Finally, run the "/usr/bin/newaliases" program to make the change take effect.
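The check the article asks for in this section, every alias that pipes mail to a program not linked from the smrsh directory, plus the "decode" alias itself, can be scripted. The following POSIX shell function is an added example, not code from the original article; the aliases file and smrsh directory it is run on are constructed in a temporary directory, and the function only reports, it does not edit anything.

```shell
#!/bin/sh
# Added example (not from the original article): report suspicious entries in
# an aliases file. Sample aliases below are constructed for the demonstration.

# audit_aliases ALIASES_FILE SMRSH_DIR
# Reports:
#   REMOVE: ... for the "decode" alias, whatever it points at
#   CHECK:  ... for "| program" aliases whose program is not in SMRSH_DIR
# Returns 1 if anything was reported, 0 otherwise. Continuation lines
# (entries wrapped onto a following indented line) are not joined.
audit_aliases() {
    aliases=$1
    smrsh=$2
    bad=0
    while IFS= read -r line; do
        # skip blank lines and comments
        case $line in ''|\#*) continue ;; esac
        name=${line%%:*}
        rhs=${line#*:}
        # alias names are case-insensitive in sendmail
        lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if [ "$lname" = "decode" ]; then
            printf 'REMOVE: %s (decode alias)\n' "$line"
            bad=1
            continue
        fi
        case $rhs in
            *\|*)
                # take the text after "|", drop surrounding quotes/whitespace
                # and any program arguments, leaving the program path
                prog=${rhs#*|}
                prog=$(printf '%s' "$prog" | sed 's/^[[:space:]"]*//; s/[[:space:]"].*$//')
                if [ ! -L "$smrsh/$(basename "$prog")" ] && [ ! -e "$smrsh/$(basename "$prog")" ]; then
                    printf 'CHECK: %s (%s not in %s)\n' "$line" "$prog" "$smrsh"
                    bad=1
                fi
                ;;
        esac
    done < "$aliases"
    return $bad
}

# --- demonstration on constructed data -------------------------------------
demo=$(mktemp -d)
mkdir "$demo/smrsh"
ln -s /usr/bin/procmail "$demo/smrsh/procmail"
cat > "$demo/aliases" <<'EOF'
# constructed sample aliases file
postmaster: root
decode: "|/usr/bin/uudecode"
lists: "|/usr/bin/procmail -f-"
archive: "|/usr/local/bin/archiver"
EOF

if audit_aliases "$demo/aliases" "$demo/smrsh"; then
    echo "aliases file looks clean"
else
    echo "review the entries above, then run newaliases after editing"
fi
rm -rf "$demo"
```

In the demonstration the "lists" alias passes because procmail is linked from the smrsh directory, while "archive" is reported for review and "decode" is reported for removal. Run the function against /etc/aliases and /etc/smrsh as root after the smrsh links from section 1 are in place.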
  
3. Prevent abuse of your Sendmail by unauthorized users
The latest version of Sendmail (8.9.3) adds strong anti-spoofing features, which can prevent unauthorized users from abusing your mail server. Edit your "/etc/sendmail.cf" file and modify this configuration file so that your mail server blocks spoofed mail.
  
Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change the following line:
  
O PrivacyOptions=authwarnings
  
Change it to:
  
O PrivacyOptions=authwarnings,noexpn,novrfy
  
Setting "noexpn" makes sendmail reject all SMTP "EXPN" commands, and also causes it to reject all SMTP "VERB" commands. Setting "novrfy" makes sendmail reject all SMTP "VRFY" commands. These changes prevent attackers from using the "EXPN" and "VRFY" commands, which are frequently abused by spammers and other unauthorized users.
  
4. The SMTP greeting
When sendmail accepts an SMTP connection, the first thing it does is send a greeting message to the connecting machine; this message identifies the host and tells the other side that the server is ready.
  
Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change the following line:
  
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
  
Change it to:
  
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b NO UCE C=xx L=xx
  
Now manually restart the sendmail process to make the changes take effect:
  
[root@deep]# /etc/rc.d/init.d/sendmail restart
  
The above change affects the banner that Sendmail displays when it accepts a connection. Replace "xx" in the "C=xx L=xx" entry with your country code and your region (state or province) code. The added text does not change the server's behaviour in any way; it is, however, a legal practice recommended by the participants of the "news.admin.net-abuse.email" newsgroup.
  
5. Restrict who can view the contents of the mail queue
Normally anyone can use the "mailq" command to view the contents of the mail queue. To restrict who can view the mail queue, you only need to specify the "restrictmailq" option in the "/etc/sendmail.cf" file. With this option, sendmail allows only users who belong to the group owning the queue directory to view its contents. This allows the mail queue directory to be fully protected with mode 0700 while legitimate users can still see its contents.
  
Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change the following line:
  
O PrivacyOptions=authwarnings,noexpn,novrfy
  
Change it to:
  
O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq
  
Now we change the permissions of the mail queue directory to fully protect it:
  
[root@deep]# chmod 0700 /var/spool/mqueue
  
Note: the "noexpn" and "novrfy" options were already added to the "PrivacyOptions=" line of sendmail.cf in section 3; here we add the "restrictmailq" option to the same line.
  
Any unprivileged user who attempts to view the contents of the mail queue will receive the following message:
  
[user@deep]$ /usr/bin/mailq
  
You are not permitted to see the queue
  
6. Restrict processing of the mail queue to "root"
Normally anyone can process the mail queue with the "-q" switch. To allow only the root user to process the mail queue, you must specify the "restrictqrun" option in the "/etc/sendmail.cf" file.
  
Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change the following line:
  
O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq
  
Change it to:
  
O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq,restrictqrun
  
Any unprivileged user who attempts to process the mail queue will receive the following message:
  
[user@deep]$ /usr/sbin/sendmail -q
  
You do not have permission to process the queue
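Sections 3, 5 and 6 each add options to the same "O PrivacyOptions=" line, and section 5 also requires mode 0700 on the queue directory. The following POSIX shell functions are an added example, not code from the original article: they add a list of options to that line in a copy of sendmail.cf without duplicating options that are already present, and check the queue directory mode. The sendmail.cf contents and the directory used in the demonstration are constructed in temporary files; /var/spool/mqueue is the queue path the article uses.

```shell
#!/bin/sh
# Added example (not from the original article): manage the PrivacyOptions
# line of a sendmail.cf copy and check the mail queue directory mode.
# The sendmail.cf below is constructed for the demonstration.

# privacy_options FILE
# Print the value of the first "O PrivacyOptions=" line (empty if none).
privacy_options() {
    sed -n 's/^O PrivacyOptions=//p' "$1" | head -n 1
}

# add_privacy_options FILE OPT1,OPT2,...
# Add each option to the PrivacyOptions line, keeping the existing ones and
# skipping any that are already set. If the file has no PrivacyOptions line,
# one is appended. The operation is idempotent.
add_privacy_options() {
    cf=$1
    wanted=$2
    new=$(privacy_options "$cf")
    for opt in $(printf '%s' "$wanted" | tr ',' ' '); do
        case ",$new," in
            *,"$opt",*) ;;                                   # already set
            *) if [ -z "$new" ]; then new=$opt; else new="$new,$opt"; fi ;;
        esac
    done
    if grep -q '^O PrivacyOptions=' "$cf"; then
        sed "s#^O PrivacyOptions=.*#O PrivacyOptions=$new#" "$cf" > "$cf.tmp" && mv "$cf.tmp" "$cf"
    else
        printf 'O PrivacyOptions=%s\n' "$new" >> "$cf"
    fi
}

# mqueue_mode_ok DIR
# Return 0 if DIR has mode exactly 0700, as the article requires for
# /var/spool/mqueue once restrictmailq is set.
mqueue_mode_ok() {
    [ -n "$(find "$1" -prune -perm 0700 -print)" ]
}

# --- demonstration on constructed data -------------------------------------
demo=$(mktemp)
printf 'O SmtpGreetingMessage=$j Sendmail $v/$Z; $b\nO PrivacyOptions=authwarnings\n' > "$demo"
add_privacy_options "$demo" noexpn,novrfy                 # section 3
add_privacy_options "$demo" restrictmailq                 # section 5
add_privacy_options "$demo" restrictqrun                  # section 6
add_privacy_options "$demo" novrfy,restrictqrun           # no-op: already set
echo "PrivacyOptions is now: $(privacy_options "$demo")"
rm -f "$demo"

queue=$(mktemp -d)
chmod 0755 "$queue"
mqueue_mode_ok "$queue" || echo "queue directory is not 0700, fixing"
chmod 0700 "$queue"
mqueue_mode_ok "$queue" && echo "queue directory mode is 0700"
rmdir "$queue"
```

Applied to the real /etc/sendmail.cf this is the same edit the three sections describe by hand, followed by the restart from section 4; the final line reads O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq,restrictqrun.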
  
7. Set the immutable bit on important sendmail files
Using the "chattr" command to make important Sendmail files immutable prevents unauthorized modification and improves system security. A file with the "+i" attribute cannot be modified: it cannot be deleted or renamed, no link to it can be created, and no data can be written to it. Only the superuser can set or clear this attribute.
  
Set the immutable bit on the "sendmail.cf" file:
  
[root@deep]# chattr +i /etc/sendmail.cf
  
Set the immutable bit on the "sendmail.cw" file:
  
[root@deep]# chattr +i /etc/sendmail.cw
  
Set the immutable bit on the "sendmail.mc" file:
  
[root@deep]# chattr +i /etc/sendmail.mc
  
Set the immutable bit on the "null.mc" file:
  
[root@deep]# chattr +i /etc/null.mc
  
Set the immutable bit on the "aliases" file:
  