sendmail blues

sendmail blues

[Yuri Csapo]

[-- Attachment #1: Type: text/plain, Size: 2177 bytes --]

Hi all, I've an unusual (for me) problem:

- I'm running RHEL release 3 (taroon). I know, I know. Nothing I can do - it's the application 
vendor's requirement.
- This application also MUST have some Sun MTA installed and running, even if we don't use it - and 
we don't. This MTA sits on ports SMTP, SSMTP, IMAP and POP, HTTP and HTTPS and provides services to 
the application only, NOT TO THE OS.
- We still need to be able to mail admin stuff such as logwatch and others. RedHat comes with 
sendmail and we are trying to keep this box as close as possible to default configuration.
- The sendmail queue runner by itself is not enough because I can't find a way to make it expand 
aliases - root messages end up going to root@mines.edu, which is not where I want them to go.
- Sendmail won't start because the silly Sun app is squatting on port 25.
- If I use DaemonPortOptions to tell sendmail to listen on a different port then I get sendmail to 
start but I haven't found a way to make the queue runner send to that port on localhost. The runner 
ends up connecting to port 25, which is the Sun MTA, who proceeds to deny the connection.

Does anybody know how to do one of the following:

- make the sendmail queue runner expand aliases
- make the queue runner send to a port other than 25
- make sendmail behave like in the good old days and forgo the need for the queue runner

Some options that have crossed my mind but which I'm trying to avoid:

- redirect port 25 using iptables
- modify sendmail's source and recompile (ugh)
- give up on sendmail and install exim or postfix or something that can be understood by someone who 
hasn't read the Bat Book in the last 6 years and who is not particularly inclined to read it again.

Any other ideas?

TIA

Yuri

-- 
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone:  (303) 273-3503
Fax:      (303) 273-3475
Email:   ycsapo@mines.edu

Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster

[-- Attachment #2: ycsapo.vcf --]
[-- Type: text/x-vcard, Size: 200 bytes --]

begin:vcard
fn:Yuri Csapo
n:Csapo;Yuri
org:Colorado School of Mines;CCIT
email;internet:ycsapo@mines.edu
title:System Administrator
tel;work:(303) 273-3503
x-mozilla-html:FALSE
version:2.1
end:vcard

Re: sendmail blues

[Gerardo Juarez-Mondragon]

Yuri,

Another possibility: why not configure the 'killer' MTA application to
use other ports: 20025 instead of 25, etc. (adding 20000 to each seems
like a good idea). After all, you don't use it. It's logical it should
sit there, but out of the way. The other road is much more bumpy, I
can assure you.

Gerardo

On Fri, Nov 6, 2009 at 3:54 PM, Yuri Csapo <ycsapo@exchange.mines.edu> wrote:
> Hi all, I've an unusual (for me) problem:
>
> - I'm running RHEL release 3 (taroon). I know, I know. Nothing I can do -
> it's the application vendor's requirement.
> - This application also MUST have some Sun MTA installed and running, even
> if we don't use it - and we don't. This MTA sits on ports SMTP, SSMTP, IMAP
> and POP, HTTP and HTTPS and provides services to the application only, NOT
> TO THE OS.
> - We still need to be able to mail admin stuff such as logwatch and others.
> RedHat comes with sendmail and we are trying to keep this box as close as
> possible to default configuration.
> - The sendmail queue runner by itself is not enough because I can't find a
> way to make it expand aliases - root messages end up going to
> root@mines.edu, which is not where I want them to go.
> - Sendmail won't start because the silly Sun app is squatting on port 25.
> - If I use DaemonPortOptions to tell sendmail to listen on a different port
> then I get sendmail to start but I haven't found a way to make the queue
> runner send to that port on localhost. The runner ends up connecting to port
> 25, which is the Sun MTA, who proceeds to deny the connection.
>
> Does anybody know how to do one of the following:
>
> - make the sendmail queue runner expand aliases
> - make the queue runner send to a port other than 25
> - make sendmail behave like in the good old days and forgo the need for the
> queue runner
>
> Some options that have crossed my mind but which I'm trying to avoid:
>
> - redirect port 25 using iptables
> - modify sendmail's source and recompile (ugh)
> - give up on sendmail and install exim or postfix or something that can be
> understood by someone who hasn't read the Bat Book in the last 6 years and
> who is not particularly inclined to read it again.
>
> Any other ideas?
>
> TIA
>
> Yuri
>
> --
> Yuri Csapo
> Academic Computing & Networking
> Colorado School of Mines
> CT-256
> Phone:  (303) 273-3503
> Fax:      (303) 273-3475
> Email:   ycsapo@mines.edu
>
> Please use the following link to open a service request:
> http://helpdesk.mines.edu
> ===========================================
> With a PC, I always felt limited
> by the software available.
> On Unix, I am limited only by my knowledge.
> --Peter J. Schoenster
>

