M4 and Sendmail cheat sheet was: RE: [SLUG] mail server.

From: R P Herrold (herrold@owlriver.com)
Date: Sat Nov 17 2001 - 17:52:19 EST


(clip and save)

On Sat, 17 Nov 2001, Jeff Barriault wrote:

> Sendmail happens to be running on the RedHat box too, but I haven't figured
> out how to connect to it from my Win2K system. Of course I've gotten a bunch
> of great advice from folks on this mail list and am sitting here currently
> trying to figure it all out.
>
> Thanks Russ, and everyone else for helping,

RH 7.1 and later ship with sendmail listening ONLY at
127.0.0.1 AND in non-daemon mode -- that is for locally
originated email -- this is a security matter to prevent your
host from being an open relay, and ALSO to make sendmail
secure against the kind of external compromise mentioned
earlier today. This topic (shipping without remote exploit
holes, as does OpenBSD) was a _big_ issue to me in the RH 7.0
development phase, and RH 7.1 and following ship secure by
default -- it takes an effort to make RH 7.1 and following
vulnerable to crackers.

1. To be able to hand email TO it (on port 25), you will
need packages:

    sendmail-cf and
    m4

loaded. Check that they are present thus:

   rpm -q sendmail-cf m4

(we are asking the package manager to confirm that they are
present and their versions)

2. If not present, use your install media and install them

(how is beyond the scope of this piece)

3. Edit /etc/mail/sendmail.mc with your favorite text editor.
Toward the bottom of that file is this stanza:

dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

... note that the string "dnl " at the left margin is how
comments are added to sendmail.mc -- this is an artifact of
the ancient origins of sendmail and the m4 macro processor

Make it read as the text says "to accept email over the
network":

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

(this is the last line quoted in the first stanza, now
commented out.)

4. rebuild /etc/sendmail.cf from the revised
/etc/mail/sendmail.mc thus:

  m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

(This is considered Unix deep magic -- but all it does is have
the m4 macro processor use the sendmail-cf recipes, and make
a new well-formed sendmail.cf. Note that lower in the
sendmail.mc file is an option to specify what hostname your
mail server uses -- useful for pretending to be a server with
a resolvable name.)

5. Tell sendmail to listen all the time (in so-called daemon
mode) instead of delivering just its own local mail queue just
once an hour.

Edit /etc/sysconfig/sendmail

and change:

   DAEMON=no

to:

   DAEMON=yes

6. And restart sendmail

  service sendmail restart

7. Confirm it locally:

   netstat -an | grep 25 | grep tcp

yields:

   tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN

(which says the host is listening on ALL interfaces for
connections ...)

[I undid step 5 and 6 -- and reran this test -- it yields --
nothing -- that it is NOT able to be connected to externally
on port 25 -- and so THAT port is safe from a remote direct
attack.]

8. Test locally (I list YOUR part OUT of []):

telnet localhost 25
[... banner]
HELO LOCALHOST
[... response]
QUIT

It went:

[root@couch herrold]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 couch.basement.net ESMTP Sendmail 8.11.6/8.11.6; Sat, 17
     Nov 2001 17:10:39 -0500
HELO localhost
250 couch.basement.net Hello
     IDENT:+yf0DRAJjMc1ZxKCEIv/Y7hCZQtbC55G@couch.basement.net
     [127.0.0.1], pleased to meet you
QUIT
221 2.0.0 couch.basement.net closing connection
Connection closed by foreign host.
$

9. The acid test -- From another host test it:

telnet couch.basement.net 25
HELO localhost
QUIT

Or more elaborately:

[herrold@router herrold]$ telnet couch.basement.net 25
Trying 172.16.33.101...
Connected to 172.16.33.101.
Escape character is '^]'.
220 couch.basement.net ESMTP Sendmail 8.11.6/8.11.6; Sat, 17
        Nov 2001 17:36:05 -0500
HELO localhost
250 couch.basement.net Hello router.basement.net
      [172.16.33.2], pleased to meet you
MAIL FROM: godzilla@localhost
553 5.5.4 godzilla@localhost... Real domain name required for sender address
MAIL FROM: godzilla@microsoft.com
250 2.1.0 godzilla@microsoft.com... Sender ok
RCPT TO: root@localhost
250 2.1.5 root@localhost... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Linux rules.
.
250 2.0.0 fAHMajY07056 Message accepted for delivery
QUIT
221 2.0.0 couch.basement.net closing connection
Connection closed by foreign host.
[herrold@router herrold]$

.... that was successful -- note that the 'domain must
resolve' rule for senders kicked in on the first part of the
offer -- this is an anti-spam feature. [Note that the name
lookups work: I have working residential DHCP and DNS services
on Linux ... ]

There is a forward rule in place for root, as recommended
earlier. Out at the final recipient host, we find:

Return-Path: <godzilla@microsoft.com>
Received: from couch.basement.net
        (dhcp065-024-xx-xx.columbus.rr.com [65.24.xx.xx])
        by swampfox.owlriver.com (8.11.6/8.11.6) with ESMTP id
        fAHMbGu07271 for <herrold@owlriver.com>; Sat, 17 Nov
        2001 17:37:16 -0500
Received: from localhost (router.basement.net [172.16.33.2])
        by couch.basement.net (8.11.6/8.11.6) with SMTP id
        fAHMajY07056
        for root@localhost; Sat, 17 Nov 2001 17:37:06 -0500
Date: Sat, 17 Nov 2001 17:37:06 -0500
From: godzilla@microsoft.com
Message-Id: <200111172237.fAHMajY07056@couch.basement.net>
X-Loop: herrold@owlriver.com

Linux rules.

-----------------------------------------------

Read the received lines from the bottom up --

offered to root@localhost -- handed to herrold@owlriver.com
 
Do NOT connect this to the outside world -- a bit more needs
to be done --- As set, it will receive mail only with a final
(as to the originator's perspective) destination at the
localhost -- /etc/mail/access and /etc/mail/local-host-names
need attention to receive mail for handling for others. But
again, this is beyond the scope of this presentation.

And we reached the goal state. I don't need to expose the
root password to receive the mail. And as I recall, that was
your question.

-- Russ

ps: I don't do it much, but I've noted a copyright here --
private individual use only, please.

-- 
end
==================================
 .-- -... ---.. ... -.- -.--
Copyright (C) 2001 R P Herrold
      herrold@owlriver.com  NIC: RPH5 (US)
   My words are not deathless prose, 
      but they are mine.

Owl River Company "The World is Open to Linux (tm)" ... Open Source LINUX solutions ... info@owlriver.com Columbus, OH
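The steps above can be scripted and checked rather than done by hand. The block below is an added example, not part of Russ's post: it performs step 3 (un-commenting, or optionally re-addressing, the DAEMON_OPTIONS line) on a copy of the sendmail.mc stanza quoted above, tightens the step 7 netstat check so that it cannot be fooled by ports such as 2525, and wraps step 8 as a one-line SMTP smoke test. The sendmail.mc stanza and the netstat lines embedded in it are constructed samples, the file paths are passed in as arguments, and the address 172.16.33.101 in the demo is the one shown in the post's transcript, reused here as an assumption. The ADDR form of enable_network_smtp goes one step beyond the post: sendmail's Addr= option accepts a single interface address, so you can expose port 25 on the LAN side only instead of on every interface.

```shell
#!/bin/sh
# Added example (not from the original post): scripts steps 3 and 7 of the
# cheat sheet above. Paths are passed in as arguments; the sendmail.mc stanza
# and the netstat lines embedded below are constructed samples, and the
# address 172.16.33.101 used in the demo is the one the post's transcript
# shows, reused here as an assumption.
set -eu

# Step 3: stop binding the MTA to the loopback only. With no ADDR, comment the
# DAEMON_OPTIONS line out with "dnl " exactly as the post does, so sendmail
# listens on every interface. With ADDR, rewrite Addr= to that one address
# instead, which keeps port 25 off interfaces that never need it. A copy is
# written and renamed so a failed sed cannot leave a half-written file.
# Usage: enable_network_smtp FILE [ADDR]
enable_network_smtp() {
    file=$1
    addr=${2:-}
    pat="^DAEMON_OPTIONS(\`Port=smtp,Addr=127\.0\.0\.1, Name=MTA')"
    if [ -n "$addr" ]; then
        rep="DAEMON_OPTIONS(\`Port=smtp,Addr=$addr, Name=MTA')"
    else
        rep='dnl &'
    fi
    sed "s/$pat/$rep/" "$file" > "$file.new" && mv "$file.new" "$file"
}

# Return 0 while FILE still carries an active (not dnl-commented) loopback-only
# DAEMON_OPTIONS line, i.e. step 3 has not been done yet.
loopback_only() {
    grep -q "^DAEMON_OPTIONS(\`Port=smtp,Addr=127\.0\.0\.1" "$1"
}

# Step 7, tightened: read "netstat -an" output on stdin, print the local
# address of each TCP listener on port 25 and return 0 if there is one.
# A bare "grep 25" also matches ports such as 2525 or 125.
smtp_listener() {
    awk '$1 ~ /^tcp/ && $4 ~ /:25$/ && $NF == "LISTEN" { print $4; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Classify an address from smtp_listener: "all" for the wildcard bind the post
# shows (0.0.0.0:25), "loopback" for 127.0.0.1, "specific" for one interface.
listener_scope() {
    case $1 in
        0.0.0.0:*|:::*)      echo all ;;
        127.0.0.1:*|::1:*)   echo loopback ;;
        *)                   echo specific ;;
    esac
}

# Step 8 by script: HELO/QUIT against a live host with nc. Run by hand; the
# offline checks in demo never open a socket.
smtp_smoke_test() {
    printf 'HELO localhost\r\nQUIT\r\n' | nc -w 5 "$1" 25
}

# Constructed sample of the sendmail.mc stanza quoted in the post.
write_sample_mc() {
    cat > "$1" <<'EOF'
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
EOF
}

# Constructed "netstat -an" lines: one real port-25 listener and two near
# misses that a bare "grep 25" would also report.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:2525            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:125             0.0.0.0:*
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# Offline walk-through on the constructed samples: ./this.sh demo
demo() {
    mc=$(mktemp)
    write_sample_mc "$mc"
    enable_network_smtp "$mc" 172.16.33.101
    echo "after step 3 (LAN address only):"; cat "$mc"
    rm -f "$mc"
    addr=$(printf '%s\n' "$SAMPLE_NETSTAT" | smtp_listener) || addr=none
    echo "port 25 listener: $addr ($(listener_scope "$addr"))"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `demo` to see the rewritten stanza and the listener classification on the samples; on the real box, `enable_network_smtp /etc/mail/sendmail.mc` followed by the m4 rebuild, DAEMON=yes and `service sendmail restart` from steps 4 to 6 is the same change the post makes by hand, and `netstat -an | smtp_listener` then replaces the `grep 25` check. Whether you let sendmail bind 0.0.0.0 or one address, the post's closing warning still holds: /etc/mail/access and /etc/mail/local-host-names decide whom it relays for, and this script does not touch them.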



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:23:40 EDT