Operating System - HP-UX
Fred Martin_1
Valued Contributor

sendmail / temp files

In user's home directories, mail files sometimes appear, named after the user, owned by the user - group mail. For example:

fred.23123
fred.1123

They look like copies of the user's /var/mail file.

Can someone explain what these files are, and how they get to be left behind?

Also if there is information about the files in the O'Reilly Sendmail book, give me a chapter or page number....

Thanks
Fred
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: sendmail / temp files

Ok this is becoming a crisis, these files are filling up /home as fast as I can move them out to a temp area.

I can't keep home at less than 100%

What is causing this?

Fred
fmartin@applicatorssales.com
someone_4
Honored Contributor

Re: sendmail / temp files

Hi Fred,
As far as I know there is not anything in sendmail itself that would put the files in the home dir of the user. There is an option in the sendmail.cf that specifies where the files go but if the original files are still in /var/mail and they are only copies in /home/fred then I would think that it is some kind of script that is putting them there.

check cron
crontab -l

also do a
ps -ef|grep cp
ps -ef|grep fred

do an ll on the files and see if the time they were created has anything to do with the extension. It could be a date/time stamp.

Richard


Ross Zubritski
Trusted Contributor

Re: sendmail / temp files

Fred,

Are you running a "plug-in" like procmail? If so, ensure that /*#define MAILSPOOLHOME "/.mail" /* is not uncommented in the authenticate.c file. If it was compiled with this option enabled, it is spooling mail to /home/username as well as /var/mail. This is called home directory mail spooling.

Regards.

RZ
Jeff Schussele
Honored Contributor

Re: sendmail / temp files

Hi Fred,

Run
ps -ef | grep mail
See if someone or cron is running mail -f & specifying a non-default mail file.

Also users can define an alternate $HOME/mbox for saved mail. Users might be auto-reading their mail & saving it to this "mbox" in their home dir.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
S.K. Chan
Honored Contributor

Re: sendmail / temp files

Also check if user "fred" has a .forward file that does this. Just another possibility that I can think of.
Mark Landin
Valued Contributor

Re: sendmail / temp files

What is the mail reader being used?
Fred Martin_1
Valued Contributor

Re: sendmail / temp files

OK there is a process:

root 22532 22517 0 13:48:11 ? 0:00 sendmail: NAA22532 host-63-149-24-82.norco-usa.com [63.149.24.8

Never seen anything like that before.

Fred
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: sendmail / temp files

I don't have any unix savvy users, all that log in go directly into a database package. Pine is used by all unix users. Eudora from PCs.

I really think this is a sendmail breach of some sort; if you've seen my other sendmail threads in this area of the forum you'll know I've been having problems with huge amounts of spam, etc. the last few weeks. I just yesterday started locking down some sendmail settings (denying expn and vrfy for example).
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: sendmail / temp files

Ok jumped the gun on that sendmail process, that was a normal incoming sendmail logon for delivery of mail.

There is no sendmail process running continuously except for the one sendmail service that I start at boot time.
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: sendmail / temp files

I'm pretty sure those home directory files are being created by sendmail. The group ownership is 'mail'
fmartin@applicatorssales.com
someone_4
Honored Contributor

Re: sendmail / temp files

hi
What do you see in /var/adm/syslog/mail.log if you grep for the ip
63.149.24.82 or usa.com?


Richard
Steven E. Protter
Exalted Contributor

Re: sendmail / temp files

It's good that you locked down sendmail functions.

If a user got a dollar prompt, and typed elm, a .mail directory would be created and what looks like a subset of the mail file will be downloaded.

Do your users have dollar prompt access or the ability to break out of some process?

If they can telnet, they can create the conditions you report. If there is no need for telnet access, why do they have it?

You can replace it with secure shell for authorized users.

Off the top of my head, I have the following enhancement suggestions.

Secure shell(link here, cookbook attached).
https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=T1471AA&date=

A security hardening tool, Bastille that will do some of what you are trying to do.
https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6849AA&date=


Security Patch Check
https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6834AA&date=

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Fred Martin_1
Valued Contributor

Re: sendmail / temp files

No one has access to a unix shell except two admins. Everyone that telnets in, gets launched into a database directly; no trap door available to the OS.
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: sendmail / temp files

Things seemed to calm down on their own; disk space stopped growing in /home.

I don't really have any evidence but I'm guessing that something filled up /var, which forced sendmail to deliver mail to /home/user instead of /var/mail/user. Or something like that.

Everything went away before I could figure it out unfortunately.
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: sendmail / temp files

Finally figured this thing out.

It was a disk space issue after all!

Someone emailed out a word document containing graphics and objects. Size was 44 MB.

They Cc'd it to several people -locally- as well.

The receiving server rejected it due to size and -bounced-it-back- with the attachment.

User -tried-again- to send it due to rejection, and Cc'd it -again-, it -bounced-back-again- .......

Well when all was said and done, there were many many copies of this file on our server, /var/mail was full, then /home got full (I was right, sendmail was delivering to temp files in users' homes after /var got full).

Just shoot me now.
fred
fmartin@applicatorssales.com
Jeff Schussele
Honored Contributor

Re: sendmail / temp files

Hi Fred,

NO, in this case, it's shoot the USER!
I do believe it's time for a little end-user *education* - if you know what I mean?

Explain to this user that the next time they bring the server to its knees, you'll be glad to immediately let ALL other users know what happened & WHO did it.

A little well applied peer pressure never hurts ;~)

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
W.C. Epperson
Trusted Contributor

Re: sendmail / temp files

No reason to shoot anyone. Set the "O MaxMessageSize=" line in sendmail.cf to some reasonable size. Many sites limit it to 2-5Mb.

If you don't set this for the server handling inbound mail from outside, you're a sitting duck for a DOS attack from outside regardless of who you shoot.
"I have great faith in fools; self-confidence, my friends call it." --Poe
Fred Martin_1
Valued Contributor

Re: sendmail / temp files

From the description in the .cf file, the limit setting only affects inbound mail to the server 'from a remote system'.

I'm assuming that means all remote systems, even though they're on my network - for example a PC that pops in to this HP-UX sendmail server. If a PC user sends an email to another local user it will be sent to this server, and I assume would truncate an over-sized email.

Does that sound right?
fmartin@applicatorssales.com
Robin Wakefield
Honored Contributor
Solution

Re: sendmail / temp files

Hi Fred,

It won't truncate, it will reject the message.

Local users to other local users - it all depends if this server acts as a hub for your company. If both users are on the same server, chances are the message won't touch your "mail server", but will be delivered locally.

rgds, Robin
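
A check for the size limits discussed in the two replies above (the `O MaxMessageSize=` option and local delivery), as an added example that is not part of the original thread: it reads a sendmail.cf and reports the global limit plus the per-mailer `M=` field, which goes one step beyond the option named in the thread. The function names, the 5000000-byte ceiling and the sample configuration are assumptions constructed for illustration.

```shell
# Added example: audit a sendmail.cf for message size limits.

# global_max_size <cf-file>: value of the last active "O MaxMessageSize=" line,
# or "unset" when the option is absent or present only as a comment.
global_max_size() {
    v=$(sed -n 's/^O[[:space:]]*MaxMessageSize[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${v:-unset}"
}

# mailer_max_size <cf-file> <mailer>: the M= field of one mailer definition
# (continuation lines start with whitespace), or "unset".
mailer_max_size() {
    awk -v name="$2" '
        /^M/       { in_def = (index($0, "M" name ",") == 1) }
        /^[^M \t]/ { in_def = 0 }
        in_def {
            line = "," $0
            if (match(line, /[, \t]M=[0-9]+/)) found = substr(line, RSTART + 3, RLENGTH - 3)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# verdict <value> <ceiling-bytes>: 0 or unset is treated here as "no limit".
verdict() {
    case $1 in
        unset|0) echo "UNLIMITED" ;;
        *) if [ "$1" -gt "$2" ]; then echo "TOO-LARGE"; else echo "OK"; fi ;;
    esac
}

# Constructed sample configuration (not taken from any real host).
SAMPLE_CF=$(mktemp)
cat > "$SAMPLE_CF" <<'EOF'
#O MaxMessageSize=0
O MaxMessageSize=5000000
Mlocal, P=/usr/bin/rmail, F=lsDFMAw5:/|@qm9, S=EnvFromL, R=EnvToL,
    T=DNS/RFC822/X-Unix, M=2000000,
    A=rmail -d $u
Mprog, P=/usr/bin/sh, F=lsDFMoqeu9, D=$z:/, A=sh -c $u
EOF

CEILING=5000000   # assumed site policy, in bytes
for what in global local prog; do
    if [ "$what" = global ]; then v=$(global_max_size "$SAMPLE_CF")
    else v=$(mailer_max_size "$SAMPLE_CF" "$what"); fi
    echo "$what: $v -> $(verdict "$v" "$CEILING")"
done
```

Point the functions at the real sendmail.cf path on the host to run the same audit there; a commented-out `#O MaxMessageSize` line is reported as unset.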
Fred Martin_1
Valued Contributor

Re: sendmail / temp files

Yeah that answers the question.
Thanks!
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: sendmail / temp files

Interesting - the comments in my sendmail.cf file say that the message will be truncated. Rejection sounds better! No point in truncating an attachment :)

I'll test it anyway to see which it does.
fmartin@applicatorssales.com