From: Miller, Dave (I.S.) (Dave.Miller@BHS.ORG)
Date: Wed Dec 10 2003 - 17:14:19 EST
Excellent. Thanks Patrick
-----Original Message-----
From: Patrick B. O'Brien [mailto:pobrien@DOIT.NV.GOV]
Sent: Wednesday, December 10, 2003 5:10 PM
To: aix-l@Princeton.EDU
Subject: Re: Telnet port 25
Yes,
Anti_Relay_510
Special Notices
Please use this information with care. IBM will not be responsible for
damages of any kind resulting from its use. The use of this information
is the sole responsibility of the customer and depends on the customer's
ability to evaluate and integrate this information into the customer's
operational environment.
Configuring sendmail 8.11.0 for Anti-Relay
Make sure the following fileset is installed on your system. If not, install
it through smitty.
# lslpp -l bos.adt.base
# lslpp -l bos.net.tcp.adt
AIX 5.1.0 ships the necessary tools and macros to generate custom sendmail
configuration files. The tools and macros reside in fileset
bos.net.tcp.adt and once loaded can be found in
/usr/samples/tcpip/sendmail/cf:
#cd /usr/samples/tcpip/sendmail/cf
There is a file under this directory called aixsample.mc. This file contains
the new features that the user can change, one of them being
FEATURE(promiscuous_relay)dnl.
Rename it so you don't write over the original.
#cp aixsample.mc aix51.norelay.mc
The original file looks like this without the comments.
#vi aix51.norelay.mc
------------------------------------------------------------------------
NOTE: The aixsample.mc can be edited with whatever FEATURES are needed for
the new sendmail.cf. These features are documented at
http://www.sendmail.org/m4/features.html

This is an example of a minimum .mc file:

divert(0)dnl
OSTYPE(aixsample)dnl
FEATURE(genericstable)dnl               --->remove line if not needed.
FEATURE(mailertable)dnl                 --->remove line if not needed.
FEATURE(virtusertable)dnl               --->remove line if not needed.
FEATURE(domaintable)dnl                 --->remove line if not needed.
FEATURE(allmasquerade)dnl
FEATURE(promiscuous_relay)dnl           --->remove line to stop unauthorized relay.
FEATURE(accept_unresolvable_domains)dnl ---> remove this line if not needed.
FEATURE(accept_unqualified_senders)dnl  ---> remove this line if not needed.
DOMAIN(generic)dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(uucp)
------------------------------------------------------------------------

The new file now will look like this.
NOTE: You must remove the entries, commenting them out doesn't work. The
entry that is responsible for relay is "FEATURE(promiscuous_relay)dnl"; we
remove the other ones because sendmail will complain if those options are
not set up.

#view aix51.norelay.mc
------------------------------------------------------------------------
divert(0)dnl
OSTYPE(aixsample)dnl
FEATURE(allmasquerade)dnl
DOMAIN(generic)dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(uucp)
------------------------------------------------------------------------

Then you must rebuild the new sendmail.cf file using these new options. You
must be under the /usr/samples/tcpip/sendmail/cf directory, otherwise it
won't work.

#m4 ../m4/cf.m4 aix51.norelay.mc > testmail.cf

Now you should have a new testmail.cf file under the
/usr/samples/tcpip/sendmail/cf directory. Rename your old sendmail.cf and
replace it with the new one, but first make a backup copy of the original in
case something goes wrong.

#mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig
#mv testmail.cf /etc/mail/sendmail.cf

Now this is your new /etc/mail/sendmail.cf. There is a line in the
sendmail.cf that points to the file where you specify who you want to allow
relay.

#vi /etc/mail/sendmail.cf

Search for this line. This is the macro that points to the
/etc/mail/relay-domains file that allows relaying. You don't need to do
anything to this line; it's just to show you where it is located, and the
file it points to.

#Hosts that will permit relaying ($=R)
FR-o /etc/mail/relay-domains

Now you must add the domains or fully qualified names of hosts that you want
to allow relay, including your own. You may also use network/host IP
addresses as well.

#vi /etc/mail/relay-domains
entry1...
entry2...
entry3...

For example, if you want to let hosts in the ibm.com domain be able to
relay, then type ibm.com in the relay-domains file.

Finally we must tell sendmail that it has a new configuration file.

#refresh -s sendmail

If sendmail is not active, then read the note below.

NOTE: If sendmail is not running you need to check if it's active using the
following command:

#lssrc -s sendmail
Subsystem         Group            PID     Status
 sendmail         mail             5424    active

If it's not active, start it up by issuing the following command:

#startsrc -s sendmail -a "-bd -q30m"

To test out anti-relaying, just don't list any domains in the
/etc/mail/relay-domains file and try to use this machine as a relay; it
should give the message "relay denied".

OTHER THINGS THAT CAN GO WRONG
------------------------------------------------------------------------
If you get an error message when you try to mail saying:

/etc/mail/sendmail.cf: line 140: fileclass: Cannot open
/etc/mail/local-host-names: A file or directory in the path name does not
exist.

This is the file that sendmail uses to figure out what messages it needs to
keep names of hosts for which we receive mail. You tell sendmail which
domains or host it is responsible for.

#vi /etc/mail/local-host-names

In this file you will add your hostname, aliases and any domains that this
host is responsible for. For example, a machine called carter who is
responsible for the following domains:

carter
carter.autin.ibm.com
ibm.com
austin.ibm.com

Thank you for using AIX Technical Support Services. If you have any
questions call 1800-CALLAIX.

-----Original Message-----
From: Miller, Dave (I.S.) [mailto:Dave.Miller@BHS.ORG]
Sent: Wednesday, December 10, 2003 10:31 AM
To: aix-l@Princeton.EDU
Subject: Re: Telnet port 25

Thanks for the replies. Maybe I should ask/approach this way... can I limit
telnet to respond only to certain IP addresses, or sendmail relays for that
matter?
thanks

-----Original Message-----
From: Bill Verzal [mailto:BVerzal@KOMATSUNA.COM]
Sent: Wednesday, December 10, 2003 12:22 PM
To: aix-l@Princeton.EDU
Subject: Re: Telnet port 25

smtp runs on port 25. You do not need sendmail running to send mail out of a
box. Once you stop sendmail, telnet to port 25 will be closed.

BV
--------------------------------------------------------
"If everything is coming your way, then you are in the wrong lane"
Bill Verzal
AIX Administrator, Komatsu America
(847) 970-3726 - direct
(847) 970-4184 - fax

"Miller, Dave (I.S.)" <Dave.Miller@BHS.ORG>
Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
12/10/2003 11:10 AM
Please respond to IBM AIX Discussion List <aix-l@Princeton.EDU>
To: aix-l@Princeton.EDU
cc:
Subject: Telnet port 25

Can someone point me in the right direction as to how I would easily
disallow telnet to port 25, but still allow telnet to port 23? I.e. I don't
want to be able to telnet to port 25 and send mail, but I still want to run
sendmail, and allow telnet... or am I looking at this wrong?
Thanks.

CONFIDENTIALITY NOTICE: This email communication and any attachments may
contain confidential and privileged information for the use of the
designated recipients named above.
If you are not the intended recipient, you are hereby notified that you have
received this communication in error and that any review, disclosure,
dissemination, distribution or copying of it or its contents is prohibited.
If you have received this communication in error, please reply to the sender
immediately or by telephone at (413) 794-0000 and destroy all copies of this
communication and any attachments. For further information regarding
Baystate Health System's privacy policy, please visit our Internet web site
at http://www.baystatehealth.com.
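The .mc edit and relay-domains step from the IBM note above, scripted as an added example (this is not code from the thread, from IBM, or from the sendmail project). It deletes, rather than comments out, the FEATURE lines the note removes, checks that promiscuous_relay is really gone before the m4 rebuild, and sanity-checks the entries in a relay-domains file. The sample aixsample.mc, the relay-domains contents and the scratch directory are constructed for the demo; the m4 rebuild itself still has to be run in /usr/samples/tcpip/sendmail/cf on the AIX host, as the note says.

```shell
#!/bin/sh
# Added example, not from the AIX-L thread or IBM's note.
# Automates the .mc edit the note describes and checks the result.

# Delete (not comment) the FEATURE() lines the note removes from aixsample.mc.
# usage: strip_relay_features IN.mc OUT.mc
strip_relay_features() {
    sed -e '/^FEATURE(promiscuous_relay)/d' \
        -e '/^FEATURE(genericstable)/d' \
        -e '/^FEATURE(mailertable)/d' \
        -e '/^FEATURE(virtusertable)/d' \
        -e '/^FEATURE(domaintable)/d' \
        -e '/^FEATURE(accept_unresolvable_domains)/d' \
        -e '/^FEATURE(accept_unqualified_senders)/d' \
        "$1" > "$2"
}

# Exit status 0 if the .mc still mentions promiscuous_relay anywhere.
# The note says commenting the line out is not enough, so a "dnl" prefix
# is deliberately not treated as safe here.
mc_mentions_promiscuous_relay() {
    grep -q 'promiscuous_relay' "$1"
}

# Check a relay-domains file: every non-blank line must be a host name,
# domain, or dotted IP/network prefix (letters, digits, dots, hyphens).
# Prints offending lines and returns 1 if any are found. An empty file is
# valid: it means nobody may relay, which is the state the note uses to test.
check_relay_domains() {
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case "$line" in
            *[!A-Za-z0-9.-]*) echo "bad relay-domains entry: $line"; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

demo() {
    dir=$(mktemp -d)
    # Constructed copy of the minimum .mc shown in the note (constructed input).
    cat > "$dir/aixsample.mc" <<'EOF'
divert(0)dnl
OSTYPE(aixsample)dnl
FEATURE(genericstable)dnl
FEATURE(mailertable)dnl
FEATURE(virtusertable)dnl
FEATURE(domaintable)dnl
FEATURE(allmasquerade)dnl
FEATURE(promiscuous_relay)dnl
FEATURE(accept_unresolvable_domains)dnl
FEATURE(accept_unqualified_senders)dnl
DOMAIN(generic)dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(uucp)
EOF
    strip_relay_features "$dir/aixsample.mc" "$dir/aix51.norelay.mc"
    if mc_mentions_promiscuous_relay "$dir/aix51.norelay.mc"; then
        echo "aix51.norelay.mc still allows promiscuous relay; do not run m4"
    else
        echo "aix51.norelay.mc ready for: m4 ../m4/cf.m4 aix51.norelay.mc > testmail.cf"
        cat "$dir/aix51.norelay.mc"
    fi
    # Constructed relay-domains: a domain, a network prefix, and one bad line.
    printf 'ibm.com\n10.1.2\nbad entry\n' > "$dir/relay-domains"
    check_relay_domains "$dir/relay-domains" \
        || echo "fix relay-domains before: refresh -s sendmail"
    rm -rf "$dir"
}

demo
```

Run it on the AIX box from a scratch copy first; the functions only touch the paths you pass them, so the real aixsample.mc and /etc/mail files are untouched until you copy the generated .mc into /usr/samples/tcpip/sendmail/cf and rebuild with m4 as the note describes.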
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:17:24 EDT