Setting up sendmail on a firewall, Part 3

By Carole Fennelly, Unix Insider |  Networking

This is the final installment of my three-part series on secure sendmail installations. There's plenty more to say, of course, but I don't want to turn this column into the Wizard's Guide to Sendmail.

To paraphrase an old saying, an example is worth a thousand words. This month, I'll elaborate on some optional features of sendmail and provide an example of a configuration I've used. While this example worked for me, I am by no means stating that it is the best or only solution to the problem. It's merely a solution that I successfully implemented. Hopefully, you can learn something from it. If you have a better way of solving the same problem, just send me mail and I'll post it. I'm always interested in learning something new. I'll also cover some testing and debugging techniques that might be useful.

Putting it into production

Several years ago, a friend of mine built a sendmail configuration for a firewall, but left the company before it was put into production. The administrator who took over the system didn't realize that the intention was to run sendmail in a restricted (chrooted) environment with no root privileges. When the firewall was put into production, it was quickly hacked because sendmail wasn't installed properly.

Where to install

I like to use chroot to create a restricted padded cell to isolate sendmail from the rest of the system. Using chroot is no guarantee of security, but it does limit exposures. If it's used in combination with tight permissions, it provides an effective security barrier.

For the sake of argument, let's say that the root of the cell is a filesystem called /sendmail_cell that is mounted nosuid. Normally, on Solaris, the sendmail binary is installed in /usr/lib/sendmail and the configuration file is in /etc/mail/sendmail.cf. Since the configuration file used to be in /etc, I put in a symbolic link from /etc/sendmail.cf to /etc/mail/sendmail.cf. Because we're using a padded cell here, the binary and the configuration file will be in /sendmail_cell/usr/lib/sendmail and /sendmail_cell/etc/mail/sendmail.cf. The startup script (/etc/rc2.d/S88sendmail on Solaris) is modified to start sendmail with chroot. At the beginning of the startup file, define a variable for the padded cell directory:
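
The following is an added example, not part of the original column and not the author's startup script: a shell check of the padded-cell layout described above, meant to be run before sendmail is started under chroot. The function names and the demo directory are assumptions made for illustration; the two file paths are the ones given in the text.

```shell
#!/bin/sh
# Added example: audit the chroot cell layout before starting sendmail in it.
# Function names are hypothetical; the two paths come from the article.
# It does not check the nosuid mount option; confirm that in the mount output.

note() { echo "FINDING: $*"; findings=$((findings + 1)); }

# audit_cell CELL: print one line per finding; return 0 only if there are none.
audit_cell() {
    cell=$1
    findings=0
    [ -d "$cell" ] || { note "$cell is not a directory"; return 1; }

    # The binary and its configuration must exist inside the cell.
    [ -f "$cell/usr/lib/sendmail" ] && [ -x "$cell/usr/lib/sendmail" ] ||
        note "missing or non-executable: $cell/usr/lib/sendmail"
    [ -f "$cell/etc/mail/sendmail.cf" ] ||
        note "missing: $cell/etc/mail/sendmail.cf"

    # No setuid/setgid files: sendmail is meant to run here without root.
    suid=$(find "$cell" -type f \( -perm -4000 -o -perm -2000 \))
    [ -z "$suid" ] || note "setuid/setgid files: $suid"

    # Tight permissions: nothing in the cell may be world-writable.
    ww=$(find "$cell" ! -type l -perm -0002)
    [ -z "$ww" ] || note "world-writable: $ww"

    [ "$findings" -eq 0 ]
}

# build_demo_cell DIR: constructed sample layout, only for trying the audit.
build_demo_cell() {
    mkdir -p "$1/usr/lib" "$1/etc/mail"
    printf '#!/bin/sh\n' > "$1/usr/lib/sendmail"   # stand-in, not a real binary
    : > "$1/etc/mail/sendmail.cf"
    chmod -R go-w "$1"
    chmod 755 "$1/usr/lib/sendmail"
}

demo=$(mktemp -d)
build_demo_cell "$demo/sendmail_cell"
if audit_cell "$demo/sendmail_cell"; then echo "cell layout OK"; fi
rm -rf "$demo"
```

On a real system, call `audit_cell /sendmail_cell` and refuse to start the daemon when it returns non-zero.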
