HPE Community
Operating System - HP-UX
1829103 Members
2256 Online
109986 Solutions
New Discussion

Re: Sendmail

 
SOLVED
Go to solution
R Harris
Advisor

‎11-17-2008 12:52 PM

‎11-17-2008 12:52 PM

Sendmail

Hello,

I'm running HP-UX 11.11. I'm working on system security, and one of the recommendations from a recent security audit is to shutdown sendmail, if possible. I recently installed the 8.13.3 version of sendmail on our test server and configured the /etc/mail/submit.cf file to send mail out to our email server for delivery of mail. The sendmail daemon is not running. Delivery of outgoing mail works fine. However, local mail to root and other mail that should stay local does not get delivered to root on the local host.

I have created the smmsp user and group, and have tried several changes to the submit.cf file, but still cannot deliver local mail to the local host. All mail seems to get sent to our mail server instead. Mail for systems administrators should be sent to our mail server for delivery.

Does anyone know how to send local mail (like root mail) to the local and send other mail (eg. someuser@ourdomain.com) to our mail server?

Thanks,

Ray Harris.

0 Kudos
Reply
18 REPLIES 18
Armin Kunaschik
Esteemed Contributor

‎11-18-2008 04:52 AM

‎11-18-2008 04:52 AM

Re: Sendmail

You need a running sendmail to deliver local mail!
So deactivating sendmail is not always the best way of securing things.
You should modify the listening port in /etc/mail/sendmail.cf to listen only on 127.0.0.1 like
O ClientPortOptions=Family=inet, Address=127.0.0.1

With this setup everything should work fine again. From the security point of view you now have an open port 25 listening on localhost. But this does not matter because those users should be able to send mail anyway.

My 2 cents,
Armin

PS: Assign points if you find answers useful!
And now for something completely different...
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎11-18-2008 05:01 AM

‎11-18-2008 05:01 AM

Re: Sendmail

Shalom,

To answer your question, I'd need to at least see the DS directive in sendmail.cf

Take a look at /var/adm/mail.log to see whats going on with this mail.

Further it would be helpful to see the commands or cron job entries that are sending the mail to get some contest.

Normally, even if you relay all mail with a DS directive, local mail gets delivered.

However without sendmail running, it may be getting auto rejected.

Additional information required to give good help.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Armin Kunaschik
Esteemed Contributor

‎11-18-2008 05:04 AM

‎11-18-2008 05:04 AM

Re: Sendmail

I have to correct myself. It's not ClientPortOptions but DaemonPortOptions.

My 2 cents,
Armin
And now for something completely different...
0 Kudos
Reply
R Harris
Advisor

‎11-18-2008 08:11 AM

‎11-18-2008 08:11 AM

Re: Sendmail

Prior to upgrading sendmail I was able to send local main without sendmail running.

As for settings, I have:
O DaemonPortOptions=Family=inet, Address=127.0.0.1

and DS is:
DSlocalhost

Thanks,

Ray Harris
0 Kudos
Reply
R Harris
Advisor

‎11-18-2008 08:12 AM

‎11-18-2008 08:12 AM

Re: Sendmail

Prior to upgrading sendmail I was able to send local main without sendmail running.

As for settings, I have:
O DaemonPortOptions=Family=inet, Address=127.0.0.1

and DS is:
DSlocalhost

The last entry in the mail log is:
Nov 18 08:44:46 newpc sendmail[9213]: mAIDifNc009213: to=root, ctladdr=reharris (259/20), delay=00:00:05, xdelay=00:00:05, mailer=relay, pri=30129, relay=gwiaout.crhc.org. [198.212.6.44], dsn=2.0.0, stat=Sent (Ok)


Thanks,

Ray Harris
0 Kudos
Reply
Armin Kunaschik
Esteemed Contributor

‎11-18-2008 09:10 AM

‎11-18-2008 09:10 AM

Re: Sendmail

I don't know what your old sendmail version was? There were some major changes after sendmail 8.9.3.
Now the configuration is splitted into 2 processes configured with sendmail.cf and submit.cf.
The sendmail.cf is responsible for receiving mail, submit.cf for sending mail. Local delivery is part of receiving, therefore you need a receiving configuration.
You need to modify DaemonPortOptions in sendmail.cf, not in submit.cf!

I don't see any reason why DSlocalhost makes any sense because it's implicitly localhost if not set.
The syslog entry looks OK. But it looks like DS is set to gwiaout.crhc.org or [198.212.6.44] in submit.cf.
For some reason your address is not recognized as local. Did you configure anything else?
From my point of view I'd start over from the beginning, and just change DaemonPortOptions and DS.

My 2 cents,
Armin

PS: Assign points if you find answers useful!
And now for something completely different...
0 Kudos
Reply
R Harris
Advisor

‎11-18-2008 09:56 AM

‎11-18-2008 09:56 AM

Re: Sendmail

The entrys from the previous post are from the sendmail.cf file.

In the submit.cf file, DS is:

DS

and the D{MTAHost} entry is:
D{MTAHost}[gwiaout.crhc.org]

Thanks,

Ray Harris
0 Kudos
Reply
Armin Kunaschik
Esteemed Contributor

‎11-19-2008 02:01 AM

‎11-19-2008 02:01 AM

Re: Sendmail

The documentation regarding MTAHost looks like:
"All messages will be forwarded to the ${MTAHost}."
This seems to work exactly as described.

There is still a DS available in 8.13.
Quick guess: Unset MTAHost and set the smart relay DS again.

My 2 cents,
Armin

PS: Assign points if you find answers useful!
And now for something completely different...
Reply
Armin Kunaschik
Esteemed Contributor

‎11-19-2008 02:05 AM

‎11-19-2008 02:05 AM

Re: Sendmail

>I have assigned points to 0 of 14 responses to my questions.

