Changes in Version 8.13 of sendmail
Starting in the Solaris 10 release, version 8.13 is the default. Although this new
version of sendmail provides many new features, the FallBackSmartHost option is the most significant
addition. Because of this option you no longer need to use main.cf and subsidiary.cf.
The main.cf file was used in environments that supported MX records. The subsidiary.cf
file was used in environments without a fully operative DNS. In such environments a smart
host was used instead of MX records. The FallBackSmartHost option provides unified configuration. It
operates like an MX record of last possible preference for all environments. To ensure
that mail gets delivered to clients, this option, if enabled, provides a well-connected (or smart)
host that serves as a backup (or failover) for MX records that fail.
For more information about version 8.13, see the following sections:
Additionally, starting in the Solaris 10 1/06 release, SMTP can run with Transport Layer
Security (TLS). See the following description.
Support for Running SMTP With TLS in Version 8.13 of sendmail
Communications between SMTP servers and clients are not usually controlled or trusted on either
end. This lack of security might allow a third party to monitor and even alter
a communication between a server and a client. Starting in the Solaris 10 1/06
release, SMTP can use Transport Layer Security (TLS) in version 8.13 of sendmail to resolve
this problem. This extended service to SMTP servers and clients provides the following:
Note - The implementation of TLS is based on the Secure Sockets Layer (SSL) protocol.
STARTTLS is the SMTP keyword that initiates a secure SMTP connection by using TLS. This
secure connection might be between two servers or between a server and a client.
A secure connection is defined as follows. When the client issues the STARTTLS command, the server responds with one of three codes:
220 – The client must start the TLS negotiation.
501 – The client issued the STARTTLS command incorrectly; STARTTLS is issued with no parameters.
454 – The client must apply its rule set values to determine whether to accept or maintain the connection.
Note that to maintain the Internet's SMTP infrastructure, publicly used servers must not require
a TLS negotiation. However, a server that is used privately might require the client
to perform a TLS negotiation. In such instances, the server returns this response:
530 Must issue a STARTTLS command first
The 530 response instructs the client to issue the STARTTLS command to establish a
connection.
The server or client can refuse a connection if the level of authentication and
privacy is not satisfactory. Alternately, because most SMTP connections are not secure, the server
and client might maintain an unsecure connection. Whether to maintain or refuse a connection is
determined by the configuration of the server and the client.
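The exchange described above, modelled offline with both sides' messages, as an added example that is not part of the Solaris documentation. Only the reply codes 220, 454, 501 and 530 come from the text; the reply wording, the EHLO step and the host names are constructed, and the require_tls flag stands in for the client's rule-set policy after a 454.

```python
# Added example, not from the Solaris sendmail documentation: an offline model of
# the STARTTLS exchange. Reply codes 220, 454, 501 and 530 are the ones the text
# describes; reply wording, the EHLO step and host names are constructed here.

class SmtpServer:
    """Server side of the exchange, in the states the text describes."""

    def __init__(self, tls_available=True, require_tls=False):
        self.tls_available = tls_available  # False: answer STARTTLS with 454
        self.require_tls = require_tls      # True: private server, 530 until TLS is up
        self.tls_active = False

    def handle(self, line):
        verb, _, args = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mail.example.test\r\n250 STARTTLS"
        if verb == "STARTTLS":
            if args:                        # STARTTLS is issued with no parameters
                return "501 Syntax error (no parameters allowed)"
            if not self.tls_available:
                return "454 TLS not available due to temporary reason"
            self.tls_active = True          # client must now start the TLS handshake
            return "220 Ready to start TLS"
        if verb == "MAIL" and self.require_tls and not self.tls_active:
            return "530 Must issue a STARTTLS command first"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"


def client_session(server, require_tls=False):
    """Client side. require_tls stands in for the client's rule-set policy
    after a 454: refuse to continue in the clear. Returns (transcript, tls_started)."""
    transcript = []
    def send(cmd):
        reply = server.handle(cmd)
        transcript.append((cmd, reply))
        return reply
    if "STARTTLS" not in send("EHLO client.example.test"):
        return transcript, False            # server does not offer STARTTLS
    code = send("STARTTLS")[:3]
    if code == "220":
        return transcript, True             # TLS negotiation begins here
    if code == "454" and require_tls:
        send("QUIT")                        # policy: do not send mail in the clear
        return transcript, False
    send("MAIL FROM:<sender@client.example.test>")   # continue unencrypted
    return transcript, False
```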
Support for running SMTP with TLS is not enabled by default. TLS is enabled
when the SMTP client issues the STARTTLS command. Before the SMTP client can issue
this command, you must set up the certificates that enable sendmail to use TLS. See
How to Set SMTP to Use TLS. Note that this procedure includes defining new configuration file options and rebuilding your sendmail.cf
file.
Configuration File Options for Running SMTP With TLS
The following table describes the configuration file options that are used to run SMTP
with TLS. If you declare any of these options, use one of the following
syntaxes:
O OptionName=argument # for the configuration file
-O OptionName=argument # for the command line
define(`m4Name',argument) # for m4 configuration
Table 14-13 Configuration File Options for Running SMTP With TLS

CACertFile
    m4 name: confCACERT
    Argument: filename
    Default value: undefined
    Identifies the file that contains one CA certificate.

CACertPath
    m4 name: confCACERT_PATH
    Argument: path
    Default value: undefined
    Identifies the path to the directory that contains certificates of CAs.

ClientCertFile
    m4 name: confCLIENT_CERT
    Argument: filename
    Default value: undefined
    Identifies the file that contains the certificate of the client. Note that this certificate is used when sendmail acts as a client.

ClientKeyFile
    m4 name: confCLIENT_KEY
    Argument: filename
    Default value: undefined
    Identifies the file that contains the private key that belongs to the client certificate.

CRLFile
    m4 name: confCRL
    Argument: filename
    Default value: undefined
    Identifies the file that contains the certificate revocation status, which is used for X.509v3 authentication.

DHParameters
    m4 name: confDH_PARAMETERS
    Argument: filename
    Default value: undefined
    Identifies the file that contains the Diffie-Hellman (DH) parameters.

RandFile
    m4 name: confRAND_FILE
    Argument: file:filename or egd:UNIX socket
    Default value: undefined
    Uses the file: prefix to identify the file that contains random data, or uses the egd: prefix to identify the UNIX socket. Note that because the Solaris OS supports the random number generator device, this option does not need to be specified. See the random(7D) man page.

ServerCertFile
    m4 name: confSERVER_CERT
    Argument: filename
    Default value: undefined
    Identifies the file that contains the server's certificate. This certificate is used when sendmail acts as a server.

Timeout.starttls
    m4 name: confTO_STARTTLS
    Argument: amount of time
    Default value: 1h
    Sets the amount of time the SMTP client waits for a response to the STARTTLS command.

TLSSrvOptions
    m4 name: confTLS_SRV_OPTIONS
    Argument: V
    Default value: undefined
    Determines whether the server asks for a certificate from the client. If this option is set to V, no client verification is performed.
For sendmail to support SMTP's use of TLS, the following options must be defined:
CACertPath
CACertFile
ServerCertFile
ClientKeyFile
Other options are not required.
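An added example, not from the Solaris documentation or from sendmail itself, that renders the define() lines for the options in Table 14-13 and checks the files they name before sendmail.cf is rebuilt. The option and m4 names come from the table; the private-key permission check (no group or other access) and the paths used are assumptions.

```python
# Added example, not from the Solaris documentation: render the m4 defines for
# the TLS options in Table 14-13 and check the files they name before rebuilding
# sendmail.cf. Option and m4 names come from the table; the private-key
# permission check (no group/other access) is an assumption for this example.
import os
import stat

M4_NAMES = {  # option name -> m4 name, from Table 14-13
    "CACertPath": "confCACERT_PATH", "CACertFile": "confCACERT",
    "ServerCertFile": "confSERVER_CERT", "ClientCertFile": "confCLIENT_CERT",
    "ClientKeyFile": "confCLIENT_KEY", "CRLFile": "confCRL",
    "DHParameters": "confDH_PARAMETERS",
}
REQUIRED = ("CACertPath", "CACertFile", "ServerCertFile", "ClientKeyFile")
PRIVATE = ("ClientKeyFile",)   # files that hold private key material


def check_tls_options(options):
    """options maps option names to their path arguments.
    Returns a list of problems; an empty list means the set is usable."""
    problems = [f"{n} is required but not defined" for n in REQUIRED if n not in options]
    for name, path in options.items():
        if name not in M4_NAMES:
            problems.append(f"{name} is not a TLS option from Table 14-13")
        elif not os.path.exists(path):
            problems.append(f"{name}: {path} does not exist")
        elif name == "CACertPath" and not os.path.isdir(path):
            problems.append(f"{name}: {path} is not a directory")
        elif name in PRIVATE and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            problems.append(f"{name}: {path} is readable by group or others")
    return problems


def render_m4(options):
    """Emit define() lines in the m4 syntax shown above, for the .mc file."""
    return "\n".join(f"define(`{M4_NAMES[n]}',`{p}')dnl"
                     for n, p in options.items() if n in M4_NAMES)
```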
Macros for Running SMTP With TLS
The following table describes the macros that are used by the STARTTLS command.
Table 14-14 Macros for Running SMTP With TLS

${cert_issuer}
    Holds the distinguished name (DN) of the certification authority (CA), which is the certificate issuer.

${cert_subject}
    Holds the DN of the certificate, which is called the cert subject.

${cn_issuer}
    Holds the common name (CN) of the CA, which is the cert issuer.

${cn_subject}
    Holds the CN of the certificate, which is called the cert subject.

${tls_version}
    Holds the version of TLS that is used for the connection.

${cipher}
    Holds the set of cryptographic algorithms (known as a cipher suite) that is used for the connection.

${cipher_bits}
    Holds, in bits, the key length of the symmetric encryption algorithm that is used for the connection.

${verify}
    Holds the result of the verification of the certificate that was presented. Possible values are as follows:
    OK – The verification succeeded.
    NO – No certificate was presented.
    NOT – No certificate was requested.
    FAIL – The certificate that was presented could not be verified.
    NONE – STARTTLS has not been performed.
    TEMP – A temporary error occurred.
    PROTOCOL – An SMTP error occurred.
    SOFTWARE – The STARTTLS handshake failed.

${server_name}
    Holds the name of the server with the current outgoing SMTP connection.

${server_addr}
    Holds the address of the server with the current outgoing SMTP connection.
Rule Sets for Running SMTP With TLS
The following table describes rule sets that determine whether an SMTP connection that uses
TLS should be accepted, continued, or refused.
Table 14-15 Rule Sets for Running SMTP With TLS

tls_server
    Acting as a client, sendmail uses this rule set to determine whether the server is currently supported by TLS.

tls_client
    Acting as a server, sendmail uses this rule set to determine whether the client is currently supported by TLS.

tls_rcpt
    This rule set requires verification of the recipient's MTA. This recipient restriction makes attacks such as DNS spoofing impossible.

TLS_connection
    This rule set checks the requirement that is specified by the RHS of the access map against the actual parameters of the current TLS connection.

try_tls
    sendmail uses this rule set to determine the feasibility of using STARTTLS when connecting to another MTA. If the MTA cannot properly implement STARTTLS, then STARTTLS is not used.
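An added example, not part of the Solaris documentation or of sendmail's own rule sets, that models the TLS_connection check above using the ${verify} and ${cipher_bits} macro values from Table 14-14. The access-map RHS forms VERIFY, VERIFY:bits and ENCR:bits are assumed from sendmail's cf/README; the map entries, host names and connection values are constructed.

```python
# Added example, not from the Solaris documentation: an offline model of the
# TLS_connection check, driven by the ${verify} and ${cipher_bits} macros of
# Table 14-14. RHS forms VERIFY, VERIFY:bits, ENCR:bits are assumed from
# sendmail's cf/README; map entries, hosts and connection values are constructed.

# Constructed access map. TLS_Srv: entries apply when sendmail is the client
# talking to that server; TLS_Clt: entries apply when it is the server.
ACCESS_MAP = {
    "TLS_Srv:partner.example.test": "VERIFY:128",
    "TLS_Srv:example.net": "ENCR:112",
    "TLS_Clt:10.1.2.3": "VERIFY",
}

def lookup(tag, host):
    """Exact host first, then each parent domain (access_db style lookup)."""
    labels = host.split(".")
    for i in range(len(labels)):
        rhs = ACCESS_MAP.get(f"{tag}:{'.'.join(labels[i:])}")
        if rhs is not None:
            return rhs
    return None

def tls_connection(requirement, macros):
    """Compare an access-map RHS with the connection's macro values.
    Returns (accepted, reason)."""
    verify = macros.get("verify", "NONE")
    bits = int(macros.get("cipher_bits", 0))
    if verify in ("TEMP", "PROTOCOL", "SOFTWARE"):
        return False, f"STARTTLS did not complete: verify={verify}"
    kind, _, min_bits = requirement.partition(":")
    min_bits = int(min_bits or 0)
    if kind == "VERIFY" and verify != "OK":
        return False, f"peer certificate not verified: verify={verify}"
    if kind == "ENCR" and verify == "NONE":
        return False, "connection is not encrypted"
    if kind not in ("VERIFY", "ENCR"):
        raise ValueError(f"unknown requirement {requirement!r}")
    if bits < min_bits:
        return False, f"{bits}-bit cipher is below the required {min_bits} bits"
    return True, f"{kind} satisfied: verify={verify}, cipher_bits={bits}"

def check_peer(tag, host, macros):
    """Apply the map entry for this peer, if any, to the current connection."""
    rhs = lookup(tag, host)
    if rhs is None:
        return True, "no TLS requirement for this peer"
    return tls_connection(rhs, macros)
```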
For more information, see the following:
Security Considerations Related to Running SMTP With TLS
As a standard mail protocol that defines mailers that run over the Internet, SMTP
is not an end-to-end mechanism. Because of this protocol limitation, TLS security through SMTP does
not include mail user agents. Mail user agents act as an interface between users
and a mail transfer agent such as sendmail.
Also, mail might be routed through multiple servers. For complete SMTP security the entire
chain of SMTP connections must have TLS support.
Finally, the level of negotiated authentication and privacy between each pair of servers or
a client and server pair must be considered. For more information, see Authentication Services in System Administration Guide: Security Services.
Additional Command-Line Options in Version 8.13 of sendmail
The following table describes additional command-line options that are available in version 8.13 of
sendmail. Other command-line options are described in the sendmail(1M) man page.
Table 14-16 Command-Line Options Available in Version 8.13 of sendmail

-D logfile
    Sends debugging output to the indicated logfile, instead of including this information with the standard output.

-q[!]Qsubstr
    Specifies the processing of quarantined jobs that have this substr, which is a substring of the quarantine reason. See the description of the -Qreason option. If ! is added, this option processes quarantined jobs that do not have this substr.

-Qreason
    Quarantines a normal queue item with this reason. If no reason is given, the quarantined queue item is unquarantined. This option works with the -q[!]Qsubstr option. The substr is a portion (or substring) of the reason.
Additional and Revised Configuration File Options in Version 8.13 of sendmail
The following table describes the added and revised configuration file options. If you declare
any of these options, use one of the following syntaxes.
O OptionName=argument # for the configuration file
-O OptionName=argument # for the command line
define(`m4Name',argument) # for m4 configuration
Table 14-17 Configuration File Options Available in Version 8.13 of sendmail

ConnectionRateWindowSize
    m4 name: confCONNECTION_RATE_WINDOW_SIZE
    Argument: number
    Default value: 60
    Sets the number of seconds for incoming connections to be maintained.

FallBackSmartHost
    m4 name: confFALLBACK_SMARTHOST
    Argument: hostname
    To ensure that mail gets delivered to the clients, this option provides a well-connected host that serves as a backup (or failover) for MX records that fail.

InputMailFilters
    m4 name: confINPUT_MAIL_FILTERS
    Argument: filename
    Lists the input mail filters for the sendmail daemon.

PidFile
    m4 name: confPID_FILE
    Argument: filename
    Default value: /var/run/sendmail.pid
    As in previous releases, the file name is macro-expanded before it is opened. Additionally, in version 8.13, the file is unlinked when sendmail exits.

QueueSortOrder
    m4 name: confQUEUE_SORT_ORDER
    Added argument: none
    In version 8.13, none is used to specify no sorting order.

RejectLogInterval
    m4 name: confREJECT_LOG_INTERVAL
    Argument: period-of-time
    Default value: 3h, which represents three hours
    When a daemon connection is refused for the period-of-time specified, the information is logged.

SuperSafe
    m4 name: confSAFE_QUEUE
    Short name: s
    Added argument: postmilter
    Default value: true
    If postmilter is set, sendmail defers synchronizing the queue file until all milters have signaled acceptance of the message. For this argument to be useful, sendmail must be running as an SMTP server. Otherwise, postmilter operates as if you are using the true argument.
Additional and Revised FEATURE() Declarations in Version 8.13 of sendmail
The following table describes the added and revised FEATURE() declarations. This m4 macro uses the
following syntax.
FEATURE(`name', `argument')
Table 14-18 FEATURE() Declarations Available in Version 8.13 of sendmail

conncontrol
    Works with the access_db rule set to check the number of incoming SMTP connections. For details, see /etc/mail/cf/README.

greet_pause
    Adds the greet_pause rule set, which enables open proxy and SMTP slamming protection. For details, see /etc/mail/cf/README.

local_lmtp
    The default argument continues to be mail.local, which is the LMTP-capable mailer in this Solaris release. However, in version 8.13, if a different LMTP-capable mailer is used, its path name can be specified as a second parameter, and the arguments that are passed to the second parameter can be specified in the third parameter. For example:
    FEATURE(`local_lmtp', `/usr/local/bin/lmtp', `lmtp')

mtamark
    Provides experimental support for “Marking Mail Transfer Agents in Reverse DNS with TXT RRs” (MTAMark). For details, see /etc/mail/cf/README.

ratecontrol
    Works with the access_db rule set to control connection rates for hosts. For details, see /etc/mail/cf/README.

use_client_ptr
    If this FEATURE() is enabled, the rule set check_relay overrides its first argument with this argument, $&{client_ptr}.