Operating System - HP-UX

Bonny Jose_1
Advisor

To send mails with Sendmail switched off and SMTP port disabled

Hi Experts,
As part of system hardening we need to disable Sendmail and close mail ports (25, 110 etc.).
Is it possible to send mails (receiving not required) to my mail ID on the Exchange server?
This is required to notify me for any critical error messages in logs.
Thanks in advance
Bonny
let us make the world
Jordan Bean
Honored Contributor


Actually, I would recommend running Sendmail as a queue processing daemon only, so it doesn't listen on port 25. This way, any failed messages originating from the host via mailx or elm (which invoke sendmail anyway) can still be processed later or properly bounced to postmaster.

(With the latest versions of sendmail, it is possible to bind the daemon to specific interfaces and ports. What I've done on some systems is have sendmail listen to port 25 on the loopback interface only, so that local processes can use SMTP sockets rather than invoke sendmail directly. CGI script mailers can be made a little more secure this way by eliminating access to sendmail's command line functions.)

I wish I was at work to verify this... Edit /etc/rc.config.d/mailsvr and set DAEMON=no. This will eliminate the -bd command line switch to sendmail in /sbin/init.d/sendmail.

Also edit /etc/mail/sendmail.cf (or /etc/sendmail.cf depending on the version/build of sendmail) and set DS, DH, and DR to your exchange server. I would also set DM to $m (domain name) for good measure.

Port 110 would be used by a POP server not native to HPUX (as far as I know) and may likely be handled by inetd (see /etc/inetd.conf). Some may actually be a proper independent daemon like the latest Qpopper.
Jordan Bean
Honored Contributor


I was wrong... /etc/rc.config.d/mailservs works like this:

export SENDMAIL_SERVER=1
export SENDMAIL_SERVER_NAME=relayhost

If SENDMAIL_SERVER=0, then sendmail doesn't run.

If SENDMAIL_SERVER_NAME="", then sendmail runs as stand-alone relay on port 25.

If SENDMAIL_SERVER_NAME="relayhost", then sendmail will run and forward all local mail to the relayhost. It will still run on port 25 and relay internet mail itself.

Taking a second look at our configuration, I did not set SENDMAIL_SERVER_NAME, and removed the -bd option from line 90 in /sbin/init.d/sendmail, and set DS, DH, and DR to our exchange server in /etc/mail/sendmail.cf.


Bonny Jose_1
Advisor


Thanks Bean. With SENDMAIL_SERVER=0, can I use the sendmail command for sending mail to the users of servers in the same network? Or are there any commands or scripts available which dump the data directly to port 25 of another server?
Our security adviser wants the sendmail server to be down on this server and port 25 to be closed.
Cheers,
Bonny
let us make the world
Jordan Bean
Honored Contributor


SENDMAIL_SERVER=0 prevents sendmail from starting as a daemon at boot, but will not prevent it from being used as a client agent by mailx and elm. This will satisfy your security expert.

I understand that port 25 must be closed, but undeliverable messages will just pile up in the queue and be forgotten if sendmail is not running. In my first reply I explained that you can have sendmail running as a queue processing daemon, not listening to a network socket, if you remove the -bd from the sendmail command line in /sbin/init.d/sendmail around line 90. Just leave the -qXX where XX is an appropriate queue processing interval like 30m or 2h.
Jordan Bean
Honored Contributor
Solution


The alternative is to manually process the queue once in a while with `sendmail -q` which can be scheduled by cron.
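
A check for the setups discussed in this thread (no listener, loopback-only listener, queue runner without -bd), added here as an example and not part of any poster's reply. It assumes `netstat -an` prints the local address as `addr.port` in the fourth column; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the hardening discussed above.
# Assumption: netstat -an columns are proto, recv-q, send-q, local,
# foreign, state, with local written as addr.port (*.25, 127.0.0.1.25).

# Read netstat -an text on stdin and classify the SMTP listener.
smtp_exposure() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /\.25$/ {
            if ($4 ~ /^127\.0\.0\.1\.25$/) loop = 1   # loopback bind only
            else wide = 1                             # wildcard or real interface
        }
        END {
            if (wide)      print "exposed"
            else if (loop) print "loopback-only"
            else           print "closed"
        }'
}

# Classify a sendmail start command: -bd binds the SMTP socket,
# -q<interval> without -bd is a queue runner that opens no listener.
sendmail_mode() {
    case " $1 " in
        *" -bd "*)    echo "listener" ;;
        *" -q"[0-9]*) echo "queue-only" ;;
        *)            echo "no-daemon" ;;
    esac
}

# Constructed sample input (not captured from a real host). The last
# line is an outbound client connection to a relay and must not count.
SAMPLE_NETSTAT='tcp        0      0  *.22              *.*            LISTEN
tcp        0      0  127.0.0.1.25      *.*            LISTEN
tcp        0      0  10.1.2.3.51234    10.1.2.9.25    ESTABLISHED'

printf 'sample listener state: %s\n' \
    "$(printf '%s\n' "$SAMPLE_NETSTAT" | smtp_exposure)"
printf 'sample start command:  %s\n' \
    "$(sendmail_mode '/usr/sbin/sendmail -q30m')"

# On a live host: netstat -an | smtp_exposure
```
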