I want you to kindly remind you to follow the rules of this forum.

It might happen that you won't get any answers in the future if you ignore the efforts of those who answer your questions!
And now for something completely different...
0 Kudos
Reply
V. Nyga
Honored Contributor

‎11-19-2008 02:24 AM

‎11-19-2008 02:24 AM

Re: Sendmail

@Armin (and @Ray) - this is a useful link about points-assignment:
http://forums13.itrc.hp.com/service/forums/helptips.do?#28

Keep on foruming,
Volkmar
*** Say 'Thanks' with Kudos ***
0 Kudos
Reply
R Harris
Advisor

‎11-19-2008 06:47 AM

‎11-19-2008 06:47 AM

Re: Sendmail

Hello,

I have tried all the suggestions. None work. Seems all mail (remote and local) gets sent to the mail server.

It's also interesting to note that only the 'mailx' command will now send mail. The regular mail command fails to send mail.

Thanks,

Ray Harris.
0 Kudos
Reply
Armin Kunaschik
Esteemed Contributor

‎11-19-2008 10:39 AM

‎11-19-2008 10:39 AM

Re: Sendmail

You did restart sendmail after changing configurations, didn't you?

What changes did you make to the default configuration? Did you set DH, DR? Anything else? Did you set MTAHost back to the default [127.0.0.1]?
Check /usr/newconfig/etc/mail for differences from default config files!

Did local delivery work in the default setup?

From my point of view your setup needs only 2 modifications from the default setup:
1. DaemonPortOptions in sendmail.cf
2. DS in submit.cf

You can always try test mode like:
sendmail -Csubmit.cf -bt
> /try smtp root

This should write *LOCAL* some lines later for local addresses.

My 2 cents,
Armin
And now for something completely different...
Reply
R Harris
Advisor

‎11-19-2008 11:20 AM

‎11-19-2008 11:20 AM

Re: Sendmail

No, I have not started the sendmail daemon.

I renamed the submit.cf file. After doing so, I was still able to send out-bound mail, and the mail command now functions again.

I just tried a mail -d root command to send local mail, and that worked fine. Without the -d option, it fails to send local mail.

Here are the errors showing up in the mail.log file for local mail sent without the -d option (eg. mail root):

Nov 19 13:11:45 newpc sendmail[26215]: mAJGtKHq022966: to=root@localhost, ctladdr=root (0/3), delay=01:16:25, xdelay=00:03:19, mailer=local, pri=300010, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/rmail) exited with EX_TEMPFAIL
Nov 19 13:11:54 newpc sendmail[26369]: mAJI9st8026367: timeout waiting for input from local during Draining Input
Nov 19 13:13:13 newpc sendmail[26369]: mAJI9st8026367: to=root, ctladdr=root (0/3), delay=00:03:19, xdelay=00:03:19, mailer=local, pri=120010, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/rmail) exited with EX_TEMPFAIL

Thanks,

Ray Harris.
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎11-19-2008 11:31 AM

‎11-19-2008 11:31 AM

Re: Sendmail

Shalom Ray,

After any changes to sendmail.cf you need to restart the sendmail daemon to have any effect.

/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start

As for settings, I have:
O DaemonPortOptions=Family=inet, Address=127.0.0.1

and DS is:
DSlocalhost

The DS directive and deamon options only permit inbound mail from localhost, that is good.

The DSlocalhost option tries to use the local system to relay mail. That is bad. Your relay server needs to be a system set up to get your mail to its final destination.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎11-19-2008 01:24 PM

‎11-19-2008 01:24 PM

Solution

Re: Sendmail

>local mailer (/usr/bin/rmail) exited with EX_TEMPFAIL

/usr/include/sysexits.h lists EX_TEMPFAIL as:
EX_TEMPFAIL -- temporary failure, indicating something that is not really an error. In sendmail, this means that a mailer (e.g.) could not create a connection, and the request should be reattempted later.
Reply
R Harris
Advisor

‎11-20-2008 10:12 AM

‎11-20-2008 10:12 AM

Re: Sendmail

This server is not defined in DNS, so other servers can't resolve it's name or IP. That might have something to do with it.

Thanks,

Ray Harris.
0 Kudos
Reply
Armin Kunaschik
Esteemed Contributor

‎11-24-2008 04:32 AM

‎11-24-2008 04:32 AM

Re: Sendmail

No DNS can be a problem. But I suppose not here.
It's always a good idea to place any server into DNS.

What are the permissions of /var/mail?
/var/mail should be 775 owned by root:mail.
Do the mail files have the right permissions?
The mailfiles have to be 660 owned by :mail.

My 2 cents,
Armin
And now for something completely different...
Reply
R Harris
Advisor

‎11-24-2008 05:43 AM

‎11-24-2008 05:43 AM

Re: Sendmail

I tried to telnet on port 25, but could not connect. The reason is the sendmail daemon was not running. I started the sendmail daemon, and was able to telnet on port 25 after doing so. However, local mail is still not locally delivered. Ownership and permissions of /var/mail are correct. According to the mail log, mail to root was delivered to the mail server:

Nov 24 08:28:44 hptest sendmail[19910]: mAODShRG019910: to=root, ctladdr=root (0/3), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=3001
7, relay=gwiaout.crhc.org. [198.212.6.44], dsn=2.0.0, stat=Sent (Ok)

It seems that since the MTA is set to the mail server, it wants to send all mail there. If the mail server doesn't know what to do with it, it'll toss it into the bit bucket.

I'm thinking we're gonna set up a folder on the mail server to catch all that mail, and configure the submit.cf and sendmail.cf files for send_only mode.

Thanks,

Ray Harris.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.