Re: sendmail blues

[Max Gribov]

On Fri, 2009-11-06 at 14:54 -0700, Yuri Csapo wrote:
> Hi all, I've an unusual (for me) problem:
> - give up on sendmail and install exim or postfix or something that can be understood by someone who 
> hasn't read the Bat Book in the last 6 years and who is not particularly inclined to read it again.

well, if you install postfix you can make it listen on localhost only,
and have its queue connect to the right place.

ubuntu default postfix config from any installation has the correct
configuration, you just have to comment out these 2 lines:
default_transport = error
relay_transport = error

it should be a very easy install


> 
> Any other ideas?
> 
> TIA
> 
> Yuri
> 

Re: sendmail blues

[Yuri Csapo]

[-- Attachment #1: Type: text/plain, Size: 3563 bytes --]

Gerardo,

Thank you for your reply. It is a good idea. I just need to check if it impacts the application as 
it may be that it e-mails itself on port 25. I'll check.

Yuri

Gerardo Juarez-Mondragon wrote:
> Yuri,
> 
> Another possibility: why not configure the 'killer' MTA application to
> use other ports: 20025 instead of 25, etc. (adding 20000 to each seems
> like a good idea). After all, you don't use it. It's logical it should
> sit there, but out of the way. The other road is much more bumpy, I
> can assure you.
> 
> Gerardo
> 
> On Fri, Nov 6, 2009 at 3:54 PM, Yuri Csapo <ycsapo@exchange.mines.edu> wrote:
>> Hi all, I've an unusual (for me) problem:
>>
>> - I'm running RHEL release 3 (taroon). I know, I know. Nothing I can do -
>> it's the application vendor's requirement.
>> - This application also MUST have some Sun MTA installed and running, even
>> if we don't use it - and we don't. This MTA sits on ports SMTP, SSMTP, IMAP
>> and POP, HTTP and HTTPS and provides services to the application only, NOT
>> TO THE OS.
>> - We still need to be able to mail admin stuff such as logwatch and others.
>> RedHat comes with sendmail and we are trying to keep this box as close as
>> possible to default configuration.
>> - The sendmail queue runner by itself is not enough because I can't find a
>> way to make it expand aliases - root messages end up going to
>> root@mines.edu, which is not where I want them to go.
>> - Sendmail won't start because the silly Sun app is squatting on port 25.
>> - If I use DaemonPortOptions to tell sendmail to listen on a different port
>> then I get sendmail to start but I haven't found a way to make the queue
>> runner send to that port on localhost. The runner ends up connecting to port
>> 25, which is the Sun MTA, who proceeds to deny the connection.
>>
>> Does anybody know how to do one of the following:
>>
>> - make the sendmail queue runner expand aliases
>> - make the queue runner send to a port other than 25
>> - make sendmail behave like in the good old days and forgo the need for the
>> queue runner
>>
>> Some options that have crossed my mind but which I'm trying to avoid:
>>
>> - redirect port 25 using iptables
>> - modify sendmail's source and recompile (ugh)
>> - give up on sendmail and install exim or postfix or something that can be
>> understood by someone who hasn't read the Bat Book in the last 6 years and
>> who is not particularly inclined to read it again.
>>
>> Any other ideas?
>>
>> TIA
>>
>> Yuri
>>
>> --
>> Yuri Csapo
>> Academic Computing & Networking
>> Colorado School of Mines
>> CT-256
>> Phone:  (303) 273-3503
>> Fax:      (303) 273-3475
>> Email:   ycsapo@mines.edu
>>
>> Please use the following link to open a service request:
>> http://helpdesk.mines.edu
>> ===========================================
>> With a PC, I always felt limited
>> by the software available.
>> On Unix, I am limited only by my knowledge.
>> --Peter J. Schoenster
>>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone:  (303) 273-3503
Fax:      (303) 273-3475
Email:   ycsapo@mines.edu

Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster

[-- Attachment #2: ycsapo.vcf --]
[-- Type: text/x-vcard, Size: 200 bytes --]

begin:vcard
fn:Yuri Csapo
n:Csapo;Yuri
org:Colorado School of Mines;CCIT
email;internet:ycsapo@mines.edu
title:System Administrator
tel;work:(303) 273-3503
x-mozilla-html:FALSE
version:2.1
end:vcard

Re: sendmail blues

[Yuri Csapo]

[-- Attachment #1: Type: text/plain, Size: 1422 bytes --]

Max,

Thank you for your reply. Listening on localhost only won't help unfortunately, as the Sun app sits 
on that too. A pity, as it would have been easy to do that on sendmail - and it's not every day that 
you can use the words 'easy' and 'sendmail' in the same sentence :)

Yuri

Max Gribov wrote:
> On Fri, 2009-11-06 at 14:54 -0700, Yuri Csapo wrote:
>> Hi all, I've an unusual (for me) problem:
>> - give up on sendmail and install exim or postfix or something that can be understood by someone who 
>> hasn't read the Bat Book in the last 6 years and who is not particularly inclined to read it again.
> 
> well, if you install postfix you can make it listen on localhost only,
> and have its queue connect to the right place.
> 
> ubuntu default postfix config from any installation has the correct
> configuration, you just have to comment out these 2 lines:
> default_transport = error
> relay_transport = error
> 
> it should be a very easy install
> 
> 
>> Any other ideas?
>>
>> TIA
>>
>> Yuri
>>
> 

-- 
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone:  (303) 273-3503
Fax:      (303) 273-3475
Email:   ycsapo@mines.edu

Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster

[-- Attachment #2: ycsapo.vcf --]
[-- Type: text/x-vcard, Size: 200 bytes --]

begin:vcard
fn:Yuri Csapo
n:Csapo;Yuri
org:Colorado School of Mines;CCIT
email;internet:ycsapo@mines.edu
title:System Administrator
tel;work:(303) 273-3503
x-mozilla-html:FALSE
version:2.1
end:vcard

Re: sendmail blues

[Max Gribov]

On Fri, 2009-11-06 at 16:53 -0700, Yuri Csapo wrote:
> Max,
> 
> Thank you for your reply. Listening on localhost only won't help unfortunately, as the Sun app sits 
> on that too. A pity, as it would have been easy to do that on sendmail - and it's not every day that 
> you can use the words 'easy' and 'sendmail' in the same sentence :)

try commenting out in /etc/postfix/master.cf:
smtp      inet  n       -       -       -       -       smtpd

that way smtp wont run on a tcp socket
local delivery should be ok

> 
> Yuri
> 
> Max Gribov wrote:
> > On Fri, 2009-11-06 at 14:54 -0700, Yuri Csapo wrote:
> >> Hi all, I've an unusual (for me) problem:
> >> - give up on sendmail and install exim or postfix or something that can be understood by someone who 
> >> hasn't read the Bat Book in the last 6 years and who is not particularly inclined to read it again.
> > 
> > well, if you install postfix you can make it listen on localhost only,
> > and have its queue connect to the right place.
> > 
> > ubuntu default postfix config from any installation has the correct
> > configuration, you just have to comment out these 2 lines:
> > default_transport = error
> > relay_transport = error
> > 
> > it should be a very easy install
> > 
> > 
> >> Any other ideas?
> >>
> >> TIA
> >>
> >> Yuri
> >>
> > 
> 

Re: sendmail blues

[Glynn Clements]

Yuri Csapo wrote:

> Does anybody know how to do one of the following:
> 
> - make the sendmail queue runner expand aliases
> - make the queue runner send to a port other than 25
> - make sendmail behave like in the good old days and forgo the need for the queue runner

Sendmail only uses submit.cf if it exists, otherwise it uses
sendmail.cf. Also, you can force a particular configuration with the
-Ac and -Am switches.

