Wednesday, November 4, 2009

Sendmail Command Line Tips and Tricks

# mailq
Prints the mail queue's contents, same as /usr/lib/sendmail –bp
# newaliases 
Rebuilds the aliases database file, same as /usr/lib/sendmail –bi  
# hoststat 
Prints persistent host status info, same as /usr/lib/sendmail -bh  
# purgestat
Purges (zeroes) persistent host status info, same as /usr/lib/sendmail -bH  
# smtpd
Runs in daemon mode, same as /usr/lib/sendmail –bd –q30  
# mailq –OmaxQueueRunSize=1
Quickly print the total number of messages within mail queue
# /usr/lib/sendmail –q –Otimeout.queuereturn=99d 
Purges the mail queue without timing out any messages. Useful if the mail server has been down longer than the queuereturn value set in the cf.
# /usr/lib/sendmail –bv foolist | grep –v deliverable 
Prints only undeliverable addresses from in the mail list foolist. Great for use in a shell script to remove badd addresses from a mailing list.

Command Line Switches  

-B 7bit 
Causes sendmail to clear the high-bit of every incoming byte.
-B 8bitmime 
Causes sendmail to preserve the high-bit or every incoming byte.
Uses ARPAnet/Grey-Book protocols to transfer mail.
Runs as daemon, like –bd, but does not fork and does not detach from controlling terminal.
Runs as daemon, forks and detaches.
Purges (zeroes) persistent host status info.
Prints persistent host status info.
Initializes the aliases database.
Causes sendmail to read and send message (this is the default)
Prints the contents of the mail queue.
Runs sendmail on standard I/O.  
Runs sendmail in rule testing mode.
Verifies address.
-C /tmp/
Uses as its configuration file.
Sets HoldExpensive option to true.

set debug mode.
  • -d0 – Shows general config
  • -d0.1 – Prints version
  • -d.04 – Prints local hostname and any aliases for it.
  • -d0.15 – Prints the list of delivery agents declared
  • -d0.20 – Prints address of each network interface
  • -d8 – Traces most DNS lookups
  • -d8.1 – Prints failure of low level MX searches.
  • -d8.2 – Prints calls to getcanonname
  • -d8.3 - Traces dropped local hostnames
  • -d8.5 – Shows hostnames tried in getcanonname
  • -d8.8 – Shows when MX lookups return the wrong type.
  • -d11 – Traces delivery agent calls
  • -d11.1 – Traces arguments passed to the delivery agent
  • -d11.2 - Prints the user ID that the delivery agent is invoked as
  • -d21 – Traces rewriting of addresses
  • -d21.1- Traces general ruleset rewriting
  • -d21.2 – Traces use of $& macro
  • -d21.3 – Shows $> subroutines called
  • -d21.4 – Displays result of rewrite
  • -d21.15 – Shows $digit replacement
  • -d21.35 – shows token by token LHS matching
  • -d27 – Traces aliasing
  • -d27.1 – Traces general aliasing
  • -d27.2 – Traces :include: files, alias self-references, and errors on home
  • -d27.3 – Traces the ~/.forward path and the alias wait
  • -d27.4 – Prints "not safe" when a file is unsafe to trust
  • -d27.9 – Shows uid/gid changes when reading :include: files
  • -d35 – Traces macros
  • -d35.9 shows macro values as they are defined
  • -d35.14 – Shows macro names being converted to integer id’s
  • -d35.24 – Shows macro expansion
  • -d37 – Traces options and class macros
  • -d37.1 – Traces the setting of options
  • -d37.8 – Traces the adding of words to a class
  • -d41 – Traces the queue
  • -d41.1 – Traces queue ordering
  • -d41.2 – Shows failure to open qf files
  • -d41.49 – Shows skipped queue files
  • -d41.50 – Show every file in queue
Set senders full name
Set senders address
Set minimum hop count
Set IgnoreDots option to true
Set macro
Set return DNS notify information
  • never – Never return the info
  • success – Return on successful delivery
  • failure – Return on failure
  • delay – Return on delayed delivery
Supresses aliasing  
Set an option (long name)
Set an option (short name)
Sets protocol in $r macro to UUCP and $s macro to test  
Sets queue processing to every 30 min 
Processes the queue once delivering only mail to 
-R hdrs
bounces only the headers  
-R full
Bounces headers and body
Sets SaveFromLine option to true
-T 5d
Sets Timeout.queuereturn option to 5 days  
Gathers a list of recipients from messages headers  
make this the initial MUA to MTA submission  
-V test123456 
Sets the DSN ENVID string to test123456  
Runs sendmail in verbose mode  
-X /var/tmp/trace.mail
Logs both sides of smtp transactions to trace.mail file.  

