22.11. The /etc/mail/aliases file

A poorly or carelessly administered aliases file can easily be used to gain privileged status. For example, many vendors ship systems with a decode alias in the /etc/mail/aliases file. The intention is to provide an easy way for users to transfer binary files using mail. At the sending site the user converts the binary to ASCII with uuencode, then mails the result to the decode alias at the receiving site. That alias pipes the mail message through the /usr/bin/uuencode program, which converts the ASCII back into the original binary file.

Remove the decode alias line from your /etc/mail/aliases file. Similarly, every alias that executes a program that you did not place there yourself and check completely should be questioned and probably removed. Edit the aliases file vi /etc/mail/aliases and remove the following lines:


         # Basic system aliases -- these MUST be present.
         MAILER-DAEMON:  postmaster
         postmaster:    root

         # General redirections for pseudo accounts.
         bin:                   root
         daemon:                root
         games:                 root  (1)
         ingres:                root  (2)
         nobody:                root
         system:                root  (3)
         toor:                  root  (4)
         uucp:                  root  (5)

         # Well-known aliases.
         manager:               root  (6)
         dumper:                root  (7)
         operator:              root  (8)

         # trap decode to catch security attacks
         decode:                root  (9)

         # Person who should get root's mail
         #root:         marc
         
(1)(2)(3)(4)(5)(6)(7)(8)(9)
Remove all these lines

For the changes to take effect you will need to run:


         [root@deep] /# /usr/bin/newaliases
         

You need to prevent your Sendmail being abused by unauthorized users, Sendmail now includes powerful Anti-Spam features, which can help prevent your mail server from being abused by unauthorized users. To do this, make a change to the configuration file to block off spammers. Edit the sendmail.cf file, vi /etc/mail/sendmail.cf and change the line:


         O PrivacyOptions=authwarnings
         
To read:

         O PrivacyOptions=authwarnings,goaway
         
Setting the goaway option causes Sendmail to disallow all SMTP EXPN commands, it also causes it to reject all SMTP VERB commands and to disallow all SMTP VRFY commands. These changes prevent spammers from using the EXPN and VRFY commands in Sendmail.

You have to restrict who can examine the queues contents, ordinarily, anyone may examine the mail queue's contents by using the mailq command. To restrict who may examine the queues contents, you must specify the restrictmailq option in the /etc/mail/sendmail.cf file. With this option, Sendmail allows only users who are in the same group as the group ownership of the queue directory root to examine the contents. This allows the queue directory to be fully protected with mode 0700, while selected users are still able to see the contents.

Edit the sendmail.cf file, vi /etc/mail/sendmail.cf and change the line:


         O PrivacyOptions=authwarnings,goaway
         
To read:

         O PrivacyOptions=authwarnings,goaway,restrictmailq
         
Now we change the mode of our queue directory to be fully protected:

         [root@deep] /# chmod 0700 /var/spool/mqueue
         

Now re-start the sendmail process manually for the change to take effect:


         [root@deep] /# /etc/rc.d/init.d/sendmail restart
         

         Shutting down sendmail:                                          [  OK  ]
         Starting sendmail:                                             [  OK  ]
         

Tip: We have already added the goaway option to the line PrivacyOptions= in sendmail.cf file. Now we can just add the restrictmailq option to this line.

Any non-privileged user who attempts to examine the mail queue content will get this message:


         [user@deep /]$ /usr/bin/mailq
         

         You are not permitted to see the queue