Steps for setting up and running sendmail in a multiple security label environment
You must configure mail so that it can be exchanged only among equivalent security labels, essentially setting up multiple independent mail networks.
Before you begin
Procedure
Perform the following steps to set up and run sendmail in a multiple security label environment:
- Create host and domain names as follows:
- Decide whether you are using security label-specific domain names or separate host names.
- Define a VIPA in a network security zone with the appropriate security label for each sendmail server to which you will bind.
Tip: This step is optional if stack affinity is used with restricted stacks.
- Define the domains and host names in your DNS, or /etc/hosts
and /etc/ipnodes files. For example, if your system supported
the security labels SYSHIGH, SYSLOW, ORANGES and APPLES, the following
definitions are some sample /etc/hosts definitions:
; DIFFERENT HOST NAMES IN THE SAME DOMAIN
10.10.10.1 Z10HIGH.MYCORP.COM
10.10.10.2 Z10LOW.MYCORP.COM
10.10.10.3 Z10ORNGE.MYCORP.COM
10.10.10.4 Z10APPLE.MYCORP.COM
; SAME HOST NAMES IN DIFFERENT DOMAINS
192.168.10.41 ZOS10.SYSHIGH.MYCORP.COM
192.168.10.42 ZOS10.SYSLOW.MYCORP.COM
192.169.10.43 ZOS10.ORANGE.MYCORP.COM
192.168.10.44 ZOS10.APPLES.MYCORP.COM
- Set up stack affinity and resolver configuration, as described in Planning for interactive UNIX System Services users in a multilevel secure environment.
- If the sendmail servers are started by using started
procedures, take one of the following actions:
- Add a STDENV DD line to the JCL, specifying a file that sets the
environment variable RESOLVER_CONFIG to the appropriate file based
on the security label for this sendmail server. For example:
//STDENV DD PATH='/etc/seclbl/sendmail.env',
// PATHOPTS=(ORDONLY)
- Set the RESOLVER_CONFIG environment variable to the appropriate
file (based on the security label of the sendmail server) using ENVAR
on the PARM keyword of the EXEC statement. For example:
//SENDMAIL EXEC PGM=BPXBATCH,REGION=4096K,TIME=NOLIMIT,
// PARM=('PGM /usr/sbin/sendmail -bd -q1h -L sndmail1',
// 'ENVAR("RESOLVER_CONFIG=/etc/resolv.conf")')
- Create security label-specific mail queue directories as
follows:
- If necessary, create the parent SYSMULTI directories. To create these directories, you must log on as a superuser
with the SYSMULTI security label and issue the following UNIX System Services commands:
mkdir /var
mkdir /var/spool
- Create new mail queue directories for each security
label to be supported for sendmail. For each security
label to be supported for servers, repeat the following steps:
- Log on to a TSO user ID with that security label.
- Issue the following UNIX System Services commands, replacing seclbl with the security label name and sndmuser with the appropriate sendmail user ID:
mkdir /var/spool/seclbl
mkdir /var/spool/seclbl/mqueue
chown sndmuser:sndmgrp /var/spool/seclbl/mqueue
mkdir /var/spool/seclbl/clientmqueue
chown smmsp:smmspgrp /var/spool/seclbl/clientmqueue
Tip: Do not create /var/spool/seclbl or its subdirectories for SYSMULTI or any other security label that is not to be supported for sendmail. There will not be a server to use them.
- Create a symbolic link for these mail directories. The following UNIX System Services command issued by a superuser creates the symbolic link and directs the mail to the appropriate queue:
ln -s '$SYSSECR/' /var/spool/secsymr
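The per-label queue layout from the steps above, as an added example that is not part of the IBM documentation: a POSIX shell function that creates the mqueue and clientmqueue directories for one security label under a configurable spool root, and a check function that verifies the directories, their owners and their modes. The spool root, owner and group names are parameters (defaults of sndmuser, sndmgrp, smmsp and smmspgrp are the page's own) so the functions can be exercised on a non-z/OS system; the refusal of SYSMULTI follows the Tip above.

```shell
#!/bin/sh
# Create the security-label-specific sendmail queue directories.
# Usage: mk_label_queues SPOOL_ROOT SECLBL MTA_OWNER MTA_GROUP MSP_OWNER MSP_GROUP
# On z/OS the caller is expected to be logged on with SECLBL as the active
# security label (compare: export SL=$(id -M)) so the new directories are
# labelled correctly; that is not checked here.
mk_label_queues() {
    root=$1; seclbl=$2; mta_owner=$3; mta_group=$4; msp_owner=$5; msp_group=$6
    case "$seclbl" in
        ''|SYSMULTI) echo "refusing to create queues for label '$seclbl'" >&2; return 1 ;;
    esac
    mkdir -p "$root/$seclbl/mqueue" "$root/$seclbl/clientmqueue" || return 1
    # sendmail treats a group- or world-writable mqueue as unsafe; the MSP
    # queue is shared through the smmsp group, so it keeps group access.
    chmod 0700 "$root/$seclbl/mqueue" || return 1
    chmod 0770 "$root/$seclbl/clientmqueue" || return 1
    chown "$mta_owner:$mta_group" "$root/$seclbl/mqueue" || return 1
    chown "$msp_owner:$msp_group" "$root/$seclbl/clientmqueue" || return 1
}

# Verify the layout for one label: both queues exist, are owned by the
# expected users and carry the expected modes. Returns 1 on any mismatch
# and reports each problem on stderr.
check_label_queues() {
    root=$1; seclbl=$2; mta_owner=$3; msp_owner=$4; rc=0
    for spec in "mqueue $mta_owner drwx------" "clientmqueue $msp_owner drwxrwx---"; do
        set -- $spec
        p="$root/$seclbl/$1"
        if [ ! -d "$p" ]; then
            echo "missing $p" >&2; rc=1; continue
        fi
        # ls -ld prints: mode links owner group ... ; portable across POSIX systems
        mode=$(ls -ld "$p" | awk '{print $1}' | cut -c1-10)
        owner=$(ls -ld "$p" | awk '{print $3}')
        [ "$owner" = "$2" ] || { echo "$p owned by $owner, expected $2" >&2; rc=1; }
        [ "$mode" = "$3" ] || { echo "$p mode $mode, expected $3" >&2; rc=1; }
    done
    return $rc
}
```

Run check_label_queues once per supported label after the directories are created; a label that has no queue directories (such as SYSMULTI) is reported as missing rather than silently accepted.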
- Change statements in the sendmail.mc configuration file
as follows:
- Change the location of the daemon pid file so that there
is a separate one for each security label:
define(`confPID_FILE', `/var/spool/secsymr/sendmail.pid')dnl
- Change the location of the local host names file so
that there is a separate one for each security label:
define(`confCW_FILE', `/etc/secsymr/local-host-names')dnl
- Change the location of the queue directories:
define(`MSP_QUEUE_DIR', `/var/spool/secsymr/clientmqueue')dnl
define(`QUEUE_DIR', `/var/spool/secsymr/mqueue')dnl
- Define configuration file variables for the local host
name and domain name:
define(`MLS_hostname', esyscmd(`hostname -s'))dnl
define(`MLS_domain', esyscmd(`domainname'))dnl
- Change the DAEMON_OPTIONS statements. Code
the ADDR parameter, specifying the unqualified local host name. For
each sendmail daemon you start, this name will be resolved within
the domain specific to the security label that daemon is running under.
For example:
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Name=MTA, Addr='MLS_hostname`, Family=inet ')dnl
DAEMON_OPTIONS(`Name=MSA, Port=587, Addr='MLS_hostname`, Family=inet ')dnl
- Change statements in the submit.mc configuration file as
follows:
- Change the location of the client queue directory:
define(`MSP_QUEUE_DIR', `/var/spool/secsymr/clientmqueue')dnl
- Define configuration file variables for the local host
name and domain name:
define(`MLS_hostname', esyscmd(`hostname -s'))dnl
define(`MLS_domain', esyscmd(`domainname'))dnl
- Change the FEATURE(`msp') statement. Code
the unqualified local host name for this system. For each user that
invokes /bin/sendmail, this name will be resolved within the domain
specific to the security label that user is running under. For example:
FEATURE(`msp', MLS_hostname)
Tip: If MX records in DNS should not be searched, brackets [] must be placed around the name or address.
- Use the m4 compiler to create sendmail.cf and submit.cf
files as follows:
- Create symbolic links for the submit.cf and sendmail.cf
files:
ln -s /etc/seclbl/mail/submit.cf /etc/mail/submit.cf
ln -s /etc/seclbl/mail/sendmail.cf /etc/mail/sendmail.cf
- Log on with each security label to be supported for
mail and create the .cf files:
/etc/m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
/etc/m4 /etc/mail/submit.mc > /etc/mail/submit.cf
- Create new system mailbox directories for each supported
security label. When sendmail is configured to use /usr/lib/tsmail,
you must configure /usr/mail to be a symbolic link to a security label-specific
directory. The following approach creates a set of security label-specific
mount points for mail file systems:
- Log on as a superuser with the SYSMULTI security label
and issue the following UNIX System Services commands:
mkdir /mailmnt
ln -s '$SYSSECR/mail' /usr/mail
Tip: If a program other than /usr/lib/tsmail is used, these commands might need to be adjusted accordingly.
- Perform the following steps for each security label supported for mail on the system:
- Log on to a superuser ID using the security label.
- Set an environment variable to your current security label as
follows:
export SL=$(id -M)
- Issue the following UNIX System Services command:
mkdir /mailmnt/$SL
- Start a separate instance of the sendmail daemon for each
security label you need to support. For instructions on
setting up the appropriate user IDs and groups for sendmail, see Steps for configuring z/OS UNIX sendmail. You can start sendmail daemons
either from UNIX System Services
or as started procedures. See the EZARACFM sample for examples of
defining user IDs and STARTED class profiles for sendmail. Repeat
either of the following steps to start a sendmail daemon for each
supported security label:
- From UNIX System Services:
- Log on to UNIX System Services with the security label that you want to support.
- Start the sendmail daemon from the command line.
- From the MVS™ console:
- Add a user ID and permit the user ID to the appropriate security label.
- Use the STARTED class to assign the user ID with the appropriate security label to the procedure.
- Start the procedure from the MVS console or using the AUTOLOG statement in PROFILE.TCPIP.