1.113.2 Operate and perform basic configuration of sendmail
Weight 4
Linux Professional Institute Certification — 102

Nick Urbanik
This document Licensed under GPL—see section 12
2005 November

Contents

1 Context
2 Objectives
3 What is sendmail?
    3.1 Some Terminology
4 Configuring Sendmail
    4.1 Aliases
    4.2 The Big Question
    4.3 Example changing sendmail.mc
5 Restarting sendmail
6 The Perils of Open Relays
7 Forwarding and the ~/.forward file
8 Troubleshooting
9 The AWFUL security record of sendmail
10 Alternatives to sendmail
    10.1 The fabulous postfix
    10.2 The less fabulous qmail
11 References
12 License Of This Document

1 Context

Topic 113 Networking Services [24]

1.113.1 Configure and manage inetd, xinetd, and related services [4]
1.113.2 Operate and perform basic configuration of sendmail [4]
1.113.3 Operate and perform basic configuration of Apache [4]
1.113.4 Properly manage the NFS, smb, and nmb daemons [4]
1.113.5 Setup and configure basic DNS services [4]
1.113.7 Set up secure shell (OpenSSH) [4]

2 Objectives

Description of Objective

Candidate should be able to modify simple parameters in sendmail configuration files (including the "Smart Host" parameter, if necessary), create mail aliases, manage the mail queue, start and stop sendmail, configure mail forwarding and perform basic troubleshooting of sendmail. The objective includes checking for and closing open relay on the mailserver. It does not include advanced custom configuration of Sendmail.

Key files, terms, and utilities include:

/etc/aliases or /etc/mail/aliases
/etc/mail/*
~/.forward
mailq
sendmail
newaliases

3 What is sendmail?

• sendmail is an MTA (mail transfer agent)

[Figure: mail flow diagram with the labels Sender, MUA, SMTP, MTA, SMTP (over the Internet), MTA, MDA, message store, POP/IMAP server, POP, IMAP, MUA, Recipient]

3.1 Some Terminology

Some Terms

MUA — Mail User Agent: a program to read, compose and dispose of email
  • Examples: mutt (my favourite), Evolution, Thunderbird, Mozilla mail, Eudora, . . . , and Outlook Express
MTA — Mail Transfer Agent: a program that delivers mail and transports it between machines
  • Examples: sendmail, postfix, qmail
MDA — Mail Delivery Agent: a program that receives the email message from the MTA and puts it into a local store.
  • Examples: procmail, mail.local (part of sendmail)

4 Configuring Sendmail

Main Configuration Files

/etc/mail/sendmail.mc   The simple human edited configuration file
/etc/sendmail.cf        The configuration file generated from sendmail.mc using the m4 macro preprocessor
/etc/mail/aliases       Gives alternative names for users

4.1 Aliases

Aliases (thanks to userfriendly.org)

• Your web site has links to various generic email addresses: webmaster@acme.com.au, sales@acme.com.au, tech@acme.com.au.
• These should go to real humans; we do this in the /etc/mail/aliases file.
• So if webmaster is aj and dustpuppy, and
• greg, mike, pitr, miranda, sid are technical support, and
• stef is sales, then we can put these lines into our /etc/mail/aliases:

    webmaster: aj, dustpuppy
    tech: greg, mike, pitr, miranda, sid
    sales: stef

• Finally we run

    $ sudo newaliases

  or

    $ sendmail -bi

  and now the email will go to the right people.

4.2 The Big Question

Is Sendmail Configuration like Mr. Dithers Swearing?

• Here is a quote from the Second edition of [Sendmail]:

    The lines of text in a sendmail.cf file have been described by some as resembling modem noise and by others as resembling Mr. Dithers swearing in the comic strip Blondie.

    R$+@$=W    ← sendmail.cf file
    {$/{{.+    ← modem noise
    !@#!@@!    ← Mr. Dithers swearing

• Some have also said that it resembles an explosion in a punctuation factory
• I think they are all correct.
• Don't edit sendmail.cf; just gaze in awe and wonder.
• Edit /etc/mail/sendmail.mc instead, then, after backing up sendmail.cf, do:

    # m4 sendmail.mc > sendmail.cf

4.3 Example changing sendmail.mc

SMART_HOST in sendmail.mc

• SMART_HOST: If you send your email through your ISP, or you are behind a firewall and your company mail server is smtp.acme.com.au, then you would put this into your sendmail.mc file:

    define(`SMART_HOST',`smtp.acme.com.au')

• You would remove any "dnl " from the beginning of the line.
• You would then run m4 as shown before:

    # m4 sendmail.mc > sendmail.cf

  or

    $ sudo sh -c 'm4 sendmail.mc > sendmail.cf'

• You always need to reload sendmail for it to re-read sendmail.cf:

    $ sudo service sendmail reload

• sendmail will then relay all outgoing email via smtp.acme.com.au

5 Restarting sendmail

• You restart sendmail the same way as any other service:
• Red Hat:

    $ sudo service sendmail restart

• Debian, Ubuntu and Red Hat:

    $ sudo /etc/init.d/sendmail restart

6 The Perils of Open Relays

• If you let anyone use your sendmail to relay email, then you are an open relay
• Spammers can use open relays to send their spam to millions of innocents
• Your mail server domain will end up on a black list
• You will find that many people cannot receive email from you.
• If your sendmail.mc contains any one of the following:

    FEATURE(promiscuous_relay)
    FEATURE(loose_relay_check)
    FEATURE(relay_local_from)

  . . . then you are an open relay.
• Turn your mail server off immediately, then read http://www.sendmail.org/tips/relaying.html

7 Forwarding and the ~/.forward file

• Each user can create a file in their home directory to determine whether mail is sent on to a different address:

    $ echo nicku@nicku.org > ~/.forward

• After doing this in my account on a mail server, all email sent to my email address on that mail server would go to my email address nicku@nicku.org
• I wish I could do that with my TAFE mail account, but they run Windows :-)

8 Troubleshooting

• The log files are in /var/log/maillog
• The command

    $ mailq

  or

    $ sendmail -bp

  shows the list of emails that are ready to be sent, but which have not yet been sent
  – This list should be short, preferably empty
• The mailstat program can summarise the sendmail log files nicely

9 The AWFUL security record of sendmail

• The first known worm on the Internet (the Morris worm) exploited a security flaw in sendmail
• Since then, sendmail has had more security flaws than just about any piece of software
• Before version 8.12, it was a huge mess of code, all running Set User ID to root
• Buffer overflows in the code gave remote root access
• A security nightmare
• Since 8.12, there has been some separation of code, and the main sendmail executable no longer runs SUID root, but I still don't trust it.
• Use postfix instead.

10 Alternatives to sendmail

10.1 The fabulous postfix

The wonderful postfix

• I use and recommend postfix, written carefully with security in mind by Wietse Venema, author of tcpwrappers
• Configuration easy (no swearing)
• Written using lots of simple communicating programs . . .
  – rather than the one huge mess that is sendmail
• . . . using minimum privilege required to do the job
• It is fairly sendmail compatible
• Ubuntu, Debian, Red Hat and Fedora users can use Debian alternatives to have both postfix and sendmail installed, and select one of them to operate.

10.2 The less fabulous qmail

. . . or hold your nose and use qmail

• qmail is a well written piece of software, also with much better security than sendmail
  – Almost any software has a better security record than sendmail :-)
• Unfortunately, its author, Dan J. Bernstein, does not allow you to redistribute modified copies
• Therefore it is not free software
• Therefore I have very little interest in it.

11 References

[1] Bryan Costales with Eric Allman. Sendmail, Third Edition. O'Reilly, 2003.
[Sendmail] Bryan Costales with Eric Allman. Sendmail, Second Edition. O'Reilly, January 1997.
[Sendmail website] Sendmail Website. http://www.sendmail.org/
[Sendmail FAQ] Sendmail FAQ. http://www.sendmail.org/faq/
[Relaying in sendmail] Allowing controlled SMTP relaying. http://www.sendmail.org/tips/relaying.html

12 License Of This Document

Copyright © 2005 Nick Urbanik

You can redistribute modified or unmodified copies of this document provided that this copyright notice and this permission notice are preserved on all copies under the terms of the GNU General Public License as published by the Free Software Foundation — either version 2 of the License or (at your option) any later version.
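
Added example (not part of the original handout): the open-relay check from section 6, The Perils of Open Relays, written as a POSIX shell function that reports any of the three relay-opening FEATUREs that are active in a sendmail.mc, that is, not commented out with a leading dnl. The function names, the exit-code convention and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a sendmail.mc for the relay-opening FEATUREs
# listed in section 6. Names and sample data are constructed.

# Print each active relay-opening FEATURE found in the file "$1".
# Exit status: 0 = none found, 1 = at least one found, 2 = unreadable file.
open_relay_features() {
    mc_file=$1
    [ -r "$mc_file" ] || { echo "cannot read $mc_file" >&2; return 2; }
    # 1. Drop lines that begin with dnl (the m4 comment convention).
    # 2. Match FEATURE(...) written with or without m4 `quotes'.
    # 3. Reduce each match to the bare feature name.
    found=$(grep -Ev '^[[:space:]]*dnl([[:space:]]|$)' "$mc_file" |
        grep -Eo "FEATURE\([[:space:]]*\`?(promiscuous_relay|loose_relay_check|relay_local_from)'?" |
        sed -e 's/^FEATURE([[:space:]]*//' -e "s/[\`']//g" | sort -u)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Write a constructed sample sendmail.mc to the path "$1":
# one feature disabled with dnl, two active, one unrelated feature.
write_sample_mc() {
    cat > "$1" <<'EOF'
define(`SMART_HOST',`smtp.acme.com.au')dnl
dnl FEATURE(`relay_local_from')dnl
FEATURE(`promiscuous_relay')dnl
FEATURE(loose_relay_check)
FEATURE(`access_db')dnl
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample_mc "$sample"
open_relay_features "$sample" ||
    echo "=> open relay: remove these lines, rebuild sendmail.cf with m4, reload sendmail"
rm -f "$sample"
```

To audit a real server, call `open_relay_features /etc/mail/sendmail.mc`; a clean result only covers these three FEATUREs and does not replace reading the relaying document referenced in section 6.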