I should have qualified my statements acknowledging that sendmail can often be 
used as an open relay.  In this case, we're sending email only outbound, and 
the IPSEC firewall pretty much precludes anyone from off platform connecting to 
the SMTP mail daemon on z/OS USS.

You assert that CSSMTP was designed to eliminate those exposures...  Which 
refers back to the open relay discussion... Certainly can't deny that CSSMTP 
cannot be used as an open SMTP mail gateway.  My assertion would be that it's 
not because it closes the vulnerabilities inherent to sendmail being usable as 
an open gateway --- rather it implements an entirely different protocol that 
the SMTPD used and thus precludes any clients using SMTP as a protocol to 
communicate with a sendmail daemon local to the platform.  That's NOT a 
design...

Yes.  I agree that most mainframe email is outbound only.  


On Thu, 21 Mar 2019 17:47:28 +0000, Allan Staller <[email protected]> wrote:

>CSSMTP was designed to mitigate several concerns with the SMTP client.
>
>As far as I can recall, there were some configuration options that, if not 
>addressed, allowed the SMTP client to be a mail relay (among several others).
>CSSMTP was designed to eliminate those exposures.
>
>I am not aware of any shops that use SMTP "to the mainframe".  i.e. the 
>mainframe is not usually the target for inbound communications.
>This would require an "email server" to be running on the mainframe (HRC 
>anyone?)
>
>In most cases, and part of the logic related to the design of CSSMTP, is the 
>"predicate" that the mainframe is only interested in outbound communications.
>
>Not sure if the above addresses your original issue,
>
>HTH,
>
>
>
>
>-----Original Message-----
>From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
>Baxter, Bruce (ITS)
>Sent: Thursday, March 21, 2019 11:03 AM
>To: [email protected]
>Subject: SMTP Mail from z/OS
>
>I'm going to cross post this to mvs-oe as well as here...
>
>The folks that support Comm Server in-house have approached me about replacing 
>the SMTPD (which is apparently a USS / OE facility) with CSSMTP, and I've got 
>some thoughts about the particulars of their implementation that don't sit 
>well with me.
>
>I'm a relatively passionate and ardent z mainframe bigot - it's a great 
>platform to work on.  As mainframe folks tend to be, I'm a student of many 
>platforms.  I was shocked when I went back and looked that I wrote an SMTP 
>client in Cobol a full 25 years ago that is deeply imbedded in all my shop's 
>batch jobs sending reports and notifications.   SMTP Port 25 sendmail / 
>postfix is a staple and de facto standard worldwide as far as I can tell...
>
>When we had issues with our Lotus Notes MTA being reliably available and I 
>couldn't prevail on the owners of that to make it enterprise bulletproof, we 
>had our z/OS Comm Server folks fire up the local USS SMTPD sendmail daemon.  
>It's been announced that function will be deprecated in the future and will be 
>replaced by CSSMTP.  After reading through the doc, I can't help but think 
>that IBM z/OS CS support has lost their marbles.  They're removing support for 
>clients that want to send email via a local sendmail daemon listening on port 
>25 (or 587).  That doesn't make sense...
>
>So my questions are:
>
>
>  *   Is anyone else using a local sendmail daemon on their system?  From MVS? 
>  From USS?
>  *   Has anyone seen the process that is documented by the Sendmail / CSSMTP 
> bridge used ANYWHERE but on z/OS?  (I've never seen any script that used the 
> sendmail command to send mail on any Linux or AIX system I've been on - 
> they'd all use the mail command)
>  *   Is anyone using JES spool to send email off the platform?
>
>
>
>Bruce Baxter
>Assistant Director of IT | Revenue and Employment Portfolio | Architecture
>
>Office of Information Technology Services Building 8, W.A. Harriman State 
>Office Campus, Albany, NY 12227  7th floor, #137
>(518) 292-7846 | [email protected]<mailto:[email protected]>
>www.its.ny.gov
>
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
>[email protected] with the message: INFO IBM-MAIN