Securing-Optimizing-RH-Linux-1_2_268
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
268
Sendmail displays upon receiving a connection. You should replace the xx in the "C=xx L=xx"
entries with your country and location codes. For example, in my case, I would use "C=CA L=QC"
for Canada, Quebec.
Restrict who may examine the queue's contents
Ordinarily, anyone may examine the mail queue's contents by using the mailq command. To
restrict who may examine the queue's contents, you must specify the restrictmailq option in the
/etc/sendmail.cf file. With this option, Sendmail allows only users who are in the same group as
the group owner of the queue directory (root) to examine the contents. This allows the queue
directory to be fully protected with mode 0700 while selected users are still able to see its
contents.
Edit the sendmail.cf file (vi /etc/sendmail.cf) and change the line:
O PrivacyOptions=authwarnings,noexpn,novrfy
To read:
O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq
· Now we change the mode of our queue directory to be fully protected:
[root@deep /]# chmod 0700 /var/spool/mqueue
NOTE: We have already added the noexpn and novrfy options to the PrivacyOptions= line in the
sendmail.cf file. Now we continue by adding the restrictmailq option to this line.
Any non-privileged user who attempts to examine the mail queue contents will get this message:
[user@deep /]$ /usr/bin/mailq
You are not permitted to see the queue
Limit queue processing to root
Ordinarily, anyone may process the queue with the -q switch. To limit queue processing to root
and the owner of the queue directory, you must specify the restrictqrun option in the
/etc/sendmail.cf file.
Edit the sendmail.cf file (vi /etc/sendmail.cf) and change the line:
O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq
To read:
O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq,restrictqrun
Any non-privileged user who attempts to process the queue will get this message:
[user@deep /]$ /usr/sbin/sendmail -q
You do not have permission to process the queue
Set the immutable bit on important Sendmail files
Important Sendmail files can be set immutable for better security with the chattr command of
Linux. A file with the +i attribute cannot be modified, deleted or renamed, no link can be created
to this file and no data can be written to the file. Only the super-user can set or clear this attribute.
· Set the immutable bit on the sendmail.cf file:
[root@deep /]# chattr +i /etc/sendmail.cf
· Set the immutable bit on the sendmail.cw file:
[root@deep /]# chattr +i /etc/sendmail.cw
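The three steps above (the restrictmailq and restrictqrun flags in PrivacyOptions=, mode 0700 on the queue directory, and the immutable bit on sendmail.cf) are easy to lose after a package upgrade or a regenerated sendmail.cf. The following audit script is an added example, not code from the book; it assumes GNU stat and the lsattr tool from e2fsprogs, and the file and directory paths are passed in as arguments.

```shell
# Audit helpers for the hardening steps above; added example, not code from
# the book. Assumes GNU stat and lsattr from e2fsprogs (Linux, ext2/3/4).

# 0 if the first "O PrivacyOptions=" line of sendmail.cf $1 carries every
# comma-separated flag in $2 (any order), 1 if one is missing or no line found.
privacy_options_ok() {
    line=$(grep '^O PrivacyOptions=' "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 1
    opts=",$(printf '%s' "${line#O PrivacyOptions=}" | tr -d ' \t\r'),"
    for flag in $(printf '%s' "$2" | tr ',' ' '); do
        case "$opts" in *",$flag,"*) ;; *) return 1 ;; esac
    done
}

# 0 if directory $1 is mode 0700 as the chmod step requires, 1 otherwise.
queue_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "700" ]
}

# 0 if file $1 carries the immutable (i) attribute set by chattr +i, else 1.
immutable_ok() {
    attrs=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    case "$attrs" in *i*) return 0 ;; *) return 1 ;; esac
}

# Run every check against sendmail.cf $1 and queue directory $2, print one
# PASS/FAIL line per check, and return 1 if any check failed.
audit_sendmail() {
    cf=$1; mq=$2; rc=0
    check() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; rc=1; fi; }
    check privacy_options_ok "$cf" noexpn,novrfy,restrictmailq,restrictqrun
    check queue_mode_ok "$mq"
    check immutable_ok "$cf"
    return "$rc"
}

# Usage: sh audit-sendmail.sh /etc/sendmail.cf /var/spool/mqueue
# With no arguments nothing runs, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    audit_sendmail "$1" "${2:-/var/spool/mqueue}"
fi
```

The immutable check needs a filesystem that supports chattr attributes; on other filesystems it reports FAIL and the other two checks still tell you whether the PrivacyOptions line and the queue mode survived.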