Recipe 10.7 Disabling Delivery to Files

Problem

Special configuration is required to block delivery directly to a file or device.

Solution

Check the flags set for the mailers used in the sendmail.cf configuration file. Here is an example of using grep and awk to display the mailer flags:

 # grep '^M' sendmail.cf | awk '{ print $1 $3 }'
 Mlocal,F=lsDFMAw5:/@qSPfhn9,
 Mprog,F=lsDFMoqeu9,
 Msmtp,F=mDFMuX,
 Mesmtp,F=mDFMuXa,
 Msmtp8,F=mDFMuX8,
 Mdsmtp,F=mDFMuXa%,
 Mrelay,F=mDFMuXa8,
 Mcyrus,F=lsDFMnPqAh5@/:,
 Mcyrusbb,F=lsDFMnPu,

Add a MODIFY_MAILER_FLAGS macro to the sendmail configuration to remove the / flag for each mailer that has that flag set. Given the listing of flags just shown, this system has the / flag set for both the local mailer and the cyrus mailer. To remove the / flag from these two mailers, add the following lines to the sendmail configuration:

 dnl Remove the / flag with the cyrus mailer
 MODIFY_MAILER_FLAGS(`CYRUS', `-/')
 dnl Remove the / flag from the local mailer
 MODIFY_MAILER_FLAGS(`LOCAL', `-/')

Rebuild and reinstall sendmail.cf, and then restart sendmail. See Recipe 1.8 for an example of these steps.
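
To confirm the result after the rebuild, here is a sturdier form of the grep/awk check, added as an example and not taken from the book. It joins continuation lines and tests only the F= equate, so a / in P= or D= is not mistaken for the flag; the function names and the sample sendmail.cf lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report mailers whose F= equate still contains the / flag.

# Reads sendmail.cf from the named file(s), or from stdin if none is given.
mailers_with_file_delivery() {
    awk '
        # A mailer definition starts with M in column 1; lines that begin
        # with whitespace continue the previous definition.
        /^M/     { if (def != "") check(def); def = $0; next }
        /^[ \t]/ { if (def != "") def = def $0; next }
                 { if (def != "") check(def); def = "" }
        END      { if (def != "") check(def) }

        function check(d,    n, parts, i, f) {
            n = split(d, parts, ",")
            for (i = 2; i <= n; i++) {
                f = parts[i]
                gsub(/^[ \t]+/, "", f)
                # Test only F=; the P=, S=, R= and D= equates also hold "/".
                if (f ~ /^F=/ && index(substr(f, 3), "/") > 0) {
                    print substr(parts[1], 2)   # mailer name without the M
                    return
                }
            }
        }
    ' "$@"
}

# Constructed sample input (not a real sendmail.cf); the flag strings are the
# ones shown in the listing above, the other equates are illustrative.
sample_cf() {
    cat <<'EOF'
Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/@qSPfhn9, S=EnvFromL/HdrFromL,
        T=DNS/RFC822/X-Unix,
        A=procmail -Y -a $h -d $u
Mprog,  P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, D=$z:/,
        A=smrsh -c $u
Msmtp,  P=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, E=\r\n, L=990,
        A=TCP $h
Mcyrus, P=/usr/cyrus/bin/deliver, F=lsDFMnPqAh5@/:, S=EnvFromL, R=EnvToL,
        A=deliver -e -m $h -- $u
EOF
}

sample_cf | mailers_with_file_delivery    # prints: local, then cyrus
```

Run it against the installed sendmail.cf after the restart; empty output means no mailer can deliver to files.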

Discussion

Every user who has a valid login shell is allowed to send mail to files or programs. This makes sense because anyone who has a login shell on the mail host already has greater access to the system than that which is granted via the prog mailer, particularly if smrsh is used for the prog mailer. Care should be taken to ensure that no user ID is given a login shell unless it is really needed. Controlling login access is clearly more important for security than anything that can be done in the sendmail configuration.

Additionally, as Recipe 10.4.3 of Recipe 10.5 points out, other sendmail features can give users the ability to run programs or write to files independent of which mailer flags are set. For example, using procmail as the local mailer gives the user access to all of the power of procmail, including the ability to write files. [4] Before you implement this recipe, make sure it is necessary, and make sure it will work in your environment. That said, removing the / flag from all sendmail.cf mailer definitions will disable delivery to files because sendmail only delivers to files and devices when the mailer used for that delivery has the / flag set.

[4] Recipe 10.8 shows how to avoid using procmail as the local mailer on a Linux system.

At this writing, only the local mailer and the cyrus mailer have this flag set by default, and most configurations don't use the cyrus mailer. Therefore, for most configurations, only the local mailer can deliver to files, and removing the / from the flags for the local mailer definition would completely disable this feature.

Use the MODIFY_MAILER_FLAGS macro to remove, add, or change mailer flags. Recipe 10.5 covers the syntax of the MODIFY_MAILER_FLAGS macro in some detail.

See Also

Recipe 10.5 shows another example of using MODIFY_MAILER_FLAGS to disable a sendmail feature. The sendmail book covers MODIFY_MAILER_FLAGS in Section 20.5.6.1.



sendmail Cookbook
ISBN: 0596004710
EAN: 2147483647
Year: 2005
Pages: 178
Authors: Craig Hunt
