Recipe 10.2 Limiting the Number of Network Accessible Servers

Problem

Accepting SMTP connections from the network makes a system a potential target of network-based security attacks. Special configuration is required to prevent the sendmail daemon from accepting inbound email connections from the network.

Solution

Select a limited number of hosts to act as mail exchangers and mail relay hosts for your enterprise. Configure the selected systems as described in Chapter 2 and Chapter 3. The other sendmail systems should be configured as described here.

Add the no_default_msa feature to the sendmail configuration to prevent sendmail from creating a default MSA configuration. Then add DAEMON_OPTIONS macros to create your own configuration that limits inbound mail connections to the loopback address. Finally, add the MASQUERADE_AS macro to the configuration so that replies to mail sent by the local host will go to a server that has an active SMTP port. Here are sample lines that could be added to the sendmail configuration:

 dnl Don't create a default MSA configuration
 FEATURE(`no_default_msa')
 dnl Limit the MSA to the loopback address
 DAEMON_OPTIONS(`Name=MSA, Port=587, Addr=127.0.0.1, M=E')
 dnl Limit the MTA to the 127.0.0.1 interface
 DAEMON_OPTIONS(`Name=MTA, Addr=127.0.0.1')
 dnl Make sure replies go to the mail host
 MASQUERADE_AS(`chef.wrotethebook.com')

Following the example in Recipe 1.8, rebuild and reinstall sendmail.cf, then restart sendmail.

Discussion

The DAEMON_OPTIONS macro sets values for the sendmail.cf DaemonPortOptions statements. A basic sendmail configuration has two DaemonPortOptions statements: one for the MTA mode of the sendmail daemon and one for the MSA mode. A grep shows this:

 # grep 'DaemonPortOptions' generic-linux.cf
 O DaemonPortOptions=Name=MTA
 O DaemonPortOptions=Port=587, Name=MSA, M=E

Both port 25, used by the MTA, and port 587, used by the MSA, are accessible from the network, and thus are potentially vulnerable to network attacks. This book contains many examples of connecting to port 25. Here is one to illustrate the network accessibility of port 587:

 $ telnet chef 587
 Trying 192.168.0.8...
 Connected to chef.
 Escape character is '^]'.
 220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.4; Mon, 29 Sep 2003 10:45:59 -0400
 HELO rodent
 250 chef.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to meet you
 MAIL From:<craig@rodent.wrotethebook.com>
 250 2.1.0 <craig@rodent.wrotethebook.com>... Sender ok
 RCPT To:<craig@chef.wrotethebook.com>
 250 2.1.5 <craig@chef.wrotethebook.com>... Recipient ok
 DATA
 354 Enter mail, end with "." on a line by itself
 Subject: 587 test

 .
 250 2.0.0 h8TEjxrm001514 Message accepted for delivery
 QUIT
 221 2.0.0 chef.wrotethebook.com closing connection
 Connection closed by foreign host.

The default Addr value used by DaemonPortOptions is INADDR_ANY, which means that the daemon accepts connections on every address the host has. Specifying an address with the Addr value limits incoming connections to that address. Thus, setting Addr=127.0.0.1 means that only connections from the local host that arrive through the loopback interface are accepted, which eliminates all inbound connections from the network. Rerunning the previous telnet test after completing this recipe shows that network connections are no longer allowed:

 $ telnet chef 587
 Trying 192.168.0.8...
 telnet: connect to address 192.168.0.8: Connection refused
 $ telnet chef 25
 Trying 192.168.0.8...
 telnet: connect to address 192.168.0.8: Connection refused

These tests show that network connections are not accepted on either port 25 or port 587. However, mail can still be sent from the local host.
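The telnet test above checks the running daemon from another host; the following added shell script (not part of the sendmail Cookbook) performs the complementary check on the file, reading the DaemonPortOptions statements out of a sendmail.cf and flagging every listener that still binds to the INADDR_ANY default. The two sample configurations are constructed inline: the stock two-listener file quoted in the grep output, and what the two DAEMON_OPTIONS macros in the Solution expand to.

```shell
#!/bin/sh
# Audit the DaemonPortOptions statements in a sendmail.cf. Prints one line per
# listener and returns 0 only when every listener is restricted to the loopback
# address. A file with no DaemonPortOptions at all is reported as exposed too,
# because sendmail -bd then listens on port 25 on all addresses by default.
audit_daemon_ports() {
    awk '
        /^O DaemonPortOptions=/ {
            seen++
            opts = substr($0, index($0, "=") + 1)
            # sendmail defaults when a key is absent: Addr=INADDR_ANY, Port=smtp (25)
            name = "?"; addr = "INADDR_ANY"; port = "25"
            n = split(opts, kv, ", *")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                if (p[1] == "Name") name = p[2]
                else if (p[1] == "Addr") addr = p[2]
                else if (p[1] == "Port") port = p[2]
            }
            if (addr == "127.0.0.1" || addr == "::1") status = "loopback-only"
            else { status = "NETWORK-EXPOSED"; exposed++ }
            printf "%-4s port %-4s addr %-12s %s\n", name, port, addr, status
        }
        END {
            if (seen == 0) { print "no DaemonPortOptions: port 25 open on all addresses"; exit 1 }
            exit (exposed > 0)
        }
    ' "$1"
}

# Constructed sample 1: the stock configuration shown by the grep in the Discussion.
BEFORE_CF=$(mktemp)
printf '%s\n' \
    'O DaemonPortOptions=Name=MTA' \
    'O DaemonPortOptions=Port=587, Name=MSA, M=E' > "$BEFORE_CF"

# Constructed sample 2: the expansion of the two DAEMON_OPTIONS macros in the Solution.
AFTER_CF=$(mktemp)
printf '%s\n' \
    'O DaemonPortOptions=Name=MSA, Port=587, Addr=127.0.0.1, M=E' \
    'O DaemonPortOptions=Name=MTA, Addr=127.0.0.1' > "$AFTER_CF"
trap 'rm -f "$BEFORE_CF" "$AFTER_CF"' EXIT

echo "== before the recipe"
audit_daemon_ports "$BEFORE_CF" || echo "-> network-exposed listeners found"
echo "== after the recipe"
audit_daemon_ports "$AFTER_CF" && echo "-> all listeners loopback-only"
```

Run it against /etc/mail/sendmail.cf after the rebuild in the Solution; a nonzero exit status means at least one listener is still reachable from the network.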

Note that the no_default_msa feature must be used before you can change the DaemonPortOptions settings of the MSA. The FEATURE macro must precede the DAEMON_OPTIONS macro in the configuration. This feature is not required when you are changing only MTA values.

Recipe 10.1 is an alternative to this recipe; it prevents sendmail from accepting SMTP connections from the network. In fact, that recipe prevents sendmail from accepting any SMTP connections, even from the local host. Recipe 10.1 provides slightly more security than this recipe because even someone with login access to the local host cannot attack sendmail through the SMTP ports. However, Recipe 10.1 is more complex and difficult to implement than this recipe. Here, all changes take place in the sendmail configuration file; Recipe 10.1 requires changes to the sendmail configuration and to the system startup files. Thus, the increased security of Recipe 10.1 comes at the cost of increased complexity.

See Also

Recipe 7.8 covers the syntax of the DAEMON_OPTIONS macro and provides another example of its use. Recipe 10.1 discusses an alternative solution that changes the submit.mc configuration to accomplish a similar goal. Recipe 10.1 should be evaluated before implementing this recipe. Chapter 4 covers the MASQUERADE_AS macro. The sendmail book covers the DAEMON_OPTIONS macro in Section 24.9.24, the no_default_msa feature in Section 4.8.30, and the MASQUERADE_AS macro in Section 4.4.2.



sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt