SPAM and Unix sendmail
Antispam Configurations for Sendmail
All Unix systems come with some form of sendmail listening on the SMTP port for incoming mail connections. Unfortunately, the sendmail delivered with most Unix operating systems is vulnerable to both hacking and mail relaying. You should strongly consider turning off the sendmail daemon unless you plan to use the system for receiving mail. If you turn off the sendmail daemon, which listens for incoming mail, you can still send mail from the system.
- Evaluate the Need for Sendmail
- Editing the Sendmail Startup Script
- Installing or Upgrading Sendmail Binaries & Sendmail.cf
- Installation Instructions
- Troubleshooting Tips
- Facts (or FAQs) about the sendmail binaries and CFs
- Where to Go for Help!
- Do you need to run sendmail
- If you never need to receive mail, then you do not need the sendmail daemon; for instance, if all your users receive mail on the Information Technology systems or on another system in your department. Consider the following before deciding whether you need to run a sendmail daemon.
- If you turn off the sendmail daemon, you can still send mail from your Unix server (i.e., logs and cron mail will still be delivered).
- If you turn off the sendmail daemon, you will no longer be vulnerable to mail relay attacks or sendmail root compromises.
- Editing the Sendmail Startup Script
- To disable sendmail for incoming mail connections you must edit the sendmail startup script. On most systems, this startup script is /etc/init.d/sendmail or /sbin/init.d/sendmail. For older SunOS systems it is /etc/rc.local. Remove the -bd option from the line which actually starts sendmail. After editing, the line should look like:
/usr/sbin/sendmail -q30m
or
/usr/lib/sendmail -q1h
without the -bd option.
Once the changes are complete, reboot the system. Telnet to port 25:
telnet systemname 25
If you get connection refused, you were successful.
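The edit described above can be previewed before touching the real startup script. The following is an added example, not part of the UC Davis instructions: the sample startup script is constructed, and the function names listener_lines and strip_bd are hypothetical. It only handles -bd written as a separate, whitespace-delimited flag on a line that names sendmail.

```shell
#!/bin/sh
# Added example (not UC Davis code). The sample startup script is constructed.

sample_script() {
    cat <<'EOF'
#!/bin/sh
# start sendmail with -bd to accept SMTP connections
case "$1" in
start)
    /usr/sbin/sendmail -bd -q30m &
    ;;
esac
EOF
}

# Print "lineno:line" for each uncommented sendmail line that still carries -bd.
listener_lines() {
    awk '
        /^[ \t]*#/ { next }
        tolower($0) ~ /sendmail/ && (/[ \t]-bd[ \t]/ || /[ \t]-bd$/) { print NR ":" $0 }
    ' "$1"
}

# Print the script with -bd removed from those lines; comments are left alone.
strip_bd() {
    awk '
        /^[ \t]*#/ { print; next }
        tolower($0) ~ /sendmail/ { gsub(/[ \t]+-bd[ \t]+/, " "); sub(/[ \t]+-bd$/, "") }
        { print }
    ' "$1"
}

# Demo: check the file given as $1, or the constructed sample if none is given.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp) && sample_script > "$target"
fi
echo "Lines that start a listening daemon:"; listener_lines "$target"
echo "Proposed edit:"; strip_bd "$target"
```

Review the proposed output against the original before replacing the startup script, and keep a copy of the original file.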
- Installing or upgrading sendmail binaries & sendmail.cf
- Regardless of whether or not you opt to turn off sendmail, we strongly recommend installing the latest sendmail binary and cf file from http://email.ucdavis.edu/sendmail.d. These sendmail binaries and cf files are maintained for the UC Davis community for several reasons:
- By installing the binaries, you're assured the latest patch level of sendmail. This prevents root compromises if you are running the sendmail daemon.
- You obtain cf files that provide the latest spam relaying blocks.
- You configure your server to use the UCD smart mail hub for mailid translation from login@host.ucdavis.edu to mailid@ucdavis.edu.
- Installation Instructions:
- Kill all sendmail processes
/etc/init.d/sendmail stop, ps -e | grep send and kill [pid], or something similar
- Fetch the proper sendmail binary from the binaries directory
http://email.ucdavis.edu/sendmail.d/binaries
If your OS or architecture is not represented, contact Dave Zavatson (dhzavatson@ucdavis.edu) and he will assist you in creating a binary.
- Fetch the proper ucd-OSTYPE cf from the cf-files dir
http://email.ucdavis.edu/sendmail.d/cf-files
- Determine where sendmail lives on your system
which sendmail will return the path
- Make a copy of your current sendmail files:
Note that the sendmail binary will exist in the same location as your current sendmail binary, but the sendmail.cf will exist as /etc/sendmail.cf, regardless of the location of your current sendmail.cf
mv sendmail sendmail.old
mv sendmail-[VERSION-OSTYPE] sendmail
mv /etc/sendmail.cf /etc/sendmail.cf.old (if sendmail.cf exists)
mv ucd-[OSTYPE] /etc/sendmail.cf
- Check permissions
Sendmail often gets blamed for many problems that are actually the result of other problems, such as overly permissive modes on directories. For this reason, sendmail checks the modes on system directories and files to determine whether they can be trusted. For sendmail to run without complaining, you MUST execute the following commands:
chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
- Start sendmail
/etc/init.d/sendmail start, /sbin/init.d/sendmail start, or reboot
- Troubleshooting Tips
- Sendmail is very particular about /usr and /etc permissions. If you get 'unsafe map' errors, try:
chmod 755 /etc /usr
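To see which directories would fail the mode and ownership checks described in the "Check permissions" step and in the tip above, without changing anything, the directory list from the chmod/chown commands can be audited first. This is an added example, not part of the UC Davis instructions; the function names audit_dir and audit_all are hypothetical, and the expected owner is passed as a numeric uid (0 for root) so the check can also be tried on scratch directories.

```shell
#!/bin/sh
# Added example (not UC Davis code): read-only audit of the directories
# listed in the chmod/chown commands on this page.

SENDMAIL_DIRS="/ /etc /etc/mail /usr /var /var/spool /var/spool/mqueue"

# audit_dir DIR [UID]: print one finding per problem; return 1 if any was found.
audit_dir() {
    dir=$1; want=${2:-0}; rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not present, skipped"
        return 0
    fi
    # -L follows symlinks (e.g. a linked /etc/mail), -n prints the numeric owner.
    mode=$(ls -ldLn "$dir" | awk '{print $1}')
    owner=$(ls -ldLn "$dir" | awk '{print $3}')
    # In "drwxrwxrwx", character 6 is group write and character 9 is other write.
    case $(printf %s "$mode" | cut -c6) in
        w) echo "$dir: group-writable ($mode)"; rc=1 ;;
    esac
    case $(printf %s "$mode" | cut -c9) in
        w) echo "$dir: world-writable ($mode)"; rc=1 ;;
    esac
    if [ "$owner" != "$want" ]; then
        echo "$dir: owned by uid $owner, expected uid $want"; rc=1
    fi
    return $rc
}

# audit_all UID DIR...: audit every directory; succeed only if all are clean.
audit_all() {
    uid=$1; shift; fails=0
    for d in "$@"; do
        audit_dir "$d" "$uid" || fails=$((fails + 1))
    done
    [ "$fails" -eq 0 ]
}

# Demo: check the real system directories against root (uid 0).
audit_all 0 $SENDMAIL_DIRS || echo "findings listed: apply chmod go-w / chown root to those paths"
```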
- Facts about the UCD sendmail configuration files
- The sendmail configuration files are fairly standardized so that they run in a predictable and similar manner on various platforms. Following is a list of settings which may be different than your default sendmail configuration.
- Other hosts or domains for which your server delivers mail need to be added to /etc/mail/sendmail.cw. Restart sendmail after modifying this file.
- All mail which is generated on your host or routed through your host not destined for local delivery will be forwarded to smtp.ucdavis.edu.
- Mail routed to smtp.ucdavis.edu will undergo loginid@host.ucdavis.edu to mailid@ucdavis.edu translation before being delivered.
- Local aliases must be in /etc/mail/aliases. You must run newaliases after adding aliases or upgrading sendmail.
- Sites or domains which should be allowed to relay through your host can be added to /etc/mail/relay-domains. Use this carefully. Make sure you trust the hosts which you add to this file. Restart sendmail after modifying this file.
- Where to go for Help...
- If you do not find the binary for your system on the ftp site, send a request for assistance to sysadmin@ucdavis.edu. The ISM System Administration group will assist in compiling the latest version of sendmail for any platform, provided you create an account on your system for their use.