A poorly or carelessly administered aliases file can easily be used to gain privileged status. For example, many vendors ship systems with a decode alias in the /etc/mail/aliases
file. The intention is to provide an easy way for users to transfer binary files using mail. At the sending site the user converts the binary to ASCII with uuencode, then mails the result to the decode
alias at the receiving site. That alias pipes the mail message through the /usr/bin/uuencode program, which converts the ASCII back into the original binary file.
Remove the decode alias line from your /etc/mail/aliases file. Similarly, every alias that executes a program that you did not place there yourself and check completely should be
questioned and probably removed.
Edit the aliases file vi /etc/mail/aliases and remove the following lines:
# Basic system aliases -- these MUST be present.
# General redirections for pseudo accounts.
# Well-known aliases.
# trap decode to catch security attacks
# Person who should get root's mail
For the changes to take effect you will need to run:
[root@deep] /# /usr/bin/newaliases
You need to prevent your Sendmail being abused by unauthorized users, Sendmail now includes powerful Anti-Spam features, which can help prevent your mail server from being abused by unauthorized users. To do
this, make a change to the configuration file to block off spammers. Edit the sendmail.cf file, vi /etc/mail/sendmail.cf and change the line:
Setting the goaway
option causes Sendmail to disallow all SMTP EXPN
commands, it also causes it to reject all SMTP VERB
commands and to
disallow all SMTP VRFY
commands. These changes prevent spammers from using the EXPN
commands in Sendmail.
You have to restrict who can examine the queues contents, ordinarily, anyone may examine the mail queue's contents by using the mailq command. To restrict who may examine the queues contents, you
must specify the restrictmailq option in the /etc/mail/sendmail.cf file. With this option, Sendmail allows only users who are in the same group as the group ownership of the queue
directory root to examine the contents. This allows the queue directory to be fully protected with mode 0700, while selected users are still able to see the contents.
Edit the sendmail.cf file, vi /etc/mail/sendmail.cf and change the line:
Now we change the mode of our queue directory to be fully protected:
[root@deep] /# chmod 0700 /var/spool/mqueue
Now re-start the sendmail process manually for the change to take effect:
[root@deep] /# /etc/rc.d/init.d/sendmail restart
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
We have already added the goaway option to the line PrivacyOptions= in sendmail.cf file. Now we can just add the restrictmailq option to this line.
Any non-privileged user who attempts to examine the mail queue content will get this message:
[user@deep /]$ /usr/bin/mailq
You are not permitted to see the queue