Setting up sendmail on a firewall, Part 3

This is the final installment of my three-part series on secure sendmail installations. There's plenty more to say, of course, but I don't want to turn this column into the Wizard's Guide to Sendmail.

To paraphrase an old saying, an example is worth a thousand words. This month, I'll elaborate on some optional features of sendmail and provide an example of a configuration I've used. While this example worked for me, I am by no means stating that it is the best or only solution to the problem. It's merely a solution that I successfully implemented. Hopefully, you can learn something from it. If you have a better way of solving the same problem, just send me mail and I'll post it. I'm always interested in learning something new. I'll also cover some testing and debugging techniques that might be useful.

Putting it into production

Several years ago, a friend of mine built a sendmail configuration for a firewall, but left the company before it was put into production. The administrator who took over the system didn't realize that the intention was to run sendmail in a restricted (<font face="Courier">chroot</font>ed) environment with no root privileges. When the firewall was put into production, it was quickly hacked because sendmail wasn't installed properly.

Where to install

I like to use <font face="Courier">chroot</font> to create a restricted padded cell to isolate sendmail from the rest of the system. Using <font face="Courier">chroot</font> is no guarantee of security, but it does limit exposures. If it's used in combination with tight permissions, it provides an effective security barrier.

For the sake of argument, let's say that the root of the cell is a filesystem called <font face="Courier">/sendmail_cell</font> that is mounted <font face="Courier">nosuid</font>. Normally, on Solaris, the sendmail binary is installed in <font face="Courier">/usr/lib/sendmail</font> and the configuration file is in <font face="Courier">/etc/mail/sendmail.cf</font>. Since the configuration file used to be in <font face="Courier">/etc</font>, I put in a symbolic link from <font face="Courier">/etc/sendmail.cf</font> to <font face="Courier">/etc/mail/sendmail.cf</font>. Because we're using a padded cell here, they will be in <font face="Courier">/sendmail_cell/usr/lib/sendmail</font> and <font face="Courier">/sendmail_cell/etc/mail/sendmail.cf</font>. The startup script (<font face="Courier">/etc/rc2.d/S88sendmail</font> on Solaris) is modified to start sendmail with <font face="Courier">chroot</font>. At the beginning of the startup file, define a variable for the padded cell directory:

<font face="Courier">PADDED_CELL=/sendmail_cell
</font>

Preface all paths with the padded cell variable as in:

<font face="Courier">(text deleted)

if [ -f ${PADDED_CELL}/usr/lib/sendmail -a -f ${PADDED_CELL}/etc/mail/sendmail.cf ]; then
	if [ -d ${PADDED_CELL}/var/spool/mqueue ]; then
		(cd ${PADDED_CELL}/var/spool/mqueue; rm -f nf* lf*)
	else
		mkdir ${PADDED_CELL}/var/spool/mqueue
		chown root ${PADDED_CELL}/var/spool/mqueue
		chgrp staff ${PADDED_CELL}/var/spool/mqueue
		chmod 750 ${PADDED_CELL}/var/spool/mqueue
	fi
	/usr/sbin/chroot ${PADDED_CELL} /usr/lib/sendmail -bd -q15m
fi

(more text deleted)
</font>

Permissions

Sendmail will complain about directory permissions until you fix them:

<font face="Courier">chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
</font>

See the README file in the top sendmail distribution directory for a more complete explanation.

If you're using a padded cell, preface each directory above with the name of the cell known to the system, as in <font face="Courier">/sendmail_cell</font>, <font face="Courier">/sendmail_cell/etc/mail</font>, and so on.

I shouldn't even have to say this, but make sure the <font face="Courier">sendmail.cf</font> file isn't world-writable. In fact, it shouldn't be world-readable either, unless you're running a POP or IMAP server on the firewall. Mine is owned by root and is readable only by root:

<font face="Courier">-r--------   1 root     bin        27626 Mar 19 12:59 /etc/mail/sendmail.cf
</font>

The most common misconception about sendmail is that the binary has to run <font face="Courier">setuid</font> to root. While this is true on an internal mail host, it isn't true on a firewall. Because there are no users actually receiving mail on the firewall, sendmail doesn't need to read users' home directories to look for <font face="Courier">.forward</font> or <font face="Courier">vacation</font> files. Therefore, it doesn't need to be <font face="Courier">setuid</font> to root:

<font face="Courier">-rwxr-xr-x   1 root     other     343846 Apr 16  1998 sendmail
</font>
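As an added example (not code from the column), here is a small POSIX shell script that builds the padded-cell skeleton the startup script above expects and audits it against the three rules of this section: no group- or world-writable directory on the paths sendmail checks, a <font face="Courier">sendmail.cf</font> readable only by root, and a binary that is not setuid. <font face="Courier">PADDED_CELL</font> is the column's variable name; the function names, the accepted <font face="Courier">sendmail.cf</font> modes and the <font face="Courier">audit_cell</font>/<font face="Courier">start_in_cell</font> helpers are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the column: build the padded-cell skeleton and
# audit it before the daemon is started. PADDED_CELL is the column's variable
# name; the cell path, the function names and the check order are assumptions.

PADDED_CELL=${PADDED_CELL:-/sendmail_cell}

# Directories on the path to the binary, the config file and the queue. Each
# must be owned by root and must not be group- or world-writable.
CELL_DIRS="/ /etc /etc/mail /usr /usr/lib /var /var/spool /var/spool/mqueue"

# make_cell CELL: create the tree and apply the column's chmod/chown. chown is
# skipped when not running as root so the example also runs unprivileged.
make_cell() {
    mc_cell=$1
    for d in $CELL_DIRS; do          # unquoted on purpose: split on spaces
        mkdir -p "$mc_cell$d"
        chmod go-w "$mc_cell$d"
        if [ "$(id -u)" -eq 0 ]; then chown root "$mc_cell$d"; fi
    done
    chmod 750 "$mc_cell/var/spool/mqueue"   # queue directory as in the rc script
}

# unsafe_dirs CELL: print every directory in CELL_DIRS that is group- or
# world-writable (the condition sendmail complains about); status 1 if any.
unsafe_dirs() {
    ud_found=0
    for d in $CELL_DIRS; do
        if [ -n "$(find "$1$d" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            printf '%s\n' "$1$d"
            ud_found=1
        fi
    done
    return $ud_found
}

# file_mode PATH: the symbolic mode string, e.g. -r--------
file_mode() { ls -ld "$1" | cut -c1-10; }

# audit_cell CELL: the checks from this section. Prints each problem found;
# status 1 if anything failed, 0 if the cell is ready to start sendmail.
audit_cell() {
    ac_cell=$1 ac_rc=0
    ac_dirs=$(unsafe_dirs "$ac_cell") || {
        printf 'group/world-writable directories:\n%s\n' "$ac_dirs"
        ac_rc=1
    }
    ac_cf=$ac_cell/etc/mail/sendmail.cf
    case "$(file_mode "$ac_cf")" in
        -r--------|-rw-------) ;;   # readable (and at most writable) by root only
        *) printf 'sendmail.cf must be readable only by root (found %s)\n' \
               "$(file_mode "$ac_cf")"; ac_rc=1 ;;
    esac
    if [ -n "$(find "$ac_cell/usr/lib/sendmail" -prune -perm -4000 -print 2>/dev/null)" ]; then
        printf 'sendmail binary is setuid; a firewall relay does not need that\n'
        ac_rc=1
    fi
    return $ac_rc
}

# start_in_cell CELL: what the rc script does, but only after the audit passes.
# Only meaningful as root on the firewall; shown here for the intended use.
start_in_cell() {
    audit_cell "$1" || return 1
    /usr/sbin/chroot "$1" /usr/lib/sendmail -bd -q15m
}

# Usage on the firewall (as root): PADDED_CELL=/sendmail_cell sh cell.sh start
if [ "${1:-}" = start ]; then
    start_in_cell "$PADDED_CELL"
fi
```

The audit deliberately re-implements the check sendmail itself performs on the directory chain, so the failure shows up in the startup log of the rc script rather than as a daemon that refuses connections after the firewall has gone live.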

Security in the configuration file

By default, the sendmail config file sets options such as file creation mode (<font face="Courier">O TempFileMode=600</font>) to be secure. Do not change these without understanding the consequences. You may want to turn off <font face="Courier">vrfy</font> and <font face="Courier">expn</font> to prevent someone from using them to verify valid user IDs on the system. Of course, if you're using <font face="Courier">chroot</font> to run sendmail in a cell, the copy of the <font face="Courier">passwd</font> file that is in the cell shouldn't be the real one. In my recent column, "Audits from hell," I used this fact to have a little fun with the penetration team. They usually get the name of the site contact and try combinations of it to find out the user ID. In this example, assume that "Carole Fennelly" and "Jon Klein" are in the WHOIS database -- juvenile, I know, but fun:

<font face="Courier">root:x:0:1:Welcome Penetration Test Team!:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
smtp:x:0:0:Mail Daemon User:/:
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Give up!:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
fennelly:x:7000:7000: Carole doesn't live here. Good try though:/tmp:/usr/local/etc/noshell
cfennell:x:7001:7001: We don't let Carole out during the day. Try at night:/tmp:/usr/local/etc/noshell
jklein:x:7001:7001:We don't let Jon out at all. He bites:/tmp:/usr/local/etc/noshell
</font>

A <font face="Courier">vrfy</font> on the SMTP port yields:

<font face="Courier"><strong>vrfy root</strong><br>
250 Welcome Penetration Test Team! <root@company.com>
<strong>vrfy cfennell</strong><br>
250 We don't let Carole out during the day. Try at night.  <cfennelly@company.com>
<strong>vrfy jklein</strong><br>
250 We don't let Jon out at all. He bites.  <jklein@company.com>
</font>

Anyway, if you want to turn off <font face="Courier">vrfy</font> and <font face="Courier">expn</font>, put the following line in your <font face="Courier">m4</font> configuration file (I used <font face="Courier">firebox.mc</font> in my example last month):

<font face="Courier">define(`confPRIVACY_FLAGS', `noexpn,novrfy')
</font>

The access database

The access database provides the administrator with a mechanism to set up specific access lists to control the sender and relayers of mail. It provides more granularity than the sender/relayer rules.

An access database is an ASCII file that is converted into a database in <font face="Courier">dbm</font> format (<font face="Courier">ndbm</font>), or in hash or <font face="Courier">btree</font> format (Berkeley DB). It is up to the reader to decide which database to use. For the purposes of this article, we're using a <font face="Courier">dbm</font> database.

A database record consists of two parts: the key and the action. The key can be a username, domain name, or network address. The action can be <font face="Courier">OK</font>, <font face="Courier">RELAY</font>, <font face="Courier">REJECT</font>, <font face="Courier">DISCARD</font>, or an <font face="Courier">RFC821</font> error message (a three-digit reply code followed by text, as in the first record below). Below is a sample access database list taken from the <font face="Courier">README</font> file in sendmail-8.9.3/cf.

<font face="Courier">cyberspammer.com        550 We don't accept mail from spammers
okay.cyberspammer.com   OK
sendmail.org            OK
128.32                  RELAY
</font>

Additionally, we'll add a few more records:

<font face="Courier">foobar.com              REJECT
garbage@spam.org        DISCARD
</font>

In the above examples, mail coming from <font face="Courier">cyberspammer.com</font> is rejected, and the 550 message is sent back to the originator. If, however, the mail comes from the host <font face="Courier">okay.cyberspammer.com</font>, then the mail is accepted. Mail from the host <font face="Courier">sendmail.org</font> is accepted. Mail from any host in the <font face="Courier">128.32</font> class B is allowed to relay (and thus is accepted as OK). Mail from <font face="Courier">foobar.com</font> is rejected, and the sender gets a generic access-denied message. Mail from <font face="Courier">garbage@spam.org</font> is accepted from the sender's perspective but is actually thrown away by the recipient mailer; the sender thinks the mail was delivered when in fact it wasn't.

To enable the access database, add to your

<font face="Courier">mc</font>
file:

<font face="Courier">FEATURE(`access_db')dnl
</font>

This will create an entry in the <font face="Courier">cf</font> file to use the hash database:

<font face="Courier">Kaccess hash -o  /etc/mail/access
</font>

To override this, you can add a second parameter to the feature. In our case, we want to use a <font face="Courier">dbm</font>-type database, so we would enter:

<font face="Courier">
FEATURE(`access_db',`dbm -o /etc/mail/access')dnl
</font>

The <font face="Courier">-o</font> option specifies that the map is optional (if it can't be opened, it will be ignored). If it's important that the access database be used, don't specify <font face="Courier">-o</font>. The second parameter is copied verbatim into the sendmail <font face="Courier">cf</font> file, so it will create an entry in the form:

<font face="Courier">Kaccess dbm -o /etc/mail/access
</font>

Remember that you must build and use the <font face="Courier">makemap</font> command to generate the access database. For our example, we had a source list called <font face="Courier">/etc/mail/access.list</font>. By running the command

<font face="Courier">makemap dbm /etc/mail/access < /etc/mail/access.list
</font>

we would generate <font face="Courier">access.dir</font> and <font face="Courier">access.pag</font> in the <font face="Courier">/etc/mail</font> directory. These are the files that sendmail uses for the database; the map name <font face="Courier">/etc/mail/access</font> in the <font face="Courier">K</font> line refers to them without the extension.

Here's a test with our sample access database:

<font face="Courier">220 mgate.wkeys.com ESMTP Sendmail 8.9.3/8.9.3; Sun, 23 May 1999 21:53:13 -0400 (EDT)
<strong>helo wkeys.com</strong><br>
250 mgate.wkeys.com Hello merlin.wkeys.com [190.70.70.50], pleased to meet you
<strong>mail from: <klein@cyberspammer.com></strong><br>
550 <klein@cyberspammer.com>... We don't accept mail from spammers
<strong>mail from: <klein@foobar.com></strong><br>
550 <klein@foobar.com>... Access denied
<strong>mail from: <klein@okay.cyberspammer.com></strong><br>
250 <klein@okay.cyberspammer.com>... Sender ok
<strong>rcpt to: <klein@wkeys.com></strong><br>
250 <klein@wkeys.com>... Recipient ok
<strong>data</strong><br>
354 Enter mail, end with "." on a line by itself
<strong>test
.</strong><br>
250 VAA07870 Message accepted for delivery
<strong>quit</strong><br>
221 mgate.wkeys.com closing connection

220 mgate.wkeys.com ESMTP Sendmail 8.9.3/8.9.3; Sun, 23 May 1999 21:54:08 -0400 (EDT)
<strong>helo wkeys.com</strong><br>
250 rahl.wkeys.com Hello merlin.wkeys.com [190.70.70.50], pleased to meet you
<strong>mail from: <garbage@spam.org></strong><br>
250 <garbage@spam.org>... Sender ok
<strong>rcpt to: <klein@wkeys.com></strong><br>
250 <klein@wkeys.com>... Recipient ok
<strong>data</strong><br>
354 Enter mail, end with "." on a line by itself
<strong>test
.</strong><br>
250 VAA07876 Message accepted for delivery
<strong>quit</strong><br>
221 mgate.wkeys.com closing connection
</font>
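The following is an added example, not the column's code and not sendmail's: a POSIX shell emulation of the order in which sendmail consults the access map, so that the outcome of the SMTP test above (and of the access records described earlier) can be predicted from the access list before <font face="Courier">makemap</font> is run. It assumes the walk sendmail documents for the map: the full address, then the host part, then each parent domain; for a connecting address, the full dotted IP and then shorter prefixes. The function names, the sample records (a constructed copy of the column's) and the lint rule are assumptions of this example; the real lookup is done by the rules in the <font face="Courier">cf</font> file.

```shell
#!/bin/sh
# Added example, not code from the column or from sendmail: emulate the access
# map lookup order so the result of an SMTP test can be predicted from the
# access list. Function names and the lint rule are assumptions of this example.

# write_sample_access FILE: the column's sample records (constructed copy).
write_sample_access() {
    cat > "$1" <<'EOF'
cyberspammer.com	550 We don't accept mail from spammers
okay.cyberspammer.com	OK
sendmail.org	OK
128.32	RELAY
foobar.com	REJECT
garbage@spam.org	DISCARD
EOF
}

# access_get LIST KEY: print the action stored under KEY (exact match on the
# first field, like a map lookup); prints nothing if the key is absent.
access_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# access_lookup LIST ADDRESS: envelope-sender lookup. The full address is tried
# first, then the host, then each parent domain; the first record found wins.
# Prints the action; status 1 means nothing matched and the ordinary
# sender/relay rules decide.
access_lookup() {
    al_key=$2
    while :; do
        al_action=$(access_get "$1" "$al_key")
        if [ -n "$al_action" ]; then
            printf '%s\n' "$al_action"
            return 0
        fi
        case $al_key in
            *@*) al_key=${al_key#*@} ;;   # drop the user part, try the host
            *.*) al_key=${al_key#*.} ;;   # drop one label, try the parent domain
            *)   return 1 ;;
        esac
    done
}

# access_lookup_ip LIST IP: connecting-address lookup. The full dotted address
# is tried, then shorter prefixes (128.32.1.2, 128.32.1, 128.32, 128), which is
# how the 128.32 RELAY record covers the whole class B.
access_lookup_ip() {
    ai_key=$2
    while [ -n "$ai_key" ]; do
        ai_action=$(access_get "$1" "$ai_key")
        if [ -n "$ai_action" ]; then
            printf '%s\n' "$ai_action"
            return 0
        fi
        case $ai_key in
            *.*) ai_key=${ai_key%.*} ;;
            *)   ai_key= ;;
        esac
    done
    return 1
}

# access_lint LIST: flag records whose action is not one the column lists
# (OK, RELAY, REJECT, DISCARD, or a 4xx/5xx reply code with a message, as in
# the 550 record). A typo here stays silent until a message is mishandled, so
# run this before makemap. Status 1 if any record is bad.
access_lint() {
    awk '
        NF < 2 { print NR ": missing action: " $0; bad = 1; next }
        $2 !~ /^(OK|RELAY|REJECT|DISCARD|[45][0-9][0-9])$/ {
            print NR ": unknown action \"" $2 "\": " $0; bad = 1 }
        END { exit bad + 0 }' "$1"
}
```

Running <font face="Courier">access_lookup</font> on the senders from the test session reproduces its replies: <font face="Courier">klein@cyberspammer.com</font> walks to <font face="Courier">cyberspammer.com</font> and gets the 550 text, <font face="Courier">klein@foobar.com</font> walks to <font face="Courier">foobar.com</font> and gets <font face="Courier">REJECT</font> (the generic "Access denied"), <font face="Courier">klein@okay.cyberspammer.com</font> matches the more specific host record first and is accepted, and <font face="Courier">garbage@spam.org</font> matches as a full address and is accepted on the wire but marked <font face="Courier">DISCARD</font>.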

Here's the log file information on the test:
