Re: sendmail banner

Animesh Chakraborty · ‎03-17-2003

Hi,
I wanted to omit sendmail banner (audit requirement) and I put # before SmtpGreetingMessage in /etc/mail/sendmail.cf and stop and start sendmail.
Still it appears while I telnet to port 25.
Any idea ?

Did you take a backup?

U.SivaKumar_2 · ‎03-17-2003

Hi,

The Line should be like this

O SmtpGreetingMessage=

Or you can just put a simple banner

O SmtpGreetingMessage=Mail Server

regards,

U.SivaKumar

Innovations are made when conventions are broken

Sridhar Bhaskarla · ‎03-17-2003

Hi,

Shiv is right.

A customized greeting would be much better.

Add some customized message like

O SmtpGreetingMessage="Your activity is being logged"

Also consider disabling the options like noexpn, novrfy etc.,

-Sri

You may be disappointed if you fail, but you are doomed if you don't try

Animesh Chakraborty · ‎03-17-2003

Thanks Guys.
It worked.
How to confirm that vrfy and expn is disabled?
That is also another audit comments in my list.

Regards
Animesh

Did you take a backup?

T G Manikandan · ‎03-17-2003

The line should be
PrivacyOptions=authwarnings,noexpn,novrfy

in sendmail.cf file

Animesh Chakraborty · ‎03-17-2003

Thanks TG.
Another one
"Sendmail must not be running in daemon mode"
how can I make sure that it is not running in daemon mode?

Did you take a backup?

T G Manikandan · ‎03-17-2003

if the sendmail is running in daemon mode then it should have the startup option -bd

check the sendmail startup script

/sbin/init.d/sendmail

check whether the -bd option is there with the sendmail startup

like
/usr/sbin/sendmail -bd

-bd is the daemon mode startup.
THe default startup is -bm and not -bd.

Thanks

Balaji N · ‎03-17-2003

by default sendmail doesnt run as a daemon. check your startup script in /sbin/init.d/.

and refer to the sections "Modes" in the manual pages of sendmail.

Modes
sendmail operates in one of the following modes. The default is -bm,
deliver mail in the usual way.

-ba Go into ARPANET mode. All input lines must end with a CR-
LF, and all messages will be generated with a CR-LF at the
end. Also, the ``From:'' and ``Sender:'' fields are
examined for the name of the sender.

-bd Run as a daemon. sendmail will fork and run in background
listening on socket 25 for incoming SMTP connections.

-bD Run as a daemon, but run in foreground.

-bh Print the persistent host status database.

-bH Purge the persistent host status database.

-bi Initialize the alias database for the mail aliases file.
newaliases is identical to sendmail -bi. See
newaliases(1M).

-bm Deliver mail in the usual way (default).

-bp Print a listing of the mail queue. mailq is identical to
sendmail -bp. See mailq(1).

-bs Use the SMTP protocol as described in RFC821 on standard
input and output. This flag implies all the operations of
the ba flag that are compatible with SMTP.

-bt Run in address test mode. This mode reads addresses and
shows the steps in parsing; it is used for debugging
configuration tables.

-bv Verify names only - do not try to collect or deliver a
message. Verify mode is normally used for validating users
or mailing lists.

Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.

Animesh Chakraborty · ‎03-17-2003

It was -bd in my case.
what is -bm option for?

Did you take a backup?

Yogeeraj_1 · ‎03-17-2003

hi,

-bm Deliver mail in the usual way (default).

hth
yogeeraj

No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)

U.SivaKumar_2 · ‎03-17-2003

Hi,

For High security SMTP site,

PrivacyOptions=goaway

regards,

U.SivaKumar

Innovations are made when conventions are broken

Sridhar Bhaskarla · ‎03-18-2003

Hi Animesh,

To verify noexpn, novrfy or goaway, do the following from another system telnet to the box

$telnet your_box 25

Trying...
Connected to your_box.yourdomain.com.
Escape character is '^]'.
220 Your ESMTP activity is being logged
expn your_id
502 Sorry, we do not allow this operation
vrfy your_id
252 Cannot VRFY user; try RCPT to attempt delivery (or try finger)

-Sri

You may be disappointed if you fail, but you are doomed if you don't try

Animesh Chakraborty · ‎03-18-2003

After I started sendmail with -bm option,now I can not stop it using
#/sbin/init.d/sendmail stop(killsm is also the same)
#No sendmail server running
#ps -ef|grep sendmail
root 19134 1 0 12:09:27 ? 0:00 /usr/sbin/sendmail -bm -q30m

Did you take a backup?

Balaji N · ‎03-19-2003

hi,
something wrong. can u check if the file sendmail.pid exists in /etc/mail.
also, does the pid what it lists and ps -ef | grep sendmail matches.

try killing it manually. removing the pid file and then start & stop sendmail.

hth
-balaji

Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.

Animesh Chakraborty · ‎03-19-2003

sendmail.pid file does not exit where it was started with -bm option.
killing manualy also the same

Did you take a backup?

Balaji N · ‎03-19-2003

hi,
i couldnt get u. the pid file is not there. but stopping gives the same error message?

try killing the process and then start sendmail with the startup script. is the pid file getting created.
-balaji

Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.

Animesh Chakraborty · ‎03-19-2003

sendmail.pid file note being created when I start sendmail with -bm option. With -bd option .pid is getting created.

Did you take a backup?

Balaji N · ‎03-19-2003

no idea. is there any error message in syslog or mail.log. also, can u try starting sendmail with the debug option and see if there are nay errors
-balaji

Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.

Yogeeraj_1 · ‎03-19-2003

hi,

i believe you should start your sendmail using the script in /sbin/init.d

e.g.
/sbin/init.d/sendmail start

you may also wish to check the ownership of the pid file.

L-oracle8i: etc/mail>ll *.pid
-rw-r--r-- 1 root mail 34 Feb 13 14:07 sendmail.pid

regards
Yogeeraj

No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)

Animesh Chakraborty · ‎03-19-2003

Hi,
There is no error.
It is starting and working fine but .pid file is not getting created when started with -bm option.
Can some one attach the /sbin/init.d/sendmail scripts where sendmail is creating .pid file with -bm option.
Thanks
Animesh

Did you take a backup?

Balaji N · ‎03-19-2003

hi
checked up the sendmail startup script. there is no entry for creation of pid file. it just reads the file to see if sendmail is running.

i guess the file name is hardcoded inside the sendmail binary itself.

-balaji

Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.

U.SivaKumar_2 · ‎03-19-2003

Hi,

Don't specify -bm option explicitly. As it taken by default.

sendmail.pid will be created only if the sendmail will fork and become a daemon , for which -bd option is very very necessary.

regards,

U.SivaKumar

Innovations are made when conventions are broken

Duncan Edmonstone · ‎03-19-2003

Animesh,

I guess the reason you want to get rid of the sendmail banner is so that hackers don't know the version of sendmail yes?

Problem is that all you have to do is type 'help' at the sendmail prompt and more often than not it will tell you the version there...

You can change this too of course by editing the following line in sendmail.cf:

O HelpFile=/usr/share/lib/sendmail.hf

My favorite is to point it to a file with the contents 'HACKERS DON'T NEED HELP!'

Cheers

Duncan

I am an HPE Employee

Seth Parker · ‎03-19-2003

I've got a follow-on question to Animesh's original ones. If you change the startup of sendmail where it doesn't run as a daemon, do you need to set the privacy options?

Sorry if this is boneheaded, but it seems that if there is no daemon running, you don't need to change the privacy options.

Thanks,
Seth

Animesh Chakraborty · ‎03-19-2003

Hi Shivkumar,
Understood your point. But now my problem is I can not stop sendmail using /sbin/init.d/sendmail stop command because no .pid file is created.

Did you take a backup?

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: sendmail banner

sendmail banner