2006-08-17
Introduction
This page contains various short tricks relating to the administration of a NetBSD server. I came across the problems described here and (usually after quite some frustration) came up with the provided solutions. I will try to update this page whenever I come across new problems. This will help me if I ever want to re-configure my NetBSD server, and hopefully other people will find the information presented here useful too. It is just a matter of time until Google finds this page.
Each section is tagged with a date, reflecting its last update. I will try to order the sections in a sensible way, which means that the sections are not chronologically ordered.
Last update: 2009-04-14
Table of contents
- Forwarding daily (insecurity) output to an external address
- Enabling masquerading using sendmail
- Masquerading and the root account
2006-08-16
Forwarding daily (insecurity) output to an external address
By default NetBSD's daily insecurity report is sent to root. Like me you may not log in as root for extended periods of time. Perhaps you may not log in to your box at all for extended periods of time. To keep up to date with my server's security, I decided to forward all mail that is sent to root to my user account. Mail sent to my user account, in turn, is forwarded to an external email address.
- To do this, log in as root and open the file /etc/mail/aliases.
- Uncomment the lines for user root (and user operator if you like) and fill in your own username ('stephan' in my case):
    # Well-known aliases -- these should be filled in!
    root: stephan
    operator: stephan
- Now, add a new line (for example at the bottom of the file) that describes where mail that is being sent to your account should be forwarded to:
    # Added by Stephan
    #
    stephan: stephan@please.dont.spam.me.nl
- Now run newaliases(1) to update the database.
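A quick way to confirm that root's mail really leaves the box is to follow the alias chain to its end. The script below is an added example, not part of the original page; the function names and the sample file are constructed for illustration, and it assumes one target per alias.

```sh
#!/bin/sh
# Added example (not from the original page): follow an alias chain in an
# aliases(5)-style file and print where the mail finally ends up.

# resolve_alias FILE NAME: print the final target; return 1 on a loop.
resolve_alias() {
    file=$1 name=$2 hops=0
    while [ "$hops" -lt 10 ]; do
        # First active "name: target" entry; commented-out lines are skipped.
        target=$(awk -F: -v n="$name" '
            /^[ \t]*#/ { next }
            { key = $1; gsub(/[ \t]/, "", key) }
            key == n { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
        ' "$file")
        # No entry: delivery stops in the local mailbox of $name.
        [ -n "$target" ] || { printf '%s\n' "$name"; return 0; }
        # A target containing "@" is an external address: end of the chain.
        case $target in *@*) printf '%s\n' "$target"; return 0 ;; esac
        name=$target
        hops=$((hops + 1))
    done
    echo "alias loop or chain too long at: $name" >&2
    return 1
}

# Constructed sample mirroring the edits above, plus one still-commented entry.
make_sample_aliases() {
    cat > "$1" <<'EOF'
# Well-known aliases -- these should be filled in!
root: stephan
operator: stephan
# toor: root
postmaster: root
# Added by Stephan
#
stephan: stephan@please.dont.spam.me.nl
EOF
}

sample=${TMPDIR:-/tmp}/aliases.sample.$$
make_sample_aliases "$sample"
for who in root operator postmaster toor; do
    printf '%-10s -> %s\n' "$who" "$(resolve_alias "$sample" "$who")"
done
rm -f "$sample"
```

On the live system, `sendmail -bv root` reports the resolution sendmail itself performs against the rebuilt alias database.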
2006-08-16
Enabling masquerading using sendmail
My NetBSD server is one of several computers that share one IP using NAT. Each of these computers has a hostname that is only known inside the LAN. I configured sendmail to forward any mail sent by the system to the root user to an external email address (see above).
Most mail servers will not accept this mail however, since the originating address's domain name is the nonexistent hostname that is only known inside my LAN. Returning this mail is not possible either, as the domain does not exist. This causes the mail to be delivered to the recipient in the form of an attachment that is part of an error message sent by the recipient's mail server.
To solve this problem, I needed to tell sendmail to use the (existing)
hostname that I am given by my ISP instead of the local hostname of my
NetBSD box. This is called masquerading and requires you to
alter the configuration file /etc/mail/sendmail.cf. This
file is very complex but thankfully there is an easy alternative to
directly editing it.
sendmail.cf is generated by m4(1) using the
much more readable directives in the file
/usr/share/sendmail/cf/netbsd-proto.mc. To enable
masquerading, what needs to be done is editing (a copy of)
netbsd-proto.mc and using it to regenerate
sendmail.cf. Here we go.
- Log in as root and run:
    # cd /usr/share/sendmail/cf
    # cp netbsd-proto.mc yourhost.mc
  For clarity, alter the name of yourhost.mc to reflect your server's hostname.
- Open yourhost.mc and add the following lines before the MAILER directives:
    MASQUERADE_AS(`yourdomain.com')dnl
    MASQUERADE_DOMAIN(`.yourdomain.com')dnl
    FEATURE(`masquerade_entire_domain')dnl
    FEATURE(`masquerade_envelope')dnl
  Alter yourdomain.com to reflect the hostname that you were given by your ISP. Please also note the single dot before the domain name on the second line.
- Now update the sendmail configuration and restart the daemon:
    # m4 yourhost.mc > /etc/mail/sendmail.cf
    # /etc/rc.d/sendmail restart
Depending on the version of sendmail you are running, it may be possible that mail sent by root is still not masqueraded. If this is a problem for you like it was for me, see the section below.
2006-08-16
Masquerading and the root account
As I wrote above, I wanted to forward mail that was sent by the system to an external email address. To do this, I also had to enable masquerading. Most of the mail that is sent by the system is sent under the root account. This poses an additional problem on my server, because sendmail is configured to disable masquerading for mail that is being sent by root (in other words, the root account is exposed).
To solve this problem, it is necessary to adjust the sendmail configuration once more. Before you continue, be sure to read the section on masquerading above and follow the steps described there (or verify that you already did something similar). If you do not want to do that, skip to the end of this section to read about a fast alternative hack.
The file /usr/share/sendmail/cf/yourhost.mc that you
created above contains the directive DOMAIN(generic)dnl.
This means that the directives in
/usr/share/sendmail/domain/generic.m4 also apply. It is in
this file that the exposure of root is defined. Let's solve this.
- Log in as root and run:
    # cd /usr/share/sendmail/domain
    # cp generic.m4 yourhost.m4
  For clarity, alter the name of yourhost.m4 to reflect your server's hostname.
- Open yourhost.m4 and remove the following line:
    EXPOSED_USER(`root')
- Go back to the file yourhost.mc that you created earlier:
    # cd /usr/share/sendmail/cf
- Open yourhost.mc and alter the DOMAIN directive to reflect the name of your newly created m4-file (excluding its extension):
    DOMAIN(yourhost)dnl
- Once again update the sendmail configuration and restart the daemon:
    # m4 yourhost.mc > /etc/mail/sendmail.cf
    # /etc/rc.d/sendmail restart
Ooh, yes, I promised a fast hack as an alternative to the process
described above. This requires you to directly edit
sendmail.cf.
- Open /etc/mail/sendmail.cf and remove the following line:
    C{E}root
That's it. I prefer the former method because it does not interfere
with any future adjustments to sendmail.cf through
m4(1).
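
The masquerading directives and the root-exposure fix from the two sections above can be checked before sendmail.cf is regenerated. This added example (not from the original page) audits a .mc file together with the domain file its DOMAIN directive actually loads; the function names, the sample tree and stale.mc are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): audit the m4 sources for the
# masquerading setup. Assumes the page's layout: <base>/cf/*.mc, <base>/domain/*.m4.

# Print a file without the lines m4 discards (those starting with dnl).
active() { grep -v '^[[:space:]]*dnl' "$1"; }

# audit_mc BASE MCFILE: print findings; return 0 only if nothing is wrong.
audit_mc() {
    mc=$1/cf/$2 rc=0
    for d in 'MASQUERADE_AS(' 'MASQUERADE_DOMAIN(' \
             'masquerade_entire_domain' 'masquerade_envelope'; do
        active "$mc" | grep -qF "$d" || { echo "missing: $d"; rc=1; }
    done
    # Name inside DOMAIN(...), with or without m4 quotes.
    dom=$(active "$mc" | sed -n "s/^DOMAIN(\`*\([A-Za-z0-9_.-]*\).*/\1/p" | head -n 1)
    if [ -z "$dom" ] || [ ! -f "$1/domain/$dom.m4" ]; then
        echo "missing: domain file for DOMAIN($dom)"; return 1
    fi
    # root listed as an exposed user means root's mail is not masqueraded.
    if active "$1/domain/$dom.m4" | grep 'EXPOSED_USER(' | grep -qw root; then
        echo "exposed: root via domain/$dom.m4"; rc=1
    fi
    return $rc
}

# Constructed sample tree: the edited domain copy exists, but stale.mc still
# points at generic.m4, so root stays exposed.
make_sample() {
    mkdir -p "$1/cf" "$1/domain"
    printf '%s\n' "EXPOSED_USER(\`root')" > "$1/domain/generic.m4"
    printf '%s\n' "dnl EXPOSED_USER(\`root') removed" > "$1/domain/yourhost.m4"
    printf '%s\n' 'DOMAIN(generic)dnl' \
        "MASQUERADE_AS(\`yourdomain.com')dnl" \
        "MASQUERADE_DOMAIN(\`.yourdomain.com')dnl" \
        "FEATURE(\`masquerade_entire_domain')dnl" \
        "FEATURE(\`masquerade_envelope')dnl" \
        'MAILER(local)dnl' > "$1/cf/stale.mc"
    sed 's/^DOMAIN(generic)/DOMAIN(yourhost)/' "$1/cf/stale.mc" > "$1/cf/yourhost.mc"
}

base=${TMPDIR:-/tmp}/mc-audit.$$
make_sample "$base"
audit_mc "$base" stale.mc || echo "stale.mc: needs fixing"
audit_mc "$base" yourhost.mc && echo "yourhost.mc: ok"
rm -rf "$base"
```

The stale.mc case is the easy mistake to make here: yourhost.m4 has been edited, but the DOMAIN directive still loads generic.m4, so mail from root keeps the internal hostname.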