Monday, May 28, 2007

Chrooting Sendmail and Restricting Relaying


Today I had a client call me in a panic. Their mail queue was full and mail was bouncing. Having a look at the mail sitting in the queue it was obvious that the mail server was being used as a mail relay. They have a dedicated server for web and mail at their hosting company. The problem is that they simply started using the mail server without customizing the configuration files and locking down who has access and who has the ability to send mail.

I helped them out with that and quickly stopped the spamming. Personally I think a rebuild is in order as I don't trust any machine that shows any signs of compromise. So in preparation for when they do decide to rebuild I wrote up a quick little guide to run Sendmail 8.12+ in a chrooted environment and to restrict relaying. They will still need to further configure Sendmail, but this will help protect the server and other running services by confining an attacker to the resources within the jail, so that they cannot compromise the rest of the system.

Since the Sendmail installation in question is used only to relay mail from the web server, we can run Sendmail inside a chroot jail.

First we need to specify a root directory for the chroot jail and create the Directory Structure. For example:

/chroot/sendmail - This is the Sendmail chroot root directory

Create the following directories under the above directory:

/dev
/etc
/etc/mail
/lib
/lib/tls
/tmp
/usr
/usr/bin
/usr/sbin
/usr/lib
/usr/lib/sasl2
/var
/var/run
/var/spool
/var/spool/mqueue

If you have not already done so add a user for Sendmail to run as and add the user to the mail group.

# useradd -u 501 -g mail -s /sbin/nologin -d /dev/null sendmail

This adds the user called sendmail. In the sendmail.mc file you need to enable the RunAsUser setting and change it to the new user.

define(`confRUN_AS_USER', `sendmail') - Recreate the sendmail.cf file to enable this.

Next you need to populate the directories with the files required. Into the /chroot/sendmail/etc directory copy the following:

aliases
aliases.db
passwd
group
resolv.conf
host.conf
nsswitch.conf
services
hosts
localtime

Edit the passwd and group files to contain only the users and groups required to run Sendmail.

Next copy the entire contents of the /etc/mail directory and all subdirectories into /chroot/sendmail/etc/ . This contains all your Sendmail configuration files.

Next you need to populate the /chroot/sendmail/dev directory. You will need to create the following devices, null and random, to allow Sendmail to function correctly.

# mknod /chroot/sendmail/dev/null c 1 3
# mknod /chroot/sendmail/dev/random c 1 8

Both devices should be owned by root and should have the following permissions:

null - 0666
random - 0644

Next place a copy of the sendmail binary into /chroot/sendmail/usr/sbin. Create symbolic links to this binary for the mailq and newaliases commands.

# ln -s /chroot/sendmail/usr/sbin/sendmail /chroot/sendmail/usr/bin/mailq
# ln -s /chroot/sendmail/usr/sbin/sendmail /chroot/sendmail/usr/sbin/newaliases

Sendmail will need various libraries in order to run in the chroot jail.

Run the following command:

# ldd /usr/sbin/sendmail

Record the list of libraries it prints and copy each one to the same path inside the chroot jail.

NOTE: any libraries located in /usr/kerberos/lib should be copied to /chroot/sendmail/usr/lib. This is so that Sendmail can find them.

Sendmail will require the following additional libraries. These are usually located in /lib.

libnss_dns.so.2
libresolv.so.2
libnss_files.so.2

Copy these to /chroot/sendmail/lib.
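The ldd step above is easy to get wrong by hand (one missed library and sendmail fails inside the jail). The following script is an added example, not part of the original post: it parses ldd output, mirrors each library into the jail at its host path, and relocates anything under /usr/kerberos/lib to the jail's /usr/lib as the note above requires. The jail root and binary path are arguments; the ldd line formats are the ones glibc's ldd prints.

```shell
#!/bin/sh
# Added example (not from the original post): copy the shared libraries a
# binary needs into a chroot jail at the same paths, relocating anything
# under /usr/kerberos/lib to <jail>/usr/lib as the post describes.
# Usage: jail_libs /chroot/sendmail /usr/sbin/sendmail

# Read ldd output on stdin and print one absolute library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and bare
# "/lib/ld-linux.so.2 (0x...)" lines; skips the kernel vDSO entry
# "linux-gate.so.1 => (0x...)", which has no file to copy.
parse_ldd() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Map a host library path to its destination path inside the jail.
jail_dest() {
    jail=$1; lib=$2
    case "$lib" in
        /usr/kerberos/lib/*) echo "$jail/usr/lib/${lib##*/}" ;;
        *)                   echo "$jail$lib" ;;
    esac
}

# Read ldd output on stdin, copy each library into the jail (creating
# directories as needed, preserving mode and timestamps) and print the
# number of libraries copied.
copy_libs() {
    jail=$1
    n=0
    for lib in $(parse_ldd); do
        dest=$(jail_dest "$jail" "$lib")
        mkdir -p "$(dirname "$dest")"
        cp -p "$lib" "$dest"
        n=$((n + 1))
    done
    echo "$n"
}

# Convenience wrapper: jail_libs <jail root> <binary>
jail_libs() {
    ldd "$2" | copy_libs "$1"
}
```

Run it as root once the jail directory tree exists; it does not copy the binary itself or the extra nss/resolver libraries listed above, which ldd does not report because they are loaded at run time.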

If you are using SASL then you need to copy all the files in the /usr/lib/sasl2 directory to /chroot/sendmail/usr/lib/sasl2.

Next we need to check that the permissions and ownerships are correct. The /chroot/sendmail/var/spool/mqueue directory needs to be owned by the user specified in the RunAsUser option.

# chown sendmail /chroot/sendmail/var/spool/mqueue
# chmod 0700 /chroot/sendmail/var/spool/mqueue

All files and databases must be readable by the sendmail user. Ensure that there are no group writable files in the chroot jail.

# chmod -R go-w /chroot/sendmail
# chmod 0400 /chroot/sendmail/etc/mail/*.cf

To start the chrooted sendmail run the following:

# chroot /chroot/sendmail /usr/sbin/sendmail -bd -q15m

We now want to restrict relaying in order to prevent the mail server from being used as a spam relay.

Check the sendmail.cf file for the following:

FR-o /etc/mail/relay-domains (note this may need to be changed if you intend to use a chroot jail for sendmail)

This class definition makes Sendmail accept relaying only from the entries listed. The relay-domains file can contain hosts, domains, IP addresses and subnets.

Adding the following settings to the sendmail.mc file further modifies the behavior of the relay-domains file.

FEATURE(`relay_hosts_only') - This allows relaying only for hosts listed in the relay-domains file, not for every host within the listed domains.

Relaying can also be specified by using an access database file. Make sure the access db feature is enabled by checking for the following line in sendmail.mc:

FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')

If this line is not present, add it and recreate sendmail.cf. The access database is located in the /etc/mail directory. Create it using the makemap command, which takes its input from a text file:

# makemap hash access.db < access

The text file format is as follows:

[ip address] RELAY
[domain name] RELAY

There are several possible actions for an entry: RELAY, REJECT, DISCARD and 554 [message].
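Because a bare IP prefix in the access file matches every address beneath it, a single short entry can reopen the relay the rest of this guide closes. The following linter is an added example, not from the original post: it checks each line of the access text file for a valid action (the four above, plus OK, which sendmail also accepts) and flags RELAY entries keyed on a one- or two-octet prefix before the file is fed to makemap.

```shell
#!/bin/sh
# Added example (not from the original post): lint a sendmail access text
# file before feeding it to makemap. Each non-comment line is
# "key<whitespace>action". Reports lines whose action is not one the post
# lists (RELAY, REJECT, DISCARD, 554 <message>; OK is also valid) and RELAY
# entries keyed on a one- or two-octet IP prefix, since "10 RELAY" relays
# for every host in 10.0.0.0/8. Exit status is non-zero if anything is flagged.
# Usage: lint_access /chroot/sendmail/etc/mail/access

lint_access() {
    awk '
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        {
            key = $1; action = $2; msg = ""
            ok = (action == "RELAY" || action == "REJECT" || action == "DISCARD" ||
                  action == "OK" || (action == "554" && NF >= 3))
            if (!ok)
                msg = "unknown or incomplete action \"" action "\""
            else if (action == "RELAY" && key ~ /^[0-9]+(\.[0-9]+)*$/) {
                # a dotted prefix matches every address beneath it
                n = split(key, octet, ".")
                if (n < 3)
                    msg = "RELAY for " key " covers a whole /" (8 * n) " network"
            }
            if (msg != "") { printf "%s:%d: %s\n", FILENAME, NR, msg; bad++ }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}
```

Keys carrying a Connect: or From: tag are not checked for breadth, so review those by hand.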

This covers the basics of running Sendmail in a chrooted environment and restricting relaying. I hope it helps someone out.

Cheers,
Dean

dean de beer
