Trusted Solaris Administrator's Procedures

To Check Network Connections for Sending Mail

  1. As a user, send mail using the mailx command.


    tern% mailx -v somebody@somehost
    Subject: test1
    testl
    .

    Review the messages from mailx.

  2. Log in to the sending host or, if the mail server is not the same as the sending host, log in to the mail server at the label at which the user sends mail.

  3. Use the telnet command to connect to port 25 of the receiving host.


    egret% telnet hostname 25
    

    If the connection is properly set up, that is, the trusted networking databases for the sending and the receiving hosts have the correct labels, the sendmail on the destination host prints a message like:


    220 hostname Sendmail version ready at date
    

    End the connection by typing quit.


    quit
    
    • If the connection seems to be set up properly, go to the following step.

    • If telnet sends an error message, then the connection is not properly set up. Use the following table to determine the next step.

    Type of host                                Go to ...
    ------------------------------------------  -----------------
    Trusted Solaris host                        Step 7 and Step 8
    label-cognizant non-Trusted Solaris host    Step 9
    unlabeled host (such as Solaris)            Step 10

  4. Assume a role with the Mail Management right.

  5. At the label of the outgoing mail, list the mail queue on the sending host or, if the mail server is not the same as the sending host, list the mail queue on the mail server.


    $ mailq | more 
    

    Check the list to see if the mail is stuck on the mail server.

  6. Try the procedure under "To Trace sendmail for Trusted Solaris Information".

  7. If the destination host is running a Trusted Solaris 2.5.1 or later release, do these steps to make sure that the recipient is able to receive mail within Trusted Solaris security policy:

    1. Check that the recipient has a valid user account.

      In the Trusted Solaris 8 and Trusted Solaris 8 4/01 releases, use the SMC User Accounts tool. In Trusted Solaris 2.5.1 and Trusted Solaris 7, use the Solstice User Manager.

    2. Note the account's minimum label and clearance.

    3. Check that the label of the mail is within the System Accreditation Range of the destination host as specified in the label_encodings(4) file.

      sendmail does not deliver mail if the label of the mail is outside the System Accreditation Range.

    4. Check that the label of the mail is within the User Accreditation Range of the destination host as specified in the label_encodings(4) file.

      If the label of the mail is inside the System Accreditation Range but outside the User Accreditation Range, such as mail sent at ADMIN_LOW and ADMIN_HIGH, go to Step 8.

    5. Suggested fix:

      1. If the label of the mail being sent is not in the recipient's label range, try to find a mutually-acceptable label for the sender and the recipient. If one is found, change the label and try again.

      2. If the mail goes through, instruct the sender to send mail to that recipient at the mutually-acceptable label.

    6. If the mail is below the minimum label of the recipient, change the default Trusted Solaris options in the sendmail.cf file, if doing so is consistent with your site's security policy.

      See "Users Cannot Read Email Below Minimum Label" and "To Configure Users To Receive Mail Below Their Minimum Labels".

    7. To enable anyone to receive mail from system processes outside the User Accreditation Range if the tsoladminlowaccept or tsolotherlowreturn options are used, use the Rights tool to give the user the solaris.label.range authorization.

      The default administrative roles have the needed authorization in their profiles.

  8. For a destination host running the Trusted Solaris operating environment, check that the sending host has properly configured tnrhdb and tnrhtp entries for the receiving host.


    Note -

    You can use the tninfo(1M) command to check the tnrhdb(4)/tnrhtp(4) configuration. The -h hostname option lists the name of the template assigned to the specified host, while the -t template_name option lists the entries specified in the template, including the host type.


    1. Check that the destination host has the correct template name assigned to it in the tnrhdb database, and that the template in the tnrhtp file correctly specifies sun_tsol as the host type.

    2. Check that the minimum and maximum label set in the assigned template in tnrhtp allow communications at the label of the mail that is not being delivered.

    3. Once these checks are passed, try Step 3 in "To Check Network Connections for Sending Mail" to confirm that the network connection works.

  9. For a labeled destination host that is not a Trusted Solaris system, check that the sending host has properly configured tnrhdb/tnrhtp entries for the receiving host.

    Read the tnrhtp(4) man page if necessary to find out the correct host type and other options to specify in the template assigned to the host. For example, CIPSO type hosts require certain options, and RIPSO type hosts require other options.

    1. Create a template or use an appropriate one in the tnrhtp, and check that the correct template is assigned to the host in the tnrhdb database.

      Double-check the attributes in the template, for example, host type and label range.

    2. Once these checks are passed, try Step 3 in "To Check Network Connections for Sending Mail" to confirm that the network connection works.

  10. If the destination host is running an unlabeled operating system, check that the sending host has properly configured tnrhdb/tnrhtp entries for the receiving host.

    1. Check that the destination host has been assigned the correct template name in the tnrhdb database, and that the template correctly defines the host's type as unlabeled.

    2. Check that the default label for the unlabeled host in the assigned template in the tnrhtp allows communications at the label of the mail that is not being delivered.

    3. Once these checks are passed, try Step 3 in "To Check Network Connections for Sending Mail" to confirm that the network connection works.
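
The label range checks in Step 7 and Step 8 can be reasoned about as label dominance: a label is in range when it dominates the range minimum and is dominated by the range maximum. The following is an added example, not part of the original procedure or of Trusted Solaris itself; it is a simplified model in which the classification names, compartment names and function names are constructed, since a real site takes them from its label_encodings(4) file.

```python
# Constructed classifications for illustration; a real site defines its
# classifications and compartments in label_encodings(4).
LEVELS = {"PUBLIC": 1, "CONFIDENTIAL": 2, "SECRET": 3}
ADMIN = ("ADMIN_LOW", "ADMIN_HIGH")


def parse_label(text):
    """Parse 'CLASSIFICATION [COMPARTMENT ...]' or an administrative label."""
    words = text.split()
    if not words:
        raise ValueError("empty label")
    if words[0] in ADMIN:
        if len(words) > 1:
            raise ValueError("administrative labels take no compartments")
        return words[0]
    if words[0] not in LEVELS:
        raise ValueError("unknown classification: " + words[0])
    return (LEVELS[words[0]], frozenset(words[1:]))


def dominates(a, b):
    """True if label a dominates label b."""
    # ADMIN_HIGH dominates every label; every label dominates ADMIN_LOW.
    if a == "ADMIN_HIGH" or b == "ADMIN_LOW":
        return True
    if a == "ADMIN_LOW" or b == "ADMIN_HIGH":
        return False
    # Classification must be at least as high AND compartments a superset.
    return a[0] >= b[0] and a[1] >= b[1]


def check_mail_label(mail, range_min, range_max):
    """Report whether the mail's label lies within [range_min, range_max]."""
    m, lo, hi = (parse_label(s) for s in (mail, range_min, range_max))
    if not dominates(m, lo):
        return "rejected: label does not dominate the range minimum"
    if not dominates(hi, m):
        return "rejected: label is not dominated by the range maximum"
    return "in range"


if __name__ == "__main__":
    # Constructed range, not taken from any real tnrhtp entry or user account.
    for mail in ("CONFIDENTIAL A", "CONFIDENTIAL C", "ADMIN_LOW"):
        print(mail, "->", check_mail_label(mail, "PUBLIC", "SECRET A B"))
```

The second sample label shows why comparing classifications alone is not enough: CONFIDENTIAL lies between PUBLIC and SECRET, but compartment C is not in the maximum label, so the mail is out of range.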