Solaris 9 sendmail irritations
Here's how to give a system administrator a heart attack: the default
Solaris 9 sendmail configuration apparently allows other machines that
your Solaris machine thinks are in your local domain to relay through
you. I say 'apparently' because there's nothing in the sendmail.mc about
this, and nothing clear in the generated
In other fun discoveries, the default sendmail configuration is also set up to relay all your mail through a machine called 'mailhost' in your domain. We don't have such a machine in our subdomain here, so god knows where any administrative mail my test machine may have been trying to send for the past month or so may have wound up.
Solaris 9 was shipped in 2002, and Sun actually started to care about security by that point; for example, it ships with tcpwrappers. In 2002, I would have thought that Sun would know that any open relaying is a bad idea.
In fact it turns out that Solaris sendmail's default configuration has
other dubious features, even for 2002: for example, it will happily
MAIL FROM addresses without domains or with unresolvable
domains. None of this is set visibly and explicitly in their supplied
.mc files; it is hiding away in the 'solaris-generic' set of settings
that those use.
The light at the end of the tunnel is that Solaris 9 actually includes another set of settings, 'solaris-antispam'; changing from 'solaris-generic' to these will give you much stronger settings. (These are in fact the default Sendmail settings, so Solaris deliberately shipped with a less secure, more open to spam and abuse sendmail configuration.)