Sendmail tales

Christos Ricudis ricudis at paiko.gr
Fri Aug 24 22:43:01 EEST 2001


Hello All!

Those who know me know that I am a fanatical sendmail guy.

Lately I have been building a new installation where I wanted to pay a bit
more attention to security [1] than I usually do [2]. So I set up a super-
duper-whizzly-squirlbang [3] setup which naturally uses my favourite MTA.

I wanted to use TLS [4] and SASL authentication [5] in sendmail, which are
supported from version 8.11 onwards. The problem is that using either of the
two requires an alternate stdio library called sfio [12]. As you can imagine,
anything that tries to replace stdio is doomed to be uncompilable in
combination with almost anything else, because of endless and unresolvable
stdio.h clashes.

The problem does not exist on BSD systems, which as everybody knows are
superior and use Chris Torek's stdio implementation, but it does exist on
everything else, including Solaris, which is what the machine in question
runs. On usenet I found countless people asking about the same problem; the
best answer was 'switch to BSD'.

In the end I settled on Sendmail 8.12, which, although beta, does not require
sfio for TLS, and also offers some other advantages, such as a split server
scheme for enhanced security: it runs in 2 modes, MTA daemon mode with root
privileges and delivery mode as an unprivileged user. Yes, it requires 2
configuration files, etc. etc., but the sendmail binary is no longer setuid
root. An extremely disgusting and filthily tangled scheme, exactly the way I
like it.

Other interesting features of 8.12 are:

* Use of buffered I/O on all platforms.

* Concurrent SMTP delivery in certain cases; extremely good.

* Multiple queues and queue groups, for those who demand an even more
disgusting and tangled sendmail installation than the one they already have.

* It also has a very nice document on performance tuning.

Those in the know will know that my favourite way of building the sendmail
configuration is to shove rules into sendmail.cf by hand. It seems I am going
through menopause, because these days I try to avoid it. So I made my own .mc
files, which I use in almost all my installations. I list them below:

divert(-1)
#
# Copyrights snipped so that this thing does not grow too big
#
divert(0)dnl
VERSIONID(`$Id: generic-solaris2.mc,v 8.11 1999/02/07 07:26:03 gshapiro Exp $')
define(`DATABASE_MAP_TYPE', `text -k 0 -v 1')dnl
OSTYPE(solaris8)dnl
DOMAIN(generic)dnl
FEATURE(local_procmail)dnl
FEATURE(mailertable)dnl
FEATURE(domaintable)dnl
FEATURE(genericstable)dnl
FEATURE(virtusertable)dnl
FEATURE(`access_db', `text -k 0 -v 1 -T<TMPF> /etc/mail/access', `skip')dnl
FEATURE(lookupdotdomain)dnl
FEATURE(redirect)dnl
FEATURE(blacklist_recipients)dnl
FEATURE(compat_check)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
MAILER(bzuucp)dnl

Some useful comments and observations:

The define(`DATABASE_MAP_TYPE', `text -k 0 -v 1') sets the default map type
to plaintext. What is it good for? If you have to run makemap every time you
change something in /etc/mail/, sooner or later you will forget to do it. I do
not think a plain text lookup is that expensive anymore when we are talking
about files of 50 lines at most.

I use the classic funky sendmail features (mailertable, domaintable,
genericstable, virtusertable, redirect, blacklist_recipients). The access_db
definition is a bit different from the usual one because of the required use
of -T<TMPF> [13].
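To make the two points above concrete (a plain-text map with key column 0 and value column 1, and how an access_db lookup walks an address from most to least specific, including the leading-dot entries that lookupdotdomain adds and the SKIP value that the third access_db argument enables), here is an added Python model. It is not sendmail's code and simplifies the real lookup order; the sample access file is constructed for the example.

```python
"""Model of a sendmail 'text -k 0 -v 1' map and an access_db-style lookup.
Added illustration, not sendmail's own implementation: the real rulesets try
more key forms (tags such as From:/Connect:, user+detail@) than shown here."""
from typing import Dict

# Constructed sample access file (not from the original post).
SAMPLE_ACCESS = """\
# key                    value
spam.example.net         REJECT
.partner.example.org     RELAY
mail.customer.example    SKIP
customer.example         REJECT
"""


def parse_text_map(text: str, key_col: int = 0, val_col: int = 1) -> Dict[str, str]:
    """Read a whitespace-separated text map ('-k 0 -v 1' picks the columns).
    '#' comment lines and blank lines are ignored; keys are lowercased because
    domains and addresses are matched case-insensitively."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) <= max(key_col, val_col):
            continue  # malformed line with too few columns: ignore it
        entries[cols[key_col].lower()] = cols[val_col].upper()
    return entries


def access_lookup(entries: Dict[str, str], addr: str,
                  dot_domain: bool = True, default: str = "OK") -> str:
    """Try the keys access_db would try for 'user@host.dom', most specific
    first: the full address, then each parent domain (never the bare TLD),
    then 'user@'. With dot_domain (lookupdotdomain) a '.dom' entry matches
    subdomains of dom but not dom itself. A SKIP hit ends the walk with the
    default result, as with FEATURE(`access_db', ..., `skip')."""
    addr = addr.lower()
    local, _, host = addr.rpartition("@")
    candidates = [addr] if local else []
    labels = host.split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        candidates.append(suffix)
        if dot_domain and i > 0:
            candidates.append("." + suffix)
    if local:
        candidates.append(local + "@")
    for key in candidates:
        value = entries.get(key)
        if value == "SKIP":
            return default
        if value is not None:
            return value
    return default
```

Because the map is plain text, editing /etc/mail/access and re-reading it is all it takes; nothing has to be rebuilt with makemap.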

As always, I use procmail as the local delivery agent. The only bad thing
about procmail is that it does not support LMTP. I hope they fix that in the
next release.

bzuucp is a tweaked uucp mailer definition that compresses the uucp batches
with bz2. If you are really interested in what is inside it, you are in
*URGENT* need of benzodiazepines, lithium and tricyclic antidepressants. Visit
your neighbourhood psychiatrist for the relevant prescription.

That is all for now. In my next novella I will describe setting up an
antivirus as a filter in sendmail, so that the animals using your system are
spared sircamia and other living microorganisms. Until then, good night.

--
Christos Ricudis

In God we trust.
All others must present a valid X.509 certificate.


[1] Basically, they agreed to pay me to do it.

[2] That is, not at all.

[3] The default description of my setups.

[4] This feature exists mainly for show, because in practice it is almost
useless [6], except for one case [7].

[5] This one, on the contrary, is very useful: it allows selective relaying
based on authentication. It is designed so that IT support can stop turning
questions of the type 'Why can't I use the company mail server from home over
my FrothNET [9] connection', from people who will never understand what 'SPAM
relay prevention' means, into questions of the type 'HOW can I use the
company mail server from home etc. etc.'.

[6] In 99% of the cases not covered by [7], SMTP traffic contains nothing
particularly interesting from a security standpoint that would be worth
encrypting, apart from the 1% of cases where Maxim's sets its h4ck3rzzz on
intercepting the dolmadakia recipe that your secretary sends to her niece.

[7] What is described in [6] is implemented using SASL, which will be familiar
to anyone who has ever had the misfortune of setting up Cyrus IMAP. The main
problem with SASL is that it requires a separate authentication database
(CRAM-MD5), which means you have user/password information in two places. If
you use PLAIN authentication, you can authenticate users against the classic
system user database (PAM, /etc/passwd, etc.). In that case, however, you are
vulnerable to eavesdropping, since the password is sent in plaintext. One
solution is the combination of SASL and TLS [10]. The right solution, of
course, is to use MD5 passwords everywhere [11].

[9] Fictitious ISP name used in examples. Similarly, names like "America Off
Line" etc. etc. are used. These names have no relation to real ISPs and any
resemblance should be considered coincidental.

[10] This solution was implemented on the same system for the IMAP connections.

[11] At this point I started getting bored, so I picked the other solution.

[12] And it has THE UGLIEST build/configuration system I have ever seen in any
piece of software. It is worth looking at just for that.

[13] I will not elaborate, because anyone who cares enough to wonder what this
does has already looked it up.



More information about the Linux-greek-users mailing list