Setting up sendmail on a firewall, Part 1

By Carole Fennelly, Unix Insider |  Networking

One of the greatest features of sendmail is the extreme flexibility
it provides the administrator. This is also one of its worst
features, because it is so often misconfigured. Usually, a system
administrator inherits a sendmail
configuration file that he or she is afraid to touch, lest it should
break. Over time, this file becomes hopelessly confusing,
contradictory, and redundant.

I began writing this column with the intention of providing a
simple, straightforward, "sendmail for dummies" approach. I ended up
appreciating how Bryan Costales must have felt when he wrote his handbook,
Sendmail, for O'Reilly & Associates: Nothing is simple in sendmail. I also
learned to appreciate just how powerful and flexible sendmail really
is. It's worth learning. It's also worth a few columns.
I'll devote this month's column to discussing some of the
background and new features in sendmail 8.9.3 as well as how to
build the source code. Next month we'll look into the
configuration file. If there is enough interest, I will add a third
column for special situations and testing techniques.

Sendmail on the firewall?

Like most security admins, I've always been told it's a bad idea to
run sendmail on the firewall. It's generally
considered better to run something like smap instead. Indeed, I ran
smap myself until I discovered a problem I couldn't fix with
smap. The problem was that company email was forwarded from an
internal mail gateway system to the firewall. The firewall could
only rewrite the external header to say the mail came from
"company.com." There was still an internal header that showed the
mail was routed through "mailgate.company.com," complete with the
mailgate internal IP address. I couldn't have the inside machine
masquerade as company.com because there were other internal mail
gateways it had to communicate with. (They couldn't all be
company.com.) But because sendmail is extremely flexible, open
source software, it's possible to add functionality to strip out
the inside header. Also, many of the security risks with sendmail
have to do with the fact that it's generally run setuid to root. It
isn't necessary to run it this way on a firewall because there are
no direct mail users on the firewall. For added security, I run
sendmail in a chrooted cell with the program mailer using the
sendmail restricted shell, smrsh.
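
The leak described above can be checked for on any message that has passed through the firewall. The following is an added example, not code from the column or from sendmail: it lists every Received header that still shows an internal host name or a non-public address. The function name audit_received, the host desk42.company.com, the addresses and the message ids are assumptions made up for the sample.

```python
import email
import ipaddress
import re

# Constructed sample: a message leaving the firewall that still carries the
# Received headers added inside the network. Host names other than
# company.com and mailgate.company.com, the addresses and the ids are made up.
SAMPLE = """\
Received: from mailgate.company.com (mailgate.company.com [10.1.2.3])
    by company.com (8.9.3/8.9.3) with ESMTP id PLACEHOLDER1;
    Fri, 1 Jan 1999 10:00:00 -0500
Received: from desk42.company.com ([192.168.7.42])
    by mailgate.company.com (8.9.3/8.9.3) with SMTP id PLACEHOLDER2;
    Fri, 1 Jan 1999 09:59:58 -0500
From: user@company.com
To: someone@example.org
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)")

def audit_received(raw_message, public_names):
    """Return (header_index, reason) pairs for Received headers that would
    show an outside recipient an internal host name or non-public address."""
    msg = email.message_from_string(raw_message)
    findings = []
    for idx, value in enumerate(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        for ip in IP_RE.findall(value):
            try:
                if ipaddress.ip_address(ip).is_private:
                    findings.append((idx, "non-public address " + ip))
            except ValueError:                   # e.g. [999.1.1.1]
                pass
        for host in HOST_RE.findall(value):
            host = host.lower().rstrip(".")
            if host not in public_names:
                findings.append((idx, "internal host name " + host))
    return findings

if __name__ == "__main__":
    for idx, reason in audit_received(SAMPLE, {"company.com"}):
        print("Received[%d]: %s" % (idx, reason))
```

An empty result for a message captured outside the firewall means no Received header names anything other than the hosts listed in public_names.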

Preliminaries

There are certain resources you should have available before you
start working with sendmail. This column isn't going to attempt to
cover all aspects of sendmail. For that, I direct you to Bryan Costales's
Sendmail, Second Edition. Aside from being an excellent resource, at more
than 1,000 pages this book can also double as a child's booster seat!
