Operating System - HP-UX

Re: preventing users from sending email

 
Fred Martin_1
Valued Contributor

preventing users from sending email

I'm looking for a method of preventing specific local users from sending email to the internet (sendmail).

I was directed by someone to this ruleset:

http://www.sendmail.org/~ca/email/restrict.html

Unfortunately I can't get it to work. I've spent a fair amount of time troubleshooting but no luck.

Has anyone implemented this ruleset or something similar?
fmartin@applicatorssales.com
Aussan
Respected Contributor

Re: preventing users from sending email

hi Fred
from doc id KBRC00010173

How to restrict users from sending mail via sendmail 8.11.x


"PROBLEM

Is it possible to set up sendmail 8.11.x to deny users from sending mail
from that server?

RESOLUTION

Using sendmail 8.11.1, it is possible to restrict users from sending mail
from the server.

1. #touch /etc/mail/sendmail.ct

2. cd /usr/newconfig/etc/mail/cf/cf and
create a sendmail configuration file using:
./gen_cf with option 24

3. vi the sendmail.cf.gen file output from gen_cf,
and make these changes

a) Search for Ft and uncomment Ft/etc/mail/sendmail.ct

#this is equivalent to setting class "t"
Ft/etc/mail/sendmail.ct
Troot
Tdaemon
Tuucp
Tx400
Tbherren >> added user

This is a list of the people/processes that can send mail using sendmail, which
can also be listed in the /etc/mail/sendmail.ct file.

b) Find this next set of rules and uncomment as seen below:

Scheck_compat

R$* <> $* $| $* $@ ok Mailer daemon offsite/local is ok
R$n $| $* $@ ok Mailer daemon offsite/local is ok
# Uncomment out the next rule if you want trusted users to be able to mail offsite
# Trusted users by default are root, daemon, uucp and x400. See Trusted users section
R$=t $| $* $@ ok Trusted user offsite is ok

c) Make a backup copy of /etc/rc.config.d/mailservs

d) #cp /usr/contrib/sendmail/usr/newconfig/etc/rc.config.d/mailservs /etc/rc.config.d

e) #vi /etc/rc.config.d/mailservs and change RECVONLY=1

export SENDMAIL_SERVER=0
export SENDMAIL_SERVER_NAME=
export SENDMAIL_RECVONLY=1
export SENDMAIL_SENDONLY=0

4. Stop and restart sendmail.
#/sbin/init.d/sendmail stop
#/sbin/init.d/sendmail start

Now only the users/processes listed in the /etc/mail/sendmail.st file, or
listed within the configuration file will be able to send mail from this server.



If you do not use the mailservs file created by this option,
(/usr/contrib/sendmail/usr/newconfig/etc/rc.config.d/mailservs), sendmail will
not start and you will receive this message:

Need to run 'gen_cf' manually in /usr/newconfig/etc/mail/cf/cf directory to
generate Default sendmail.cf file. The newly created,
usr/newconfig/etc/mail/cf/cf/sendmail.cf.gen file
can be copied as /etc/mail/sendmail.cf "
The tongue weighs practically nothing, but so few people can hold it
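
An added example, not part of the original post or of the HP document it quotes: a shell audit that lists who ends up in class "t" for a given sendmail.cf (the T lines plus any uncommented Ft file) and reports whether the trusted-user rule from step 3b is active. The function names, the root-prefix argument and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the class "t" allow-list described in the KB steps above.

# Print class-t members, one per line, sorted and de-duplicated.
# $1 = sendmail.cf path; $2 = optional root prefix for the Ft file (assumption,
# used so the audit can run against a copied tree instead of the live /etc).
trusted_senders() {
    cf=$1; root=${2:-}
    {
        # "Tuser" lines: trusted users named in the cf itself.
        sed -n 's/^T//p' "$cf" | tr -s ' \t' '\n\n'
        # "Ft/path" lines: class t loaded from a file; a leading "#" disables them.
        sed -n 's/^Ft[^/]*\(\/[^[:space:]]*\).*/\1/p' "$cf" | while read -r f; do
            if [ -r "$root$f" ]; then
                sed 's/#.*//' "$root$f" | tr -s ' \t' '\n\n'
            fi
        done
    } | sed '/^$/d' | sort -u
}

# Succeed only if the "R$=t $| $*" rule is uncommented in the cf.
trusted_rule_active() {
    grep -q '^R\$=t[[:space:]]' "$1"
}

# Succeed only if user $1 is in class t of cf $2 (root prefix $3).
in_class_t() {
    trusted_senders "$2" "$3" | grep -Fqx "$1"
}

# Constructed sample: a cf fragment shaped like the KB steps, plus a sendmail.ct.
demo=$(mktemp -d)
mkdir -p "$demo/etc/mail"
printf 'alice\n# bob is commented out\nbob2 carol\n' > "$demo/etc/mail/sendmail.ct"
cat > "$demo/sendmail.cf" <<'EOF'
Ft/etc/mail/sendmail.ct
Troot
Tdaemon
Tuucp
Tx400
Scheck_compat
#R$=t $| $* $@ ok Trusted user offsite is ok
EOF

trusted_senders "$demo/sendmail.cf" "$demo"
trusted_rule_active "$demo/sendmail.cf" || echo "trusted-user rule is still commented out"
```

Running it against a copy of the real configuration before restarting sendmail shows whether the allow-list and the rule that consults it are both in place.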
Fred Martin_1
Valued Contributor

Re: preventing users from sending email

Thanks Aussan, this looks promising. It will take some time for me to get it tested but I will report back here afterward.
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: preventing users from sending email

I ran gen_cf, included the 24 Receive_Only option as required, but also put in the options I had previously used (Relay_Off, Access_Database, etc).

Then, modified the new sendmail.cf to put all the changes I had previously made, back in there (DS, etc). I have a log of every cf change so I was able to duplicate all that, and even compared it with 'diff' after, to make sure the only changes were those added by the 'Receive_Only' option.

Restart sendmail. Then I get this:

# /sbin/init.d/sendmail start
Need to run 'gen_cf' manually in /usr/newconfig/etc/mail/cf/cf directory
to generate Default sendmail.cf file. The newly
created, /usr/newconfig/etc/mail/cf/cf/sendmail.cf.gen file
can be copied as /etc/mail/sendmail.cf. Then start sendmail

It's essentially telling me it doesn't see or doesn't like the cf file I've created.

Since I used gen_cf to create it, I'm not sure what to do next.
fmartin@applicatorssales.com
Aussan
Respected Contributor

Re: preventing users from sending email

it does not like the new file created...once the gen_cf completed, did you copy it to sendmail.cf or did you vi the old sendmail.cf?

The tongue weighs practically nothing, but so few people can hold it
Fred Martin_1
Valued Contributor

Re: preventing users from sending email

I copied it into /etc/mail/sendmail.cf, then modified it for my own settings such as DS and so on.

Fred
fmartin@applicatorssales.com
Aussan
Respected Contributor

Re: preventing users from sending email

what version of sendmail do you have, and are you up to date with the sendmail patches?
The tongue weighs practically nothing, but so few people can hold it
Fred Martin_1
Valued Contributor

Re: preventing users from sending email

Here's what I've got:

Upgraded sendmail to 8.11.1/8.9.3

Patches:

Sendmail-811, B.11.11.01.006 Sendmail-8.11.1 special release upgrade

fmartin@applicatorssales.com
Aussan
Respected Contributor

Re: preventing users from sending email

i don't know what patch that is

if you do
#swlist -l patch |grep -i sendmail

what's the output?

i'm asking because the sendmail 8.9.3 had an sr open for gen_cf and it was fixed with a patch,

if you don't have the patch try installing it

install PHNE_35484 or the one before it PHNE_28810

but if you have it installed it will show in the swlist

let me know
The tongue weighs practically nothing, but so few people can hold it
Fred Martin_1
Valued Contributor

Re: preventing users from sending email

Actually that was the output from swlist:

# swlist|grep -i sendm
Sendmail-811 B.11.11.01.006 Sendmail-8.11.1 special release upgrade

Fred
fmartin@applicatorssales.com
Aussan
Respected Contributor

Re: preventing users from sending email

Fred

please put -l patch with the swlist

swlist -l patch |grep -i sendmail
The tongue weighs practically nothing, but so few people can hold it
Fred Martin_1
Valued Contributor

Re: preventing users from sending email

Ah, sorry. Here it is:

# PHNE_28810 1.0 sendmail(1m) 8.9.3 patch
# SMAIL-811 B.11.11.01.006 sendmail(1m) 811 special release upgrade

Fred
fmartin@applicatorssales.com
Aussan
Respected Contributor

Re: preventing users from sending email

the sendmail-811 that you have is for HP-UX 11.0

but the patch you have is for 11.11

are you running 11.11 or 11.0?
The tongue weighs practically nothing, but so few people can hold it
Fred Martin_1
Valued Contributor

Re: preventing users from sending email

# uname -a
HP-UX corp B.11.11 U 9000/800 132931597 unlimited-user license
fmartin@applicatorssales.com
Aussan
Respected Contributor

Re: preventing users from sending email

the sendmail you have smail811 is for 11.0

download the sendmail for 11.11

it's sendmail 8.13

here is the link

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SMAIL813
The tongue weighs practically nothing, but so few people can hold it
Fred Martin_1
Valued Contributor

Re: preventing users from sending email

Thanks. It will be some days before I can put this in place, but I'll leave this open and will let you know how things go.
Fred
fmartin@applicatorssales.com
Steven E. Protter
Exalted Contributor

Re: preventing users from sending email

Shalom,

gen_cf is a front end for generating a sendmail.cf file from a macro file. On a normal sendmail release it's sendmail.mc. HP has their own macro file.

It doesn't really matter what version of sendmail you use, restricting sendmail send access is actually simple.

Add:
From:username@hostname 550 No outbound mail

For each user to the access file.

Use gen_cf to generate an access.db and sendmail.cf file. There is no way sendmail will permit mail from that user after doing this properly.

I learned these techniques fighting spammers on Linux and adapted them to HP-UX some years back.

If your current path does not succeed, please try my suggestion. It will work and does work for me on both HP-UX (with gen_cf) and Linux (standard sendmail tactics).

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Fred Martin_1
Valued Contributor

Re: preventing users from sending email

Steven,

I am already using access for control of who sendmail will relay for:

In sendmail.cf:
Kaccess dbm /etc/mail/access

Then:
makemap dbm /etc/mail/access < /etc/mail/access

My access file has entries like:

nnn.nnn.nnn RELAY
nnn.nnn.nnn RELAY

I've tried adding addresses to it as you've suggested but no luck so far. Must be the format of the address. I've tried:

From:xfm@domain.com 550 No outbound
From:fmartin@domain.com 550 No outbound
From:xfm 550 No outbound
From:fmartin 550 No outbound

And several others. No errors, but not stopping the sender either.
fmartin@applicatorssales.com
Aussan
Respected Contributor

Re: preventing users from sending email

He has Sendmail release for hp-ux 11.00

but he is running HP-UX 11.11

i think the release does matter at this moment,
he has the wrong sendmail for the wrong OS
The tongue weighs practically nothing, but so few people can hold it