Configuring Anti-Spam in AIX 4.3.3

Contents

This document describes how to configure sendmail anti-relay.

The information in this document applies to AIX Version 4.3.3 and sendmail 8.9.3.

Related documentation

The product documentation library is also available at the following URL:
http://www.rs6000.ibm.com/resource/Pubs/index.html

1. Ensure that the bos.net.tcp.adt fileset is installed on your system. If it is not, install it using SMIT. Check that the fileset is installed:

   	lslpp -l bos.net.tcp.adt
   

2. AIX 4.3.3 ships the necessary tools and macros to generate custom sendmail configuration files. Once the fileset bos.net.tcp.adt is loaded, you can find the tools in /usr/samples/tcpip/sendmail/cf. Enter:

   	cd /usr/samples/tcpip/sendmail/cf
   

3. The file aix433.mc is under this directory and contains the features that allow for sendmail customization. The one that allowed for open relay is FEATURE(promiscuous_relay)dnl. A typing error also exists in this file that you must change. Before making changes, rename the file so that you do not write over the original. Enter:

   	cp aix.mc aix433.norelay.mc
   

4. The original file looks like the example below, except for the comments. Use the comments as a guide in editing the new file. Using your favorite editor, open the file:

   	aix433.norelay.mc
   

   NOTE: The .mc file can be edited for whatever FEATURES are needed for your new sendmail.cf.

   These features are documented at http://www.sendmail.org/m4/features.html.

   Below is an example of a minimum .mc file:
   

   divert(0)dnl
   OSTYPE(aix43)dnl                                                             --->typing error 'aix43' changed                                                                                                                to read 'aix433'
   FEATURE(genericstable)dnl                                           --->remove line if not needed
   FEATURE(mailertable)dnl                                                --->remove line if not needed
   FEATURE(virtusertable)dnl                                           --->remove line if not needed
   FEATURE(domaintable)dnl                                                --->remove line if not needed
   FEATURE(allmasquerade)dnl
   FEATURE(promiscuous_relay)dnl                                     --->remove line to stop                                                                                                                  unauthorized relay
   FEATURE(accept_unresolvable_domains)dnl                  --->remove this line to enhance                                                                                                                   security
   FEATURE(accept_unqualified_senders)dnl                     --->remove this line to enhance                                                                                                                    security
   DOMAIN(generic)dnl
   MAILER(local)dnl
   MAILER(smtp)dnl
   MAILER(uucp) NOTE: If a line is not desired, it must be removed. Commenting them out does not work. The entry that is responsible for the relay is FEATURE(promiscuous_relay)dnl.

   Here is a basic example that will deny unauthorized relay:

   divert(0)dnl

   OSTYPE(aix433)dnl                                             --->note the edit to 'aix433'

   FEATURE(allmasquerade)dnl

   DOMAIN(generic)dnl

   MAILER(local)dnl

   MAILER(smtp)dnl

   Rebuild the new sendmail.cf file using the new options. You must be under the /usr/samples/tcpip/sendmail/cf directory, otherwise, it will not work. Enter:

   	m4 ../m4/cf.m4 aix433.norelay.mc > testmail.cf
   

   Now you should have a new testmail.cf file under the /usr/samples/tcpip/sendmail/cf directory. Rename your old sendmail.cf and replace it with the new one. Enter:

   	mv /etc/sendmail.cf /etc/sendmail.cf.orig
   	mv testmail.cf /etc/sendmail.cf
   

   You must make at least one change to the new sendmail.cf. Comment out the Fw-o /etc/sendmail.cw or create the /etc/sendmail.cw entry. Also note the line in the new sendmail.cf that points to the file where you specify the hosts or domains you want to allow to relay. Using your favorite editor, open the following file:

   	/etc/sendmail.cf
   

   Search for the following section and comment out the line as indicated below.

         # file containing names of hosts for which we receive email
         #Fw-o /etc/sendmail.cw
   

   NOTE: This is the entry for the file that will allow hosts to relay. No need to make any changes here.

   	#Hosts that will permit relaying ($=R)
   	FR-o /etc/mail/relay-domains
   

   Now you must add the domains for which your server will allow relay. Using your favorite editor, edit the following file:

   	/etc/mail/relay-domains
   

   NOTE: You may have to create the /etc/mail directory. Below are some sample entries.

           lab.net
           test.com
           lab.mail.edu
   

Finally, you must refresh the sendmail daemon to put the new configuration into effect. Enter:

	refresh -s sendmail

	lssrc -s sendmail

	Subsystem	Group	  PID    Status
	sendmail	mail	  5424   active

	startsrc -s sendmail -a "-bd -q30m"

This section explains what to do if sendmail fails to operate.

Using startsrc to start sendmail will hide error messages from you. To gain a hint as to why sendmail is failing to run, try starting sendmail like so:

        sendmail -bd -q30m

Any error messages will be displayed to the console as sendmail is started.