Wandering Thoughts archives

2005-11-19

Solaris 9 sendmail irritations

Here's how to give a system administrator a heart attack: the default Solaris 9 sendmail configuration apparently allows other machines that your Solaris machine thinks are in your local domain to relay through you. I say 'apparently' because there's nothing in the sendmail.mc about this, and nothing clear in the generated /etc/mail/sendmail.cf either.

In other fun discoveries, the default sendmail configuration is also set up to relay all your mail through a machine called 'mailhost' in your domain. We don't have such a machine in our subdomain here, so god knows where any administrative mail my test machine may have been trying to send for the past month or so may have wound up.

Solaris 9 was shipped in 2002, and Sun actually started to care about security by that point; for example, it ships with tcpwrappers. In 2002, I would have thought that Sun would know that any open relaying is a bad idea.

In fact it turns out that Solaris sendmail's default configuration has other dubious features, even for 2002: for example, it will happily accept MAIL FROM addresses without domains or with unresolvable domains. None of this is set visibly and explicitly in their supplied .mc files; it is hiding away in the 'solaris-generic' set of settings that those use.

The light at the end of the tunnel is that Solaris 9 actually includes another set of settings, 'solaris-antispam'; changing from 'solaris-generic' to these will give you much stronger settings. (These are in fact the default Sendmail settings, so Solaris deliberately shipped with a less secure, more open to spam and abuse sendmail configuration.)

solaris/SolarisRelayingSendmail written at 00:34:18; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.