Rule Testing Mode (/usr/lib/sendmail –bt)

Prints help .
Defines macro r as UUCP
Prints the contents of ruleset 5
Displays list of delivery agents
Prints the value of macro name.
prints the contents of the class macro w
Returns the MX records for in the order they will be utilized  
/parse foo
Parses the value of the address foo, returns the value of crackaddr(), and the final parsed address including the delivery agent.
/try local foo
Rewrites the address foo based on the rules for local delivery
/tryflags HS 
Sets the flags used by /parse and /try to H for header and S for sender, can also use E for envelope and R for recipient
/canon foo
Transforms the hostname foo into its canonical form  
/map aliases foo
Looks up foo in the aliases database  
3,0 – me@foo 
Runs the address me@foo through rulesets 3 and 0

Linux Securirty Notes 15: IPTables 8: DMZ

IPTables with DMZ
Let consider the interface to setup/understand the DMZ.
  • eth0: external interface (
  • eth1: Internal Interface (
  • eth2: The DMZ zone (

Step 1:
Create DNAT for all the servers in the DMZ zone (eth2) for accessing the service externally
# iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j DNAT --to-destination
# iptables -t nat -A PREROUTING -d -p tcp --dport 443 -j DNAT --to-destination
If any request comes to firewall with the destination IP as and port as 80 will be DNATed to in DMZone.
Now test accessing the service in DMZone from Internel as well externel network. From both the network we will be able to access the server in the DMZone using the IP

Configure the split DNS or 2 DNS systems (Inside&Outside of the DMZone).
Setup rule for trusted network from the outside network(Internet) for the traffic which will allow system access (SSH).
# iptables -A FORWARD -s -j ACCEPT
# iptables -A FORWARD -s -m state --state ESTABLISHED -j ACCEPT
# iptables -P FORWARD DROP
This will deny all access to the DMZone from the internet hosts, only allows the Internal network. Because the default policy of FORWARD chain is set to drop, we need to create the "state match" for the hosts in the DMZone(This will deny sourcing a new connection from the DMZone, only established connection will be permitted).

Dual DMZ Configuration
This is the way of segmenting the servers to separate DMZones.
Let consider the interface to setup/understand the Dual DMZ.
  • eth0: externel interface (
  • eth1: Internel Interface (
  • eth2: The DMZ1 zone ( (Web servers)
  • eth3: The DMZ2 zone ( (DBMS, App servers like JBOSS, TOMCAT etc)
Using this method we will be able to control the traffic from one DMZone to another. This is used for the scenarios of Application servers which need to contact the DB Servers located on separate server.

Here we have to permit only the DMZ1 to contact the DMZ2. all other traffic will be denied.So the servers in the DMZ2 zone will be more secured.
# iptables -t nat -A FORWARD -s -d -j ACCEPT
# iptables -t nat -A FORWARD -m state --state ESTABLISED -s -j ACCEPT
# iptables -t nat -P FORWARD DROP
This will make only the DMZ1 to contact the DMZ2. And from DMZ2 only the established connection will be permitted. All other request will be dropped in the FORWARD chain.
These rules are the basic backbone for setting up the routing and Natting in DMZone. All other rules should be defined according to our network need.

Tuesday, November 3, 2009

Linux Securirty Notes 15: IPTables 7: NAT

IPTables NAT
    Network Address Translation is the feature that makes Linux based firewall mostly in use. NAT is commonly used to masquerade the IP address

    The NAT table contains 3 chains
    The DNAT is defined in the PREROUTING chain. Using this we will make available of our internal service to external (Internet).i.e, from internet to lan (changes the packets before it routes to lan)
    This is responsible for MASQUERADE (dynamic SNAT) & SNAT. When packet needs to leave from one subnet(internel) through the linux firewall to another it traverse through POSTROUTING chain. (Changes the packet after it leaves the route from lan). eg:- MASQUERADE option is used in certain cases like, if ISP provides the DHCP address and the internel LAN needs to brows, then we have to masquerade all the request from the lan to the DHCP address provided by isp
    Locally sourced/generated packets are subjected to NAT. Eg:- If the firewall has more than one IP address using this chain we can re-write the packets going out from this linux machine to a single IP.

    3 types of NATing is used.
  • masquerade
  • snat
  • dnat
        This feature of NAT is used to dynamically masquerade all the internal address to the external IP

The following example will masquerade all the outgoing traffic to the externel bound IP of the firewall.

# iptables -t nat -A POSTROUTING -j MASQUERADE

Another example that masquerades all the traffic from network

# iptables -t nat -A POSTROUTING -j MASQUERADE -s

    This will masquerade all the request from the subnet to the external ip of the firewall.
Test by enabling logging for nat and check the log file.

