AIX

  • 1.  Sendmail best practices, rewriting root, smarthosts

    Posted Wed June 15, 2022 04:44 PM
    In 7200-04 a new sendmail version was deployed where now we have /etc/mail/submit.cf in addition to /etc/mail/sendmail.cf.

    There are instructions on the IBM site for configuring masquerading for root:

    Configuring masquerading in AIX sendmail using generics table

    I don't like hand editing those files in such a fragile way. I know that the sendmail.cf is generated by m4 macros, and that many of them are in /usr/samples/tcpip/sendmail/. I think it would be much better to generate a config from the macros with local customizations instead. Minimizing the features by omission sounds better than hand editing.

    My goals are:

     - Disable sendmail listening on *:25, it can listen on 127.0.0.1:25 if needed. I don't want to show up on network security scans as a relay. Retries and the mail queue processing still require the daemon running.

     - Only send mail to an internal mail relay or smarthost. AIX should *never* try to send email by itself to the Internet.

     - Rewrite root's outbound mail "From" header, replacing "root@hostname" with "hostname-root@company.com". Cron jobs and root mail must be able to be forwarded without tripping spam filters. That's the generics table from the IBM link.

     - Allow all users to send mail to the smarthost using only the mail command, no additional software. Database and application users should be able to mail command output and alerts without resorting to perl scripts, mutt, or additional mail tools.


    Does anyone have a sendmail.mc and submit.mc to share that can be m4'ed into .cf files?

    I would have thought a minimal configuration would have shipped by now.

    ------------------------------
    ========================
    Russell Adams
    https://adamssystems.nl/
    ========================
    ------------------------------


  • 2.  RE: Sendmail best practices, rewriting root, smarthosts

    Posted Fri June 17, 2022 07:04 AM
    As you probably want no client authentication (I deduced that from the ability to use the "mail" command to send mail and the MTA listening only on loopback), you may completely drop the idea of having an MSA running. Use "FEATURE(`no_default_msa')dnl" in sendmail.mc and just do not configure an MSA at all, then you do not have to worry about "submit.cf".
    To make sendmail listen on 127.0.0.1:25 only, use "DAEMON_OPTIONS(`Port=25, Addr=127.0.0.1, Family=inet, Name=MTA')dnl" in sendmail.mc.
    To make sendmail send all mail via some relay, use "define(`SMART_HOST', `your.smart.host')dnl" in sendmail.mc. I believe you may also use "define(`SMART_HOST', `[your.smart.host.ip]')dnl" if you prefer.
    I believe sendmail config files shipped with AIX handle genericstable, so all you have to do is use "FEATURE(`genericstable')dnl", "FEATURE(`generics_entire_domain')dnl" and define your domain in "GENERICS_DOMAIN(`my.domain')dnl".

    If you want to send attachments, installing mutt is worth considering as mutt makes it very simple (both interactively and in batch mode).

    ------------------------------
    Lech Szychowski
    ------------------------------



  • 3.  RE: Sendmail best practices, rewriting root, smarthosts

    Posted Fri June 17, 2022 11:09 AM
    Part of the problem is IBM isn't shipping the sendmail.mc file used to generate the AIX default sendmail.cf. So instead of updating the .mc and processing it with m4, their documentation is saying to make fragile hand edits to a compiled file.

    I've gotten most of this working now, but cannot do a valid comparison against the original.

    ------------------------------
    ========================
    Russell Adams
    https://adamssystems.nl/
    ========================
    ------------------------------



  • 4.  RE: Sendmail best practices, rewriting root, smarthosts

    Posted Tue June 21, 2022 02:59 AM
    I have never seen it as a problem because for all situations where I need to reconfigure sendmail I am used to using my own .mc files, but yeah, unfortunately that's true.

    ------------------------------
    Lech Szychowski
    ------------------------------



  • 5.  RE: Sendmail best practices, rewriting root, smarthosts

    Posted Wed June 22, 2022 04:56 AM

    It's been one of my pet peeves for the past thirty years.

    On at least two occasions, I've seen the justification that the reason the .mc files weren't shipped is that AIX's sendmail.cf is heavily hand-tweaked after the m4 step, but I've noticed that on 7.2, you have two mc files in /usr/samples/tcpip/sendmail/cf: aixsample.mc submit.mc

    Things that are generated differently: X400 (ROTFL), less secure options, 8-bit handling...  ex:

    # privacy flags
    -O PrivacyOptions=authwarnings noexpn novrfy # /etc/mail/sendmail.cf
    +O PrivacyOptions=authwarnings # Generated from /usr/samples/tcpip/sendmail/cf/aixsample.cf
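
    Review bot: on the `+` line, PrivacyOptions keeps only authwarnings and loses the noexpn and novrfy flags that the shipped /etc/mail/sendmail.cf sets on the `-` line, so a .cf generated from the sample .mc would answer EXPN and VRFY again. Before installing the generated file, set the flags in aix.mc, for example with define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')dnl, and re-run the diff until this line matches.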


    Drop in /usr/samples/tcpip/sendmail/cf/Makefile:

    all: aix.cf submit.cf

    aix.cf: aix.mc
    <TAB>m4 ../m4/cf.m4 aix.mc > aix.cf

    submit.cf: submit.mc
    <TAB>m4 ../m4/cf.m4 submit.mc > submit.cf

    # diff exits 1 when the files differ; the leading "-" lets make go on to the second comparison
    diff:
    <TAB>-diff -u /etc/mail/submit.cf submit.cf
    <TAB>-diff -u /etc/mail/sendmail.cf aix.cf

    Copy aixsample.mc to aix.mc


    make; make diff |more

    Massage the aix.mc until you have an equivalent sendmail.cf, repeat with the submit.mc file.



    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------
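
One way to check a generated .cf against the goals from the first post (loopback-only listener, smart host set) and the PrivacyOptions difference shown in the diff above. This is an added example, not code from any post in this thread; the sample .cf lines and relay.example.com are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: audit a sendmail .cf read on stdin.
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_cf() {
    cf=$(cat)
    rc=0
    listeners=$(printf '%s\n' "$cf" | grep '^O DaemonPortOptions=' || true)
    if [ -z "$listeners" ]; then
        # No DaemonPortOptions line: the daemon uses its default listener, all interfaces.
        echo "no DaemonPortOptions line, default listener is not loopback-only"; rc=1
    elif printf '%s\n' "$listeners" | grep -v 'Addr=127\.0\.0\.1' >/dev/null; then
        echo "a listener is not bound to 127.0.0.1"; rc=1
    fi
    # DS<host> is the compiled form of SMART_HOST; a bare "DS" means no relay is set.
    if ! printf '%s\n' "$cf" | grep '^DS[^[:space:]]' >/dev/null; then
        echo "no smart host (DS) defined"; rc=1
    fi
    # Accept comma- or space-separated flags (the diff above shows spaces).
    priv=$(printf '%s\n' "$cf" | sed -n 's/^O PrivacyOptions=//p' | tr ',' ' ')
    for flag in noexpn novrfy; do
        case " $priv " in
            *" $flag "*) ;;
            *) echo "PrivacyOptions lacks $flag"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: lines a .cf would carry with the settings suggested above.
sample_hardened() {
    cat <<'EOF'
DS[relay.example.com]
O DaemonPortOptions=Port=25, Addr=127.0.0.1, Family=inet, Name=MTA
O PrivacyOptions=authwarnings,noexpn,novrfy
EOF
}

# Constructed sample: stock-style lines (MTA and MSA on all interfaces, no relay).
sample_default() {
    cat <<'EOF'
DS
O DaemonPortOptions=Name=MTA
O DaemonPortOptions=Port=587, Name=MSA, M=E
O PrivacyOptions=authwarnings
EOF
}

sample_default | audit_cf || true
```

Run it against a freshly built file with `audit_cf < aix.cf` before copying the result over /etc/mail/sendmail.cf.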



  • 6.  RE: Sendmail best practices, rewriting root, smarthosts

    Posted Wed June 22, 2022 06:08 AM
    While undoubtedly possible, this seems to me more like an academic exercise than a really needed effort.
    As I mentioned before, in my experience there has never been any need to recreate source .mc/.m4 files for the .cf file distributed in AIX. What does the .cf provided by IBM have that is really needed nowadays? I do not have to support things like Decnet, X400 and UUCP, so my experience is kinda limited in these areas, but when it comes to (E)SMTP with or without TLS/SSL my own .mc files seem to do the job for me...

    ------------------------------
    Lech Szychowski
    ------------------------------



  • 7.  RE: Sendmail best practices, rewriting root, smarthosts

    Posted Wed June 22, 2022 06:51 AM
    How else are you expected to send mail to kremvax?

    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------