sendmail Security Options - 4.8.2.6 The PostmasterCopy option
The PostmasterCopy option (§24.9.85 on page 1064) causes a copy of every bounced message to be delivered to a named user. Usually, that user is the person who handles email problems. But because clumsy intrusion attempts can result in bounced mail, there will be times when bounced mail should also be delivered to the security administrator. Consider the following:
----- Transcript of session follows -----
>>> RCPT To:<root@your.site.domain>
<<< 550 cannot open /tmp/.../getshell: No such file or directory
550 5.7.1 cannot open /tmp/.../getshell: No such file or directory
This bounced mail message indicates that someone tried to become root by breaking through your aliases database.
Users are added to the list of those who get copies of bounced messages with the PostmasterCopy option:
O PostmasterCopy=postmaster,securitymaster        ← securitymaster added
Here, securitymaster (probably an alias to a real user) was added.
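Once a security administrator receives a copy of every bounce, the next problem is picking the interesting ones out of the routine "user unknown" noise. The following triage script is an added example, not code from the book or from the sendmail project: it looks at the session transcript of a bounce and flags the two signals visible in the transcript quoted above, a privileged recipient and a 550 reply that mentions a filesystem path (which means sendmail tried to deliver an alias to a file or program and failed). The first sample transcript is the one quoted in the text; the second is a constructed, ordinary bounce for contrast. The list of privileged local parts and the world-writable directory prefixes are assumptions you should adapt to your site.

```python
import re

# Constructed samples. The first transcript is the one quoted in the text
# above; the second is an ordinary "User unknown" bounce made up for contrast.
SAMPLE_BOUNCES = [
    """   ----- Transcript of session follows -----
>>> RCPT To:<root@your.site.domain>
<<< 550 cannot open /tmp/.../getshell: No such file or directory
550 5.7.1 cannot open /tmp/.../getshell: No such file or directory
""",
    """   ----- Transcript of session follows -----
>>> RCPT To:<nobody-here@your.site.domain>
<<< 550 5.1.1 <nobody-here@your.site.domain>... User unknown
550 5.1.1 <nobody-here@your.site.domain>... User unknown
""",
]

# Accounts whose aliases commonly expand to privileged programs or files
# (assumed list; extend it with your site's own administrative aliases).
PRIVILEGED_LOCALPARTS = {"root", "postmaster", "daemon", "uucp", "bin", "sys"}

# Directories any local user can write to (assumed list).
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# The recipient named in the transcript's RCPT line.
RCPT_RE = re.compile(r"^>>> RCPT To:<([^@>]+)@?([^>]*)>",
                     re.MULTILINE | re.IGNORECASE)
# A 550 reply from the local side that mentions a filesystem path: sendmail
# tried to deliver the alias to a file or program and could not open it.
PATH_RE = re.compile(r"^<<< 550 .*?(/[^\s:]+)", re.MULTILINE)


def triage_bounce(transcript):
    """Return a dict saying why this bounce deserves the security admin's
    attention, or None if it looks like routine undeliverable mail."""
    rcpt = RCPT_RE.search(transcript)
    if not rcpt:
        return None
    localpart = rcpt.group(1).lower()
    path_match = PATH_RE.search(transcript)
    path = path_match.group(1) if path_match else None

    reasons = []
    if localpart in PRIVILEGED_LOCALPARTS:
        reasons.append("recipient is privileged alias %r" % localpart)
    if path:
        reasons.append("delivery was attempted to path %s" % path)
        if path.startswith(WORLD_WRITABLE_PREFIXES):
            reasons.append("that path is in a world-writable directory")
    if not reasons:
        return None
    return {"recipient": localpart, "path": path, "reasons": reasons}


def triage_all(transcripts):
    """Triage a batch of bounce transcripts; keep only the suspicious ones."""
    return [r for r in (triage_bounce(t) for t in transcripts) if r]


if __name__ == "__main__":
    for hit in triage_all(SAMPLE_BOUNCES):
        print("SUSPICIOUS bounce to %s:" % hit["recipient"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

A bounce to root with no path in the reply is a weak signal on its own (cron and monitoring jobs bounce to root for innocent reasons); the path in the 550 reply is the strong one, because it names exactly what the attacker hoped sendmail would open.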
4.8.2.7 The PrivacyOptions option
The PrivacyOptions option (§24.9.86 on page 1065) is used to limit the amount of information offered to the outside world and to limit other kinds of access. The most restrictive setting for the PrivacyOptions option is probably best:
define(`confPRIVACY_FLAGS', ``goaway,restrictmailq,restrictqrun'')
This setting disables the EXPN and VRFY SMTP commands, requires other sites to identify themselves with HELO or EHLO before sending mail, and restricts who may view and run the mail queue. As a side effect, it also disables DSN parameters because goaway includes noreceipts. If that is a problem for you, you can manually set up everything that goaway does but exclude noreceipts. Note that the following line is split to fit the page:
define(`confPRIVACY_FLAGS', ``needmailhelo,noexpn,novrfy,noverb,authwarnings,
restrictmailq,restrictqrun'')
As a general rule, it is best to begin with tight security. This minimizes your risk from the beginning and allows you to cautiously ease restrictions at a comfortable rate. Beginning with loose restrictions can force you to tighten restrictions in a panic when it is least convenient to do so.
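Because goaway is a bundle rather than a single flag, it is easy to lose track of what is actually in effect once the .mc file has been turned into sendmail.cf. The checker below is an added example, not code from the book or from sendmail: it reads the O PrivacyOptions= line(s) of a generated sendmail.cf, expands goaway and the noexpn-implies-noverb rule, and reports which of the flags the text recommends are missing, with an option to complain when noreceipts would cost you DSN success notifications. The expansion of goaway follows the text above (which says it includes noreceipts) and is an assumption to verify against the PrivacyOptions documentation for the sendmail version you run; the sample .cf fragments are constructed, not real configuration files.

```python
import re

# What goaway expands to. This follows the text above, which says goaway
# includes noreceipts; treat it as an assumption and check it against the
# PrivacyOptions documentation for your sendmail version.
GOAWAY_EXPANDS_TO = {
    "needmailhelo", "needexpnhelo", "needvrfyhelo",
    "noexpn", "novrfy", "noverb", "authwarnings", "noreceipts",
}

# The flags the text recommends for a tight but DSN-friendly site.
REQUIRED = {"needmailhelo", "noexpn", "novrfy", "noverb", "authwarnings",
            "restrictmailq", "restrictqrun"}

# The long-form option line as it appears in a generated sendmail.cf.
PRIVACY_RE = re.compile(r"^O\s*PrivacyOptions\s*=\s*(.*)$", re.MULTILINE)


def effective_privacy_flags(cf_text):
    """Return the set of privacy flags in effect for this sendmail.cf text,
    after expanding goaway and the rule that noexpn implies noverb."""
    flags = set()
    for m in PRIVACY_RE.finditer(cf_text):
        for flag in m.group(1).split(","):
            flag = flag.strip().lower()
            if flag:
                flags.add(flag)
    if "goaway" in flags:
        flags |= GOAWAY_EXPANDS_TO
    if "noexpn" in flags:          # sendmail's op.me: noexpn implies noverb
        flags.add("noverb")
    return flags


def missing_privacy_flags(cf_text, required=REQUIRED, want_receipts=False):
    """List what is wrong with the PrivacyOptions line: required flags that
    are absent, plus a warning if noreceipts is set but DSN success
    notifications are wanted."""
    flags = effective_privacy_flags(cf_text)
    problems = sorted(required - flags)
    if want_receipts and "noreceipts" in flags:
        problems.append("noreceipts is in effect; DSN success notifications are disabled")
    return problems


# Constructed sendmail.cf fragments (not real files).
LOOSE_CF = (
    "O QueueDirectory=/var/spool/mqueue\n"
    "O PrivacyOptions=authwarnings\n"
)
TIGHT_CF = (
    "O QueueDirectory=/var/spool/mqueue\n"
    "O PrivacyOptions=goaway,restrictmailq,restrictqrun\n"
)
TIGHT_WITH_DSN_CF = (
    "O QueueDirectory=/var/spool/mqueue\n"
    "O PrivacyOptions=needmailhelo,noexpn,novrfy,noverb,authwarnings,"
    "restrictmailq,restrictqrun\n"
)

if __name__ == "__main__":
    for name, cf in (("loose", LOOSE_CF), ("tight", TIGHT_CF),
                     ("tight+dsn", TIGHT_WITH_DSN_CF)):
        print(name, "->", missing_privacy_flags(cf, want_receipts=True) or "ok")
```

Run it against the real /etc/mail/sendmail.cf after every m4 rebuild; it is the generated file, not the .mc source, that sendmail reads.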
4.8.2.8 The SafeFileEnvironment option
Beginning with V8.7 sendmail, the SafeFileEnvironment option (§24.9.103 on page 1084) determines how delivery will be made to files. Ordinarily, sendmail will deliver to anything, provided that it has permission to do so (§12.2.2 on page 466). It can, for example, deliver by appending to ordinary files or by writing to a device such as /dev/log.
If the SafeFileEnvironment option is declared, sendmail will deliver only to ordinary files. This improves security by preventing anyone from scribbling over sensitive things, such as directories and devices. (Beginning with V8.8 sendmail, it is still OK to write to /dev/null even though this option is set.)
The SafeFileEnvironment option can also be used to define a directory under which all files that will be appended to must exist. This might inconvenience some users but will generally improve the security of your site. We recommend:
O SafeFileEnvironment=/path                   ← configuration file
define(`confSAFE_FILE_ENV', `/path')          ← mc configuration
This takes care of both security enhancements. Of course, you will need to create the directory specified in /path and populate it with the appropriate files.
Note that, just before appending to a file, sendmail does a chroot(2) into /path. As a consequence, an entry such as the following requires that the full path exist, such as /path/admin/mail:
bob: \bob, /admin/mail/bob.archive
But sendmail is also clever: if an aliases path begins with the same path as the SafeFileEnvironment path, that prefix is removed before the write:
bob: \bob, /path/admin/mail/bob.archive
Here, because the SafeFileEnvironment option specifies /path, sendmail will perform the chroot(2) into /path, then strip /path from the aliases file entry, leaving /admin/mail/bob.archive, which it opens inside the chroot.
If all you want to do is prevent writing to directories and devices, and if you do not want to place all files in a special path, you can accomplish this by defining /path as the root directory:
O SafeFileEnvironment=/
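The chroot-then-strip behaviour above is easy to get wrong when auditing an aliases file by eye, so here is a small model of it as an added example (not code from the book or from sendmail's deliver.c). It computes the path sendmail would actually open for a file target given a SafeFileEnvironment setting, applies the rules the text states (the target must already exist and be an ordinary file, /dev/null is always accepted, and SafeFileEnvironment=/ only enforces the ordinary-file rule), and exercises them against a throwaway directory tree built for the demonstration. The prefix-stripping logic and the existence check are a model of the text's description, not a copy of sendmail's own code, and sendmail applies further permission checks not shown here.

```python
import os
import shutil
import stat
import tempfile


def resolve_safe_file(safe_env, target):
    """Path sendmail would open for an aliases/.forward file target when
    SafeFileEnvironment is safe_env (model of the text's description).
    sendmail chroots into safe_env; a target that already starts with
    safe_env has that prefix stripped first, then the rest is taken
    relative to safe_env. With safe_env == "/" nothing is relocated."""
    safe_env = os.path.normpath(safe_env)
    target = os.path.normpath(target)
    if safe_env != "/" and (target == safe_env
                            or target.startswith(safe_env + os.sep)):
        target = target[len(safe_env):] or "/"
    # os.path.join would discard safe_env for an absolute target, so strip
    # the leading slash before joining.
    return os.path.normpath(os.path.join(safe_env, target.lstrip(os.sep)))


def is_safe_file_target(safe_env, target):
    """True if sendmail could append to this target under SafeFileEnvironment:
    /dev/null is special-cased (V8.8 and later); anything else must resolve,
    inside safe_env, to an existing ordinary file. Directories, devices and
    missing files are rejected."""
    if os.path.normpath(target) == "/dev/null":
        return True
    real = resolve_safe_file(safe_env, target)
    try:
        st = os.lstat(real)
    except FileNotFoundError:
        return False
    return stat.S_ISREG(st.st_mode)


def demo():
    """Build a throwaway SafeFileEnvironment tree (constructed for this
    example) and report which alias targets would be accepted."""
    safe_env = tempfile.mkdtemp(prefix="safe-file-env-")
    try:
        os.makedirs(os.path.join(safe_env, "admin", "mail"))
        open(os.path.join(safe_env, "admin", "mail", "bob.archive"), "w").close()
        return {
            # entry written relative to the chroot, as in "bob: \bob, /admin/mail/bob.archive"
            "relative": is_safe_file_target(safe_env, "/admin/mail/bob.archive"),
            # entry that already names the SafeFileEnvironment prefix: prefix is stripped
            "prefixed": is_safe_file_target(safe_env, safe_env + "/admin/mail/bob.archive"),
            # a directory is never a valid file target
            "directory": is_safe_file_target(safe_env, "/admin/mail"),
            # file not yet created under /path: delivery would fail
            "missing": is_safe_file_target(safe_env, "/admin/mail/alice.archive"),
            # /dev/null is accepted even though it is not under /path
            "devnull": is_safe_file_target(safe_env, "/dev/null"),
        }
    finally:
        shutil.rmtree(safe_env)


if __name__ == "__main__":
    for label, ok in demo().items():
        print("%-10s %s" % (label, "accepted" if ok else "rejected"))
```

The "missing" case is the one that bites in practice: moving an existing archive alias under SafeFileEnvironment silently turns it into a bounce until someone creates the file beneath /path.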
4.8.2.9 The TempFileMode and QueueFileMode options
The TempFileMode option (§24.9.118 on page 1097) specifies the mode (file permissions) to give all temporary files and queue files. Beginning with V8.12, the QueueFileMode option (§24.9.90 on page 1071) specifies the permissions given to queue files. In general, all files that are created by sendmail should be considered proprietary for safety’s sake. We recommend a setting of:
O TempFileMode=0600 ← pre-V8.12, for all temp files and queue files
O QueueFileMode=0600 ← V8.12 and above, for queue files only, in sendmail.cf
O QueueFileMode=0660 ← V8.12 and above, for MSP queue files only, in submit.cf
With this narrow setting, accidental or malicious easing of permissions on your mail archive directories or queue becomes less of a risk.
This article is excerpted from chapter four of sendmail, fourth edition, written by Bryan Costales, Claus Assmann, George Jansen and Gregory Shapiro (O'Reilly, 2007; ISBN: 0596510292).