SMTP Security Manual-Sendmail server security


Sendmail is the most widely used mail transfer agent in Unix environments. Because the Sendmail mail server is powerful and complex, the following work is required to keep it secure.
1. Set Sendmail to use "smrsh"
The smrsh program is used as a replacement for the "/bin/sh" defined in sendmail's program mailer. smrsh is a restricted shell that defines an explicit list of executable programs by way of the "/etc/smrsh" directory. In short, smrsh limits the set of programs an attacker can get executed. Used together with sendmail, smrsh effectively limits the programs sendmail can run to those in the smrsh directory.
Step 1:
Determine the list of commands that smrsh should allow sendmail to run. By default it should include, but is not limited to:
"/bin/mail" (if installed on your system)
"/usr/bin/procmail" (if installed on your system)
Note: do not include command interpreters in the list, such as sh(1), csh(1), perl(1), uudecode(1), or the stream editor sed(1).
Step 2:
Create symbolic links in the "/etc/smrsh" directory for the programs sendmail is allowed to run.
Run the following commands to allow the mail program "/bin/mail" to run:

[root@deep]# cd /etc/smrsh  
[root@deep]# ln -s /bin/mail mail

Run the following commands to allow the procmail program "/usr/bin/procmail" to run:
[root@deep]# cd /etc/smrsh
[root@deep]# ln -s /usr/bin/procmail procmail

This allows users to run the mail and procmail programs from ".forward" files and from "aliases" using the "|program" syntax.
Step 3:
Configure sendmail to use the restricted shell. The program mailer is defined by a single line in sendmail's configuration file "/etc/sendmail.cf". You must modify the line beginning with "Mprog" in "sendmail.cf", replacing "/bin/sh" with "/usr/sbin/smrsh".
Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and modify the following line:
For example:
Mprog,		P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix,
		A=sh -c $u

should be changed to:
Mprog,		P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix,
		A=sh -c $u

Now restart the sendmail process manually:
[root@deep]# /etc/rc.d/init.d/sendmail restart
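As an added check (not part of the original article), the following shell function lists every entry in an smrsh directory and flags any whose target is a command interpreter, which Step 1 says must never be linked there. The directory is passed as an argument so the check can run against a test copy; the forbidden list is an assumption built from the interpreters named above plus their common equivalents.

```shell
#!/bin/sh
# Audit an smrsh directory: print each entry with its target and flag any
# whose target is a command interpreter or stream editor. Returns the number
# of flagged entries (0 = clean). Usage: audit_smrsh /etc/smrsh

# Interpreters named in Step 1 plus common equivalents (assumed list).
FORBIDDEN="sh bash csh ksh tcsh zsh perl python uudecode sed awk"

# Exit 0 if $1 (a program's basename) is on the forbidden list.
is_forbidden() {
    for f in $FORBIDDEN; do
        [ "$1" = "$f" ] && return 0
    done
    return 1
}

audit_smrsh() {
    dir=$1
    bad=0
    for entry in "$dir"/*; do
        # Skip the unexpanded glob when the directory is empty.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
        else
            target=$entry          # a binary copied directly into the directory
        fi
        if is_forbidden "$(basename "$target")"; then
            echo "FORBIDDEN: $entry -> $target"
            bad=$((bad + 1))
        else
            echo "ok:        $entry -> $target"
        fi
    done
    return "$bad"
}

# Run against the directory given on the command line, if any.
if [ $# -gt 0 ]; then audit_smrsh "$1"; fi
```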
2. The "/etc/aliases" file
If it is not strictly managed, the aliases file can be used to gain privileges. For example, many distributions include a "decode" alias in the aliases file, although this is becoming less common.
Its purpose is to give users a convenient way to transfer binary files by mail. On the sending side, the user converts the binary file to ASCII with "uuencode" and mails the result to the "decode" alias on the recipient's system. The alias pipes the mail message through the "/usr/bin/uuencode" program, which converts the message from ASCII back into the original binary file.
Delete the "decode" alias. Likewise, carefully check every alias that executes a program not placed in the smrsh directory; such aliases are suspect and should be deleted. To make your changes take effect, run:
[root@deep]# /usr/bin/newaliases
Edit the aliases file (vi /etc/aliases) and delete the following lines:
# Basic system aliases -- these MUST be present.
MAILER-DAEMON:  postmaster
postmaster:     root
# General redirections for pseudo accounts.
bin:            root
daemon:         root
games:          root      <- delete this line
ingres:         root      <- delete this line
nobody:         root
system:         root      <- delete this line
toor:           root      <- delete this line
uucp:           root      <- delete this line
# Well-known aliases.
manager:        root      <- delete this line
dumper:         root      <- delete this line
operator:       root      <- delete this line
# trap decode to catch security attacks
decode:         root      <- delete this line
# Person who should get root's mail
#root:          marc
Finally, run the "/usr/bin/newaliases" program to make the change take effect.

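The audit this section describes, as an added example that is not part of the original article: a shell function that reads an aliases file and reports the "decode" alias and any "|program" alias whose program is not linked into the smrsh directory. Both paths are arguments so it can run against test copies; the aliases format it parses is the standard "name: target, target" form, and continuation lines are an assumed simplification it does not follow.

```shell
#!/bin/sh
# Audit an aliases file for the entries the text above says to remove: the
# "decode" alias, and any "|program" alias whose program is not linked into
# the smrsh directory. Returns the number of findings (0 = clean).
# Usage: audit_aliases /etc/aliases /etc/smrsh

audit_aliases() {
    aliases=$1
    smrsh=$2
    findings=0
    while IFS= read -r line; do
        # Skip comments and anything that is not a "name: target" line
        # (continuation lines are not followed by this simple parser).
        case $line in '#'*) continue ;; esac
        case $line in *:*) ;; *) continue ;; esac
        name=${line%%:*}
        targets=${line#*:}
        if [ "$name" = decode ]; then
            echo "REMOVE: decode alias present"
            findings=$((findings + 1))
        fi
        # Targets are comma separated; one starting with | pipes mail to a program.
        old_ifs=$IFS
        IFS=,
        for t in $targets; do
            IFS=$old_ifs
            # Trim surrounding whitespace and quotes.
            t=$(printf '%s' "$t" | sed 's/^[[:space:]"]*//; s/["[:space:]]*$//')
            case $t in
                '|'*)
                    prog=${t#|}
                    prog=${prog%% *}           # first word is the program path
                    link=$smrsh/$(basename "$prog")
                    if [ -e "$link" ] || [ -L "$link" ]; then
                        echo "ok:     $name -> $prog (linked in $smrsh)"
                    else
                        echo "REMOVE: $name -> $prog (not linked in $smrsh)"
                        findings=$((findings + 1))
                    fi ;;
            esac
        done
        IFS=$old_ifs
    done < "$aliases"
    return "$findings"
}

if [ $# -eq 2 ]; then audit_aliases "$1" "$2"; fi
```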
3. Avoid abuse of your Sendmail by unauthorized users
The latest version of Sendmail (8.9.3) adds strong anti-spoofing features that can prevent unauthorized users from abusing your mail server. Edit your "/etc/sendmail.cf" file and modify it so that your mail server blocks spoofed mail.
Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change the following line:
O PrivacyOptions=authwarnings
to:
O PrivacyOptions=authwarnings,noexpn,novrfy

Setting "noexpn" causes sendmail to reject all SMTP "EXPN" commands; it also causes sendmail to reject all SMTP "VERB" commands. Setting "novrfy" causes sendmail to reject all SMTP "VRFY" commands. These changes stop attackers from using the "EXPN" and "VRFY" commands, which are frequently abused by unauthorized users.
4. SMTP greeting
When sendmail accepts an SMTP connection, the first thing it does is send a greeting message to the connecting machine; this message identifies the host and tells the other side that sendmail is ready.
Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change the following line:
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
to:
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b NO UCE C=xx L=xx
Now restart the sendmail process manually so the change takes effect:
[root@deep]# /etc/rc.d/init.d/sendmail restart
The above change alters the banner Sendmail displays when it accepts a connection. Replace the "xx" in the "C=xx L=xx" entry with your country code and location code. The added text has no functional effect; it is, however, a practice recommended by participants in the "news.admin.net-abuse.email" newsgroup.
5. Restrict who can view the contents of the mail queue
Normally anyone can view the contents of the mail queue with the "mailq" command. To restrict who can view it, specify the "restrictmailq" option in the "/etc/sendmail.cf" file. sendmail then allows only users who belong to the group owning the queue directory to view its contents. This allows the mail queue directory to be fully protected with mode 0700 while legitimate users can still see what is in it.
Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change the following line:
O PrivacyOptions=authwarnings,noexpn,novrfy
to:
O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq
Now change the permissions of the mail queue directory to fully protect it:
[root@deep]# chmod 0700 /var/spool/mqueue
Note: the "noexpn" and "novrfy" options were already added to the "PrivacyOptions=" line of sendmail.cf in section 3; here we add the "restrictmailq" option to the same line. Any unprivileged user who tries to view the contents of the mail queue will receive the following message:
[user@deep]$ /usr/bin/mailq
You are not permitted to see the queue

6. Restrict processing of the mail queue to "root"
Normally anyone can process the mail queue with the "-q" switch. To allow only the root user to process the mail queue, specify "restrictqrun" in the "/etc/sendmail.cf" file.
Edit the "sendmail.cf" file (vi /etc/sendmail.cf) and change the following line:
O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq
to:
O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq,restrictqrun

Any unprivileged user who tries to process the mail queue will receive the following message:
[user@deep]$ /usr/sbin/sendmail -q
You do not have permission to process the queue

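To verify that sections 3, 5 and 6 have all been applied, here is an added check (not code from the original article) that reads the "O PrivacyOptions=" line of a sendmail.cf and reports any of the four required flags that are missing. The file path is an argument so it can run against a test copy; it assumes sendmail's documented behaviour that "goaway" implies the status-query flags (noexpn, novrfy) but not the restrict* flags.

```shell
#!/bin/sh
# Check that a sendmail.cf carries every PrivacyOptions flag sections 3, 5
# and 6 ask for. Prints each missing flag and returns the number missing
# (0 = all present). Usage: check_privacy /etc/sendmail.cf

REQUIRED="noexpn novrfy restrictmailq restrictqrun"

# Print the value of the "O PrivacyOptions=" line with all whitespace removed.
privacy_options() {
    sed -n 's/^O[[:space:]]*PrivacyOptions[[:space:]]*=//p' "$1" | tr -d ' \t'
}

check_privacy() {
    opts=$(privacy_options "$1")
    case ",$opts," in *,goaway,*) goaway=yes ;; *) goaway=no ;; esac
    missing=0
    for want in $REQUIRED; do
        # Explicitly listed: nothing to report.
        case ",$opts," in *",$want,"*) continue ;; esac
        # "goaway" covers the status-query flags but not restrictmailq or
        # restrictqrun, which must still be listed on their own.
        case $want in
            noexpn|novrfy) if [ "$goaway" = yes ]; then continue; fi ;;
        esac
        echo "missing PrivacyOptions flag: $want"
        missing=$((missing + 1))
    done
    return "$missing"
}

if [ $# -gt 0 ]; then check_privacy "$1"; fi
```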
7. Set the immutable bit on important sendmail files
Using the "chattr" command to keep important Sendmail files from being modified without authorization improves system security. A file with the "+i" (immutable) attribute cannot be modified: it cannot be deleted or renamed, no link can be created to it, and no data can be written to it. Only the superuser can set or clear this attribute.
Set the immutable bit on the "sendmail.cf" file:
[root@deep]# chattr +i /etc/sendmail.cf
Set the immutable bit on the "sendmail.cw" file:
[root@deep]# chattr +i /etc/sendmail.cw
Set the immutable bit on the "sendmail.mc" file:
[root@deep]# chattr +i /etc/sendmail.mc
Set the immutable bit on the "null.mc" file:
[root@deep]# chattr +i /etc/null.mc
Set the immutable bit on the "aliases" file:
[root@deep]# chattr +i /etc/aliases
Set the immutable bit on the "access" file:
[root@deep]# chattr +i /etc/mail/access

8. Prevent mail relaying in the Sendmail environment
Since version 8.9, mail relaying is disabled by default. The simplest way to allow relaying is to list domains in the file /etc/mail/relay-domains: mail for the domains listed in this file may be relayed through the local server.
For finer control, you can add the following FEATURE parameters to sendmail.mc to define how mail is relayed:
· FEATURE(relay_hosts_only). Normally every host in a domain listed in /etc/mail/relay-domains may relay through the local machine; with this setting, each host allowed to relay through the local machine must be listed individually.
· FEATURE(relay_entire_domain). Allows relaying for the entire local domain through the local machine.
· FEATURE(access_db). Uses the hash database /etc/mail/access to decide whether a host may relay mail through the local machine.
· FEATURE(blacklist_recipients). When set, both the sender address and the recipient address of a message are checked when deciding whether a host may relay it.
· FEATURE(rbl). Rejects mail using the Realtime Blackhole List (RBL) maintained at maps.vix.com in order to block spam.
· FEATURE(accept_unqualified_senders). Accepts messages whose sender address has no domain name, such as "user" instead of "user@b.net".
· FEATURE(accept_unresolvable_domains). Normally sendmail rejects mail whose sender domain cannot be resolved through DNS; this parameter allows such mail to be accepted.
· FEATURE(relay_based_on_MX). Allows relaying when the MX record of the recipient's domain points to the local machine; for example, if mail addressed to user@b.com arrives locally and the MX record of the b.com domain points to the local machine, the local machine is allowed to relay it.
The following features may open security holes. In general they should be used only when the mail server is behind a firewall, because they can make your system easy for spammers to exploit.
· FEATURE(relay_local_from). Allows relaying whenever a message claims to come from the local domain.
· FEATURE(promiscuous_relay). Opens relaying for all mail.

Once the macro configuration file "sendmail.mc" is set up, generate the sendmail configuration file with the following commands:
[root@deep]# cd /var/tmp/sendmail-version/cf/cf/
[root@deep]# m4 ../m4/cf.m4 /etc/sendmail.mc > /etc/sendmail.cf

Note: "../m4/cf.m4" is the path to the default m4 configuration file.