Masquerading Port:

#iptables -A POSTROUTING -t nat -p tcp -j MASQUERADE --to-ports 1024-10240

    This will masquerade all the ports to the range from 1024 to 10240. So when a external client makes connection to the internal server (for eg:- # telnet 22) then the port allocated to the client will be in between 1024 to 10240. As a result the internal system will be only able to source the port in range of 1024 to 10240.


        This feature of NAT is used to masquerade a particular internal ip adress to a given external address. Though SNAT and masquerading perform the same fundamental function, mapping one address space into another one, the details differ slightly. Most noticeably, masquerading chooses the source IP address for the outbound packet from the IP bound to the interface through which the packet will exit. i.e, SNAT permits 1-to-1 and/or 1-to-many mappings. It is used when we have a static public IP address.

This example will masquerade all the outgoing traffic from the subnet 10.0.0./8 to the ip

# iptables -t nat -A POSTROUTING -s -j SNAT --to-source


# iptables -t nat -A POSTROUTING -j SNAT -s --to-source

SNAT using multiple address:

# iptables -A POSTROUTING -p tcp -s  -j SNAT --to-source
# iptables -A POSTROUTING -p tcp -s -j SNAT --to-source

    The first rule will nat all the traffic from source to, and second rule states that all other traffic from the subnet should be NATed to
Test the functionality by enabling the LOG and use # netstat -ant

    This feature of NAT is used to translate the packet coming to a perticular destination.Destination NAT with netfilter is commonly used to publish or make available of a internal network service to a publicly accessible IP. The connection tracking mechanism of netfilter will ensure that subsequent packets exchanged in either direction (which can be identified as part of the existing DNAT connection) are also transformed.

In this following example, all packets arriving on the router with a destination of will depart from the router with a destination of

# iptables -t nat -A PREROUTING -d -j DNAT --to-destination

 Make the internal mail server available for external access.

# iptables -A PREROUTING -t nat -d -p tcp --dport 25 -j DNAT --to-destination
# iptables -A PREROUTING -t nat -d -p tcp --dport 110 -j DNAT --to-destination

    Here if any request comes to the ip of with the destination port of 25 or 110, then IPTables will redirect (nat) to the internel address of

Netmap TAGRGET in NAT:

    It is implemented in NAT table PREROUTING Chain. This is used to translate the one to one address from one subnet to another subnet.
For Eg:-
Consider we have one subnet and we need to translate all the ip in this subnet equalent to

# iptables -A PREROUTING -t nat -s -j NETMAP --to

    This will convert/rewrite all the packets coming from the subnet to
i.e, the request from the ip will be masked as

Monday, November 2, 2009

Linux Securirty Notes 15: IPTables 6: Routing - Forward Chain

IPTables Routing (Forward Chain)
           The Forward chain holds the rules that take care of routing
Enabling the Routing.
This is the key utilities which shows the running kernel parameters.
#syscltl net.ipv4.ip_forward
This will show the status of the IPV4 routing in our local system.
# echo 1 > /proc/sys/net/ipv4/ip_forward
This will turn on the routing in kernel.
# vim /etcv/sysctl.conf
net.ipv4.ip_forward = 1
This will make the routing permanent.
# route add -net netmask gw
This will make the net routing in Linux host.

Forward Chain to Manage the Routing.
     All the packets that is subjected to route will traverse through Forward Chain in a Linux router.

Defining the Forward chain policy
1. Initially make the default policy to Drop all the routing traffic in firewall
# iptables -P FORWARD DROP
This will make all the routing traffic to be dropped as a default policy.
2. Specify only certain source network to be routed
# iptables -A FORWARD -s -d -j ACCEPT
This will allow the traffic from network to But the traffic from network if comes back will not be accepted until & unless we define a state rule or a rule that allows the traffic from the given source.
# iptables -A FORWARD -m state --state NEW,ESTABLISHED -s -j ACCPET
This will allow and route all the new and established connection from the network to any destination
3. Accept the return traffic
# iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
This will allow/accept all the established connection in the forward chain. This will allow the return traffic.
or define a rule that allows the return traffic from the network Here usage of the "state" rule makes the definition of the firewall rule more easier and secure.

Logging the routing traffic in FORWARD Chain:
# iptables -N ROUTELOG
# iptables -A FORWARD -j ROUTELOG
This will create a new chain and starts logging all the routing activities.

Allowing a subnet to access outer world web
# iptables -A FORWARD -s -p tcp --dport 80 -j ACCEPT

Allow the UDP(DNS) queries to outside
# iptables -A FORWARD -s -p udp --dport 53 -j ACCEPT