Trusted Solaris Administrator's Procedures

Managing Mail (Tasks)

To Enable the IMAP Server to Authenticate Users

This procedure enables the mail server in a NIS+ domain to authenticate users, while protecting the NIS+ password table from being read.

  1. On the NIS+ master, assume the System Administrator role and go to an ADMIN_LOW workspace.

  2. Open the System_Admin folder in the Application Manager.

  3. Double-click the Add to NIS+ Administrative Group action and enter the IMAP server in its full principal name.

    The principal name has the format hostname.subdomain.domain.suffix. (including the trailing period). For example:


    Group Name: admin
    Principal Name: pigeon.aviary.eco.org.
    

    Note -

    Remember to type a period (.) at the end of the domain name.


To Configure Users To Receive Mail Below Their Minimum Labels

The sendmail.cf option that handles incoming mail labeled below the recipient's minimum label (LabelTooLow in the fragment shown in Step 3) takes one of three values:

  • upgrade means to upgrade the low-labeled message to the recipient's minimum label and deliver it.

  • accept means to leave the message at its low label and deliver it.

  • return means to return the message to the sender (the default).

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Use the Set Mail Options action in the System_Admin folder in the Application Manager to open the sendmail.cf file for editing.

  3. Search for TSOL, and change the default settings to reflect site security policy.


    # TSOL: Incoming mail below recipient's minimum label
    # Possible values are return, upgrade, or accept
    #O LabelTooLow=return
    # Special case for mail labeled admin_low
    #O LabelAdminLow=upgrade

To Modify a Mail Alias

  1. Assume the System Administrator role and go to an ADMIN_LOW workspace.

  2. Launch the SMC, open the Trusted Solaris Configuration toolbox, and choose the appropriate name service scope for your site (NIS or NIS+).

  3. Double-click the Users tool and enter the role password when prompted.

  4. Double-click the Mailing Lists tool, and follow the online help for creating and modifying mailing lists.

To Permit Users to See the Mail Queue

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace on the system where you want a user to be able to list the mail queue.

  2. Use the Set Mail Options action in the System_Admin folder in the Application Manager to open the sendmail.cf file for editing.

  3. Search for the restrictmailq option in the file.


    # Privacy flags
    O PrivacyOptions=authwarnings,restrictmailq
  4. Remove the restrictmailq option.


    # Privacy flags
    O PrivacyOptions=authwarnings
  5. Save and quit the file.

  6. Open the SMC at the appropriate scope and assign the Mail Management rights profile to the user.

    The user can now use the mailq and sendmail -bp commands to show the mail queue at labels dominated by the user's process.
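As an added example, not from the Trusted Solaris manual, the following POSIX shell script audits the sendmail.cf options that the two procedures above have you edit by hand (LabelTooLow and LabelAdminLow, and the restrictmailq privacy flag), and applies the Step 4 removal of restrictmailq to a constructed sample file; the function names and the sample fragment are assumptions of this example, not part of the product.

```shell
# effective_option FILE NAME: print the value sendmail will use for option NAME.
effective_option() {
    file=$1; name=$2
    # An explicit (uncommented) "O Name=value" line wins; take the last one.
    val=$(sed -n "s/^O *$name=//p" "$file" | tail -n 1)
    if [ -z "$val" ]; then
        # Otherwise the commented "#O Name=value" line documents the default.
        val=$(sed -n "s/^#O *$name=//p" "$file" | tail -n 1)
    fi
    printf '%s\n' "${val:-unset}"
}

# mailq_restricted FILE: succeed when restrictmailq is among the PrivacyOptions,
# i.e. ordinary users cannot list the queue with mailq or sendmail -bp.
mailq_restricted() {
    effective_option "$1" PrivacyOptions | tr ',' '\n' | grep -qx restrictmailq
}

# allow_mailq FILE: Step 4 of "To Permit Users to See the Mail Queue", dropping
# restrictmailq from the PrivacyOptions line wherever it sits in the list.
allow_mailq() {
    sed -e '/^O *PrivacyOptions=/s/,restrictmailq//' \
        -e '/^O *PrivacyOptions=/s/=restrictmailq,/=/' \
        -e '/^O *PrivacyOptions=/s/=restrictmailq$/=/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# tsol_report FILE: one line per option the mail procedures on this page touch.
tsol_report() {
    for opt in LabelTooLow LabelAdminLow PrivacyOptions; do
        printf '%-15s %s\n' "$opt" "$(effective_option "$1" "$opt")"
    done
}

# Constructed sample sendmail.cf fragment (not a real site file): LabelTooLow
# explicitly set to accept, LabelAdminLow left at its default, stock privacy flags.
SAMPLE_CF=$(mktemp)
cat > "$SAMPLE_CF" <<'EOF'
# TSOL: Incoming mail below recipient's minimum label
# Possible values are return, upgrade, or accept
O LabelTooLow=accept
# Special case for mail labeled admin_low
#O LabelAdminLow=upgrade
# Privacy flags
O PrivacyOptions=authwarnings,restrictmailq
EOF

tsol_report "$SAMPLE_CF"
```

Run tsol_report against the real sendmail.cf on each mail server to confirm the site policy before and after editing it with the Set Mail Options action.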

To Troubleshoot Mail Delivery Difficulties

  1. Check that there is a properly configured network connection between the sending and receiving hosts, as detailed in "To Check Network Connections for Sending Mail".

  2. Check the nsswitch.conf file and the mail aliases repositories.

    sendmail consults the local /aliases file, the NIS map mail.aliases, or the NIS+ mail_aliases table when determining where to deliver mail. Which alias file it consults depends on the nsswitch.conf(4) entry for aliases.

    For example, mail to janez from a process on her Trusted Solaris desktop tern would not go to janez@tern if sendmail consults the NIS+ mail_aliases table and finds an alias of janez@egret in that table for user janez.

To Trace sendmail for Trusted Solaris Information

  1. Assume the System Administrator role and go to an ADMIN_LOW workspace.

  2. Go to the /etc/init.d directory and stop sendmail.


    $ cd /etc/init.d
    $ ./sendmail stop
    
  3. Debug sendmail with the sendmail -d command, giving it debug category 75, optionally followed by a dot (.) and a level, then a space and the recipient's address, and then a message.

    A message can be included either by redirecting the contents of a file to the address, as shown below, or by entering return at the end of the line. In the latter case, a Subject: prompt comes up; after entering the subject, you can create a message from the command line, using the syntax of the mail(1) command.


    $ /usr/lib/sendmail -d75.9 janez@tern < /etc/motd
    
  4. Review the error messages.

  5. Restart sendmail when you are through.


    $ cd /etc/init.d
    $ ./sendmail start
    
  6. Return to Step 7 in "To Check Network Connections for Sending Mail" if the user still has trouble sending or receiving mail.

To Check Network Connections for Sending Mail

  1. As a user, send mail using the mailx command.


    tern% mailx -v somebody@somehost
    Subject: test1
    test1
    .

    Review the messages from mailx.

  2. Log in to the sending host or, if the mail server is not the same as the sending host, log in to the mail server at the label at which the user sends mail.

  3. Use the telnet command to connect to port 25 of the receiving host.


    egret% telnet hostname 25
    

    If the connection is properly set up, that is, if the trusted networking databases for the sending and the receiving hosts have the correct labels, the sendmail on the destination host prints a message like:


    220 hostname Sendmail version ready at date
    

    End the connection by typing quit.


    quit
    
    • If the connection seems to be set up properly, go to the following step.

    • If telnet sends an error message, then the connection is not properly set up. Use the following table to determine the next step.

    Type of host                                Go to ...
    --------------------------------------------------------------
    Trusted Solaris host                        Step 7 and Step 8
    label-cognizant non-Trusted Solaris host    Step 9
    unlabeled host (such as Solaris)            Step 10

  4. Assume a role with the Mail Management right.

  5. At the label of the outgoing mail, list the mail queue on the sending host or, if the mail server is not the same as the sending host, list the mail queue on the mail server.


    $ mailq | more 
    

    Check the list to see if the mail is stuck on the mail server.

  6. Try the procedure under "To Trace sendmail for Trusted Solaris Information".

  7. If the destination host is running a Trusted Solaris 2.5.1 or later release, do these steps to make sure the intended recipient is able to receive mail within Trusted Solaris security policy:

    1. Check that the recipient has a valid user account.

      In the Trusted Solaris 8 and Trusted Solaris 8 4/01 releases, use the SMC User Accounts tool. In Trusted Solaris 2.5.1 and Trusted Solaris 7, use the Solstice User Manager.

    2. Note the account's minimum label and clearance.

    3. Check that the label of the mail is within the System Accreditation range of the destination host as specified in the label_encodings(4) file.

      sendmail does not deliver mail if the label of the mail is outside the System Accreditation Range.

    4. Check that the label of the mail is within the User Accreditation Range of the destination host as specified in the label_encodings(4) file.

      If the label of the mail is inside the System Accreditation Range but outside the User Accreditation Range, such as mail sent at ADMIN_LOW and ADMIN_HIGH, go to Step 8.

    5. Suggested fix:

      1. If the label of the mail being sent is not in the recipient's label range, try to find a mutually-acceptable label for the sender and the recipient. If one is found, change the label and try again.

      2. If the mail goes through, instruct the sender to send mail to that recipient at the mutually-acceptable label.

    6. If the mail is below the minimum label of the recipient, change the default Trusted Solaris options in the sendmail.cf file, if doing so is consistent with your site's security policy.

      See "Users Cannot Read Email Below Minimum Label" and "To Configure Users To Receive Mail Below Their Minimum Labels".

    7. To enable anyone to receive mail from system processes outside the User Accreditation Range when the tsoladminlowaccept or tsolotherlowreturn options are used, use the Rights tool to give the user the solaris.label.range authorization.

      The default administrative roles have the needed authorization in their profiles.

  8. For a destination host running the Trusted Solaris operating environment, check that the sending host has properly configured tnrhdb and tnrhtp entries for the receiving host.


    Note -

    You can use the tninfo(1M) command to check the tnrhdb(4)/tnrhtp(4) configuration. The -h hostname option lists the name of the template assigned to the specified host, while the -t template_name option lists the entries specified in the template, including the host type.


    1. Check that the destination host has the correct template name assigned to it in the tnrhdb database, and that the template in the tnrhtp file correctly specifies sun_tsol as the host type.

    2. Check that the minimum and maximum label set in the assigned template in tnrhtp allow communications at the label of the mail that is not being delivered.

    3. Once these checks are passed, try Step 3 in "To Check Network Connections for Sending Mail" to confirm that the network connection works.

  9. For a labeled destination host that is not a Trusted Solaris system, check that the sending host has properly configured tnrhdb/tnrhtp entries for the receiving host.

    Read the tnrhtp(4) man page if necessary to find out the correct host type and other options to specify in the template assigned to the host. For example, CIPSO type hosts require certain options, and RIPSO type hosts require other options.

    1. Create a template or use an appropriate one in the tnrhtp, and check that the correct template is assigned to the host in the tnrhdb database.

      Double-check the attributes in the template, for example, host type and label range.

    2. Once these checks are passed, try Step 3 in "To Check Network Connections for Sending Mail" to confirm that the network connection works.

  10. If the destination host is running an unlabeled operating system, check that the sending host has properly configured tnrhdb/tnrhtp entries for the receiving host.

    1. Check that the destination host has been assigned the correct template name in the tnrhdb database, and that the template correctly defines the host's type as unlabeled.

    2. Check that the default label for the unlabeled host in the assigned template in the tnrhtp allows communications at the label of the mail that is not being delivered.

    3. Once these checks are passed, try Step 3 in "To Check Network Connections for Sending Mail" to confirm that the network connection works.

To Troubleshoot Loss of Mail Icons

If all mail icons disappear from the Front Panel, replace them from the $HOME/.dt/fp.dynamics directory.

  1. Assume the System Administrator role and go to an ADMIN_HIGH workspace.

  2. Investigate the account's .dt/fp.dynamics directory in its home directory.

    During the operation of the system, all changes to the Front Panel are stored in each account's .dt/fp.dynamics directory at the session clearance.

  3. Copy the contents of fp.dynamics to a backup directory and restore the files one by one until the Front Panel configuration is restored.

To Create a Multilevel Action for the Alternate Mail Application

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Use the Admin Editor action from the System_Admin folder to bring up the /usr/dt/appconfig/types/C/dtwm.fp file to edit.

  3. Find the control section for mail shown below.


    CONTROL Mail
    {
      TYPE                  icon
      CONTAINER_NAME        Top
      CONTAINER_TYPE        BOX
      POSITION_HINTS        5
      ICON                  DTmail
      LABEL                 Mail
      ALTERNATE_ICON        DtMnew
      MONITOR_TYPE          mail
      DROP_ACTION           Compose
      PUSH_ACTION           DTWmail
      PUSH_RECALL           true
      CLIENT_NAME           dtmail
      HELP_TOPIC            FPOnItemMail
      HELP_VOLUME           FPanel
    }
  4. Copy the control text to a file whose name has the .fp extension, for example, mail.fp, and quit the dtwm.fp file.

  5. Bring up the Admin Editor action from the System_Admin folder and open the new mail.fp file for editing.

  6. Change the title of the mail control to OW_Mail.


    CONTROL OW_Mail
  7. Change the following variables to the following values:


     ICON          OWmailtool
     LABEL         OW Mail Tool
    
     PUSH_ACTION    OWmailtool
    
     CLIENT_NAME   mailtool

    The ICON field identifies the icon of the replacement application.

    The LABEL field changes the icon label that appears with the icon of the replacement application.

    The PUSH_ACTION field identifies the replacement action to be run when the user clicks on the new mail icon. The action name supplied here must be defined in one of the application search paths. The OWmailtool action shown is defined in sunOW.dt in the /usr/dt/appconfig/types/locale directory.

    The CLIENT_NAME field identifies the executable for the replacement application. The path for CLIENT_NAME must be defined by an EXEC_STRING in the action's definition. For example, the OWmailtool action has EXEC_STRING defined as /usr/openwin/bin/mailtool.

  8. Change DROP_ACTION or leave as shown below.


     DROP_ACTION     Compose

    Other mailers may or may not have a Compose action; OpenWindows mailtool, for example, does not. If you leave the DROP_ACTION as Compose, dragging mail to the mail icon brings up a dtmail Compose window. If you remove the DROP_ACTION, nothing happens when mail is dragged to the mail icon.

  9. Leave the rest of the variables unchanged, as shown below.


     TYPE                   icon
     CONTAINER_NAME         Top
     CONTAINER_TYPE         BOX
     POSITION_HINTS         5
    
    
     ALTERNATE_ICON        DtMnew
     MONITOR_TYPE          mail
    
     PUSH_RECALL           true
    
     HELP_TOPIC            FPOnItemMail
     HELP_VOLUME           FPanel

    When PUSH_RECALL is true, an application that is launched for a second time uses an existing application window.

  10. Save the changes and quit the file.

  11. Place the mail.fp file in an accessible directory, such as $HOME/secadmin.


    $ mv mail.fp /home/secadmin/cde_changes/
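As an added example that is not part of the manual, this POSIX shell script derives the OW_Mail control of Steps 3 to 9 from the stock CONTROL Mail block of a dtwm.fp file with awk, so that every system gets an identical mail.fp, and reads fields back so the generated file can be checked before it is installed; the function names and the stand-in dtwm.fp are assumptions of this example.

```shell
# make_ow_control DTWM_FP: print the CONTROL Mail block of a dtwm.fp file
# renamed to OW_Mail, with ICON, LABEL, PUSH_ACTION and CLIENT_NAME pointed at
# the OpenWindows mailtool; every other field is copied through unchanged.
make_ow_control() {
    awk '
        /^CONTROL Mail$/ { inblk = 1; print "CONTROL OW_Mail"; next }
        !inblk { next }
        $1 == "ICON"        { print "  ICON                  OWmailtool";   next }
        $1 == "LABEL"       { print "  LABEL                 OW Mail Tool"; next }
        $1 == "PUSH_ACTION" { print "  PUSH_ACTION           OWmailtool";   next }
        $1 == "CLIENT_NAME" { print "  CLIENT_NAME           mailtool";     next }
        { print; if ($0 ~ /^}/) inblk = 0 }
    ' "$1"
}

# control_field FP_FILE CONTROL FIELD: print the value of FIELD inside the
# named CONTROL, so the generated file can be checked before it is installed.
control_field() {
    awk -v ctl="$2" -v fld="$3" '
        $1 == "CONTROL" { cur = $2; next }
        cur == ctl && $1 == fld {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
        }
    ' "$1"
}

# Constructed stand-in for /usr/dt/appconfig/types/C/dtwm.fp holding the
# CONTROL Mail section quoted in Step 3.
DTWM_FP=$(mktemp)
cat > "$DTWM_FP" <<'EOF'
CONTROL Mail
{
  TYPE                  icon
  CONTAINER_NAME        Top
  CONTAINER_TYPE        BOX
  POSITION_HINTS        5
  ICON                  DTmail
  LABEL                 Mail
  ALTERNATE_ICON        DtMnew
  MONITOR_TYPE          mail
  DROP_ACTION           Compose
  PUSH_ACTION           DTWmail
  PUSH_RECALL           true
  CLIENT_NAME           dtmail
  HELP_TOPIC            FPOnItemMail
  HELP_VOLUME           FPanel
}
EOF

MAIL_FP=$(mktemp)              # the mail.fp of Step 4, to be placed per Step 11
make_ow_control "$DTWM_FP" > "$MAIL_FP"
cat "$MAIL_FP"
```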
    

To Substitute an Alternate Mail Application for All Users


Caution -

Do this procedure on every system before users start getting mail. If you do it later, you will need to clean up the contents of directories created by the window system in every .dt/fp.dynamics directory in every SLD in every home directory MLD.


  1. Make sure that the alternate mail action has been fully tested.

  2. Assume the System Administrator role and go to an ADMIN_LOW workspace.

  3. In a terminal, go to the /etc/init.d directory and stop sendmail.


    $ cd /etc/init.d
    $ ./sendmail stop
    
  4. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  5. Use the Admin Editor to replace the CONTROL Mail section of the /usr/dt/appconfig/types/locale/dtwm.fp file with the contents of the mail.fp file.

    Replace --


    CONTROL Mail
    {
      TYPE                  icon
      CONTAINER_NAME        Top
      CONTAINER_TYPE        BOX
      POSITION_HINTS        5
      ICON                  DTmail
      LABEL                 Mail
      ALTERNATE_ICON        DtMnew
      MONITOR_TYPE          mail
      DROP_ACTION           Compose
      PUSH_ACTION           DTWmail
      PUSH_RECALL           true
      CLIENT_NAME           dtmail
      HELP_TOPIC            FPOnItemMail
      HELP_VOLUME           FPanel
    }

    With the contents of the mail.fp file --


    CONTROL OW_Mail
    {
      TYPE                  icon
      CONTAINER_NAME        Top
      CONTAINER_TYPE        BOX
      POSITION_HINTS        5
      ICON                  OWmailtool
      LABEL                 OW Mail Tool
      ALTERNATE_ICON        DtMnew
      MONITOR_TYPE          mail
      DROP_ACTION           Compose
      PUSH_ACTION           OWmailtool
      PUSH_RECALL           true
      CLIENT_NAME           mailtool
      HELP_TOPIC            FPOnItemMail
      HELP_VOLUME           FPanel
    }
  6. Change the name of the CONTROL back to Mail and save the dtwm.fp file.


    CONTROL Mail
    :wq
  7. If the system has been receiving mail, remove all contents of the $HOME/.dt/fp.dynamics directory.

  8. Restart the Workspace Manager from the workspace menu to see the changes to the dtwm.fp go into effect in the Front Panel.

  9. Assume the System Administrator role and go to an ADMIN_LOW workspace.

  10. In a terminal emulator such as dtterm, restart sendmail.


    $ cd /etc/init.d
    $ ./sendmail start
    

To Install an Alternate Mailer in the Front Panel

  1. Assume the System Administrator role and go to an ADMIN_LOW workspace on the system where you want to install an alternate mail program.

  2. In a terminal, go to the /etc/init.d directory and stop sendmail.


    $ cd /etc/init.d
    $ ./sendmail stop
    
  3. Using the File Manager, change to the directory where the alternate mail application's control file (mail.fp) resides.

    The Security Administrator placed it in an accessible directory in Step 11 of "To Create a Multilevel Action for the Alternate Mail Application".

  4. Add mail.fp to the /usr/dt/appconfig/types/locale or /etc/dt/appconfig/types/locale directory.

  5. Go to a user workspace.

  6. Click the Mailer subpanel access button to bring up the subpanel.

  7. Drag the icon for the alternate mailer's front panel control file to the Install Icon dropsite in the Mailer subpanel.

    The icon for the alternate mail application should appear in the Mail slider.

  8. Click the right mouse button while the pointer is over the alternate mail icon and select Copy to Main Panel.

  9. Remove each old mail icon in the subpanel by clicking the right mouse button over an icon for the old application and selecting Delete.


    Note -

    Remove all old icons. You cannot have a mixture of mail applications running at the same time.


  10. Select Restart Workspace Manager from the Workspace Menu to adjust the size of the subpanel.

  11. Return to the System Administrator workspace and restart sendmail.


    $ cd /etc/init.d
    $ ./sendmail start
    
  12. If this is an end user system, delete the System Administrator workspace.