sendmail: implementing a “catch all” address

You may find yourself needing to implement a “catch all” email address, i.e. every email directed to your domain, regardless of whether the user exists or not, is not rejected but instead delivered to a single mailbox. There are various approaches to the problem, and we will see some here:

First, the easy way:

Using FEATURE(`virtusertable') one can do that in a single line:

@example.com          catch-all@delivery.host.name

You can even exclude some addresses and have email delivered to their own mailbox instead of catch-all:

user1@example.com          user1@delivery.host.name
user2@example.com          user2@delivery.host.name
@example.com                 catch-all@delivery.host.name

The sendmail.mc way:

Normally the above trick, which is adequately described in cf/README and the bat book, should be enough. But there may be cases where it is not the solution that you want, or simply because it-is-not-invented-here. For example, you may want to redirect to catch-all all email directed to existing users of the system, as opposed to the virtusertable trick which does this unconditionally:

LOCAL_CONFIG
Kuser user -m -a.FOUND

LOCAL_RULE_0
R$- < @ $=w . > $*        $: $(user $1 $) < @ $2 . > $3
R$- . FOUND < @ $=w . > $*          $@ catch-all < @ $2 . > $3

Or, you may want to redirect to the catch-all address all email directed to non-existing users of the system:

MODIFY_MAILER_FLAGS(`LOCAL', `-w')dnl
FEATURE(`local_procmail')dnl
MAILER(`smtp')dnl

LOCAL_CONFIG
Kuser user -m -a.FOUND

LOCAL_RULE_0
R$- < @ $=w . > $*        $(user $1 $)
R$- . FOUND          $#local $: $1
R$-                    $#local $: bit-bucket

In fact (with bit-bucket aliased to /dev/null) the above example silently discards every email not directed to an existing user.

The Phenomenon of Science

Internet Systematics is a blog maintained by Yannis Corovesis (a well known Engineer from the stone ages of the Greek Internet) and is the result of his observations as well as of his participation in the process of building the global Internet over the years.

In his latest post he mentions Turchin’s book “The Phenomenon of Science” which apparently is out of print. But thanks to the Internet, not out of availability: You can read it from Scribd, or even download it from here.

nmap book

This landed today at nmap-hackers: Fyodor finished “Nmap network scanning” and it is shipping. From the book’s abstract:

Nmap Network Scanning is the official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap’s original author suits all levels of security and networking professionals. The reference guide documents every Nmap feature and option, while the remainder demonstrates how to apply them to quickly solve real-world tasks. Examples and diagrams show actual communication on the wire. Topics include subverting firewalls and intrusion detection systems, optimizing Nmap performance, and automating common networking tasks with the Nmap Scripting Engine.

16 – game over

Someone once decided that a man is fit to carry a weapon in order to carry out his job.

Now a child is dead.

Tomorrow it will be our own children.

Babakis asks why we still stay here. We will not leave our city. We will not leave our country. They will leave.

Night.

An election experience…

– What committee is this that we voted for?
– For Occupational Health and Safety (Law 1568/1985)
– What are committees without money worth?

I held myself back…

For the record, and to my great surprise, I was elected to this committee (it was formed for the first time since 1985). Let's see what we will achieve.

#include <std/disclaimer.h>

The New School of Information Security

I just finished reading “The New School of Information Security” which is written by Adam Shostack and Andrew Stewart. Reader of this blog thanasisk and I disagree on the value of the book. He considers it as overrated while I say that it is simply different.

I read this book on the bus (while going to work and returning from it). First of all, it is not a book. I would call it a long paper (160 pages long). Second, every two or three pages the message of the book repeats itself: We need objective data. If one wants to summarize “The New School” in two bullets, these would be:

  • We need objective data, so let’s start sharing data and not wait for others to share first.
  • Amateurs study Cryptography; Professionals study Economics.

Actually the second bullet is the title of chapter 6. People forget that cryptographers study cryptography. We apply it!

So does this book bring any new knowledge to the table? It depends on who you are. For me, who has passed from a variety of information security outposts (from security oriented system administration, to running an emergency response team and passing the CISA exam among others) the book does not offer any new knowledge. It clearly points out the “generalist versus specialist” debate (if you read sage-members sometimes such threads occur) and pushes the reader to think outside of his domain of expertise.

Information Security is always a lot more than what you deal with. So what did I get by reading the book?

So is this book overrated? Well, if you have the experience that thanasisk carries you can live without reading it. Is it different? Since it is a 160-page-long paper (manifest if you like) of course. Is it readable? Yes! Should you read it? If you are an eager mind dealing with system administration or information security (at any level; from junior to senior) definitely yes! It will always remind you that Information Security is a whole lot more than what you think it is, are dealing with or are interested in. For it certainly is not only writing policies, running a vulnerability scanner or finding that next buffer overflow that will give you root access.

For me the most powerful statement of the book remains the title of chapter 6:

Amateurs study Cryptography; Professionals study Economics.

PS: Adam Shostack blogs interesting stuff over at Emergent Chaos.

sendmail: when local users are not users of the system – part 2

Continuing from the previous post in this series, let’s see how one can deal with incoming email that must be delivered both to physical users of the system and users not visible via /etc/passwd:

LOCAL_CONFIG
Kuser user -m -a.FOUND

LOCAL_RULE_0
# Unconditionally redirect email to abuse and Postmaster
RPostmaster  < @ $=w . > $*        $: Postmaster  < @example.com. > $3
Rabuse  < @ $=w . > $*        $: abuse  < @example.com. > $3

# Deliver email to yiorgos locally
Ryiorgos  < @ $=w . > $*        $# local $: $1

# Delete email directed to all other users in /etc/passwd
R$-  < @ $=w . > $*        $(user $1 $)
R$- . FOUND        $#local $: bit-bucket

# The following is valid only if sendmail is instructed to not check /etc/passwd.
# This is achieved with MODIFY_MAILER_FLAGS(`LOCAL', `-w')dnl
R$- < @ $=w . > $*        $#custom.local $: $1

What does the above snippet do? The first set of rules accepts all incoming email addressed to Postmaster and abuse and redirects it to Postmaster@example.com and abuse@example.com.

The second set of rules accepts and delivers locally all incoming email addressed to user yiorgos.

The third set deletes all incoming email for all other users listed in /etc/passwd. One may refine that using a (sendmail) class definition and decide to do so for incoming email addressed to users like man, daemon, lp etc. Remember that in Ruleset 0 you cannot call $#discard.

Assuming that you have written a special delivery agent (to save email in a database for example) for “local” users not found in /etc/passwd, the last rule calls that delivery agent for the given username.

Of course if you are in a certain mood of BOFHiness, you can add similar rules that return random error codes to the sender. The expressiveness of sendmail’s modem-noise is unlimited…

(part 1)

sendmail: when local users are not users of the system

Suppose that you are running a sendmail server which is the final delivery server and that the users of the mail system are not physical users on the server (i.e. they do not exist in /etc/passwd). What choices do you have in order to accept valid local email?

  1. Use LDAP.
  2. Edit mbdb.c and add a map. You can add your custom map and the relevant hooks to support the external directory of your choice. Read the source on how to do that.
  3. Edit mbdb.c and wrap getpwnam(3). Similar to the above but it may seem easier in some cases, especially if the users are kept in an /etc/passwd-like file. The first time I saw such a trick was when I was reading TACACS+ code.
  4. Use MAILER(`local') without the w flag, which means that /etc/passwd is not consulted prior to forking the mail delivery agent. This is accomplished by:

    MODIFY_MAILER_FLAGS(`LOCAL', `-w')dnl

    That way the local mailer and not sendmail decides whether the user exists or not. You have to write your own delivery agent.

Of the above choices I rely heavily on #3 (although I am not using flat files) and lately I used #4. LDAP is always my last choice. I am sure there are other choices though.
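With the w flag removed (choice #4, and the custom.local agent assumed in part 2), the delivery agent's exit status is the only way sendmail learns whether a user exists. The following is an added example, not the author's agent: it assumes the agent is invoked with a store path and the recipient name as arguments and the message on stdin, and the SQLite schema and all names in it are hypothetical.

```python
import re
import sqlite3
import sys

# Exit codes from sysexits.h; sendmail maps them to a delivery status.
EX_OK, EX_USAGE, EX_NOUSER, EX_TEMPFAIL = 0, 64, 67, 75

# Accept only conservative local parts so the name is safe to log or store.
VALID_LOCAL_PART = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")


def open_store(path):
    """Open the mail store; the two-table schema is an assumption of this example."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS users (name TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE IF NOT EXISTS mail (rcpt TEXT NOT NULL, raw BLOB NOT NULL)")
    return db


def deliver(db, recipient, message):
    """Store one message and return the sysexits code sendmail should see."""
    name = recipient.lower()
    if not VALID_LOCAL_PART.fullmatch(name):
        return EX_NOUSER                      # malformed names never reach the database
    try:
        known = db.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
        if known is None:
            return EX_NOUSER                  # permanent failure: the sender gets a bounce
        with db:                              # commit on success, roll back on error
            db.execute("INSERT INTO mail (rcpt, raw) VALUES (?, ?)", (name, message))
    except sqlite3.Error:
        return EX_TEMPFAIL                    # transient failure: sendmail requeues
    return EX_OK


def main(argv):
    if len(argv) != 3:
        print("usage: agent.py STORE.db RECIPIENT < message", file=sys.stderr)
        return EX_USAGE
    db = open_store(argv[1])
    try:
        return deliver(db, argv[2], sys.stdin.buffer.read())
    finally:
        db.close()


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Returning EX_TEMPFAIL rather than EX_NOUSER when the store is unreachable matters: a database outage then delays mail in the queue instead of bouncing it as "user unknown".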

(part 2)