HP UX Bastille Software manual Sendmail.sendmaildaemon, Sendmail.vrfyexpn

NOTE: While processing the mail queue, sendmail does not accept inbound connections.

NOTE: The 15 minute interval can be changed later. See crontab(1).

Actions

Set a cron job to run /usr/sbin/sendmail -q every 15 minutes.

Sendmail.sendmaildaemon

Headline

Stop sendmail from running in daemon mode.

Default

Y

Description

To send and receive mail, sendmail does not need to be running in daemon mode. Unless you have a constant network connection, you cannot run sendmail in daemon mode. Daemon mode means that sendmail is constantly listening on a network connection waiting to receive mail. If you disable daemon mode, HP-UX Bastille asks if you would like to run sendmail every few minutes to process the queue of outgoing mail. Most programs send mail immediately, and processing the queue takes care of transient errors. If you receive all of your email through a POP/IMAP mailbox provided by your ISP, you may not need daemon-mode sendmail, unless you run a special fetchmail-style POP/IMAP-based retrieval program. For example, if you read your mail with the Netscape common POP/IMAP read functionality, turn daemon mode off. The only reason to run sendmail in daemon mode is if you run a mail server.

Actions

In the /etc/rc.config.d/mailservs file, set SENDMAIL_SERVER=0.

Sendmail.vrfyexpn

Headline

Disable the VRFY and EXPN sendmail commands.

Default

Y

Description

An attacker can use the sendmail vrfy (verify recipient existence) and expn (expand recipient alias/list contents) commands to learn more about accounts on the system. For example, the expn command can be used to find out where the postmaster and abuse aliases are redirected. This identifies which user account belongs to the system administrator. These sendmail commands can be disabled without breaking anything and make the system cracker's job more difficult. The only reasons to leave them on are because you run an old-fashioned friendly site, you use them to debug your own mail server, or some software you use relies on this.

Actions

In the sendmail configuration file /etc/mail/sendmail.cf, append the O PrivacyOptions=goaway line.
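
The following audit script is an added example, not part of the HP-UX Bastille manual or product. It checks that the Sendmail.sendmaildaemon and Sendmail.vrfyexpn actions are in effect, and that a queue-run cron entry exists when daemon mode is off. The function names and PASS/WARN/FAIL messages are this example's own; goaway is accepted because it is sendmail's shorthand that includes novrfy and noexpn.

```shell
#!/bin/sh
# Added example: audit the Sendmail.sendmaildaemon and Sendmail.vrfyexpn
# actions. Files are passed as arguments so checks can run against copies.

# True if the last uncommented SENDMAIL_SERVER assignment is 0.
daemon_disabled() {
    val=$(grep -E '^[[:space:]]*(export[[:space:]]+)?SENDMAIL_SERVER=' "$1" |
        tail -1 | sed -e 's/.*SENDMAIL_SERVER=//' -e 's/[[:space:];#].*//' |
        tr -d "\"'")
    [ "$val" = "0" ]
}

# True if a crontab listing runs the queue with /usr/sbin/sendmail -q.
queue_run_scheduled() {
    grep -E '^[^#]*[[:space:]]/usr/sbin/sendmail[[:space:]]+-q([[:space:]]|$)' \
        "$1" >/dev/null
}

# True if the last "O PrivacyOptions=" line carries goaway, or both novrfy
# and noexpn. Reading only the last line is a conservative assumption: a
# pass then holds whether repeated option lines override or accumulate.
vrfy_expn_disabled() {
    opts=$(grep -E '^O[[:space:]]*PrivacyOptions[[:space:]]*=' "$1" |
        tail -1 | sed 's/^[^=]*=//' | tr -s ' \t' ',,')
    case ",$opts," in *,goaway,*) return 0 ;; esac
    case ",$opts," in *,novrfy,*) ;; *) return 1 ;; esac
    case ",$opts," in *,noexpn,*) return 0 ;; esac
    return 1
}

# Arguments: mailservs file, sendmail.cf file, crontab listing.
audit_sendmail() {
    rc=0
    if daemon_disabled "$1"; then
        echo "PASS daemon mode off (SENDMAIL_SERVER=0)"
        queue_run_scheduled "$3" ||
            { echo "WARN no 'sendmail -q' cron entry to process the queue"; rc=1; }
    else
        echo "FAIL SENDMAIL_SERVER is not 0"; rc=1
    fi
    if vrfy_expn_disabled "$2"; then
        echo "PASS VRFY/EXPN disabled"
    else
        echo "FAIL PrivacyOptions lacks goaway (or novrfy and noexpn)"; rc=1
    fi
    return $rc
}

if [ $# -eq 3 ]; then audit_sendmail "$@"; fi
```

Run it with the two configuration files named in the Actions above and a saved copy of the output of crontab -l as the third argument; the exit status is non-zero if any check fails.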
