
Securing-Optimizing-RH-Linux-1_2_268
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
268

Sendmail displays upon receiving a connection. You should replace the “xx” in the “C=xx L=xx” entries with your country and location codes. For example, in my case, I would use “C=CA L=QC” for Canada, Quebec.

Restrict who may examine the queue’s contents
Ordinarily, anyone may examine the mail queue’s contents by using the “mailq” command. To restrict who may examine the queue’s contents, you must specify the “restrictmailq” option in the “/etc/sendmail.cf” file. With this option, Sendmail allows only users who are in the same group as the group ownership of the queue directory (root) to examine the contents. This allows the queue directory to be fully protected with mode 0700 yet for selected users to still be able to see its contents.

· Edit the sendmail.cf file (vi /etc/sendmail.cf) and change the line:

O PrivacyOptions=authwarnings,noexpn,novrfy

To read:

O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq

· Now we change the mode of our queue directory to be fully protected:

[root@deep /]# chmod 0700 /var/spool/mqueue

NOTE: We have already added the “noexpn” and “novrfy” options to our “PrivacyOptions=” line in the sendmail.cf file. Now we continue by adding the “restrictmailq” option to this line.

Any non-privileged user who attempts to examine the mail queue content will get this message:

[user@deep /]$ /usr/bin/mailq
You are not permitted to see the queue

Limit queue processing to “root”
Ordinarily, anyone may process the queue with the “-q” switch. To limit queue processing to “root” and the owner of the queue directory, you must specify the “restrictqrun” option in the “/etc/sendmail.cf” file.

· Edit the sendmail.cf file (vi /etc/sendmail.cf) and change the line:

O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq

To read:

O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq,restrictqrun

Any non-privileged user who attempts to process the queue will get this message:

[user@deep /]$ /usr/sbin/sendmail -q
You do not have permission to process the queue

Set the immutable bit on important Sendmail files
Important Sendmail files can be set immutable for better security with the “chattr” command of Linux. A file with the “+i” attribute cannot be modified, deleted or renamed, no link can be created to this file and no data can be written to the file. Only the super-user can set or clear this attribute.

· Set the immutable bit on the “sendmail.cf” file:

[root@deep /]# chattr +i /etc/sendmail.cf

· Set the immutable bit on the “sendmail.cw” file:

[root@deep /]# chattr +i /etc/sendmail.cw
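The following audit script is an added example, not part of the book: it reads the “O PrivacyOptions=” line from a sendmail.cf, reports which of the options discussed above (restrictmailq, restrictqrun, and the earlier noexpn/novrfy) are missing, and checks that the queue directory is exactly mode 0700. The file paths and the sample sendmail.cf lines it builds under mktemp are constructed for the demo.

```shell
#!/bin/sh
# Added audit helper (not from the book): verifies the PrivacyOptions
# hardening and the 0700 queue directory described in the text.

# Print the option list from the first "O PrivacyOptions=..." line of $1.
privacy_options() {
    sed -n 's/^O PrivacyOptions=//p' "$1" | head -n 1
}

# Return 0 if every option in $2 (comma-separated) is present in the
# PrivacyOptions line of file $1; otherwise list the missing ones on stderr.
privacy_options_has() {
    opts=$(privacy_options "$1")
    missing=""
    for want in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing PrivacyOptions in $1:$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 if directory $1 is exactly mode 0700 (an octal argument to
# find -perm is an exact match on both GNU and BSD find).
queue_dir_locked_down() {
    [ -d "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm 0700)" ]
}

# Constructed demo: the PrivacyOptions line before and after the edits.
demo() {
    tmp=$(mktemp -d)
    printf 'O PrivacyOptions=authwarnings,noexpn,novrfy\n' > "$tmp/before.cf"
    printf 'O PrivacyOptions=authwarnings,noexpn,novrfy,restrictmailq,restrictqrun\n' > "$tmp/after.cf"
    mkdir "$tmp/mqueue" && chmod 0700 "$tmp/mqueue"
    privacy_options_has "$tmp/before.cf" restrictmailq,restrictqrun && echo "before.cf: ok" || echo "before.cf: not hardened"
    privacy_options_has "$tmp/after.cf" restrictmailq,restrictqrun && echo "after.cf: ok"
    queue_dir_locked_down "$tmp/mqueue" && echo "mqueue: mode 0700"
    rm -rf "$tmp"
}
```

Run it against the real files as root with privacy_options_has /etc/sendmail.cf restrictmailq,restrictqrun and queue_dir_locked_down /var/spool/mqueue; the immutable bit from chattr is not checked here, since it is only visible through lsattr on ext filesystems.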