Recipe 10.1 Limiting the Number of sendmail Servers

Problem

Because every network service that accepts inbound connections is a potential target of security attacks, you want to limit the number of systems running a sendmail listener in order to reduce both security exposure and maintenance effort.

Solution

Select a limited number of hosts to act as mail exchangers and mail relay hosts for your enterprise. Configure the selected systems as described in Chapter 2 and in Chapter 3. The other sendmail systems should be configured as described here.

Make a backup copy of the submit.mc file:

 # cd /usr/local/src/sendmail-8.12.9/cf/cf
 # cp submit.mc submit.mc.original

Edit the submit.mc file. Add the MASQUERADE_AS macro to the configuration so that replies to mail sent by the local host will go to a server that has an active SMTP port, and add the name of the mail relay host to the msp FEATURE command. Here are the active lines in the submit.mc file from the sendmail 8.12.9 distribution after the changes have been made:

 VERSIONID(`submit.mc modified for recipe 10.1')
 define(`confCF_VERSION', `Submit')
 define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
 define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
 define(`confTIME_ZONE', `USE_TZ')
 define(`confDONT_INIT_GROUPS', `True')dnl
 MASQUERADE_AS(`chef.wrotethebook.com')
 FEATURE(`msp', `chef.wrotethebook.com')

Rebuild the submit.cf file and restart the MSP daemon. Here is an example from our sample Linux system:

 # ./Build submit.cf
 Using M4=/usr/bin/m4
 rm -f submit.cf
 /usr/bin/m4 ../m4/cf.m4 submit.mc > submit.cf || ( rm -f submit.cf && exit 1 )
 chmod 444 submit.cf
 # cp submit.cf /etc/mail/submit.cf
 # kill -HUP `head -1 /var/spool/clientmqueue/sm-client.pid`

Edit the system startup script. Change the command that starts the sendmail daemon by removing the -bd flag. For example, change this:

 /usr/sbin/sendmail -bd -q15m 

to this:

 /usr/sbin/sendmail -q15m 

Terminate the currently running daemon and rerun sendmail without the -bd flag:

 # kill -TERM `head -1 /var/run/sendmail.pid`
 # /usr/sbin/sendmail -q15m
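The following audit script is added here as a worked example; it is not part of the sendmail Cookbook or of the sendmail distribution. It checks the three things the Solution changes on a workstation: where the MSP will hand outbound mail (the host argument of FEATURE(`msp'), with sendmail's default of 127.0.0.1 when no host is given, as the Discussion explains), whether MASQUERADE_AS is set, and whether the host still has an SMTP listener, judged from saved netstat -ltn or ss -ltn output and from the startup script. The submit.mc fragments, netstat output and startup-script lines embedded in it are constructed samples; only the hostname chef.wrotethebook.com comes from the recipe. The function names (msp_relay_host, smtp_listeners, audit_workstation, and so on) are this example's own.

```sh
#!/bin/sh
# Added audit helper, not part of the sendmail Cookbook or the sendmail
# distribution. Checks a workstation configured per Recipe 10.1:
#   - which host the MSP connects to (FEATURE(`msp') argument, default 127.0.0.1)
#   - whether MASQUERADE_AS is set
#   - whether an SMTP listener (port 25 or 587) is still bound, and whether
#     the startup script still passes -bd to sendmail

# Print the host the MSP connects to. With no host argument sendmail uses
# 127.0.0.1; return 1 if the msp feature is missing altogether.
msp_relay_host() {
    host=$(sed -n 's/^FEATURE(.msp.[ ]*,[ ]*\([^,)]*\)).*/\1/p' "$1" \
           | tr -d "\`'" | head -1)
    if [ -n "$host" ]; then
        printf '%s\n' "$host"
    elif grep -q '^FEATURE(.msp.' "$1"; then
        printf '127.0.0.1\n'
    else
        printf 'no msp feature in %s\n' "$1" >&2
        return 1
    fi
}

# Print the MASQUERADE_AS name, or nothing when the macro is absent.
masquerade_host() {
    sed -n 's/^MASQUERADE_AS(\([^)]*\)).*/\1/p' "$1" | tr -d "\`'" | head -1
}

# Read netstat -ltn or ss -ltn output on stdin; print the local sockets bound
# to the default sendmail ports 25 and 587 (IPv4 "0.0.0.0:25" or IPv6 ":::25").
smtp_listeners() {
    awk '($1 == "LISTEN" || $NF == "LISTEN") {
             n = split($4, a, ":"); port = a[n]
             if (port == "25" || port == "587") print $4
         }'
}

# Exit 0 if a startup script still starts sendmail with the -bd flag.
startup_has_listener_flag() {
    grep -E 'sendmail[^#]* -bd( |$)' "$1" >/dev/null
}

# Verdict for one workstation: 0 when mail leaves through a named relay and
# no listener remains; 1 otherwise.
# $1 = submit.mc   $2 = saved netstat/ss output   $3 = startup script
audit_workstation() {
    relay=$(msp_relay_host "$1") || return 1
    listeners=$(smtp_listeners < "$2" | tr '\n' ' ')
    status=0
    if [ "$relay" = "127.0.0.1" ]; then
        printf 'FAIL: MSP delivers to 127.0.0.1, which needs a local listener\n'
        status=1
    fi
    if [ -n "$listeners" ]; then
        printf 'FAIL: SMTP listener still bound on %s\n' "$listeners"
        status=1
    fi
    if startup_has_listener_flag "$3"; then
        printf 'FAIL: %s still starts sendmail with -bd\n' "$3"
        status=1
    fi
    if [ -z "$(masquerade_host "$1")" ]; then
        printf 'WARN: no MASQUERADE_AS; replies must be routed by MX or the server\n'
    fi
    [ "$status" -eq 0 ] && printf 'OK: outbound mail relays via %s; no listener\n' "$relay"
    return "$status"
}

# ---- constructed sample inputs; nothing below describes a real host ----
WORK=$(mktemp -d "${TMPDIR:-/tmp}/recipe101.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/submit.mc" <<'EOF'
VERSIONID(`submit.mc modified for recipe 10.1')
define(`confCF_VERSION', `Submit')
MASQUERADE_AS(`chef.wrotethebook.com')
FEATURE(`msp', `chef.wrotethebook.com')
EOF
cat > "$WORK/submit-stock.mc" <<'EOF'
define(`confCF_VERSION', `Submit')
FEATURE(`msp')
EOF
cat > "$WORK/netstat-before.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF
cat > "$WORK/netstat-after.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF
printf '/usr/sbin/sendmail -bd -q15m\n' > "$WORK/rc-before"
printf '/usr/sbin/sendmail -q15m\n'     > "$WORK/rc-after"

# On a real host:  netstat -ltn > /tmp/ns.txt
#                  audit_workstation /etc/mail/submit.mc /tmp/ns.txt /etc/init.d/sendmail
audit_workstation "$WORK/submit.mc" "$WORK/netstat-before.txt" "$WORK/rc-before" || :
audit_workstation "$WORK/submit.mc" "$WORK/netstat-after.txt" "$WORK/rc-after"
```

The first audit call reproduces the state before the recipe (listener bound, -bd still in the startup script) and reports two FAIL lines; the second reproduces the finished recipe and reports OK. The stock submit.mc, with FEATURE(`msp') and no host, is the case the Discussion warns about: the MSP would connect to 127.0.0.1, so removing -bd on such a host would break outbound mail.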

Discussion

Most Unix startup configurations start the sendmail daemon as both an SMTP listener and a queue processor. The listener function, which is requested by the -bd command-line flag, binds sendmail to TCP ports where it listens for inbound mail. [1] The -bd option is only needed if the system collects inbound mail. Most Unix workstations do not need to collect inbound mail. A central server can collect and hold the mail for a large number of workstations, and users on the workstations can retrieve the mail using tools such as POP and IMAP.

[1] The ports used by sendmail can be changed in the configuration, but the default ports are 25 and 587.

Limiting the SMTP listener to servers provides some security advantages. As the Introduction points out, SMTP servers are targets for attack because they accept connections and data from unknown hosts via the SMTP port. Intruders scan networks looking for systems that respond to SMTP connections and target their attacks against those systems. Running an SMTP listener on a system means that the system becomes a possible target. Mail servers must run the SMTP listener, but on other systems, the listener is an unnecessary risk. Controlling the SMTP ports at the firewall and limiting the number of systems listening to those ports provides defense in depth. If an administrator fails to disable the ports on a host, the firewall should stop an attack. If the firewall fails, limiting the number of systems listening to the SMTP ports limits the number of targets.

Limiting the number of systems that run the SMTP listener not only reduces risk, it also reduces the security administrator's workload. Recipe 10.3 and Recipe 10.4 are good examples of this. They discuss applying fixes to sendmail to thwart an attack that comes through the SMTP port. Every system that accepts inbound SMTP connections is vulnerable to this attack. If only servers listen on that port, only servers are critically in need of the security maintenance necessary to fix this vulnerability. A site with thousands of desktop workstations might have only a handful of valid sendmail servers. Fixing a few servers is much easier than fixing thousands of desktops. Not only that, the skill level of the server administrators is generally high. Most of those administrators can handle the fix by themselves. Desktop users, on the other hand, require much more support. If anyone fails to correctly apply a critical security fix, the entire network remains in danger. Reducing the number of systems that require a critical fix is clearly a security and maintenance win.

This recipe describes changes to the submit.cf configuration. submit.cf is a special configuration used by sendmail when it acts as a mail submission program (MSP). The MSP configuration is an option available for systems running sendmail Version 8.12 and higher. When the submit.mc change is made and sendmail is restarted without the -bd flag, it is not necessary to update the sendmail.cf configuration. Recipe 10.2 shows an alternative to this recipe that changes the sendmail.cf configuration instead of the submit.cf configuration.

When a recipient replies to a message received from a system configured with this recipe, the reply must go to the server because replies sent directly to the workstation fail when the workstation does not have a listener on an SMTP port. Replies can be routed to the server with MX records, with masquerading on the workstation, or with masquerading on the server when all outbound mail is relayed through the server, as it is in this recipe's submit.mc configuration. Masquerading on the workstation is used here because it makes a simpler example and all configuration changes can be made in one file.

The msp feature in the submit.mc file configures sendmail as a mail submission program. By default, the MSP sends mail to the MTA by connecting to an SMTP port at 127.0.0.1, the local host address. In that case, the local host must be running an SMTP listener in order to send outbound mail. Adding a hostname to the msp FEATURE command causes the MSP to connect to the SMTP port on the specified host. This means that the client does not need a listener to send outbound mail because outbound mail goes directly from the MSP to the MTA on the specified host. In this recipe, the hostname chef.wrotethebook.com is added to the FEATURE(`msp') command. Therefore, all outbound mail is sent to chef.wrotethebook.com for delivery. chef must be configured to accept this mail, as described in Chapter 2 and Chapter 3.

After creating the new configuration, edit the system startup files to ensure that they do not start an SMTP listener when the system reboots. The currently running version of sendmail must be terminated to end the current listener. Finally, run sendmail from the command line with the -q flag but without the -bd flag to start a queue runner that will drain the queue.

See Also

Recipe 10.10 provides an additional example of the submit.mc configuration. Chapter 1 describes how the MSP configuration is initially created during the installation of the sendmail source code distribution. Recipe 10.2 discusses an alternative solution that does not require changes to the submit.mc configuration; evaluate Recipe 10.2 before implementing this recipe. Chapter 2, Chapter 3, and Chapter 4 provide related recipes for clients sending outbound mail through servers and for configuring those servers to accept that mail. The sendmail book covers the msp feature in Section 4.8.27 and the MASQUERADE_AS macro in Section 4.4.2.

sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt