Quotes DB: useful, funny, interesting
<0> narf
<1> Morning.
<2> hi
<3> is there a way to have a catchall email address for sendmail?
<4> yes.
<4> usually a mistake.
<4> though using it for rejections works well.
<3> basically i need something that will copy all the emails for users on the system to an inbox that can be checked by the manager.
<4> sendmail has no facilities for that.
<4> you'll need a milter.
<3> milter? what is that
<3> mta filter?
<5> how secure is sendmail dudes?
<5> sorry for the retarded question, I meant... what security measures can I take to further secure my sendmail server?
<5> I have done a few already
<5> I have hid sendmail welcome message and version
<5> I have also hid the local users so brute forcers will be clueless
<5> any other?
<5> anything I should perhaps?
<5> anything I should read rather
<4> hiding users seems an odd thing to do to a mail server. but anyway, what adversaries are you trying to handle?
<5> hiding local users prevents brute forcers from attempting to come from FTP using users accepted in sendmail
<5> or through shell and so on
<5> ssh rather
<5> I'm considering moving over to qmail
<5> especially after reading: http://www.securityfocus.com/columnists/400/1
<4> good.
<4> won't help anything.
<5> why so, going afk though... a sec
<4> qmail will happily bounce, so the cracker just needs a temporary drop box.
<5> I'm back
<5> I'm sorry, I might not be too familiar with the MTA terms.. but what do you mean qmail will happily bounce?
<4> qmail accepts mail for any address presented, good or bad. then later when it finds that it is bad it returns a mail message to the sender.
<4> anyway, have you decided who your adversaries are yet?
<5> yes, I assume sendmail does the same. And if not, wouldn't be able to just configure qmail?
<4> sendmail does not do the same, it rejects during smtp.
<5> not the settings I have, it accepts all emails to local users that don't exist to /dev/null
<5> which has a blinding effect on the exploiter
<5> won't know if the user exists or not
<4> if you say so.
<4> so, have you decided who your adversaries are yet?
<5> secondly, adversaries... no one specific... but I'm a very security conscious person and it has saved me a lot in the past.
<5> I'm mostly trying to block scanners, as far I don't display the sendmail version or that it's sendmail
<5> disabled the help command for obvious reasons
<5> one thing that bugs me about sendmail most is that it runs as root, which is VERY stupid.
<4> so adversaries, then how do you know when to stop trying to prevent things? how do you budget your efforts?
<5> and useless to begin with, so I'm currently trying to find out if you can run it as a normal or a noone user
<4> it is possible to run sendmail as other than root.
<5> I'll know when it's reasonably out of my hands, honestly.
<5> yes, that's my question... or even better... as the nobody user
<4> you aren't security paranoid if you run anything as nobody.
<4> anyway, it is trivial to run sendmail as any user you like.
<4> your main problem is getting your lda to be able to deliver mail.
<5> " you aren't security paranoid if you run anything as nobody", I'll take that as a sarcasm.
<4> nope.
<4> if you are paranoid about security nothing should run as nobody, you should have distinct uid's for each service (perhaps several, depends on the service).
<5> ah, yes... I see what you're saying.
<5> Yeah, I can imagine why you wouldn't want to use same users for more than one service.
<5> but running a service as root is just downright disgusting
<4> blah, blah.
<4> let me know when you throw away sshd.
<4> but anyway, if you were to read the sendmail documentation you would see the portions related to running it under any uid, including some issues that really aren't sendmail issues but people always seem to want sendmail to provide answers to.
<5> but hear this twkm, I have changed the port on my sshd, disabled root user from logging in and sshd has a way better reason to use root as its running user.
<5> Plus it's far more secure than sendmail considering its past
<4> oh really?
<4> better reason?
<5> yes indeed,
<5> ever heard of the su command?
<5> :)
<4> yeah. sure, sendmail can't deliver your mail until you provide your password. you'd love that.
<4> hahahaha.
<5> no, I'm just saying it shouldn't use root as its running user... as there isn't a particular reason. But for sshd, it's a must and again I repeat... its security history far surpasses sendmail's
<4> it isn't a must for sshd either.
<5> yes it is, how would one login as root then?
<4> sshd could run as foo then invoke a private suid root binary to switch to the target uid.
<4> that would limit sshd's exposure time.
<4> anyway, i don't much care about sshd. moving on.
<4> you can run sendmail as non-root.
<4> trivially.
<5> I don't like that word :P
<4> now, how do you want your mail delivered?
<5> considering I'm not an expert in Linux
<4> yet you are jamming your expertness at me as if you were.
<5> oh, I was not!
<5> just voicing my concern, hoping to hear your opinion
<5> which I have :)
<5> anyhow, what do you mean how do I want my mail delivered?
<4> well, the usual way requires root, so it can switch to the recipient's uid so that their private files can be written.
<4> since you don't want that you'll need an alternative.
<4> (all this *is* covered in the documentation -- of course)
<5> oh, I should mention I don't want outside email going to local users at all
<5> oh, now I've confused you further
<5> sorry, I'll rephrase
<4> does your mta do any local delivery, or is it just to tease people?
<4> perhaps it only relays to some other server?
<4> if it does any local delivery then your lda must be able to handle the issue.
<5> okay, this is my goal... all I want to do is forward emails for my sites using virtual users (which I have successfully done), for example... an email sent to user@virtualdomain.com will forward to specificuser@yahoo.com. That's the only reason why I'm trying to run my own MTA. I want local users to email each other freely, however all smtp coming from the outside world should only send emails to the domains allowed and not to local users, example user@alloweddomain.com ... meh, I'm sorry if this isn't proper explanation or confusing.
<5> did I scare you away twkm? :-S
<4> no, i just have a few other irons in the fire.
<4> you need to do anti-spam as well, else you end up forwarding spam and then the destination comes to hate your service.
<5> ahah! That's the kind of advice I need!
<5> I was thinking of using black list protection, I'm assuming that's not enough?!
<5> example: FEATURE(`dnsbl', `relays.ordb.org', `551 Rejected - see http://ordb.org/')dnl
<4> that will get a small part of the spam.
<5> FEATURE(dnsbl, `bl.spamcop.net', `"552 Spam blocked see: http://spamcop.net/bl.shtml?"; $&{client_addr}')dnl
<5> <- too and many more
<5> I'm tempted to paste the whole list I've come across, however I'm assuming you don't allow pasting/spamming here.
<5> I'll paste it in the pastebin
<4> spamcop will probably just annoy your users. anyway, dnsbl's won't save you, just reduce the damage a little.
<5> how will spamcop annoy "my" users?
<4> false triggers. might even accidentally blacklist your own users, unless you've got delayed checks and/or a whitelist worked out.
<6> spamcop blacklisted gmail last week.
<6> my users were not amused
<4> anyway, that's more along the lines of religion than security of sendmail.
<4> since you are only ever forwarding you don't care about local deliveries (you should, what if remote deliveries *are* the problem?) so there are likely no issues with running sendmail as other than root.
<4> just make sure that mqueue is 700 and owned by whomever you set sendmail to run as.
<5> http://paste.lisp.org/display/21987 btw
<5> okay twkm, thanks for the sound advice. I should also mention that it won't be forwarding all emails, forwarding will be done for only like 6 emails.
<4> ahh, then you need local deliveries, which puts you once again against the wall.
<5> so basically spamcop won't interfere I'm hoping as there'll only be emails going to 6 different email addresses.
<4> not to. from.
<5> I won't do local deliveries at all
<4> probably a mistake, but that's your decision.
<4> other programs might generate mail, perhaps to root. how will you get it? forward it off-site -- okay, but what if off-site forwarding is what is broken? lost mail can be a issue, especially if it has the original clues to the problem.
<6> just use a firewall to formard port 25 to where you want it to go
<4> heh.
<6> no. really.
<5> Basically, to recap and or clear up further. I want a forwarding MTA only. That will only forward to 6 different email address from the outside world, and possibly all going to @yahoo.com. Since I haven't had the need to allow local users to receive emails in the past from the outside world. I see no reason to allow that. And it's you should mention programs sending monitoring emails to root, that's another issue I was planning to tackle in the future.
<5> it's funny you should mention* that is
<5> I'm in no rush though, I already have my registrar do email forwards for me now...
<6> i must be dyslexic
<6> formard?
<5> email@mydomain.com goes to some free email service (example email@yahoo.com)
<6> here's an idea. get a gmail email service
<6> let google deal with the headaches
<5> haha, I don't think I communicated my goals as clearly as I'd have liked. I should mention that I want to present my site users with a professional email address and not be embarrassed by a @yahoo or @gmail email address. As far, my domain registrar is doing this perfectly for me... but like I said above, I'm trying to do it myself rather than depend on my registrar
<5> for example, if I own abc.com, I'd like to display my email address on that site as webmasterORanyuser@abc.com
<5> and the destination finally being abcsiteemail@yahoo.com or @gmail.com
<6> you can do that with an mx record
<5> Like I said also, I have done this perfectly. I'm just at this point trying to secure sendmail
<4> google will run any @fqdn.
<4> anyhow, documentation tells you how to set the running uid.
<5> I can do that an mx record pip?
<5> thanks twkm
<5> I have never heard of or could even imagine mx records that forward emails for you lol
<5> pip, what are you smoking :P
<4> google will handle any domain's mail.
<4> not just @gmail
Return to #sendmail