Cover V12, i11

Questions and Answers

Amy Rich

Q I'm sick of spammers harvesting addresses from our sendmail server by issuing dictionary attacks and the like. Is there any way to prevent them from slamming our mail servers in this way?

A You don't say which version of sendmail you're running, so I'll assume something recent. One approach is to accept all addresses at the gateway and then bounce invalid mail on another machine. This will leave you with a lot of undeliverable bounces if you receive a significant amount of forged spam (which is usually the case). If you want to continue to fight spam by dropping connections at the gateway machines, then you can fight off things like dictionary attacks by limiting the number of recipients per message and/or throttling the connection once a given number of recipients have been rejected. The two sendmail configuration options to put in your .mc file are:

confMAX_RCPTS_PER_MESSAGE  MaxRecipientsPerMessage

                           [infinite] If set, allow no more than the
                           specified number of recipients in an SMTP
                           envelope.  Further recipients receive a 452
                           error code (i.e., they are deferred for the
                           next delivery attempt).

This example sets the maximum number of recipients per message to 10:

define(`confMAX_RCPTS_PER_MESSAGE', 10)dnl

confBAD_RCPT_THROTTLE      BadRcptThrottle

                           [infinite] If set and more than the
                           specified number of recipients in an
                           envelope are rejected, sleep for one second
                           after each rejected RCPT command.

This example sets to 2 the number of bad recipients per message after which sendmail sleeps for one second after each further rejected recipient:

define(`confBAD_RCPT_THROTTLE', 2)dnl
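
A small model of what these two settings do to a dictionary attack inside one SMTP envelope, added here as an example; it is not part of the column and not sendmail's own code. It follows only the option descriptions quoted above, so sendmail's internal accounting may differ in detail, and the user list and guessed addresses are constructed.

```python
# Added example, not sendmail code: models the two options quoted above as
# their descriptions state them; sendmail's internal accounting may differ.
VALID_USERS = {"amy", "bob", "carol", "dave", "erin", "frank",
               "grace", "heidi", "ivan", "judy", "mallory", "peggy"}  # constructed

# Constructed dictionary attack: 28 guessed local parts, then two real ones.
GUESSES = [f"user{i:02d}@my.domain" for i in range(28)] + \
          ["amy@my.domain", "bob@my.domain"]


def rcpt_responses(rcpts, valid_users=VALID_USERS,
                   max_rcpts=10, bad_rcpt_throttle=2):
    """Answer each RCPT TO of one envelope.

    max_rcpts is confMAX_RCPTS_PER_MESSAGE and bad_rcpt_throttle is
    confBAD_RCPT_THROTTLE (None means infinite, the default for both).
    Returns [(address, SMTP code, seconds slept before replying)]:
    250 accepted, 550 user unknown, 452 over the limit (deferred, so a
    legitimate sender retries the rest on its next delivery attempt).
    """
    accepted = rejected = 0
    out = []
    for addr in rcpts:
        local = addr.partition("@")[0].lower()
        delay = 0
        if max_rcpts is not None and accepted >= max_rcpts:
            code = 452
        elif local in valid_users:
            code = 250
            accepted += 1
        else:
            code = 550
            rejected += 1
            # Past the threshold, every further rejection costs the client
            # a one-second sleep, which is what starves a dictionary attack.
            if bad_rcpt_throttle is not None and rejected > bad_rcpt_throttle:
                delay = 1
        out.append((addr, code, delay))
    return out


def summarize(responses):
    """Count replies per SMTP code and total the throttle delay."""
    codes = {}
    for _, code, _ in responses:
        codes[code] = codes.get(code, 0) + 1
    return {"codes": codes, "delay": sum(d for _, _, d in responses)}
```

With the settings above, the 30-guess run collects 26 seconds of delay, while a legitimate 12-recipient message gets its last two recipients deferred with 452 and no delay at all.
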
Q I usually install things from the ports collection on my FreeBSD 5.1 machine just to play around with the software. More often than not, I find that the software isn't useful to me, so I'd like to remove the packages. I can remove the single package just fine, but larger software programs have dependencies so one port winds up installing many packages. When I then remove the port, only the port itself is removed, and not any of the dependencies. Is there a way to have a pkg_delete remove all of the software it installed for any one port so I'm not left with a machine full of unused packages?

A The standard pkg_delete won't do this, but if you install portupgrade from /usr/ports/sysutils/portupgrade, it comes with a program called pkg_deinstall that wraps pkg_delete. You can specify the -R switch to delete packages required by the given package name:

pkg_deinstall -R <package>

If you want to remove only some of the packages depended on by the package you're trying to delete, specify the -i switch to do an interactive removal:

pkg_deinstall -Ri <package>

Q I'm a security administrator who's currently out of work and looking to get a certification or two under my belt to give me an edge in the job market. Do you have any suggestions about which certifications are the best?

A I actually receive this question quite a bit, and it's a difficult one to answer without knowing more about the environment where people are applying for jobs. Are the people doing the interviewing and hiring more technical or managerial in nature? Are they impressed by certifications that are better known outside of the field or better respected by people inside the field? Is it more important to have a broad but shallow knowledge base, or a narrow expertise?

I recently read this article in Information Security magazine that may be of use to those of you wondering which security certification to obtain. This piece mostly covers the CISSP, but also touches on various other security certifications: http://www.infosecuritymag.com/2003/jun/certifiable.shtml.

Q I know this falls under the category of "if it hurts, don't do that," but I don't have any control over the remote machine. The situation is this: I'm trying to scp files from my local machine where my username is bob, to a remote machine where my username is bob@remote.machine. Yes, my username is bob@remote.machine. When I try to scp with the following command:

scp file bob@remote.machine@remote.machine:~/

it tries to connect to remote.machine@remote.machine. Obviously it's seeing the first @ and chopping off the rest as the hostname. I realize that a username should never have an @ in it, but, as I said, I don't have any control over that, and the people who run the box won't listen to reason. I've tried various quoting methods to get this to work, and I've come up with nothing so far. Any clue how I could force this?

A First, you're right, the usernames are bogus and who knows what else will break because of that (email immediately comes to mind). But if that's what you're stuck with, then so be it. There may be a way to escape the @, but an easier suggestion is to use the -o flag to set the username separately on the command line:

scp -oUser=bob@remote.machine file remote.machine:~/

Q I think my understanding of how the sendmail access map works is flawed. I have the following entry refusing email from peak-10.com in my access map:

peak-10.com     550 Access denied to spammers

I received an email from one of peak-10.com's servers, and it was clearly identified in the Received headers of the message. That message had the following entry in the mail log:

Aug  2 00:48:26 host.my.domain sm-mta[29531]: [ID 801593 mail.info] \
  h624mPhx029531: from=<mail7@mail.play4keeps.com>, size=0, class=0, \
  nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, \
  relay=[66.129.125.8]

Shouldn't this message have been blocked, and if not, why?

A Regardless of what the Received headers say, sendmail could not reverse-resolve the IP address of the foreign machine to a hostname when it connected to yours. The hostname you see in the Received headers is what's fed to sendmail during the HELO phase and can be easily forged. Because of this, the relay host was identified only by its IP address (note the bare relay=[66.129.125.8] in the log) instead of its hostname, so a domain entry in the access map was never consulted. To block this message, you would need to block it by IP, 66.129.125.8.
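
Why the domain entry did not fire, worked through in code: an added example (not from the column and not sendmail's own code) that pulls the relay field out of the log line above and walks the same key sequence sendmail tries against the access map, hostname and parent domains first, then the address and its shorter prefixes. The resolved hostname mail.peak-10.com is a constructed value.

```python
# Added example: models sendmail's access-map key order for a connecting
# relay; not sendmail's own code. LOGLINE is the entry from the column.
import re

ACCESS_MAP = {"peak-10.com": "550 Access denied to spammers"}  # reader's entry

LOGLINE = ("Aug  2 00:48:26 host.my.domain sm-mta[29531]: h624mPhx029531: "
           "from=<mail7@mail.play4keeps.com>, size=0, class=0, nrcpts=0, "
           "bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=[66.129.125.8]")
# Constructed variant: the same connection with reverse DNS working.
RESOLVED = LOGLINE.replace("relay=[", "relay=mail.peak-10.com [")

RELAY_RE = re.compile(r"relay=(?:(?P<host>[^\s\[\],]+) )?\[(?P<ip>[\d.]+)\]")


def parse_relay(logline):
    """Return (hostname or None, ip) from the relay= field.

    'relay=[66.129.125.8]' means the reverse lookup failed, so only the
    address is known; 'relay=name [ip]' gives both.
    """
    m = RELAY_RE.search(logline)
    return (m.group("host"), m.group("ip")) if m else (None, None)


def lookup_keys(host, ip):
    """Keys tried against the access map for this relay, in order: the
    hostname and each parent domain, then the address and each shorter
    octet prefix. An unresolved relay yields only the address keys."""
    keys = []
    if host:
        labels = host.lower().rstrip(".").split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


def access_decision(logline, access_map=ACCESS_MAP):
    """First matching (key, value) for the relay in logline, else (None, None)."""
    host, ip = parse_relay(logline)
    if ip is None:
        return None, None
    for key in lookup_keys(host, ip):
        if key in access_map:
            return key, access_map[key]
    return None, None
```

Running access_decision on the column's log line returns no match, on the resolved variant it returns the peak-10.com entry, and adding a 66.129.125 or 66.129.125.8 key makes the unresolved line match on the address.
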

Q I have an old PowerPC-based RS/6000 that I'd like to use to learn AIX systems administration. It would be cool if I could install 5.2, but I don't know if my machine will support it. I know Sun has a canonical list of what hardware is supported under what OS, but does IBM have something similar?

A Some of the PowerPC machines will run 5.2, but not all of them. If you run the command:

bootinfo -p

and your system claims to be chrp, then 5.2 will run on it. If you have a PReP platform or a MicroChannel bus, then 5.2 won't run. IBM has stopped supporting these with new OS releases. You can also take a look at the 5.2 release notes at:

http://publib.boulder.ibm.com/pseries/aixgen/relnotes/52RELNOTES/10073902.htm#support

to see whether your hardware falls under any of the categories they've stopped supporting. Similar documents can be found for 5.1 and 4.3 at:

http://publib.boulder.ibm.com/pseries/aixgen/relnotes/52_relnotes.htm

Q I notice you answered some OS X questions, so I have one of my own. I'm a die-hard Unix workstation user, and I really hate the placement of the control key on PCs and Macs. I know how to swap control and caps lock under X, but how do I do it for OS X in general? I'm assuming there has to be some way.

A If you want a software solution that will work on laptops as well as desktops, take a look at uControl (http://gnufoo.org/ucontrol/ucontrol.html). I've had good luck getting this to work by itself, but it doesn't seem to play well in conjunction with bbkeys (which I use to map window manager functions to my laptop's function keys). When using the two together, sometimes the control key becomes sticky and can cause all sorts of havoc.

If you have a USB keyboard (which rules out the built-in keyboards on laptops), you can modify the info.plist file for the keyboard. Edit: /System/Library/Extensions/IOUSBFamily.kext/Contents/PlugIns/AppleUSBKeyboard.kext/Contents/Info.plist and under the section labeled "IOKitPersonalities/AppleUSBKeyboard" add the lines:

<key>Swap control and capslock</key>
<integer>1</integer>

You can also use the PropertyListEditor application that comes with the developer tools package to add the property.

Now move/remove the device driver cache /System/Library/Extensions.mkext so that it will be rebuilt including the new modified driver when you next reboot.

Q I'm trying to integrate majordomo into my sendmail 8.12.9 setup. Because I don't want authentication warnings, I've added majordomo to the trusted users file in my mc:

FEATURE(`use_ct_file')
define(`confCT_FILE', `/etc/mail/trusted-users')

/etc/mail/trusted-users contains the following:

root
daemon
majordom

I rebuilt the cf and stopped and started sendmail to make sure the changes took effect. I know this is working because sendmail shows all three when I dump the info via the command line:

# echo '$=t' | sendmail -bt

ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> daemon
majordom
root

When I send mail out via majordomo, though, I get the following header:

X-Authentication-Warning: mail.my.domain: majordom set sender to \
  majordomo@mail.my.domain using -f

I'm completely at a loss here, and I figure this must be a bug. It seems like someone else would have reported something so blatant, though.

A If you're using 8.12.9, you're probably also using submit.cf for local mail. If so, you'll also want to add FEATURE(`use_ct_file') to submit.mc and rebuild submit.cf.

Q I'm running FreeBSD 4.8-STABLE on Intel hardware. I've modified my crontab to run a new script. Now I get the following message every five minutes:

Cron <root@bsd-server> root /usr/libexec/atrun root: not found

I didn't change the atrun line at all, so I'm not sure what the problem is. Any hints on what I munged?

A This usually happens when you use the crontab command to install the file /etc/crontab, e.g.:

crontab /etc/crontab

/etc/crontab has a different syntax than the user crontabs, so when you install /etc/crontab as a user crontab in this manner, it spits out errors. To fix this, remove the user crontab you installed by doing:

crontab -r

If you're just editing /etc/crontab, you don't need to let the system know that it's changed, since it will see that automatically on the next cron run. If you'd rather put new things in a user crontab, then use the syntax explained in the crontab(5) man page. If you're creating scripts that should be run periodically (daily, weekly, monthly), consider putting them in /usr/local/etc/periodic under the corresponding directory. See the periodic(8) man page for more information on adding these sorts of scripts.

Q I just inherited an HP system with a huge head on it. The machine doesn't get used very often, so I'd like the monitor to go into powersave mode after the console has been idle for a certain period of time. I know how to do this with various other systems, but I don't see anything intuitive with HP/UX. Where would I find the settings to do this?

A In modern versions of HP/UX, monitor power management is handled by DPMS (Display Power Management Signaling), if your monitor supports it. DPMS is a standard defined by VESA (Video Electronic Standards Association) that defines the following states:

 

Screen Option Value   State          DPMS Compliance Requirements   Power Savings   Recovery Time
0                     Screen Saver   N/A                            None            (< 1 sec)
1                     Stand-by       Optional                       Minimal         Short
2                     Suspend        Mandatory                      Substantial     Longer
3                     Off            Mandatory                      Maximum         System

By default, DPMS uses the screensaver level (0) and provides no power savings. If you want to turn on suspend or power the monitor off, you can use the X Server Configuration Tool under sam, choosing "Modify Screen Options." You can also manually change the file /etc/X11/X0screens and set the variable MinimumMonitorPowerSaveLevel to one of the above numbers, for example:

MinimumMonitorPowerSaveLevel 2

Take a look at /usr/lib/X11/Xserver/info/screens/hp for more information.

Q I'm rather new to administering BIND, and I tend to make some syntax mistakes. Is there a tool out there that will debug my changes before I start/restart BIND so that I don't take the nameservers out of commission with bad zone files or config files?

A You don't say which version of BIND, so I'll presume that you're running the latest release of BIND 9. If this is the case, there are two programs that come with the distribution that will do exactly what you want. To check your named.conf syntax, run named-checkconf. It checks the syntax but not the semantics of your configuration file (with no arguments, it defaults to /etc/named.conf). To check your zone files, run named-checkzone:

named-checkconf /etc/namedb/named.conf
named-checkzone your.zone /etc/namedb/your.zone.file

For more information, see the man page for each command.

Q I'm running FreeBSD 4.8-STABLE and I'm trying to replace sendmail with exim. I've built and installed it and modified /etc/mail/mailer.conf. I can't seem to get the daemon to start properly, though. Here's my mailer.conf file:

sendmail /usr/exim/bin/exim
send-mail /usr/exim/bin/exim
mailq /usr/exim/bin/exim -bp
newaliases /usr/bin/true

When the system boots, I get the following message, which looks like it's trying to mash bits of sendmail and exim together:

Starting standard daemons: cron sendmailexim abandoned: unknown, \
  malformed, or incomplete option -L sendmail-clientmqueueexim \
  abandoned: unknown, malformed, or incomplete option -L

A It looks as if you still have sendmail enabled in /etc/rc.conf. Be sure to change the following line:

sendmail_enable="YES"

to:

sendmail_enable="NONE"

Also make sure that the exim startup script, /usr/local/etc/rc.d/exim.sh, exists. You may also want to add NO_SENDMAIL=TRUE to /etc/make.conf if you're going to remove the sendmail binaries and don't want them rebuilt when you do a make world.

You also could have installed exim from the ports collection (based on your path to the exim binary, it doesn't look like you did), which would have then generated the rc.d script for you.

Amy Rich, president of the Boston-based Oceanwave Consulting, Inc. (http://www.oceanwave.com), has been a UNIX systems administrator for more than 10 years. She received a BSCS at Worcester Polytechnic Institute, and can be reached at: qna@oceanwave.com.