Server Administration
  Home arrow Server Administration arrow Security Features of sendmail
Codewalker Forums 
  Tutorials  
Database Articles  
Miscellaneous  
Navigation Usability  
PEAR Articles  
Programming Basics  
Server Administration  
XML Tutorials  
  Reviews  
Database Book Reviews  
Linux Book Reviews  
Miscellaneous Reviews  
PHP Book Reviews  
PHP Software Reviews  
Server Admin Reviews  
SQL Tool Reviews  
  Code Gallery  
Content Management Code  
Contest Code  
Counters Code  
Database Code  
Date Time Code  
Discussion Board Code  
Email Code  
File Manipulation Code  
GUI Code  
Link Farm Code  
Miscellaneous Code  
Search Code  
Site Navigation Code  
User Management Code  
Mobile Linux 
App Generation ROI 
IBM® developerWorks 
Download TestComplete 
Forums Sitemap 
Weekly Newsletter 
 
Developer Updates  
Free Website Content 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us Get Paid 
Request Media Kit
Contact Us 
Site Map 
Privacy Policy 
Support 
 USERNAME
 
 PASSWORD
 
 
  >>> SIGN UP!  
  Lost Password? 
SERVER ADMINISTRATION

Security Features of sendmail
By: O'Reilly Media
  • Search For More Articles!
  • Disclaimer
  • Author Terms
  • Rating: 5 stars5 stars5 stars5 stars5 stars / 1
    2008-05-08

    Table of Contents:
  • Security Features of sendmail
  • 4.6 The aliases File
  • 4.7 Forged Mail
  • 4.8 Security Features

  • Rate this Article: Poor Best 
      ADD THIS ARTICLE TO:
      Del.ici.ous Digg
      Blink Simpy
      Google Spurl
      Y! MyWeb Furl
    Email Me Similar Content When Posted
    Add Developer Shed Article Feed To Your Site
    Email Article To Friend
    Print Version Of Article
    PDF Version Of Article
     
     
    ADVERTISEMENT


    Security Features of sendmail


    (Page 1 of 4 )

    In this third part of a four-part series on securing sendmail, you will learn about the aliases file, and we will turn our attention from security problems to security features. This article is excerpted from chapter four of sendmail, fourth edition, written by Bryan Costales, Claus Assmann, George Jansen and Gregory Shapiro (O'Reilly, 2007; ISBN: 0596510292). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

    4.5.5 Don’t Blame sendmail

    In §24.9.39 on page 1009, we describe the DontBlameSendmail option, which can be used to allow looser permissions. We mention this option here because its misuse can lead to a weakening of security.

    Consider a site where you use group permissions to allow system administrators to edit :include:files, rather than allowing them to do so by becoming root. Note that these mailing lists include archive files—that is, entries that append messages to archive files.

    Unless you tell sendmail otherwise, it will refuse to run programs listed in such group-writable:include:files, and also refuse to append to any files listed in such:include:files (append to archive files). Every time mail is sent to such a mailing list, sendmail will log the following warning:

      /path: group writable :include: file, marked unsafe

    You can prevent this warning and allow running of disallowed programs and appending to disallowed files by declaring theDontBlameSendmailoption in your mc configuration file:

      define(`confDONT_BLAME_SENDMAIL´, `GroupWritableIncludeFileSafe´)

    This declaration tells sendmail that you consider it safe to append to archive files from inside:include:files, even when the:include:file is group-writable. The result is that you have streamlined your department’s operation, but you have done so at the price of security.

    The sendmail program is paranoid about group-writable permissions because such permissions open the door to intrusion by insiders. Group permissions are managed via the passwd and group files, and:include:files can be silently edited with no record made about what was done to them. Contrast this approach to one that uses sudo(8) or a similar program, to manage access to root and other privileges. The sudo(8) program executes programs (such as an editor to edit an:include:file) with special permissions (such as root) and logs a record of each command executed.

    It is vastly better to keep sendmail’s file permissions narrow and to use other security tools to manage those files. We recommend you never use theDontBlameSendmailoption to loosen permissions. If you think you need to do so, you should review your overall approach. Try to find a safe way to satisfy your needs, rather than loosening sendmail’s security behavior.

    More Server Administration Articles
    More By O'Reilly Media


       · This article is an excerpt from the book "sendmail, fourth edition," published by...
     

    Buy this book now. This article is excerpted from chapter four of sendmail, fourth edition, written by Bryan Costales, Claus Assmann, George Jansen and Gregory Shapiro (O'Reilly, 2007; ISBN: 0596510292). Check it out today at your favorite bookstore. Buy this book now.

    SERVER ADMINISTRATION ARTICLES

    - Processes in the UNIX Shell
    - Migrating from Windows to Wine
    - Wine: Not Another Emulator
    - Preventive Measures to Block SSH Attacks
    - Monitoring Temperatures with Cacti
    - Cacti: RRDTool-based Graphing Solution
    - Network Magic 5.0 Review
    - Netfilter and Iptables Overview
    - Installing and Configuring Squid
    - Clickfree PC Backup Systems Compared
    - Squid, the Caching Proxy
    - Regular Expressions in the Unix Shell
    - Source Code Version Control Solutions
    - OTRS: Open Source Ticket Request System
    - Clonezilla: Free Mass Disk-Cloning Utility





    © 2003-2009 by Developer Shed. All rights reserved. DS Cluster 4 Hosted by Hostway
    For more Enterprise Application Development news, visit eWeek