Re: Telnet port 25

From: Patrick B. O'Brien (pobrien@DOIT.NV.GOV)
Date: Wed Dec 10 2003 - 17:10:13 EST


Yes,

Anti_Relay_510
Special Notices
Please use this information with care. IBM will not be responsible for damages of any kind resulting from its use. The use of this information is the sole responsibility of the customer and depends on the customer's ability to evaluate and integrate this information into the customer's operational environment.

Configuring sendmail 8.11.0 for Anti-Relay

Make sure the following fileset is installed on your system. If not, install
it through smitty.

# lslpp -l bos.adt.base
# lslpp -l bos.net.tcp.adt

AIX 5.1.0 ships the necessary tools and macros to generate custom sendmail
configuration files. The tools and macros reside in fileset
bos.net.tcp.adt and once loaded can be found in
/usr/samples/tcpip/sendmail/cf:
#cd /usr/samples/tcpip/sendmail/cf

There is a file under this directory called aixsample.mc. This file contains
the new features that the user can change, one of them being
FEATURE(promiscuous_relay) dnl.

Rename it so you don't write over the original.
#cp aixsample.mc aix51.norelay.mc

The original file looks like this without the comments.
#vi aix51.norelay.mc

----------------------------------------------------------------------------
NOTE:The aixsample.mc can be edited with whatever FEATURES are needed for the
new sendmail.cf.
These features are documented at http://www.sendmail.org/m4/features.html

This is an example of a minimum .mc file:

divert(0)dnl
OSTYPE(aixsample)dnl
FEATURE(genericstable)dnl --->remove line if not needed.
FEATURE(mailertable)dnl --->remove line if not needed.
FEATURE(virtusertable)dnl --->remove line if not needed.
FEATURE(domaintable)dnl --->remove line if not needed.
FEATURE(allmasquerade)dnl
FEATURE(promiscuous_relay)dnl --->remove line to stop unauthorized relay.
FEATURE(accept_unresolvable_domains)dnl ---> remove this line if not needed.
FEATURE(accept_unqualified_senders)dnl ---> remove this line if not needed.
DOMAIN(generic)dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(uucp)
--------------------------------------------------------------------------

The new file now will look like this.

 NOTE: You must remove the entries; commenting them out doesn't work.
       The entry that is responsible for relay is
       "FEATURE(promiscuous_relay)dnl"; we remove the other ones because
       sendmail will complain if those options are not set up.

#view aix51.norelay.mc
-------------------------------------------------------------------------
divert(0)dnl
OSTYPE(aixsample)dnl
FEATURE(allmasquerade)dnl
DOMAIN(generic)dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(uucp)
-------------------------------------------------------------------------

Then you must rebuild the new sendmail.cf file using these new options.
You must be in the /usr/samples/tcpip/sendmail/cf
directory, otherwise it won't work.

#m4 ../m4/cf.m4 aix51.norelay.mc > testmail.cf

Now you should have a new testmail.cf file under the
/usr/samples/tcpip/sendmail/cf directory. Rename your old sendmail.cf and
replace it with the new one, but first make a backup copy of the original
in case something goes wrong.

#mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig
#mv testmail.cf /etc/mail/sendmail.cf

Now this is your new /etc/mail/sendmail.cf
There is a line in the sendmail.cf that points to the file where you specify
who you want to allow relay.

#vi /etc/mail/sendmail.cf
Search for this line. This is the macro that points to the
/etc/mail/relay-domains file that allows relaying. You don't need to do
anything to this line; it's just to show you where it is located and the file
it points to.

#Hosts that will permit relaying ($=R)
 FR-o /etc/mail/relay-domains

Now you must add the domains or fully qualified names of hosts that you want
to allow relay, including your own. You may also use network/host IP addresses as well.
#vi /etc/mail/relay-domains
entry1...
entry2...
entry3...

For example, if you want to let hosts in the ibm.com domain relay, type
ibm.com in the relay-domains file.

Finally we must tell sendmail that it has a new configuration file.

#refresh -s sendmail

If sendmail is not active, then read the note below.

    NOTE: If sendmail is not running you need to check if it's active
          using the following command:

            #lssrc -s sendmail
             Subsystem Group PID Status
             sendmail mail 5424 active

          If it's not active, start it up by issuing the following command:

            #startsrc -s sendmail -a "-bd -q30m"

To test out anti-relaying, just don't list any domains in the
/etc/mail/relay-domains file and try to use this machine as a relay; it
should give the message "relay denied".

                      OTHER THINGS THAT CAN GO WRONG
----------------------------------------------------------------------------
If you get an error message when you try to mail saying:

/etc/mail/sendmail.cf: line 140: fileclass: Cannot open
/etc/mail/local-host-names:A file or directory in the path name does not exist.
This is the file in which sendmail keeps the names of hosts for which we
receive mail. You tell sendmail which domains or hosts it is responsible for.

#vi /etc/mail/local-host-names

In this file you will add your hostname, aliases and any domains that this
host is responsible for. For example, a machine called carter which is
responsible for the following domains:

carter
carter.austin.ibm.com
ibm.com
austin.ibm.com

Thank you for using AIX Technical Support Services. If you have any questions
call 1800-CALLAIX.
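
A small lint for the two files the note above edits, the m4 .mc input and /etc/mail/relay-domains, written as an added example (not from the original post or from IBM). It assumes the semantics the note describes for relay-domains, with IP entries acting as dotted network prefixes (sendmail's $=R) and lines starting with '#' treated as comments; all sample file contents are constructed inline.

```python
"""Added example (not from the original post or IBM): lint the m4 .mc input
and /etc/mail/relay-domains before rebuilding sendmail.cf. Assumptions:
relay-domains IP entries act as dotted network prefixes ($=R semantics)
and lines starting with '#' are comments. Sample contents are constructed."""
import re

# FEATURE() entries the note says to remove before rebuilding sendmail.cf.
RISKY_FEATURES = {
    "promiscuous_relay": "open relay: any client may relay through this host",
    "accept_unresolvable_domains": "accepts senders whose domain does not resolve",
    "accept_unqualified_senders": "accepts senders with no domain part",
}
FEATURE_RE = re.compile(r"FEATURE\(\s*([A-Za-z_]+)\s*\)")

def lint_mc(mc_text):
    """Return (line_no, feature, reason) for each risky FEATURE still present.
    Every occurrence is reported, since the note says the line must be removed."""
    hits = []
    for no, line in enumerate(mc_text.splitlines(), 1):
        m = FEATURE_RE.search(line)
        if m and m.group(1) in RISKY_FEATURES:
            hits.append((no, m.group(1), RISKY_FEATURES[m.group(1)]))
    return hits

def lint_relay_domains(text):
    """Return (line_no, entry, problem) for entries broader than one site:
    an IP prefix shorter than two octets (a whole /8) or a dotless name."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):   # assumed comment/blank handling
            continue
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", entry):
            if len(entry.split(".")) < 2:
                problems.append((no, entry, "prefix covers an entire /8 network"))
        elif "." not in entry:
            problems.append((no, entry, "dotless entry: a bare TLD or unqualified host"))
    return problems

# Constructed samples: the .mc before and after the edit, and a relay-domains file.
BEFORE_MC = "divert(0)dnl\nOSTYPE(aixsample)dnl\nFEATURE(promiscuous_relay)dnl\nMAILER(smtp)dnl\n"
AFTER_MC = "divert(0)dnl\nOSTYPE(aixsample)dnl\nFEATURE(allmasquerade)dnl\nMAILER(smtp)dnl\n"
RELAY_DOMAINS = "# constructed sample\nibm.com\naustin.ibm.com\n10.1\ncom\n10\n"

if __name__ == "__main__":
    for line_no, what, why in lint_mc(BEFORE_MC) + lint_relay_domains(RELAY_DOMAINS):
        print("line %d: %s -> %s" % (line_no, what, why))
```

Run it against the real files with `open("/etc/mail/relay-domains").read()` in place of the constructed strings; an empty result from both functions is the state the note aims for.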

-----Original Message-----
From: Miller, Dave (I.S.) [mailto:Dave.Miller@BHS.ORG]
Sent: Wednesday, December 10, 2003 10:31 AM
To: aix-l@Princeton.EDU
Subject: Re: Telnet port 25

Thanks for the replies.
Maybe I should ask/approach this way...can I limit telnet to respond
only to certain IP addresses, or sendmail relays for that matter?
thanks

-----Original Message-----
From: Bill Verzal [mailto:BVerzal@KOMATSUNA.COM]
Sent: Wednesday, December 10, 2003 12:22 PM
To: aix-l@Princeton.EDU
Subject: Re: Telnet port 25

smtp runs on port 25. You do not need sendmail running to send mail out of
a box. Once you stop sendmail, telnet to port 25 will be closed.

BV
--------------------------------------------------------

"If everything is coming your way, then you are in the wrong lane"

Bill Verzal
AIX Administrator, Komatsu America
(847) 970-3726 - direct
(847) 970-4184 - fax

From: "Miller, Dave (I.S.)" <Dave.Miller@BHS.ORG>
Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
To: aix-l@Princeton.EDU
Subject: Telnet port 25
Date: 12/10/2003 11:10 AM
Please respond to: IBM AIX Discussion List <aix-l@Princeton.EDU>

Can someone point me in the right direction as to how I would easily
disallow telnet to port 25, but still allow telnet to port 23?

I.e. I don't want to be able to telnet to port 25 and send mail, but I
still want to run sendmail, and allow telnet... or am I looking at this
wrong? Thanks.

CONFIDENTIALITY NOTICE: This email communication and any attachments may
contain confidential and privileged information for the use of the
designated recipients named above. If you are not the intended recipient,
you are hereby notified that you have received this communication in error
and that any review, disclosure, dissemination, distribution or copying
of it or its contents is prohibited. If you have received this communication
in error, please reply to the sender immediately or by telephone at (413)
794-0000 and destroy all copies of this communication and any attachments.
For further information regarding Baystate Health System's privacy policy,
please visit our Internet web site at http://www.baystatehealth.com.




This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:17:24 EDT