Smrsh for Sendmail security

Source: Internet
Author: User

Sendmail is the most important mail transfer agent. What does Sendmail rely on for security? Smrsh.

Set Sendmail to use "smrsh"

The smrsh program is intended as a replacement for "/bin/sh" in the prog mailer definition of sendmail. Smrsh is a restricted shell that allows only the executables explicitly listed in the "/etc/smrsh" directory to run. In short, smrsh limits the programs that an attacker can execute. When used with sendmail, smrsh effectively restricts the programs sendmail can run to those in the smrsh directory.

Step 1:

Determine the list of commands that smrsh should allow sendmail to run. By default, the following commands should be included, though the list is not limited to them:

"/bin/mail" (if installed on your system)

"/usr/bin/procmail" (if installed on your system)

Note: do not include command interpreters in the command list, such as sh(1), csh(1), perl(1), uudecode(1), or the stream editor sed(1).

Step 2:

In the "/etc/smrsh" directory, create a symbolic link to each program that sendmail is allowed to run.

Run the following command to allow the mail program "/bin/mail" to run:

[root@deep]# cd /etc/smrsh

[root@deep]# ln -s /bin/mail

Run the following command to allow the procmail program "/usr/bin/procmail" to run:

[root@deep]# cd /etc/smrsh

[root@deep]# ln -s /usr/bin/procmail

This allows users to run the mail and procmail programs from their ".forward" and "aliases" files using the "|program" syntax.

Step 3:

Configure sendmail to use the restricted shell. The prog mailer is defined by a single line in sendmail's configuration file "/etc/sendmail.cf". Modify the line that begins with "Mprog" in "sendmail.cf", replacing "/bin/sh" with "/usr/sbin/smrsh".

Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change the following line:

For example:

Mprog, P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u

Should be changed to:

Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u

Run the following command to manually restart the sendmail process:

[root@deep]# /etc/rc.d/init.d/sendmail restart
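
One way to verify the result of Steps 1 to 3, added here as an example and not part of the original article: the script flags any entry in the smrsh directory that is, or links to, one of the interpreters named in the note, and checks that the Mprog line points at smrsh. The function names audit_smrsh_dir and check_mprog are hypothetical, and both paths are passed as arguments.

```sh
#!/bin/sh
# Added example: audit an smrsh setup (function names are hypothetical).
# Usage: sh audit_smrsh.sh /etc/smrsh /etc/sendmail.cf

# Interpreters that the note in Step 1 says must not be allowed.
FORBIDDEN="sh csh perl uudecode sed"

# Report entries whose own name or symlink target is a forbidden
# interpreter. Returns 1 if any is found, 0 otherwise.
audit_smrsh_dir() {
    dir=$1
    bad=0
    for entry in "$dir"/*; do
        # Skip the unexpanded glob of an empty directory.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=$(basename "$entry")
        target=$name
        if [ -L "$entry" ]; then
            target=$(basename "$(readlink "$entry")")
        fi
        for f in $FORBIDDEN; do
            if [ "$name" = "$f" ] || [ "$target" = "$f" ]; then
                echo "FORBIDDEN: $entry -> $target"
                bad=1
            fi
        done
    done
    return $bad
}

# Extract the P= field of the Mprog line and require it to be smrsh.
# Returns 0 if it is, 1 if another program is set, 2 if no line is found.
check_mprog() {
    cf=$1
    prog=$(sed -n 's/^Mprog,[[:space:]]*P=\([^,[:space:]]*\).*/\1/p' "$cf" | head -n 1)
    case $prog in
        */smrsh) echo "OK: Mprog uses $prog"; return 0 ;;
        "")      echo "WARN: no Mprog line found in $cf"; return 2 ;;
        *)       echo "WARN: Mprog uses $prog, not smrsh"; return 1 ;;
    esac
}

# Run both checks when the two paths are supplied on the command line.
if [ $# -eq 2 ]; then
    rc=0
    audit_smrsh_dir "$1" || rc=1
    check_mprog "$2" || rc=1
    exit $rc
fi
```

The directory check looks only at the entry name and the immediate symlink target, so an interpreter copied into the directory under another name is not detected.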

As this article shows, the security of Sendmail cannot be ignored, and using smrsh will help you strengthen it.
