Sendmail comes with several companion programs that you should be aware of.
These include:
Editmap
Mailstats
Makemap
Print aliases
SendMail Restricted SHell
Vacation
Editmap
You can edit a map, also called a database, in Sendmail by using the editmap program.
The program works with dbm, hash, and btree maps. It does not work with other map types such as nis, nisplus or ldap.
There are three things you can do with the editmap program:
editmap -q = query a map
editmap -x = delete a key from a map
editmap -u = update the value for a key in the map
As we saw with rulesets, Sendmail works on the basic premise of a left hand side and a right hand side. The left hand side, called the key, contains the data that we are trying to match. The right hand side, called the value, contains the data that will replace the existing information.
Editmap supports the following switches:
-C (uppercase c) - Use an alternate Sendmail.cf file
-f (lowercase f) - Don't convert uppercase to lowercase
-N (uppercase n) - Include the null byte that terminates strings in the map (for alias maps).
The full command line for all three operations is:
editmap -q dbtype dbfile key
editmap -x dbtype dbfile key
editmap -u dbtype dbfile key new_value
dbtype - dbm, hash or btree
dbfile - the absolute path and filename of the database minus the .pag, .dir or .db file extension
key - the information that we want to match
new_value - the new value for that key
Mail Statistics
To enable mail statistics for your mail system, use:
define(`STATUS_FILE', `absolute_path_and_filename')
Usually this is:
define(`STATUS_FILE', `/etc/mail/statistics')
If the file is missing or unwritable then statistics for the local machine will not be collected.
Use touch /etc/mail/statistics to create the file if it does not exist, and then be sure to check its permissions.
To view the statistics after you've restarted Sendmail, use:
mailstats
The output is incredibly easy to read on your screen. To disable statistics simply remove the file or change the write permissions of the file.
Makemap
Makemap is used to create your databases. There is a separate web page for all the different types of databases that you can create for Sendmail to use.
Normally you'll create a flat ascii text file as an input file. You'll then feed this ascii text file to makemap which will then process the input file and create the database.
Sendmail will then access the database when it needs to look something up.
makemap dbtype outfile < infile
is the command line for the makemap command.
Command line switches include:
-c (lowercase c) - Set the cache size for hash or btree databases
-C (uppercase c) - Use an alternate Sendmail.cf file
-d (lowercase d) - Allow duplicate entries in the database
-D (uppercase d) - Use to specify the character to use to indicate a comment (which is ignored) instead of the default of '#'.
-e (lowercase e) - Allow empty data for keys
-f (lowercase f) - Don't convert uppercase to lowercase
-l (lowercase el) - List db types supported
-N (uppercase n) - Include the null byte that terminates strings in the map.
-o (lowercase oh) - Append to a file, don't overwrite it
-r (lowercase r) - Allow replacement of existing keys. Normally makemap complains if you repeat a key, and does not do the insert.
-s (lowercase s) - Skip security checks
-t (lowercase t) - Specify an alternative to whitespaces as a delimiter
-u (lowercase u) - Dump the contents of a database
-v (lowercase v) - Enable verbose operations
dbtype - dbm, hash, or btree
outfile - The name of the database to create. Extensions are added automatically: .pag and .dir for dbm databases and .db for hash or btree
infile - the absolute path to and the name of the file to use as input
Do not use makemap to create the alias database, use newaliases instead.
Print Aliases
The praliases command allows you to view the contents of all the aliases defined in all of your aliases files on your system, after the aliases files are turned into databases.
Sendmail Restricted Shell
Sendmail normally runs any program it finds in a user's ~/.forward file. This could include something like:
|"cp /bin/sh /home/usr/.x; chmod u+s /home/usr/.x"
To enable smrsh use:
FEATURE(`smrsh')
With smrsh defined, users can no longer run any program that they choose. They can only run programs that you allow them to run.
Smrsh creates a separate directory similar to a chroot jail. Only programs that are listed in this directory are allowed to be run by the users. On Solaris this directory is /var/adm/sm.bin. Refer to the smrsh man page for help on deciding what to place into this directory. Any program that is listed in this directory should not have the ability to drop to a shell prompt. You can use symbolic links for entries into /var/adm/sm.bin.
After smrsh has been defined and the directory populated, then smrsh can do its job.
Whenever a user tries to run a program from their ~/.forward file, smrsh is called to run that program. The first thing it does is to strip the leading path from the program name and then look for the program name in /var/adm/sm.bin. If it finds a match, it runs the program. If it doesn't find a match, the message is bounced.
Smrsh does not allow the following characters to be used as part of a command:
`<>;$() \n \r
As you can see, the users won't be able to chain commands together. However they could use:
&& or ||
if they know how to use these symbols.
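The checks described above can be modelled in a few lines of shell, which is useful for predicting which ~/.forward commands will bounce before you enable smrsh. This is an added example, not smrsh's own code: the function name smrsh_verdict and the SM_BIN variable are hypothetical, and running the character check before the lookup is an assumption.

```sh
#!/bin/sh
# Added example: a model of the smrsh checks as this page describes them.
# SM_BIN is an assumed, overridable variable; smrsh_verdict is a hypothetical name.
SM_BIN=${SM_BIN:-/var/adm/sm.bin}

# smrsh_verdict CMD: print the outcome for one .forward command string and
# return 0 if it would be run, 1 if the message would be bounced.
smrsh_verdict() {
    cmd=$1
    nl='
'
    cr=$(printf '\r')
    # Refuse the characters smrsh does not allow in a command.
    case $cmd in
        *'`'*|*'<'*|*'>'*|*';'*|*'$'*|*'('*|*')'*|*"$nl"*|*"$cr"*)
            echo "bounce: forbidden character"; return 1 ;;
    esac
    # Take the program name and strip its leading path.
    prog=${cmd%% *}
    prog=${prog##*/}
    # The bare name must be an executable entry (file or symlink) in SM_BIN.
    if [ -z "$prog" ] || [ -d "$SM_BIN/$prog" ] || [ ! -x "$SM_BIN/$prog" ]; then
        echo "bounce: '$prog' is not in $SM_BIN"; return 1
    fi
    # && and || are not in the refused set, so flag them for manual review.
    case $cmd in
        *'&&'*|*'||'*) echo "run: $SM_BIN/$prog (review: uses && or ||)" ;;
        *) echo "run: $SM_BIN/$prog" ;;
    esac
}

# Example call (constructed input):
#   smrsh_verdict "/usr/bin/vacation -a allman eric"
```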
Vacation
The vacation program is used to let people know that you are not reading your mail.
It is intended to be run from your ~/.forward file with entries that look something like:
\eric, "|/usr/bin/vacation -a allman eric"
which would send messages to you (assuming your login name was eric) and reply to any messages for "eric" or "allman".
Replace \eric with your mailbox name.
The first entry ensures that you receive a copy of the message. The second entry causes vacation to be run which sends a message to the sender of the message announcing that you are not reading your mail.
A backslash before a username inhibits further aliasing.
The first step to running vacation is to initialize the database:
/usr/bin/vacation -i
This allows vacation to track each sender's e-mail address so that the vacation reply is sent to them only once a week.
Next, you need to create your vacation reply:
vi ~/.vacation.msg
Your vacation message needs to contain at least two lines. These are:
From: Your Name <your@e-mail.address>
Subject: Any subject that you like
Followed by a blank line followed by any text that you like. This might include the days that you'll be away from your mail.
The last step is to add vacation to your ~/.forward file as was shown above.
There are a couple of switches that you should be aware of:
/usr/bin/vacation -r 31 - sets the reply time to 31 days instead of the default of 7 days.
/usr/bin/vacation -x < list - List is an ascii text file with one e-mail address per line.
You could specify an entire domain by using @domain.name.
Any user in list will not be sent a copy of your vacation message.
In the Solaris 10 release, the vacation utility has been enhanced to enable a user to specify which incoming messages receive autogenerated replies. With this enhancement the user can avoid sharing confidential or contact information with unknown people. Messages from spammers or unknown people would not receive a reply.
This enhancement works by matching an incoming sender's email address to a list of domains or email addresses in a .vacation.filter file. This file is created by the user and is in the user's home directory. If a domain or email address match is found, a reply is sent. If no match is found, no reply is sent.
The .vacation.filter might contain entries such as these:
company.com
mydomain.com
onefriend@hisisp.com
anotherfriend@herisp.com
Note that each line contains one domain or one email address. Each entry must be on a separate line. For a sender's email address to match with an email address entry, the match must be exact, except for case. Whether the letters in the sender's address are lowercase or uppercase is ignored. For a sender's email address to match with a domain entry, the sender's address must contain the listed domain. For example, both somebody@dept.company.com and someone@company.com would be a match for a domain entry of company.com. For more information, see the vacation man page.
.forward Files
Users can create a .forward file in their home directories that sendmail, along with other programs, can use to redirect mail or send mail.
Situations to Avoid
The following list describes some situations that you can avoid or easily fix.
If mail is not being delivered to the expected address, check the user's .forward file. The user might have put the .forward file in the home directory of host1, which forwards mail to user@host2. When the mail arrives at host2, sendmail checks for user in the NIS or NIS+ aliases and sends the message back to user@host1. This routing results in a loop and more bounced mail.
To avoid security problems, never put .forward files in the root and bin accounts. If necessary, forward the mail by using the aliases file instead.
Controls for .forward files
For the .forward files to be an effective part of mail delivery, ensure that the following controls (mostly permissions settings) are correctly applied.
The .forward file must be writable only by the owner of the file. This restriction prevents other users from breaking security.
The paths that lead to the home directory must be owned and writable by root only. For example, if a .forward file is in /export/home/terry, /export and /export/home must be owned and writable by root only.
The actual home directory should be writable only by the user.
The .forward file cannot be a symbolic link, and this file cannot have more than one hard link.
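The controls above can be checked with a short script. This is an added example, not part of Sendmail: the function names loose, audit_forward and audit_parents are hypothetical, and the script assumes the .forward file sits directly in the user's home directory. It uses only POSIX test and find primaries, so it does not depend on a particular stat command.

```sh
#!/bin/sh
# Added example: audit a .forward file against the controls listed above.

# loose PATH: succeeds if PATH is writable by group or other.
loose() { [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; }

# audit_forward FILE: print each violation; return 0 only if none is found.
audit_forward() {
    f=$1; rc=0
    if [ -L "$f" ]; then echo "$f: is a symbolic link"; return 1; fi
    if [ ! -f "$f" ]; then echo "$f: not a regular file"; return 1; fi
    if [ -n "$(find "$f" -prune -links +1)" ]; then
        echo "$f: has more than one hard link"; rc=1
    fi
    if loose "$f"; then echo "$f: writable by group or other"; rc=1; fi
    home=$(dirname "$f")
    if loose "$home"; then
        echo "$home: home directory writable by group or other"; rc=1
    fi
    return $rc
}

# audit_parents HOME: every directory above HOME, up to /, must be owned by
# root and writable by root only.
audit_parents() {
    p=$(dirname "$1"); rc=0
    while :; do
        if [ -n "$(find "$p" -prune ! -user root)" ] || loose "$p"; then
            echo "$p: not owned and writable by root only"; rc=1
        fi
        case $p in /|.) break ;; esac
        p=$(dirname "$p")
    done
    return $rc
}

# Example calls, using the path from the text above:
#   audit_forward /export/home/terry/.forward
#   audit_parents /export/home/terry
```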
.forward.hostname File
You can create a .forward.hostname file to redirect mail that is sent to a specific host.
For example, if a user's alias has changed from sandy@phoenix.example.com to sandy@example.com, place a .forward.phoenix file in the home directory for sandy.
% cat .forward.phoenix
sandy@example.com
"|/usr/bin/vacation sandy"
% cat .vacation.msg
From: sandy@example.com (via the vacation program)
Subject: my alias has changed

My alias has changed to sandy@example.com.
Please use this alias in the future.
The mail that I just received from you
has been forwarded to my new address.
Sandy
In this example, mail can be forwarded to the correct place while the sender is notified of the alias change. Because the vacation program permits only one message file, you can forward only one message at a time. However, if the message is not host specific, one vacation message file can be used by .forward files for many hosts.
.forward+detail File
Another extension to the forwarding mechanism is the .forward+detail file. The detail string can be any sequence of characters except operator characters. The operator characters are .:%&!^[]+. By using this type of file, you can determine if someone else is using your email address without your knowledge. For instance, if a user tells someone to use the email address sandy+test1@example.com, the user would be able to identify any future mail that was delivered to this alias. By default, any mail that is sent to the sandy+test1@example.com alias is checked against the alias and the .forward+detail files. If no matches are made, the mail falls back to delivery to sandy@example.com, but the user is able to see a change in the To: mail header.
How to Disable .forward Files
This procedure, which prevents automated forwarding, disables the .forward file for a particular host.
1. Become superuser or assume an equivalent role.
2. Make a copy of /etc/mail/cf/domain/solaris-generic.m4 or your site-specific domain m4 file.
# cd /etc/mail/cf/domain
# cp solaris-generic.m4 mydomain.m4
mydomain - Use the file name of your choice.
3. Add the following line to the file that you just created.
define(`confFORWARD_PATH',`')dnl
If a value for confFORWARD_PATH already exists in the m4 file, replace the value with this null value.
4. Build and install a new configuration file.
Note - When you edit the .mc file, remember to change DOMAIN(`solaris-generic') to DOMAIN(`mydomain').
How to Change the .forward-File Search Path
If, for example, you want to put all .forward files in a common directory, follow these instructions.
1. Become superuser or assume an equivalent role.
2. Make a copy of /etc/mail/cf/domain/solaris-generic.m4 or your site-specific domain m4 file.
# cd /etc/mail/cf/domain
# cp solaris-generic.m4 mydomain.m4
mydomain - Use the file name of your choice.
3. Add the following line to the file that you just created.
define(`confFORWARD_PATH',`$z/.forward:/var/forward/$u')dnl
If a value for confFORWARD_PATH already exists in the m4 file, replace the value with this new value.
4. Build and install a new configuration file.
Note - When you edit the .mc file, remember to change DOMAIN(`solaris-generic') to DOMAIN(`mydomain').
In order for people to be able to run a program from their .forward file, Sendmail insists that their shell (that is, the shell listed for that user in the passwd entry) be a "valid" shell, meaning a shell listed in /etc/shells. If /etc/shells does not exist, a default list is used.
If you're having problems deciding what to include in /etc/shells, Sendmail supplies a script that is available at http://www.sendmail.org/vendor/sun/gen-etc-shells.html.
There are some weird things that AFS throws into the mix, and these can keep a program from running or running correctly out of .forward files or the system-wide aliases.