A poorly or carelessly administered aliases file can easily be used to gain privileged status. For example, many vendors ship systems with a decode alias in the /etc/mail/aliases file. The intention is to provide an easy way for users to transfer binary files using mail. At the sending site the user converts the binary to ASCII with uuencode, then mails the result to the decode alias at the receiving site. That alias pipes the mail message through the /usr/bin/uuencode program, which converts the ASCII back into the original binary file.
Remove the decode alias line from your /etc/mail/aliases file. Similarly, every alias that executes a program that you did not place there yourself and check completely should be questioned and probably removed. Edit the aliases file vi /etc/mail/aliases and remove the following lines:
# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
games: root
ingres: root
nobody: root
system: root
toor: root
uucp: root
# Well-known aliases.
manager: root
dumper: root
operator: root
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
#root: marc
|
For the changes to take effect you will need to run:
[root@deep] /# /usr/bin/newaliases
|
You need to prevent your Sendmail being abused by unauthorized users, Sendmail now includes powerful Anti-Spam features, which can help prevent your mail server from being abused by unauthorized users. To do this, make a change to the configuration file to block off spammers. Edit the sendmail.cf file, vi /etc/mail/sendmail.cf and change the line:
O PrivacyOptions=authwarnings
|
To read:
O PrivacyOptions=authwarnings,goaway
|
Setting the
goaway option causes Sendmail to disallow all
SMTP EXPN commands, it also causes it to reject all
SMTP VERB commands and to disallow all
SMTP VRFY commands. These changes prevent spammers from using the
EXPN and
VRFY commands in Sendmail.
You have to restrict who can examine the queues contents, ordinarily, anyone may examine the mail queue's contents by using the mailq command. To restrict who may examine the queues contents, you must specify the restrictmailq option in the /etc/mail/sendmail.cf file. With this option, Sendmail allows only users who are in the same group as the group ownership of the queue directory root to examine the contents. This allows the queue directory to be fully protected with mode 0700, while selected users are still able to see the contents.
Edit the sendmail.cf file, vi /etc/mail/sendmail.cf and change the line:
O PrivacyOptions=authwarnings,goaway
|
To read:
O PrivacyOptions=authwarnings,goaway,restrictmailq
|
Now we change the mode of our queue directory to be fully protected:
[root@deep] /# chmod 0700 /var/spool/mqueue
|
Now re-start the sendmail process manually for the change to take effect:
[root@deep] /# /etc/rc.d/init.d/sendmail restart
|
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
|
: We have already added the goaway option to the line PrivacyOptions= in sendmail.cf file. Now we can just add the restrictmailq option to this line.
Any non-privileged user who attempts to examine the mail queue content will get this message:
[user@deep /]$ /usr/bin/mailq
|
You are not permitted to see the queue
|