By connecting (SSH, “admin” user) to a Symantec Brightmail Gateway appliance 1, you are left in a restricted shell where only a limited set of commands is available. The undocumented “set-support” command may come in handy: it assigns a temporary password to the “support” user, a normal unix account with a standard shell.

giuliano@balrog ~ $ ssh admin@
admin@'s password:

bmail> set-support
Warning: Do NOT execute this script without explicit direction from a Symantec
Customer Support person.
Changing password for user support.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
User support enabled until 01/04/2010.
bmail> logout
Connection to closed.

giuliano@balrog ~ $ ssh support@
support@'s password:

[support@bmail support]$ echo $SHELL

What’s nice about the “support” user is that he can run tcpdump and access useful logfiles, e.g.:

support@bmail support]$ tail -f /data/logs/stats.maillog
2007 Mar 30 11:36:17 (info) delivery-mta/smtp[2008]: 45A689A9: to=, relay=[], delay=0, status=sent (250 OK)

A note about the restricted shell command “watch maillog” and the “/data/logs/stats.maillog” file.
The latter is the truly useful MTA log file (holding a realtime record of which messages are relayed through the appliance), while the “watch maillog” command shows entirely different stuff. There used to be a proper “watch stats.maillog” command, but at some point Symantec decided to remove it, can’t really tell why.

I originally learnt about the “set-support” command here (Symantec Support Forums).

If you need full root access, you can restart the appliance, break into GRUB’s command line interface, append a “1” to the kernel parameters in order to boot to runlevel 1 (single user mode). There you can change the root password to whatever you like and make Symantec’s Tech Support upset. 🙂 I had to do it a couple of times to replace a failed disk, though…

  1. Or Symantec Mail Security, like it was previously called. It’s an antispam device, coming in either hardware or virtual (VMware) appliance versions. Models I’ve seen: 8240, 8260. Almost “install and forget”, if you ask me. That means it works quite well! 😉