Security Features of sendmail - 4.8 Security Features
We now turn our attention from security problems to security features. Many security features are discussed in the various README files supplied with the sendmail source distribution. In this section, we discuss the most common security features:
The T configuration command (class t) defines which users are allowed to use the -f command-line switch to override the sender address with one of their own, and which users are allowed to rebuild the aliases database.
The smrsh program replaces /bin/sh as the program run by the prog delivery agent to execute programs. The smrsh program is simple yet immensely valuable. We recommend that it be routinely installed on all your machines. The smrsh program is described in detail in §10.8 on page 379.
Several options can be used to tighten security and to provide reports of security violations.
The /etc/shells file prevents ordinary users from running programs on your mail server.
4.8.1 Trusted Users
Under pre-V8 sendmail, trusted users are those who are allowed to use the -f command-line switch (§6.7.24 on page 241) to override the sender address with one of their own. V8.1 sendmail eliminated this configuration command. V8.7 restored it, but as a class, and uses that class only to suppress warning headers. V8.11 and above allow only users in that class to rebuild the aliases database.
Trusted users are necessary for certain kinds of mail to flow properly. For example, the rmail(8) program of the UUCP suite of programs runs set-user-id to uucp. If rmail were not to use the -f command-line switch, all mail from UUCP would wrongly appear to come from the uucp user. To circumvent this problem, rmail runs sendmail as:
/usr/lib/sendmail -f reallyfrom
This tells sendmail to show, in both the header and envelope, the message as being from reallyfrom, rather than from uucp.
The concept of a trusted user is intended to prevent ordinary users from changing the sender address and thereby forging mail. Although that intention is laudable and good for UUCP, it can cause problems with mailing lists. Consider the following:
list: "|/usr/lib/sendmail -oi -flist-request -odi list-real"
list-real: :include:/export/share/mail-lists/list.list
The intention here is for all mail sent to the mailing list named list to be dispatched as though it were sent from the address list-request (the -f). This causes errors to be returned to the maintainer of the list (the list-request), but replies still go to the real sender.
Unfortunately, this scheme fails when mail is posted to list from the local machine. Recall that only trusted users can change the identity of the sender with -f. This is why V8.1 sendmail eliminated the concept of the trusted user (anyone could use the -f switch).
4.8.1.1 Declare trusted users (ignored V8.1 through V8.6)
Trusted users are defined by those lines in the sendmail.cf file that begin with the uppercase letter T. Only trusted users can use the sendmail program’s -f command-line switch to specify who sent the message. Beginning with V8.7 sendmail, the class t can also be used.
The T sendmail.cf command must begin a line. One or more space-delimited user-names then follow on that same line. There can be multiple T commands in a sendmail.cf file, each adding names to the list of trusted users. Prior to V8 there could be, at most, MAXTRUST trusted users, where MAXTRUST was defined in conf.h when you compiled sendmail. Beginning with V8.7, there is no limit:
T uucp                                          ← legal in V8.1 through V8.6 but ignored
Troot daemon                                    ← legal in V8.1 through V8.6 but ignored
Ct uucp                                         ← ignored pre-V8.7
Ctroot daemon                                   ← ignored pre-V8.7
define(`confTRUSTED_USERS',`root daemon')       ← V8.7 and above in mc file
The two T commands show that there might optionally be whitespace between the T and the first name in any list of names. They indicate that uucp, root, and daemon are trusted and have been added to the list of trusted users in that order. The two class declarations show a similar declaration for use beginning with V8.7 sendmail (but note that V8.7 and above can still use the old syntax).
Prior to V8 sendmail, if you listed more than MAXTRUST trusted users, sendmail printed and syslog(3)’ed a message such as this:
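One way to audit the declarations described above, as an added example (not code from the book or from sendmail): it collects names from T and Ct lines of a sendmail.cf and lists any that are not on an allowlist. The sample file, the function names, and the allowlist are constructed for illustration, and the code assumes that a line starting with a space or tab continues the previous line.

```python
# Constructed sample sendmail.cf fragment (not taken from a real host).
SAMPLE_CF = """\
# trusted users
T uucp
Troot daemon
Ct majordomo
 listmgr
Cwlocalhost
 Tnot-a-command
Ct root
"""

def trusted_users(cf_text):
    """Return trusted users in declaration order, without duplicates."""
    # Assumption: a line starting with space or tab continues the previous
    # line, so it can never start a new T or Ct command of its own.
    logical = []
    for raw in cf_text.splitlines():
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw)

    users = []
    for line in logical:
        if line.startswith("T"):        # old syntax: "T uucp" or "Troot daemon"
            names = line[1:].split()
        elif line.startswith("Ct"):     # class t: "Ct uucp" or "Ctroot daemon"
            names = line[2:].split()
        else:
            continue                    # comments, other classes, options
        for name in names:
            if name not in users:       # each command adds to one list
                users.append(name)
    return users

def unexpected_trusted(cf_text, allowed):
    """Return declared trusted users that are not on the allowlist."""
    return [u for u in trusted_users(cf_text) if u not in allowed]

if __name__ == "__main__":
    print("trusted:", trusted_users(SAMPLE_CF))
    print("review:", unexpected_trusted(SAMPLE_CF, {"root", "daemon", "uucp"}))
```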
sendmail: too many T lines, 32 max
This message was not fatal. The sendmail program issued it for each excess T line (ignoring those trusted users) and continued to run. V8 sendmail has implemented trusted users as a class, and there is no longer any limit imposed.
Prior to V8 sendmail, if a user who was not trusted attempted to use the -f switch, that attempt was silently ignored (silently disallowed). Beginning with V8.7 sendmail, if a user who is not trusted attempts to use the -f switch, that attempt can produce an X-Authentication-Warning: header (§25.12.40 on page 1167) if the PrivacyOptions option (§24.9.86 on page 1065) has authwarnings listed.
Even though some users find them annoying, we recommend that you always enable X-Authentication-Warning: headers. They warn of suspicious behavior. If the behavior is legitimate, modify that behavior to eliminate the header instead of eliminating the more valuable warning headers.
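A sketch of how these warning headers can be reviewed in bulk, as an added example (not code from the book or from sendmail): it pulls X-Authentication-Warning: headers out of stored messages and reports -f sender overrides by users you have not already accounted for. The sample messages are constructed, and the warning text "host: user set sender to address using -f" is an assumption about the header's wording; adjust the pattern to what your own sendmail emits.

```python
import re
from email import message_from_string

# Constructed sample messages (not real mail).
MESSAGES = [
    "From: list-request@example.com\n"
    "X-Authentication-Warning: mail.example.com: bob set sender to"
    " list-request@example.com using -f\n"
    "Subject: digest\n\nbody\n",
    "From: alice@example.com\nSubject: hello\n\nbody\n",
    "From: ceo@example.com\n"
    "X-Authentication-Warning: mail.example.com: carol set sender to"
    " ceo@example.com using -f\n"
    "Subject: urgent\n\nbody\n",
]

# Assumed wording of the warning value: "host: user set sender to addr using -f"
WARNING = re.compile(
    r"^(?P<host>\S+): (?P<user>\S+) set sender to (?P<sender>\S+) using -f$"
)

def sender_overrides(raw_messages, expected=()):
    """Return (user, claimed_sender) pairs for -f overrides made by
    users that are not listed in `expected`."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        for value in msg.get_all("X-Authentication-Warning", []):
            # Collapse folded header whitespace before matching.
            m = WARNING.match(" ".join(value.split()))
            if m and m.group("user") not in expected:
                findings.append((m.group("user"), m.group("sender")))
    return findings

if __name__ == "__main__":
    # "bob" runs the mailing list; anything else is worth a look.
    for user, sender in sender_overrides(MESSAGES, expected=("bob",)):
        print(f"{user} sent mail as {sender}")
```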
This article is excerpted from chapter four of sendmail, fourth edition, written by Bryan Costales, Claus Assmann, George Jansen and Gregory Shapiro (O'Reilly, 2007; ISBN: 0596510292).