Configuring the Sendmail E-mail Daemon

I use the Sendmail package to provide e-mail services. Sendmail is the definitive mail handler; in fact it is so popular that it is estimated that over 80% of e-mail passing over the Internet will be handled at one or both ends by it. It does just about anything and I couldn't imagine running an Internet server without it (another e-mail server package called Qmail seems to be quite popular as well -- but I haven't had a reason yet to give it a try).

To keep up with new features and bug-fixes, and most importantly, for reasons of security, it is probably a good idea to upgrade Sendmail from time to time. In addition, the very latest versions of Sendmail include powerful anti-spam features which can help prevent your mail server being abused by unauthorized users.

This section will discuss some of the things you should do if you wish to use Sendmail as an incoming e-mail server. This would be the likely scenario for server systems. If, instead, you have no need to use it for incoming mail and wish to only use it as an outgoing mail queue, you should ((need some info here)).

For this section, it is assumed that you are using the very latest version of Sendmail (8.9.3 at the time of this writing), and have it installed and running.

As packaged with the Red Hat distribution, Sendmail usually contains appropriate configuration information to operate correctly in the majority of server setups. Nonetheless, you may find it necessary to edit the ``/etc/sendmail.cf'' file and customize some settings as required. This, however, is beyond the scope of this document.

One thing I find helpful, however, is to make a couple of changes to the configuration file to thwart spammers. These include:
The first change prevents spammers from using the ``EXPN'' and ``VRFY'' commands in sendmail. I find that these commands are too often abused by unethical individuals. The second change modifies the banner which Sendmail displays upon receiving a connection. You should replace the ``xx'' in the ``C=xx L=xx'' entries with your country and location codes. For example, in my case, I would use ``C=CA L=ON'' for Ontario, Canada. (The latter change doesn't actually affect anything, but was recommended by folks in the news.admin.net-abuse.email newsgroup as a legal precaution.)

Next, if your mail server will have a different host name than the actual machine it is running on, you can add one or more aliases in the ``/etc/sendmail.cw'' file. For example, if you have a system called ``kirk.mydomain.name'' which is set up as the mail exchanger for mydomain.name, but want incoming mail addressed in the format ``user@mydomain.name'' to be delivered to your users on ``kirk'', simply add this alias as follows:
Finally, if you need to restrict a domain (or subdomain) from connecting to your sendmail service, you can edit the ``/etc/mail/access'' file and add the domain information as well as the type of restriction. For example:
The above examples would reject all e-mail connections from the ``some.domain'' site, as well as reject the specific machine name ``hax0r.another.domain'' with a descriptive message. After making changes to this file, you will need to update the ``access.db'' file, and then restart sendmail as follows:
For more information on Sendmail, see the FAQ document located at http://www.sendmail.org/faq/.
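An added example, not part of the original guide: a small shell audit for the two hardening steps in this section, checking that ``EXPN'' and ``VRFY'' are disabled and that every access entry carries a usable restriction. It assumes the configuration file sets options in the ``O PrivacyOptions=...'' form and that access actions are OK, RELAY, REJECT, DISCARD or an SMTP error code followed by text; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two hardening points from this section.

# Print the PrivacyOptions flags (noexpn, novrfy) missing from a sendmail.cf.
# "goaway" is sendmail shorthand that already includes both.
check_privacy() {
    opts=$(sed -n 's/^O[[:space:]]*PrivacyOptions=//p' "$1" | tr -d ' \t' | tr '\n' ',')
    missing=""
    for flag in noexpn novrfy; do
        case ",$opts," in
            *,goaway,*|*,"$flag",*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    echo "${missing# }"
}

# Print the line numbers of access entries that would not restrict anything:
# a key with no action, a misspelled action, or an error code with no message.
check_access() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
        NF == 2 && $2 ~ /^(OK|REJECT|DISCARD|RELAY)$/ { next }
        NF >= 3 && $2 ~ /^[45][0-9][0-9]$/ { next }         # e.g. "550 some text"
        { print NR }
    ' "$1"
}

# Constructed sample files (not real configuration from any site).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'O PrivacyOptions=authwarnings,noexpn\n' > "$dir/sendmail.cf"
    printf '%s\n' '# constructed entries' \
        'some.domain REJECT' \
        'hax0r.another.domain 550 Contact site administrator.' \
        'typo.example REJCT' > "$dir/access"
    echo "missing PrivacyOptions flags: $(check_privacy "$dir/sendmail.cf")"
    echo "bad access lines: $(check_access "$dir/access")"
    rm -rf "$dir"
}
demo
```

Run it against copies of the real files before rebuilding ``access.db'', so a mistyped action is caught before it silently fails to block anything.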