Linux Admin Sendmail.Docx

Submitted By acefrehley

Sendmail

IT 302 Virtual Library

Michael Gigliotti

8/8/2012

Virtual library assignment, covering sendmail and alternatives.

Sendmail is the program used by UNIX and some of its offshoots, such as BSD, Linux, SunOS and ULTRIX, to handle email. Sendmail was created by Eric Allman (Vixie and Aviolo) to solve the problem of address mapping between the email system and the network. Sendmail routes mail between a UA (mail user agent), a program used to read and send email, and an MTA (message transfer agent), a program used to move mail between hosts using a particular network language/protocol. A design goal of sendmail is to accommodate the addition of new UAs and MTAs with only minor configuration changes. (Vixie and Aviolo) Sendmail supports distribution lists in the form of aliases for people or sets of people, and the use of individual user .forward files to allow the forwarding of incoming e-mail to programs or other mailboxes. Sendmail also facilitates the rewriting of e-mail addresses, which allows a gateway to deliver mail between different kinds of mail networks and provides a mechanism for bridging between different systems. Sendmail provides message queuing when a retryable error is encountered, plus automatic routing and returning the e-mail to the sender when an unrecoverable error is encountered. (Vixie and Aviolo)

The software used by sendmail to locate domains on the DNS server is the resolver. The resolver is built into the C library as a directly callable function and as stubs hidden behind the gethostbyname and gethostbyaddr functions. (Vixie and Aviolo) Most of the options of the resolver are turned on by default. One option is DNSRCH, which tells the resolver to try partial name matches by adding the local domain to the requested domain. When sendmail tries to deliver mail to a domain it first searches for mail exchanger (MX) resource records for the domain name. If there are no MX records, sendmail searches for address (A) resource records.
If sendmail finds an address record, it behaves as if there were a single MX record for the domain, pointing at the domain itself at priority zero, and proceeds as if that MX record had been found in the DNS. (Vixie and Aviolo) When sendmail has MX records for a domain it sorts them by priority from low to high. Then it scans the list for its own name. If it finds an MX host matching its own name it removes that MX record and all other records with an equal or lower priority (an equal or higher preference number). This is how sendmail avoids seeing itself on an MX record and routing mail back through itself. (Vixie and Aviolo) Once sendmail has a sorted MX list, it delivers the mail using the highest priority (lowest numbered) MX record first, then continues down the list. Sendmail will load balance if several MX records have the same priority by reordering them at random.

Sendmail is meant to be configurable because no one configuration can work for every possible host, site or network. Issues when planning a sendmail configuration include network connectivity, mail protocols, error handling, and administration. (Vixie and Aviolo) When designing a sendmail configuration, take into account the overall design of a company's email system. There are five main types of mail configurations. (Vixie and Aviolo) In the mail hub, a host is a relay between gateway hosts and other mail hubs. Mail hubs are concentration points in the flow of email, distributed geographically based upon network population. Hubs gather mail from client hosts and forward it to other hubs closer to the destination or to a mail gateway. In the mail gateway, a host or a process sits between one environment and at least one other environment.
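The MX selection just described, as an added example in Python (not code from the essay or from sendmail itself): the records, domain and host names are constructed sample data, and "priority" here is the MX preference number, lower meaning more preferred.

```python
import random

# Constructed sample MX records for one domain: (preference, host).
# A lower preference number means a higher priority.
SAMPLE_MX = [
    (20, "mx2.example.test"),
    (10, "mx1.example.test"),
    (30, "relay.example.test"),
    (20, "mx3.example.test"),
    (40, "backup.example.test"),
]


def order_mx(records, my_name, rng=None):
    """Return the delivery order described in the text: sort MX records by
    preference (low number first); if this host appears in the list, drop
    its record and every record with an equal or higher preference number;
    shuffle records that share a preference so delivery is load balanced."""
    rng = rng or random.Random()
    ordered = sorted(records, key=lambda r: r[0])
    # Our own entry, if any: everything at or below our priority goes away,
    # so mail is never routed back through ourselves.
    own = [pref for pref, host in ordered if host == my_name]
    if own:
        cutoff = own[0]
        ordered = [r for r in ordered if r[0] < cutoff]
    # Group equal preferences, shuffle each group, then flatten.
    result = []
    i = 0
    while i < len(ordered):
        j = i
        while j < len(ordered) and ordered[j][0] == ordered[i][0]:
            j += 1
        group = ordered[i:j]
        rng.shuffle(group)
        result.extend(group)
        i = j
    return [host for _, host in result]


def resolve_targets(mx_records, a_record, domain, my_name, rng=None):
    """Fallback rule from the text: with no MX records, an A record is
    treated as an implied MX for the domain itself at preference 0."""
    if not mx_records:
        if a_record is None:
            return []
        mx_records = [(0, domain)]
    return order_mx(mx_records, my_name, rng)


if __name__ == "__main__":
    print(order_mx(SAMPLE_MX, "nobody.example.test"))
    print(order_mx(SAMPLE_MX, "relay.example.test"))
```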
This host or process relays the mail as its primary job. Today all internet email passes through email gateways. (Vixie and Aviolo) Email gateways provide many services. An email gateway serves as a connector through the internet firewall. Mail gateways act as mail exchangers for their own or other domains. A virtual domain is a domain that does not actually map to IP host or network addresses. Gateways can handle mail for existing domains and virtual domains. A mail gateway can be used for header translation. If a private network is isolated from the internet, the mail gateway is the mail exchange service for the hosts in its domain. In a simple client configuration, a client handles local mail. All other mail is sent without processing to a mail hub. Incoming mail is received by a hub, which offers the mail to the simple client using NFS or POP. In a smart client configuration, an end host must be able to speak at least one network protocol and at least one mail protocol, and be connected to at least one physical network. A smart client may deliver some mail directly by itself; the rest is sent to a hub. A smart client can handle mail to a subset of the email network. It will send mail directly to all mailboxes within its domain and use a hub for mail outside of its domain and external mail. In a mail cluster, a group of mail hosts share a common user name space and a common aliases database. Mail sent to a user on any of the hosts in the cluster will get to the proper mailbox. In a mail cluster a provision can be made for nonglobal mail addresses. Most groups of hosts today are aggregated into mail clusters.

Before sitting down to write or modify a sendmail.cf file, we have to ask ourselves some questions and gather some data. This includes our parent domain name for the sendmail configuration. This is usually everything following the first dot (.) in our own fully qualified host name.
The parent domain name will usually be the same for most of our hosts, or at least for most hosts of a given mail hub. If this host is known by any other name, or if this host should treat any other host names as local, these names are our pseudonyms. These are taken into account as we configure sendmail. We might have pseudonyms because of the consolidation of hosts, where old addresses need to continue to work, or because a mail hub needs to accept mail addressed to its generic domain name or names. (Vixie and Aviolo)

The sendmail configuration file is sendmail.cf. It tells sendmail how to parse mail addresses, how to rewrite mail addresses, what MTAs sendmail should know about, how to route mail, and what options and other values to set. The directory /etc/mail contains all the sendmail configuration files. There are four files on the server of particular concern. /etc/mail/access sets per-host and per-domain access controls for the mail server. /etc/mail/aliases contains a map of email redirections for the local host. /etc/mail/mailertable allows the override of MX records for the mail server. /etc/mail/relay-domains lists domain names and addresses the server will relay email for. (Lucas)

In sendmail.cf, a line's type is determined by its first character. Blank lines are ignored and are used for readability. Lines beginning with a tab are continuations of the preceding line. A line beginning with # is a comment and is ignored by sendmail. C introduces a class definition. Classes are sets of tokens used for matching on the left hand side (pattern side) of a rule. (Vixie and Aviolo) Classes are used to test whether part of an address matches one of a set of words or tokens. D is for macro definitions: macros are variables which, once defined and used, are treated like string constants, written in the form DXvalue, where X is a single character and value is a character string without blanks or tabs.

These are some of the macros defined internally by Sendmail:
a The Date: in Arpanet format (e.g., "Tue, 14 Jan 92 10:39:35 -0500").
b The current date in Arpanet format.
c The hop count. Essentially the number of Received: headers.
d The time in ctime format (e.g., "Tue Jan 14 10:39:35 1992").
f The sender (from) address.
g The sender address relative to the recipient (a path).
h The recipient host.
i The queue identifier (usually built from the pid).
p The Sendmail pid.
r The protocol used.
s The sender's host name.
t The current time (e.g., "920114103935").
u The recipient user.
v The version number of the compiled Sendmail.
w The name of this host (might be fully qualified, or not).
x The full name of the sender (e.g., "Bullwinkle T. Moose").
y The name of the sender's tty port (e.g., 09 for /dev/tty09).
z The home directory of the recipient. (Vixie and Aviolo)

Rules are the executable lines of the configuration file. Rules start with R and have a left hand side (LHS), a right hand side (RHS) and an optional comment. The fields of a rule are separated by tabs, not spaces. A delimiter is a special character treated as a place indicator or operator. The @ and . in sales.cars@fuccillo.com are delimiters. Delimiters are set in sendmail.cf using the O OperatorChars= directive. (Vixie and Aviolo) A token is a word or string not used as a delimiter. In the above example, sales, cars, fuccillo and com are tokens. The $ is used to introduce special characters. Special symbols used on the LHS:
$* Zero or more tokens plus all delimiters between or around them.
$+ One or more tokens plus all delimiters between and or around them.
$- Exactly one token.
$=X Any word in class X.
$~X Any word not in class X.
$X The exact string defined by macro X.
The RHS has special symbols as well:
$: Apply this transformation exactly once, then go to the next rule.
$@ After applying this transformation, exit from the ruleset.
$n Token number n matched on the LHS by a pattern variable.
$>m Call ruleset m. This is like a function call.
$[ Send everything before the next $] to the DNS resolver, and use the result of that lookup as the transformation.
$] Ends the lookup begun by $[.
$: Introduces an "else" (default value) when used between $[ and $].
This is an example of a configuration file: (Vixie and Aviolo)
# Thanks to Peter Churchyard,
# Imperial College, London.
#
# Your local domain.
DDdco.frobozz.com
# Your full hostname
Dj$w
#Dj$w.$D
DRrelayhost.dco.frobozz.com
DVsimple
Dnmailer-daemon
DlFrom $g $d remote from $U
Do@.%
Dq$?x$x $|$g$.
De$j Sendmail $v/$V ready at $b
Odbackground
Om
OF0644
Og1
OH/etc/sendmail.hf
OL6
Oo
OQ/var/spool/mqueue
Or1h
OS/etc/sendmail.st
OT3d
Ou1
Ox8
OX12
Pfirst-class=0
Pspecial-delivery=100
Pjunk=-100
Troot daemon uucp
H?F?From: $q
H?D?Date: $a
H?M?Message-Id:
HSubject:
S0
R$*@$j	$#local$:$1	optional
R$*@$w	$#local$:$1	optional
R$-	$#local$:$1	optional
R$*	$#remote$@$R$:$1
S1
S2
S3
R$*$*	$2
S4
Mremote, P=[IPC], F=nsmFDMuXC, \
	S=10, R=10, A=IPC $h
Mlocal, P=/bin/mail, F=lsDFrmn, \
	S=10, R=10, A=mail -r $f -d $u
Mprog, P=/bin/echo, F=lsDFMmn, \
	S=10, R=10, A=mail $u
S10

To operate properly, Sendmail has to run in privileged mode as the root user. In listener mode sendmail must bind to port 25, and to do that it must run as root. When sendmail is about to invoke an MUA for final local delivery it changes its effective user id to that of the recipient, and then writes the e-mail message into the user-owned file or directory. Sendmail can also run as a less-privileged user. This option is provided for systems where there will be no local delivery, such as email gateways like firewalls. As soon as sendmail binds to the SMTP port, the running sendmail process changes its effective user id to the less privileged user specified. The running sendmail daemon and all the processes it creates run as the RunAsUser. (Vixie and Aviolo)

There have been buffer-overflow attacks using long MIME headers against e-mail clients. They have not been against Sendmail. While people should patch their e-mail clients, sendmail allows the installer to put a limit on the size of MIME headers passing through the e-mail gateway to help lower the risk. Setting MaxMimeHeaderLength to the suggested 512 is not very large, yet this is big for a MIME header.

Sendmail provides a feature allowing email to be sent or redirected to a program for delivery, automating the email process. Users or email administrators can send email messages through the procmail program to automate tasks like message filing, or forward them to the vacation program to selectively return an "I am away from my e-mail" message. Hackers have exploited filters like this in sendmail to their advantage. Restrictions placed on the execution of programs used as email filters protect against this vulnerability. Setting this option instructs sendmail to use the Sendmail Restricted Shell, smrsh, instead of the default command interpreter, usually the UNIX command line interpreter /bin/sh. smrsh only executes programs in a directory specified at configuration time; /usr/adm/sm.bin/ is an example.
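A small model of the LHS matching and RHS substitution described in the rule syntax above, added here as an example (not the essay's code or sendmail's own implementation): it tokenizes an address on OperatorChars, matches $*, $+, $-, $=X and $~X, and substitutes $n in the RHS. Ruleset calls ($>), the $@/$: control symbols and DNS lookups ($[ $]) are not modelled; the class contents and addresses are constructed.

```python
import re

# OperatorChars as set in sendmail.cf by "O OperatorChars="; the @ and .
# in the essay's example address are among them.
OPERATOR_CHARS = ".:%@!^/[]"

# Constructed sample classes, as "C" lines would define them.
CLASSES = {
    "w": {"mail", "mail.dco.frobozz.com"},   # names this host answers to
    "D": {"dco.frobozz.com"},                 # local domain
}


def tokenize(address, ops=OPERATOR_CHARS):
    """Split an address into tokens and delimiters the way the rule engine
    sees it: every operator character becomes a token of its own."""
    return [t for t in re.split("([" + re.escape(ops) + "])", address) if t]


def parse_lhs(pattern):
    """Turn an LHS such as '$+@$=w' into a list of (kind, value) items.
    Literal text between $-symbols is tokenized like an address."""
    items = []
    for piece in re.split(r"(\$[*+-]|\$[=~].)", pattern):
        if not piece:
            continue
        if piece in ("$*", "$+", "$-"):
            items.append((piece, None))
        elif piece.startswith("$="):
            items.append(("$=", piece[2]))
        elif piece.startswith("$~"):
            items.append(("$~", piece[2]))
        else:
            items.extend(("lit", t) for t in tokenize(piece))
    return items


def match_lhs(items, tokens, classes=CLASSES):
    """Backtracking match of LHS items against address tokens. Returns the
    captures ($1, $2, ...) in order, or None when the rule does not match.
    $* takes zero or more tokens, $+ one or more, $- exactly one,
    $=X one token that is in class X, $~X one token that is not."""
    def go(i, j, caps):
        if i == len(items):
            return caps if j == len(tokens) else None
        kind, val = items[i]
        if kind == "lit":
            if j < len(tokens) and tokens[j] == val:
                return go(i + 1, j + 1, caps)
            return None
        if kind in ("$-", "$=", "$~"):
            if j >= len(tokens):
                return None
            tok = tokens[j]
            if kind == "$=" and tok not in classes.get(val, set()):
                return None
            if kind == "$~" and tok in classes.get(val, set()):
                return None
            return go(i + 1, j + 1, caps + [tok])
        # $* and $+: try the shortest span first, then grow it; the capture
        # keeps the delimiters between the tokens it swallowed.
        lo = 0 if kind == "$*" else 1
        for k in range(j + lo, len(tokens) + 1):
            r = go(i + 1, k, caps + ["".join(tokens[j:k])])
            if r is not None:
                return r
        return None
    return go(0, 0, [])


def apply_rule(lhs, rhs, address, classes=CLASSES):
    """Apply one R line: when the LHS matches, replace each $n in the RHS
    with the n-th capture; otherwise return the address unchanged."""
    caps = match_lhs(parse_lhs(lhs), tokenize(address), classes)
    if caps is None:
        return address
    return re.sub(r"\$(\d)", lambda m: caps[int(m.group(1)) - 1], rhs)


if __name__ == "__main__":
    print(tokenize("sales.cars@fuccillo.com"))
    print(apply_rule("$*@$=w", "$#local$:$1", "joe@mail"))
    print(apply_rule("$+@$~w", "$#remote$@$R$:$1", "joe@elsewhere"))
```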
If a user attempts to use a program outside that directory as an email filter, sendmail returns an error message and does not complete the delivery. (Vixie and Aviolo)

Sendmail defines a set of privacy flags. The option to set in the configuration file is PrivacyOptions. Some of the privacy flags control the use of the SMTP commands EXPN and VRFY. These commands are useful for debugging. VRFY verifies that an address is valid. Issue the VRFY command:
VRFY name
Where name is the hostname you want to verify. EXPN expands an address into the list of mailboxes sendmail will attempt delivery to. If you want to see the individual email addresses that hostname expands to, issue the following command:
EXPN hostname
Where hostname is the host you want information about. Sendmail allows you to disable these services for the sake of concealing private information from intruders. It is best to set these flags to disallow these functions. Select the authwarnings flag. Any time the email exchange misfires, the IP address doesn't match the domain name, or the name in the SMTP HELO command doesn't match the IP address, the discrepancy is noted by the addition of an X-Authentication-Warning: header line. Require a HELO command before allowing EXPN, VRFY or a MAIL command. The option flags to set are needexpnhelo, needvrfyhelo, and needmailhelo. This will allow the mail to go through and log the activity. (Vixie and Aviolo)

The dovecot IMAP server provides IMAP and POP3 services. Dovecot is located in /usr/ports/mail/dovecot. Dovecot can interoperate with LDAP servers, databases and authentication systems, and supports many configuration options. (Lucas) Dovecot installs documentation in /usr/local/share/doc/dovecot and example configuration files in /usr/local/etc. Copy the sample configuration file /usr/local/etc/dovecot-example.conf to /usr/local/etc/dovecot.conf and open it in a text editor. By default dovecot does not encrypt IMAP and POP3 services. Change the protocols entry by adding an s to the end of each protocol name, for both services. Define where dovecot keeps its SSL certificate and key using the ssl_cert_file and ssl_key_file variables. Default paths are provided. The directory /usr/local/share/dovecot contains the shell script and configuration file used to create a dovecot SSL certificate. Find and change or enter the following: C=US, ST=NewYork, L=Schenectady; O is the organization; OU is the organizational unit; the common name is the reverse DNS name of the server that clients get their mail from; emailAddress is the address of the person responsible for the server. Now run the mkcert.sh script:
# /usr/local/share/dovecot/mkcert.sh
Enable dovecot in /etc/rc.conf with dovecot_enable="YES"
Then run /usr/local/etc/rc.d/dovecot start
/var/log/maillog will show dovecot starting and initializing SSL.
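An audit check for the sendmail.cf hardening points covered above (RunAsUser, MaxMimeHeaderLength, the smrsh program mailer and the PrivacyOptions flags), added here as an example and not part of the essay or of sendmail: it parses the "O Name=value" option lines and "M" mailer lines and reports what is missing. Both configuration excerpts are constructed; the mailnull user name and the /usr/libexec/smrsh path are sample values.

```python
# Constructed sample sendmail.cf excerpt with the weak settings.
WEAK_CF = """\
O PrivacyOptions=authwarnings
O RunAsUser=
O MaxMimeHeaderLength=0/0
Mprog, P=/bin/sh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, A=sh -c $u
Mlocal, P=/bin/mail, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, A=mail -d $u
"""

# The same excerpt with the settings the text recommends: HELO required
# before MAIL/EXPN/VRFY, EXPN and VRFY refused, an unprivileged RunAsUser
# for a gateway doing no local delivery, the suggested 512-byte MIME
# header limit, and smrsh instead of /bin/sh as the program mailer.
HARDENED_CF = """\
O PrivacyOptions=authwarnings,needmailhelo,needexpnhelo,needvrfyhelo,noexpn,novrfy
O RunAsUser=mailnull
O MaxMimeHeaderLength=512/128
Mprog, P=/usr/libexec/smrsh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, A=smrsh -c $u
Mlocal, P=/bin/mail, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, A=mail -d $u
"""

WANTED_PRIVACY = {"authwarnings", "needmailhelo", "needexpnhelo",
                  "needvrfyhelo", "noexpn", "novrfy"}


def parse_cf(text):
    """Collect O options and M mailer definitions from sendmail.cf text."""
    opts, mailers = {}, {}
    for line in text.splitlines():
        if line.startswith("O "):
            name, _, value = line[2:].partition("=")
            opts[name.strip()] = value.strip()
        elif line.startswith("M"):
            name, _, rest = line[1:].partition(",")
            fields = dict(f.strip().split("=", 1)
                          for f in rest.split(",") if "=" in f)
            mailers[name.strip()] = fields
    return opts, mailers


def audit(text):
    """Return a list of findings, empty when all four points are covered."""
    opts, mailers = parse_cf(text)
    findings = []
    have = {f.strip() for f in opts.get("PrivacyOptions", "").split(",")
            if f.strip()}
    # goaway is sendmail's shorthand that turns on the query-restricting
    # flags at once, so it satisfies the whole wanted set.
    missing = set() if "goaway" in have else WANTED_PRIVACY - have
    if missing:
        findings.append("PrivacyOptions missing: " + ", ".join(sorted(missing)))
    if not opts.get("RunAsUser"):
        findings.append("RunAsUser unset: the daemon keeps running as root "
                        "(only needed where local delivery happens)")
    maxlen = opts.get("MaxMimeHeaderLength", "")
    first = maxlen.split("/")[0]
    hdr = int(first) if first.isdigit() else 0   # 0 means no limit
    if hdr == 0 or hdr > 512:
        findings.append("MaxMimeHeaderLength %r: set it to the suggested 512"
                        % maxlen)
    prog = mailers.get("prog", {}).get("P", "")
    if not prog.endswith("/smrsh"):
        findings.append("prog mailer runs %s instead of smrsh"
                        % (prog or "no program"))
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_CF):
        print("WEAK:", f)
    print("HARDENED:", audit(HARDENED_CF) or "no findings")
```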
THAT’S ALL FOLKS!!!!

Sendmail is implemented as one large program that does everything. One large program makes it easy to share mail, and easy to make a major error. Postfix, by contrast, is based on semi-resident, mutually cooperating processes performing specific tasks without a preordained parent/child relationship. (www.akadia.com/services/postfix_mta.html) Postfix is implemented as a resident master server that runs the Postfix daemon processes on demand. Postfix has four different queues. The maildrop queue is where locally posted mail is deposited; it is copied to the incoming queue after being cleaned up. The incoming queue is for mail that is still arriving, or mail the queue manager has yet to look at. The active queue is a limited-size queue for mail the queue manager has opened for delivery. The deferred queue is for mail that could not be delivered, kept apart so it does not get in the way of deliverable mail. The queue manager, qmgr, keeps information in memory about the active queue. The active queue size is limited on purpose, so the queue manager should never run out of working memory because of a peak message workload. (www.akadia.com/services/postfix_mta.html) Whenever there is space in the active queue, the queue manager lets in one message from the incoming queue and one from the deferred queue. This ensures new mail goes through even when there is a large backlog.

Instead of finding a complicated replacement for mail, you can replace the complicated sendmail with the simple alternative sSMTP. sSMTP simplifies the configuring of the SMTP options with a small configuration file that allows the specification of items like the name of the remote SMTP server, authorization, and the domain for your outbound email, similar to the configuration process of a mail reader. Installation of sSMTP can be done through the distribution package manager, or it can be built and installed from source.
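A model of the queue manager admission policy described above, added here as an example (not the essay's code or Postfix's own implementation), to show why a fresh message still gets out promptly behind a large deferred backlog; the active queue limit and the message names are constructed, and every message is assumed deliverable.

```python
from collections import deque

ACTIVE_LIMIT = 4  # constructed value; in Postfix this is a tunable


def run_qmgr(incoming, deferred, limit=ACTIVE_LIMIT, alternate=True):
    """Each round, while the active queue has room, admit one message from
    incoming and one from deferred (alternate=True), then deliver everything
    active. alternate=False drains the deferred backlog first, which is the
    behaviour the policy is designed to avoid. Returns {message: round}."""
    incoming, deferred = deque(incoming), deque(deferred)
    delivered, rnd = {}, 0
    while incoming or deferred:
        rnd += 1
        active = []
        while len(active) < limit and (incoming or deferred):
            if alternate:
                if incoming:
                    active.append(incoming.popleft())
                if deferred and len(active) < limit:
                    active.append(deferred.popleft())
            else:
                src = deferred if deferred else incoming
                active.append(src.popleft())
        for msg in active:          # all active mail is delivered this round
            delivered[msg] = rnd
    return delivered


def rounds_until(msg, incoming, deferred, alternate=True):
    """Round in which `msg` is delivered under the chosen policy."""
    return run_qmgr(incoming, deferred, alternate=alternate)[msg]


if __name__ == "__main__":
    backlog = ["old%d" % i for i in range(1000)]   # constructed deferred mail
    print("alternating:", rounds_until("new", ["new"], backlog))
    print("backlog first:", rounds_until("new", ["new"], backlog, alternate=False))
```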
To do a source installation, unpack the source, change into the source directory, and run:
./configure --prefix=/usr/local/ssmtp --enable-ssl --enable-md5auth
Enabling SSL and MD5 auth allows you to communicate with an ISP requiring SMTP login. You can also enable IPv6 support if you need it. After configuration is completed, build and install the package using the normal make and sudo make install commands. When running the install command, the installer will prompt for a few items. Follow the displayed instructions. Once installation completes you will find a directory called /usr/local/ssmtp with the sSMTP binary under the sbin subdirectory and the configuration file under the etc/ssmtp subdirectory. Now sendmail can be stopped and replaced with sSMTP. To stop Sendmail under Linux distributions using the System V init scripts: (archive09.linux.com/feature/132006)
sudo service sendmail stop
sudo chkconfig --levels 2345 sendmail off
The first command stops the currently running instance of sendmail and the second prevents it from starting again on reboot. If using a version of Linux that does not use the SysVInit package, kill the sendmail process manually with the command sudo killall sendmail. To replace sendmail, move it to another file name, then create a symbolic link from sSMTP to sendmail: (archive09.linux.com/feature/132006)
sudo mv /usr/sbin/sendmail /usr/sbin/sendmail.orig
sudo ln -s /usr/local/ssmtp/sbin/ssmtp /usr/sbin/sendmail
The first command moves the original sendmail out of the way; the second makes sSMTP the program that runs when a system command calls sendmail. It is done this way so that if problems occur using sSMTP, you can remove the symbolic link and move the sendmail copy back to its original name. The location of the sSMTP configuration file depends on the --prefix option used with the configure command when building from source; here it is /usr/local/ssmtp/etc/ssmtp/ssmtp.conf.
This file has only four common options plus some hidden options for authentication. (archive09.linux.com/feature/132006) After a sample build, sSMTP created the following configuration file:
# /etc/ssmtp.conf -- a config file for sSMTP sendmail.
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=postmaster
# The place where the mail goes. The actual machine name is required
# no MX records are consulted. Commonly mailhosts are named mail.domain.com
# The example will fit if you are in domain.com and you mailhub is so named.
mailhub=mail
# Where will the mail seem to come from?
#rewriteDomain=graphics-muse.org
# The full hostname
hostname=kepler.graphics-muse.org
Change the root= value to an email address that will receive all system-generated email, such as output from cron jobs that encounter errors or log file analysis. I changed this line to my personal email address. mailhub= defines the SMTP server to which email should be sent. Set this line to the host you specify in your mail reader for the SMTP server. hostname= is the name of the mail host that you'd like recipients of your email to see. Since I want responses to my email to be sent back to my ISP domain so I can use my mail reader to retrieve it, I set this line to the ISP domain. This is the domain part of all outbound messages; all users on your system will appear to be coming from this domain.
You can use rewriteDomain= to spoof who you say you are. Since I'm already spoofing the server address with the hostname line, I leave this line commented out.
The initial configuration does not include information on how to log in to SMTP servers that require authentication. This information is the same information you must provide in your mail reader in order for it to send email through your ISP. To specify this information, you can add the following lines:
AuthUser=your username
AuthPass=your password
AuthMethod=CRAM-MD5
With this configuration, every time the system sends mail using /bin/mail, sendmail gets called, which is actually sSMTP. sSMTP uses the authentication provided in the configuration file to log into the ISP's SMTP server and deliver the outgoing email. (archive09.linux.com/feature/132006)

archive09.linux.com/feature/132006. n.d. Accessed 3 August 2012.
Lucas, Michael. Absolute FreeBSD: The Complete Guide to FreeBSD (2nd Edition). San Francisco, CA: No Starch Press, 2007.
Vixie, Paul A. and Frederick M. Aviolo. Sendmail: Theory and Practice. Digital Press, 2002.
www.akadia.com/services/postfix_mta.html. n.d. Accessed 3 August 2012.

[TYPE THE COMPANY NAME]

Sendmail

IT 302 Virtual Library

Michael Gigliotti

8/8/2012

Virtual library assignment, covering sendmail and alternatives.

Sendmail is the program used by UNIX, and some of its offshoots like BSD, Linux, SunOS, ULTRIX to handle email. Sendmail was created by Eric Allman (Vixie and Aviolo) to solve the problem of address mapping between the email system and the network. Sendmail routes mail between a UA-mail user agent, a program used to read and send email, and an MTA-message transfer agent, program used to move mail between hosts using a particular network language/protocol. A design goal of sendmail is to accommodate the addition of new UAs and MTAs with only minor configuration changes. (Vixie and Aviolo) Sendmail supports distribution lists in the form of aliases for people or sets of people, the use of individual user .forward files to allow the forwarding of incoming e-mail to programs or other mailboxes. Sendmail also facilitates the rewriting of e-mail addresses to allow for a gateway to deliver mail between different kinds of mail networks and provide a mechanism for bridging between different systems. Sendmail provides for message queuing when a retry able error is encountered, plus automatic routing and returning the e-mail to the sender when an unrecoverable error is encountered. (Vixie and Aviolo) The software used by sendmail to locate domains on the DNS server is the resolver. The resolver is built into C libraries as a directly callable function and as stubs hidden behind the gethostbyname and gethostbyaddr functions. (Vixie and Aviolo) Most of the options of the resolver are turned on by default. One option is DNSRCH, this option tells the resolver to try partial name matches by adding the local domain to the requested domain. When sendmail tries to deliver mail to a domain it first searches for the mail exchanger domain resource records for the domain name. If there are not any mail exchanger domain resource records sendmail searches for address domain resource records. 
If sendmail finds an address resource records, it responds as if there is a single mail exchange domain resource record for the domain, pointing at the domain at priority zero proceeding as if the mail exchange domain resource record had been found in the DNS. (Vixie and Aviolo) When sendmail has mail exchanger resource records for a domain it sorts them by priority from low to high. Then it scans the list for its own name. If it finds a mail exchange host matching its own name it removes the mail exchange domain resource records and all other records with an equal or lower(equal or higher number) mail exchange priority. This is how sendmail does not see itself on a mail exchange domain resource record and route mail through the mail exchange resource records. (Vixie and Aviolo) Once sendmail has a sorted mail exchange domain resource record list, sendmail delivers the mail using the highest priority (lowest numbered) mail exchange domain resource record first, then continuing down the list. Sendmail will load balance if several mail exchange resource records have the same priority by reordering at random. Sendmail is meant to be configurable because no one configuration can work for every possible host, site or network. Issues when planning a sendmail configuration include network connectivity, mail protocols, error handling, and administration. (Vixie and Aviolo) When designing a sendmail configuration take into account the overall design of a company’s email system. There are five main types of mail configurations. (Vixie and Aviolo) In the mail hub, a host is a relay between gateway hosts and other mail hubs. Mail hubs are concentration points in the flow of email distributed geographically based upon network population. Hubs gather mail from client hosts and forward it to other hubs closer to the destination or mail gateway. In the mail gateway, a host or a process is between one environment and at least one other environment. 
This host or process relays the mail as its primary job. Today all internet email passes through email gateways. (Vixie and Aviolo) Email gateways provide many services. An email gateway serves as a connector through the internet firewall. Mail gateways act as mail exchangers for their own or other domains. A virtual domain is a domain not actually mapping to IP host or network addresses. Gateways can handle mail for existing domains and virtual domains. A mail gateway can be used for header translation. If a private network is isolated from the internet the mail gateway is the mail exchange service for the hosts in its domain. In a simple client configuration, a client handles local mail. All other mail is sent without processing to a mail hub. Incoming mail is received by a hub offering mail to the simple client using NFS of POP. In smart client, an end host must be able to speak at least one network protocol, at least one mail protocol, and be connected to at least one physical network. A smart client may deliver some mail directly by itself, the rest is sent to a hub. A smart client can handle mail to a subset of the email network. It will send mail directly to all mailboxes within its domain and use a hub for mail outside of its domain and external mail. In a mail cluster a group of mail hosts share a common user name space and a common aliases database. Mail sent to a user on any of the hosts in the cluster will get to the proper mailbox. In a mail cluster a provision can be made for nonglobal mail addresses. Most groups of hosts today are aggregated into mail clusters. Before sitting down to write or modify a sendmail.cf file, we have to ask ourselves some questions and gather some data. This includes our parent domain name for the sendmail configuration. This is usually everything following the first dot (.) in our own fully qualified host name. 
The parent domain name will usually be the same for most of our hosts, or at least most hosts of a given mail hub. If this host is known by any other name, or if this host should treat any other host names as local, these names are our pseudonyms. These are taken into account as we configure sendmail. We might have pseudonyms because of the consolidation of hosts and need old addresses to continue to work, or a mail hub needs to accept mail addressed to its generic domain name or names. (Vixie and Aviolo) The sendmail configuration file is sendmail.cf, it tells sendmail how to parse mail addresses, rewrite mail addresses, what MTAs sendmail should know about, how to route mail, and to set options and other values. The directory /etc/mail contains all the sendmail configuration files. There are four files on the server to be of concern. /etc/mail/access set per host and per domain access controls for the mail server. /etc/mail/aliases contains a map of email redirections for the local host. /etc/mail/mailertable allows the override of MX records for the mail server. /etc/mail/relay-domains lists domain names and addresses the server will relay email for. (Lucas) A line type is determined by the first character. Blank lines are ignored and are used for readability. Lines beginning with a tab are continuations from the preceding line. # is a comment line ignored by sendmail. C is class definitions. Classes are sets of tokens used for matching the left hand side/pattern side of a rule. (Vixie and Aviolo) Classes are used to test if part of an address matches one of a set of words or tokens. D is for macro definitions, variables when defined and used are treated like string constants in the form of DXvalue. Where X is a single character and value is a character string without blanks or tabs.

These are some of the macro definitions defined internally by Sendmail: a The Date: in Arpanet format (e.g., "Tue, 14 Jan 92 10:39:35 -0500"). b The current date in Arpanet format. c The hop count. Essentially the number of Received: headers. d The time in ctime format (e.g., "Tue Jan 14 10:39:35 1992"). f The sender (from) address. g The sender address relative to the recipient (a path). h The recipient host. i The queue identifier (usually built from the pid). p The Sendmail pid. r The protocol used. s The sender's host name. t The current time (e.g., "920114103935"). u The recipient user. v The version number of the compiled Sendmail. w The name of this host (might be fully qualified, or not).[a] x The full name of the sender (e.g., "Bullwinkle T. Moose"). y The name of the sender's tty port (e.g., 09 for /dev/tty09). z The home directory of the recipient. (Vixie and Aviolo) Rules are the executable lines of the configuration file. Rules start with R, have a left hand side (LHS), a right hand side (RHS) and comment lines. A line is separated by tabs, not spaces. A delimiter is a special character considered to be place indicators or operators. The @ and . in sales.cars@fuccillo.com are delimiters. Delimiters are set in sendmail.cf using the O OperatorChars= directive. (Vixie and Aviolo) A token is a word or string not used as a delimiter. In the above example, sales, cars, fuccillo and com are tokens. The $ is used to introduce special characters. Special symbols used on the LHS:
$* Zero or more tokens plus all delimiters between or around them.
$+ One or more tokens plus all delimiters between and or around them.
$- Exactly one token.
$=X Any word in class X.
$~X Any word not in class X. $X The exact string defined by macro X. The RHS has special symbols as well:
$: Apply this transformation exactly once, then go to the next rule
$@ After applying this transformation, exit from the ruleset
$n token number n matched on the LHS by a pattern variable
$>m Call ruleset m. This is like a function call
$[ Send everything before the next $] to the DNS resolver, and use result of that lookup as the transformation.
$] similar to $[
$: This introduces an "Else" if used between a $[ and $] This is an example of a configuration file: (Vixie and Aviolo)
# Thanks to Peter Churchyard,
# Imperial College, London.
#
# Your local domain.
DDdco.frobozz.com
# Your full hostname
Dj$w
#Dj$w.$D
DRrelayhost.dco.frobozz.com
DVsimple
Dnmailer-daemon
DlFrom $g $d remote from $U
Do@.%
Dq$?x$x $|$g$.
De$j Sendmail $v/$V ready at $b
Odbackground
Om
OF0644
Og1
OH/etc/sendmail.hf
OL6
Oo
OQ/var/spool/mqueue
Or1h
OS/etc/sendmail.st
OT3d
Ou1
Ox8
OX12
Pfirst-class=0
Pspecial-delivery=100
Pjunk=-100
Troot daemon uucp
H?F?From: $q
H?D?Date: $a
H?M?Message-Id:
HSubject:
S0
R$*@$j	$#local$:$1	optional
R$*@$w	$#local$:$1	optional
R$-	$#local$:$1	optional
R$*	$#remote$@$R$:$1
S1
S2
S3
R$*$*	$2
S4
Mremote, P=[IPC], F=nsmFDMuXC, \
	S=10, R=10, A=IPC $h
Mlocal, P=/bin/mail, F=lsDFrmn, \
	S=10, R=10, A=mail -r $f -d $u
Mprog, P=/bin/echo, F=lsDFMmn, \
	S=10, R=10, A=mail $u
S10
To operate properly, Sendmail has to run in privileged mode as the root user. In listener mode sendmail must bind to port 25, and to do that it must run as root. When sendmail is about to invoke an MUA for final local delivery it changes its effective user id to the recipient's, and then writes the e-mail message into the user-owned file or directory. Sendmail can also run as a less-privileged user. This option is provided for systems where there will be no local delivery, such as email gateways and firewalls. As soon as sendmail binds to the SMTP port, the running sendmail process changes its effective user id to the less privileged user specified; the daemon and all the processes it creates then run as the RunAsUser. (Vixie and Aviolo)
There have been buffer-overflow attacks using long MIME headers against e-mail clients; they have not been against Sendmail. While people should patch their e-mail clients, sendmail allows the installer to put a limit on the size of MIME headers passing through the e-mail gateway to help lower the risk. The suggested MaxMimeHeaderLength of 512 is not very large, yet it is big for a MIME header.
Sendmail provides a feature allowing email to be sent or redirected to a program for delivery, automating the email process. Users or email administrators can send email messages through the procmail program to automate tasks like message filing, or forward them to the vacation program to selectively return an "I am away from my e-mail" message. Hackers have exploited filters like this in sendmail to their advantage. Restricting the execution of programs used as email filters mitigates this vulnerability: configuring sendmail to use the Sendmail Restricted Shell, smrsh, instead of the default command interpreter (usually the UNIX command line interpreter /bin/sh) means smrsh only executes programs found in a directory specified at configuration time, /usr/adm/sm.bin/ for example.
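To make the LHS operators and the ruleset 0 rules above concrete, here is a small Python model (an added example, not code from the page or from sendmail) that tokenizes an address using OperatorChars and resolves it with the page's ruleset 0. The host names assigned to $j and $w, and the default OperatorChars set, are assumptions.

```python
"""Toy model of how sendmail tokenizes an address and matches it against the
LHS of rewriting rules.  Added example, not code from the page or from sendmail
itself.  The rules come from ruleset 0 of the page's configuration file; the
host names assigned to $j and $w are constructed."""
import re

# Assumption: sendmail's classic default OperatorChars set.
OPERATOR_CHARS = ".:%@!^/[]+"

# Constructed macro values: $j the full host name, $w the short name
# (the page's Dj$w line), $R the relay host from the DR line.
MACROS = {"j": "mail.dco.frobozz.com", "w": "mail",
          "R": "relayhost.dco.frobozz.com"}

# Ruleset 0 from the page's sendmail.cf: (LHS, RHS) pairs, tried in order.
RULESET_0 = [
    ("$*@$j", "$#local$:$1"),
    ("$*@$w", "$#local$:$1"),
    ("$-", "$#local$:$1"),
    ("$*", "$#remote$@$R$:$1"),
]


def tokenize(addr, opchars=OPERATOR_CHARS):
    """Split an address into tokens; each delimiter character is its own token."""
    tokens, cur = [], ""
    for ch in addr:
        if ch in opchars or ch.isspace():
            if cur:
                tokens.append(cur)
                cur = ""
            if ch in opchars:
                tokens.append(ch)
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def parse_lhs(lhs, macros):
    """Turn an LHS string into ("wild", op) and ("lit", token) elements."""
    elems, i = [], 0
    while i < len(lhs):
        if lhs[i] == "$" and i + 1 < len(lhs):
            op = lhs[i + 1]
            if op in "*+-":
                elems.append(("wild", op))
            else:  # $X: the macro's value is tokenized and matched literally
                elems.extend(("lit", t) for t in tokenize(macros[op]))
            i += 2
        else:  # literal text up to the next $ is tokenized like an address
            j = i + 1
            while j < len(lhs) and lhs[j] != "$":
                j += 1
            elems.extend(("lit", t) for t in tokenize(lhs[i:j]))
            i = j
    return elems


def match(elems, tokens):
    """Return the wildcard captures (lists of tokens) if elems match all of
    tokens, else None.  The shortest candidate is tried first (assumption)."""
    def rec(ei, ti):
        if ei == len(elems):
            return [] if ti == len(tokens) else None
        kind, val = elems[ei]
        if kind == "lit":
            if ti < len(tokens) and tokens[ti] == val:
                return rec(ei + 1, ti + 1)
            return None
        remaining = len(tokens) - ti
        # $- exactly one token, $+ one or more, $* zero or more
        lo, hi = {"-": (1, 1), "+": (1, remaining), "*": (0, remaining)}[val]
        for n in range(lo, min(hi, remaining) + 1):
            rest = rec(ei + 1, ti + n)
            if rest is not None:
                return [tokens[ti:ti + n]] + rest
        return None
    return rec(0, 0)


def rewrite(rhs, captures, macros):
    """Expand $n and $X in an RHS; $#, $: and $@ are left as text."""
    def sub(m):
        c = m.group(1)
        if c.isdigit():
            return "".join(captures[int(c) - 1])
        return macros.get(c, m.group(0))
    return re.sub(r"\$(.)", sub, rhs)


def resolve(addr, rules=RULESET_0, macros=MACROS):
    """Apply the first matching rule of a $#-style resolving ruleset."""
    tokens = tokenize(addr)
    for lhs, rhs in rules:
        caps = match(parse_lhs(lhs, macros), tokens)
        if caps is not None:
            return rewrite(rhs, caps, macros)
    return None


if __name__ == "__main__":
    for a in ("user@mail.dco.frobozz.com", "alice", "sales.cars@fuccillo.com"):
        print(f"{a:28} -> {resolve(a)}")
```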
If a user attempts to use a program outside the configured directory as an email filter, sendmail returns an error message and does not complete the delivery. (Vixie and Aviolo) Sendmail defines a set of privacy flags. The option to set in the configuration file is PrivacyOptions. Some of the privacy flags control the use of the SMTP commands EXPN and VRFY. These commands are useful for debugging. VRFY verifies that an address is valid. Issue the VRFY command:
VRFY name
where name is the host name you want to verify. EXPN expands an address into the list of mailboxes sendmail will attempt delivery to. If you want to see the individual email addresses hostname expands to, issue the following command:
EXPN hostname
where hostname is the host you want information about. Sendmail allows you to disable these services to conceal private information from intruders, and it is best to set these flags to disallow these functions. Select the authwarnings flag. Whenever the email exchange misfires, for example when the IP address doesn't match the domain name or the name in the SMTP HELO command doesn't match the IP address, the discrepancy is noted by adding an X-Authentication-Warning: header line. Require a HELO command before allowing EXPN, VRFY or a MAIL command; the option flags to set are needexpnhelo, needvrfyhelo, and needmailhelo. This will allow the mail to go through and log the activity. (Vixie and Aviolo)
The dovecot IMAP server provides IMAP and POP3 services. Dovecot is located in /usr/ports/mail/dovecot. Dovecot can interoperate with LDAP servers, databases and authentication systems, and supports many configuration options. (Lucas) Dovecot installs documentation in /usr/local/share/doc/dovecot and example configuration files in /usr/local/etc. Copy the sample configuration file /usr/local/etc/dovecot-example.conf to /usr/local/etc/dovecot.conf and open it in a text editor. By default dovecot does not encrypt IMAP and POP3 services. Change the protocols entry by adding s to the end of the line for both services. Define where dovecot keeps its SSL certificates using the ssl_cert_file and ssl_key_file variables. Default paths are provided. The directory /usr/local/share/dovecot contains the shell script and configuration file to create a dovecot SSL certificate. Find and change or enter the following fields: C=US, ST=NewYork, L=Schenectady, O (the organization), OU (the organizational unit), the common name (the reverse DNS name of the server clients get their mail from), and emailAddress (the address of the person responsible for the server). Now run the mkcert.sh script:
# /usr/local/share/dovecot/mkcert.sh
Enable dovecot in /etc/rc.conf with dovecot_enable="YES"
Then run /usr/local/etc/rc.d/dovecot start
/var/log/maillog will show dovecot starting and initializing SSL.
THAT’S ALL FOLKS!!!!
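To show how the PrivacyOptions flags discussed above gate EXPN, VRFY and MAIL, here is a Python model (an added example, not sendmail's code) that runs a constructed client session against three flag sets. It covers the flags the text names plus noexpn and novrfy, the sendmail flag names that disable the two commands outright; reply wording is modelled on sendmail's, not copied from it, and all host names and addresses are constructed.

```python
"""Model of how sendmail's PrivacyOptions flags gate EXPN, VRFY and MAIL.
Added example, not sendmail's code.  Flags modelled: authwarnings,
needmailhelo, needexpnhelo, needvrfyhelo (named in the text) and noexpn,
novrfy (sendmail's names for disabling the commands).  Reply texts are
approximations of sendmail's wording."""

# The flag set the text recommends: require HELO, disable EXPN/VRFY, and
# record mismatches as X-Authentication-Warning: headers.
RECOMMENDED_FLAGS = frozenset({"authwarnings", "needmailhelo", "needexpnhelo",
                               "needvrfyhelo", "noexpn", "novrfy"})


def run_session(commands, flags, peer_ip, peer_name,
                my_name="mail.dco.frobozz.com"):
    """Feed SMTP command lines through the policy; return (replies, warnings).
    peer_name is the name reverse DNS gives for peer_ip (both constructed)."""
    flags = set(flags)
    helo = None                      # name given in HELO/EHLO, None until seen
    replies, warnings = [], []
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            helo = arg
            # authwarnings: a HELO name that disagrees with reverse DNS is
            # not rejected, but it is recorded in the message's headers.
            if "authwarnings" in flags and helo != peer_name:
                warnings.append(f"X-Authentication-Warning: {my_name}: Host "
                                f"{peer_name} [{peer_ip}] claimed to be {helo}")
            replies.append(f"250 {my_name} Hello {peer_name} [{peer_ip}]")
        elif verb == "VRFY":
            if "novrfy" in flags:
                replies.append("252 Cannot VRFY user; try RCPT to attempt delivery")
            elif "needvrfyhelo" in flags and helo is None:
                replies.append("503 I demand that you introduce yourself first")
            else:
                replies.append(f"250 <{arg}>")   # a real server looks the address up
        elif verb == "EXPN":
            if "noexpn" in flags:
                replies.append("502 Sorry, we do not allow this operation")
            elif "needexpnhelo" in flags and helo is None:
                replies.append("503 I demand that you introduce yourself first")
            else:
                replies.append(f"250 <{arg}>")   # a real server expands the alias
        elif verb == "MAIL":
            if "needmailhelo" in flags and helo is None:
                replies.append("503 Polite people say HELO first")
            else:
                replies.append(f"250 {arg}... Sender ok")
        else:
            replies.append("500 Command unrecognized")
    return replies, warnings


def reply_codes(commands, flags, peer_ip="192.0.2.10",
                peer_name="client.example.net"):
    """Just the three-digit reply codes, handy for comparing flag sets."""
    return [r.split()[0] for r in run_session(commands, flags, peer_ip, peer_name)[0]]


# Constructed client session: the commands first without a HELO, then again
# after a HELO whose name does not match the peer's reverse DNS name.
SESSION = ["VRFY root", "EXPN staff", "MAIL FROM:<a@example.net>",
           "HELO mail.example.org", "VRFY root", "EXPN staff",
           "MAIL FROM:<a@example.net>"]

if __name__ == "__main__":
    for name, flags in (("none", ()),
                        ("helo-only", {"needmailhelo", "needexpnhelo", "needvrfyhelo"}),
                        ("recommended", RECOMMENDED_FLAGS)):
        print(f"{name:12} {reply_codes(SESSION, flags)}")
```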

Sendmail is implemented as one large program doing everything. One large program makes it easy to share mail, and easy to make a major error. Postfix is based on semi-resident, mutually cooperating processes performing specific tasks without a preordained parent/child relationship. (www.akadia.com/services/postfix_mta.html) Postfix is implemented as a resident master server running the postfix daemon processes on demand. Postfix has four different queues. The maildrop queue is where locally posted mail is deposited and copied to the incoming queue after being cleaned up. The incoming queue is for mail still arriving or mail the queue manager has yet to look at. The active queue is a limited-size queue for mail the queue manager has opened for delivery. The deferred queue is for mail that could not be delivered, so it does not get in the way of deliverable mail. The queue manager, qmgr, keeps information in memory about the active queue. The active queue size is limited on purpose: the queue manager should never run out of working memory because of a peak message workload. (www.akadia.com/services/postfix_mta.html) Whenever there is space in the active queue, the queue manager lets in one message from the incoming queue and one from the deferred queue. This ensures new mail goes through even when there is a large backlog.
Instead of finding a complicated replacement for mail, you can replace the complicated sendmail with the simple alternative sSMTP. sSMTP simplifies the configuring of the SMTP options with a small configuration file allowing the specification of items like the name of the remote SMTP server, authorization and the domain for your outbound email, similar to the configuration process of a mail reader. Installation of sSMTP can be done through the distribution package manager, or it can be built and installed from source.
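To show why the alternating admission of the Postfix queue manager described above matters, here is a small Python model (an added example, not Postfix code) of the admission pass, beside an oldest-first scheduler for contrast; the queue contents and the active-queue limit are constructed.

```python
"""Model of Postfix's active-queue admission as the text describes it.
Added example, not Postfix code.  Messages are just labels; the queues and
the active-queue limit are constructed."""
from collections import deque


def admit(active, incoming, deferred, active_limit):
    """One qmgr admission pass: while the active queue has room, take one
    message from incoming and one from deferred, in turn.  Returns the
    messages admitted, in order."""
    admitted = []
    while len(active) < active_limit and (incoming or deferred):
        for q in (incoming, deferred):
            if q and len(active) < active_limit:
                msg = q.popleft()
                active.append(msg)
                admitted.append(msg)
    return admitted


def admit_oldest_first(active, incoming, deferred, active_limit):
    """Contrast case: a scheduler that always takes the oldest work first.
    Deferred mail is older than newly arrived mail, so a large backlog
    starves the incoming queue."""
    admitted = []
    while len(active) < active_limit and (incoming or deferred):
        q = deferred if deferred else incoming
        msg = q.popleft()
        active.append(msg)
        admitted.append(msg)
    return admitted


def admit_once(new_msgs, backlog, active_limit, scheduler=admit):
    """Single admission pass from a constructed state: new_msgs waiting in
    incoming, `backlog` old messages in deferred, empty active queue."""
    deferred = deque(f"old{i}" for i in range(backlog))
    return scheduler(deque(), deque(new_msgs), deferred, active_limit)


def simulate(new_per_round, backlog, active_limit, rounds, scheduler=admit):
    """Run several rounds: the active queue is delivered (assumed to succeed)
    and new mail arrives, then the scheduler admits.  Returns, per round, how
    many newly arrived messages reached the active queue."""
    incoming, active = deque(), deque()
    deferred = deque(f"old{i}" for i in range(backlog))
    new_seen, per_round = 0, []
    for _ in range(rounds):
        active.clear()                        # previous round's mail delivered
        for _ in range(new_per_round):        # fresh arrivals this round
            incoming.append(f"new{new_seen}")
            new_seen += 1
        admitted = scheduler(active, incoming, deferred, active_limit)
        per_round.append(sum(m.startswith("new") for m in admitted))
    return per_round


if __name__ == "__main__":
    print("qmgr style   :", simulate(2, 1000, 6, 3))
    print("oldest first :", simulate(2, 1000, 6, 3, scheduler=admit_oldest_first))
```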
To do a source installation, unpack the source, change into the source directory, and run the command:
./configure --prefix=/usr/local/ssmtp --enable-ssl --enable-md5auth
Enabling SSL and MD5Auth allows you to communicate with an ISP requiring SMTP login. You can also enable IPv6 support if you need it. After configuration is completed, build and install the package using the normal make and sudo make install commands. When running the install command, the install will prompt for a few items; follow the displayed instructions. Once installation completes you will find a directory called /usr/local/ssmtp with the sSMTP binary under the sbin subdirectory and the configuration file under the etc/ssmtp subdirectory. Now sendmail can be stopped and replaced with sSMTP. To stop sendmail under Linux distributions using the System V init scripts: (archive09.linux.com/feature/132006)
sudo service sendmail stop
sudo chkconfig --levels 2345 sendmail off
The first command stops the currently running instance of sendmail and the second prevents it from starting again on reboots. If using a version of Linux that does not use the SysVInit package, kill the sendmail process manually with the command sudo killall sendmail. To replace sendmail, move it to another file name, then create a symbolic link from sSMTP to sendmail: (archive09.linux.com/feature/132006)
sudo mv /usr/sbin/sendmail /usr/sbin/sendmail.orig
sudo ln -s /usr/local/ssmtp/sbin/ssmtp /usr/sbin/sendmail
The first command moves the original sendmail out of the way, the second makes sSMTP the program that runs when a system command calls sendmail. This is done so that, if problems occur using sSMTP, you can remove the symbolic link and move the sendmail copy back to its original name. The location of the sSMTP configuration file depends on the --prefix option given to the configure command when building from source; with the prefix used here it is /usr/local/ssmtp/etc/ssmtp/ssmtp.conf.
This file has only four common options plus some hidden options for authentication. (archive09.linux.com/feature/132006) After a sample build sSMTP created the following configuration file:
# /etc/ssmtp.conf -- a config file for sSMTP sendmail.
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=postmaster
# The place where the mail goes. The actual machine name is required
# no MX records are consulted. Commonly mailhosts are named mail.domain.com
# The example will fit if you are in domain.com and you mailhub is so named.
mailhub=mail
# Where will the mail seem to come from?
#rewriteDomain=graphics-muse.org
# The full hostname
hostname=kepler.graphics-muse.org
Change the root= value to an email address that will receive all system-generated email, such as output from cron jobs that encounter errors or log file analysis. I changed this line to my personal email address. mailhub= defines the SMTP server to which email should be sent. Set this line to the host you specify in your mail reader for the SMTP server. hostname= is the name of the mail host that you'd like recipients of your email to see. Since I want responses to my email to be sent back to my ISP domain so I can use my mail reader to retrieve it, I set this line to the ISP domain. This is the domain part of all outbound messages; all users on your system will appear to be coming from this domain.
You can use rewriteDomain= to spoof who you say you are. Since I'm already spoofing the server address with the hostname line, I leave this line commented out.
The initial configuration does not include information on how to log in to SMTP servers that require authentication. This information is the same information you must provide in your mail reader in order for it to send email through your ISP. To specify this information, you can add the following lines:
AuthUser=your username
AuthPass=your password
AuthMethod=CRAM-MD5
With this configuration, every time the system sends mail using /bin/mail, sendmail gets called, which is actually sSMTP. sSMTP uses the authentication provided in the configuration file to log into the ISP's SMTP server and deliver the outgoing email. (archive09.linux.com/feature/132006)
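Because this file now holds an SMTP credential, here is a Python parser and audit for an ssmtp.conf like the one above (an added example, not part of sSMTP). It checks the keys the text discusses plus sSMTP's UseTLS= and UseSTARTTLS= keys, and whether a file that stores AuthPass= is readable by other users; the sample file text is constructed from the page with placeholder credentials.

```python
"""Parser and audit for an ssmtp.conf of the kind shown above.  Added example,
not part of sSMTP.  Checks the page's settings (root=, mailhub=, hostname=,
AuthUser=/AuthPass=/AuthMethod=) plus sSMTP's UseTLS= and UseSTARTTLS= keys."""
import stat


def parse_ssmtp_conf(text):
    """Return the key=value settings; '#' lines and blanks are skipped, so a
    commented-out '#rewriteDomain=' does not count as set."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep:
            conf[key.strip()] = val.strip()
    return conf


def audit_ssmtp_conf(conf, file_mode=None):
    """Return a list of findings (empty means the checks passed).  file_mode
    is the file's st_mode, if known, used to check who can read a stored
    password."""
    findings = []
    for key in ("root", "mailhub", "hostname"):
        if not conf.get(key):
            findings.append(f"{key}= is missing or empty")
    if "AuthUser" in conf and not conf.get("AuthPass"):
        findings.append("AuthUser= is set but AuthPass= is empty")
    if conf.get("AuthPass"):
        # CRAM-MD5 never sends the password itself; any other method needs TLS.
        tls = any(conf.get(k, "").upper() == "YES" for k in ("UseTLS", "UseSTARTTLS"))
        if conf.get("AuthMethod", "").upper() != "CRAM-MD5" and not tls:
            findings.append("password would be sent in the clear: set "
                            "AuthMethod=CRAM-MD5 or UseTLS=YES/UseSTARTTLS=YES")
        if file_mode is not None and file_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("file stores AuthPass= but is group- or world-readable")
    return findings


# Constructed copy of the page's sample file with the auth lines appended;
# the credential values are placeholders.
SAMPLE_CONF = """\
# /etc/ssmtp.conf -- a config file for sSMTP sendmail.
#
# The person who gets all mail for userids < 1000
root=postmaster
# The place where the mail goes. The actual machine name is required
mailhub=mail
# Where will the mail seem to come from?
#rewriteDomain=graphics-muse.org
# The full hostname
hostname=kepler.graphics-muse.org
AuthUser=username-placeholder
AuthPass=password-placeholder
AuthMethod=CRAM-MD5
"""

if __name__ == "__main__":
    conf = parse_ssmtp_conf(SAMPLE_CONF)
    print(audit_ssmtp_conf(conf, file_mode=0o100644))  # flags the readable file
```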

archive09.linux.com/feature/132006. n.d. 3 August 2012.
Lucas, Michael. Absolute FreeBSD: The Complete Guide to FreeBSD (2nd Edition). San Francisco, CA: No Starch Press, Incorporated, 2007.
Vixie, Paul A. and Frederick M. Aviolo. Sendmail: Theory and Practice. Digital Press, 2002.
www.akadia.com/services/postfix_mta.html. n.d. 3 August 2012.

[TYPE THE COMPANY NAME]

Sendmail

IT 302 Virtual Library

Michael Gigliotti

8/8/2012

Virtual library assignment, covering sendmail and alternatives.

Sendmail is the program used by UNIX, and some of its offshoots like BSD, Linux, SunOS, ULTRIX to handle email. Sendmail was created by Eric Allman (Vixie and Aviolo) to solve the problem of address mapping between the email system and the network. Sendmail routes mail between a UA-mail user agent, a program used to read and send email, and an MTA-message transfer agent, program used to move mail between hosts using a particular network language/protocol. A design goal of sendmail is to accommodate the addition of new UAs and MTAs with only minor configuration changes. (Vixie and Aviolo) Sendmail supports distribution lists in the form of aliases for people or sets of people, the use of individual user .forward files to allow the forwarding of incoming e-mail to programs or other mailboxes. Sendmail also facilitates the rewriting of e-mail addresses to allow for a gateway to deliver mail between different kinds of mail networks and provide a mechanism for bridging between different systems. Sendmail provides for message queuing when a retry able error is encountered, plus automatic routing and returning the e-mail to the sender when an unrecoverable error is encountered. (Vixie and Aviolo) The software used by sendmail to locate domains on the DNS server is the resolver. The resolver is built into C libraries as a directly callable function and as stubs hidden behind the gethostbyname and gethostbyaddr functions. (Vixie and Aviolo) Most of the options of the resolver are turned on by default. One option is DNSRCH, this option tells the resolver to try partial name matches by adding the local domain to the requested domain. When sendmail tries to deliver mail to a domain it first searches for the mail exchanger domain resource records for the domain name. If there are not any mail exchanger domain resource records sendmail searches for address domain resource records. 
If sendmail finds an address resource records, it responds as if there is a single mail exchange domain resource record for the domain, pointing at the domain at priority zero proceeding as if the mail exchange domain resource record had been found in the DNS. (Vixie and Aviolo) When sendmail has mail exchanger resource records for a domain it sorts them by priority from low to high. Then it scans the list for its own name. If it finds a mail exchange host matching its own name it removes the mail exchange domain resource records and all other records with an equal or lower(equal or higher number) mail exchange priority. This is how sendmail does not see itself on a mail exchange domain resource record and route mail through the mail exchange resource records. (Vixie and Aviolo) Once sendmail has a sorted mail exchange domain resource record list, sendmail delivers the mail using the highest priority (lowest numbered) mail exchange domain resource record first, then continuing down the list. Sendmail will load balance if several mail exchange resource records have the same priority by reordering at random. Sendmail is meant to be configurable because no one configuration can work for every possible host, site or network. Issues when planning a sendmail configuration include network connectivity, mail protocols, error handling, and administration. (Vixie and Aviolo) When designing a sendmail configuration take into account the overall design of a company’s email system. There are five main types of mail configurations. (Vixie and Aviolo) In the mail hub, a host is a relay between gateway hosts and other mail hubs. Mail hubs are concentration points in the flow of email distributed geographically based upon network population. Hubs gather mail from client hosts and forward it to other hubs closer to the destination or mail gateway. In the mail gateway, a host or a process is between one environment and at least one other environment. 
This host or process relays the mail as its primary job. Today all internet email passes through email gateways. (Vixie and Aviolo) Email gateways provide many services. An email gateway serves as a connector through the internet firewall. Mail gateways act as mail exchangers for their own or other domains. A virtual domain is a domain not actually mapping to IP host or network addresses. Gateways can handle mail for existing domains and virtual domains. A mail gateway can be used for header translation. If a private network is isolated from the internet the mail gateway is the mail exchange service for the hosts in its domain. In a simple client configuration, a client handles local mail. All other mail is sent without processing to a mail hub. Incoming mail is received by a hub offering mail to the simple client using NFS of POP. In smart client, an end host must be able to speak at least one network protocol, at least one mail protocol, and be connected to at least one physical network. A smart client may deliver some mail directly by itself, the rest is sent to a hub. A smart client can handle mail to a subset of the email network. It will send mail directly to all mailboxes within its domain and use a hub for mail outside of its domain and external mail. In a mail cluster a group of mail hosts share a common user name space and a common aliases database. Mail sent to a user on any of the hosts in the cluster will get to the proper mailbox. In a mail cluster a provision can be made for nonglobal mail addresses. Most groups of hosts today are aggregated into mail clusters. Before sitting down to write or modify a sendmail.cf file, we have to ask ourselves some questions and gather some data. This includes our parent domain name for the sendmail configuration. This is usually everything following the first dot (.) in our own fully qualified host name. 
The parent domain name will usually be the same for most of our hosts, or at least most hosts of a given mail hub. If this host is known by any other name, or if this host should treat any other host names as local, these names are our pseudonyms. These are taken into account as we configure sendmail. We might have pseudonyms because of the consolidation of hosts and need old addresses to continue to work, or a mail hub needs to accept mail addressed to its generic domain name or names. (Vixie and Aviolo) The sendmail configuration file is sendmail.cf, it tells sendmail how to parse mail addresses, rewrite mail addresses, what MTAs sendmail should know about, how to route mail, and to set options and other values. The directory /etc/mail contains all the sendmail configuration files. There are four files on the server to be of concern. /etc/mail/access set per host and per domain access controls for the mail server. /etc/mail/aliases contains a map of email redirections for the local host. /etc/mail/mailertable allows the override of MX records for the mail server. /etc/mail/relay-domains lists domain names and addresses the server will relay email for. (Lucas) A line type is determined by the first character. Blank lines are ignored and are used for readability. Lines beginning with a tab are continuations from the preceding line. # is a comment line ignored by sendmail. C is class definitions. Classes are sets of tokens used for matching the left hand side/pattern side of a rule. (Vixie and Aviolo) Classes are used to test if part of an address matches one of a set of words or tokens. D is for macro definitions, variables when defined and used are treated like string constants in the form of DXvalue. Where X is a single character and value is a character string without blanks or tabs.

These are some of the macro definitions defined internally by Sendmail: a The Date: in Arpanet format (e.g., "Tue, 14 Jan 92 10:39:35 -0500"). b The current date in Arpanet format. c The hop count. Essentially the number of Received: headers. d The time in ctime format (e.g., "Tue Jan 14 10:39:35 1992"). f The sender (from) address. g The sender address relative to the recipient (a path). h The recipient host. i The queue identifier (usually built from the pid). p The Sendmail pid. r The protocol used. s The sender's host name. t The current time (e.g., "920114103935"). u The recipient user. v The version number of the compiled Sendmail. w The name of this host (might be fully qualified, or not).[a] x The full name of the sender (e.g., "Bullwinkle T. Moose"). y The name of the sender's tty port (e.g., 09 for /dev/tty09). z The home directory of the recipient. (Vixie and Aviolo) Rules are the executable lines of the configuration file. Rules start with R, have a left hand side (LHS), a right hand side (RHS) and comment lines. A line is separated by tabs, not spaces. A delimiter is a special character considered to be place indicators or operators. The @ and . in sales.cars@fuccillo.com are delimiters. Delimiters are set in sendmail.cf using the O OperatorChars= directive. (Vixie and Aviolo) A token is a word or string not used as a delimiter. In the above example, sales, cars, fuccillo and com are tokens. The $ is used to introduce special characters. Special symbols used on the LHS:
$* Zero or more tokens plus all delimiters between or around them.
$+ One or more tokens plus all delimiters between and or around them.
$- Exactly one token.
$=X Any word in class X.
$~X Any word not in class X. $X The exact string defined by macro X. The RHS has special symbols as well:
$: Apply this transformation exactly once, then go to the next rule
$@ After applying this transformation, exit from the ruleset
$n token number n matched on the LHS by a pattern variable
$>m Call ruleset m. This is like a function call
$[ Send everything before the next $] to the DNS resolver, and use result of that lookup as the transformation.
$] similar to $[
$: This introduces an "Else" if used between a $[ and $] This is an example of a configuration file: (Vixie and Aviolo)
# Thanks to Peter Churchyard, 0x8
# Imperial College, London. 0X12
# Pfirst-class=0
# Your local domain. Pspecial-delivery=100
DDdco.frobozz.com Pjunk=-100 Troot daemon uucp
# Your full hostname H?F?From: $q
Dj$w H?D?Date: $a
#Dj$w.$D H?M?Message-Id:
DRrelayhost.dco.frobozz.com HSubject:
DVsimple
Dnmailer-daemon S0
DlFrom $g $d remote from $U R$*@$j $#local$:$l optional
Do@.% R$*@$w $#local$:$1 optional
Dq$?x$x $|$g$. R$- $#local$:$1 optional
De$j Sendmail $v/$V ready at $b R$* $#remote$@$R$:$1
Odbackground S1
Om S2
OF0644 S3
Og1 R$*$* $2
OH/etc/sendmail.hf S4
OL6 Mremote, P=[IPC], F=nsmFDMuXC, \
Oo S=10, R=10, A=IPC $h
OQ/var/spool/mqueue Mlocal, P=/bin/mail, F=lsDFrmn, \
Or1h S=10, R=10, A=mail -r $f -d $u
OS/etc/sendmail.st Mprog, P=/bin/echo, F=lsDFMmn, \
OT3d S=10, R=10, A=mail $u
Ou1 S10 To operate properly Sendmail has to run in privileged mode as root user. In listener mode sendmail must binds to port 25. To do that it must run as root. When sendmail is about to invoke an MUA for final local delivery it changes its effective user id to be the recipient, and then writes the e-mail message into the user-owned file or directory. Sendmail can run as a less-privileged user. This option is provided for systems where there will be no local delivery like email gateways such as firewalls. As soon as sendmail binds to the SMTP port, the running sendmail process changes its effective user id to the less privileged user specified. The running sendmail daemon and all created processes run as the RunAsUser. (Vixie and Aviolo) There have been buffer-overflow attacks using long MIME headers against e-mail clients. They have not been against Sendmail. While people should patch their e-mail clients, sendmail allows the installer to put a limit on the size of MIME headers passing through the e-mail gateway to help lower the risk. Setting MaxMimeHeaderLength to the suggested 512 not very large, yet this is big for a MIME header. Sendmail provides a feature allowing email to be sent or redirected to a program for delivery automating the email process. Users or email administrators can send email messages through the procmail program to automate tasks like message filing and forwarding to the vacation program to selectively return an "I am away from my e-mail" message. Hackers have exploited filters like this in sendmail to their advantage. Restrictions placed on the execution of programs used as email filters will protect this vulnerability. Setting this option instructs sendmail to use the Sendmail Restricted Shell, smrsh, instead of the default command interpreter usually the UNIX command line interpreter /bin/sh. smrsh only executes programs in a configuration specified directory, /usr/adm/sm.bin/ is an example. 
If a user attempts to use a program not in a configuration specified directory as an email filter, sendmail returns an error message and does not complete the delivery. (Vixie and Aviolo) Sendmail defines a set of Privacy Flags. The option to set in the configuration file is PrivacyOptions. Some of the privacy flags control the use of the SMTP commands EXPN and VRFY. These commands are useful for debugging. VRFY verifies an address is valid. Issue the VRFY command:
VRFY name
Where name is hostname you want to verify. EXPN expands addresses into the list of mailboxes sendmail will attempt delivery to. If you want to see the individual email addresses hostname expands to, issue the following command:
EXPN hostname
Where hostname is the host you want information about. Sendmail allows you to disable these services for the sake of concealing private information from intruders. It is best to set these flags to disallow these functions. Select the authwarnings flag. Anytime the email exchange misfires, the IP address doesn't match the domain name, the name in the SMTP HELO command doesn't match the IP address, the discrepancy is noted in the addition of an X-Authentication-Warning: header line. Require a HELO command before allowing EXPN, VRFY or a MAIL command. The option flags to set would be needexpnhelo, needvrfyhelo, and needmailhelo. This will allow the mail to go through and log the activity. (Vixie and Aviolo) The dovecot IMAP server provides IMAP and POP3 services. Dovecot is located in /usr/ports/mail/dovecot. Dovecot can interoperate with LDAP servers, databases, authentication systems, and supports many configuration options. (Lucas) Dovecot installs documentation in /usr/local/share/doc/dovecot and example configuration files in /usr/local/etc. Copy the sample configuration file /usr/local/etc/dovecot-example.conf to /usr/local/etc/dovecot.conf and open in a text editor. By default dovecot does not encrypt IMAP and POP3 services. Change protocols entry by adding s to the end of the line for both services. Define where dovecot keeps its SSL certificates using ssl_cert_file and ssl_key_file variables. Default paths are provided. The directory /usr/local/share/dovecot contains the shell script and configuration file to create a dovecot SSL certificate. Find and change or enter the following, C=US, ST=NewYork, L=Schenectady, O is the organization, OU is organizational unit, common name is the reverse DNS name of the server clients get there mail from, emailAddress is the address of the person responsible for the server. Now run the mkcert.sh script:
# /usr/local/share/dovecot/mkcert.sh
Enable dovecot in /etc/rc.conf/ with dovecot_enable=”YES”
Then run /usr/local/etc/rc.d/dovecot start
/var/log/maillog will show dovecot starting and initializing SSL
THAT’S ALL FOLKS!!!!

Sendmail is implemented as a large program doing everything. One large program makes it easy to share mail, and easy to make a major error. Postfix is based on semi resident, mutually cooperating processes performing specific tasks without a preordained parent/child relationship. (www.akadia.com/services/postfix_mta.html) Postfix is implemented as a resident master server running the postfix daemon processes on demand. Postfix has four different queues. The maildrop queus is where localy posted mail is deposited and copied to the incoming queue after being cleaned up. The incoming queue is for still arriving mail or mail the queue manager is yet to look at. The active queue is a limited size queue for mail the queue manager has opened for delivery. The deferred queue is for mail unable to be delivered so it does not get in the way of deliverable mail. The queue manager, qmgr, keeps information in memory about the active queue. The active queue size is limited on purpose. The queue manager should never run out of working memory because of a peak message workload. (www.akadia.com/services/postfix_mta.html) Whenever there is space in the active queue, the queue manager lets in one message from the incoming queue and one from the deferred queue. This ensures new mail go through even when there is a large backlog. Instead of finding a complicated replacement for mail, you can replace the complicated sendmail with the simple alternative sSMTP. sSMTP simplifies the configuring of the SMTP options with a small configuration file allowing the specification of items like the name of the remote SMTP server, authorization and the domain for your outbound email similar to the configuration process of the mail reader. Installation of sSMTP can be done through the distribution package manager or can be built and installed from the source. 
To do a source installation, unpack the source, change into the source directory, and run the command ./configure --prefix=/usr/local/ssmtp --enable-ssl --enable-md5auth. Enabling SSL and MD5Auth allows you to communicate with an ISP requiring SMTP login. You can also enable IPv6 support if you need it. After configuration is completed, build and install the package using the normal make and sudo make install commands. When running the install command, the install will prompt for a few items. Follow the displayed instructions. Once installation completes find a directory called /usr/local/ssmtp with the sSMTP binary under the sbin subdirectory and the configuration file under the etc/ssmtp subdirectory. Now sendmail can be stopped and replaced with sSMTP. To stop Sendmail under Linux distributions using the System V init scripts: (archive09.linux.com/feature/132006) sudo service sendmail stop sudo chkconfig --levels 2345 sendmail off The first command stops the currently running instance of sendmail and the second prevents it from starting again on reboots. If using a version of Linux not using the SysVInit package, kill the sendmail process manually with the command sudo killall sendmail. To replace sendmail, copy it to another file then create a symbolic link from sSMTP to sendmail: (archive09.linux.com/feature/132006) sudo mv /usr/sbin/sendmail /usr/sbin/sendmail.orig sudo ln -s /usr/local/ssmtp/sbin/ssmtp /usr/sbin/sendmail The first command moves the original sendmail out of the way, the second makes sSMTP the running program when a system command calls sendmail. This way is done because if problems occur using sSMTP, remove the symbolic link and move the sendmail copy back to its original name. The configuration file for sSMTP is based upon the --prefix option used with the configuration command building from the source code located in the /usr/local/ssmtp/etc/ssmtp/ssmtp.conf file. 
This file has only four common options plus some hidden options for authentication. (archive09.linux.com/feature/132006) After a sample build sSMTP created the following configuration file: # /etc/ssmtp.conf -- a config file for sSMTP sendmail. # # The person who gets all mail for userids < 1000 # Make this empty to disable rewriting. root=postmaster # The place where the mail goes. The actual machine name is required # no MX records are consulted. Commonly mailhosts are named mail.domain.com # The example will fit if you are in domain.com and you mailhub is so named. mailhub=mail # Where will the mail seem to come from? #rewriteDomain=graphics-muse.org # The full hostname hostname=kepler.graphics-muse.org Change the root= value to an email address that will receive all system-generated email, such as output from cron jobs that encounter errors or log file analysis. I changed this line to my personal email address. mailhub= defines the SMTP server to which email should be sent. Set this line to the host you specify in your mail reader for the SMTP server. hostname= is the name of the mail host that you'd like recipients of your email to see it. Since I want responses to my email to be sent to back to my ISP domain so I can use my mail reader to retrieve it, I set this line to the ISP domain. This is the domain part of all outbound messages; all users on your system will appear to be coming from this domain.
You can use rewriteDomain= to spoof who you say you are. Since I'm already spoofing the server address with the hostname line, I leave this line commented out.
The initial configuration does not include information on how to log in to SMTP servers that require authentication. This information is the same information you must provide in your mail reader in order for it to send email through your ISP. To specify this information, you can add the following lines:
    AuthUser=your username
    AuthPass=your password
    AuthMethod=CRAM-MD5

With this configuration, every time the system sends mail using /bin/mail, sendmail is called, which is now actually sSMTP. sSMTP uses the authentication provided in the configuration file to log into the ISP's SMTP server and deliver the outgoing email. (archive09.linux.com/feature/132006)
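As an added example (not code from the essay or from the linux.com article), the following POSIX shell helpers script the sendmail-to-sSMTP swap and its rollback described above, render an ssmtp.conf with the options just discussed, and sanity-check the result. The paths and sample values are parameters; the file-mode check is an assumption about how a file carrying AuthPass should be protected, not something sSMTP itself enforces.

```shell
#!/bin/sh
# Added example: helpers for the sendmail -> sSMTP swap and ssmtp.conf setup.
# Paths are parameters so the functions can be exercised in a scratch directory;
# the defaults are the ones used in the text above.

# Move the real sendmail aside and point the "sendmail" name at the sSMTP binary.
# Refuses to act if sendmail is already a symlink (swap already done) or if the
# sSMTP binary is missing, so a dangling mail path is never created.
swap_sendmail() {
    sendmail_path=${1:-/usr/sbin/sendmail}
    ssmtp_bin=${2:-/usr/local/ssmtp/sbin/ssmtp}
    [ -x "$ssmtp_bin" ] || { echo "no ssmtp binary at $ssmtp_bin" >&2; return 1; }
    if [ -L "$sendmail_path" ]; then
        echo "$sendmail_path is already a symlink; nothing to do" >&2
        return 1
    fi
    mv "$sendmail_path" "$sendmail_path.orig" || return 1
    ln -s "$ssmtp_bin" "$sendmail_path"
}

# Undo the swap: remove the symlink and put the saved original back.
restore_sendmail() {
    sendmail_path=${1:-/usr/sbin/sendmail}
    [ -L "$sendmail_path" ] || return 1
    rm "$sendmail_path" && mv "$sendmail_path.orig" "$sendmail_path"
}

# Render an ssmtp.conf with the options discussed in the text.
# $1 output path, $2 root recipient, $3 mailhub, $4 hostname, $5 AuthUser, $6 AuthPass
write_ssmtp_conf() {
    out=$1; root_addr=$2; hub=$3; host=$4; auser=$5; apass=$6
    (
        umask 077   # the file holds the SMTP password: create it mode 0600
        {
            echo "# generated ssmtp.conf"
            echo "root=$root_addr"
            echo "mailhub=$hub"
            echo "hostname=$host"
            echo "AuthUser=$auser"
            echo "AuthPass=$apass"
            echo "AuthMethod=CRAM-MD5"
        } > "$out"
    )
}

# Sanity-check a conf: the three required keys carry a value, and if AuthPass
# is present the file must not be readable by "other" (assumed policy).
check_ssmtp_conf() {
    conf=$1
    for key in root mailhub hostname; do
        grep -q "^$key=." "$conf" || { echo "missing $key=" >&2; return 1; }
    done
    if grep -q '^AuthPass=' "$conf"; then
        # GNU stat first, BSD stat as fallback; both print the octal mode
        perms=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
        case $perms in
            *[1-7]) echo "$conf is readable by others (mode $perms)" >&2; return 1 ;;
        esac
    fi
    return 0
}
```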

archive09.linux.com/feature/132006. n.d. 3 August 2012.
Lucas, Michael. Absolute FreeBSD: The Complete Guide to FreeBSD (2nd Edition). San Francisco, CA: No Starch Press, Incorporated, 2007.
Vixie, Paul A. and Frederick M. Aviolo. Sendmail: Theory and Practice. Digital Press, 2002.
www.akadia.com/services/postfix_mta.html. n.d. 3 August 2012.