On 04/20/2014 01:38 PM, jdow wrote:
Heartbleed... Anybody running an OpenSSL server has compromised passwords
for anybody using the system, at least from when the vulnerability was
revealed until it was repaired, and should consider every password on the
system compromised. They should ALL be changed, pronto. And you should
make sure it is the right person changing the passwords.
{^_^}
I have F8 and F18. F8 is not affected by HB, and F18 has been
fixed for HB (recompiled) and its certificates regenerated. Both Fedora
versions have the same "open-relay" issues, and both have
similar or nearly identical sendmail.mc configurations.
Here is my sendmail.mc file; please
let me know if there is a problem:
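dnl #----------------------------------------------
dnl # You MUST enable SASLAUTHD for this to work!
dnl #----------------------------------------------
dnl # Review summary (entries that were wrapped by the mail client are
dnl # rejoined onto one line each, because m4 quoting is line-sensitive):
dnl #  - SMTP AUTH grants relaying here (see TRUST_AUTH_MECH), so an account
dnl #    with a leaked password can relay mail. From the outside that looks
dnl #    like an open relay even when the relay rules themselves are intact.
dnl #  - The port 465 listener was missing a comma before its M=s modifier.
dnl #  - The relays.ordb.org entry was missing a comma and names a list that
dnl #    no longer operates; it is commented out below.
dnl #  - confMAXRCPTSPERMESSAGE was defined twice; the duplicate is dropped.
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
OSTYPE(`linux')dnl
dnl ### do STARTTLS
dnl # sendmail.pem holds both the certificate and the private key, and is
dnl # used for the server and the client role. Keep it readable by root only.
dnl # After Heartbleed, regenerating means a NEW private key, not just a new
dnl # certificate over the old key.
define(`CERT_DIR', `/etc/pki/tls/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/ca-bundle.crt')dnl
dnl # NOTE(review): confCRL is meant to name a file of certificate revocation
dnl # lists, but it points at the CA bundle (CA certificates). Confirm this is
dnl # intended, or remove the define if no CRL file is maintained.
define(`confCRL', `CERT_DIR/ca-bundle.crt')dnl
define(`confSERVER_CERT', `CERT_DIR/sendmail.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/sendmail.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/sendmail.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/sendmail.pem')dnl
dnl ###
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`confALIAS_WAIT', `0')dnl
dnl # LOGIN and PLAIN send the password itself. Nothing in this file stops
dnl # them from being offered on port 25 before STARTTLS. The line below tells
dnl # sendmail to withhold plaintext mechanisms until a security layer is
dnl # active; enable it once all clients are confirmed to use STARTTLS or 465.
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl # NOTE(review): saslauthd can only verify plaintext mechanisms, so
dnl # DIGEST-MD5 and CRAM-MD5 presumably need a separate secret store - confirm.
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCONNECTION_RATE_THROTTLE', `2')dnl Denial of Service Attacks
define(`confCON_EXPENSIVE', `true')dnl
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
dnl # NOTE(review): at this log level sendmail is expected to record each
dnl # successful AUTH with the authid and client address. Those maillog lines
dnl # show which account is being used to relay - confirm on your build.
define(`confLOG_LEVEL', `9')dnl
define(`confMAX_DAEMON_CHILDREN', `30')dnl Denial of service Attacks
define(`confMAX_HOP', `35')dnl
define(`confMAXRCPTSPERMESSAGE', `50')dnl Denial of service Attacks
define(`confMAX_MESSAGE_SIZE', `15000000')dnl Denial of service Attacks
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl
define(`confQUEUE_LA', `5')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confREFUSE_LA', `12')dnl
define(`confSEPARATE_PROC', `False')dnl
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j')dnl
define(`confTO_CONNECT', `20s')dnl
define(`confTO_DATABLOCK', `35m')dnl
define(`confTO_DATAFINAL', `35m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_IDENT', `0')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl # Daemon options are comma-separated. Without the comma, M=s became part
dnl # of the Name value and the implicit-TLS modifier was never applied.
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl
EXPOSED_USER(`root')dnl
dnl # Any client that authenticates with one of these mechanisms may relay.
dnl # Relay abuse after a password leak therefore passes every relay check.
dnl # Rotate the affected passwords and review AUTH entries in the mail log.
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
dnl FEATURE(`authinfo',`hash /etc/mail/authinfo.db')dnl
FEATURE(always_add_domain)dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`block_bad_helo')dnl
FEATURE(delay_checks)dnl
FEATURE(`dnsbl', `b.barracudacentral.org', `"Rejected ["$&{client_addr}"] by barracudacentral.org"')dnl
FEATURE(`dnsbl', `zen.spamhaus.org', `"Rejected ["$&{client_addr}"] by spamhaus.org"')dnl
FEATURE(`dnsbl', `dnsbl.sorbs.net', `"Rejected ["$&{client_addr}"] by dnsbl.sorbs.net"')dnl
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Rejected ["$&{client_addr}"] by spamcop.net"', `t')dnl
dnl # Disabled: the original entry lacked the comma between the list name and
dnl # the message, so m4 merged both into a single argument. ORDB also ceased
dnl # operation years before this config was posted, and a retired list can
dnl # end up answering for every address. Periodically check that each
dnl # remaining DNSBL is still in service.
dnl FEATURE(`dnsbl', `relays.ordb.org', `"Rejected ["$&{client_addr}"] by relays.ordb.org"')dnl
dnl FEATURE(`dnsbl', `relays.osirusoft.com', `"Rejected ["$&{client_addr}"] by relays.osirusoft.com"')dnl
FEATURE(`generics_entire_domain')dnl
dnl FEATURE(`greet_pause', `3000')dnl
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(lookupdotdomain)dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`nouucp',`reject')dnl
FEATURE(redirect)dnl
dnl FEATURE(`relay_based_on_MX')dnl
dnl # NOTE(review): relay_hosts_only narrows relay entries to exact host
dnl # names, while relay_entire_domain permits relaying for every host in the
dnl # local domain class. Confirm that the combination is intended, and audit
dnl # the access db and relay-domains for stale RELAY entries.
FEATURE(relay_hosts_only)dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`require_rdns') dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(use_ct_file)dnl
FEATURE(use_cw_file)dnl
FEATURE(`virtuser_entire_domain')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
LOCAL_DOMAIN(`MYHOST.com')dnl
dnl LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
dnl MAILER(procmail)dnl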