NOTE:

While processing the mail queue, sendmail does not accept inbound connections.

NOTE:

The 15 minute interval can be changed later. See crontab(1).

Actions

Set a cron job to run /usr/sbin/sendmail -q every 15 minutes.

Sendmail.sendmaildaemon

Headline

Stop sendmail from running in daemon mode.

Default

Y

Description

To send and receive mail, sendmail does not need to be running in daemon mode. Unless you have a constant network connection, you cannot run sendmail in daemon mode. Daemon mode means that sendmail is constantly listening on a network connection waiting to receive mail. If you disable daemon mode, HP-UX Bastille asks if you would like to run sendmail every few minutes to process the queue of outgoing mail. Most programs send mail immediately, and processing the queue takes care of transient errors. If you receive all of your email through a POP/IMAP mailbox provided by your ISP, you may not need daemon-mode sendmail, unless you run a special fetchmail-style POP/IMAP-based retrieval program. For example, if you read your mail with the Netscape common POP/IMAP read functionality, turn daemon mode off. The only reason to run sendmail in daemon mode is if you run a mail server.

Actions

In the /etc/rc.config.d/mailservs file, set SENDMAIL_SERVER=0.

Sendmail.vrfyexpn

Headline

Disable the VRFY and EXPN sendmail commands.

Default

Y

Description

An attacker can use the sendmail vrfy (verify recipient existence) and expn (expand recipient alias/list contents) commands to learn more about accounts on the system. For example, the expn command can be used to find out where the postmaster and abuse aliases are redirected. This identifies which user account belongs to the system administrator. These sendmail commands can be disabled without breaking anything and make the system cracker's job more difficult. The only reasons to leave them on are because you run an old-fashioned friendly site, you use them to debug your own mail server, or some software you use relies on this.

Actions

In the sendmail configuration file /etc/mail/sendmail.cf, append the O PrivacyOptions=goaway line.
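
The three Actions on this page (the queue cron job, SENDMAIL_SERVER=0 and PrivacyOptions=goaway) can be verified after the fact. The script below is an added example, not part of HP-UX Bastille or the original manual; its function names and sample files are hypothetical. It assumes that the flags of all O PrivacyOptions lines combine and that the crontab has been saved to a file (for example with crontab -l).

```shell
# Added audit sketch, not part of HP-UX Bastille; file paths are arguments.

# 0 if the last SENDMAIL_SERVER assignment in the rc config file is 0.
daemon_disabled() {
    awk '/^[ \t]*#/ { next }
         match($0, /SENDMAIL_SERVER=[^ \t;#]*/) { v = substr($0, RSTART + 16, RLENGTH - 16) }
         END { gsub(/"/, "", v); exit (v != "0") }' "$1"
}

# Print every PrivacyOptions flag in a sendmail.cf, lowercased, one per line.
# Assumption: flags from all "O PrivacyOptions=" lines are combined.
privacy_flags() {
    awk '/^O[ \t]*PrivacyOptions[ \t]*=/ { sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
         n = split(tolower($0), f, ","); for (i = 1; i <= n; i++) print f[i] }' "$1"
}

# 0 if the SMTP command $1 (vrfy or expn) is refused: goaway covers both.
cmd_disabled() {
    privacy_flags "$2" | grep -q -x -e goaway -e "no$1"
}

# 0 if an active crontab line runs "/usr/sbin/sendmail -q" as a one-shot queue run.
queue_job_present() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq '/usr/sbin/sendmail[[:space:]]+-q([[:space:]]|$)'
}

# audit <mailservs> <sendmail.cf> <crontab listing>; returns the failure count.
audit() {
    fails=0
    daemon_disabled "$1"   || { echo "FAIL SENDMAIL_SERVER is not 0"; fails=$((fails + 1)); }
    cmd_disabled vrfy "$2" || { echo "FAIL VRFY is answered"; fails=$((fails + 1)); }
    cmd_disabled expn "$2" || { echo "FAIL EXPN is answered"; fails=$((fails + 1)); }
    queue_job_present "$3" || { echo "FAIL no sendmail -q cron job"; fails=$((fails + 1)); }
    echo "$fails check(s) failed"; return "$fails"
}

# Constructed sample files (not from a real host): a weak and a hardened set.
make_samples() {
    printf 'export SENDMAIL_SERVER=1\n' > "$1/weak.mailservs"
    printf 'export SENDMAIL_SERVER=0\n' > "$1/hard.mailservs"
    printf 'O PrivacyOptions=authwarnings\n' > "$1/weak.cf"
    printf 'O PrivacyOptions=authwarnings\nO PrivacyOptions=goaway\n' > "$1/hard.cf"
    printf '# no mail job\n' > "$1/weak.cron"
    printf '0,15,30,45 * * * * /usr/sbin/sendmail -q\n' > "$1/hard.cron"
}

d=$(mktemp -d); make_samples "$d"
audit "$d/weak.mailservs" "$d/weak.cf" "$d/weak.cron" || true
audit "$d/hard.mailservs" "$d/hard.cf" "$d/hard.cron"; rm -rf "$d"
```

On a real host, pass /etc/rc.config.d/mailservs, /etc/mail/sendmail.cf and the saved crontab listing to audit.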

HP UX Bastille Software manual Sendmail.sendmaildaemon, Sendmail.vrfyexpn