
16.8 EXERCISES
E16.1 Explore your local NFS setup. Is NFS used, or is a different solution in
place? Is automounting used? What tradeoffs have been made?
E16.2 What is the relationship between mountd, nfsd, and portmap? What
does NFS's dependency on portmap mean in terms of security?
E16.3 What are some of the design ramifications of NFS being a stateless protocol?
In particular, discuss any effects statelessness has on file locking,
access permissions, and security. How would a stateful network filesystem
differ from NFS?
E16.4 Your employer needs you to export /usr and /usr/local through NFS.
You have been given the following information and requests:
a) Because of office politics, you want only your department (local subnet
192.168.12?.0/24) to be able to use these exported filesystems.
What lines must be added to what files to implement this configuration?
Pay attention to the proper export options.
b) List the steps needed to make mountd and nfsd recognize these new
shared filesystems. How could you verify that the directories were
being shared without mounting them?
c) Outline a strategy that would make all machines on your local subnet
automatically mount the exported directories on the mount points
/mnt/usr and /mnt/usr/local.
17 Sharing System Files
A properly functioning system depends on tens, perhaps hundreds, of configuration
files all containing the right pieces of information. When you multiply the number
of configuration files on a host by the number of hosts on a network, the result can
be thousands of files: too many to manage by hand.
In the real world, machines are often similar from an administrative point of view.
Instead of editing text files on each machine, you can, for efficiency, combine machines
into groups that share configuration information. You can combine machines
in several different ways.
The simplest way is to keep a master copy of each configuration file in one place and
distribute it to members of the group whenever the file changes. This solution has the
advantages of being simple and working on every Linux (and UNIX) system.
Another approach is to eliminate text files altogether and have each machine obtain
its configuration information from a central server. This solution is more complicated
than file copying, but it solves some additional problems. For example, clients
can't miss updates, even if they are down when a change is made. It may also be
faster to obtain information from a server than from a file, depending on the speed of
the local disk and the amount of caching performed by the server. On the other hand,
the entire network can hang when the central server goes down.
To add to the challenge, most organizations today are faced with supporting a mix
of platforms (some UNIX, some Linux, and some Windows), and users are increasingly
annoyed when they have to deal with inconveniences such as having to
remember (and change) a different password on each platform. Synchronizing
configuration and user information across wildly different systems (such as Windows
and Linux) was once just a pipe dream. Today, it is commonplace.
The history of attempts to develop distributed administrative databases for large
networks stretches back several decades and has produced a number of interesting
systems. However, none of the systems currently in general use seem exactly right in
their approach. Some are simple but not secure and not scalable. Others are functional
but unwieldy. All the systems seem to have limitations that can prevent you
from setting up the network the way you want to, and none of them manage all the
information you may want to share across your machines.
In this chapter we first discuss some basic techniques for keeping files synchronized
on a network. We then describe NIS, a historically popular database system originally
introduced for UNIX. Finally, we address LDAP, a more sophisticated, platform-independent
system that is becoming the de facto standard. Most sites today are
migrating toward LDAP, driven largely by Microsoft's adoption of (most of) the
LDAP standard in their Active Directory product and the desire to better integrate
Linux and Windows environments.
17.1 WHAT TO SHARE
Of the many configuration files on a Linux system, only a subset can be usefully
shared among machines. The most commonly shared files are listed in Table 17.1.
Table 17.1 System files that are commonly shared

Filename                Function
/etc/passwd             User account information database
/etc/shadow (a)         Holds shadow passwords
/etc/group              Defines UNIX groups
/etc/hosts              Maps between hostnames and IP addresses
/etc/networks (b)       Associates text names with IP network numbers
/etc/services           Lists port numbers for well-known network services
/etc/protocols          Maps text names to protocol numbers
/etc/ethers (b)         Maps between hostnames and Ethernet addresses
/etc/mail/aliases       Holds electronic mail aliases
/etc/rpc                Lists ID numbers for RPC services
/etc/netgroup (b)       Defines collections of hosts, users, and networks
/etc/cups/printcap      Printer information database
/etc/printcap.cups      Printer information database (alternative path)
/etc/termcap            Terminal type information database

a. Not necessarily sharable with other flavors of UNIX since the encryption can vary; see page 96.
b. Not used on all systems.
Many other configuration files can potentially be shared among systems, depending
on how similar you want machines at your site to be. For the most part, these other
configuration files are associated with specific applications (e.g., /etc/sendmail.cf
for sendmail) and are not supported by administrative database systems such as NIS
and LDAP; you must share the files by copying them.
See page 681 for more information about PAM.
Historically, many of the files in Table 17.1 have been accessed through routines in
the standard C library. For example, the /etc/passwd file can be searched with the
getpwuid, getpwnam, and getpwent routines. These routines take care of opening,
reading, and parsing the passwd file so that user-level programs don't have to do it
themselves. Modern Linux distributions also use pluggable authentication modules
(PAM), which afford a standard programming interface for performing security-related
lookups. PAM allows systems such as Kerberos and LDAP to be easily integrated
into Linux.
Administrative database systems complicate matters by providing alternative sources
for much of this information. The traditional C library routines (getpwent, etc.) are
aware of the common database systems and can access them in addition to (or instead
of) the standard flat files. The exact complement of data sources that are consulted
is set by the system administrator; see Prioritizing sources of administrative
information on page 515 for details.
17.2 NSCD: CACHE THE RESULTS OF LOOKUPS
On some distributions, another finger in the system file pie belongs to nscd, the
somewhat misleadingly titled name service cache daemon. nscd works in conjunction
with the C library to cache the results of library calls such as getpwent. nscd is
simply a wrapper for these library routines; it knows nothing about the actual data
sources being consulted. nscd should in theory improve the performance of lookups,
but any improvement is largely unnoticeable from the user's subjective view.
See Chapter 15 for more information about DNS.
We say that "name service cache daemon" is misleading because the term "name service"
usually refers to DNS, the distributed database system that maps between
hostnames and Internet addresses. nscd does in fact cache the results of DNS lookups
(because it wraps gethostbyname, etc.), but it also wraps the library routines
that access information from the passwd and group files and their network database
equivalents. (For security, lookups to /etc/shadow are not cached.)
In concept, nscd should have no effect on the operation of the system other than to
speed up repeated lookups. In practice, it can cause unexpected behavior because it
maintains its own copy of the lookup results. Lookups are stored in the cache for a
fixed amount of time (set in nscd's configuration file, /etc/nscd.conf), and there is
always the possibility that recent changes will not be reflected in nscd's cache until
the previous data has timed out. nscd is smart enough to monitor local data sources
(such as /etc/passwd) for changes, so local updates should propagate within 15 seconds.
For remote entries, such as those retrieved through NIS, you may have to wait
for the full timeout period before changes take effect.
Among our example distributions, only SUSE runs nscd by default. Fedora and
RHEL install nscd but do not start it at boot time by default; to enable the use of
nscd, just run chkconfig nscd on. Debian and Ubuntu are nscd compatible but do
not include nscd in the default installation; run apt-get install nscd to download it.
nscd starts at boot time and runs continuously. The default /etc/nscd.conf specifies
a timeout of 10 minutes for passwd data and an hour for hosts and group, with a 20-second
negative timeout (the amount of time before an unsuccessful lookup is retried).
In practice, these values rarely need changing. If a change you recently made
doesn't seem to show up, nscd is probably the reason.
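The following script is an added example, not code from the book: it reads the per-database time-to-live values out of an nscd.conf (a constructed sample with the default values described above is embedded, so nothing on the host is touched) and shows the command that flushes one database when a change must become visible before its TTL expires. The nscd -i invalidation flag is glibc's; everything else here is ours.

```shell
#!/bin/sh
# Added example (not from the book): inspect nscd.conf TTLs and flush a
# cached database.  The configuration text is a constructed sample that
# mirrors the defaults the text describes (passwd 10 min, hosts/group 1 h,
# 20 s negative), so the script runs without nscd installed.
SAMPLE_NSCD_CONF='
# nscd.conf (constructed sample)
	enable-cache		passwd		yes
	positive-time-to-live	passwd		600
	negative-time-to-live	passwd		20
	enable-cache		group		yes
	positive-time-to-live	group		3600
	negative-time-to-live	group		60
	enable-cache		hosts		yes
	positive-time-to-live	hosts		3600
	negative-time-to-live	hosts		20
'

# nscd_ttl <conf-text> <database> <positive|negative>
# Print the configured time-to-live in seconds, or 0 if none is set.
nscd_ttl() {
    printf '%s\n' "$1" | awk -v db="$2" -v kind="$3-time-to-live" '
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 == kind && $2 == db { print $3; found = 1; exit }
        END { if (!found) print 0 }'
}

# nscd_cached <conf-text> <database>: exit 0 if caching is enabled for db.
# shadow never appears here, matching the text: shadow lookups are not cached.
nscd_cached() {
    printf '%s\n' "$1" | awk -v db="$2" '
        /^[ \t]*#/ { next }
        $1 == "enable-cache" && $2 == db { on = ($3 == "yes") }
        END { exit (on ? 0 : 1) }'
}

# nscd_flush <database>: discard cached entries so the next getpw*/gethost*
# call reaches the real source (flat file, NIS, LDAP).  Needs root and a
# running nscd, so this script defines it but does not call it.
nscd_flush() {
    nscd -i "$1"
}

# Report how long a stale remote (e.g. NIS) entry could linger per database.
main() {
    for db in passwd group hosts; do
        if nscd_cached "$SAMPLE_NSCD_CONF" "$db"; then
            printf '%-7s positive TTL %5ss, negative TTL %3ss\n' "$db" \
                "$(nscd_ttl "$SAMPLE_NSCD_CONF" "$db" positive)" \
                "$(nscd_ttl "$SAMPLE_NSCD_CONF" "$db" negative)"
        fi
    done
}
main
```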
17.3 COPYING FILES AROUND
Brute-force file copying is not an elegant solution, but it works on every kind of machine
and is easy to set up and maintain. It's also a reliable system because it minimizes
the interdependencies among machines (although it may also make it easier
for machines to fall out of sync). File copying also offers the most flexibility in terms
of what can be distributed and how. Indeed, it is also often used to keep applications
and data files up to date as well as system files.
Quite a few configuration files are not supported by any of the common database services.
Some examples are /etc/ntp.conf, which determines how hosts keep their
clocks synchronized, and /etc/sendmail.cf, which tells sendmail how to deliver
mail. To keep such files in sync (which is usually wise), you really have no choice but
to use some sort of file-copying system, even if you distribute other types of configuration
information through NIS or LDAP.
File-copying systems can use either a "push" model or a "pull" model. With push,
the master server periodically distributes the freshest files to each client, whether
the client wants them or not. Files can be pushed explicitly whenever a change is
made, or they can simply be distributed on a regular schedule (perhaps with some
files being transferred more often than others).
The push model has the advantage of keeping the distribution system centralized on
one machine. Files, lists of clients, update scripts, and timetables are all stored in one
place, making the scheme easy to control. One disadvantage is that each client must
allow the master to modify its system files, thereby creating a security hazard.
In a pull system, each client is responsible for updating itself from the server. This is
a less centralized way of distributing files, but it is also more adaptable and more
secure. When data is shared across administrative boundaries, a pull system is especially
attractive because the master and client machines need not be run by the same
administrative group or political faction.
rdist: push files
The rdist command is the easiest way to distribute files from a central server. It has
something of the flavor of make: you use a text editor to create a specification of the
files to be distributed, and then you use rdist to bring reality into line with your specification.
rdist copies files only when they are out of date, so you can write your specification
as if all files were to be copied and let rdist optimize out unnecessary work.
rdist preserves the owner, group, mode, and modification time of files. When rdist
updates an existing file, it first deletes the old version before installing the new. This
feature makes rdist suitable for transferring executables that might be in use during
the update.[1]
rdist historically ran on top of rsh and used rsh-style authentication to gain access
to remote systems. Unfortunately, this system is not secure and is disabled by default
on modern operating systems. Even though the rdist documentation continues to
talk about rsh, do not be fooled into thinking that rsh is a reasonable choice.
Current versions of rdist are better in that they allow any command that understands
the same syntax to be substituted for rsh. In practice, the substitute is ssh, which
uses cryptography to verify the identity of hosts and to prevent network eavesdroppers
from obtaining copies of your data. The downside is that you must run remote
ssh servers in a mode that does not require a password (but authenticates the client
with a cryptographic key pair). This is a less secure configuration than we would
normally recommend, but it is still a huge improvement over rsh. See page 697 for
more information about sshd and its authentication modes.
Now that we've belabored the perils of rdist, let's look at how it actually works. Like
make, rdist looks for a control file (Distfile or distfile) in the current directory.
rdist -f distfile explicitly specifies the control file's pathname. Within the Distfile,
tabs, spaces, and newlines are used interchangeably as separators. Comments are introduced
with a pound sign (#).
The meat of a Distfile consists of statements of the form
    label: pathnames -> destinations commands
The label field associates a name with the statement. From the shell, you can run rdist
label to distribute only the files described in a particular statement.
The pathnames and destinations are lists of files to be copied and hosts to copy them
to, respectively. If a list contains more than one entry, the list must be surrounded
with parentheses and the elements separated with whitespace. The pathnames can
include shell-style globbing characters (e.g., /usr/man/man[123] or /usr/lib/*). The
notation ~user is also acceptable, but it is evaluated separately on the source and
destination machines.
By default, rdist copies the files and directories listed in pathnames to the equivalent
paths on each destination machine. You can modify this behavior by supplying a sequence
of commands and terminating each with a semicolon.
1. Though the old version disappears from the filesystem namespace, it continues to exist until all references
have been released. You must also be aware of this effect when managing log files. See page 203
for more information.
The following commands are understood:
    install options [destdir];
    notify namelist;
    except pathlist;
    except_pat patternlist;
    special [pathlist] string;
    cmdspecial [pathlist] string;
The install command sets options that affect the way rdist copies files. Options typically
control the treatment of symbolic links, the correctness of rdist's difference-checking
algorithm, and the way that deletions are handled. The options, which
must be preceded by -o, consist of a comma-separated list of option names. For example,
the line
    install -oremove,follow ;
makes rdist follow symbolic links (instead of just copying them as links) and removes
existing files on the destination machine that have no counterpart on the
source machine. See the rdist man page for a complete list of options. The defaults
are almost always what you want.
The name "install" is somewhat misleading, since files are copied whether or not an
install command is present. Options are specified as they would be on the rdist
command line, but when included in the Distfile, they apply only to the set of files
handled by that install command.
The optional destdir specifies an installation directory on the destination hosts. By
default, rdist uses the original pathnames.
The notify command takes a list of email addresses as its argument. rdist sends mail
to these addresses whenever a file is updated. Any addresses that do not contain an
at sign (@) are suffixed with the name of the destination host. For example, rdist
would expand "pete" to "pete@anchor" when reporting a list of files updated on
host anchor.
The except and except_pat commands remove pathnames from the list of files to
be copied. Arguments to except are matched literally, and those of except_pat are
interpreted as regular expressions. These exception commands are useful because
rdist, like make, allows macros to be defined at the beginning of its control file. You
might want to use a similar list of files for several statements, specifying only the
additions and deletions for each host.
The special command executes a shell command (the string argument, in quotation
marks) on each remote host. If a pathlist is present, rdist executes the command
once after copying each of the specified files. Without a pathlist, rdist executes the
command after every file. cmdspecial is similar, but it executes the shell command
once after copying is complete. (The contents of the pathlist are passed to the shell as
an environment variable.)
Here's a simple example of a Distfile:
    SYS_FILES = (/etc/passwd /etc/group /etc/mail/aliases)
    GET_ALL = (chimchim lollipop barkadon)
    GET_SOME = (whammo spiff)
    all: ${SYS_FILES} -> ${GET_ALL}
        notify barb;
        special /etc/mail/aliases "/usr/bin/newaliases";
    some: ${SYS_FILES} -> ${GET_SOME}
        except /etc/mail/aliases;
        notify eddie@spiff;
See page 551 for more information about newaliases.
This configuration replicates the three listed system files on chimchim, lollipop, and
barkadon and sends mail to barb@destination describing any updates or errors that
occur. After /etc/mail/aliases is copied, rdist runs newaliases on each destination.
Only two files are copied to whammo and spiff. newaliases is not run, and a report
is mailed to eddie@spiff.
To get rdist working among machines, you must also tell sshd on the recipient
hosts to trust the host from which you are distributing files. To do this, you generate
a plaintext key for the master host and store a copy of the public portion in the file
~root/.ssh/authorized_keys on each recipient. It's probably also wise to restrict
what this key can do and where it can log in from. See the description of "method B"
on page 697 for more information.
rsync: transfer files more securely
rsync is available from rsync.samba.org.
rsync, written by Andrew Tridgell and Paul Mackerras, is similar in spirit to rdist but
with a somewhat different focus. It does not use a file-copying control file in the manner
of rdist (although the server side does have a configuration file). rsync is a bit
like a souped-up version of scp that is scrupulous about preserving links, modification
times, and permissions. It is more network efficient than rdist because it looks
inside individual files and attempts to transmit only the differences between versions.
Most Linux distributions provide a prepackaged version of rsync, although it may
not be installed by default.
From our perspective, the main advantage of rsync is the fact that receiving machines
can run the remote side as a server process out of xinetd or inetd. The server
(actually just a different mode of rsync, which must be installed on both the master
and the clients) is quite configurable: it can restrict remote access to a set of given
directories and can require the master to prove its identity with a password. Since no
ssh access is necessary, you can set up rsync to distribute system files without making
too many security compromises. (However, if you prefer to use ssh instead of an
inetd-based server process, rsync lets you do that too.) What's more, rsync can also
run in pull mode (pulling files down from the rsync server rather than pushing them
to it), which is even more secure (see the section on pulling files, page 510).
Unfortunately, rsync isn't nearly as flexible as rdist, and its configuration is less sophisticated
than rdist's distfile. You can't execute arbitrary commands on the clients,
and you can't rsync to multiple hosts at once.
As an example, the command
    # rsync -gopt --password-file=/etc/rsync.pwd /etc/passwd lollipop::sysfiles
transfers the /etc/passwd file to the machine lollipop. The -gopt options preserve
the permissions, ownerships, and modification times of the file. The double colon in
lollipop::sysfiles makes rsync contact the remote rsync directly on port 873 instead
of using ssh. The password stored in /etc/rsync.pwd authenticates the connection.[2]
This example transfers only one file, but rsync is capable of handling multiple files
at once. In addition, the --include and --exclude flags let you specify a list of regular
expressions to match against filenames, so you can set up a fairly sophisticated set of
transfer criteria. If the command line gets too unwieldy, you can also read the patterns
from separate files with the --include-from and --exclude-from options.
Once the rsync package has been installed, Red Hat, Fedora, and SUSE all provide
xinetd configurations for rsync. However, you must edit /etc/xinetd.d/rsync and
change disable = yes to disable = no to actually enable the server.
The rsync package on Debian and Ubuntu requires an entry in /etc/inetd.conf to
enable the server functionality. Assuming that you use TCP wrappers, the entry
should look something like this:
    rsync stream tcp nowait root /usr/sbin/tcpd /usr/bin/rsync --daemon
It's a good idea to configure tcpd to block access from all hosts except the one that
will be distributing your system files. Host rejection can be specified in rsyncd.conf
as well, but it never hurts to erect multiple barriers.
Once you have enabled rsync, you need to set up a couple of config files to tell the
rsync server how to behave. The main file is /etc/rsyncd.conf, which contains both
global configuration parameters and a set of "modules," each of which is a directory
tree to export or import. A reasonable configuration for a module that you can
push to (i.e., that will accept incoming file transfers initiated by the connecting client)
looks something like this:
    # sysfiles is just an arbitrary title for the particular module.
    [sysfiles]
    # This is the path you allow files to be pushed to. It could be just /.
    path = /etc
    # This is the file specifying the user/password pair to authenticate the module
    secrets file = /etc/rsyncd.secrets
    # Can be read only if you are pulling files
    read only = false
    # UID and GID under which the transfer will be done
    uid = root
    gid = root
    # List of hosts that are allowed to connect
    hosts allow = distribution_master_hostname
2. Although the password is not sent in plaintext across the network, the transferred files are not
encrypted. If you use ssh as the transport (rsync -gopt -e ssh /etc/passwd /etc/shadow lollipop:/etc;
note the single colon), the connection will be encrypted, but sshd will have to be configured not to
require a password. Name your poison!
Many other options can be set, but the defaults are reasonable. This configuration
limits operations to the /etc directory and allows access only by the listed host. From
the user's or client's point of view, you can rsync files to the server with the destination
hostname::sysfiles, which maps to the module above. If you want to set up rsync
in pull mode (pulling files from a central rsync server), the configuration above will
still work, although you may want to tighten things up a bit, for example, by setting
the transfer mode to read-only.
The last thing you need to do is set up an rsyncd.secrets file. It's generally kept in
/etc (although you can put it elsewhere) and contains the passwords that clients can
use to authenticate themselves. For example:
    root:password
As a general rule, rsync passwords should be different from system passwords. Because
the passwords are shown in plaintext, rsyncd.secrets must be readable only
by root.
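As an added example (not from the book or the rsync project), the script below generates the tightened pull-mode variant of the module just shown, read-only and restricted to a client subnet, and checks that a secrets or password file is readable only by its owner before it would be used. The module name sysfiles is the book's; the user distuser, the 192.168.12.0/24 subnet, the server distmaster.example.com and all paths are placeholders we chose.

```shell
#!/bin/sh
# Added example (not from the book): pull-mode rsyncd module plus a
# permission check on the shared-secret file.  rsync itself refuses a secrets
# or password file that other users can read; this check reproduces that
# test locally so a misconfiguration is caught before the daemon is started.
# All host names, the subnet and "distuser" are placeholders.

# pull_module <name> <path> <allowed-hosts>
# Emit a module clients may read from but never write to.
pull_module() {
    cat <<EOF
# $1: exported read-only; only $3 may pull from it
[$1]
    path = $2
    read only = true
    uid = root
    gid = root
    hosts allow = $3
    auth users = distuser
    secrets file = /etc/rsyncd.secrets
EOF
}

# secrets_mode_ok <file>: exit 0 if the file is owner-readable only
# (mode 600 or 400), the state both rsyncd.secrets and the client's
# --password-file must be in.
secrets_mode_ok() {
    perms=$(ls -ld "$1" | cut -c2-10)
    case $perms in
        rw-------|r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# pull_command <client-password-file> <server> <module> <dest>
# Print the client-side command: double colon means port 873, no ssh.
pull_command() {
    printf 'rsync -gopt --password-file=%s distuser@%s::%s/ %s/\n' \
        "$1" "$2" "$3" "$4"
}

main() {
    tmp=$(mktemp) || exit 1
    # constructed secrets file: one "user:password" line, as in rsyncd.secrets
    printf 'distuser:CHANGE-ME-placeholder\n' > "$tmp"
    chmod 600 "$tmp"
    pull_module sysfiles /srv/dist/etc 192.168.12.0/24
    if secrets_mode_ok "$tmp"; then
        echo "secrets file permissions OK; clients would run:"
        pull_command /etc/rsync.pwd distmaster.example.com sysfiles /etc/dist
    else
        echo "refusing: secrets file is readable by others" >&2
    fi
    rm -f "$tmp"
}
main
```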
Pulling files
You can implement a pulling system in several ways. The most straightforward way
is to make the files available on a central FTP or web server[3] and to have the clients
automatically download them as needed. In historical times, administrators would
roll their own utilities to do this (often scripting ftp with a system such as expect),
but standard utilities can now do it for you.
One such utility that ships with most Linux distributions is the popular wget. It's a
straightforward little program that fetches the contents of a URL (either FTP or
HTTP). For example, to FTP a file with wget, just run
    wget ftp://user:password@hostname/path/to/file
The specified file is deposited in the current directory.
An alternative option for FTP only is ncftp, which also ships with most distributions.
It's really just an enhanced FTP client that allows for easy scripting.
Some sites distribute files by publishing them on a networked filesystem such as
NFS. This is perhaps the simplest technique from an automation point of view: all
you need is cp, at least in theory. In practice, you would probably want to be a little
more sophisticated and check for signs of security problems and corrupted content
before blindly copying system files. Publishing sensitive system files over NFS has
many disadvantages from a security point of view, but it's a simple and effective way
of moving the bits. You can always encrypt the data to reduce the chance of interception
by an intruder.
3. Keep in mind that both HTTP and FTP transport data in plaintext. You may want to consider HTTPS
or SFTP, respectively, if security is a concern.
A final option is to use rsync as described in the previous section. If you run an
rsync server on your central distribution host, clients can simply rsync the files
down. Using this method is perhaps slightly more complex than using FTP, but you
then have access to all of rsync's features.
Whatever system you use, be careful not to overload your data server. If a lot of machines
on the network try to access your server simultaneously (e.g., if everyone
runs an update out of cron at the same time), you can cause an inadvertent denial of
service attack. Large sites should keep this problem in mind and allow for time
staggering or randomization. A simple way to do this is to wrap cron jobs in a Perl
script such as this:
    #!/usr/bin/perl
    sleep rand() * 600;    # sleep between 0 and 600 seconds (i.e., 10 minutes)
    system("copy_files_down");
17.4 NIS: THE NETWORK INFORMATION SERVICE
NIS, released by Sun in the 1980s, was the first "prime time" administrative database.
It was originally called the Sun Yellow Pages, but eventually had to be renamed for
legal reasons. NIS commands still begin with the letters yp, so it's hard to forget the
original name. NIS was widely adopted among UNIX vendors and is supported by
every Linux distribution.
The unit of sharing in NIS is the record, not the file. A record usually corresponds to
one line in a config file. A master server maintains the authoritative copies of system
files, which are kept in their original locations and formats and are edited with a text
editor just as before. A server process makes the contents of the files available over
the network. A server and its clients constitute an NIS "domain."[4]
Data files are preprocessed into database files by the Berkeley DB hashing library to
improve the efficiency of lookups. After editing files on the master server, you use
make to tell NIS to convert them to their hashed format.
Only one key can be associated with each entry, so a system file may have to be translated
into several NIS "maps." For example, the /etc/passwd file is translated into
two different maps called passwd.byname and passwd.byuid. One map is used to
look up entries by username and the other to look up entries by UID. Either map can
be used to enumerate the entries in the passwd file. However, because hashing libraries
do not preserve the order of records, there is no way to reconstruct an exact
duplicate of the original file (unless it was sorted).
4. Do not confuse NIS domains with DNS domains. They are completely separate and have nothing to do
with each other.
NIS allows you to replicate the network maps on a set of slave servers. Providing more
than one server helps relieve the load on the master and helps keep clients working
even when some servers become unavailable. Whenever a file is changed on the master
server, the corresponding NIS map must be pushed out to the slaves so that all
servers provide the same data. Clients do not distinguish between the master server
and the slaves.
In the traditional NIS implementation, you must place at least one NIS server on every
physical network. Clients use IP broadcasting to locate servers, and broadcast
packets are not forwarded by routers and gateways. The ypset command can point a
client at a particular server; however, at the first hint of trouble, the client attempts
to locate a new server by broadcasting. Unless a server on the client's network responds,
this sequence of events can cause the client to hang.
This system causes a lot of problems, not least of which is that it is extremely insecure.
An intruder can set up a rogue NIS server that responds to broadcasts and either
provides bogus data or delivers a denial of service attack by allowing binding
and then blocking on actual requests. These days, the preferred management technique
is to give each client an explicit list of its legitimate NIS servers. This system
also has the advantage that the servers need not be on the local subnet.
Under Linux, servers are listed in /etc/yp.conf. Here's an example for the NIS domain
atrustnis:
    domain atrustnis server 10.2.2.3
    domain atrustnis server 10.2.2.4
There is one line for each server; if one server goes down, NIS fails over to another.
Note that the servers are given in the form of IP addresses. yp.conf accepts hostnames,
but these hostnames must then be resolvable at boot time (i.e., enumerated
in the /etc/hosts file or resolvable through DNS).
If you must use broadcast mode, the syntax is
    domain atrustnis broadcast
Understanding how NIS works
NIS's data files are stored in the directory /var/yp. Each NIS map is stored in a hashed
format in a subdirectory of the NIS directory named for the NIS domain. There is one
map (file) for each key by which a file can be searched. For example, in the domain
cssuns, the DB files for the /etc/passwd maps might be
    /var/yp/cssuns/passwd.byname
    /var/yp/cssuns/passwd.byuid
The passwd file is searchable by both name and UID, so two maps are derived from it.
The makedbm command generates NIS maps from flat files. However, you need
not invoke this command directly; a Makefile in /var/yp generates all the common
NIS maps. After you modify a system file, cd to /var/yp and run make. The make
command checks the modification time of each file against the modification times of
the maps derived from it and runs makedbm for each map that needs to be rebuilt.
Maps are copied from the master server to the slave servers by the ypxfr command.
ypxfr is a pull command; it must be run on each slave server to make that server
import the map. Slaves usually execute ypxfr every so often just to verify that they
have the most recent maps; you can use cron to control how often this is done.
The default implementation of map copying is somewhat inefficient. Linux furnishes
a daemon called rpc.ypxfrd that can be run on the master server to speed
responses to ypxfr requests. rpc.ypxfrd sidesteps the normal NIS protocol and
simply hands out copies of the map files.
yppush is a "push" command that's used on the master server. It actually does not
transfer any data but rather instructs each slave to execute a ypxfr. The yppush command
is used by the Makefile in the NIS directory to ensure that newly updated maps
are propagated to slaves.
The special map called ypservers does not correspond to any flat file. This map
contains a list of all the servers of the domain. It's automatically constructed when
the domain is set up with ypinit (see Configuring NIS servers on page 518). Its contents
are examined when the master server needs to distribute maps to slaves.
After initial configuration, the only active components of the NIS system are the
ypserv and ypbind daemons. ypserv runs only on servers (both master and slave);
it accepts queries from clients and answers them by looking up information in the
hashed map files.
ypbind runs on every machine in the NIS domain, including servers. The C library
contacts the local ypbind daemon when it needs to answer an administrative query
(provided that /etc/nsswitch.conf says to do so). ypbind locates a ypserv in the
appropriate domain and returns its identity to the C library, which then contacts the
server directly. The query mechanism is illustrated in Exhibit A.
Exhibit A  NIS query procedure
[Figure not reproduced. It shows an application on the client calling a C library routine such as getpwuid; the C library asks the local ypbind which ypserv to use, then queries that ypserv directly, and ypserv answers from the gdbm map files on the server's filesystem.]
Current Linux versions of ypbind periodically check to be sure they are dealing with the most responsive server for an NIS domain. This is an improvement over the traditional implementation, which fixates on a particular server. Another feature unique to Linux is that clients can bind to different NIS domains for different maps.

NIS includes a number of minor commands that examine maps, find out which version of a map each server is using, and control the binding between clients and servers. A complete list of NIS commands and daemons is given in Table 17.2.

Weighing advantages and disadvantages of NIS

One nice feature of NIS is that it can be understood by mere mortals. NIS is analogous to copying files around; in most cases, it's unnecessary for administrators to be aware of NIS's internal data formats. Administration is done with the same old flat files, and only one or two new procedures need to be learned.

Since NIS domains cannot be linked, NIS is not suitable for managing a large network of machines unless a single configuration is to be applied to every machine. You can divide a large network into several NIS domains, but each domain must be administered separately. Even if a large network does use a single configuration, limitations on the scaling of slave servers mean that in practice these sites usually come up with some other mechanism to keep their NIS servers in sync. They often end up rolling their own back-end databases and making their NIS servers fetch their data from this central source.

Table 17.2  NIS commands and daemons

    Program      Description
    ypserv       Is the NIS server daemon, started at boot time
    ypbind       Is the NIS client daemon, started at boot time
    domainname   Sets the NIS domain a machine is in (run at boot time)
    ypxfr        Downloads current version of a map from master server
    ypxfrd       Serves requests from ypxfr (runs on master server)
    yppush       Makes slave servers update their versions of a map
    makedbm      Builds a hashed map from a flat file
    ypmake       Rebuilds hashed maps from flat files that have changed
    ypinit       Configures a host as a master or slave server
    ypset        Makes ypbind connect to a particular server (a)
    ypwhich      Finds out which server the current host is using
    yppoll       Finds out what version of a map a server is using
    ypcat        Prints the values contained in an NIS map
    ypmatch      Prints map entries for a specified key
    yppasswd     Changes a password on the NIS master server
    ypchfn       Changes GECOS information on the NIS master server
    ypchsh       Changes a login shell on the NIS master server
    yppasswdd    Is the server for yppasswd, ypchsh, and ypchfn

    a. Must be specifically enabled with ypbind -ypsetme or ypbind -ypset (dangerous)
See Chapter 8 for more information about cron.

If a slave server is down or inaccessible when a map is changed, the slave's copy will not be updated. Slaves must periodically poll the master to be sure that they have the most recent version of every map. Although basic tools for polling are provided with NIS, you must implement the polling scheme you want by using cron. Even so, two different versions of a map could possibly be served simultaneously for a while, with clients randomly seeing one or the other.

NIS is minimally secure. Broadcast mode is particularly bad; any host on a network can claim to serve a particular domain and feed bogus administrative data to NIS clients. You can avoid this problem by explicitly enumerating the permissible NIS servers for each client.

You can restrict the hosts that are able to read a server's maps by explicitly listing them in /etc/ypserv.conf; however, this technique is not 100% secure, because ypserv can only check the source IP address of a request, and that address can be spoofed. You can also improve the security of your system by distributing your shadow password file with some other technique (such as rdist or rsync); we don't recommend using NIS to serve shadow passwords, since any client the server is willing to talk to can dump the entire map of password hashes with ypcat.

Older versions of Linux NIS contain known security holes. If you are running an older system, make sure you get the latest upgrades before starting NIS.
Prioritizing sources of administrative information

Configuration information can be distributed in several ways. Every system understands flat files and knows how to use DNS to look up hostnames and Internet addresses. Most also understand NIS. Since a given piece of information could come from several potential sources, Linux provides a way for you to specify the sources that are to be checked and the order in which the checks are made.

In the original (pre-Linux) implementation of NIS, some configuration files (the /etc/passwd and /etc/group files in particular) had to be configured to "invite in" the contents of the corresponding NIS maps. The invitation was extended by inclusion of special incantations in the files themselves. A lone "+" at the beginning of a line would include the entire NIS map, "+@netgroup" would include only entries relevant to a given netgroup, and "+name" would include a single entry.

This approach was never very well liked, and it has been superseded by a central config file, /etc/nsswitch.conf, that allows an explicit search path to be specified for each type of administrative information. The original behavior can be emulated by use of a compatibility mode, but it's unlikely you would want to use this feature on a newly configured network. (Unfortunately, emulation is most distributions' default.)

A typical nsswitch.conf file looks something like this:

    passwd: files nis
    hosts:  files dns
    group:  files
    ...
Each line configures one type of information (usually, one flat-file equivalent). The common sources are nis, nisplus, files, dns, and compat; they refer to NIS, NIS+ [5], vanilla flat files (ignoring tokens such as "+"), DNS, and NISified flat files (honoring "+"), respectively. DNS is a valid data source only for host and network information.

Support for each source type comes from a shared library (/lib/libnss*), so distributions vary slightly in the sources they support. Some distributions provide out-of-the-box support for LDAP (see page 520) and/or Hesiod, a directory service based on DNS. Another source commonly supported on Linux (and unfortunately not very well documented) is db, which reads a hashed version of the map from /var/db (for example, /var/db/passwd.db). If your flat files are large, the use of hashed versions can substantially increase lookup speed.

Sources are tried from left to right until one of them produces an answer for the query. In the example above, the gethostbyname routine would first check the /etc/hosts file, and if the host was not listed there, would then check DNS. Queries about UNIX groups, on the other hand, would check only the /etc/group file.

If necessary, you can define the "failure" of a source more specifically by putting bracketed expressions after it. For example, the line

    hosts: dns [NOTFOUND=return] nis

causes DNS to be used exclusively if it is available; a negative response from the name server makes queries return immediately (with a failure code) without checking NIS. However, NIS is used if no name server is available. The various types of failures are shown in Table 17.3; each can be set to return or continue, signifying whether the query should be aborted or forwarded to the next source.

By default, all Linux distributions ship with nsswitch.conf files that are reasonable for a stand-alone machine without NIS. All entries go to the flat files, with the exception of host lookups, which first consult flat files and then DNS. Most distributions default to compat mode for passwd and group, which is probably worth changing. If you really use NIS, just explicitly put it in the nsswitch.conf file.

5. An ill-starred successor to the original NIS, now discontinued by Sun but still supported by some systems for historical reasons.
Table 17.3  Failure modes recognized in /etc/nsswitch.conf

    Condition   Meaning
    UNAVAIL     The source doesn't exist or is down.
    NOTFOUND    The source exists, but couldn't answer the query.
    TRYAGAIN    The source exists but is busy.
    SUCCESS     The source was able to answer the query.
Debian and its kissing-cousin Ubuntu ship with protocols, services, ethers, and rpc going to db and then files. This is slightly odd, since Debian and Ubuntu don't, in fact, include /var/db or any mechanism to maintain it. Presumably it would be slightly more efficient to go directly to files; you can modify the settings to do that if you want.
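As an added illustration (not from the book and not glibc's code), here is a small Python model of how the name service switch walks the sources listed on an nsswitch.conf line and applies the bracketed [STATUS=action] rules from Table 17.3. The lookup tables standing in for files, DNS, and NIS are constructed; nothing contacts a real resolver or ypserv. It also accepts the negated form [!STATUS=action], which the switch understands but the text does not mention.

```python
import re
from typing import Callable, Dict, List, Tuple

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# Defaults when a source carries no [..] clause: stop on success, else try the next source.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_line(line: str) -> List[Tuple[str, Dict[str, str]]]:
    """'hosts: dns [NOTFOUND=return] nis' -> [('dns', actions), ('nis', actions)]."""
    _, _, spec = line.partition(":")
    sources: List[Tuple[str, Dict[str, str]]] = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not tok.startswith("["):
            sources.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not sources:
            raise ValueError("action list without a preceding source")
        for clause in tok[1:-1].split():
            status, _, action = clause.partition("=")
            negate = status.startswith("!")
            status, action = status.lstrip("!").upper(), action.lower()
            if status not in STATUSES or action not in ("return", "continue"):
                raise ValueError(f"bad action clause {clause!r}")
            for s in STATUSES:           # [!X=a] applies a to every status except X
                if (s == status) != negate:
                    sources[-1][1][s] = action
    return sources


# A source takes a key and returns (status, value); these stand in for the libnss_* libraries.
Source = Callable[[str], Tuple[str, object]]


def lookup(line: str, sources: Dict[str, Source], key: str):
    """Walk the sources left to right; return (status, value, trail of decisions)."""
    trail: List[str] = []
    status, value = "NOTFOUND", None
    for name, actions in parse_line(line):
        src = sources.get(name)
        status, value = src(key) if src else ("UNAVAIL", None)   # unknown source = no library
        trail.append(f"{name}={status}")
        if actions[status] == "return":
            break
    return status, value, trail


# --- constructed sample data (stand-ins for /etc/hosts, a name server, and NIS) ---
def table_source(table: Dict[str, str]) -> Source:
    return lambda key: ("SUCCESS", table[key]) if key in table else ("NOTFOUND", None)


def down(_key: str) -> Tuple[str, object]:
    return ("UNAVAIL", None)


FILES = {"localhost": "127.0.0.1", "anchor": "10.2.2.3"}
DNS = {"www.example.com": "192.0.2.10"}            # documentation address, RFC 5737
NIS = {"anchor": "10.2.2.3", "moet": "10.2.2.5"}

DNS_UP = {"files": table_source(FILES), "dns": table_source(DNS), "nis": table_source(NIS)}
DNS_DOWN = {"files": table_source(FILES), "dns": down, "nis": table_source(NIS)}

if __name__ == "__main__":
    line = "hosts: dns [NOTFOUND=return] nis"
    print(lookup(line, DNS_UP, "moet"))     # DNS says no -> give up without asking NIS
    print(lookup(line, DNS_DOWN, "moet"))   # DNS unreachable -> fall through to NIS
```

The two runs in the main block are the two cases the text describes: a negative answer from a working name server stops the search, whereas an unreachable name server lets the query continue to NIS.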
Using netgroups

NIS introduced a popular abstraction known as netgroups. Netgroups name sets of users, machines, and nets for easy reference in other system files. They are defined in /etc/netgroup and are also shared as an NIS map.

The format of a netgroup entry is

    groupname list-of-members

Members are separated by whitespace. A member is either a netgroup name or a triplet of the form

    (hostname, username, nisdomainname)

Any empty field in a triplet is a wild card; thus the entry (boulder,,) refers to all users in all domains on the host boulder (or to the host boulder itself, depending on the context in which the netgroup is used). A dash in a field indicates negation, so the entry (boulder,-,) refers to the machine boulder and no users. Netgroup definitions can nest.

Here's a simple example of an /etc/netgroup file:

    bobcats        (snake,,) (headrest,,)
    servers        (anchor,,) (moet,,) (piper,,) (kirk,,)
    anchorclients  (xx,,) (watneys,,) (molson,,)
    beers          (anchor,,) (anchor-gateway,,) anchorclients
    allhosts       beers bobcats servers

These netgroups are all defined in terms of hosts; that's typical for real-world use.
See Chapter 16 for more information about NFS.
Netgroups can be used in several system files that define permissions. The most common application these days is for configuring NFS exports. Netgroups can be mentioned in the /etc/exports file to specify groups of hosts that are allowed to mount each filesystem. This feature is very handy when you are exporting to a lot of hosts, particularly on systems that require fully qualified domain names and that limit lines in the exports file to 1,024 characters.

Netgroups are a nice idea. They simplify system files, making them more understandable. They also add a layer of indirection that permits the status of a user or machine to be changed in one file rather than fifteen.
Setting up an NIS domain

You must initialize NIS on the master server, on the slave servers, and on each client. You do this in two steps. First, run ypinit on each server. Second, on every machine in the domain, set the domain name from /etc/domainname or one of the system startup files and configure /etc/nsswitch.conf to import NIS data.

Configuring NIS servers

The server side of NIS must usually be installed as a separate, optional package called ypserv. Debian and Ubuntu do things a little differently; their nis package includes both the client and server sides.

ypinit initializes both the master and slave servers for a domain. On the master, you use the following commands:

    # cd /var/yp                 /* The NIS directory, wherever it is */
    # domainname foo             /* Name the new domain. */
    # /usr/lib/yp/ypinit -m      /* Initialize as master server. */
    # ypserv                     /* Start the NIS server. */
The -m flag tells ypinit that it's configuring a master server; it prompts you to enter a list of slave servers. Once the master is up and running, prime each slave server by running ypinit with the -s (slave) flag:

    # cd /var/yp
    # /usr/lib/yp/ypinit -s master    /* Argument is master's hostname. */
    # ypserv

ypinit -s makes a local copy of the master's current data; the presence of the domain's data files is enough to let ypserv know that it should serve the domain.
See Chapter 8 for more information about cron.
On each slave, you should set up crontab entries to pull fresh copies of all maps from the master. The command ypxfr map, where map is a name such as passwd.byuid, transfers the specified map from the master server. You must run the command once for each map. Maps tend to change at different rates, so you may want to transfer some maps more often than others. In most circumstances, transferring all the maps once or twice a day (perhaps late at night) is good enough. The following script transfers every map:

    #!/bin/sh
    mydomain=`/bin/domainname`          # no spaces around "=" in sh
    cd /var/yp/$mydomain || exit 1      # the NIS directory
    for map in *; do
        /usr/lib/yp/ypxfr $map
    done

Additionally, prefabricated scripts in /usr/lib/yp transfer NIS maps at various frequencies (ypxfr_1perday, ypxfr_2perday, and ypxfr_1perhour).

If you want users to be able to change their passwords with yppasswd, you must run the yppasswdd daemon on the master NIS server. The Linux version of this server has been known to crash frequently, so be sure to verify that it is still running if the yppasswd command doesn't seem to be working.
Setting access control options in /etc/ypserv.conf

You can set options for the Linux version of the ypserv daemon in /etc/ypserv.conf; however, only a few options are defined, and most sites will not need to change their default values.

More importantly, ypserv looks to the ypserv.conf file for instructions about how to control access to NIS data. Rather than simply blurting out the answer to every incoming query as the traditional implementation does, the Linux ypserv checks incoming requests against an access list. Each control line is of the form

    host:nisdomain:map:security

host, nisdomain, and map identify a particular subset of requests, and the security parameter tells how to handle it: deny to reject the request, port to allow the request as long as it originates at a privileged network port (< 1024), and none to always allow the request. Here is an example configuration:

    128.138.24.0/255.255.252.0:atrustnis:*:none
    *:*:passwd.byuid:deny
    *:*:passwd.byname:deny
    128.138.:atrustnis:*:port
    *:*:*:deny

You can use a star in the host, nisdomain, and map fields to match any value, but partial matches are not allowed. (You can't, for example, use passwd.* to match all maps derived from the /etc/passwd file.) Control lines are checked in order until a matching line is found. If no lines match, the default is to answer the request.
See page 287 for a discussion of CIDR netmasks.
The host parameter can include a netmask, as on the first line, but ypserv does not understand the more common CIDR notation. As shown on the fourth line, you can also omit trailing components of an IP address to make ypserv fill it in with zeros and supply an analogous netmask.

The rules above allow access from any host on one of the 128.138.24/22 networks. Hosts within 128.138 can access all maps in atrustnis except those derived from the /etc/passwd file, as long as the request originates at a privileged port. All other access is denied. Since the default when nothing matches is to answer, the final catch-all deny line is what actually makes the list restrictive; leave it out and any host not covered by an earlier line is served.

Never forget that this type of access control is a stopgap measure at best. It may discourage casual browsing by people outside your organization, but it won't provide a very effective deterrent to a determined attacker.

An older security mechanism, the /var/yp/securenets file, is also supported for historical reasons. New configurations should use ypserv.conf.
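To make the matching rules concrete, here is an added Python model (not ypserv's own code) that evaluates a ypserv.conf-style access list against a request: exact or * fields with no partial matches, a dotted netmask, zero-filling of omitted trailing octets with a matching mask, first match wins, and the default of answering when nothing matches. The request parameters (client address, domain, map, source port) are constructed, and the sample list is the five rules above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_CONF = """\
# constructed from the example rules in the text
128.138.24.0/255.255.252.0:atrustnis:*:none
*:*:passwd.byuid:deny
*:*:passwd.byname:deny
128.138.:atrustnis:*:port
*:*:*:deny
"""


@dataclass
class Rule:
    net: Optional[ipaddress.IPv4Network]   # None stands for '*'
    domain: str
    map_: str
    security: str                          # none | port | deny


def parse_host(field: str) -> Optional[ipaddress.IPv4Network]:
    """'*' -> None; 'a.b.c.d/mask' -> that network; 'a.b.' -> a.b.0.0/16 (zero-filled)."""
    if field == "*":
        return None
    addr, _, mask = field.partition("/")
    octets = addr.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"bad host field {field!r}")
    full = ".".join(octets + ["0"] * (4 - len(octets)))
    prefix = mask if mask else str(8 * len(octets))   # ypserv takes dotted masks, not CIDR
    return ipaddress.IPv4Network(f"{full}/{prefix}", strict=False)


def parse_conf(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 4 or parts[3] not in ("none", "port", "deny"):
            raise ValueError(f"bad control line {line!r}")
        rules.append(Rule(parse_host(parts[0]), parts[1], parts[2], parts[3]))
    return rules


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value       # no partial matches such as passwd.*


def decide(rules: List[Rule], client: str, domain: str, map_: str,
           src_port: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request; the first matching rule decides."""
    ip = ipaddress.IPv4Address(client)
    for n, r in enumerate(rules, 1):
        if r.net is not None and ip not in r.net:
            continue
        if not (_match(r.domain, domain) and _match(r.map_, map_)):
            continue
        if r.security == "deny":
            return False, f"rule {n}: deny"
        if r.security == "port" and src_port >= 1024:
            return False, f"rule {n}: privileged port required, request came from {src_port}"
        return True, f"rule {n}: {r.security}"
    return True, "no rule matched: ypserv answers by default"


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    print(decide(rules, "128.138.25.7", "atrustnis", "passwd.byname", 40000))
    print(decide(rules, "128.138.100.1", "atrustnis", "hosts.byname", 40000))
    # Drop the catch-all deny and an outside host is suddenly answered:
    print(decide(rules[:-1], "10.0.0.1", "atrustnis", "hosts.byname", 600))
```

The last call in the main block is the pitfall worth remembering: because the default on no match is to answer, a list without a trailing *:*:*:deny line is an allow list in appearance only.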
Configuring NIS clients

After setting up servers, inform each client machine that it is a member of the new domain. The servers of a domain are generally clients as well.
See Chapter 2 for more information about the system startup scripts.
The domainname command sets a machine's NIS domain. It's usually run at boot time from one of the startup scripts. The exact contortions necessary to configure this vary by distribution; details are given below.

Each client must have at least a minimal private version of the passwd, group, and hosts files. passwd and group are needed to allow root to log in when no NIS server is available. They should contain the standard system accounts and groups: root, bin, daemon, etc. The hosts file (or DNS) must be present to answer boot-time queries that occur before NIS is up and running.
NIS details by distribution

Under Fedora and RHEL, you set the NIS domain name in /etc/sysconfig/network by setting the variable NISDOMAIN. The server side of NIS is installed as a separate package called ypserv. The ypbind, ypserv, and yppasswdd daemons are enabled and disabled with chkconfig; for example,

    # chkconfig ypbind on

SUSE sets the NIS domain name at boot time from the file /etc/domainname. The server side of NIS is installed as a separate package called ypserv. Use chkconfig to force the system to automatically start ypserv and/or ypbind at boot time. You can set command-line options for ypbind in /etc/sysconfig/ypbind. You must either set YPBIND_BROADCAST to yes in this file or install an /etc/yp.conf file; otherwise, the startup scripts will refuse to start ypbind.

Debian and Ubuntu keep the name of the NIS domain in /etc/defaultdomain. The startup scripts run ypbind automatically if this file is present. To run ypserv, edit the file /etc/default/nis and set the value of NISSERVER to slave or master.
17.5 LDAP: THE LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL

UNIX and Linux sites need a good way to distribute their administrative configuration data; however, the problem is really more general than that. What about nonadministrative data such as telephone and email directories? What about information that you want to share with the outside world? What everyone really needs is a generalized directory service.

A directory service is just a database, but one that makes a few assumptions. Any data set that has characteristics matching the assumptions is a candidate for inclusion. The basic assumptions are as follows:

• Data objects are relatively small.
• The database will be widely replicated and cached.
• The information is attribute based.
• Data are read often but written infrequently.
• Searching is a common operation.
The current IETF standards-track system designed to fill this role is the Lightweight Directory Access Protocol (LDAP). The LDAP specifications don't really speak to the database itself, just the way that it's accessed through a network. But because they specify how the data is schematized and how searches are performed, they imply a fairly specific data model as well.

LDAP was originally designed as a gateway protocol that would allow TCP/IP clients to talk to an older directory service called X.500, which is now obsolete. Over time, it became apparent both that X.500 was going to die out and that UNIX really needed a standard directory of some sort. These factors have led to LDAP being developed as a full-fledged directory system in its own right (and perhaps to its no longer being quite so deserving of the L). [6]

At this point (in the year 2006), LDAP has become quite mainstream, spurred perhaps in part by Microsoft's adoption of LDAP as the basis for its Active Directory service. On the UNIX and Linux side, the OpenLDAP package (www.openldap.org) has become the standard implementation.
The structure of LDAP data

LDAP data takes the form of property lists, which are known in LDAP world as "entries." Each entry consists of a set of named attributes (such as "uid" or "description") along with those attributes' values. Windows users might recognize this structure as being similar to that of the Windows Registry. As in the Registry, an individual attribute can have several values.

As an example, here's a typical (but simplified) /etc/passwd line expressed as an LDAP entry:

    uid: ghopper
    cn: Grace Hopper
    userPassword: {crypt}$1$pZaGA2RL$MPDfoc0afuhHYoyk8HQFp0
    loginShell: /bin/bash
    uidNumber: 1202
    gidNumber: 1202
    homeDirectory: /home/ghopper

This notation is a simple example of LDIF, the LDAP Data Interchange Format, which is used by most LDAP-related tools and server implementations. The fact that LDAP data can be easily converted back and forth from plain text is part of the reason for its success.

Entries are organized into a hierarchy through the use of "distinguished names" (attribute name: dn) that form a sort of search path. For example, the dn for the user above might be

    dn: uid=ghopper,ou=People,dc=navy,dc=mil

6. Because of LDAP's tortured history, many sources tend to go into great detail about LDAP's X.500 and OSI connections. However, this history is not relevant to contemporary use of LDAP. Ignore it.
As in DNS, the "most significant bit" goes on the right. Here, the DNS name navy.mil has been used to structure the top levels of the LDAP hierarchy. It has been broken down into two domain components (dc's), "navy" and "mil," but this is only one of several common conventions.

Every entry has exactly one distinguished name. Therefore, the entry hierarchy looks like a simple branching tree with no loops. There are, however, provisions for symbolic links between entries and for referrals to other servers.

LDAP entries are typically schematized through the use of an objectClass attribute. Object classes specify the attributes that an entry can contain, some of which may be required for validity. The schema also assigns a data type to each attribute. Object classes nest and combine in the traditional object-oriented fashion. The top level of the object class tree is the class named "top", which specifies merely that an entry must have an objectClass attribute.

Table 17.4 shows some common LDAP attributes whose meaning might not be immediately apparent.
The point of LDAP

Until you've had some experience with it, LDAP can be a slippery concept to grab hold of. Unlike NIS, LDAP by itself doesn't solve any specific administrative problem. There's no "primary task" that LDAP is tailor-made to handle, and sites diverge widely in their reasons for deploying LDAP servers. So before we move on to the specifics of installing and configuring OpenLDAP, it's probably worth reviewing some reasons why you might want to investigate LDAP for use at your site. Here are the big ones:

• You can use LDAP as a replacement for NIS. The advantages over NIS are numerous, but the main ones are better security, better tool support, and increased flexibility.

• In a similar vein, you can use LDAP to distribute configuration information that lies outside the traditional domain of NIS. Most mail systems, including sendmail and Postfix, can draw a large part of their routing information from LDAP, and this is in fact one of LDAP's most popular applications. Tools as varied as the Apache web server and the autofs automounter can be configured to pay attention to LDAP, too. It's likely that LDAP support will become more and more common over time.

See page 555 for more information about using LDAP with sendmail.

• It's easy to access LDAP data with command-line tools such as ldapsearch. In addition, LDAP is well supported by common scripting languages such as Perl and Python (through the use of libraries). Ergo, LDAP is a terrific way to distribute configuration information for locally-written scripts and administrative utilities.

• Excellent web-based tools are available for managing LDAP, for example, phpLDAPadmin (phpldapadmin.sourceforge.net) and Directory Administrator (diradmin.open-it.org). These tools are so easy to use that you can just rip the box open and start playing without reading the manual.

• LDAP is well supported as a public directory service. Most major email clients, including those that run on PCs, support the use of LDAP to access user directories. Simple LDAP searches are also supported by many web browsers through the use of an LDAP URL type.

• Microsoft's Active Directory is based on LDAP, and the current release of Windows 2003 Server R2 includes extensions (originally called "Services for UNIX," now called "Windows Security and Directory Services for UNIX") that facilitate the mapping of Linux users and groups.

Table 17.4  Some common attribute names found in LDAP hierarchies

    Attribute     Stands for            What it is
    o             Organization          Often identifies a site's top-level entry
    ou            Organizational unit   A logical subdivision, e.g., "marketing"
    cn            Common name           The most natural name to represent the entry
    dc            Domain component      Used at sites that model their LDAP hierarchy on DNS
    objectClass   Object class          Schema to which this entry's attributes conform
LDAP documentation and specifications

We are not aware of any really excellent source of introductory information on the general architecture of LDAP. The onetime FAQ is no longer maintained. The source that we recommended for LDAP version 2, Understanding LDAP by Johner et al, has unfortunately not been updated for version 3, and the differences in the protocol are significant enough that it's probably worthwhile to look elsewhere.

The current best places to start are with the documentation for the OpenLDAP package and the Linux LDAP HOWTO. Citations for a couple of reasonable LDAP books are also given at the end of this chapter.

The LDAP-related RFCs are numerous and varied. As a group, they tend to convey an impression of great complexity, which is somewhat unrepresentative of average use. Some of the high points are listed in Table 17.5.
OpenLDAP: LDAP for Linux

OpenLDAP is an extension of work originally done at the University of Michigan and now continued as an open source project. It's shipped with most distributions, though it is not necessarily included in the default installation. The documentation is perhaps best described as "brisk."

In the OpenLDAP distribution, slapd is the standard server daemon and slurpd handles replication. (OpenLDAP 2.4 and later drop slurpd in favor of slapd's built-in syncrepl replication.) A selection of command-line tools enable the querying and modification of LDAP data.
Setup is straightforward. First, create an /etc/openldap/slapd.conf file by copying the sample installed with the OpenLDAP server. These are the lines you need to pay attention to:

    database   bdb
    suffix     "dc=mydomain, dc=com"
    rootdn     "cn=admin, dc=mydomain, dc=com"
    rootpw     {crypt}abJnggxhB/yWI
    directory  /var/lib/ldap

The database format defaults to Berkeley DB, which is fine for data that will live within the OpenLDAP system. You can use a variety of other back ends, including ad hoc methods such as scripts that create the data on the fly.

The suff ix is your "LDAP basename." It's the root of your portion of the LDAP namespace, similar in concept to your DNS domain name. This example illustrates a common practice: using your DNS domain name as your LDAP basename.

The rootdn is your administrator's name, and the rootpw is the administrator's UNIX-format (DES) password. Note that the domain components leading up to the administrator's name must also be specified. You can either copy and paste the password from /etc/shadow (if you don't use MD5 passwords) or generate it with a simple Perl one-liner

    perl -e "print crypt('password','salt');"

where password is the desired password and salt is an arbitrary two-character string. Keep in mind that traditional DES crypt uses only the first eight characters of the password; the slappasswd utility shipped with OpenLDAP generates a salted SHA-1 ({SSHA}) hash that slapd also accepts and that has no such limit.

Because of the presence of this password, make sure that the permissions on your slapd.conf file are 600 and that the file is owned by root.
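As an added example that goes beyond the book's {crypt} rootpw (this is not OpenLDAP's code), the Python below produces and verifies a {SSHA} value of the form slappasswd emits, base64(SHA-1(password + salt) + salt) with a 20-byte digest and the salt appended, and checks the slapd.conf ownership and permissions the paragraph calls for. The four-byte salt follows slappasswd's default; the path checked is whatever you pass in.

```python
import base64
import hashlib
import hmac
import os
import stat
from typing import List, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)           # 4 random bytes, slappasswd's default salt size
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value using a constant-time digest compare."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return False
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; whatever follows is salt
    if len(digest) != 20:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def slapd_conf_problems(path: str) -> List[str]:
    """Why a file is unsafe to hold rootpw: it should be mode 600 and owned by root."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems: List[str] = []
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:04o} is readable by group/other")
    if st.st_uid != 0:
        problems.append(f"{path}: owned by uid {st.st_uid}, not root")
    return problems


if __name__ == "__main__":
    h = ssha_hash("correct horse battery staple")
    print("rootpw", h)
    print(ssha_verify("correct horse battery staple", h), ssha_verify("correct h", h))
    print(slapd_conf_problems("/etc/openldap/slapd.conf") if os.path.exists("/etc/openldap/slapd.conf")
          else "no slapd.conf on this host")
```

The second print line is the point about DES crypt made above: with {SSHA} the truncated password "correct h" does not verify, whereas under a 13-character DES crypt value only the first eight characters would have counted.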
Table 17.5  Important LDAP-related RFCs

    RFC    Title
    4519   LDAP: Schema for User Applications
    4517   LDAP: Syntaxes and Matching Rules
    4516   LDAP: Uniform Resource Locator
    4515   LDAP: String Representation of Search Filters
    4514   LDAP: String Representation of Distinguished Names
    4513   LDAP: Authentication Methods and Security Mechanisms
    4512   LDAP: Directory Information Models
    4511   LDAP: The Protocol
    3672   Subentries in the Lightweight Directory Access Protocol (LDAP)
    3112   LDAP Authentication Password Schema
    2849   LDAP Data Interchange Format (LDIF): Technical Specification
    2820   Access Control Requirements for LDAP
    2307   An Approach for Using LDAP as a Network Information Service
You should edit /etc/openldap/ldap.conf to set the default server and basename for LDAP client requests. It's pretty straightforward: just set the argument of the host entry to your server and set the base to the same value as the suffix in slapd.conf. (Make sure both lines are uncommented.)

At this point, you should be able to start up slapd by simply running it with no arguments.
NIS replacement by LDAP

See page 681 for more information about pluggable authentication modules.

You needn't actually use NIS to "migrate" to LDAP, but because NIS defines a standard set of shared system files, it serves as a useful reference point.

The files distributable through NIS are already "virtualized" through the name service switch (the /etc/nsswitch.conf file), so client-side LDAP support is relatively easy to add. Some distributions install the necessary nss_ldap package by default, but if not, the package is usually provided as an option. This package includes a PAM module that lets you use LDAP with pluggable authentication modules in addition to the name service switch.

Client-side LDAP defaults for this package are set in /etc/ldap.conf, which shares its format with the /etc/openldap/ldap.conf file described in the previous section but which includes additional options specific to the name service and PAM contexts. You must also edit the /etc/nsswitch.conf file on each client to add ldap as a source for each type of data you want to LDAPify. (The nsswitch.conf changes make the C library pass requests to the libnss_ldap library, which then uses the /etc/ldap.conf information to figure out how to perform the LDAP queries.)

RFC 2307 defines the standard mapping from traditional UNIX data sets, such as the passwd and group files, into the LDAP namespace. It's a useful reference document for sysadmins using LDAP as an NIS replacement, at least in theory. In practice, the specifications are a lot easier for computers to read than for humans; you're better off looking at examples.
Padl Software offers a free set of Perl scripts that migrate existing flat files or NIS maps to LDAP. It's available from www.padl.com/tools.html, and the scripts are straightforward to run. They can be used as filters to generate LDIF, or they can be run against a live server to upload the data directly. For example, the migrate_group script converts this line from /etc/group

    csstaff:x:2033:evi,matthew,trent

to the following LDIF:

    dn: cn=csstaff,ou=Group,dc=domainname,dc=com
    cn: csstaff
    objectClass: posixGroup
    objectClass: top
    userPassword: {crypt}x
    gidNumber: 2033
    memberUid: evi
    memberUid: matthew
    memberUid: trent

(Note the object class and distinguished name specifications, which were omitted from the passwd example on page 521.)

Once a database has been imported, you can verify that the transfer worked correctly by running the slapcat utility, which displays the entire database.
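The RFC2307 mapping that migrate_group performs, written out as an added example (this is code written for this page, not the PADL script); it converts /etc/group lines into posixGroup LDIF entries under the assumed suffix dc=domainname,dc=com from the example above and escapes group names that would break the DN.

```python
"""Convert /etc/group lines into RFC 2307 posixGroup entries in LDIF.

Added example, not the PADL migrate_group script: it reproduces the mapping
shown above (group name -> cn, gid -> gidNumber, password -> userPassword
with the {crypt} prefix, members -> memberUid) under an assumed base suffix.
"""

BASE_DN = "dc=domainname,dc=com"      # assumed suffix, taken from the page's example

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514)
_DN_SPECIAL = ',+"\\<>;'


def dn_escape(value):
    """Escape a group name for use as the cn=... value of a distinguished name."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in "# "
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in _DN_SPECIAL or leading or trailing else ch)
    return "".join(out)


def group_to_ldif(line, base_dn=BASE_DN):
    """Return the LDIF entry for one group line, or None for blank/comment lines."""
    line = line.rstrip("\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) != 4:
        raise ValueError("malformed group line: %r" % line)
    name, passwd, gid, members = fields
    if not name or not gid.isdigit():
        raise ValueError("bad name or gid in group line: %r" % line)
    entry = [
        "dn: cn=%s,ou=Group,%s" % (dn_escape(name), base_dn),
        "cn: %s" % name,
        "objectClass: posixGroup",
        "objectClass: top",
    ]
    if passwd:                          # "x" means the hash lives in /etc/gshadow
        entry.append("userPassword: {crypt}%s" % passwd)
    entry.append("gidNumber: %s" % gid)
    # One memberUid attribute per member; an empty member list yields none.
    entry.extend("memberUid: %s" % m for m in members.split(",") if m)
    return "\n".join(entry) + "\n"


def migrate_group_file(text, base_dn=BASE_DN):
    """Convert a whole /etc/group file; LDIF separates entries with a blank line."""
    entries = [e for e in (group_to_ldif(l, base_dn) for l in text.splitlines()) if e]
    return "\n".join(entries)
```

Feed the output to ldapadd (or compare it with slapcat output after the import) to check the transfer the same way the text suggests.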
LDAP and security

Traditionally, LDAP was used more in the manner of a phone directory than anything else, and for that purpose, sending data without encrypting it was usually acceptable. As a result, the "standard" LDAP implementation grants unencrypted access through TCP port 389. However, we strongly advise against the use of unencrypted LDAP for the transmission of authentication information, even if passwords are individually hashed or encrypted.

As an alternative, LDAP-over-SSL (known as LDAPS, usually running on TCP port 636) is available in most situations (including the Microsoft world) on both the client and server. This access method is preferable because it protects the information contained in both the query and the response. Use LDAPS when possible.

A system with the complexity and with as many moving parts as LDAP inevitably has the potential to be misconfigured in a way that weakens security. Of course, it is likely to contain some plain, old-fashioned security holes, too. Caveat administrator.
17.6 RECOMMENDED READING

MALÈRE, LUIZ ERNESTO PINHEIRO. LDAP Linux HOWTO. www.tldp.org/HOWTO/LDAP-HOWTO/

VOGLMAIER, REINHARD. The ABCs of LDAP: How to Install, Run, and Administer LDAP Services. Boca Raton, FL: Auerbach Publications, 2004.

CARTER, GERALD. LDAP System Administration. Sebastopol, CA: O'Reilly Media, 2003.
17.7 EXERCISES

E17.1 Why is a pull method of updating a local machine's files more secure than a push method?

E17.2 Explain the following excerpt from an rdist distfile:

    LINUX_PASSWD = ( redhatbox debianbox susebox )
    passwd:
    ( /etc/passwd ) -> ( ${LINUX_PASSWD} )
        install /etc/passwd.rdist;
        cmdspecial /etc/passwd.rdist "/usr/local/sbin/mkpasswd";

E17.3 Explain the differences between rdist and rsync. In what situations would it be better to use one than the other?

E17.4 Compare NIS and LDAP. When would you use one and not the other? Would you ever use both?

E17.5 What method does your site use to share system files? What security issues are related to that method? Suggest an alternative way to share system files at your site, and detail the concerns that it addresses. What, if any, are the drawbacks?

E17.6 Design an LDAP schema that stores user information such as login, password, shell, authorized machines, etc. Build a tool that enters new users into the database interactively or from a file containing a list of users. Build a tool that generates the passwd, group, and shadow files from the LDAP database for the machines in your lab. Allow users to have different passwords on each machine if they want. (Not all users are necessarily authorized to use each computer.) Your adduser system should be able to print lists of existing user login names and to print login/password pairs for new users.
Electronic Mail

It's hard to remember what the world was like without electronic mail. Everyone from school children to grandmas to the stodgiest of corporations now routinely uses email to communicate with family, co-workers, partners, customers, and even the government. It's a mad, mad, mad email-enabled world.[1]

Email is popular because the public can easily understand the concept of sending a message whose model closely parallels that of a traditional written letter. And email "just works"; if you know someone's email address, you type a message addressed to them and press Send. Voila! Seconds later, the message is delivered to their electronic mailbox, whether they're next door or halfway around the world. From the user's perspective, nothing could be easier.

Unfortunately, it wasn't always this easy, and even today, the underlying infrastructure that makes electronic mail possible on such a large scale is rather onerous. There are several software packages you can run on your Linux system to transport and manage electronic mail (three of which are discussed later in this chapter), but they all require a certain degree of configuration and management. In addition, it's important that you understand the underlying concepts and protocols associated with email so that you don't spoil your users' illusion that cross-platform interorganizational email is a gift from the gods that magically works every time.

Today, there are alternatives to understanding and administering email infrastructure. A number of service providers now provide "managed" email service, where email is actually hosted on their servers in a data center far, far away, and you pay a monthly or annual fee (possibly per user) for access. Likewise, a number of "free" hosted services, such as Yahoo! Mail, MSN Hotmail, and Google's Gmail have become popular for individuals. If you're an individual looking for a personal email account or an account for a (very) small business, these may be viable options for you. These services offload a number of burdens, including storage, server management, software updates, configuration, spam filtering, and security vigilance, to name a few. In return for their "free" service, perhaps you'll see some advertising. It seems like a good deal in many cases; if that option works for you, you at least get the benefit of not needing to read the rest of this chapter.

However, hosted email isn't the solution for everyone. Businesses and other large organizations that depend on email service in order to operate often cannot take the risk of hosting email off-site. Such organizations may have a variety of reasons to host their own email systems, including security, performance, and availability. This chapter is for those people.

1. Even as Evi is sailing in obscure, remote locations, she is almost always in email contact through her BlackBerry thanks to the ubiquity of the GPRS network. It works in 113 countries but not Vermont!
The sheer bulk of this chapter, more than 100 pages, attests to the complexity of email systems. The chapter contains both background information and details of software configuration, in roughly that order.

We tried to divide this chapter into five smaller ones (on mail systems, sendmail configuration, spam, Exim, and Postfix), but that left it confusing, full of chicken-and-egg problems, and, we think, less useful. Instead, we offer the annotated table of contents shown in Table 18.1.
Table 18.1 A road map for this chapter

    Section  Page  Contents
    Background
      1      530   Mail systems and their various pieces
      2      534   Addressing, address syntax, mail headers
      3      539   Philosophy, client/server design, mail homes
      4      544   Aliases, mail routing, LDAP
      5      551   Mailing list software
    sendmail configuration
      6      557   sendmail: installation, startup, the mail queue
      7      565   Introduction to configuring sendmail, m4 macros
      8      570   Basic sendmail configuration primitives
      9      574   Fancier sendmail configuration primitives
      10     588   Spam, sendmail access database
      11     599   Configuration case study
      12     603   Security
      13     611   Performance
      14     615   Collecting statistics, testing, and debugging
    Other
      15     621   Exim, an alternative to sendmail
      16     623   Postfix, another alternative to sendmail
      17     639   Additional sources of information
This organization makes the flow a bit smoother when the chapter is read straight through, but it sometimes separates the items relevant to a particular email-related task. The postmaster for a medium-sized organization might need to read the entire chapter, but a sysadmin setting up PC email support for a typical business client surely does not.

Table 18.2 presents a navigation guide for several common sysadmin chores.

Most of this chapter deals with the configuration of sendmail, the standard program that parses and routes electronic mail. sendmail was originally written by Eric Allman at the University of California, Berkeley. There have been three major versions: version 5, IDA, and version 8. A completely redesigned version, Sendmail X, has recently been released in an early beta version but is not yet ready for production use. (According to insiders, it may never replace version 8.) Version 5 and IDA are no longer in common use; version 8 has replaced them. In this chapter we cover version 8 (8.13, to be precise).

sendmail is being developed commercially by Sendmail, Inc., which also maintains a free, open source version. The commercial versions feature a graphical configuration tool and centralized monitoring and reporting, features that are especially useful at high-volume mail sites.
18.1 MAIL SYSTEMS

In theory, a mail system consists of four distinct components:

· A "mail user agent" (MUA) that lets users read and compose mail
· A "mail transport agent" (MTA) that routes messages among machines
· A "delivery agent" that places messages in a local message store;[2] it is sometimes called a local delivery agent (LDA)
· An optional "access agent" (AA) that connects the user agent to the message store (e.g., through the IMAP or POP protocol)

Some sites also use a mail submission agent that speaks SMTP (the mail transport protocol) and does some of the work of the transport agent. Exhibit A shows the relationship of these components.

Table 18.2 Sections of this chapter relevant to various chores

    Chore                                    Sections
    Upgrading sendmail                       6, 7
    Configuring sendmail for the first time  3, 6, 7, 8, 9, 10, 11, 12
    Changing the config file                 7
    Designing a mail system for a site       3, 4, 5, 6, 7, 8, 9, 10, 11
    Fighting spam                            10
    Auditing security                        12
    Setting up a PC to receive mail          1, 3
    Setting up a mailing list                5
    Performance tuning                       3, 9, 13
    Virtual hosting                          9
    Using Exim instead of sendmail           15
    Using Postfix instead of sendmail        16
Exhibit A Mail system components

[Exhibit A, diagram: host A (the sender) with user agents Eudora, mail, and pine, sendmail as submission agent (MSA, port 587) and as transport agent (MTA); the Internet; host B (the receiver) with sendmail as transport agent (MTA, port 25), the delivery agents mail.local and procmail feeding the message store, imapd as access agent (AA), and local user agents. Legend: UA = user agent, MSA = submission agent, MTA = transport agent, DA = delivery agent, AA = access agent.]

User agents

Email users employ a user agent to read and compose messages. Email messages originally consisted only of text, but a standard known as Multipurpose Internet Mail Extensions (MIME) is now used to encode text formats and attachments (including many viruses) into email. It is supported by most user agents. Since it does not affect the addressing or transport of mail, we do not discuss it further in this chapter.

One chore of user agents is to make sure that any text embedded in the contents of a mail message that might be misunderstood by the mail system gets protected. An example is the string "From " that serves as a record separator between messages.

/bin/mail was the original user agent, and remains the "good ol' standby" for reading text email messages at a shell prompt. For better or worse, email on the Internet has moved beyond the text era, so text-based user agents are no longer practical for most users. Graphical user interfaces allow point-and-click access to messages and deal appropriately with attachments such as images, Microsoft Word documents, and spreadsheets.

One of the elegant features illustrated in Exhibit A is that a user agent doesn't necessarily need to be running on the same system, or even on the same platform, as the rest of your mail system. Users might run one of the many user agents shipped with Linux when logged into a Linux desktop, but they can also access their email through access agent (AA) protocols such as IMAP or POP from their Windows laptops. This is, by far, the most common configuration today. Who says Windows and Linux can't live happily together?

2. The receiving users' mailboxes or, sometimes, a database.
A sample of common user agents is listed below, along with their original sources.

· /bin/mail on Red Hat and Fedora is the BSD version of the original UNIX mail command; on SUSE, Debian and Ubuntu, this user agent is found in /usr/bin/mail.[3] This user agent is text-only and requires a local mail store.
· Thunderbird from Mozilla for Linux, Windows, and Mac OS
· Evolution (aka Novell Evolution, formerly Ximian Evolution) for Linux, Windows, and Mac OS
· pine from the University of Washington, www.washington.edu/pine
· Eudora from Qualcomm for Macs or PCs running Windows
· Outlook from Microsoft for Windows
Transport agents

A transport agent must accept mail from a user agent, understand the recipients' addresses, and somehow get the mail to the correct hosts for delivery. Most transport agents also act as message submission agents for the initial injection of new messages into the mail system. Transport agents speak the Simple Mail Transport Protocol (SMTP) defined in RFC2821 (originally defined in RFC821) or the Extended SMTP protocol (ESMTP) defined in RFCs 1869, 1870, 1891, and 1985.

Several transport agents are available for UNIX and Linux systems (PMDF, Postfix, smail, qmail, Exim, and zmailer, among others), but sendmail is the most comprehensive, most flexible, and most widely used. A 2001 survey[4] of mail systems reported that sendmail was used by 60% of the domains, Exim by 8%, Microsoft Exchange Server by 4%, and Postfix by 2%. Others (about 50 of them) were in the noise.

Red Hat, Fedora and SUSE ship with sendmail installed. Debian pretends to include sendmail, but if you look closely you'll find that sendmail is really a link to the Exim mail transport agent. Exim has been carefully crafted to understand sendmail's command-line flags. User agents that call "sendmail" explicitly to submit email should be none the wiser. Ubuntu ships Exim as the default.
Delivery agents

A delivery agent accepts mail from a transport agent and actually delivers it to the appropriate local recipients. Mail can be delivered to a person, to a mailing list, to a file, or even to a program.

Each type of recipient may require a different agent. /bin/mail is the delivery agent for local users. /bin/sh is the original delivery agent for mail going to a program; delivery to a file is handled internally. Recent versions of sendmail ship with safer local delivery agents called mail.local and smrsh (pronounced "smursh"). procmail from www.procmail.org can also be used as a local delivery agent; see page 585. Likewise, if you run Cyrus imapd as your AA, it includes its own local delivery agent.

3. This user agent is sometimes called Mail or mailx on other systems. Accordingly, Red Hat provides a link called Mail, and SUSE, Debian, and Ubuntu provide links called Mail and mailx.
4. Private study by Matrix.net for Sendmail, Inc.
Message stores

The message store is the spot on the local machine where email is stored. It used to be the directory /var/spool/mail or /var/mail, with mail being stored in files named after users' login names. That's still the most common message store, but ISPs with thousands or millions of email clients are looking to other technologies for the message store (databases, usually).

On systems that use the /var/spool/mail or /var/mail store, the mail directory is created during the installation of the operating system. It should have permissions set to mode 775, with group owner mail,[5] unless you use mail.local as your local mailer, in which case the mode can be 755. Our Linux platforms vary a bit:

    Red Hat:  drwxrwxr-x  2 root mail 1024 Dec  5 11:16 /var/spool/mail
    Fedora:   drwxrwxr-x  2 root mail 4096 Mar 17 08:42 /var/spool/mail
    SUSE:     drwxrwxrwt  2 root root 4096 Aug  2 23:25 /var/spool/mail
    Debian:   drwxrwsr-x  2 root mail 4096 Aug  3 16:17 /var/mail
    Ubuntu:   drwxrwsr-x  2 root mail 4096 Jan  8 03:22 /var/mail

See page 82 for more information about the sticky bit.

SUSE's permissions are a bit generous, but files inside the mail spool directory are mode 660 with group root. Directories with the sticky bit set (the t in the permissions) do not allow users to delete one another's files even though they have write permission on the directory. However, a malicious user could fill the mail spool, use it as a scratch partition, or create another user's mailbox.
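A check for the spool-directory guidance just given, as an added example (code written for this page, not from the book or any distribution); it turns an ls -ld mode string like the ones listed above into permission bits and reports what a looser setting exposes. The expectation that the owner is root is taken from the five listings, and the mail.local exception is the one the text states.

```python
"""Audit a mail spool directory's permissions against the guidance above.

Added example, not code from the page: it turns an ls -ld mode string into
numeric bits and reports what a setting looser than 775 root:mail (or 755
when mail.local does the delivery) exposes, as the SUSE listing illustrates.
"""
import grp
import os
import pwd
import stat

# Keyed by "uses mail.local": the text allows 775, and also 755 with mail.local.
RECOMMENDED = {False: {0o775}, True: {0o775, 0o755}}


def mode_from_ls(perm):
    """Convert a ten-character ls mode string such as drwxrwsr-x to st_mode bits."""
    if len(perm) != 10:
        raise ValueError("expected ten characters, got %r" % perm)
    bits = 0
    for i, ch in enumerate(perm[1:]):          # skip the file-type column
        if ch == "-":
            continue
        if ch in "rwx":
            bits |= 1 << (8 - i)
        elif ch in "sS" and i in (2, 5):       # setuid / setgid columns
            bits |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":                      # lowercase means execute is also set
                bits |= 1 << (8 - i)
        elif ch in "tT" and i == 8:            # sticky bit column
            bits |= stat.S_ISVTX
            if ch == "t":
                bits |= 1
        else:
            raise ValueError("bad mode character %r in %r" % (ch, perm))
    return bits


def audit_spool(perm, owner, group, uses_mail_local=False):
    """Return a list of findings; an empty list means the directory follows the guidance."""
    mode = mode_from_ls(perm)
    bits = mode & 0o777
    findings = []
    if bits & 0o002:
        note = ("world-writable: any user can fill the spool, use it as scratch "
                "space, or create another user's mailbox")
        if mode & stat.S_ISVTX:
            note += " (the sticky bit only stops users deleting one another's files)"
        findings.append(note)
    if bits & 0o020 and group != "mail":
        findings.append("group-writable but the group is %r, not mail" % group)
    if owner != "root":                        # all five listings show root as owner
        findings.append("owner is %r, not root" % owner)
    if bits not in RECOMMENDED[uses_mail_local]:
        allowed = " or ".join("%o" % m for m in sorted(RECOMMENDED[uses_mail_local]))
        findings.append("mode %o is not the recommended %s" % (bits, allowed))
    return findings


def audit_path(path, uses_mail_local=False):
    """Audit a real directory from its on-disk mode, owner and group."""
    st = os.stat(path)
    return audit_spool(stat.filemode(st.st_mode), pwd.getpwuid(st.st_uid).pw_name,
                       grp.getgrgid(st.st_gid).gr_name, uses_mail_local)
```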
Access agents

Programs such as imapd and spop are access agents for PC, Mac, or Linux users whose mail is delivered to a Linux server and then downloaded with the Internet Message Access Protocol (IMAP) or the Post Office Protocol (POP), respectively. IMAP and POP are covered starting on page 542.
Mail submission agents

Another newcomer to the mail arena that was necessitated by high-volume sites is the mail submission agent. The transport agent at a busy mail hub spends lots of time preprocessing mail messages: ensuring that all hostnames are fully qualified, modifying headers inherited from lame mail user agents, logging errors, rewriting headers, and so forth. RFC2476 introduced the idea of splitting the mail submission agent (MSA) from the mail transport agent (MTA) to spread out the workload and maximize performance.

The idea is to use the MSA, which runs on a different port, as a sort of "receptionist" for new messages injected into the mail system by local user agents. The MSA does all the prep work and error checking that must be done before a message can be sent out by the transport agent. It's a bit like inserting a sanity checker between the MUA and the MTA.

In particular, the MSA ensures that all hostnames are fully qualified; it verifies that local hostnames are legitimate before adding the local domain portion. The MSA also fixes message headers if they are missing or nonconformant. Often, the MSA adds a From or Date header or adjusts the Message-Id header. One final chore that an MSA can do is to rewrite the sender's address from a login name to a preferred external form such as First_Last.

For this scheme to work, user agents must be configured to connect to the MSA on port 587 instead of to port 25, which is the traditional port for mail. If your user agents cannot be taught to use port 587, you can still run an MSA on port 25, but on a system other than the one that runs your MTA. You must also configure your transport agent so that it doesn't duplicate the work done by the MSA. Duplicate processing won't affect the correctness of mail handling, but it does represent useless extra work.

By default, sendmail acts as an MSA as well as an MTA. Starting with sendmail 8.10, a single instance of the program listens on both port 25 and port 587. User agents often call sendmail directly with flags that ask it to accept a mail message (-bs or -bm) or with no flags at all, in which case sendmail's behavior defaults to -bm. The sendmail process keeps track of how it was called and becomes an MSA if called with flags -bs or -bm or an MTA if called with -bd.

User agents that directly open an SMTP connection must be modified to use port 587 to take advantage of an MSA.

5. Systems that deliver mail by giving away files with a nonroot chown need to have group write permission to the directory as well. In general, nonroot chown is a bad idea.
18.2 THE ANATOMY OF A MAIL MESSAGE

A mail message has three distinct parts that we must understand before we become embroiled in sendmail configuration.

· The envelope
· The headers
· The body of the message

The envelope determines where the message will be delivered or, if the message can't be delivered, to whom it should be returned. The envelope addresses generally agree with the From and To lines of the header for an individual recipient but do not agree if the message is sent to a mailing list. The addresses are supplied separately to the MSA. The envelope is invisible to users and is not part of the message itself; it's used internally by sendmail to figure out where to send the message.

The headers are a collection of property/value pairs formatted according to RFC2822. They record all kinds of information about the message, such as the date and time it was sent and the transport agents through which it passed on its journey. The headers are a bona fide part of the mail message, although user agents often hide some of the less interesting ones when displaying messages for the user.

The body of the message is the actual content to be sent. It must consist of plain text, although that text often represents a mail-safe encoding of various binary content.

As we get into the configuration section, we sometimes speak of the envelope sender and recipients and sometimes speak of the header sender and recipients. We try to specify which addresses we are referring to if it's not clear from the context.
Mail addressing

Local addressing is simple because a user's login name is a unique identifier. An Internet address is also simple: user@host.domain or user@domain. In the deep dark past of email and the Internet, addresses such as those shown in Table 18.3 were common.

Much of the complexity of sendmail configuration stems from the early requirement to handle such addresses. Each of these forms of addressing relies on relaying, and thanks to spammers, sites are slowly turning relaying off. The percent hack (last line in Table 18.3) is a favorite tool of spammers who are trying to hide their identity or to relay mail through your machines. If you need to deal with any of these address forms, see the sendmail documentation or the O'Reilly sendmail book for help.

Table 18.3 Examples of obsolete address types

    Address type    Example address                               Modern form
    UUCP            mcvax!uunet!ucbvax!hao!boulder!lair!evi       evi@lair
    Route-based     <@site1,@site2,...,@siteN:user@final-site>    user@final.site
    "Percent hack"  user%host1%host2@host3                        user@host1

Mail header interpretation

Every mail message starts with several lines called headers that contain information about the message. Each header begins with a keyword such as To, From, or Subject, followed by a colon and the contents of the header. The format of the standard headers is defined in RFC2822; however, custom headers are allowed, too. Any header beginning with "X-" is ignored by the mail system but propagated along with the message. Ergo, you can add a header such as X-Joke-of-the-Day to your email messages without interfering with the mail system's ability to route them.[6]

6. Technically, you can add any header you like because mail routing uses only the envelope and ignores the headers.
Some headers are added by the user agent and some by the transport agent. Several headers trace the path of a message through the mail system. Many user agents hide these "uninteresting" headers from you, but an option is usually available to make the agent reveal them all. Reading headers is becoming an important skill as we are bombarded with spam and must sometimes try to trace a message back to its source.

Here is the header block from a simple message:

    From trent Fri, 30 Jun 2006 20:44:49 -0600
    Received: from bull.atrust.com (bull.atrust.com [127.0.0.1]) by bull.atrust.com
        (8.13.1/8.13.1) with ESMTP id k612inlG001576 for <ned@bull.atrust.com>;
        Fri, 30 Jun 2006 20:44:49 -0600
    Date: Fri, 30 Jun 2006 20:44:48 -0600
    From: trent@atrust.com
    Message-Id: <200607010244.k612in9l001575@bull.atrust.com>
    To: ned@bull.atrust.com
    Cc: steve@bull.atrust.com
    Subject: Yonder Mountain
    ------ body of the message was here ---

This message stayed completely on the local machine; the sender was trent and the recipient was ned. The first From line was added by mail.local, which was the local delivery agent in this case. The Subject and Cc header lines were added by trent's mail user agent, which probably added the To, From, and Date headers as well. sendmail, the mail transport agent, adds To, From, and Date headers if they are not supplied by the MUA. Each machine (or more precisely, each MTA) that touches a message adds a Received header.
The headers on a mail message tell a lot about where the message has been, how long it stayed there, and when it was finally delivered to its destination. The following is a more complete dissection of a mail message sent across the Internet. It is interspersed with comments that describe the purpose of the various headers and identify the programs that added them. The line numbers at the left are for reference in the following discussion and are not part of the message. Some lines have been folded to allow the example to fit the page.

    1. From eric@knecht.sendmail.org

Line 1 was added by /bin/mail or mail.local during final delivery to separate this message from others in the recipient user's mailbox. Some mail readers recognize message boundaries by looking for a blank line followed by the characters "From "; note the trailing space. This line does not exist until the message is delivered, and it is distinct from the "From:" header line. Many mail readers don't display this line, so you may not see it at all.

    2. Return-Path: eric@knecht.Neophilic.COM

Line 2 specifies a return path, which may be a different address from that shown on the From: line later in the mail header. Error messages should be sent to the address in the Return-Path header line; it contains the envelope sender address.
    3. Delivery-Date: Mon, 06 Aug 2001 14:31:07 -0600

Line 3 shows the date that the mail was delivered to evi's local mailbox. It includes the offset from UTC for the local time zone (MDT, mountain daylight time).

    4. Received: from anchor.cs.colorado.edu (root@anchor.cs.colorado.edu
       [128.138.242.1]) by rupertsberg.cs.colorado.edu (8.10.1/8.10.1) with ESMTP
       id f76KV7J25997 for <evi@rupertsberg.cs.colorado.edu>; Mon, 6 Aug 2001
       14:31:07 -0600 (MDT)
    5. Received: from mroe.cs.colorado.edu (IDENT:root@mroe.cs.colorado.edu
       [128.138.243.151]) by anchor.cs.colorado.edu (8.10.1/8.10.1) with ESMTP id
       f76KV6418006 for <evi@anchor.cs.colorado.edu>; Mon, 6 Aug 2001 14:31:06
       -0600 (MDT)
    6. Received: from knecht.Neophilic.COM (knecht.sendmail.org [209.31.233.176])
       by mroe.cs.colorado.edu (8.10.1/8.10.1) with ESMTP id f76KV5Q17625 for
       <evi@anchor.cs.colorado.edu>; Mon, 6 Aug 2001 14:31:05 -0600 (MDT)
    7. Received: from knecht.Neophilic.COM (localhost.Neophilic.COM [127.0.0.1])
       by knecht.Neophilic.COM (8.12.0.Beta16/8.12.0.Beta17) with ESMTP id
       f76KUufg084340 for <evi@anchor.cs.colorado.edu>; Mon, 6 Aug 2001 13:30:
       56 -0700 (PDT)

Lines 4-7 document the passage of the message through various systems en route to the user's mailbox. Each machine that handles a mail message adds a Received line to the message's header. New lines are added at the top, so in reading them you are tracing the message from the recipient back to the sender. If the message you are looking at is a piece of spam, the only Received line you can really believe is the one generated by your local machine.

Each Received line includes the name of the sending machine, the name of the receiving machine, the version of sendmail (or whatever transport agent was used) on the receiving machine, the message's unique identifier while on the receiving machine, the recipient (if there is only one), the date and time, and finally, the offset from Universal Coordinated Time (UTC, previously called GMT for Greenwich Mean Time) for the local time zone. This data is collected from sendmail's internal macro variables. In the next few paragraphs, we trace the message from the sender to the recipient (backwards, from the point of view of header lines).
See page 397 for more information about MX records.

Line 7 shows that the message went from knecht's localhost interface (which Eric's particular mail user agent chose for its initial connection) to knecht's external interface via the kernel loopback pseudo-device. Line 6 documents that knecht then sent the message to mroe.cs.colorado.edu, even though the message was addressed to evi@anchor.cs.colorado.edu (see header line 9). A quick check with dig or nslookup shows that the host anchor has an MX record that points to mroe, causing the delivery to be diverted. The machine knecht was running sendmail version 8.12.0Beta16. The machine mroe was running sendmail version 8.10.1, and it identified the message with queue ID f76KV5Q17625 while it was there. mroe then forwarded the message to anchor.cs.colorado.edu as addressed (line 5), which may seem strange given that the original transmission from knecht was diverted from anchor to mroe because of MX records. The reason for this apparent inconsistency is that the cs.colorado.edu domain uses a "split DNS" configuration. The MX record for anchor that is visible to the outside world points to the incoming master mail machine (mroe). However, a different record is seen within the cs.colorado.edu domain itself. The internal version of the record points first to anchor itself and then to mroe as a backup.

As soon as the mail arrived on anchor, it was immediately forwarded again, this time to rupertsberg. The cause of this hop was aliasing, a mail handling feature that is described in detail starting on page 544.

Aliases play an important role in the flow of mail. An alias maps a username to something else; for example, to the same user at a different machine, to a group of users, or even to an alternative spelling of the user's name. You cannot determine why the message was diverted by examining only the example headers. As with MX records, you must seek external sources of information.

Received lines 5 and 6 include the "for <evi@anchor.cs.colorado.edu>" phrase, which identifies how the mail was addressed when it arrived at the local site. This information helps when you are trying to unsubscribe from a mailing list that requires you to either send the unsubscribe message from the same host from which you subscribed (sometimes years earlier) or to know that address and use it as a parameter in your unsubscribe message.

The final Received line (line 4) shows "for <evi@rupertsberg.cs.colorado.edu>"; the value of sendmail's destination address macro has been changed by the alias lookup on the machine anchor. The local mail delivery agent on rupertsberg put the mail in evi's mailbox.
    8. Message-Id: <200108062030.f76KUufg084340@knecht.Neophilic.COM>

Line 8 contains the message ID, which is different from a queue ID and is unique within the world-wide mail system. It is added to the message when the message is initially submitted to the mail system.

    9. To: evi@anchor.cs.colorado.edu
    10. From: Eric Allman <eric@Sendmail.ORG>
    11. X-URL: http://WWW.Sendmail.ORG/~eric
    12. Subject: example message for Evi
    13. Date: Mon, 06 Aug 2001 13:30:56 -0700
    14. Sender: eric@knecht.Neophilic.COM

Lines 9, 10, 12, 13, and 14 are standard. Although a Subject header is not required, most user agents include it. The To line contains the address of the primary recipient or recipients. The From line lists the sender as eric@sendmail.org; however, the Received lines list the sending machine as being in the neophilic.com domain, because Eric's machine knecht has several virtual domains tied to it in addition to sendmail.org. The Date line shows the date and time the message was sent. In this case the send time matches the dates in the Received lines pretty closely, even though each was measured with a different clock.
Line 11 identifies the URL of Eric's home page. Notice that it begins with an X, making it an unofficial header. When mail was first specified, there was no such thing as the web or URLs.

The Received lines are usually added by the transport agent (unless they are forged), and the other headers are added by the user agent. Some user agents are lame and do not add proper headers; in this case, sendmail steps in to add the missing headers.

The first Received line that is added (usually on the sending machine, when the mail is transferred to the outgoing interface) sometimes includes an "ident" clause that gives the sender's login name. It should be the same as the name on the From line, but it won't be if the From line is forged. In our example, Eric's machine knecht was not running the daemon that implements this feature (identd), so there is no clause that lists the sender's login name.
Exhibit B illustiates this message's jouiney thiough the mail system. It shows what
actions weie taken, wheie they happened, and what piogiams peifoimed them.
Exhibit B A message from Eric
As you can see, sendmail is the workhorse in this process. It handles the message from the time it leaves exmh in Berkeley until it arrives on rupertsberg for delivery.
18.3 MAIL PHILOSOPHY
The mail philosophy we outline in this chapter is almost mandatory for keeping the administration of medium and large sites manageable. However, it is also appropriate for small sites. The main concepts that lead to easy administration are:
· Servers for incoming and outgoing mail; or for really large sites, a hierarchy
· A mail home for each user at a physical site
· IMAP or POP[7] to integrate PCs, Macs, and remote clients
[Exhibit B diagram; columns: On rupertsberg, On anchor, On mroe, On knecht. Programs: exmh on knecht, sendmail on knecht, sendmail on mroe, sendmail on anchor, sendmail on rupertsberg, mail.local on rupertsberg. Annotations: DNS query for anchor, MX to anchor, evi@anchor aliased to evi@rupertsberg.]
7. IMAP is preferred over POP these days. If you support email access from outside your organization, make sure you use the SSL-encrypted versions of these protocols (IMAPS and POPS, respectively). See page 542 for more details.
See page 397 for more information about MX records.
We discuss each of these key issues below and then give a few examples. Other subsystems must cooperate with the design of your mail system as well: DNS MX records must be set correctly, Internet firewalls must let mail in and out, the message store machine(s) must be identified, and so on.
Mail servers have four functions:
· To accept outgoing mail from user agents and inject it into the mail system
· To receive incoming mail from the outside world
· To deliver mail to end-users' mailboxes
· To allow users to access their mailboxes with IMAP or POP
At a small site, the servers that implement these functions might all be the same machine wearing different hats. At larger sites, they should be separate machines. It is much easier to configure your network firewall rules if incoming mail arrives at only one machine and outgoing mail appears to originate at only one machine.
Some sites use a proxy to receive mail from the outside world. The proxy doesn't really process mail; it just accepts and spools it. A separate process then forwards the spooled mail to sendmail for transport and processing. smtpd and smtpfwdd from www.obtuse.com are examples of such proxies for sendmail; smtpd can also filter incoming mail with access lists. Both are open source products. None of our Linux distributions include them in the standard installation package.
Using mail servers
Pick stable, reliable machines to use as your mail servers. Here, we outline a mail system design that seems to scale well and is relatively easy to manage and secure. It centralizes the handling of both incoming and outgoing mail on servers dedicated to those purposes. Exhibit C illustrates one form of this system.
Exhibit C Mail system architecture
[Exhibit C diagram; labels: Inbound mail, Outbound mail, the outside world, inside your site, SMTP, Mail-in server, Mail-out server, MSA server, Message store (NFS(a) or local disk), Clients (IMAP or POP), Mobile clients (secure IMAP or POP).]
a. We don't recommend using NFS for the message store because of the potential for locking problems.
The mail system depicted in Exhibit C has a single point of exposure to the outside world: the mail server that receives messages from the Internet. The outgoing mail server is also directly connected to the Internet, but it is less exposed because it initiates connections rather than accepting connections from external sites. The incoming mail server should be carefully monitored, should be upgraded with security patches, and should run the latest version of sendmail with spam filters for incoming mail.
The server that handles outgoing mail must also be well maintained. It can include spam filters of its own to verify that no local user is contributing to the spam problem. If your site has concerns about the leakage of proprietary information, establishing a single server through which all outgoing mail must pass makes it easier to implement or enforce content policies. If your site manages large mailing lists, the outgoing mail server can be configured to take advantage of some of sendmail's performance-oriented features; see page 611 for details.
Both the incoming and outgoing mail servers can be replicated if your mail load requires it. For example, multiple inbound mail servers can hide behind a load balancing box or use DNS MX records to crudely balance the load. Different client machines can route mail through different outbound servers. Don't pass any mail directly between the incoming servers and the outgoing servers, however; they should be separated from each other by an internal firewall.
At really large sites, incoming and outgoing mail servers would be replicated. An additional routing layer could be added to look up users' mailboxes (perhaps through LDAP) and route the mail to the appropriate message store. The routing layer could also do spam and virus filtering before delivering messages to users' mailboxes.
ISPs who are designing a mail system for customers should add another server that acts as the target of customers' backup MX records and handles mailing lists. This machine has to accept mail and relay it back out, but it must be heavily filtered to make sure that it only relays the mail of actual customers. It, too, should be separated from the incoming and outgoing mail servers by a firewall.
See page 505 for a discussion of file distribution issues.
Garden-variety Linux hosts can be given a minimal sendmail configuration that forwards outgoing mail to the server for processing. They do not need to accept mail from the Internet. Some sites may want to relax this funneling model a bit and allow arbitrary hosts to send mail directly to the Internet. In either case, nonserver machines can all share the same sendmail configuration. You might want to distribute the configuration with a tool such as rdist or rsync.
Sites that use software such as Microsoft Exchange and Lotus Notes but are not comfortable directly exposing these applications to the Internet can use a design modeled on that shown in Exhibit D on the next page.
Whatever design you choose, make sure that your sendmail configuration, your DNS MX records, and your firewall rules are all implementing the same policy with respect to mail.
Exhibit D Mail system architecture diagram #2
Using mail homes
It is convenient for users to receive and keep their mail on a single machine, even if they want to access that mail from several different systems. You can implement mail homes by using the aliases file or an LDAP database (see page 555). You can provide remote access to each user's mailbox with IMAP or POP.
The aliasing scheme we use lets the alias files be the same on all machines within an administrative domain. This uniformity is a big win from the administrator's point of view. (We assume that login names and UIDs are unique across all machines, a policy we recommend highly.)
Some sites centralize mail by exporting /var/spool/mail over NFS. Locking problems with NFS files can cause users to lose mail or to have their spool files garbled. Finger-pointing among NFS, sendmail, and the delivery agents with regard to proper locking does not help the poor user whose mailbox has been corrupted (however, sendmail is always innocent since it never actually delivers mail).
Some NFS implementations (such as those on dedicated NFS file servers) include a lock manager that works correctly. Most implementations either do not support locking or support it improperly. Some sites just ignore the locking problem and hope for the best, and others require users to read mail on the file server.
Our advice is to not use an NFS-shared /var/spool/mail.
Using IMAP or POP
IMAP and POP are protocols that download email to a user's desktop machine when it joins the network. This is the ideal way to manage mail, especially for hosts that are not always connected, either because they are turned off when not in use or because they are at home and share the phone line with teenagers. A password is required; be sure to use a version (IMAPS and POPS) that incorporates SSL encryption and hence does not transmit the password in cleartext over the Internet.
[Exhibit D diagram; labels: Inbound mail, Outbound mail, outside, inside, SMTP, Mail-in server (Linux), MS Exchange server, MTA-out, MSA, Clients' user agents (UA).]
We like IMAP, the Internet Message Access Protocol, better than POP. It delivers your mail one message at a time rather than all at once, which is much kinder to the network (especially on a slow link) and better for someone traveling from location to location. It is especially nice for dealing with the giant attachments that some folks like to send: you can browse the headers of your mail messages and not download the attachments until you are ready to deal with them.
IMAP manages mail folders among multiple sites; for example, between your mail server and your PC. Mail that stays on the Linux server can be part of the normal backup schedule. www.imap.org contains lots of information about IMAP and a list of available implementations.
POP, the Post Office Protocol, is similar but assumes a model in which all the mail is downloaded from the server to the PC. It can be either deleted from the server (in which case it might not be backed up) or saved on the server (in which case your mail spool file grows larger and larger). The "whole mailbox at a time" paradigm is hard on the network and less flexible for the user. It can be really slow on dial-up lines if you are a pack rat and have a large mail spool file. Mail ends up getting scattered around with POP.
Both of these protocols can become resource hogs if users never delete any messages. In the case of IMAP, it takes forever to load the headers of all the mail messages; POP transmits the whole mailbox. Make sure your users understand the value of deleting messages or filing them in local folders.
A reasonable implementation of POP3, the current version of the protocol, is available from Qualcomm at www.eudora.com/products/unsupported/qpopper. The qpopper server includes TLS/SSL authentication between the server and client and encrypts messages.
You can find many other POP3 servers for Linux on the Internet; make sure you choose one that is being actively maintained.
IMAP server software is available from www.washington.edu/imap. No configuration is needed except to put the proper IMAP entries in the files /etc/services and /etc/inetd.conf and to make sure that your firewall (if any) doesn't prevent IMAP from working. IMAP has been guilty of security problems in the past; see the CERT advisories, and be sure to obtain the latest version of IMAP, especially if there are security bulletins that postdate your Linux distribution.
Carnegie Mellon University has developed an IMAP server called Cyrus IMAP that supports the POP protocol as well. We like it better than the UW IMAP implementation for its rich feature set and performance for high-end users.
Dovecot is a more recent package that implements both IMAP and POP service. It was written according to strict and explicit coding guidelines that increase its security, at least in theory. Dovecot also has some interesting features, such as the ability to store email in a SQL database rather than in the filesystem. Dovecot doesn't yet
have the track record or installed base of Cyrus, but it's definitely a project to keep an eye on and evaluate.
All our example Linux distributions include an IMAP server called imapd and a client, fetchmail, that speaks both IMAP and POP. Red Hat's imapd is the Cyrus IMAP server from CMU; SUSE, Debian, and Ubuntu use the University of Washington version. Red Hat also includes pop3d, a POP server. Not to be outdone, SUSE includes three: qpopper (which SUSE renames popper), pop2d, and pop3d. Debian has several tools for managing mailboxes with IMAP; man -k imap tells you their names.
18.4 MAIL ALIASES
Aliases allow mail to be rerouted either by the system administrator or by individual users.[8] They can define mailing lists, forward mail among machines, or allow users to be referred to by more than one name. Alias processing is recursive, so it's legal for an alias to point to other destinations that are themselves aliases.
sendmail supports several aliasing mechanisms:
· A variety of flat file maps that users and system administrators can easily set up (such as /etc/aliases)
· Vendor-promoted legacy file distribution systems such as NIS and NIS+ from Sun[9] and NetInfo from Apple
· Various mail routing databases
· LDAP (the Lightweight Directory Access Protocol)
See page 555 for more information about LDAP.
Flat files such as the /etc/aliases file (discussed later in this section) are by far the most straightforward and easiest to set up for small- to mid-sized sites. If you want to use the mail homes concept and you have a large, complex site, we recommend that you implement mail homes by storing aliases in an LDAP server.
We cover LDAP in more detail in three places in this chapter, and we also mention it in Chapter 17, Sharing System Files. We introduce and explain LDAP on page 555. We then describe LDAP's interaction with sendmail and with sendmail's configuration file on page 580. Before diving into LDAP, however, we first describe the traditional flat file aliasing mechanisms.
Aliases can traditionally be defined in the following three places (unfortunately, with three different syntaxes):
· In a user agent's configuration file (by the sending user)
· In the system-wide /etc/mail/aliases file (by the sysadmin)
· In a user's forwarding file, ~/.forward (by the receiving user)[10]
8. Technically, aliases are configured only by sysadmins. The user's control of mail routing by use of a .forward file is not really aliasing, but we have lumped them together here.
9. Support for NIS+ was officially discontinued by Sun in 2005. LDAP is the designated replacement.
10. ~/.forward is the default place that sendmail looks. However, you can override this path by setting sendmail's ForwardPath option.
The user agent looks for aliases in the user's config files and expands them before injecting the message into the mail system. The transport agent, sendmail, looks for aliases in the global aliases file and then in the recipients' forwarding files. Aliasing is applied only to messages that sendmail considers to be local.[11]
Here are some examples of aliases in the aliases file format:
nemeth: evi
evi: evi@mailhub
authors: evi,garth,trent
The first line says that mail sent to "nemeth" should be delivered to the user evi on the local machine. The second line says that all mail to evi should be delivered on the machine mailhub, and the third line says that mail addressed to "authors" should be delivered to the users evi, garth, and trent. Recursion is supported, so mail sent to nemeth actually ends up going to evi@mailhub.
See Chapter 17 for more information about NIS.
The path to the global aliases file is specified in sendmail's configuration file. It's /etc/aliases on Red Hat, SUSE, and Ubuntu. /etc/mail/aliases is actually the "standard" location. Sites can have multiple aliases files, and they can also use alternative ways of storing alias mappings such as NIS or database files.
The format of an entry in the aliases file is
local-name: recipient1,recipient2,...
where local-name is the original address to be matched against incoming messages and the recipient list contains either recipient addresses or the names of other aliases. Indented lines are considered continuations of the preceding lines.
From mail's point of view, the aliases file supersedes /etc/passwd, so the entry
david: david@somewhere-else.edu
would prevent the local user david from ever getting any mail. Therefore, administrators and adduser tools should check both the passwd file and the aliases file when selecting new user names.
The /etc/mail/aliases file should always contain an alias named "postmaster" that forwards mail to whoever maintains the mail system. Likewise, an alias for "abuse" is appropriate in case someone outside your organization needs to contact you regarding spam or suspicious network behavior that originates at your site. An alias for automatic messages from sendmail must also be present; it's usually called Mailer-Daemon and is often aliased to postmaster.
You should redirect root's mail to your site administrators or to someone who logs in every day. The bin, sys, daemon, nobody, and hostmaster accounts (and any other pseudo-user accounts you set up) should also have aliases that forward mail to a human. The file sendmail/aliases in the distribution is a good template for the
11. Actually, this statement is not completely true. If you add the F=A flag to the SMTP mailer, you can implement aliasing for remote addresses as well.
system-wide aliases that should be included. It also includes security suggestions and an example of how some common user requests are routed at Berkeley.
sendmail detects loops that would cause mail to be forwarded back and forth forever by counting the number of Received lines in a message's header and returning it to the sender when the count reaches a preset limit (usually 25).[12] Each visit to a new machine is called a "hop" in sendmail jargon; returning a message to the sender is known as "bouncing" it. The previous sentence, properly jargonized, would be, "Mail bounces after 25 hops."[13]
In addition to a list of users, aliases can refer to
· A file containing a list of addresses
· A file to which messages should be appended
· A command to which messages should be given as input
Since the sender of a message totally determines its content, these delivery targets were often abused by hackers. sendmail has become very fussy about the ownership and permissions on such files and commands. To override sendmail's paranoia, you must set one of the DontBlameSendmail options, so named to discourage you from doing it. Unfortunately, the error messages that sendmail produces when it encounters unsafe permissions or ownerships are not always clear.
Getting mailing lists from files
The :include: directive is a great way to let users manage their own mailing lists. It allows the members of an alias to be taken from an external file rather than listed directly in the aliases file. The file can also be changed locally without intervention by the system administrator who is responsible for the global aliases file.
When setting up the list, the sysadmin must enter the alias into the global aliases file, create the included file, and chown the included file to the user maintaining the mailing list. For example, the aliases file might contain
sabook: :include:/usr/local/mail/lab.readers
The file lab.readers should be on a local filesystem, not on an NFS-mounted filesystem,[14] and should be writable only by its owner. To be really complete, we should also include aliases for the mailing list's owner so that errors (bounces) are sent to the owner of the list and not to the sender of a message addressed to the list:
owner-sabook: evi
12. The default hop limit is 25, but you can change it in the config file.
13. We have been inconsistent with terminology in this chapter, sometimes calling a returned message a "bounce" and sometimes calling it an "error." What we really mean is that a Delivery Status Notification (DSN) has been generated. Such a notification usually means that a message was undeliverable and is therefore being returned to the sender.
14. If the NFS filesystem is mounted "hard" and NFS fails, sendmail will block with several file handles open and several waiting processes. You may eventually run out of process IDs or file handles and have to reboot the machine to clear things.
See page 551 for more about mailing lists and their interaction with the aliases file.
Mailing to files
If the target of an alias is an absolute pathname (double-quoted if it includes special characters), messages are appended to the specified file. The file must already exist. For example:
complaints: /dev/null
It's useful to be able to send mail to files and programs, but this feature introduces security concerns and is therefore restricted. This syntax is only valid in the aliases file and in a user's .forward file (or in a file that's interpolated into one of these files with :include:). A filename is not understood as a normal address, so mail addressed to /etc/passwd@host.domain will bounce.
Some user agents let you save mail to a local file (such as an outbox folder). However, that copy of the message is saved by the user agent and is never really processed by the mail system.
If the destination file is referenced from the aliases file, it must be world-writable (not advisable), setuid but not executable, or owned by sendmail's default user. The identity of the default user is set with the DefaultUser option. It is normally mailnull, sendmail, daemon, or UID 1, GID 1.
If the file is referenced in a .forward file, it must be owned and writable by the original message recipient, who must be a valid user with an entry in the /etc/passwd file and a valid shell that's listed in /etc/shells. For files owned by root, use mode 4644 or 4600, setuid but not executable.
Mailing to programs
An alias can also route mail to the standard input of a program. This behavior is specified with a line such as
autoftp: "|/usr/local/bin/ftpserver"
It's even easier to create security holes with this feature than with mailing to a file, so once again it is only permitted in aliases, .forward, or :include: files, and the default configuration of sendmail now requires use of the restricted shell smrsh.[15] In the aliases file, the program runs as sendmail's default user; otherwise, the program runs as the owner of the .forward or :include: file. That user must be listed in the /etc/passwd file with a valid shell (one that is listed in /etc/shells).
The program mailer changes its working directory to the user's home directory (or, if that directory is inaccessible, to the root directory) before running the command that is to receive the mail. The default used to be sendmail's queue directory, but some csh-based shells objected.
15. Mailing to programs is a major potential security hole. See Security and sendmail on page 603 for more information about smrsh.
Aliasing by example
Here are some typical aliases that a system administrator might use.
# Required aliases[16]
postmaster: trouble, evi
postmistress: postmaster
MAILER-DAEMON: postmaster
hostmaster: trent
abuse: postmaster
webmaster: trouble, trent
root: trouble, trent
# include for local trouble alias
trouble: :include:/usr/local/mail/trouble.alias
troubletrap: "/usr/local/mail/logs/troublemail"
tmr: troubletrap,:include:/usr/local/mail/tmr.alias
# sysadmin conveniences
diary: "/usr/local/admin/diary"
info: "|/usr/local/bin/sendinfo"
# class aliases that change every semester
sa-class: real-sa-class@nag
real-sa-class: :include:/usr/local/adm/sa-class.list
In this example, we would like users from all over campus to be able to send mail to a single alias "trouble" whenever problems occur. Problem reports should always be routed to an appropriate group of local system administrators. In particular, we'd like to set up the mail aliases so that
· Trouble mail always goes to an appropriate group.
· A single version of the aliases file is used on all hosts.
· Individual admin groups control their own distribution lists.
· A copy of all trouble mail goes to a local log file for each group.
The configuration above satisfies these goals by taking the definition of the trouble alias from a file on each machine. Mail sent to the addresses trouble@anchor and trouble@boulder would end up in different places even though anchor and boulder use the same /etc/mail/aliases file.
Trouble mail is usually handled on one particular machine in each locale. For example, the trouble.alias file on a slave machine could contain the address
trouble@master
to make trouble mail go to the appropriate master machine.
When a trouble message is resolved, it is sent to the alias tmr, which stands for "trouble mail readers." The tmr alias archives the message to the troubletrap alias and also
16. A white lie. Only postmaster and MAILER-DAEMON are really required (by the RFCs), but it is conventional to include hostmaster, abuse, and webmaster as well.
sends it to a list of users taken from a file on the master machine. Adding novice administrators to the tmr list is a great way to let them see the support questions that arise, the administrators' replies, and the proper sycophantic tone that should be used with users (i.e., customers).
The sa-class alias has two levels so that the data file containing the list of students only needs to be maintained on a single machine, nag. The sabook alias example on page 546 should really have this same type of indirection so that the include file does not need to be replicated.
The diary alias is a nice convenience and works well as a documentation extraction technique for squirrelly student sysadmins who bristle at documenting what they do. Sysadmins can easily memorialize important events in the life of the machine (OS upgrades, hardware changes, crashes, etc.) by sending mail to the diary file. Don't put the file on a filesystem that contains your log files; that would allow hackers to fill up the filesystem and prevent syslog from writing log entries (thus covering their tracks).
Forwarding mail
The aliases file is a system-wide config file that should be maintained by an administrator. If users want to reroute their own mail (and your site doesn't use POP or IMAP to access mail), they can do so by creating .forward files in their home directories. sendmail always looks in a user's home directory for a .forward file unless the ForwardPath variable is set and overrides the default location. It's convenient to use a .forward file when a user wants to receive mail on a particular host or when someone leaves your site and wants to have mail forwarded to a new location.
A .forward file consists of a list of comma-separated addresses on a single line or several entries on separate lines. For example,
evi@ipn.caida.org
evi@atrust.com
or
\mcbryan, "/home/mcbryan/archive", mcbryan@fhsuphil.gmd.de
In the first example, mail for evi is not delivered on the local machine, but is instead forwarded to the machine ipn at CAIDA in San Diego and to atrust.com. The second entry is from a user who does not trust mail systems and wants his mail replicated in three places: the regular mail spool on the local machine, a permanent archive of all incoming mail, and a temporary address in Germany where he is traveling at the moment. The backslash before his username says to deliver mail locally no matter what the aliases or forward files might say.
For temporary changes in mail routing, use of a .forward file is preferable to use of the global aliases file. The overhead (computer time and people time) required to change the system-wide aliases is quite high.
A user's .forward file must be owned by the user and must not be group- or world-writable. If sendmail thinks the directory path to the .forward file is safe (i.e., the permissions from the root all the way down are OK), it can be a link; otherwise, it cannot be a link. sendmail ignores forwarding files on which the permissions look suspicious; the permissions on the parent directory must also be safe (writable only by the user who owns the files).
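A check that applies these rules to a real .forward file, as an added example that is not sendmail's own code (sendmail's actual checks, driven by its SafeFileEnvironment and DontBlameSendmail settings, are more elaborate). The home directory, file, permissions and uid that demo() inspects are constructed fixtures in a temporary directory.

```python
"""Audit a user's .forward file the way the text says sendmail judges it.

Added example, not sendmail's code: the file must be owned by the user, must
not be group- or world-writable, may be a symlink only when every directory
from the root down is safe, and its parent directory must be writable only by
the user (or root). The fixtures built in demo() are constructed.
"""
import os
import stat
import tempfile


def _dir_is_safe(path, uid):
    """Safe: owned by the user or root and not group- or world-writable."""
    st = os.stat(path)
    return st.st_uid in (uid, 0) and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def _path_is_safe(home, uid):
    """True if every directory from the root down to home is safe."""
    path = os.path.abspath(home)
    while True:
        if not _dir_is_safe(path, uid):
            return False
        parent = os.path.dirname(path)
        if parent == path:          # reached the root
            return True
        path = parent


def forward_file_status(home, uid):
    """Return (ok, reason): would sendmail honour home/.forward for this uid?"""
    fwd = os.path.join(home, ".forward")
    try:
        lst = os.lstat(fwd)
    except FileNotFoundError:
        return True, "no .forward file"      # nothing to forward, nothing unsafe
    if stat.S_ISLNK(lst.st_mode) and not _path_is_safe(home, uid):
        return False, ".forward is a symlink but the directory path is not safe"
    st = os.stat(fwd)                         # follows the link if there is one
    if not stat.S_ISREG(st.st_mode):
        return False, ".forward is not a regular file"
    if st.st_uid != uid:
        return False, f".forward is owned by uid {st.st_uid}, not {uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, ".forward is group- or world-writable"
    if not _dir_is_safe(home, uid):
        return False, "home directory is writable by group or others"
    return True, "ok"


def demo():
    """Exercise the check on constructed fixtures; returns {case: ok}."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home", "evi")
        os.makedirs(home)
        os.chmod(home, 0o755)
        fwd = os.path.join(home, ".forward")
        with open(fwd, "w") as f:
            f.write("evi@ipn.caida.org\n")   # constructed forwarding address
        os.chmod(fwd, 0o644)
        results["good"] = forward_file_status(home, uid)[0]
        os.chmod(fwd, 0o666)                 # world-writable: sendmail ignores it
        results["world_writable_file"] = forward_file_status(home, uid)[0]
        os.chmod(fwd, 0o644)
        os.chmod(home, 0o777)                # parent directory writable by anyone
        results["world_writable_home"] = forward_file_status(home, uid)[0]
        os.chmod(home, 0o755)
        os.remove(fwd)
        results["missing"] = forward_file_status(home, uid)[0]
    return results
```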
Naturally, sendmail must be able to access a user's home directory on the machine where mail is delivered to determine whether it contains a .forward file. Permanent changes of address should be put in the /etc/mail/aliases file because a user's home directory and files will eventually be removed.
sendmail has a nifty feature, FEATURE(`redirect'), that helps with the management of permanent email changes. If an alias points to user@newsite.REDIRECT, mail will be returned to the sender with a notification of the new address. The message is not forwarded to the new address, so the sender must update his address book and resend the message.
You can configure sendmail to support a central directory for .forward files, but users do not expect this configuration. The location of .forward files is controlled by the ForwardPath option, which usually points to that central directory and then to the user's home directory. The generic.m4 domain file illustrated on page 572 contains an example of a central location for .forward files.
An entry in the global aliases file takes precedence over an entry in a .forward file. Since these files are maintained by different people, users must be careful not to inadvertently create mail loops. If a user on a network has a mail home (and therefore an entry in the global aliases file), that user cannot use a .forward file to reroute mail to another machine that shares the same aliases. For example, at the University of Colorado, where we use a site-wide aliases file, an entry such as
evi: evi@boulder
and a .forward file on the machine boulder containing
evi@anchor.cs
would create a loop. Mail addressed to evi would be forwarded to boulder, where the .forward file would cause it to be sent to anchor in the cs subdomain. The aliases file on anchor would cause it to be forwarded back to boulder, and so on. After 25 hops, the mail would be returned to the sender.
Notifying a user of a mail loop is challenging if your primary mode of communication is email. Mail to \user[17] delivers the message on the local machine, regardless of what the system-wide aliases file or the user's .forward file might say. If the local machine is where the user expects to read mail, fine; otherwise, send mail to the postmaster to report the loop or pick up the phone!
17. You may have to use two or more backslashes to get one of them past the shell and into sendmail.
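An added example, not sendmail's or the book's code, that models the alias expansion described in this section together with the .forward loop above: it parses aliases-file text, follows :include:, file, program and \user targets, consults per-host .forward files, and bounces once the hop count passes 25. The hosts, users and paths in the sample data are constructed; every host in the model shares one aliases file, as in the mail-home scheme the chapter recommends.

```python
"""Simulate sendmail alias and .forward expansion with the 25-hop bounce limit.

Added example, not sendmail's or the book's code. It models the chapter's
scheme: one aliases file shared by every host, per-host :include: and .forward
files, file and program targets, the \\user escape, and a bounce once a message
has crossed more than HOP_LIMIT machines. Sample hosts, users and paths are
constructed.
"""

HOP_LIMIT = 25  # sendmail's default MaxHopCount


def _split_recipients(text):
    items, cur, quoted = [], [], False   # split on commas outside double quotes
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur).strip())
    return [item for item in items if item]


def parse_aliases(text):
    """Parse aliases(5) text into {name: [targets]}; indented lines continue."""
    aliases, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            aliases[current].extend(_split_recipients(raw))
            continue
        name, _, rest = raw.partition(":")
        current = name.strip().lower()
        aliases[current] = _split_recipients(rest)
    return aliases


class MailSite:
    """Hosts sharing one aliases file; .forward and :include: files are per host."""

    def __init__(self, aliases_text, forwards=None, include_files=None):
        self.aliases = parse_aliases(aliases_text)
        self.forwards = forwards or {}            # {(host, user): [targets]}
        self.include_files = include_files or {}  # {(host, path): [targets]}

    def route(self, address, host):
        """Final delivery actions, as (kind, detail) pairs, for mail to address on host."""
        actions = []
        self._route(address, host, 0, frozenset(), actions)
        return actions

    def _route(self, target, host, hops, chain, actions):
        if target.startswith("\\"):            # \user: local mailbox, no aliasing
            actions.append(("mailbox", f"{target[1:]}@{host}"))
        elif target.startswith(":include:"):   # members come from a per-host file
            for t in self.include_files[(host, target[len(":include:"):])]:
                self._route(t, host, hops, chain, actions)
        elif target.startswith("|"):           # program target
            actions.append(("program", target[1:]))
        elif target.startswith("/"):           # file target: message is appended
            actions.append(("file", target))
        elif "@" in target:
            user, dest = target.rsplit("@", 1)
            if dest == host:                   # local after all: same chain
                self._local(user, host, hops, chain, actions)
            elif hops + 1 > HOP_LIMIT:         # one Received line too many
                actions.append(("bounce", f"{target}: too many hops ({hops + 1})"))
            else:                              # new machine: fresh expansion chain
                self._local(user, dest, hops + 1, frozenset(), actions)
        else:
            self._local(target, host, hops, chain, actions)

    def _local(self, user, host, hops, chain, actions):
        """Aliases file first, then the user's .forward, then the mailbox."""
        name = user.lower()
        alias_key, fwd_key = (host, "alias", name), (host, "forward", name)
        # A name already in its own expansion chain on this host (the alias
        # 'evi: evi@mailhub' seen on mailhub) is a self-reference: stop expanding.
        if name in self.aliases and alias_key not in chain:
            for t in self.aliases[name]:
                self._route(t, host, hops, chain | {alias_key}, actions)
        elif (host, name) in self.forwards and fwd_key not in chain:
            for t in self.forwards[(host, name)]:
                self._route(t, host, hops, chain | {fwd_key}, actions)
        else:
            actions.append(("mailbox", f"{name}@{host}"))


SAMPLE_ALIASES = """\
nemeth:  evi
evi:     evi@mailhub
authors: evi, garth,
         trent
trouble: :include:/usr/local/mail/trouble.alias
"""
SAMPLE_SITE = MailSite(SAMPLE_ALIASES,
    forwards={("boulder", "mcbryan"): ["\\mcbryan", "/home/mcbryan/archive", "mcbryan@fhsuphil.gmd.de"]},
    include_files={("anchor", "/usr/local/mail/trouble.alias"): ["garth"],
                   ("boulder", "/usr/local/mail/trouble.alias"): ["trouble@anchor"]})
# The loop from the text: the shared alias sends evi to boulder, whose .forward sends it back.
LOOP_SITE = MailSite("evi: evi@boulder\n", forwards={("boulder", "evi"): ["evi@anchor.cs"]})
```

SAMPLE_SITE.route("nemeth", "anchor") ends at the mail home evi@mailhub after one hop, while LOOP_SITE.route("evi", "anchor.cs") returns a single bounce instead of recursing forever.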
The hashed alias database
Since entries in the aliases file are in no particular order, it would be inefficient for sendmail to search this file directly. Instead, a hashed version is constructed with the Berkeley DB database system. This hashing significantly speeds alias lookups, especially when the file gets big.
The file derived from /etc/mail/aliases is called aliases.db. Every time you change the aliases file, you must rebuild the hashed database with the newaliases command. newaliases is really just sendmail in disguise with command-line flags (-bi) that tell it to rebuild the database. Save the error output if you run newaliases automatically; you might have introduced formatting errors.
18.5 MAILING LISTS AND LIST WRANGLING SOFTWARE
A mailing list is a giant alias that sends a copy of each message posted to it to each person who has joined the list. It's like a Usenet newsgroup from the days of yore that is delivered by email. Some mailing lists have thousands of recipients.
Mailing lists are usually specified in the aliases file but maintained in an external file. Some standard naming conventions are understood by sendmail and most mailing list software. Experienced users have come to rely on them as well. Most common are the "-request" suffix and the "owner-" prefix, which are used to reach the maintainers of the list. The conventions are illustrated by the following aliases:
mylist:          :include:/etc/mail/include/mylist
owner-mylist:    mylist-request
mylist-request:  evi
owner-owner:     postmaster
In this example, mylist is the name of the mailing list. The members are read from the file /etc/mail/include/mylist. Bounces from mailing to the list are sent to its owner, evi, as are requests to join the list. The indirection from "owner" to "request" to evi is useful because the owner's address (in this case, mylist-request) becomes the Return-Path address on each message sent to the list. mylist-request is a bit better than the actual maintainer for this field. Errors in messages to the owner-mylist alias (evi, really) would be sent to owner-owner.
The case in which a message is undeliverable is called a bounce. The case in which the error message sent about the bounce cannot be delivered is a double bounce. So in our example, double bounces are sent to owner-owner or postmaster.
If you use a site-wide aliases file, you need to add an extra level of indirection pointing mylist to myreallist@master so that the data file containing the list of members only needs to exist in one place.
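As an added example (not from the book), the following Python script applies the two points made above: it traces an address through a site-wide aliases file and per-host .forward files to catch a loop like the evi/boulder/anchor one, and it checks that each :include: list carries the owner-<list>, <list>-request and owner-owner aliases. The aliases file, the .forward files and the host name "sender" are constructed for the example; the hop limit of 25 is the one the text mentions.

```python
# Added example (not from the book): trace alias and .forward chains to find
# mail loops like the evi/boulder/anchor case above, and check that every
# :include: mailing list follows the owner-/-request convention.
# The aliases file contents, the .forward files and the host names are
# constructed for this example.
MAX_HOPS = 25   # the text says mail bounces after 25 hops

# Constructed site-wide aliases file (shared by every host in the example).
SITE_ALIASES = """\
# site-wide aliases (constructed sample)
postmaster:      evi
evi:             evi@boulder
dan:             dan@boulder
mylist:          :include:/etc/mail/include/mylist
owner-mylist:    mylist-request
mylist-request:  evi
owner-owner:     postmaster
badlist:         :include:/etc/mail/include/badlist
"""

# Constructed per-host .forward files, keyed by (host, login).
FORWARD_FILES = {
    ("boulder", "evi"): "evi@anchor.cs\n",
}


def parse_aliases(text):
    """Return {alias: [targets]} from an aliases file.

    Skips comments and blank lines, joins continuation lines (leading
    whitespace) and lowercases alias names, which sendmail treats
    case-insensitively.
    """
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    aliases = {}
    for entry in logical:
        name, _, rhs = entry.partition(":")
        aliases[name.strip().lower()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return aliases


def find_loop(address, aliases, forwards, default_host):
    """Follow one address through the site aliases and per-host .forward files.

    Returns the looping path as a list of user@host strings, or None when
    every branch ends in a mailbox, an :include: file, a file or a program.
    """
    def targets_of(current):
        local, _, host = current.partition("@")
        targets = aliases.get(local.lower())
        if targets is not None and targets != [current]:
            return targets
        # No alias, or an alias naming this same user@host: deliver locally
        # on `host`, honouring the user's .forward file if there is one.
        fwd = forwards.get((host, local.lower()))
        if fwd is None:
            return []                       # final mailbox
        return [t.strip() for t in fwd.split(",") if t.strip()]

    def walk(current, host, trail):
        if current[:1] in ("|", "/") or current.startswith(":include:"):
            return None                     # program, file or list file: routing ends
        if "@" not in current:
            current = f"{current}@{host}"   # unqualified targets stay on this host
        if current in trail or len(trail) >= MAX_HOPS:
            return trail + [current]
        host = current.partition("@")[2]
        for nxt in targets_of(current):     # depth-first over every branch
            found = walk(nxt, host, trail + [current])
            if found:
                return found
        return None

    return walk(address, default_host, [])


def check_list_conventions(aliases):
    """Report :include: lists lacking owner-<list> or <list>-request aliases,
    and a missing owner-owner (where double bounces would otherwise go)."""
    problems = []
    for name, targets in aliases.items():
        if any(t.startswith(":include:") for t in targets):
            for needed in (f"owner-{name}", f"{name}-request"):
                if needed not in aliases:
                    problems.append(f"{name}: missing alias {needed}")
    if "owner-owner" not in aliases:
        problems.append("owner-owner: missing, double bounces have nowhere to go")
    return sorted(problems)


if __name__ == "__main__":
    table = parse_aliases(SITE_ALIASES)
    print("loop:", find_loop("evi", table, FORWARD_FILES, "sender"))
    print("list problems:", check_list_conventions(table))
```

On a real site you would feed parse_aliases the contents of /etc/mail/aliases and fill the forwards dictionary from each host's ~user/.forward files; the detector then follows every branch of every alias, so a loop hidden behind a multi-target alias is found as well as the single-chain case in the text.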
Software packages for maintaining mailing lists
Several software packages automate the maintenance of mailing lists. They typically allow users to add and remove themselves from the list, obtain information about the list, and obtain files through email. A few of the popular mailing list managers (and their download sources) are
· Majordomo, from www.greatcircle.com (included with SUSE)
· Mailman, the GNU mailing list processor, from www.list.org
· ListProc, from www.cren.net
· SmartList, derived from procmail
· listmanager, from www.listmanager.org
· LISTSERV Lite, from www.lsoft.com (free version of the commercial LISTSERV)
In general, SmartList is small and simple, ListProc is large and complex, and the others are in between. They differ in their philosophies of list maintenance, with some leaning toward sysadmins as administrators (ListProc) and others leaning toward users as maintainers (Majordomo, Mailman, SmartList, LISTSERV Lite). Majordomo, Mailman, listmanager, and LISTSERV Lite support remote administration; the list maintainer does not even need to have a login on the machine where the list is located because all transactions take place through email. Most of the list packages allow information posted to the list to be assembled into digests, some automatically (ListProc, Mailman, listmanager, and LISTSERV Lite) and some through manual configuration (SmartList and Majordomo).
Mailman is our favorite list manager. It's a joy to administer and lets list maintainers tweak all the features of their own lists. ListProc and LISTSERV Lite are proprietary: the first expensive, the other binary-only and crippled. We have not tried SmartList, but we like procmail, on which it depends.
We describe each of these packages briefly below. For more detail, see the documentation with each package or the O'Reilly book Managing Mailing Lists by Alan Schwartz and Paula Ferguson.
Majordomo
Majordomo is a Perl/C package available from www.greatcircle.com. It was originally written by Brent Chapman. Development of Majordomo has ceased; Majordomo 2 is a total rewrite but seems to have fizzled in 2004, so we describe only the original version, which is still in common use. Among our example distributions, only SUSE ships Majordomo. Despite what the man page says (/usr/lib/mail/majordomo), it's hidden in the directory /usr/lib/majordomo.
See page 603 for more information about trusted users.
Majordomo runs as an unprivileged user, typically with username majordom or mdom and default group daemon. Since Linux supports long user names (more than 8 characters), you can also use majordomo as the login name. The user must be one that sendmail recognizes as "trusted" and so must be mentioned in your sendmail configuration, usually in a confTRUSTED_USERS declaration. [18]
Majordomo is configured through the majordomo.cf file, which consists of valid Perl commands that initialize variables, define the directories where things are (or where they should be put), specify the lists to be supported, and configure the handling of bounced mail. A helper program, config-test, tests your configuration file for missing variables or bad syntax. SUSE puts the config file in /etc and leaves config-test with the Majordomo distribution in /usr/lib/majordomo.
18. A "trusted" user is allowed to change the From header line of a message and to rebuild the aliases file.
Majordomo requires special aliases to be installed in sendmail's aliases file. The cleanest way to integrate these aliases is to create a separate alias file used just for Majordomo (recent versions of sendmail support multiple alias files). The file contains a set of aliases for Majordomo itself and a set for each mailing list that it manages. The distribution contains a sample aliases file, majordomo.aliases.
The most common user question about mailing lists is "How do I unsubscribe?" For lists managed by Majordomo, the answer for listname@host is to send mail to the address majordomo@host with the words "unsubscribe listname" or "unsubscribe listname email-address" in the body of the message (not on the subject line). With the first form, you need to send the unsubscribe message from the same host that you used when you subscribed to the list; in the second form, that host is part of the email address. See page 5?5 for hints on how to glean this information from the mail headers so that you can unsubscribe properly, even if you have forgotten which machine you used when you joined the list. Some mailing lists also accept mail to listname-request@host with just the word "unsubscribe" in the body.
Never, ever, send an unsubscribe message to the list itself. If you do, your message announces to all the recipients of the list that you don't know what you're doing.
Mailman
Mailman, a fairly recent addition to the mailing list software fleet (version 2.1.8 released in April 2006), is available from www.list.org or the GNU archives. It was originally written by John Viega and is currently being developed in collaboration with Ken Manheimer and Barry Warsaw. Like Majordomo, Mailman is primarily written in a scripting language with C wrappers, but in this case the language is Python (available from www.python.org).
Mailman was inspired by its authors' use of Majordomo and their frustration with bounce errors, tricky configuration of advanced features such as digests and moderated lists, and performance difficulties with bulk mailings. A Mailman script imports Majordomo lists. Mailman can also detect and control spam to some degree.
Mailman's big claim to fame is its web interface, which makes it easy for the moderator or postmaster to manage a list and also easy for users to subscribe, unsubscribe, and configure their options.
ListProc
ListProc is an old-timer in mailing list management software. It was written in 1991 by Anastasios Kotsikonas and maintained until about 1994. It then lay idle for a few years but was resurrected with a new beta release in 1998. It used to be available from the computer science department at Boston University for free, but with somewhat strange licensing rules. Now it is available from www.cren.net for a hefty licensing fee ($2,000 per copy, even for universities). Forget ListProc and go with one of the free, open source packages.
SmartList
SmartList was originally written by Stephen R. van den Berg, who is also the original author of procmail. It's available from www.procmail.org. SmartList uses procmail, so you will need to download both procmail.tar.gz and SmartList.tar.gz. It's probably easiest to just grab the Linux package appropriate to your system.
SmartList is small and simple. It's a combination of C code, procmail rules, and shell scripts. Bounces, the maintenance headache of mailing lists, are automatically dealt with by the software. Users are automatically removed from a list after a certain number of bounces to their address. SmartList requires a login entry in the passwd file ("smart" or perhaps "list") that is a trusted user in sendmail's configuration file. The installation includes led, a lock wrapper for editing that tries to protect SmartList against being left with an incoherent, partially edited configuration file.
listmanager
listmanager by Murray Kucherawy is written in C and so is faster than the packages built on top of a scripting language such as Perl or Python. listmanager also improves speed by using the DB database package from sleepycat.com rather than flat files and the filesystem. Its feature list is about a page long and includes a web interface, digests, and several security enhancements.
listmanager really seems like a killer list manager; the only downside is that source code is not yet being distributed. According to the www.listmanager.org web page, the code is being withheld until the author finishes a cleanup pass to avoid possible embarrassment. A Linux binary is available.
LISTSERV Lite
LISTSERV Lite by Eric Thomas is a crippled version of LISTSERV, the commercial product from L-Soft International, Inc. Some of the features of the real version are missing, and the software is limited to managing 10 mailing lists of up to 500 people. LISTSERV Lite needs to run as the pseudo-user listserv, which must own its files. It also likes to have a listserv group. LISTSERV Lite provides a web interface both for subscribing to a list and for maintaining it.
The distribution is available from www.lsoft.com. Source code is not distributed, but precompiled binaries and stubs for many versions of UNIX and Linux are provided. If you already are familiar with LISTSERV and have lists that use it, you might be able to justify running a binary-only, crippled list manager. If you're starting from scratch, choose one of the open source, unrestricted alternatives mentioned above.
LDAP: the Lightweight Directory Access Protocol
LDAP is a protocol that provides access to a generic administrative directory service. It has been around for a few years, but it has just recently started to become popular. Administrators are discovering that LDAP is good for lots of things:
· sendmail configuration: aliases, virtual domains, mail homes, the access database, and tables
· User management: login names, passwords, hosts (e.g., Stanford University)
· Administrative config files (e.g., SUSE)
· A replacement for NIS
· A calendar server
· Use with pluggable authentication modules (PAM)
It's envisioned that LDAP will eventually become a global directory system used for many different purposes. Unfortunately, tools for automating typical sysadmin tasks with LDAP are still missing.
LDAP grew out of the ISO protocols and the X.500 directory service. That heritage immediately suggests complex, bloated, verbose, bad, etc., but the L in LDAP is supposed to take care of all that. Protocol versions 1 and 2 have been standardized. Version 3 is close. Fortunately, all versions are backward compatible. Version 3 of the LDAP protocol supports hierarchical servers; querying one server for a piece of data can result in a referral to another server. Version 2 supported hierarchical data, but hierarchical servers are only in version 3.
Mail aliases are a particularly good match for LDAP, especially now that sendmail supports LDAP internally. sendmail can query the LDAP server for alias lookups instead of doing them directly. LDAP can also manage mail routing and virtual domains. LDAP support must be compiled into the sendmail binary.
If you are looking for an LDAP implementation, we recommend the server produced by the OpenLDAP group at www.openldap.org. This group took over and enhanced the code of an earlier server that was developed at the University of Michigan. For a bit more information about LDAP-related software, see page 520.
LDAP database entries resemble a termcap entry with longer variable names. The attributes (variable names) in the LDAP database are not yet fully standardized, and this fact can result in incompatibilities among different implementations.
The attributes on the first line of a database entry are defined by the LDAP configuration file. The examples in this section assume that the LDAP server daemon (slapd, in the OpenLDAP case) was configured with a root distinguished name (rootdn) of:
"cn=root, dc=synack, dc=net"
The dc attribute appears twice because the domain component values cannot contain a dot; to express the domain synack.net, two entries are necessary. Further attributes, or variable names, can be whatever you want. They are case insensitive.
sendmail (whose code looks for specific attribute names and assigns them predetermined interpretations), the LDAP server, and the builder of the LDAP database must all cooperate and use the same naming conventions.
Some possible attributes that can appear on the first line of a database entry (the database keys) are dn for a distinguished name, dc for a domain component, o for an organization name, c for a country name, and uid for a unique ID (e.g., a login name).
sendmail uses an LDAP server much like it uses the DNS name server. It calls on the DNS server to resolve names into IP addresses so that messages can be sent. It calls on the LDAP server to look up aliases so that messages can be routed to the right place. In both cases, the lookups have moved from flat files (hosts and aliases) to databases, with servers managing the queries.
By default, sendmail recognizes the following LDAP data tags:
mailLocalAddress
mailRoutingAddress
mailHost
Version 8.12 expanded this default set extensively (see cf/sendmail.schema) and also let you define your own schema to use any LDAP tags you like.
Here is an example of the OpenLDAP implementation's slapd ldap.conf file
# LDAP Defaults, ldap.conf file, should be world-readable.
#
BASE    dc=synack, dc=net
HOST    gw.synack.net
PORT    389
that supports database entries of the form
dn: uid=jon, dc=synack, dc=net
objectClass: inetLocalMailRecipient
mailLocalAddress: jon@synack.net
mailRoutingAddress: stabilej@cs.colorado.edu
uid: jon
When FEATURE(ldap_routing) has been specified in the sendmail configuration file, the incoming recipient is matched against the mailLocalAddress field. If it matches, the mail is redirected to the mailRoutingAddress. The objectClass line must be present; it comes from the draft RFC that defines the interaction of LDAP and mail systems.
On the host gw.synack.net, this database entry corresponds to the alias
jon: stabilej@cs.colorado.edu
A bit long-winded, isn't it? These database entries could replace the typical entries in the aliases file for defining a mail home for each user.
Some large organizations already store user provisioning information, such as each user's preferred mailbox, in another database. If that is the case at your site, you will probably want to write some short scripts to extract that information and shove it into LDAP. If yours is a small organization, you may want to stick with the traditional /etc/mail/aliases file or write a script to generate the correct LDAP entries from the command line.
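As an added example (not from the book), here is a short Python script of the kind the text suggests: it turns a login-to-mailbox map (from a provisioning export, or the mail-home entries of an aliases file) into inetLocalMailRecipient entries like the one above, in LDIF form ready for ldapadd. The base DN dc=synack, dc=net follows the rootdn assumed in this section; the sample users, the mail_homes_from_aliases helper and the validation rules are this example's own.

```python
# Added example (not from the book): generate inetLocalMailRecipient LDIF
# entries of the form shown above from a simple login -> mailbox map.
# The base DN, local domain and sample users are constructed for this example.
import re

BASE_DN = "dc=synack, dc=net"      # matches the rootdn suffix assumed above
LOCAL_DOMAIN = "synack.net"

# Constructed provisioning export: login name -> preferred mailbox.
MAIL_HOMES = {
    "jon": "stabilej@cs.colorado.edu",
    "evi": "evi@boulder.colorado.edu",
}

# Conservative character sets: a looser value could break LDIF syntax (a
# leading space, colon or '<' needs base64 encoding) or smuggle in a second
# attribute line via an embedded newline, so anything else is rejected.
_LOGIN = re.compile(r"[a-z_][a-z0-9._-]{0,31}")
_ADDRESS = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def check_entry(login, routing_address):
    """Return None if the pair is safe to emit, else a description of the problem."""
    if not _LOGIN.fullmatch(login):
        return f"bad login name {login!r}"
    if not _ADDRESS.fullmatch(routing_address):
        return f"bad routing address {routing_address!r}"
    return None


def ldif_entry(login, routing_address):
    """Return one entry as a list of 'attribute: value' lines."""
    problem = check_entry(login, routing_address)
    if problem:
        raise ValueError(problem)
    return [
        f"dn: uid={login}, {BASE_DN}",
        "objectClass: inetLocalMailRecipient",   # required, as the text notes
        f"mailLocalAddress: {login}@{LOCAL_DOMAIN}",
        f"mailRoutingAddress: {routing_address}",
        f"uid: {login}",
    ]


def build_ldif(mail_homes):
    """Return LDIF text for every login, entries separated by blank lines."""
    entries = ["\n".join(ldif_entry(login, addr))
               for login, addr in sorted(mail_homes.items())]
    return "\n\n".join(entries) + "\n"


def mail_homes_from_aliases(text):
    """Pull login -> user@host mail-home entries out of an aliases file.

    Only single-target aliases whose target is a qualified address count;
    lists, :include: files and programs stay in the aliases file, since an
    LDAP entry cannot call a program.
    """
    homes = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rhs = line.partition(":")
        targets = [t.strip() for t in rhs.split(",") if t.strip()]
        if len(targets) == 1 and _ADDRESS.fullmatch(targets[0]):
            homes[name.strip().lower()] = targets[0]
    return homes


if __name__ == "__main__":
    print(build_ldif(MAIL_HOMES), end="")
```

Entries are validated before they are written because the values typically come from another system: a stray newline or leading colon in a mailbox string would otherwise become part of the LDIF and, after ldapadd, part of what sendmail routes on.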
The aliases file is also still the best way to define mailing lists (with the :include: directive). Mailing list software typically pipes the message to a wrapper script and resends it. An LDAP query can return aliases that point to :include: files or to programs such as majordomo, but it cannot directly call a program.
As of version 8.12, LDAP can also store the contents of some of sendmail's other data (for example, tables and classes). See page 580 for more information about configuring sendmail to use LDAP.
18.6 SENDMAIL: RINGMASTER OF THE ELECTRONIC MAIL CIRCUS
All five of our Linux reference platforms ship a mail transport agent. Red Hat, Fedora, and SUSE ship with sendmail; Debian and Ubuntu include Exim by default. We describe Exim briefly starting on page 621. Many of the Exim constructs and configuration knobs have analogs within the sendmail world. Since this chapter is already far too long, we cover only sendmail in detail. We describe Exim in terms of the equivalent sendmail facilities.
sendmail can adapt to the whims of standards-makers thanks in part to the flexibility of its configuration file, which allows sendmail to meet the needs of a diverse community of users. The rest of this chapter is primarily devoted to the understanding and construction of this configuration file, the infamous sendmail.cf.
sendmail is a transport agent, a program that interfaces between user agents and delivery agents. It speaks the SMTP protocol and delivers messages to peers on remote machines through the Internet. sendmail's list of chores includes
· Controlling messages as they leave the user's keyboard
· Understanding the recipients' addresses
· Choosing an appropriate delivery or transport agent
· Rewriting addresses to a form understood by the delivery agent
· Reformatting headers as required
· Passing the transformed message to the delivery agent
sendmail also generates error messages and returns undeliverable messages to the sender.
Versions of sendmail
As of this writing, our example distributions' versions of sendmail derive from V8. They are typically a release or two behind the master version from Sendmail, Inc., however. Vendors often customize a particular version of sendmail and are then reluctant to upgrade their base system to include current revisions.
We base our discussion of sendmail on V8.13 and totally ignore both V5 and IDA, which are obsolete. V8 uses the m4 macro processor to allow easy configuration of the standard cases. This "config lite" is all that most sites need.
Unfortunately, if your configuration has a problem, you may have to base your debugging on an understanding of the raw config file, which we've heard described as unapproachable, daunting, picky, cryptic, onerous, infamous, boring, sadistic, confusing, tedious, ridiculous, obfuscated, and twisted. We talked quite a bit about the raw config file in older versions of this book, but since its relevance to modern administrators has waned, we now refer you to the O'Reilly sendmail book by Bryan Costales and Eric Allman (titled sendmail) or the Sendmail Installation and Operations Guide that is included in the sendmail distribution.
New releases of sendmail are sometimes issued to address security problems; we suggest that you check the release notes from www.sendmail.org and upgrade if you have missed any security-related patches. You can usually get updated sendmail packages directly from your Linux distributor, but make sure that the binary you receive corresponds to the current sendmail version. If you need to compile and install the source distribution directly from www.sendmail.org, you'll need a C compiler and the m4 macro preprocessor (both of which are usually included in Linux distributions).
Sometimes it's difficult to determine the actual sendmail base release, but if the vendor hasn't meddled too much, you can run
$ /usr/sbin/sendmail -d0.1 -bt < /dev/null
to make sendmail disclose its version, the options that were compiled into it, and who it thinks it is after reading the config file. The -d flag sets a debug level (see page 616 for more info on debugging levels in sendmail), the -bt flag puts sendmail into address test mode, and the redirect from /dev/null gives it no addresses to test. Here is some sample output (slightly truncated) from a Red Hat system.
Version 8.11.6
 Compiled with: LDAPMAP MAP_REGEX LOG MATCHGECOS MIME7TO8
        MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
        QUEUE SASL SCANF SMTP TCPWRAPPERS USERDB
============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = coyote
  (canonical domain name) $j = coyote.toadranch.com
         (subdomain name) $m = toadranch.com
              (node name) $k = coyote.toadranch.com
========================================================
sendmail should always use DNS MX (mail exchanger) records and does so if compiled with the NAMED_BIND option (as in the preceding example). The one-letter variables such as $w are from the raw config file or determined at run time.
sendmail installation from sendmail.org
As of version 8.12, the installation environment for sendmail has changed a bit. It no longer runs setuid to root but instead is setgid to the sendmail group, smmsp. Before installing sendmail, you must create both the user smmsp and the group smmsp (the mysterious name stands for sendmail mail submission program). We use UID and GID 25 to match the SMTP mail protocol's well-known port number. The smmsp user should have smmsp as its default login group, which is typically set in the /etc/passwd file. The addition of a dedicated sendmail user and group lets sendmail run with reduced privileges and enhances security.
The second major change from a sysadmin's point of view is that sendmail now uses two configuration files: submit.cf and sendmail.cf. The file submit.cf controls the handling of mail that originates on the local machine (and is being initially submitted to the mail system), and sendmail.cf controls incoming mail and mail queued during the submission process. submit.cf is supplied with the distribution and is the same for all sites; there's usually no need to customize it.
This section briefly describes the installation process; refer to the installation notes in the sendmail distribution for the gory details and for issues related to particular architectures or operating systems. The next section describes sendmail installation on a Debian system with apt-get. If you are replacing your system's original version of sendmail, some of the configuration chores (such as installing help files) may already have been done for you.
The players:
· The sendmail binary, usually installed in /usr/sbin.
-r-xr-sr-x root smmsp /usr/sbin/sendmail
· The configuration files /etc/mail/sendmail.cf and (in versions 8.12 and later) /etc/mail/submit.cf, installed by the sysadmin:
-rw-r--r-- root bin /etc/mail/sendmail.cf
-rw-r--r-- root bin /etc/mail/submit.cf
· The mail queue directories, /var/spool/mqueue and (in versions 8.12 and later) /var/spool/clientmqueue, created by the sysadmin or the installation process:
drwxrwx--- smmsp smmsp /var/spool/clientmqueue
drwx------ root wheel /var/spool/mqueue
· Various links to the sendmail binary (newaliases, mailq, hoststat, etc.) [19]
· sendmail's safer local delivery agents, smrsh and mail.local (usually installed in /usr/libexec)
19. Be careful here. Some vendors use hard links, with the result that when you upgrade, you might end up with the version of sendmail not matching the version of newaliases, creating subtle and hard-to-find support headaches.
You can download the latest version of sendmail from www.sendmail.org. To compile and install the package, follow the directions in the top-level INSTALL file. Start by adding the smmsp user and group; do not give this user a real shell. Here is a typical /etc/passwd entry:
smmsp:x:25:25:Sendmail Mail Submission Prog:/nonexistent:/bin/false
And here is a typical /etc/group entry:
smmsp:*:25:smmsp
To compile the software, change to the distribution's sendmail directory, run the Build script and then run Build install. The file devtools/OS/Linux contains the assumptions used to build sendmail on Linux systems. Linux distributions have not standardized where things are, so devtools/OS/Linux contains best guesses and may not be exactly right for your distribution.
Before you start compiling, however, you must decide on a database format and a strategy for interfacing sendmail with administrative databases such as NIS. For on-disk databases, we recommend the Berkeley DB package specified in the Makefile as NEWDB (the default).
To customize the Makefile, don't edit it; create your own site.config.m4 file and put it in the directory devtools/Site to tweak it for your operating system and local environment. For example, if you intend to use LDAP and the new mail filtering library for spam, create in that directory a site.config.m4 file containing the lines
APPENDDEF(`confMAPDEF', `-DLDAPMAP')
APPENDDEF(`confLIBS', `-lldap -llber')
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
A define replaces the current definition of an attribute; the APPENDDEF macro appends to the current definition.
Compiling sendmail with
$ sh ./Build
automatically includes the site-specific entries. To install sendmail in the proper place, run
$ sudo sh ./Build install
sendmail should not normally be set up to be controlled by inetd/xinetd, so it must be explicitly started in the rc files at boot time. A typical sequence is something like:
if [ -f /usr/sbin/sendmail -a -f /etc/mail/sendmail.cf ]; then
    # remove leftover temporary (t), transcript (x) and lock (T) files
    (cd /var/spool/clientmqueue; rm -f [tTx]f*)
    (cd /var/spool/mqueue; rm -f [tTx]f*)
    /usr/sbin/sendmail -bd -q30m &      # queue runner for regular queue
    /usr/sbin/sendmail -Ac -q30m &      # queue runner for client queue (8.12)
    echo -n ' sendmail' > /dev/console
fi
These lines check for the sendmail binary and its configuration file and then start the program in daemon mode. The sendmail package for your Linux distribution should provide a proper startup script that lives in /etc/init.d.
Several user agents explicitly run sendmail (sometimes with the -bm or -bs flags) when they submit a user's message to the mail system rather than directly speaking the SMTP protocol. In this situation, sendmail uses the config file submit.cf and puts messages in the /var/spool/clientmqueue queue. Calling sendmail with the -Am or -Ac flags forces messages to the mqueue or clientmqueue, respectively.
Red Hat and Fedora have a sendmail startup script (/etc/init.d/sendmail) that does not clean cruft out of the mqueue directories (as shown in the example above). However, it does rebuild the database. With sendmail 8.12 and later, LDAP can be used for the database maps, and rebuilding the maps after changes is not necessary. Parameters defined in /etc/sysconfig/sendmail determine whether sendmail should start in daemon mode and how often it should run the queue, so that is where you should set the sendmail startup behavior for your site. Red Hat, as shipped, starts sendmail in daemon mode and runs the queue every 30 minutes.
SUSE's startup script (/etc/init.d/sendmail) just checks for the binary and config file and then starts sendmail with the arguments defined in the SENDMAIL_ARGS environment variable; these are set in the file /etc/rc.config.d/sendmail.rc.config. SUSE also defaults to daemon mode and runs the queue every 30 minutes.
Add the sh fragment above (or one like it) to /etc/init.d/sendmail if your Linux distribution does not include a sendmail startup script. A fancier script in the installation guide tries to clean up previously interrupted queue runs. Mix and match as you like.
Historically, sendmail's supporting files have wandered around the filesystem to glamorous destinations such as /usr/lib, /etc, /usr/ucblib, and /usr/share. With the 8.10 release of sendmail, all files (except the queue directories) are expected to be kept beneath the /etc/mail directory. [20] Let's hope that vendors take the hint and leave them together in one consistent place.
20. Well, it's not quite totally true yet that all files are kept under /etc/mail. The sendmail.pid file and sometimes the statistics file are still kept elsewhere.
sendmail installation on Debian and Ubuntu systems
You can use the apt-get program to install sendmail. The package installs sendmail and m4 and also uninstalls Exim. After apt-get has downloaded and installed the sendmail package, it offers to configure it. Saying yes invokes a script that asks questions (20 or so) about the sendmail configuration you want. The defaults are generally reasonable. The only question that you really have to answer differently is "mail name"; the default answer is the unqualified hostname (e.g., lappie), but it needs to be the fully qualified name (e.g., lappie.toadranch.com).
Answering the questions posed by the script will make more sense if you are familiar with sendmail's various options and features, which are discussed in more detail later in this chapter. The configuration script does not take into account the contents of the generic domain file that it includes by default. As a result, you can decline a feature but end up with it turned on anyway (for example, the redirect feature).
The switch file
The service switch is covered in more detail in Chapter 17.
Linux systems have a "service switch" configuration file, /etc/nsswitch.conf, that enumerates the methods that can satisfy various standard queries such as user and host lookups. If more than one resolution method is listed for a given type of query, the service switch also determines the order in which methods are consulted.
The use of the service switch is normally transparent to software. However, sendmail likes to exert fine-grained control over its lookups, so it currently ignores the system switch file and uses its own internal one (/etc/mail/service.switch) instead.
Two fields in the switch file impact the mail system: aliases and hosts. The possible values for the hosts service are dns, nis, nisplus, and files. For aliases, the possible values are files, nis, nisplus, and ldap. Support for all the mechanisms you use (except files) must be compiled into sendmail before the service can be used.
sendmail's internal service switch contains
aliases   files nisplus nis    # if compiled with nis/nis+
hosts     dns nisplus nis files
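As an added example (not from the book), the following Python script parses the output of sendmail -d0.1 -bt shown earlier in this section (reconstructed here as sample input) and checks it against a service.switch file: it reports the version against a site-chosen floor, whether NAMED_BIND is present so that MX records are used, and any switch entry whose lookup method was not compiled in, which is the rule the text states for mechanisms other than files. The switch file, the version floor and the option-to-method table are assumptions of this example.

```python
# Added example (not from the book): parse the output of
# "sendmail -d0.1 -bt < /dev/null" to recover the version and compiled-in
# options, then check that every method named in service.switch was compiled
# in. The sample output is reconstructed from the Red Hat example above; the
# switch file, the version floor and the option-to-method table are this
# example's assumptions.
import re
import subprocess

SAMPLE_OUTPUT = """\
Version 8.11.6
 Compiled with: LDAPMAP MAP_REGEX LOG MATCHGECOS MIME7TO8
\tMIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
\tQUEUE SASL SCANF SMTP TCPWRAPPERS USERDB
============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = coyote
  (canonical domain name) $j = coyote.toadranch.com
         (subdomain name) $m = toadranch.com
              (node name) $k = coyote.toadranch.com
========================================================
"""

# Constructed service.switch that asks for nisplus without the NISPLUS option.
SAMPLE_SWITCH = """\
aliases   files nisplus nis ldap   # ldap needs LDAPMAP
hosts     dns nisplus nis files
"""

# Compile-time option each lookup method depends on (assumption: "files" is
# always built in; the others follow the option names in the -d0.1 output).
REQUIRED_OPTION = {"dns": "NAMED_BIND", "nis": "NIS",
                   "nisplus": "NISPLUS", "ldap": "LDAPMAP"}

_OPTION = re.compile(r"[A-Z0-9_]+")


def parse_identity(output):
    """Return (version tuple, set of compiled options, {macro: value})."""
    version, options, identity = None, set(), {}
    in_options = False
    for line in output.splitlines():
        m = re.match(r"\s*Version (\d+(?:\.\d+)*)", line)
        if m:
            version = tuple(int(p) for p in m.group(1).split("."))
            continue
        if "Compiled with:" in line:
            options.update(line.split("Compiled with:", 1)[1].split())
            in_options = True
            continue
        if in_options:
            tokens = line.split()
            if tokens and all(_OPTION.fullmatch(t) for t in tokens):
                options.update(tokens)      # continuation of the option list
                continue
            in_options = False
        m = re.match(r"\s*\([^)]*\)\s+\$(\w) = (\S+)", line)
        if m:
            identity[m.group(1)] = m.group(2)
    return version, options, identity


def parse_switch(text):
    """Return {service: [methods]} from a sendmail service.switch file."""
    switch = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            switch[fields[0]] = fields[1:]
    return switch


def switch_problems(switch, options):
    """List switch entries that sendmail cannot honour with these options."""
    problems = []
    for service, methods in switch.items():
        for method in methods:
            if method == "files":
                continue
            need = REQUIRED_OPTION.get(method)
            if need is None:
                problems.append(f"{service}: unknown method {method}")
            elif need not in options:
                problems.append(f"{service}: {method} needs {need}, not compiled in")
    return problems


def audit(output=SAMPLE_OUTPUT, switch_text=SAMPLE_SWITCH, floor=(8, 13, 0)):
    """Summarise what the -d0.1 output says; `floor` is a site-chosen minimum."""
    version, options, identity = parse_identity(output)
    return {
        "version": version,
        "below_floor": version is not None and version < floor,
        "mx_lookups": "NAMED_BIND" in options,
        "canonical_name": identity.get("j"),
        "switch": switch_problems(parse_switch(switch_text), options),
    }


def live_output(binary="/usr/sbin/sendmail"):
    """Run the real command on a host that has sendmail installed."""
    return subprocess.run([binary, "-d0.1", "-bt"], input="",
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(audit())
```

On a real host, pass live_output() and the contents of /etc/mail/service.switch to audit(); the version floor is the place to encode the release you have verified against the security notes at www.sendmail.org.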
Modes of operation
You can run sendmail in several modes, selected with the -b flag. -b stands for "be" or "become" and is always used with another flag that determines the role sendmail will play. Table 18.4 lists the legal values.
Table 18.4 Command-line flags for sendmail's major modes
Flag   Meaning
-bd    Run in daemon mode, listening for connections on port 25
-bD    Run in daemon mode, but in the foreground rather than the background [a]
-bh    View recent connection info (same as hoststat)
-bH    Purge disk copy of outdated connection info (same as purgestat)
-bi    Initialize hashed aliases (same as newaliases)
-bm    Run as a mailer, deliver mail in the usual way (default)
-bp    Print mail queue (same as mailq)
-bP    Print the number of entries in queues via shared memory (8.12 and later)
-bs    Enter SMTP server mode (on standard input, not port 25)
-bt    Enter address test mode
-bv    Verify mail addresses only, don't send mail
a. This mode is used for debugging so that you can see error and debugging messages.
18.6 sendmail: ringmaster of the electronic mail circus 563
If you expect incoming mail to arrive from the Internet, run sendmail in daemon
mode (-bd). In this mode, sendmail listens on network port 25 and waits for work.
You will usually specify the -q flag, too; it sets the interval at which sendmail pro-
cesses the mail queue. For example, -q30m runs the queue every thirty minutes, and
-q1h runs it every hour.
sendmail normally tries to deliver messages immediately, saving them in the queue
only momentarily to guarantee reliability. But if your host is too busy or the destina-
tion machine is unreachable, sendmail queues the message and tries to send it again
later. sendmail used to fork a child process every time it processed the queue, but it
now supports persistent queue runners that are usually started at boot time. RFC1123
recommends at least 30 minutes between runs. sendmail does locking, so multiple,
simultaneous queue runs are safe.
sendmail 8.12 added a new feature to help with large mailing lists and queues: queue
groups with envelope splitting. It is covered in more detail starting on page 611.
sendmail reads its configuration file, sendmail.cf, only when it starts up. Therefore,
you must either kill and restart sendmail or send it a HUP signal when you change
the config file. sendmail creates a sendmail.pid file that contains its process ID and
the command that started it. You should start sendmail with an absolute path be-
cause it reexecs itself on receipt of the HUP signal. The sendmail.pid file allows the
process to be HUPed with:
# kill -HUP `head -1 sendmail.pid`
The location of the PID file was formerly a compile-time parameter, but it can now
be set in the .mc config file with the confPID_FILE option:
define(`confPID_FILE', `/var/run/sendmail.pid')
The default value is OS dependent but is usually either /var/run/sendmail.pid or
/etc/mail/sendmail.pid. The Red Hat, Fedora, Ubuntu, and Debian distributions
use /var/run/sendmail.pid, and SUSE keeps it in the directory /var/run/sendmail.
The mail queue
Mail messages are stored in the queue directory when the machine is too busy to de-
liver them immediately or when a destination machine is unavailable. sendmail
serves as a mail submission agent listening on port 587 as well as fulfilling its usual
role as a daemon listening on port 25 and using the queue /var/spool/mqueue. Some
user agents (/bin/mail for example) use port 587, the mail submission port, but oth-
ers (Eudora, Outlook, etc.) speak SMTP directly to the sendmail running on port
25. Beginning with version 8.12, mail submission programs inject new messages into
the mail system by using the queue directory /var/spool/clientmqueue and the
configuration file submit.cf. All messages go into the queue briefly as they arrive.
21. The ports that sendmail listens on are determined by DAEMON_OPTIONS; port 25 is the default.
sendmail permits more than one mail queue and lets you identify subsets of the
queues as belonging to a queue group. For example, if the mqueue directory con-
tained the subdirectories q1, q2, and q3 and you specified the queue directory as
/var/spool/mqueue/q*, then all three queues would be used. sendmail's ability to
handle multiple queues increases performance under high load. If a site is running
a large mailing list, sendmail splits the envelope recipient list into several smaller
lists and assigns them to different queue groups. This trick can greatly enhance per-
formance because the smaller recipient lists can be processed in parallel.
Queue groups were new in version 8.12 and give fine-grained control over individ-
ual types of messages. Any of the parameters associated with queues can also be set
on a particular queue group, including execution priority (with the nice system call).
Mail is submitted to a queue group according to the address of the first recipient of
the message. The default queue group is called mqueue and is automatically de-
fined and available for use without further configuration. Queue groups are covered
in detail starting on page 611.
When a message is queued, it is saved in pieces in several different files. Each file-
name has a two-letter prefix that identifies the piece, followed by a random ID built
from sendmail's process ID. This ID is not fixed, because sendmail is constantly
forking and each copy gets a new process ID. Table 18.5 shows the six possible pieces.
If subdirectories qf, df, or xf exist in a queue directory, then those pieces of the mes-
sage are put in the proper subdirectory. The qf file contains not only the message
header but also the envelope addresses, the date at which the message should be re-
turned as undeliverable, the message's priority in the queue, and the reason the
message is in the queue. Each line begins with a single-letter code that identifies the
rest of the line.
Each message that is queued must have a qf and df file. All the other prefixes are used
by sendmail during attempted delivery. When a machine crashes and reboots, the
startup sequence for sendmail should delete the tf, xf, and Tf files from each queue
directory. The sysadmin responsible for mail should check occasionally for Qf files
in case local configuration is causing the bounces.
22. Directories are an efficient storage mechanism if they do not contain too many files. If you have a busy
mail server with lots of mailing lists that get out of date, the queue directory can easily get so large that
it cannot be dealt with efficiently.
Table 18.5 Prefixes for files in the mail queue
Prefix File contents
qf The header of the message and control file
df The body of the message
tf A temporary version of the qf file while the qf file is being updated
Tf Signifies that 32 or more failed locking attempts have occurred
Qf Signifies that the message bounced and could not be returned
xf Temporary transcript file of error messages from mailers
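The control-file layout and the cleanup rules above can be turned into a small inspection script. The following Python is an added example, not code from the book or from the sendmail distribution: it parses the envelope and bookkeeping lines of a qf file (the T, K, N, P, S, R, M and H codes are the ones a sysadmin meets most often; the sample file and the queue IDs are constructed for the example), flags messages that have sat in the queue longer than a threshold, and lists the tf/xf/Tf leftovers that a restart should remove and the Qf files the postmaster should look at.

```python
"""Inspect a sendmail queue directory: parse qf control files, flag stale
messages, and list the transient (tf/xf/Tf) and bounced (Qf) files that a
startup cleanup or a periodic check should deal with."""
import os
import re
import tempfile

# Constructed sample qf file (not taken from a real system). The line codes
# are the common ones in sendmail 8.12 control files: V version, T creation
# time, K last attempt, N attempts, P priority, S sender, R recipient (flags
# before the colon), M reason the message is queued, H header.
SAMPLE_QF = """V8
T1139953234
K1139960434
N2
P120000
Fbs
$rESMTP
$sclient.foo.com
S<bob@foo.com>
RPFD:<alice@bar.com>
RPFD:<carol@bar.com>
MDeferred: Connection refused by mail.bar.com.
H?P?Return-Path: <bob@foo.com>
H??From: bob@foo.com
H??Subject: weekly report
.
"""


def parse_qf(text):
    """Return the envelope and queue bookkeeping recorded in one qf file."""
    rec = {"sender": None, "recipients": [], "headers": [], "reason": None,
           "created": None, "last_attempt": None, "attempts": 0, "priority": None}
    for line in text.splitlines():
        if line == ".":          # end-of-control-file marker
            break
        if not line:
            continue
        code, rest = line[0], line[1:]
        if code == "T":
            rec["created"] = int(rest)
        elif code == "K":
            rec["last_attempt"] = int(rest)
        elif code == "N":
            rec["attempts"] = int(rest)
        elif code == "P":
            rec["priority"] = int(rest)
        elif code == "S":
            rec["sender"] = rest.strip("<>")
        elif code == "R":
            _flags, _, addr = rest.partition(":")
            rec["recipients"].append(addr.strip("<>"))
        elif code == "M":
            rec["reason"] = rest
        elif code == "H":
            # the optional ?flags? prefix selects which mailers get the header
            rec["headers"].append(re.sub(r"^\?[^?]*\?", "", rest))
        # V, F, I, C and $-macro lines carry nothing this report needs
    return rec


def scan_queue(qdir, now, max_age):
    """Classify the files in one queue directory.

    stale:     queue IDs created more than max_age seconds before `now`
    transient: tf/xf/Tf files, which a clean restart should remove
    bounced:   Qf files, which the postmaster should examine
    """
    report = {"stale": [], "transient": [], "bounced": [], "messages": {}}
    for name in sorted(os.listdir(qdir)):
        prefix, qid = name[:2], name[2:]
        if prefix in ("tf", "xf", "Tf"):
            report["transient"].append(name)
        elif prefix == "Qf":
            report["bounced"].append(name)
        elif prefix == "qf":
            with open(os.path.join(qdir, name)) as fh:
                rec = parse_qf(fh.read())
            report["messages"][qid] = rec
            if rec["created"] is not None and now - rec["created"] > max_age:
                report["stale"].append(qid)
    return report


def build_sample_queue():
    """Create a throwaway queue directory holding constructed sample files."""
    qdir = tempfile.mkdtemp(prefix="mqueue-")
    files = {
        "qfk1ABCDEF012345": SAMPLE_QF,
        "dfk1ABCDEF012345": "body of the queued message\n",
        "tfk1ABCDEF012345": "",            # left over from an interrupted qf rewrite
        "xfk1ABCDEF012345": "transcript\n",
        "QfOLD0000000001": "bounce that could not be returned\n",
    }
    for name, content in files.items():
        with open(os.path.join(qdir, name), "w") as fh:
            fh.write(content)
    return qdir


if __name__ == "__main__":
    qdir = build_sample_queue()
    # pretend five days have passed since the sample message was queued
    report = scan_queue(qdir, now=1139953234 + 5 * 86400, max_age=4 * 86400)
    for qid, rec in report["messages"].items():
        print(qid, rec["sender"], "->", rec["recipients"], rec["reason"])
    print("stale:", report["stale"])
    print("transient leftovers:", report["transient"])
    print("bounced:", report["bounced"])
```

Against a real queue you would point scan_queue at /var/spool/mqueue with now=time.time(); it has to run as root because the queue directory is mode 700. The stale list is where orphaned messages surface, and a non-empty transient list right after a clean boot means the startup cleanup described above did not run.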
The mail queue opens up several opportunities for things to go wrong. For example,
the filesystem can fill up (avoid putting /var/spool/mqueue and /var/log on the
same partition), the queue can become clogged, and orphaned mail messages can
get stuck in the queue.
sendmail has a configuration option (confMIN_FREE_BLOCKS) to help manage
disk space. When the filesystem that contains the mail queue gets too full, mail is
rejected with a "try again later" error until more space has been made available. This
option leaves a bit of slop space so that mail starts being rejected before the filesys-
tem is totally full and everything wedges.
See page 397 for more
information about
DNS MX records.
If a major mail hub goes down, its MX backup sites can become overloaded with
thousands of messages. sendmail can fork too many copies of itself and thrash a
machine to death. Several options help with performance on very busy machines; we
have collected these in the performance section starting on page 611. To handle a
temporarily clogged queue before version 8.12, move the clog aside, continue pro-
cessing new mail as usual, and run a separate copy of sendmail on the clogged
queue after things quiet down. For example, the procedure for handling a single
queue directory would look like this:
# kill `head -1 sendmail.pid`
# mv mqueue cloggedqueue
# mkdir mqueue                  /* Set owner/perms, too */
# chown root mqueue
# chmod 700 mqueue
# /usr/sbin/sendmail -bd -q1h &
When things settle down, run sendmail with the following flags:
# /usr/sbin/sendmail -oQ/var/spool/cloggedqueue -q
These flags point sendmail at the clogged queue directory and specify that sendmail
should process it immediately. Repeat this command until the queue empties. Start-
ing with version 8.12, sendmail uses hard links in ways that will break if you move a
queue. A better way to deal with clogged queues is to use a fallback machine and MX
records; see the performance section for details.
The point at which the queue becomes clogged depends on the site and the hardware
on which sendmail is running. Your system and the mail hub for aol.com, which pro-
cesses millions of messages a day, have different definitions of a clogged queue. See
page 615 for information about measuring your traffic levels.
18.7 SENDMAIL CONFIGURATION
Before version 8.12, sendmail's actions were controlled by a single configuration file,
/etc/mail/sendmail.cf (it was formerly found in /etc or /usr/lib). We call it the con-
fig file for short. Version 8.12 introduced a second instance of the configuration file
called submit.cf (also in the /etc/mail directory). The flags with which sendmail is
started determine which config file it uses: -bm, -bs, and -bt use submit.cf if it ex-
ists, and all other modes use sendmail.cf. Of course, some command-line flags and
config file options change the names of the configuration files, but it is best to leave
the names alone. The config file determines the following for sendmail:
· Choice of delivery agents
· Address rewriting rules
· Mail header formats
· Options
· Security precautions
· Spam resistance
The raw config file format was designed to be easy to parse. This focus has made it a
bit lacking in warm, user-friendly features. Maintenance of the config file is the most
significant administrative chore related to electronic mail and scares the bejeebers
out of even seasoned sysadmins.
Every version of sendmail uses a config file, but modern versions make the configu-
ration process easier through the use of m4 macros, which disguise much of the un-
derlying complexity. It might be said that the raw config file is at the level of assembly
language, whereas m4 configuration is more at the level of Perl.
When the m4 macros were first introduced, the hope was that they would handle
80%-90% of cases. In fact, the coverage rate turned out to be much higher, probably
closer to 98%. In this book, we cover only the m4-based "config lite." You need to delve
into the low-level config file only if you are debugging a thorny problem, growing
your mail site in bizarre ways, or running a very high volume mail hub.
Three key pieces of documentation are the O'Reilly book sendmail by Bryan Costales
and Eric Allman, the paper Sendmail Installation and Operations Guide by Eric All-
man (included in the doc/op directory of the sendmail distribution), and the file
README (in the cf directory). We often refer to sendmail as a source for more
information and refer to it as "the sendmail book." Likewise, we refer to the installa-
tion paper as "the installation guide" and the README file as cf/README.
Using the m4 preprocessor
We first describe a few m4 features, show how to build a configuration file from an
m4 master file, and finally describe some of the important prepackaged m4 macros
that come with the sendmail distribution.
m4 was originally intended as a front end for programming languages that would let
the user write more readable (or perhaps more cryptic) programs. m4 is powerful
enough to be useful in many input transformation situations, and it works nicely for
sendmail configuration files.
23. The sendmail config language is "Turing complete," which means that it can be used to write any pos-
sible computer program. Readers who have experienced the raw config file will realize what a frighten-
ing concept this is.
m4 macros have the form
name(arg1, arg2, ..., argn)
There should be no space between the name and the opening parenthesis. Left and
right single quotes designate strings as arguments. m4's quote conventions are dif-
ferent from those of other languages you may have used, since the left and right
quotes are different characters. Quotes nest, too. With today's compiler building
tools, one wonders how m4 survived with such a rigid and exotic syntax.
m4 has some built-in macros, and users can also define their own. Table 18.6 lists the
most common built-in macros used in sendmail configuration.
Some sites add a dnl macro to the end of every line to keep the translated .cf file tidy;
without dnl, m4 adds extra blank lines to the configuration file. These blank lines
don't affect sendmail's behavior, but they make the config file hard to read. We have
omitted the dnls from our examples. Other sites use dnl at the beginnings of lines
that are intended as comments.
m4 does not really honor comments in files. A comment such as:
# And then define the ...
would not do what you expect because define is an m4 keyword and would be ex-
panded. Instead, use the m4 dnl keyword (for "delete to newline"). For example,
dnl # And then define the ...
would work. You must follow dnl with a space or punctuation mark for it to be rec-
ognized as an m4 command.
The sendmail configuration pieces
The sendmail distribution includes a cf subdirectory that contains all the pieces
necessary for m4 configuration: a README file and several subdirectories, listed in
Table 18.7 on the next page.
24. You could change the quote characters with the changequote macro, but doing so would totally break
the use of m4 in sendmail because various macros make assumptions about the quote characters.
Table 18.6 m4 macros commonly used with sendmail
Macro Function
define Defines a macro named arg1 with value arg2
undefine Discards a previous definition of macro named arg1
include Includes (interpolates) the file named arg1
dnl Discards characters up to and including the next newline
divert Manages output streams
The cf/cf directory contains examples of .mc files. In fact, it contains so many exam-
ples that yours will get lost in the clutter. We recommend that you keep your own
.mc files separate from the distributed cf directory. Either create a new directory
named for your site (cf/sitename) or move the cf directory aside to cf.examples and
create a new cf directory. If you do this, copy the Makefile and Build script over to
your new directory so the instructions in the README file still work. It's best to also
copy all the configuration .mc files to a central location rather than leaving them
inside the sendmail distribution. The Build script uses relative pathnames that will
have to be changed if you try to build a .cf file from a .mc file and are not in the
sendmail distribution hierarchy.
Building a configuration file from a sample .mc file
Before we dive into pages and pages of details about the various configuration mac-
ros, features, and options, we put the cart before the horse and create a "no frills"
configuration to illustrate the process. Our example is for a leaf node, foo.com; the
master configuration file is called foo.mc.
We put foo.mc in our shiny new cf directory. The translated (by m4) configuration
file will be foo.cf in the same directory, and we ultimately install it as sendmail.cf in
/etc or /etc/mail. /etc/mail is the sendmail standard for the location of the config
file, but many distributions use /etc.
Some boilerplate should go in each new .mc file:
divert(-1)
#### basic .mc file for foo.com
divert(0)
VERSIONID(`$Id$')
If you want to put comments at the start of your file, use a divert statement on the
first line to make m4 discard the spurious material and obviate the need for dnl in
#-style comments. The comments come next, followed by another divert.
A VERSIONID line (here, in RCS format) completes the boilerplate. It is described in
detail in the next section.
Table 18.7 Configuration subdirectories
Directory Contents
cf Sample .mc (master configuration) files
domain Sample m4 files for various domains at Berkeley
feature Fragments that implement various features
hack Special features of dubious value or implementation
m4 The basic config file and other core files
ostype OS-dependent file locations and quirks
mailer m4 files that describe common mailers (delivery agents)
sh Shell scripts used by m4
In many cases, specifying an OSTYPE (see page 570) to bring in operating-system-
dependent paths or parameters and also a set of MAILERs (see page 573) completes
the configuration:
OSTYPE(`linux')
define(`confCOPY_ERRORS_TO', `postmaster')
MAILER(`local')
MAILER(`smtp')
Here, we also set an option (confCOPY_ERRORS_TO) that sends a copy of the head-
ers of any bounced mail to the local postmaster. This notification allows the post-
master to intervene when the problem is at the local site.
To build the real configuration file, just run the Build command you copied over to
the new cf directory:
# ./Build foo.cf
or
# make foo.cf
Finally, install foo.cf in the right spot, normally /etc/mail/sendmail.cf, but both
Red Hat and SUSE stash it in /etc/sendmail.cf.
A larger site can create a separate m4 file to hold site-wide defaults in the cf/domain
directory; individual hosts can then include the contents of this file. Not every host
needs a separate config file, but each group of similar hosts (same architecture and
same role: server, client, etc.) will probably need its own configuration.
Changing the sendmail configuration
You will often find that your existing sendmail configuration is almost right, but
that you just want to try out a new feature, add a new spam rule, or make a simple
change. To do that:
· Edit the .mc file and enter your changes.
· Rebuild the config file with the Build script in the configuration directory.
· Install the resulting cf file as sendmail.cf in the right directory.
· Send sendmail a HUP signal to make it reread its config file.
Even with sendmail's easy new configuration system, you still have to make several
configuration decisions for your site. As you read about the features described be-
low, think about how they might fit into your site's organization. A small site will
probably have only a hub node and leaf nodes and thus will need only two versions
of the config file. A larger site may need separate hubs for incoming and outgoing
mail and, perhaps, a separate POP/IMAP server.
25. Use the kill command to do this. The sendmail.pid file makes it easy to find sendmail's process ID;
unfortunately, its location is not consistent among distributions (try /var/run/sendmail.pid). See page
563 for an example of how to use it.
Whatever the complexity of your site and whatever face it shows to the outside world
(exposed, behind a firewall, or on a virtual private network, for example), it's likely
that the cf directory contains some appropriate ready-made configuration snippets
just waiting to be customized and put to work.
18.8 BASIC SENDMAIL CONFIGURATION PRIMITIVES
sendmail configuration commands are case sensitive. By convention, the names of
predefined macros are all caps (e.g., OSTYPE), m4 commands are all lower case (e.g.,
define), and configurable variable names start with a lowercase conf and end with
an all-caps variable name (e.g., confCOPY_ERRORS_TO). Macros usually refer to
an m4 file called ../macroname/arg1.m4. For example, the macro OSTYPE(`linux')
causes ../ostype/linux.m4 to be included.
In this section we cover the basic configuration commands and leave the fancier
features for later.
The VERSIONID macro
You should maintain your config files with CVS or RCS, not only so that you can back
out to an earlier config version if necessary but also so that you can identify the
versions of the m4 files that go into making up the config file. Use the VERSIONID
macro to automatically embed version information. The syntax is
VERSIONID(`$Id$')
The actual version information is filled in by RCS as you check in the file. It appears
in the final sendmail.cf file as a comment. This information can also be useful if you
forget where you put the sendmail distribution; often, the location of files is dic-
tated by available disk space and not by filesystem design logic.
The OSTYPE macro
Files in the ostype directory are named for the operating system whose default val-
ues they contain. An OSTYPE file packages up a variety of vendor-specific informa-
tion, such as the expected locations of mail-related files, paths to commands that
sendmail needs, flags to mailer programs, etc.
By convention, OS-specific information is interpolated into the config file with the
OSTYPE macro. Every config file must include an OSTYPE macro near the top, typ-
ically just after VERSIONID.
OSTYPE files do their work primarily by defining other m4 variables. For example,
define(`ALIAS_FILE', `/etc/aliases')
specifies the location of the system-wide aliases file. You can override the default
values for your OS later in the .mc file if you wish, but don't change the distributed
26. So where is the OSTYPE macro itself defined? In a file in the cf/m4 directory, which is magically
prepended to your config file when you run the Build script.
OSTYPE file unless it's actually wrong, in which case you should also submit a bug
report to sendmail-bugs@sendmail.org. Some sites want a consistent location for
the aliases file across platforms and so redefine its location in their DOMAIN file.
The README file in the cf directory lists all the variables that can be defined in an
OSTYPE file. Some of the important ones are shown in Table 18.8, along with several
that you may want to configure for spam abatement (but which are undefined by
default). The default values are what you get if your OSTYPE file doesn't specify
something else.
If you install sendmail on a new OS release or architecture, be sure to create a corre-
sponding OSTYPE file and give it to sendmail.org so that it can be included in the
next release. Just model your new file after those already there and check it against
the table of defaults in the cf/README file. If the value of a variable on your new
system is the same as the default value, you don't need to include an entry for it (but
it doesn't hurt to protect yourself in case the default changes).
Table 18.9 shows the OSTYPE files for our reference platforms.
Table 18.8 Default values of some variables set in OSTYPE files
Variable Default value
ALIAS_FILE /etc/mail/aliases
HELP_FILE /etc/mail/helpfile
STATUS_FILE /etc/mail/statistics
QUEUE_DIR /var/spool/mqueue
MSP_QUEUE_DIR /var/spool/clientmqueue
LOCAL_MAILER_PATH /bin/mail
LOCAL_SHELL_PATH /bin/sh
LOCAL_MAILER_MAX undefined
LOCAL_MAILER_MAXMSGS undefined
SMTP_MAILER_MAX undefined
SMTP_MAILER_MAXMSGS undefined
Table 18.9 OSTYPE files for Linux systems
System File Directory Usage
Red Hat linux.m4 /usr/share/sendmail-cf OSTYPE(`linux')
Fedora linux.m4 /usr/share/sendmail-cf OSTYPE(`linux')
SUSE suse-linux.m4 /usr/share/sendmail OSTYPE(`suse-linux')
Debian debian.m4 /usr/share/sendmail/sendmail.cf OSTYPE(`debian')
Ubuntu linux.m4 /usr/share/sendmail OSTYPE(`linux')
SUSE puts the sendmail distribution in /usr/share/sendmail. The suse-linux.m4
OSTYPE file is in the ostype directory there and not part of the sendmail distribu-
tion from sendmail.org. That file is very long (over 80 lines) and contains numerous
FEATUREs and other macros that are usually found in a site's master configuration
file (the .mc file) and not in the OSTYPE file. This hides the real configuration from
the sysadmin, a mixed blessing, perhaps, but not a practice we recommend.
Debian hides the config files beneath /usr/share/sendmail/sendmail.cf/. The direc-
tory sendmail.cf (confusing choice of names from the Debian folks) corresponds to
the cf directory in the sendmail distribution and contains all the config pieces you
need, including a Debian-specific OSTYPE file, ostype/debian.m4. The OSTYPE file
is 50 lines long and consists mostly of pathnames and comments, as it should. Many
are identical to the current defaults from sendmail.org and so don't really need to be
explicitly restated. However, restating them protects Debian against changes in de-
faults that might otherwise introduce inconsistencies or errors. The only Debian sin
in the sendmail OSTYPE style department is the inclusion of the generic DOMAIN
file shipped with the sendmail distribution. A DOMAIN statement should appear
early in the actual .mc file rather than being hidden in the OSTYPE file.
The DOMAIN macro
The DOMAIN directive lets you specify site-wide generic information in one place
(cf/domain/filename.m4) and then refer to that place in each host's config file with
DOMAIN(`filename')
Choose a filename that describes your site. For example, our file for the computer
science department is called cs.m4 and appears in our .mc files as:
DOMAIN(`cs')
Like OSTYPE, DOMAIN is really just a nice way of doing an include. But it makes the
structure of the config file clearer and provides a hook for future tweaks. It is most
useful when you centralize and build all your site's .cf files from .mc files kept in a
single location.
Small sites do not usually need a domain file, but larger sites often use them for refer-
ences to relay machines, site-wide masquerading or privacy options, and references
to tables for mailers, virtual domains, and spam databases.
The generic DOMAIN file included with the distribution shows the types of entries
that are usually put in site-wide domain files. Its contents (with comments and dnls
removed) are shown below.
VERSIONID(`$Id: generic.m4,v 8.15 1999/04/04 00:51:09 ca Exp $')
define(`confFORWARD_PATH', `$z/.forward.$w+$h:$z/.forward+$h:$z/.forward.$w:$z/.forward')
define(`confMAX_HEADERS_LENGTH', `32768')
FEATURE(`redirect')
FEATURE(`use_cw_file')
EXPOSED_USER(`root')
The file sets the path for the locations of users' forward files, limits header lengths,
includes the redirect feature for users who have left your organization, and turns on
the use_cw_file feature for the handling of equivalent machine names. If your .mc
file includes masquerading, the root user will not be masqueraded. Each of these
constructs is described in more detail later in the chapter.
The MAILER macro
You must include a MAILER macro for every delivery agent you want to enable. You'll
find a complete list of supported mailers in the directory cf/mailer in the sendmail
distribution. Currently, the options are local, smtp, fax, usenet, procmail, qpage,
cyrus, pop, phquery, and uucp. Typically, you need at least
MAILER(`local')
MAILER(`smtp')
The first line includes the local and prog mailers. The second line includes smtp,
esmtp, dsmtp, smtp8, and relay. Support for user+details@site.domain email ad-
dresses was added to the local mailer starting with version 8.7. The user defines the
mailbox to which messages should be delivered, and the details add an extra param-
eter that a local mail program such as procmail can use to sort incoming mail.
If you plan to tune any mailer-related macros (such as USENET_MAILER_ARGS or
FAX_MAILER_PATH), be sure that the lines that set these parameters precede the line
that invokes the mailer itself; otherwise, the old values will be used. For this reason,
MAILER declarations usually come toward the bottom of the config file.
The pop mailer interfaces to the spop program that is part of the mh mail handler
package and implements the Post Office Protocol defined in RFC1460. It's used by
PCs and Macs that need to access mail on a UNIX host. The cyrus mailer is for use
with CMU's IMAP server and comes in two flavors: cyrus to deliver mail to users'
mailboxes and cyrusbb to deliver mail to a central bulletin board. The cyrus mailer
also understands the user+details syntax; its MAILER specification must come after
that of the local mailer.
HylaFAX is available
from www.hylafax.org.
The fax mailer integrates Sam Leffler's HylaFAX package into the mail system. SUSE
includes it as /usr/bin/faxmail; Red Hat, Fedora, Debian, and Ubuntu do not include
HylaFAX by default. Mailing to user@destination.fax sends the body of the message
as a fax document. The destination is typically a phone number. To allow symbolic
names (rather than just phone numbers) as destinations, use a keyed database file.
ghostscript is available
from www.gnu.org.
You must glue HylaFAX and sendmail together by installing a script from the Hy-
laFAX distribution in /usr/local/bin. You also might need to change the value of the
macro FAX_MAILER_PATH. Human intervention is still needed to deliver incoming
27. Hackers have used very, very long headers as a way of causing a denial of service in older versions of
sendmail. This line is there in case you are still running any of these vulnerable versions (pre-8.9.3).
28. The user+details syntax originated at Carnegie Mellon University, where it is used with local tools for
routing and sorting mail.
faxes from the spool area to a user's mailbox. You can convert fax documents to Post-
Script (with HylaFAX) and view them with the GNU package ghostscript.
The qpage mailer interfaces to QuickPage software to deliver email to your pager.
See www.qpage.org for more information about QuickPage.
The macros VERSIONID, OSTYPE, and MAILER are all you need to build a basic
hostname.mc file.
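The quoting and comment rules from the m4 section and the ordering rule for mailer parameters above are easy to get wrong in a hand-edited .mc file, and the mistake only shows up after the .cf has been built and installed. The following Python checker is an added example, not part of the book or of the sendmail distribution: it reports unquoted macro arguments, '#' comment lines that are neither inside a divert(-1) block nor guarded by dnl, a missing OSTYPE, and any define of a *_MAILER_* parameter that comes after the MAILER line that would already have consumed it. The sample .mc it checks is constructed for the example.

```python
"""Check a sendmail .mc master file for common m4 pitfalls: unquoted
arguments, stray '#' comments, a missing OSTYPE, and mailer parameters
defined after the MAILER() line that needed them."""
import re

# Constructed sample .mc, not a file from the book or the sendmail distribution.
# Lines 6, 10 and 11 each contain one of the mistakes the checker looks for.
SAMPLE_MC = """divert(-1)
#### basic .mc file for foo.com
divert(0)
VERSIONID(`$Id$')
OSTYPE(`linux')
# send bounce headers to the postmaster
define(`confCOPY_ERRORS_TO', `postmaster')
MAILER(`local')
MAILER(`smtp')
define(`FAX_MAILER_PATH', `/usr/local/bin/faxmail')
FEATURE(redirect)
"""

MACRO_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\((.*)\)$")


def split_args(arglist):
    """Split a macro argument list on commas that lie outside `...' quotes."""
    args, cur, depth = [], [], 0
    for ch in arglist:
        if ch == "`":
            depth += 1
        elif ch == "'" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur or args:
        args.append("".join(cur).strip())
    return args


def is_quoted(arg):
    """True when the argument is wrapped in m4's asymmetric `...' quotes."""
    return len(arg) >= 2 and arg[0] == "`" and arg[-1] == "'"


def lint_mc(text):
    """Return a list of (line number, message) findings for an .mc file.

    Line number 0 is used for file-level findings such as a missing OSTYPE.
    """
    findings = []
    discarding = False      # True between divert(-1) and the next divert(0)
    seen_mailer = False
    seen_ostype = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        # dnl discards the rest of the line, so nothing after it can matter
        line = re.sub(r"\bdnl\b.*$", "", raw).strip()
        if not line:
            continue
        if line.startswith("#"):
            if not discarding:
                findings.append((lineno, "'#' comment is neither inside divert(-1) "
                                         "nor guarded by dnl; it is copied into the .cf file"))
            continue
        m = MACRO_RE.match(line)
        if not m:
            continue
        name, args = m.group(1), split_args(m.group(2))
        if name == "divert":
            discarding = bool(args) and args[0] == "-1"
            continue
        for arg in args:
            if not is_quoted(arg):
                findings.append((lineno, f"argument {arg} to {name} is not quoted with `...'"))
        if name == "OSTYPE":
            seen_ostype = True
        elif name == "MAILER":
            seen_mailer = True
        elif name == "define" and seen_mailer and args and "_MAILER_" in args[0]:
            findings.append((lineno, f"{args[0]} is set after MAILER(); the mailer "
                                     "definition was already expanded with the old value"))
    if not seen_ostype:
        findings.append((0, "no OSTYPE macro; OS-dependent paths will be wrong"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_mc(SAMPLE_MC):
        print(f"line {lineno}: {message}")
```

Run it over a real foo.mc before ./Build foo.cf; a clean report is not a guarantee that the configuration is right, but each finding it does produce corresponds to a rule stated in the text, so the fix is mechanical.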
18.9 FANCIER SENDMAIL CONFIGURATION PRIMITIVES
In the next sections, we describe a few more macros and some of the most common
FEATUREs that modify sendmail's default behavior. We also discuss some policy is-
sues in the context of sendmail configuration: security, privacy, spam, and the
technique of hiding information by the use of masquerading and virtual domains.
The FEATURE macro
With the FEATURE macro you can enable several common options by including m4
files from the feature directory. In the discussion below, we intermix our presenta-
tion of FEATUREs and some of sendmail's other macros since they are occasionally
intertwined. When m4 configuration was first added to sendmail, describing the
FEATURE macro became a big section of our mail chapter. Now, so many features
have been added that the FEATURE macro almost needs its own chapter.
The syntax is
FEATURE(keyword, arg, arg, ...)
where keyword corresponds to a file keyword.m4 in the cf/feature directory and the
args are passed to it. See the directory itself or the cf/README file for a definitive
list of features. A few commonly used ones are described below.
The use_cw_file feature
The sendmail internal class w (hence the name cw) contains the names of all local
hosts for which this host accepts and delivers mail. A client machine might include
its hostname, its nicknames, and localhost in this class. If the host being configured
is your mail hub, then the w class should also include any local hosts and virtual
domains for which you accept email.
The use_cw_file feature defines class w from the file /etc/mail/local-host-names
(which used to be called sendmail.cw). The exact filename is configurable with the
confCW_FILE option, discussed later. Without this feature, sendmail delivers mail
locally only if it is addressed to the machine on which sendmail is running. An in-
coming mail server must list in the local-host-names file all the machines and do-
main names for which it will handle mail. If you change the file, you must send a
HUP signal to sendmail to make your changes take effect because sendmail reads
this file only when it starts.
!LATURL(`use_cv_íile')
invokes the featuie and uses the local-host-names file as the data souice; heie is an
example local-host-names file:
= local-los¹-ranes - irclude all aliases íor your naclire lere.
¹oadrarcl.con
coyo¹e.¹oadrarcl.con
bi¡-¹r.con
yolerb.con
lerbnorreale.con
a¡¡lied¹rus¹.con
a¡¡lied-¹rus¹.con
a¹rus¹.con
In this example, the entiies aie all viitual domains that aie hosted locally.
The redirect feature
When people leave your organization, you usually either forward their mail or let mail to them bounce back to the sender with an error. The redirect feature provides support for a more elegant way of bouncing mail. If Joe Smith has graduated from oldsite.edu to newsite.com, then enabling redirect with
FEATURE(`redirect')
and adding the line
smithj: joe@newsite.com.REDIRECT
to the aliases file at oldsite.edu causes mail to smithj to be returned to the sender with an error message suggesting that the sender try the address joe@newsite.com instead. The message itself is not automatically forwarded.
The always_add_domain feature
This feature makes sendmail add the local hostname to local destination addresses that are not fully qualified. For example, suppose lynda@cs.colorado.edu sends a message to the local users barb and evi. Without always_add_domain, the mail headers would show sender and recipient addresses as simple login names. With always_add_domain turned on, all addresses would become fully qualified before the message left lynda's machine.
Use always_add_domain when you share spool directories among machines that do not share an alias file or that do not have the same passwd file (incidentally, you probably shouldn't do such sharing). Mail to an alias or user that is not known everywhere would be fully qualified on the originating machine and therefore could be replied to.
Another selling point for this feature is that unqualified names are often rejected as spam. We recommend that you always use it. (Unless you are sending spam!)
576 Chapter 18 - Electronic Mail
If you are using MASQUERADE_AS (see page 581), always_add_domain adds the name of the host you are masquerading as, not the local hostname. This convention can cause problems if the aliases file or passwd file on the local host is not a subset of the equivalent file on the MASQUERADE_AS host.
The nocanonify feature
sendmail typically verifies that the domain name portion of an address is fully qualified and not a DNS CNAME. If this is not so, sendmail rewrites the address. This process is called canonification and is usually done by a DNS lookup on the hostname. The nocanonify feature says not to do this rewriting, and the DNS lookup that is necessary to deliver a message is postponed. For example, at a site with a master mail hub and client machines that forward all their mail through the master, the clients might use
FEATURE(`nocanonify')
to avoid doing the DNS lookups locally. sendmail does not keep track of whether DNS lookups have been done as a message moves from machine to machine within a local site; it can't. The nocanonify feature lets you control the timing of these lookups. See our configuration case study (page 599) for an example.
nocanonify can also be used in an MSA/MTA scheme such as might be used at a very large mail site. In this scenario, the MSA does all the DNS lookups and the master machine running the MTA specifies nocanonify.
Sometimes you want to avoid DNS lookups that are potentially expensive but you are willing to do the lookups for the local domain. You can exempt specific domains from the nocanonify specification by including either the CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE macros, which take a list of domains or a filename as an argument, respectively. For example, the lines
FEATURE(`nocanonify')
CANONIFY_DOMAIN(`cs.colorado.edu cs')
would defer DNS lookups except for addresses of the form user@cs.colorado.edu or user@cs. These exception macros were first introduced in version 8.12.
Tables and databases
sendmail has several FEATUREs that use a construct called a "table" to figure out where mail should be routed. A table is usually a text file of routing, aliasing, policy, or other information that is converted to a database format externally with the makemap command and then used as an internal database for sendmail's various lookups. Although the data usually starts as a text file, that is not required; data for sendmail tables can come from DNS, NIS, LDAP, or other sources. The use of a centralized IMAP or POP server relieves sendmail of the chore of chasing down users and obsoletes some of the tables discussed below. Table 18.10 on page 584 includes a summary of the available tables.
Two database libraries are supported: the dbm/ndbm library that is standard with most versions of Linux, and Berkeley DB, a more extensible library that supports multiple storage schemes. Your choice of database library must be specified at compile time. We recommend DB if you can install it; it's faster than dbm and creates smaller files. DB is available from sleepycat.com.
Three database map types are available:
· dbm - uses an extensible hashing algorithm (dbm/ndbm)
· hash - uses a standard hashing scheme (DB)
· btree - uses a B-tree data structure (DB)
For most table applications in sendmail, the hash database type (the default) is the best. Use the makemap command to build the database file from a text file; you specify the database type and the output file base name. The text version of the database should appear on makemap's standard input, for example:
# makemap hash /etc/mail/access < /etc/mail/access
At first glance this command looks like a mistake that would cause the input file to be overwritten by an empty output file. However, makemap tacks on an appropriate suffix, so the actual output file is /etc/mail/access.db and in fact there is no conflict. Each time the text file is changed, the database file must be rebuilt with makemap (but sendmail need not be HUPed).
In most circumstances, the longest possible match is used for database keys. As with any hashed data structure, the order of entries in the input text file is not significant.
FEATUREs that expect a database file as a parameter default to hash as the database type and /etc/mail/tablename.db as the filename for the database. To override this behavior, either specify the desired database type to both the makemap command and the FEATURE or reset the default by defining a different value for the variable DATABASE_MAP_TYPE. For example:
define(`DATABASE_MAP_TYPE', `dbm')
To use your new access.db database, you'd add the following line to your .mc file:
FEATURE(`access_db', `hash /etc/mail/access')
Since this line uses the default type and naming scheme, you could just write
FEATURE(`access_db')
You can specify the database filename either with or without the suffix (.db); without is preferred.
Don't forget to rebuild the database file with makemap every time you change the text file; otherwise, your changes will not take effect.
We cover the mailertable, genericstable, and virtusertable FEATUREs in the next few sections. access_db is covered later in the spam section. user_db is not covered at all because it has been deprecated and will eventually be removed.
Starting with version 8.12, all maps and classes can specify LDAP as the source of their data, so you can have sendmail contact the LDAP server to determine mail routing and header rewriting. Just specify LDAP as the second parameter:
FEATURE(`access_db', `LDAP')
This line causes the access_db to use the default LDAP schema that is defined in the file cf/sendmail.schema in the sendmail distribution. You can also define your own database schema with additional arguments to the FEATURE directive; see the cf/README file for details.
The mailertable feature
The mailertable feature redirects mail addressed to a particular host or domain to an alternate destination through a particular mailer. It is applied as the mail goes out from a site. The mailertable feature looks only at the host portion of the address, not the user portion. The header address is not rewritten, so the mail continues to be addressed to the same user but is sent to a different host through a different mailer.
mailertable was originally designed to deal with other mail systems such as UUCP, DECnet, and BITNET, but today it is often used to redirect mail from a gateway machine to an internal server or to a server at a remote site that does not have direct Internet access.
To use a mailertable, include the following line in your .mc file:
FEATURE(`mailertable')
An entry in the mailertable has the form
old_domain mailer:destination
A leading dot in front of the key on the left side is a wild card that means any host in that domain. Only host and domain names are allowed as mailertable keys; usernames are not allowed. The destination value on the right side can be a domain, a user@domain clause, or even null, in which case the envelope is not changed. The mailer value must be the name of a mailer defined in a MAILER clause; see page 573.
As an example, suppose you used MS Exchange as your main internal mail server but were reluctant to have it facing the Internet. You could put a Linux box on the Internet as your mail gateway and then forward all mail to the Exchange server after virus scanning or whatever preprocessing you liked. Here is the mailertable entry that would do it, assuming that the Exchange server had the internal IP address shown:
my-domain esmtp:[192.168.1.245]
However, this is a form of relaying, which, as we see on page 589, needs to be controlled. To complete this example, you would need to put the line
To:my-domain RELAY
in your access database to allow relaying for all mail to any user at my-domain.
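The following Python model, added here as an illustration and not part of sendmail, imitates the two lookups the gateway scenario depends on: the mailertable's host-only, longest-match wildcard lookup and the access table's To: RELAY check. The table text is constructed; apart from the my-domain entry above, the hosts, mailers and destinations are hypothetical.

```python
"""Model of mailertable routing and the access-table relay check.

Added example, not part of sendmail. It imitates the matching rules the
text describes; sendmail's real rulesets cover more cases than this.
"""
from typing import Dict, Optional, Tuple

# Constructed mailertable text. The first line is the gateway entry from
# the text; the remaining hosts are hypothetical.
MAILERTABLE_TEXT = """\
my-domain          esmtp:[192.168.1.245]
.my-domain         esmtp:[192.168.1.245]
partner.example    smtp:mx.partner.example
.legacy.example    uucp-dom:legacyhub
keep.example       local:
"""

# Constructed access table: relaying is allowed only for mail to my-domain.
ACCESS_TEXT = """\
To:my-domain       RELAY
"""


def parse_table(text: str) -> Dict[str, str]:
    """Parse 'key value' lines the way makemap reads them: '#' starts a
    comment, keys are case-insensitive and therefore stored lowercased."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table


def lookup_mailertable(table: Dict[str, str], host: str) -> Optional[Tuple[str, str, str]]:
    """Return (matched_key, mailer, destination) for a host, or None.

    Order: the exact host first, then the leading-dot wildcard of each
    parent domain from longest to shortest; a lone "." key is the catch-all.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels) + 1)]
    for key in candidates:
        if key in table:
            mailer, _, destination = table[key].partition(":")
            return key, mailer, destination   # destination may be "" (null)
    return None


def route(table: Dict[str, str], address: str) -> Optional[Tuple[str, str, str]]:
    """mailertable ignores the user part: only the host after '@' is looked up."""
    return lookup_mailertable(table, address.rpartition("@")[2])


def relay_allowed(access: Dict[str, str], address: str) -> bool:
    """True if a To:<domain> RELAY entry covers the recipient's host.

    As in the access database, a domain key also covers its subdomains:
    To:my-domain matches mail.my-domain as well as my-domain itself.
    """
    host = address.rpartition("@")[2].lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        if access.get("to:" + ".".join(labels[i:]), "").upper() == "RELAY":
            return True
    return False


def gateway_decision(address: str) -> Tuple[str, Optional[Tuple[str, str, str]]]:
    """'relay' when a mailertable entry exists and relaying is permitted,
    'reject' when the entry exists but the access table does not allow the
    relay, 'default' when no entry matches (ordinary MX delivery applies)."""
    table = parse_table(MAILERTABLE_TEXT)
    access = parse_table(ACCESS_TEXT)
    hit = route(table, address)
    if hit is None:
        return "default", None
    if not relay_allowed(access, address):
        return "reject", hit
    return "relay", hit


if __name__ == "__main__":
    for addr in ("anyone@my-domain", "bob@sales.my-domain",
                 "sue@partner.example", "x@other.example"):
        print(addr, "->", gateway_decision(addr))
```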
The genericstable feature
The genericstable feature ("generics table," not "generic stable") is like aliasing for outgoing mail. For example, it can map trent@atrust.com to trent.hein@atrust.com on outbound mail. It is the headers that are rewritten, not the envelope. Mail delivery is not affected, only replies.
Several mechanisms can map hostnames, but genericstable is the only one that includes both the username and the hostname as part of the mapping key. The masquerade_envelope and allmasquerade features discussed later in this section can also apply to addresses in the genericstable.
To use genericstable, make sure that your domain is in the generics class. To put a domain in the generics class, you can either list it in the GENERICS_DOMAIN macro or put it in the file specified by the GENERICS_DOMAIN_FILE macro.
For example, to use genericstable with the defaults for the database, add
GENERICS_DOMAIN_FILE(`/etc/mail/local-host-names')
FEATURE(`genericstable')
to your .mc configuration file. In this example, any host you accept mail for is included. Enabling the genericstable feature slows down sendmail slightly because every sender address must be looked up.
The virtusertable feature
The virtual user table supports domain aliasing for incoming mail. This feature allows multiple virtual domains to be hosted on one machine and is common at web hosting sites.
The key field of the table contains either an email address (user@host.domain) or a domain specification (@domain). The value field is a local email address or an external email address. If the key is a domain, the value can either pass the user field along as the variable %1 or route the mail to a different user. If the user specification has the form user+details, then the variable %2 contains the details and variable %3 contains +details; use whichever form you want.
Let's look at some examples (we added the comments):
info@foo.com    foo-info              # route to a local user
info@bar.com    bar-info              # another local user
joe@bar.com     error:No such user    # to return an error
@baz.org        jane@elsewhere.com    # all mail to jane
@zohni.org      %1@elsewhere.com      # to the same user, different domain
All the host keys on the left side of the data mappings must be listed in the cw file, /etc/mail/local-host-names (or the VirtHost class); otherwise, sendmail tries to find the host on the Internet and to deliver the mail there. If DNS points sendmail back to this server, you get a "local configuration error" message in bounces. Unfortunately, sendmail cannot tell that the error message for this instance should really be "virtusertable key not in cw file."
Several pieces are actually involved here:
· DNS MX records must exist so that mail is routed to the right host in the first place; then
· cw entries must be present or VIRTUSER_DOMAIN specified (or equivalently, VIRTUSER_DOMAIN_FILE) to allow the local machine to accept the mail; and finally
· the virtual user table must tell sendmail what to do with the mail.
The feature is invoked with
FEATURE(`virtusertable')
The examples starting on page 599 use virtusertable to implement virtual hosting.
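A Python model of the virtusertable rules just described, added as an example (not sendmail code): key order, %1/%2/%3 expansion for user+detail addresses, and a check for keys whose host is missing from the cw file. The table repeats the five entries above and adds a hypothetical sales.example entry; the cw contents are constructed.

```python
"""Model of virtusertable lookup and the cw-file sanity check.

Added example, not sendmail's code. It follows the rules in the text:
user@host keys are tried before @host keys, and for an @host key %1, %2
and %3 expand to the user, the detail text and +detail respectively.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed table: the five entries from the text plus one +detail case
# (sales.example is hypothetical).
VIRTUSERTABLE_TEXT = """\
info@foo.com      foo-info
info@bar.com      bar-info
joe@bar.com       error:No such user
@baz.org          jane@elsewhere.com
@zohni.org        %1@elsewhere.com
@sales.example    %1%3@support.example
"""

# Constructed stand-in for /etc/mail/local-host-names (class w). Note that
# sales.example is deliberately absent.
LOCAL_HOST_NAMES: Set[str] = {"foo.com", "bar.com", "baz.org", "zohni.org"}


def parse_virtusertable(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; '#' begins a comment, keys are lowercased."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            table[key.lower()] = value
    return table


def keys_missing_from_cw(table: Dict[str, str], cw: Set[str]) -> List[str]:
    """Keys whose host is not in the cw file. sendmail would not accept mail
    for such a host locally, which yields the misleading bounce the text
    describes, so this is the check to run after editing the table."""
    return [key for key in table if key.rpartition("@")[2] not in cw]


def lookup_virtuser(table: Dict[str, str], address: str) -> Tuple[str, Optional[str]]:
    """Return ('deliver', address), ('error', text) or ('none', None).

    Key forms tried, most specific first: user+detail@host, user@host,
    @host. The %N variables are expanded only for the @host form, where
    the user part is not fixed by the key.
    """
    user, _, host = address.rpartition("@")
    host = host.lower()
    base, plus, detail = user.partition("+")
    for key in (f"{user.lower()}@{host}", f"{base.lower()}@{host}", f"@{host}"):
        if key not in table:
            continue
        value = table[key]
        if key.startswith("@"):
            value = (value.replace("%1", base)
                          .replace("%2", detail)
                          .replace("%3", plus + detail))
        if value.startswith("error:"):
            return "error", value[len("error:"):].strip()
        return "deliver", value
    return "none", None


if __name__ == "__main__":
    vt = parse_virtusertable(VIRTUSERTABLE_TEXT)
    print("keys not in cw file:", keys_missing_from_cw(vt, LOCAL_HOST_NAMES))
    for addr in ("info@foo.com", "joe@bar.com", "anyone@baz.org",
                 "sam@zohni.org", "sam+tickets@sales.example"):
        print(addr, "->", lookup_virtuser(vt, addr))
```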
The ldap_routing feature
As a final chunk floating in this cesspool of aliasing, rewriting, and falsification, we have LDAP, the Lightweight Directory Access Protocol. LDAP (see page 555 for general information) can substitute for virtusertable with respect to routing email and accepting mail for virtual domains. It can also manage aliases, maps, and classes. And as of version 8.12, it can do a decent job with mailing lists.
To use LDAP in this way, you must include several statements in your config file, and you must have built sendmail to include LDAP support. In your .mc file you need the lines
define(`confLDAP_DEFAULT_SPEC', `-h server -b searchbase')
FEATURE(`ldap_routing')
LDAPROUTE_DOMAIN(`my_domain')
to tell sendmail that you want to use an LDAP database for routing incoming mail addressed to the specified domain. The LDAP_DEFAULT_SPEC option identifies the LDAP server and database search base name.
In the following example, the search base is o=sendmail.com, c=US. If you run LDAP on a custom port (not 389), add -p ldap_port# to the LDAP_DEFAULT_SPEC.
sendmail uses the values of two tags in the LDAP database:
· mailLocalAddress for the addressee on incoming mail
· mailRoutingAddress for the alias to send it to
sendmail also supports the tag mailHost, which if present routes mail to the MX records for the specified host, with mailRoutingAddress as recipient.
For example, the LDAP entry (for a server configured with a root distinguished name of cn=root, o=sendmail.com, c=US)
dn: uid=eric, o=sendmail.com, c=US
objectClass: inetLocalMailRecipient
mailLocalAddress: eric@sendmail.org
mailRoutingAddress: eric@eng.sendmail.com
would cause mail addressed to eric@sendmail.org (which DNS MX records caused to be delivered to sendmail.com) to be sent to eric@eng.sendmail.com. If the entry also contained the line
mailHost: mailserver.sendmail.com
then mail to eric@sendmail.org would be addressed to eric@eng.sendmail.com and sent to the host mailserver.sendmail.com after MX lookups.
LDAP database entries support a wild card entry, @domain, that reroutes mail addressed to anyone at the specified domain (as was done in the virtusertable).
In versions 8.12 and later, a bit more flexibility was added in the form of a configuration primitive, LDAPROUTE_EQUIVALENT (or LDAPROUTE_EQUIVALENT_FILE), with which you can define equivalent versions of the domain name you are rerouting with LDAP. For example, mail coming to user@host1.mydomain would normally be queried literally in the LDAP database and then queried as @host1.mydomain. Including the line
LDAPROUTE_EQUIVALENT(`host1.mydomain')
would also try the keys user@mydomain and @mydomain. This feature enables a single database to route mail at a complex site.
Additional arguments to the ldap_routing feature now enable you to specify more details about the LDAP schema to use and to specify the handling of user names that have a +detail part. As of sendmail version 8.13, a new ldap_routing argument (sendertoo) can reject SMTP mail from a sender that doesn't exist in LDAP. As always, see the cf/README file for exact details.
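To show the key order that LDAPROUTE_EQUIVALENT produces and how mailRoutingAddress and mailHost combine, here is an added Python model (not sendmail code) that resolves addresses against an in-memory stand-in for the directory. The eric entry is the one shown above; the catchall wildcard entry, the host1.sendmail.org equivalent and the choice of sendmail.org as the LDAPROUTE_DOMAIN are assumptions.

```python
"""Model of ldap_routing key order (with LDAPROUTE_EQUIVALENT) and of how
mailRoutingAddress and mailHost decide where mail goes.

Added example, not sendmail's code; the directory below is a constructed
in-memory stand-in for the LDAP entries shown in the text.
"""
from typing import Dict, List, Optional

LDAPROUTE_DOMAIN = "sendmail.org"              # assumed LDAPROUTE_DOMAIN(`sendmail.org')
LDAPROUTE_EQUIVALENT = {"host1.sendmail.org"}  # assumed LDAPROUTE_EQUIVALENT(`host1.sendmail.org')

# Constructed directory: the entry from the text (with its mailHost line)
# plus a hypothetical @sendmail.org wildcard entry for everyone else.
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "uid=eric, o=sendmail.com, c=US",
     "objectClass": "inetLocalMailRecipient",
     "mailLocalAddress": "eric@sendmail.org",
     "mailRoutingAddress": "eric@eng.sendmail.com",
     "mailHost": "mailserver.sendmail.com"},
    {"dn": "uid=catchall, o=sendmail.com, c=US",
     "objectClass": "inetLocalMailRecipient",
     "mailLocalAddress": "@sendmail.org",
     "mailRoutingAddress": "catchall@eng.sendmail.com"},
]


def candidate_keys(address: str) -> List[str]:
    """mailLocalAddress values tried, in order, for an incoming address.

    The literal address comes first, then the @host wildcard; if the host
    is an LDAPROUTE_EQUIVALENT, the same two forms are then tried for
    LDAPROUTE_DOMAIN. Addresses outside the routed domain get no keys, so
    ldap_routing leaves them alone.
    """
    user, _, host = address.lower().rpartition("@")
    keys: List[str] = []
    if host == LDAPROUTE_DOMAIN or host in LDAPROUTE_EQUIVALENT:
        keys += [f"{user}@{host}", f"@{host}"]
    if host in LDAPROUTE_EQUIVALENT:
        keys += [f"{user}@{LDAPROUTE_DOMAIN}", f"@{LDAPROUTE_DOMAIN}"]
    return keys


def find_entry(key: str) -> Optional[Dict[str, str]]:
    """Directory search for an entry whose mailLocalAddress equals key."""
    for entry in DIRECTORY:
        if entry.get("mailLocalAddress", "").lower() == key:
            return entry
    return None


def route_via_ldap(address: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {'recipient': ..., 'mail_host': ...}, or None when no entry
    matches. recipient is the mailRoutingAddress; mail_host is the host
    whose MX records are used when the entry carries mailHost (None means
    ordinary delivery to the recipient's own domain)."""
    for key in candidate_keys(address):
        entry = find_entry(key)
        if entry is not None:
            return {"recipient": entry["mailRoutingAddress"],
                    "mail_host": entry.get("mailHost")}
    return None


if __name__ == "__main__":
    for addr in ("eric@sendmail.org", "eric@host1.sendmail.org",
                 "anyone@sendmail.org", "eric@other.example"):
        print(addr, candidate_keys(addr), "->", route_via_ldap(addr))
```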
Masquerading and the MASQUERADE_AS macro
With the MASQUERADE_AS macro, you can specify a single identity that other machines hide behind. All mail appears to emanate from the designated machine or domain. The sender's address is rewritten to be user@masquerading-name instead of user@original-host.domain. Of course, those masqueraded addresses must be valid so that people can reply to the mail.
This configuration permits all users at a site to use a generic email address. For example, if all hosts at atrust.com masquerade behind the domain atrust.com, then mail from user@host.atrust.com is stamped as being from user@atrust.com, with no mention of the actual hostname from which the user sent the mail. The machine that represents atrust.com must know how to deliver all users' mail, even mail for users that do not have a login on the incoming mail server. Naturally, login names must be unique across the whole domain.
Some users and addresses (such as root, postmaster, hostmaster, trouble, operations, Mailer-Daemon, etc.) should be exempted from this behavior. They can be explicitly excluded with the EXPOSED_USER macro.
For example, the sequence
MASQUERADE_AS(`atrust.com')
EXPOSED_USER(`root')
EXPOSED_USER(`Mailer-Daemon')
would stamp mail as coming from user@atrust.com unless it was sent by root or the mail system; in these cases, the mail would carry the name of the originating host.
A feature introduced in 8.12 enables you to exempt mail for the local domain (or mail to specific hosts listed as exceptions) from the masquerading. For example, this feature might be handy for a site that uses an unregistered private domain name locally and wants masquerading only on messages bound for the Internet.
The syntax is
FEATURE(`local_no_masquerade')
MASQUERADE_EXCEPTION(`host.domain')
MASQUERADE_EXCEPTION_FILE(`filename')
The basic MASQUERADE_AS macro has several extensions, both through other macros and through FEATUREs:
· The MASQUERADE_DOMAIN macro
· The MASQUERADE_DOMAIN_FILE macro
· The MASQUERADE_EXCEPTION macro
· The MASQUERADE_EXCEPTION_FILE macro
· The limited_masquerade FEATURE
· The allmasquerade FEATURE
· The masquerade_envelope FEATURE
· The masquerade_entire_domain FEATURE
We recommend using the MASQUERADE_AS macro described above along with the allmasquerade and masquerade_envelope features. The limited_masquerade feature modifies the behavior of MASQUERADE_DOMAIN and is useful for virtual hosting environments. MASQUERADE_DOMAIN lets you list domains that you want to masquerade; the list is preloaded from the w class that is typically defined with the use_cw_file feature and lists the hosts in your domain. limited_masquerade does not preinitialize the list with class w. All those domains are hidden by the domain you are masquerading as.
The allmasquerade feature extends masquerading to the recipients of the message (as opposed to just the sender), and the masquerade_envelope feature extends it to the envelope as well as to the header addresses.[29] With these two extensions, all addresses are hidden in a consistent fashion. The masquerade_entire_domain feature extends masquerading to all hosts in a specified list of other domains.
29. The header addresses are the To, From, Cc, and Bcc addresses that appear in the header of a message. The envelope addresses are the addresses to which the mail is actually delivered. The envelope addresses are originally built from the header addresses by the user agent, but they are processed separately by sendmail. Many of sendmail's masquerading and redirection features would be impossible to implement if the distinction between header and envelope addresses was not maintained.
If you want to use other masquerading techniques, you can read about their behavior in the cf/README file or in the sendmail book. Read carefully; some of the masquerading primitives can hide too much.
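An added Python model (not sendmail code) of which of a message's four address slots each masquerading construct touches, following the rules above and the header/envelope distinction of footnote 29. The atrust.com configuration and exposed users come from the text; the hostnames, the message and the MasqConfig field names are constructed.

```python
"""Model of which addresses the masquerading constructs rewrite.

Added example, not sendmail's code. Rules applied, as the text states
them: MASQUERADE_AS rewrites the header sender for hosts in the hidden
list (class w plus MASQUERADE_DOMAIN); EXPOSED_USER exempts named users;
allmasquerade extends the rewriting to recipients; masquerade_envelope
extends it to the envelope; masquerade_entire_domain extends it to all
hosts under the listed domains.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class MasqConfig:
    masquerade_as: str                                    # MASQUERADE_AS(...)
    hidden_hosts: Set[str] = field(default_factory=set)   # class w + MASQUERADE_DOMAIN
    exposed_users: Set[str] = field(default_factory=set)  # EXPOSED_USER(...)
    allmasquerade: bool = False                           # FEATURE(`allmasquerade')
    masquerade_envelope: bool = False                     # FEATURE(`masquerade_envelope')
    entire_domain: bool = False                           # FEATURE(`masquerade_entire_domain')


def masquerade(cfg: MasqConfig, address: str) -> str:
    """Rewrite user@host to user@masquerade_as when host is hidden and the
    user is not exposed; otherwise return the address unchanged."""
    user, _, host = address.rpartition("@")
    host = host.lower()
    if user.lower() in {u.lower() for u in cfg.exposed_users}:
        return address
    hidden = host in cfg.hidden_hosts
    if cfg.entire_domain:
        hidden = hidden or any(host.endswith("." + d) for d in cfg.hidden_hosts)
    return f"{user}@{cfg.masquerade_as}" if hidden else address


def rewrite_message(cfg: MasqConfig, msg: Dict[str, str]) -> Dict[str, str]:
    """Apply masquerading to the four address slots of a message:
    header_from, header_to, envelope_from, envelope_to.

    Plain MASQUERADE_AS touches only header_from; allmasquerade adds the
    recipient slot, masquerade_envelope adds the envelope slots, and both
    together rewrite all four."""
    out = dict(msg)
    out["header_from"] = masquerade(cfg, msg["header_from"])
    if cfg.allmasquerade:
        out["header_to"] = masquerade(cfg, msg["header_to"])
    if cfg.masquerade_envelope:
        out["envelope_from"] = masquerade(cfg, msg["envelope_from"])
        if cfg.allmasquerade:
            out["envelope_to"] = masquerade(cfg, msg["envelope_to"])
    return out


# Constructed configuration and message based on the atrust.com example in
# the text; the hostnames are hypothetical.
SITE = MasqConfig(
    masquerade_as="atrust.com",
    hidden_hosts={"lynda.atrust.com", "coyote.atrust.com"},
    exposed_users={"root", "Mailer-Daemon"},
)
MESSAGE = {
    "header_from": "evi@lynda.atrust.com",
    "header_to": "barb@coyote.atrust.com",
    "envelope_from": "evi@lynda.atrust.com",
    "envelope_to": "barb@coyote.atrust.com",
}

if __name__ == "__main__":
    print("MASQUERADE_AS only:", rewrite_message(SITE, MESSAGE))
    both = MasqConfig("atrust.com", SITE.hidden_hosts, SITE.exposed_users, True, True)
    print("with allmasquerade + masquerade_envelope:", rewrite_message(both, MESSAGE))
```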
The MAIL_HUB and SMART_HOST macros
Masquerading makes all mail appear to come from a single host or domain by rewriting the headers and, optionally, the envelope. Some sites may want all mail to really come from (or go to) a single machine. You can achieve this configuration with the macros MAIL_HUB for incoming mail and SMART_HOST for outgoing mail.
To route all incoming mail to a central server for delivery, set MAIL_HUB to the value mailer:host, where mailer is the agent to use to reach the designated host. If you don't specify a delivery agent, then relay is used. For example:
define(`MAIL_HUB', `smtp:mailhub.cs.colorado.edu')
The SMART_HOST designation causes a host to deliver local mail but to punt external mail to SMART_HOST. This feature is useful for machines that live behind a firewall and so cannot use DNS directly. Its syntax parallels that of MAIL_HUB; the default delivery agent is again relay. For example:
define(`SMART_HOST', `smtp:mailhub.cs.colorado.edu')
In these examples, the same machine acts as the server for both incoming and outgoing mail. A larger site might split these into separate machines. The SMART_HOST must allow relaying so that client machines can send mail through it. mailertable entries override the SMART_HOST designation.
Masquerading and routing
With all these features and macros ready and waiting to massage your email addresses, we thought it might be nice to try to compare the various mechanisms in terms of whether they change the headers, the envelope, or the delivery of a message, whether they apply to incoming or outgoing messages, sender or recipient addresses, etc. If the page were double or triple width, we might have succeeded in really illustrating the differences among the various constructs.
Instead, we give you just a hint in Table 18.10 (next page); you will have to look up the details in the sendmail documentation to get the nuances of the different variations.
Entries in Table 18.10 that are all capital letters are m4 macros. Lowercase entries are the names of features that are invoked with the FEATURE macro. Indented items depend on the items above; for example, a feature that modifies the MASQUERADE_AS behavior does nothing unless MASQUERADE_AS has been turned on. In the table, the feature is indented to indicate this dependency. Masquerading affects the header addresses on outgoing mail and whether a message can be replied to; routing affects the actual delivery of the mail.
Table 18.10 Comparison of masquerading and routing features

Construct                     Dir   Affects(a)   Which piece
Masquerading
MASQUERADE_AS                 out   SH           host.domain
    allmasquerade             out   RH(b)        host.domain
    MASQUERADE_DOMAIN[_FILE]  out   SH           host.domain
    masquerade_entire_domain  out   SH           host.sub.domain
    limited_masquerade        out   SH           host.domain
    masquerade_envelope       out   SE(c)        host.domain
genericstable                 out   SH           user@host.domain
Routing
mailertable                   out   MAD          host.domain
virtusertable                 in    RD           user@host.domain
ldap                          in    RD           user@host.domain
mailhub                       in    RD           local mail
smarthost                     out   RD           remote mail

a. S = sender, R = recipient, D = delivery, H = header, E = envelope, M = mailer, A = address
b. Once recipient rewriting has been enabled with the allmasquerade feature, all other masquerading constructs rewrite not only the sender but also the recipient.
c. Once envelope rewriting has been enabled with the masquerade_envelope feature, all other masquerading constructs rewrite not only the header but the envelope as well.

The nullclient feature
nullclient is used for a host that should never receive mail directly and that sends all its mail to a central server. The .mc file for such a host has only two lines:
OSTYPE(`ostype')
FEATURE(`nullclient', `mail_server')
The nullclient feature overrides many other features. All mail, without exception, is delivered to mail_server for processing.[30] Note that the server must allow the client to relay through it if users regularly originate mail on the client and don't use a separate server for outgoing mail. Recent versions of sendmail have relaying turned off by default. See the spam section (page 588) for details on how to control relaying. A nullclient configuration masquerades as mail_server, so you might want to include an EXPOSED_USER clause for root.
The client that uses the nullclient feature must have an associated MX record that points to the server. It must also be included in the server's cw file, which is usually /etc/mail/local-host-names. These settings let the server accept mail for the client.
A host with a nullclient configuration should not accept incoming mail. If it did, it would just forward the mail to the server anyway. Starting sendmail without the -bd flag so that it doesn't listen for SMTP connections on port 25 is one way to avoid receiving mail. However, some user agents (MUAs) attempt the initial submission of a mail message through port 25 and so are foiled if your sendmail is not listening. A better way to disallow incoming mail is to run sendmail with the -bd flag but to use DAEMON_OPTIONS to listen only on the loopback interface. Either way, leave the -q30m flag on the command line so that if mail_server goes down, the client can queue outgoing mail and try to send it to mail_server later.
nullclient is appropriate for leaf nodes at sites that have a central mail machine. At larger sites, consider the mail load on the hub machine. You may want to separate the incoming and outgoing servers or to adopt a hierarchical approach.
SUSE ships with a sample nullclient mc file in /etc/mail/linux.nullclient.mc. Just fill in the name of your mail_server, run m4 on it to build the sendmail.cf file, and you are done.
30. If you configure a client this way and then test the configuration with sendmail -bt, the client appears to locally deliver local mail. The reason is that the nullclient directive is processed later, in ruleset 5 of the raw config file.
The local_lmtp and smrsh features
By default, the local mailer uses /bin/mail as the local delivery agent for users and files and /bin/sh as the delivery agent for programs. sendmail now provides better alternatives, especially for delivery to programs. Both options are available through the FEATURE macro.
If the local_lmtp feature is specified, then its argument is a local mailer capable of speaking LMTP, the Local Mail Transport Protocol (see RFC 2033). The default for delivery to users is the mail.local program from the sendmail distribution. Likewise, the smrsh feature specifies the path to the program to use for mail delivery to programs. See page 605 for a more detailed discussion of mail.local and smrsh.
The local_procmail feature
You can use Stephen van den Berg's procmail as your local mailer by enabling the local_procmail feature. It takes up to three arguments: the path to the procmail binary, the argument vector to call it with, and flags for the mailer. The default values are OK, but the default path (/usr/local/bin/procmail) conflicts with most distributions' usual procmail location (/usr/bin).
procmail can do fancier things for the user than plain /bin/mail or mail.local can. In addition to delivering mail to users' mailboxes, it can sort messages into folders, save them in files, run programs, and filter spam. Use of the local_procmail feature largely nullifies the security enhancements provided by smrsh (described on page 605). However, if you don't need to restrict the programs your users run (that is, if you trust all your users), procmail can be very handy. procmail is not distributed with sendmail; get it from www.procmail.org if it is not installed by your vendor.
You can use other mail processing programs in conjunction with this feature just by lying to sendmail and saying that you are just showing it the local copy of procmail:
FEATURE(`local_procmail', `/usr/local/bin/mymailer')
If you use procmail, check out /usr/bin/mailstat for some handy procmail statistics (not to be confused with /usr/sbin/mailstats, which shows sendmail statistics). It is installed on all of our example distributions and can be used to summarize procmail log files.
The LOCAL_* macros
If you really need to get your hands dirty and write some exotic new rules to deal with special local situations, you can use a set of macros prefaced by LOCAL_. The section on spam, later in this chapter, has some examples of this low-level construct.
Configuration options
Config file options and macros (the O and D commands in the raw config language) can be set with the define m4 command. A complete list of options accessible as m4 variables and their default values is given in the cf/README file. The default values are OK for most sites.
Some examples:
define(`confTO_QUEUERETURN', `7d')
define(`confTO_QUEUEWARN', `4h')
define(`confPRIVACY_FLAGS', `noexpn')
The queue return option determines how long a message will remain in the mail queue if it cannot be delivered. The queue warn option determines how long a message will sit before the sender is notified that there might be delivery problems. The first two lines set these to 7 days and 4 hours, respectively.
More information about privacy options appears later in this chapter.
The next line sets the privacy flags to disallow the SMTP EXPN (expand address) command. The confPRIVACY_FLAGS option takes a comma-separated list of values. Some versions of m4 require two sets of quotes to protect the commas in a field with multiple entries, but the GNU m4 shipped with Linux is smarter and doesn't require the extra quotes:
define(`confPRIVACY_FLAGS', ``noexpn, novrfy'')
The default values for most options are about right for a typical site that is not too paranoid about security or not too concerned with performance. In particular, the defaults try to protect you from spam by turning off relaying, requiring addresses to be fully qualified, and requiring that addresses resolve to an IP address. If your mail hub machine is very busy and services lots of mailing lists, you may need to tweak some of the performance values.
Table 18.11 lists some options that you might need to adjust (about 15% of the almost 175 configuration options), along with their default values. To save space, the option names are shown without their conf prefix; for example, the FALLBACK_MX option is really named confFALLBACK_MX. We divided the table into subsections that identify the kind of issue the variable addresses: generic, resources, performance, security and spam abatement, and miscellaneous. Some options clearly fit in more than one category, but we listed them only once.
Table 18.11 Basic configuration options

Option name                 Description and (default value)
Generic
COPY_ERRORS_TO              Addresses to Cc on error messages (none)
DOUBLE_BOUNCE_ADDRESS       Catches a lot of spam; some sites use /dev/null, but that can hide serious problems (postmaster)
Resources
MIN_FREE_BLOCKS             Min filesystem space to accept mail (100)
MAX_MESSAGE_SIZE            Max size in bytes of a single message (infinite)
TO_lots_of_stuff            Timeouts for all kinds of things (various)
TO_IDENT                    Timeout for ident queries to check sender's identity; if 0, ident checks are not done (5s)
MAX_DAEMON_CHILDREN         Max number of child processes(a) (no limit)
Performance
MCI_CACHE_SIZE              # of open outgoing TCP connections cached (2)
MCI_CACHE_TIMEOUT           Time to keep cached connections open (5m)
HOST_STATUS_DIRECTORY       See page 614 for description (no default)
FALLBACK_MX                 See page 613 for description (no default)
FAST_SPLIT                  Suppresses MX lookups as recipients are sorted and split across queues; see page 612 (1 = true)
QUEUE_LA                    Load average at which mail should be queued instead of delivered immediately (8 * #CPUs)
REFUSE_LA                   Load avg. at which to refuse mail (12 * #CPUs)
DELAY_LA                    Load avg. to slow down deliveries (0 = no limit)
MIN_QUEUE_AGE               Minimum time jobs must stay in queue; makes a busy machine handle the queue better (0)
Security/spam
TRUSTED_USERS               For mailing list software owners; allows forging of the From line and rebuilding of the aliases database (root, daemon, uucp)
PRIVACY_FLAGS               Limits info given out by SMTP (authwarnings)
INPUT_MAIL_FILTERS          Lists filters for incoming mail (empty)
MAX_MIME_HEADER_LENGTH      Sets max size of MIME headers(b) (no limit)
CONNECTION_RATE_THROTTLE    Slows DOS attacks by limiting the rate at which mail connections are accepted (no limit)
MAX_RCPTS_PER_MESSAGE       Slows spam delivery; defers extra recipients and sends a temporary error msg (infinite)
DONT_BLAME_SENDMAIL         Overrides sendmail's security and file checking; don't change casually! (safe)
AUTH_MECHANISMS             SMTP auth mechanisms for Cyrus SASL(c)
Misc
LDAP_DEFAULT_SPEC           Map spec for LDAP database, including the host and port the server is running on (undefined)

a. More specifically, the maximum number of child processes that can run at once. When the limit is reached, sendmail refuses connections. This option can prevent (or create) denial of service (DOS) attacks.
b. This option can prevent user agent buffer overflows. "256/128" is a good value to use; it means 256 bytes per header and 128 bytes per parameter to that header.
c. The default value is EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5; don't add PLAIN LOGIN unless you want to reduce security.
18.10 SPAM-RELATED FEATURES IN SENDMAIL

Spam is the jargon word for junk mail, also known as unsolicited commercial email. It has become a serious problem, primarily because the senders typically do not pay by the byte but rather pay a flat rate for connectivity. Or if they do pay per byte, they send a single message with many thousands of recipients and relay it through another machine. The other machine pays the big per-byte cost and the spammer pays for only one copy. In many countries, end users pay for bytes received and get pretty angry at having to pay to receive spam.

From the marketing folks' point of view, spam works well. Response rates are high, costs are low, and delivery is instantaneous. A list of 30 million email addresses costs about $40.

Many spammers try to appear innocent by suggesting that you answer their email with a message that says "remove" if you want to be removed from their mailing list. Although they may remove you, you have just verified for them that they have a valid, current email address; this information can land you on other lists. Spammers also like to mess with their mail headers in an attempt to disguise who the mail is from and on which machine it originated.

Folks that sell email addresses to spammers have recently started to use a form of dictionary attack to ferret out unknown addresses. Starting with a list of common last names, the scanning software adds different first initials in hopes of hitting on a valid email address. To check the addresses, the software connects to the mail servers at, say, 50 large ISPs and does a VRFY or RCPT on each of zillions of addresses. This probing has a huge impact on your mail server and its ability to deliver legitimate mail. sendmail can deal with this situation with the PrivacyOptions value goaway (set through the PRIVACY_FLAGS option and covered starting on page 606). But the smarter spam programs are very robust; if VRFY is blocked, they try EXPN, and if both are blocked they try RCPT. They can try millions of addresses that way and never send a single message; they sure keep your mail server busy, though.

sendmail has an option, BAD_RCPT_THROTTLE (confBAD_RCPT_THROTTLE in the .mc file), to foil such behavior. If the number of rejected addresses in a message's envelope exceeds the value of this option, sendmail sleeps for one second after each further rejected RCPT command.

sendmail has added some very nice features to help with spam control and also to help with the occasional mail-borne computer virus. Unfortunately, most ISPs must pass along all mail, so these features may be too draconian for customer policy (or then again, maybe they aren't). However, the features can be used to great effect at the end user's site.

Spam control features come in four flavors:
· Rules that control third-party or promiscuous relaying, which is the use of your mail server by one off-site user to send mail to another off-site user. Spammers often use relaying to mask the true source of their mail and thereby avoid detection by their ISPs. It also lets them use your cycles and save their own. That's the killer.
· The access database, by which mail is filtered by address, rather like a firewall for email.
· Blacklists containing open relays and known spam-friendly sites that sendmail can check against.
· Header checking and input mail filtering by means of a generic mail filtering interface called libmilter. It allows arbitrary scanning of message headers and content and lets you reject messages that match a particular profile.

We describe these new features here and then look at a couple of pieces of spam we received recently to see how we might have tuned our mail system to recognize and reject them automatically.
Relaying

sendmail and other mail transport agents accept incoming mail, look at the envelope addresses, decide where the mail should go, and then pass it along to an appropriate destination. That destination can be local or it can be another transport agent farther along in the delivery chain. When an incoming message has no local recipients, the transport agent that handles it is said to be acting as a relay.

Before sendmail version 8.9, promiscuous relaying (also called open relaying) was on by default. sendmail would accept any message presented to it on port 25 and try its best to make the delivery. It was the neighborly Internet thing to do.

Unfortunately, spammers started to abuse relaying; they exploited it to disguise their identities and, more importantly, to use your bandwidth and cycles instead of their own. It is now considered very bad to configure your mail server as an open relay. Nevertheless, many servers are still configured as open relays.

Only hosts that are tagged with RELAY in the access database (see page 591) or that are listed in /etc/mail/relay-domains are allowed to submit mail for relaying. In the next few years, the proportion of open relays should fall as a result of this change in default behavior, increasing public awareness, and proactive screening based on various black hole lists.

So, promiscuous relaying is bad. At the same time, some types of relaying are useful and legitimate. How can you tell which messages to relay and which to reject? Relaying is actually necessary in only two situations:
· When the transport agent acts as a gateway for hosts that are not reachable any other way; for example, hosts that are not always turned on (dial-up hosts, Windows PCs) and virtual hosts. In this situation, all the recipients for which you want to relay lie within the same domain.
· When the transport agent is the outgoing mail server for other, not-so-smart hosts. In this case, all the senders' hostnames or IP addresses will be local (or at least enumerable).

Any other situation that appears to require relaying is probably just an indication of bad design (with the possible exception of support for mobile users). You can obviate the first use of relaying (above) by designating a centralized server to receive mail (with POP or IMAP used for client access). The second case should always be allowed, but only for your own hosts. You can check IP addresses or hostnames; hostnames are easier to fake, but sendmail verifies that they are not forgeries (it checks that the forward lookup of the claimed name leads back to the connecting IP address).

Although sendmail comes with relaying turned off by default, several features have been added to turn it back on, either fully or in a limited and controlled way. These features are listed below for completeness, but our recommendation is that you be careful about opening things up too much. Most sites do not need any of the really dangerous features in the second bulleted list below. The access_db feature, covered in the next section, is the safest way to allow limited relaying.
· FEATURE(`relay_entire_domain') - allows relaying for just your domain
· RELAY_DOMAIN(`domain, ...') - adds more domains to be relayed
· RELAY_DOMAIN_FILE(`filename') - same, but takes domain list from a file
· FEATURE(`relay_hosts_only') - affects RELAY_DOMAIN, access_db

You will need to make an exception if you use the SMART_HOST or MAIL_HUB designations to route mail through a particular mail server machine. That server will have to be set up to relay mail from local hosts. Configure it with

    FEATURE(`relay_entire_domain')

Sites that do virtual hosting may also need RELAY_DOMAIN to allow relaying for their virtual names, although

    FEATURE(`use_cw_file')

effectively opens relays for those domains or hosts.

The few other possibilities are fraught with problems:
· FEATURE(`promiscuous_relay') - allows all relaying; don't use
· FEATURE(`relay_based_on_MX') - relays for anyone that MXes to you
· FEATURE(`loose_relay_check') - allows "percent hack" addressing
· FEATURE(`relay_local_from') - bases relays on the From address
The promiscuous_relay feature relays from any site to any other site. Using it is a one-way ticket to the black hole lists. Do not use this feature on a machine reachable through the public Internet.

The relay_based_on_MX feature is bad because you do not control what sites are allowed to point their MX records at you. Typically, the only hosts that have an MX record pointing to your mail server are your own, but nothing prevents other sites from changing their MX records to point to you. Spammers usually cannot change MX records, but shady sites certainly could.

The loose_relay_check feature allows the "% hack" form of addressing (see page 535) that spammers love to use.

The relay_local_from feature trusts the sender address on the envelope of the message and relays messages that appear to be from a local address. Of course, both the envelope and the headers of mail messages are trivial to forge, and spammers are forgery experts.

If you consider turning on relaying in some form, consult the sendmail documentation in cf/README to be sure you don't inadvertently become a friend of spammers. When you are done, have one of the relay checking sites verify that you did not inadvertently create an open relay; try spam.abuse.net.

There are mismatched configurations in which your host might be convinced to relay weird addresses that misuse the UUCP addressing syntax. Just to be sure, if you have no UUCP connectivity, you can use

    FEATURE(`nouucp', `reject')

to forestall this possibility. Current sendmail does not default to supporting any of the ancient networking technologies such as UUCP, BITNET, or DECnet.

Another common relay is the LUSER_RELAY for local users who do not exist. The default behavior corresponds to

    define(`LUSER_RELAY', `error:No such user')

A site with sendmail misconfigured sometimes leaks unqualified local user names to the Internet (usually on the Cc line). Someone who replies to the mail addresses the response to an apparently local user who does not exist. This relay is often called the "loser relay" and is directed to the error mailer.

You need not change this configuration unless you want to return a different message or implement some kind of special treatment. Some sites redirect "loser" mail to a person or program that does fuzzy matching in case the sender made a typo or just has the login name slightly wrong.
The access database

sendmail includes support for an access database that you can use to build a mail-specific firewall for your site. The access database checks mail coming in from the outside world and rejects it if it comes from specific users or domains. You can also use the access database to specify which domains a machine is willing to relay for.

The access database is enabled with the line

    FEATURE(`access_db', `type filename')

where type and filename are placeholders. If type and filename are not specified, the database defaults to type hash (if DB databases are used; this depends on the DATABASE_MAP_TYPE setting) built from the file /etc/mail/access. DBM databases don't use the type field. As always, create the database with makemap:

    # makemap hash /etc/mail/access < /etc/mail/access

The key field of the access file can contain email addresses, user names, domain names, or network numbers. For example:

    cyberspammer.com          550 Spam not accepted
    okguy@cyberspammer.com    OK
    badguy@aol.com            REJECT
    sendmail.org              RELAY
    128.32                    RELAY
    170.201.180.16            REJECT
    hotlivesex@               550 Spam not accepted
    friend@                   550 You are not my friend!

The value part must contain one of the items shown in Table 18.12. The value RELAY is the most permissive; it simply accepts the message and forwards it to its final destination. OK accepts the message but will not allow relaying. REJECT will not accept the message at all. SKIP allows you to make exceptions. For example, if you want to relay mail for all hosts except two in a certain domain, you could list the two hosts with the SKIP action and then list the domain with the RELAY action. The order of the lines does not matter; sendmail tries the most specific key first.
Table 18.12 Things that can appear in the value field of the access database

Value                  What it does
OK                     Accepts mail and delivers it normally
RELAY                  Accepts the mail as addressed and relays it to its destination;
                       enables per-host relaying
SKIP                   Allows for exceptions to more general rules
REJECT                 Rejects the mail with a generic error message
DISCARD                Silently discards the message
FRIEND                 For spam; used by the delay_checks feature; if matched, skips
                       other header checks
HATER                  For spam; used by the delay_checks feature; if matched, applies
                       other header checks
xxx message            Returns an error; xxx must be an RFC821 numeric code (a)
ERROR:xxx message      Same as above, but clearly marked as an error message
ERROR:x.x.x message    x.x.x must be an RFC1893-compliant delivery status notification
                       (a generalization of the 550 error code)

a. For example, 550 is a permanent-failure code.
The database file above would allow messages from okguy@cyberspammer.com but would reject all other mail from cyberspammer.com with the indicated error message. Mail from either sendmail.org or 128.32.0.0/16 (UC Berkeley's network) would be relayed. Mail from badguy@aol.com, from the host 170.201.180.16, and from hotlivesex or friend at any domain would also be rejected.

IPv6 addresses in their colon-separated form can be used on the left hand side as well, but they must be prefaced with "IPv6:". The @ after the usernames hotlivesex and friend is required; it differentiates usernames from domain names.

550 is an RFC821 error code. The RFC1893 error codes (or "delivery status notification messages," as they are called) are more extensive. First digit 4 signifies a temporary error; 5 means a permanent error. We've listed a few in Table 18.13.

For even finer control, the key field (left side) can contain the tags Connect:, To:, From:, and in 8.12 and later, Spam: to control the way in which the filter is applied. Connect: refers to connection information such as client IP address or client hostname. To: and From: refer to the envelope addresses, not the headers. The Spam: tag allows exceptions to global rules through the "spam friend" and "spam hater" tests. It is enabled with the delay_checks feature:

    FEATURE(`delay_checks', `friend')
    FEATURE(`delay_checks', `hater')

The first feature skips other rulesets that might reject the message if there is a matching entry in the access_db with FRIEND as the right hand side of the mapping. The second applies the other rulesets only if the access_db value is HATER. These four tags give you finer control over relaying and rejection of mail; they override other restrictions as well. Individual users who complain about your site-wide spam policy can be accommodated with the Spam: FRIEND or HATER tags.

If one of these tags is used, the lookup is tried first with the tag info and then without, to maintain backward compatibility with older access databases.
Table 18.13 RFC1893 delivery status codes

Temporary   Permanent   Meaning
4.2.1       5.2.1       Mailbox is disabled
4.2.2       5.2.2       Mailbox is full
4.2.3       5.2.3       Message is too long
4.2.4       5.2.4       List expansion problem
4.3.1       5.3.1       Mail system is full
4.4.4       5.4.4       Unable to route
4.4.5       5.4.5       Mail congestion
4.7.*       5.7.*       Site policy violation
Here are some examples:

    From:spammer@some.domain    REJECT
    To:good.domain              RELAY
    Connect:good.domain         OK
    Spam:abuse@                 FRIEND

Mail from spammer@some.domain would be blocked, but you could still send mail to that address, even if it was blacklisted. Mail would be relayed to good.domain, but not from it (assuming that relaying has been disabled elsewhere). Connections from good.domain would be allowed even if the domain was in one of the DNS-based rejection lists. Mail to abuse@localdomain would get through, even from spammer@some.domain, whose email would have been rejected by the first access database line.
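The two access files above (the untagged one and the tagged one) are easier to reason about when the lookup order is spelled out. The following Python is an added example written for this page; it is not sendmail's code and it simplifies the real rulesets (IPv6 keys and the interaction of delay_checks with check_rcpt are not modelled). The access entries are the ones from the text; localdomain is assumed to be the only domain delivered locally, and the client addresses used in the usage lines are constructed.

```python
"""Added example (not sendmail's own code): a model of the access_db lookup
and of the envelope decisions it drives. The matching order is simplified and
IPv6 keys (the "IPv6:" form) are not modelled."""
import ipaddress

LOCAL_DOMAINS = {"localdomain"}   # assumed: domains this host delivers locally

# Constructed access file: the two example files from the text, combined.
ACCESS_DB = {
    "cyberspammer.com":         "550 Spam not accepted",
    "okguy@cyberspammer.com":   "OK",
    "badguy@aol.com":           "REJECT",
    "sendmail.org":             "RELAY",
    "128.32":                   "RELAY",
    "170.201.180.16":           "REJECT",
    "hotlivesex@":              "550 Spam not accepted",
    "friend@":                  "550 You are not my friend!",
    "From:spammer@some.domain": "REJECT",
    "To:good.domain":           "RELAY",
    "Connect:good.domain":      "OK",
    "Spam:abuse@":              "FRIEND",
}


def candidate_keys(value):
    """Keys tried for one address, host name or IPv4 address, most specific
    first: user@host, then user@, then the host with leading labels removed
    (or the IPv4 address with trailing octets removed: 128.32.1.2 -> 128.32)."""
    keys = []
    if "@" in value:
        user, _, value = value.partition("@")
        keys += [user + "@" + value, user + "@"]
    try:
        parts = str(ipaddress.IPv4Address(value)).split(".")
        is_ip = True
    except ipaddress.AddressValueError:
        parts = value.lower().split(".")
        is_ip = False
    while parts:
        keys.append(".".join(parts))
        if is_ip:
            parts.pop()       # drop octets from the right
        else:
            parts.pop(0)      # drop labels from the left
    return keys


def lookup(db, value, tag=None):
    """Value of the most specific matching key, or None if nothing matches.
    With a tag (Connect, From, To, Spam) each candidate is tried tagged first
    and then untagged, which is what keeps old untagged databases working.
    SKIP stops the search without a verdict, so the default policy applies."""
    for key in candidate_keys(value):
        for full in ((tag + ":" + key, key) if tag else (key,)):
            verdict = db.get(full)
            if verdict is not None:
                return None if verdict == "SKIP" else verdict
    return None


def is_rejection(verdict):
    """REJECT, DISCARD, "nnn text" and "ERROR:..." values all refuse the mail."""
    return (verdict in ("REJECT", "DISCARD") or verdict[:1].isdigit()
            or verdict.startswith("ERROR:"))


def decide(db, client, mail_from, rcpt_to, local_domains=LOCAL_DOMAINS):
    """Model of the checks applied to one envelope recipient with
    FEATURE(`access_db') and FEATURE(`delay_checks', `friend') enabled.
    Returns (action, detail); action is "accept", "relay" or "reject"."""
    if lookup(db, rcpt_to, "Spam") == "FRIEND":
        return ("accept", "spam friend: other checks skipped")
    relay_ok = False
    for tag, value in (("Connect", client), ("From", mail_from), ("To", rcpt_to)):
        verdict = lookup(db, value, tag)
        if verdict is None:
            continue
        if is_rejection(verdict):
            return ("reject", verdict)
        relay_ok = relay_ok or verdict == "RELAY"
    if rcpt_to.rpartition("@")[2].lower() in local_domains:
        return ("accept", "local recipient")
    if relay_ok:
        return ("relay", "RELAY entry matched")
    return ("reject", "550 Relaying denied")


if __name__ == "__main__":
    for case in [("10.0.0.5", "okguy@cyberspammer.com", "alice@localdomain"),
                 ("10.0.0.5", "other@cyberspammer.com", "alice@localdomain"),
                 ("128.32.10.4", "someone@elsewhere.example", "bob@other.example"),
                 ("10.0.0.5", "spammer@some.domain", "abuse@localdomain")]:
        print(case, "->", decide(ACCESS_DB, *case))
```

The point to take from the model is the precedence: a more specific key (okguy@cyberspammer.com) beats a less specific one (cyberspammer.com) regardless of file order, a tagged key beats its untagged twin, and a Spam: FRIEND recipient bypasses the sender and connection checks entirely, so give FRIEND entries out sparingly.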
Many sites use an access database to control spam or policy. The incoming master mail machine in the computer science department at the University of Colorado uses the access_db feature to reject mail from over 500 known spammers identified by addresses, domains, or IP networks.

User or site blacklisting

If you have local users or hosts to which you want to block mail, use

    FEATURE(`blacklist_recipients')

which supports the following types of entries in your access file:

    To:nobody@                    550 Mailbox disabled for this user
    To:printer.mydomain.edu       550 This host does not accept mail
    To:user@host.mydomain.edu     550 Mailbox disabled for this user

These lines block incoming mail to user nobody on any host, to host printer, and to a particular user's address on one machine. The use of the To: tag lets these users send messages, just not receive them; some printers have that capability.

Unfortunately, it's virtually impossible these days to manually maintain a blacklist like this. Fortunately, several community-maintained black hole lists are accessible through DNS, and some of these are provided at no charge.

To include a DNS-style black hole list, use the dnsbl feature:

    FEATURE(`dnsbl', `sbl-xbl.spamhaus.org')

This feature makes sendmail reject mail from any site whose IP address is in the Spamhaus Block List of known spammers maintained at sbl-xbl.spamhaus.org. Other lists catalog sites that run open relays and known blocks of dial-up addresses that are likely to be a haven for spammers.

These blacklists are distributed through a clever tweak of the DNS system; hence the name dnsbl. For example, a special DNS resource record of the form

    IP-address.sbl-xbl.spamhaus.org    IN A    127.0.0.2

put into the DNS database of the sbl-xbl.spamhaus.org domain would block mail from that host if the dnsbl feature was enabled (because sendmail would check explicitly to see if such a record existed). The IP-address in this example is a host address in its dotted quad form with the order of the octets reversed.

You can include the dnsbl feature several times to check different lists of abusers: the second argument names the list's DNS zone, and an optional third argument gives the error message that you would like returned. If the third argument is omitted, sendmail returns its standard error message, which names the list that rejected the address.
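The octet reversal described above is the whole of the DNSBL "tweak", and it is worth seeing the query name built and the answer checked. The following Python is an added example for this page, not sendmail's code. The resolver is replaced by a constructed table so the example runs offline; the entries attributed to sbl-xbl.spamhaus.org are made up for the demonstration, and list.example is entirely hypothetical.

```python
"""Added example (not sendmail's own code): how FEATURE(`dnsbl') turns a
client address into a DNS query name, and how to read the answer. DNS is
replaced by a constructed table so the example runs offline."""
import ipaddress

# Constructed stand-in for the A records a resolver would return.
FAKE_DNS = {
    "2.0.0.127.sbl-xbl.spamhaus.org":  "127.0.0.2",    # 127.0.0.2 is the usual test address
    "10.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.2",    # 192.0.2.10 listed (constructed)
    "20.2.0.192.list.example":         "127.0.0.4",    # 192.0.2.20 listed (constructed)
    "5.2.0.192.list.example":          "203.0.113.9",  # bogus answer outside 127/8
}

# (zone, error message) pairs, one per FEATURE(`dnsbl', ...) line.
LISTS = [
    ("sbl-xbl.spamhaus.org", "550 {addr} is listed at sbl-xbl.spamhaus.org"),
    ("list.example",         "550 {addr} is listed at list.example"),
]


def dnsbl_name(addr, zone):
    """Reverse the octets of an IPv4 address (or the nibbles of an IPv6
    address) and append the list's zone: 192.0.2.10 checked against
    sbl-xbl.spamhaus.org becomes 10.2.0.192.sbl-xbl.spamhaus.org."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(labels) + "." + zone.rstrip(".")


def check(addr, lists=LISTS, resolve=FAKE_DNS.get):
    """Query each list in order; return (zone, answer, message) for the first
    listing, or None. Only an A record inside 127.0.0.0/8 counts as a listing:
    any other answer is treated as a broken or wildcarded list and ignored, a
    safeguard that sendmail's plain dnsbl feature leaves to its enhdnsbl variant."""
    for zone, message in lists:
        answer = resolve(dnsbl_name(addr, zone))
        if answer is None:
            continue
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            return zone, answer, message.format(addr=addr)
    return None


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.5", "192.0.2.30"):
        print(addr, dnsbl_name(addr, "sbl-xbl.spamhaus.org"), "->", check(addr))
```

The 127/8 check matters operationally: lists that shut down have been known to start answering every query, which with an unconditional "any A record means listed" rule rejects all of your incoming mail.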
Header checking

Spammers often try to hide their identities. Since sendmail 8.9, if the envelope From address is not of the form user@valid.domain, mail is rejected. You can waive this behavior with the following features:

    FEATURE(`accept_unresolvable_domains')
    FEATURE(`accept_unqualified_senders')

With the first feature, sendmail accepts mail from domains that do not exist or do not resolve in the DNS naming tree. With the second, sendmail accepts From addresses that contain only a user name with no host or domain portion. Don't use either of these features unless you are behind a firewall and have only local DNS data available there. If you find yourself wanting to turn these features on, you should probably think about redesigning your sendmail and DNS environments instead. Requiring a valid envelope sender address reduces spam significantly.

Detailed header checking is a powerful spam-fighting mechanism that makes use of the low-level sendmail configuration file syntax, which we do not cover here. By using header checking, sendmail can look for specified patterns in headers (e.g., "To: friend@public.com") and reject messages before they are delivered to your users' mailboxes.

Header checking can also recognize viruses carried by email if they have a distinctive header line. For example, the Melissa virus of 1999 contained the subject line "Important Message From ...". Within hours of the Melissa virus being released and recognized, sendmail.com posted a local ruleset to identify it and discard it.

When the fingerprint of a virus is distinctive and easy to express in sendmail rules, sendmail.com will quickly post a fix for it at both sendmail.com and sendmail.org. For a representative sample of filtering rules for spam and viruses, see the sendmail configuration for Eric Allman's home machine, knecht. This configuration is included in the sendmail distribution as cf/cf/knecht.mc. Steal the spam-filtering rules and add them to the end of your .mc file.

In looking at various examples, we have seen header checking rules for
· Mail addressed to any user in the domain public.com
· Mail addressed to "friend" or "you"
· Mail with the X-Spanska header, which indicates the Happy99 worm
· Mail with subject "Important Message From ..." (the Melissa virus)
· Mail with subject "all.net and Fred Cohen ..." (the Papa virus)
· Mail with subject "ILOVEYOU" (the iloveyou virus and variants)
· Zillions of marketing hype spam messages
· Mail with a broken Outlook Express header (the SirCam worm)

All the header checking rules go under LOCAL_CONFIG and LOCAL_RULESETS statements at the end of the .mc configuration file. With the help of m4's divert command, sendmail just knows where to put them in the raw config file.
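The rules in the list above are simple enough to express in any language, and doing so outside of sendmail's ruleset syntax shows one detail a raw pattern match misses: header values can arrive as RFC 2047 encoded words, so they must be decoded before matching. The following Python is an added example for this page, not sendmail's rules or the knecht.mc configuration; the sample messages are constructed and the SMTP replies are chosen here.

```python
"""Added example (not sendmail's ruleset syntax): header checks of the kinds
listed above, applied to constructed messages with Python's email parser.
Values are RFC 2047-decoded first so an encoded Subject cannot slip past a
pattern that a raw byte match would miss."""
import re
from email import message_from_string
from email.header import decode_header, make_header

# Each rule: (header name, pattern, SMTP reply). The replies use a
# "user unknown" style error rather than a silent discard, as the text advises.
RULES = [
    ("To",        re.compile(r"@public\.com\b", re.I),           "550 User unknown"),
    ("To",        re.compile(r"^\s*(friend|you)\b", re.I),        "550 User unknown"),
    ("X-Spanska", re.compile(r".*"),                               "550 Happy99 worm signature"),
    ("Subject",   re.compile(r"^Important Message From ", re.I),  "550 Melissa virus signature"),
    ("Subject",   re.compile(r"^all\.net and Fred Cohen", re.I),  "550 Papa virus signature"),
    ("Subject",   re.compile(r"^ILOVEYOU", re.I),                 "550 ILOVEYOU virus signature"),
]


def header_values(msg, name):
    """All values of header `name`, decoded from RFC 2047 encoded words."""
    return [str(make_header(decode_header(v))) for v in msg.get_all(name, [])]


def check_headers(raw, rules=RULES):
    """Return the SMTP reply for the first rule that matches, or None."""
    msg = message_from_string(raw)
    for name, pattern, reply in rules:
        for value in header_values(msg, name):
            if pattern.search(value):
                return reply
    return None


# Constructed sample messages (headers only; bodies are irrelevant here).
SAMPLES = {
    "melissa": "From: a@example.com\nTo: b@example.net\n"
               "Subject: Important Message From Alice\n\nbody\n",
    "encoded": "To: b@example.net\n"
               "Subject: =?iso-8859-1?q?Important_Message_From_Alice?=\n\n",
    "happy99": "To: b@example.net\nX-Spanska: Yes\nSubject: hi\n\n",
    "public":  "To: friend@public.com\nSubject: hello\n\n",
    "clean":   "From: a@example.com\nTo: b@example.net\nSubject: lunch?\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", check_headers(raw))
```

The "encoded" sample is the case to remember: its Subject line never contains the literal words "Important Message From", yet after decoding it matches the Melissa rule. Header patterns written against the raw wire form are trivially bypassed by encoding the header.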
To some degree, any spam abatement that you implement blocks some spammers but raises the bar for the remaining ones. Use the error mailer with a "user unknown" error message instead of the discard mailer, because many spammers clean up their lists. Clean lists are more valuable, so you might get removed from some if you can intercept the spam, filter it, and respond with an error message.
Rate and connection limits

sendmail 8.13 added a ratecontrol feature that sets per-host or per-net limits on the rate at which incoming connections are accepted. This restriction can be particularly useful for slowing down spam from sources that can't be completely blocked without causing problems, such as large ISPs that have a high percentage of dial-up users. To enable rate controls, put a line like this one in the .mc file:

    FEATURE(`ratecontrol', `nodelay', `terminate')

In addition, you must also list the hosts or nets to be controlled and their restriction thresholds in your /etc/mail/access file. For example, the lines

    ClientRate:192.168.6.17    2
    ClientRate:170.65.3.4      10

limit the hosts 192.168.6.17 and 170.65.3.4 to two new connections per minute and ten new connections per minute, respectively.

The conncontrol feature places similar restrictions on the number of simultaneous connections. You enable this feature in the .mc file with the following line:

    FEATURE(`conncontrol', `nodelay', `terminate')

As with ratecontrol, you specify which hosts and nets to limit in /etc/mail/access:

    ClientConn:192.168.2.8     2
    ClientConn:175.14.4.1      7
    ClientConn:                10

This configuration results in limits of two simultaneous connections for 192.168.2.8, seven simultaneous connections for 175.14.4.1, and ten simultaneous connections for all other hosts.
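The difference between the two limits (a sliding one-minute window of connection starts versus a count of connections open right now) is easiest to see by replaying a connection log against both. The following Python is an added example for this page and not sendmail's implementation; it uses the ClientRate and ClientConn entries from the text, and the connection log it replays is constructed.

```python
"""Added example (not sendmail's own code): ClientRate and ClientConn limits,
as the ratecontrol and conncontrol features apply them, replayed against a
constructed list of connection attempts. Rejected attempts are terminated at
once (the `terminate' argument) and, in this model, do not count toward
either limit."""
from collections import defaultdict, deque

# Limits as they would be written in /etc/mail/access. "" is the catch-all
# entry (the "ClientConn:  10" line in the text).
CLIENT_RATE = {"192.168.6.17": 2, "170.65.3.4": 10}        # new connections per minute
CLIENT_CONN = {"192.168.2.8": 2, "175.14.4.1": 7, "": 10}  # simultaneous connections


def limit_for(table, addr):
    """Most specific entry wins: the full address, then shorter prefixes
    (192.168.6, 192.168, 192), then the catch-all; None means no limit."""
    octets = addr.split(".")
    while octets:
        key = ".".join(octets)
        if key in table:
            return table[key]
        octets.pop()
    return table.get("")


class Limiter:
    """Per-client bookkeeping: start times of recent accepted connections
    (sliding 60 second window) and the number currently open."""

    def __init__(self, rate=CLIENT_RATE, conn=CLIENT_CONN):
        self.rate, self.conn = rate, conn
        self.starts = defaultdict(deque)
        self.open = defaultdict(int)

    def connect(self, addr, now):
        """Decide on a new connection from addr at time now (seconds).
        Returns (accepted, reason)."""
        rate = limit_for(self.rate, addr)
        if rate is not None:
            recent = self.starts[addr]
            while recent and now - recent[0] >= 60:
                recent.popleft()          # forget starts older than a minute
            if len(recent) >= rate:
                return False, "ClientRate %d/min exceeded" % rate
        conn = limit_for(self.conn, addr)
        if conn is not None and self.open[addr] >= conn:
            return False, "ClientConn %d exceeded" % conn
        self.starts[addr].append(now)
        self.open[addr] += 1
        return True, "accepted"

    def disconnect(self, addr):
        """The client (or sendmail) closed an accepted connection."""
        self.open[addr] -= 1


# Constructed event log: (seconds, client address, event).
LOG = [
    (0,   "192.168.6.17", "connect"),
    (5,   "192.168.6.17", "connect"),
    (10,  "192.168.6.17", "connect"),     # third start within a minute
    (70,  "192.168.6.17", "connect"),     # window has slid past the first two
    (100, "192.168.2.8",  "connect"),
    (101, "192.168.2.8",  "connect"),
    (102, "192.168.2.8",  "connect"),     # third simultaneous connection
    (103, "192.168.2.8",  "disconnect"),
    (104, "192.168.2.8",  "connect"),     # a slot is free again
]


def replay(log, limiter=None):
    """Run the log through a Limiter; return the decision for each connect."""
    limiter = limiter or Limiter()
    decisions = []
    for now, addr, event in log:
        if event == "connect":
            decisions.append((now, addr) + limiter.connect(addr, now))
        else:
            limiter.disconnect(addr)
    return decisions


if __name__ == "__main__":
    for decision in replay(LOG):
        print(decision)
```

Note that 192.168.2.8 has no ClientRate entry, so it can open connections as fast as it likes as long as it keeps at most two open; conversely 192.168.6.17 falls under the catch-all ClientConn of ten but is still held to two new connections per minute. The two features address different abuse patterns and are usually deployed together.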
Slamming

Another nifty feature introduced in 8.13 is greet_pause. When a remote MTA connects to your sendmail server, the SMTP protocol mandates that it wait for your server's welcome greeting before speaking. However, it's common for spam mailers (and worms/viruses) to blurt out an EHLO/HELO command immediately. This behavior is partially explainable as poor implementation of the SMTP protocol in spam-sending tools, but it may also be a feature that aims to save time on the spammer's behalf. Whatever the true cause, this behavior is suspicious and is known as "slamming."

The greet_pause feature makes sendmail wait for a specified period of time at the beginning of the connection before greeting its newfound friend. If the remote MTA does not wait to be properly greeted and proceeds with an EHLO or HELO command during the planned awkward moment, sendmail logs an error and refuses subsequent commands from the remote MTA.

You can enable greet pause with this entry in the .mc file:

    FEATURE(`greet_pause', `700')

This line causes a 700 millisecond delay at the beginning of every new connection. It is possible to set per-host or per-net delays similar to conncontrol and ratecontrol (with GreetPause: entries in the access file), but most sites use a blanket value for this feature.
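The check itself is small: the server has to notice input arriving before it has said anything. The following Python is an added example for this page, not sendmail's implementation; it models the greeting exchange over a socketpair, with a polite client and a slamming client, so it runs offline. The 554 reply text, the host names and the 0.3 second pause are chosen here.

```python
"""Added example (not sendmail's own code): a minimal SMTP greeting that
enforces greet_pause, exercised by a polite client and a "slamming" client
over a socketpair so it runs offline."""
import select
import socket
import threading


def greet(conn, pause=0.3, banner=b"220 mail.example ESMTP\r\n"):
    """Wait `pause` seconds before sending the banner. If the client talks
    first (slamming), answer 554 and report the rejection; otherwise send the
    banner, read the client's first command and acknowledge it.
    Returns (accepted, first_command)."""
    ready, _, _ = select.select([conn], [], [], pause)
    if ready:
        early = conn.recv(1024)          # the premature EHLO/HELO
        conn.sendall(b"554 mail.example ESMTP not accepting messages\r\n")
        return False, early.strip()
    conn.sendall(banner)
    first = conn.recv(1024)
    conn.sendall(b"250 mail.example\r\n")
    return True, first.strip()


def run_client(conn, slam):
    """Polite clients wait for the 220 banner; slammers send EHLO at once."""
    if not slam:
        conn.recv(1024)                   # the banner
    conn.sendall(b"EHLO client.example\r\n")
    reply = conn.recv(1024)
    conn.close()
    return reply


def simulate(slam, pause=0.3):
    """Run one session; return (accepted, first_command, reply_code)."""
    server, client = socket.socketpair()
    outcome = {}

    def serve():
        outcome["verdict"] = greet(server, pause)
        server.close()

    thread = threading.Thread(target=serve)
    thread.start()
    reply = run_client(client, slam)
    thread.join()
    accepted, first = outcome["verdict"]
    return accepted, first, reply[:3]


if __name__ == "__main__":
    print("polite :", simulate(slam=False))
    print("slammer:", simulate(slam=True))
```

A real deployment adds the per-connection logging the text mentions and, as with ratecontrol, exempts your own submission clients; a legitimate but badly written MTA that slams will otherwise see every message to you fail with a 554.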
Miltering: mail filtering

sendmail version 8.12 introduced a generalization of header filtering that could develop into a most effective spam-fighting tool. It is a mail filtering API (application programming interface) that folks can use to develop their own mail filtering programs. These filtering programs sit between sendmail and incoming messages and can recognize the profile of a virus or spam message and discard or log it (or take whatever other action you feel is appropriate). Both metadata and message content can be targeted.

Miltering is potentially a powerful tool both for fighting spam and for violating users' privacy. Managers who want to know exactly what information is leaving the company by email may be early adopters. Miltering for outgoing mail is not available in 8.12, but it is on the to-do list.

The miltering library is called libmilter. sendmail invokes input filtering with the INPUT_MAIL_FILTER or MAIL_FILTER configuration directives and controls the information handed to the filters with options named confMILTER_MACROS_*, which select the sendmail macros passed to the filters at each stage of the SMTP conversation.

For example, the line

    INPUT_MAIL_FILTER(`filtername', `S=local:/var/run/filtername.socket')

passes each incoming message to the filter named filtername, a separately running program that listens on the socket given in the second argument (S=local: or S=unix: for a UNIX-domain socket, S=inet:port@host for a TCP socket). The filter must be started before sendmail tries to connect to it; what happens when it is unavailable is governed by the F= flag in the same argument (F=T to temporarily fail the connection, F=R to reject it, or no flag to continue without the filter).

For more information, see libmilter/README or the HTML documentation in the libmilter/docs directory of the sendmail distribution. The README file gives an overview and simple example of a filter that logs messages to a file. The files in the docs directory describe the library interface and tell how to use the various calls to build your own mail filtering programs.
Spam handling

Fighting spam can be a difficult and frustrating job. Past a certain point, it's also quite futile. Don't be seduced into chasing down individual spammers, even though lots will get through your anti-spam shields. Time spent analyzing spam headers and fretting about spammers is wasted time. Yes, it's fighting the good fight, but time spent on these issues will probably not reduce the amount of spam coming into your site.

You can nail stationary spammers pretty quickly by ratting them out to their ISP, but hit-and-run spammers that use an ISP account once and then abandon it are hard to hold accountable. If they advertise a web site, then the web site is responsible; if it's a telephone number or postal address, it's harder to identify the perpetrator, but not impossible. Mobile spammers seem to be essentially immune from punishment.

The various black hole lists have been somewhat effective at blocking spam and have dramatically reduced the number of open relays. Being blacklisted can seriously impact business, so some ISPs and companies are careful to police their users.

Our main recommendation regarding spam is that you use the preventive measures and publicly maintained blacklists that are available. Another possibility is to redirect your incoming email to an outsourced spam fighting company such as Postini (www.postini.com). However, this option may entail some compromises in performance, privacy, or reliability.

Advise your users to simply delete the spam they receive. Many spam messages contain instructions on how recipients can be removed from the mailing list. If you follow those instructions, the spammers may remove you from the current list, but they immediately add you to several other lists with the annotation "reaches a real human who reads the message." Your email address is then worth even more.

If you'd like to take a seat on the spam-fighting bandwagon, some web sites can help. One good site is www.abuse.net. Two others of note are spamcop.net and cauce.org. SpamCop has tools that help parse mail headers and determine the real sender. The cauce.org site has good information on spam laws. In the United States you may be able to get the Federal Trade Commission to help. Visit them at www.ftc.gov/spam.
SpamAssassin

SpamAssassin is a filter (which can be invoked through a sendmail milter) that is very effective at identifying spam. It uses a point system for evaluating a message's sins. It catches essentially all the real spam and rarely has false positives. If a message accumulates too many points (configurable on both a site-wide and per-user basis), SpamAssassin tags the message. You can then refile suspicious messages in a spam folder, either by running a server-side filter such as Cyrus's sieve or by configuring your user agent. You can even teach SpamAssassin about good and bad messages. Be sure to scrutinize all the spam carefully as you are setting up SpamAssassin and tuning its parameters. Check it out at spamassassin.apache.org.
SPF and Sender ID

The best way to fight spam is to stop it at its source. This sounds simple and easy, but in reality it's almost an impossible challenge. The structure of the Internet makes it difficult to track the real source of a message and verify its authenticity. The community needs a sure-fire way to verify that the entity sending an email is really who or what it claims to be.

Many proposals have addressed this problem, but SPF and Sender ID have achieved the most traction. SPF, or Sender Policy Framework, is now published by the IETF as RFC 4408. It defines a set of DNS TXT records (see page 403) by which an organization can identify its "official" outbound mail relays. MTAs can then refuse any email from that organization's domain if the email does not originate from these official sources. Of course, this only works well if the majority of organizations publish SPF records. Note that SPF compares the envelope sender's domain with the connecting IP address, so mail forwarded by a third party fails the check unless the forwarder rewrites the envelope sender. Several milters available for download implement this functionality in sendmail.

Sender ID and SPF are virtually identical in form and function. However, key parts of Sender ID are patented by Microsoft, and hence it has been the subject of much controversy. As of this writing, Microsoft is still trying to strong-arm the industry into adopting its proprietary standards.
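The SPF evaluation the milters perform is worth seeing in the small, because its outcome depends on record syntax details (qualifiers, include, the final all) that are easy to get wrong when publishing a record. The following Python is an added example for this page, not the code of any SPF milter and not a complete RFC 4408 checker: it handles the ip4, ip6, include and all mechanisms with the +, -, ~ and ? qualifiers, skips the mechanisms that need live DNS (a, mx, ptr, exists), and replaces TXT lookups with a constructed table for example.com and the hypothetical _spf.relay.example.

```python
"""Added example (not an SPF milter's code): evaluating an SPF record against
the connecting IP address. Handles ip4, ip6, include and all with the
+/-/~/? qualifiers; mechanisms that need DNS (a, mx, ptr, exists) are skipped.
TXT lookups are replaced by a constructed table so the example runs offline."""
import ipaddress

# Constructed TXT answers. Real code would query the sender domain's TXT records.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": None,
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                        # the default qualifier is +
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_host(ip, domain, txt=FAKE_TXT.get, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for the
    envelope sender domain and the client IP address."""
    if depth > 10:                             # RFC 4408 caps DNS-causing terms at 10
        return "permerror"
    record = txt(domain.lower())
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, mechanism, argument in parse(record):
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(argument, strict=False)
            matched = addr.version == net.version and addr in net
        elif mechanism == "include":
            # include matches only if the referenced record yields "pass";
            # its fail or softfail does not end the evaluation here.
            matched = check_host(ip, argument, txt, depth + 1) == "pass"
        else:
            continue                           # a, mx, ptr, exists: not modelled
        if matched:
            return RESULT[qualifier]
    return "neutral"                           # nothing matched, no explicit all


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "198.51.100.11", "2001:db8:1::9", "203.0.113.5"):
        print(ip, "example.com ->", check_host(ip, "example.com"))
```

The 198.51.100.11 case is the one that surprises people: the included record softfails it, but a softfail inside include is not a match, so evaluation falls through to example.com's own -all and the result is a hard fail.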
18.11 CUNII6ukA1IUN IIL£ CAS£ S1u0¥
As a case study of how sendmail is configured in the real world, this section reviews the config files for a small but sendmail-savvy company, Sendmail, Inc. Their mail design includes a master mail hub machine for both incoming mail and outgoing mail. All incoming mail is accepted and immediately routed to a set of internal IMAP servers that check each message for viruses before delivering it to a user's mailbox. The mail hub machine also checks each outgoing message for viruses so that Sendmail, Inc. is never responsible for spreading viruses by email. We look at the clients' configuration first, then inspect the more complicated master machines.
In the examples, we have modified the originals slightly, leaving out the copyright notices, adding occasional comments, and removing the m4 dnl directive at the ends of lines. If you use any of these examples as a model for your .mc file, be sure to remove the comments from the ends of lines.
Client machines at sendmail.com
The smi-client.mc file for client machines is quite simple. It uses the master machine smtp.sendmail.com, which is really just another name for foon.sendmail.com. Using
an MX record (or a CNAME[31]) to point to the mail server is a good idea; it's easy to change when you want to move your master mail machine.
Note that the date on this file is October 1998. sendmail has been upgraded many times since then, but the configuration file did not need to change.
divert(-1)
##### This file contains definitions for a Sendmail,
##### Inc. client machine's .mc file.
divert(0)
VERSIONID(`@(#)smi-client.mc 1.0 (Sendmail) 10/14/98')
OSTYPE(`bsd4.4')
FEATURE(`nocanonify')
undefine(`ALIAS_FILE')
define(`MAIL_HUB', `smtp.sendmail.com')
define(`SMART_HOST', `smtp.sendmail.com')
define(`confFORWARD_PATH', `')
MAILER(`local')
MAILER(`smtp')
The MAIL_HUB and SMART_HOST lines direct incoming and outgoing mail to the host smtp.sendmail.com. MX records in DNS should cooperate and list that host with higher priority (lower number in the MX record) than the individual client machines. The path for .forward files is set to null, and the alias file is also set to null; all alias expansion occurs on the master machine. The nocanonify feature is specified here to save time, since DNS lookups are done on the master anyway.
Master machine at sendmail.com
The master machine at sendmail.com may be one of the most attacked sendmail installations around. It must be secure from all the twisty mailer attacks that people come up with and must protect the machines behind it. Here is its configuration file:
divert(-1)
# Created with Sendmail Switch, sendmail.com's commercial product.
divert(0)
ifdef(`COMMERCIAL_CONFIG', `INPUT_MAIL_FILTER(`mime-filter', `S=local:/var/run/mime-filter/mime-filter.sock')')
LDAPROUTE_DOMAIN(`sendmail.com sendmail.net sendmail.org')
MASQUERADE_AS(`sendmail.com')
MASQUERADE_DOMAIN(`sendmail.com')
RELAY_DOMAIN(`sendmail.com sendmail.net sendmail.org')
define(`MAIL_HUB', `internal-hub.sendmail.com')
define(`QUEUE_DIR', `/var/spool/mqueue/q*')
define(`SMART_HOST', `virus-scan.sendmail.com')
ifdef(`COMMERCIAL_CONFIG', `define(`confCACERT', `/local/certs/cacert.pem')')
ifdef(`COMMERCIAL_CONFIG', `define(`confCACERT_PATH', `/local/certs/trustedcerts')')
define(`confCHECK_ALIASES', `True')
ifdef(`COMMERCIAL_CONFIG', `define(`confCLIENT_CERT', `/local/certs/cert.pem')')
31. An MX record is actually more efficient than a CNAME; CNAMEs require a second lookup on the real name to get the IP address.