However: if /usr/sbin/sendmail isn't setuid-root (like it was in the
"good old days"), direct delivery (bypassing the submission queue)
won't work for anyone other than root.

FWIW, the rationale behind having a separate MSP is to eliminate the
need for sendmail to be setuid-root; instead, the sendmail binary is
setgid to the "smmsp" group.

When sendmail is invoked by a normal user, setgid-smmsp is sufficient
to add the message to the submission queue. The daemon is started by
root, and runs with root privilege, so it is capable of completing the
delivery process.

BTW, Local delivery shouldn't require that anything is listening on
port 25. However, you may have to tell sendmail what constitutes
"local"; it's possible that sendmail is treating "localhost" as a
normal (remote) domain rather than a local one.

-- 
Glynn Clements <glynn@gclements.plus.com>

Re: sendmail blues

[Yuri Csapo]

Glynn,

Thank you for the thorough answer - reminded me of "the good old days."

Glynn Clements wrote:
> Sendmail only uses submit.cf if it exists, otherwise it uses
> sendmail.cf. Also, you can force a particular configuration with the
> -Ac and -Am switches.

I was not aware of this. I'll do some tests Monday.

> FWIW, the rationale behind having a separate MSP is to eliminate the
> need for sendmail to be setuid-root; instead, the sendmail binary is
> setgid to the "smmsp" group.

I understand the rationale. And I suppose it makes sense these days when 
a lot of people running Linux are desktop users who have no idea and no 
desire to learn better. Sendmail was hit hard in the early days of the 
Eternal September because of this, so they had to do something. OTOH I 
always thought it very silly how everybody runs away from the root user, 
designing mechanisms to prevent its use (i.e. root can't log on to a 
default install of Ubuntu). It ends up turning sudo into Linux's version 
of Microsoft's OK button - people use without reading, understanding or 
caring, compounding the problem. Of course you shouldn't be root for 
your day-to-day tasks but there's nothing wrong with using root when 
that's required. It's a matter of common sense and best practices. Sorry 
for the rant, you just happened to push one of my buttons... <sm>

> 
> BTW, Local delivery shouldn't require that anything is listening on
> port 25. However, you may have to tell sendmail what constitutes
> "local"; it's possible that sendmail is treating "localhost" as a
> normal (remote) domain rather than a local one.
> 

Local delivery is not what I'm looking for. I want this box to forward 
along to our smart host.

Thanks

Yuri

Re: sendmail blues

[Glynn Clements]

Yuri Csapo wrote:

> > BTW, Local delivery shouldn't require that anything is listening on
> > port 25. However, you may have to tell sendmail what constitutes
> > "local"; it's possible that sendmail is treating "localhost" as a
> > normal (remote) domain rather than a local one.
> 
> Local delivery is not what I'm looking for. I want this box to forward 
> along to our smart host.

If it wasn't for the need to expand aliases locally, you could just
use:

	FEATURE(`msp', `smarthost.mydomain.com')dnl

and not run the "normal" sendmail daemon.

If the Sun MTA doesn't use port 587, try:

	FEATURE(`msp',`[127.0.0.1]',`MSA')dnl

in submit.mc and:

	FEATURE(`no_default_msa')dnl
	DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')dnl

in sendmail.mc.

This should force the MSP to send to port 587, and the main daemon to
listen *only* on port 587.

The cf files don't provide any way to specify an arbitrary port, but
you could always modify feature/msp.m4 to allow this
(LOCAL_MAILER_ARGS needs to be set to "TCP $h <port>" when
MAILER(`local') is processed), or just modify submit.cf manually.

-- 
Glynn Clements <glynn@gclements.plus.com>