Setting up sendmail on a firewall, Part 2

Unix Insider –

Last month, I started this series on sendmail 8.9.3 with the intention of pointing out the advantages of upgrading to this more secure version that includes antispam and antirelaying features. Little did I know at the time that the release of the Melissa virus would demonstrate the value of using an open source mail system such as sendmail. Accompanying the release of the CERT advisory regarding the virus was a method for filtering out the affected mail with sendmail -- even though sendmail wasn't the target in this case.

Aside from the Melissa virus, some of the systems I support were recently subjected to a surprise audit. The firewall that was running sendmail 8.9.3 thwarted every mail attack, in many cases because the source address was invalid. The auditors made quite an issue over the fact that systems not yet upgraded to sendmail 8.9.3 permitted mail relaying and were subject to spamming. The upgrade is in progress.

To continue where I left off last month, I'll describe the sendmail configuration file and explain the template file that works for me on my firewall. I use a variation of this template in most places with a few changes, depending on how I want to route mail. Generally, I do not recommend that the firewall handle routing to multiple mail gateways; if one of the mail gateways goes down, it can cause a denial-of-service problem on the firewall. I recommend that the firewall just send all mail for the company to one master mail gateway on the internal DMZ. This system can handle subdomain routing. This way, if the mail system gets flooded, other firewall services can still function. To keep things simple, I'll just describe the configuration file for the firewall.

The configuration file

Now comes the fun part -- creating the configuration file. I generate a new one every time I update sendmail to verify that I can create one from scratch, if required. This is not as complicated as it sounds, provided I have a template file that reflects my local configuration. Too often, I have seen sites with a legacy sendmail.cf file that was originally written by an administrator who left the company years ago. This configuration file usually becomes a hopelessly confusing set of redundant and conflicting rules that the current staff is afraid to clean up. I have found it much easier, in the long run, to start from scratch and create a new file. You will have to do this anyway if you are running a much older version of sendmail. While there is effort required in doing this the first time, subsequent releases are much easier because you can reuse the same template file.

m4 configuration

The open source version of sendmail comes with m4 macro configuration (mc) template files from which a sendmail.cf file is generated. These files are in /usr/local/src/sendmail-8.9.3/cf/cf and have the suffix .mc. Using the template file (and keeping it up to date!) makes upgrading to new releases relatively painless. I keep my template files in a special directory and then copy them when I need them. If you are starting with an existing template file, make sure you test its validity by generating a sendmail.cf file with it and comparing it to your production sendmail.cf file. This will let you know if someone has edited the production sendmail.cf file without updating the .mc template file. I have to confess that I have been guilty of editing the sendmail.cf file live, but I usually go back and make sure the .mc file is updated.

Copy the generic template file for your operating system. If you're running Solaris 2.x, the file is generic-solaris2.mc. If there isn't a generic template file for your OS, pick one and edit it to change the OSTYPE() macro to match your OS (an ls of the directory /usr/local/src/sendmail-8.9.3/cf/ostype shows the available operating systems). For example, there is no Linux template file, but there is a linux.m4 file in the ostype directory, so just change solaris2 to linux in the OSTYPE() macro. I usually copy this file to the system's name, as in firewall.mc. You'll need to edit this file for your site's configuration. The example I am giving works on most firewalls I've configured that have to route mail to an internal mail gateway. There are, no doubt, other ways to do the same thing. Chapter 19 in Bryan Costales's book about sendmail has a very useful description of the sendmail m4 macros. It is very important to remember that sendmail expects tabs, not spaces, between the fields in the rulesets. If you do a cut and paste, you will have to go back and change the spaces between the fields to tabs.

The remainder of this section describes the .mc file that I would typically use for a firewall. The actual lines from my .mc file are given first, and the description of their purpose follows. You could probably use this with modifications for your particular domain (represented here by a placeholder domain name).

VERSIONID(`@(#) 8.9.3 (Wizard's Keys) 2/19/1999')

Edit the VERSIONID line to something meaningful for your site. This is not necessary to make anything work, but it's good housekeeping.


The next line is the OSTYPE() macro, which names your operating system type. If you're running Linux, replace solaris2 with linux. I've configured for both. The dnl (delete through newline) ending on each line keeps m4 from inserting blank lines into the generated file. It isn't necessary, just aesthetic.


You can have your own domain file for site-specific configuration options, pulled in with the DOMAIN() macro. A generic file, as well as examples of other domain files, are provided in the sendmail-8.9.3/cf/domain directory. This file isn't required, but if you support multiple sendmail configurations at your site (for example, an external firewall, an internal firewall, an internal mail gateway, etc.), it can be very useful.

FEATURE in the mc file

This portion of the .mc file is where you can get creative and make sendmail do all sorts of things without having to write a special rule. Make sure you read up on these features (I recommend you review both Costales's Sendmail and the sendmail Web site). I'll just go over the ones I typically use.


I don't have any uucp-type addresses, so I don't see any point in including uucp rules that I don't need; however, there's no harm in leaving the uucp rules in.

It is recommended that this feature be used to force the local or program mailer to fully qualify mail.


I use this feature on the firewall to force all mail to appear to originate from the site's official domain name. However, I don't use it on the internal mail gateway. You need to use this feature in conjunction with MASQUERADE_AS.


This feature forces any host within my domain to appear to come from the same domain. I don't use this feature internally because I want to make decisions based on subdomains. To the public Internet, I want everything to appear to come from my top-level domain.


This feature causes the envelope sender to be masqueraded as well, and is useful for centralizing error messages (bounces) on one host. I use this feature on both the internal mail gateway and the firewall.

FEATURE(smrsh, /usr/local/etc/smrsh)dnl

I run sendmail in a chroot cell, but a little extra paranoia on the firewall doesn't hurt. The source for smrsh (sendmail restricted shell) comes with the release, but needs to be compiled and installed separately. /usr/local/etc/smrsh is used instead of /bin/sh by the program mailer. To have smrsh execute a program, it must be placed in the directory /usr/adm/sm.bin (or wherever you point CMDDIR in your site-config file). smrsh will search this directory to validate a requested program or script and will then invoke /bin/sh to execute that program or script. If the program or script isn't in the directory, the request is rejected. smrsh also rejects command lines that contain shell metacharacters such as backquotes, redirections and semicolons, so a .forward entry cannot chain a second command onto an approved one.


As I described last month, this feature allows any host within my domain to relay mail through my system. For a private, small company this approach is fine; for some larger clients with multiple organizations, I won't use this feature.


I'm tired of getting mail directed to www when I don't yet have a Web server. (I've been a bit busy.) I use this feature to block mail sent to www, nobody, and guest. As I mentioned last month, you have to set up the access database to use this feature.


Obviously, this is the value I want used for the masquerading features I defined above.


Use this feature if you're known by many internal domain names but want to appear to be from the domain you listed in MASQUERADE_AS.


You can define your own macros for sendmail or use the ones that are built in. If you define your own, be careful not to pick a macro name (or letter) that is already in use! It can cause some unexpected behavior. All lowercase letters are reserved for sendmail, as are some uppercase letters. (See Table 31-7 in Costales's Sendmail and also visit the sendmail Web site.)


You definitely need this feature to deliver mail locally. Although no users are on the firewall, you still have to be able to have cron jobs send mail to root.


You need this feature to be able to process SMTP mail. You can add other mailers if you use them.

LOCAL RULES in the mc file

This portion of the .mc file is where the (black) magic of sendmail comes in. You can make sendmail do almost anything, if you know how. A word of caution: if there is already a built-in feature to do what you want, use it. Try to avoid the temptation of adding complexity. Don't forget the period (.) after $={MyNames}; it matches the trailing dot that sendmail attaches to a fully qualified host name when it canonifies an address, which is how the address looks by the time ruleset 0 sees it. MyNames is a class -- you can call it anything that's not reserved, but it has to be defined (for example, with a C line in LOCAL_CONFIG) before this rule can match anything. Also, as I stated before, there must be a tab between {MyNames} . > and $#smtp to distinguish the left side from the right side.

LOCAL_RULE_0
R$+ < @ $* $={MyNames} . >	$#smtp $@ $: $1 < @ $m >
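Here is a complete firewall.mc, added as an example; it is not the template from the article (whose individual FEATURE lines are not reproduced above), and the mapping of each description in the FEATURE section onto a sendmail 8.9 feature name is my own reading of those descriptions. The domain example.com, the gateway mailgw.internal.example.com and the way the recipient is rewritten on the right side of the rule are assumptions. One deliberate difference from the rule as printed above: that rule's $@ field (the host the smtp mailer connects to) is empty, and this example names the internal gateway there, since that is where the article wants a firewall to hand all inbound mail.

```m4
divert(-1)
# firewall.mc -- added example, not the template from the article.
# Assumptions: example.com is the official domain, and
# mailgw.internal.example.com is the single internal mail gateway.
divert(0)dnl
VERSIONID(`@(#) firewall.mc example for sendmail 8.9.3')dnl
OSTYPE(`solaris2')dnl				change to linux, etc., to match cf/ostype
DOMAIN(`generic')dnl				optional site-wide settings from cf/domain
dnl --- features, in the order the article discusses them ---
FEATURE(`nouucp')dnl				no uucp addresses here
FEATURE(`always_add_domain')dnl		local/program mailer sees fully qualified addresses
FEATURE(`allmasquerade')dnl			all headers appear to come from MASQUERADE_AS
FEATURE(`masquerade_entire_domain')dnl	subdomains are folded into the top-level domain too
FEATURE(`masquerade_envelope')dnl		envelope sender as well, so bounces land on one host
FEATURE(`smrsh', `/usr/local/etc/smrsh')dnl
FEATURE(`relay_entire_domain')dnl		only hosts in our own domain may relay
FEATURE(`access_db')dnl				required by blacklist_recipients
FEATURE(`blacklist_recipients')dnl		reject www, nobody, guest via the access map
MASQUERADE_AS(`example.com')dnl
MASQUERADE_DOMAIN(`example.com')dnl
MAILER(`local')dnl				cron on the firewall still mails root
MAILER(`smtp')dnl
LOCAL_CONFIG
# names we accept mail for (assumption); the gateway does any subdomain routing
C{MyNames} example.com
LOCAL_RULE_0
# user@anything.example.com -> hand to the gateway, recipient domain preserved
R$+ < @ $* $={MyNames} . >	$#smtp $@ mailgw.internal.example.com $: $1 < @ $2 $3 . >
```

Build it from the cf/cf directory with m4 ../m4/cf.m4 firewall.mc > firewall.cf, and keep the literal tab between the two halves of the R line. The $2 $3 . on the right side keeps the original subdomain so the gateway can do the subdomain routing the article assigns to it; the article's $m would fold every recipient into the top-level domain instead.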

Building the config file

If you've been following along, you should now have a template .mc file for your system in the directory /usr/local/src/sendmail-8.9.3/cf/cf. To turn this into a sendmail.cf file, you have to use the m4 macro processor:

	m4 ../m4/cf.m4 firewall.mc > firewall.cf

If everything goes well, your new configuration file will be firewall.cf. Copy this file to /etc/mail/. After testing, you can copy or link it to /etc/mail/sendmail.cf (or wherever your system keeps its sendmail.cf file) with mode 600, owned by root.
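The build above, the comparison against production that the m4 configuration section recommends, a check for the tab that sendmail requires in every rule, and a way to test the routing rule before cutover, as an added shell script that is not from the article. It assumes the source tree at /usr/local/src/sendmail-8.9.3 and the binary at /usr/sbin/sendmail (both overridable through the environment); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): build, check and test a sendmail.cf.
# Assumed locations; override via the environment if yours differ.
SENDMAIL_CF_DIR=${SENDMAIL_CF_DIR:-/usr/local/src/sendmail-8.9.3/cf/cf}
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}

# build_cf firewall.mc firewall.cf: run m4 from cf/cf so ../m4/cf.m4 resolves.
build_cf() {
    mc=$1 cf=$2
    ( cd "$SENDMAIL_CF_DIR" && m4 ../m4/cf.m4 "$mc" ) > "$cf"
}

# lint_rulesets file...: sendmail splits an R line into LHS and RHS at a tab,
# so a rule whose halves are separated only by spaces cannot be parsed as a
# rule (the usual result of cut and paste). Prints every R line with no tab
# at all and returns 1 if any were found, 0 otherwise.
lint_rulesets() {
    awk '
        /^R/ && index($0, "\t") == 0 {
            printf "%s:%d: no tab between LHS and RHS: %s\n", FILENAME, FNR, $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$@"
}

# cf_matches fresh.cf prod.cf: compare a freshly built .cf with the production
# one, ignoring the "#####" banner lines that record who built it and when.
# Any other difference means someone edited sendmail.cf without updating the
# .mc template. Returns 0 when they match, 1 when they differ.
cf_matches() {
    fresh=$1 prod=$2
    a=$(mktemp) b=$(mktemp)
    grep -v '^#####' "$prod" > "$a" || true
    grep -v '^#####' "$fresh" > "$b" || true
    status=0
    diff -u "$a" "$b" || status=$?
    rm -f "$a" "$b"
    return $status
}

# resolve_address firewall.cf user@host: push an address through rulesets 3
# and 0 of a candidate .cf in sendmail's address test mode (-bt), without
# installing it, to see which mailer and host the LOCAL_RULE_0 routing picks.
resolve_address() {
    printf '3,0 %s\n' "$2" | "$SENDMAIL" -bt -C "$1"
}

# install_cf firewall.cf: put the tested file in place, mode 600, owned by root.
install_cf() {
    install -o root -g 0 -m 600 "$1" /etc/mail/sendmail.cf
}
```

Typical sequence: build_cf firewall.mc /tmp/firewall.cf, lint_rulesets firewall.mc /tmp/firewall.cf, resolve_address /tmp/firewall.cf someone@sales.example.com to confirm the rule hands off to the gateway, cf_matches /tmp/firewall.cf /etc/mail/sendmail.cf to see what changed, and only then install_cf as root.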

What the heck is this?

It may look like line noise to you, but the following line is actually very important and warrants explanation:

R$+ < @ $* $={MyNames} . >	$#smtp $@ $: $1 < @ $m >

I was really trying to avoid explaining rulesets, as it has been covered at length in Sendmail and other places. To summarize, here are some important things to remember:
