GENERAL OUTLINE =============== TITLE: Sendmail LFS VERSION: 3.1+ AUTHOR: Sam Halliday SYNOPSIS: This hint covers the building and configuring of a Sendmail/Procmail mail handling system, with Sendmail not running as root. Some mail clients are recommended. ACKNOWLEDGEMENTS: Based on the sendmail hint by J. Jones CHANGELOG: 0.1 first release with a changelog, added spam support and better 'cf' support 0.1.1 fixed typo in the 'mc' file 0.1.2 added extra spam support 0.1.3 fix a file locking security bug 0.1.4 fix the fix i didnt really fix ;) 0.1.5 fix permissions, restructure and upgrade to LFS-3.1 initscripts (this was almost a total rewrite) 0.1.6 a few more permission fixes, update sendmail version 0.1.7 note about opts in procmail, changed parts of the pine install, updated procmail version as the latest development is now 'stable', fixed 80 character wrapping, and edited some version tags in mc files. 0.1.8 fixed aliases.db problem, removed default antispam support, but added more detail and a test to check that it works. Removed default DECNET support, but mentioned how to add it again. Fixed a silly line in the permissions section. Made a workaround to the .forward problem. Please somebody help me with the real fix! 0.1.9 fix a permission problem... sheesh! well, I can send mail now, hope everyone else can (everything from 0.1.5 to here was done without a network available to me, so please forgive all the silly errors) 0.1.10 add a patch for a security vulnerability in sendmail 8.12.6, and change the download location to reflect sendmail's new stance against the recent trojan 0.1.11 fix the formatting problem in the man pages 0.1.12 fix the firewall command line, added note about signature checking removed old maintainer email address as it doesn't exist anyway. 0.1.13 edit the initscript to process the failed messages in the clientmqueue. 0.1.14 thanks to Duncan Webb for a fix to the submit.mc 0.1.15 notes on berkeleydb and added ssl support 0.1.16 upgraded db, sendmail and removed group 'mail' setup 0.1.17 upgrade sendmail. 8.12.7 has a serious security bug. 0.1.18 upgrade sendmail. 8.12.8 has a serious security bug (its like deja vu, all over again) HINT: Software you need ================= Sendmail: http://www.sendmail.org Handles sending and receiving of mail by the SMTP protocol Latest stable version at time of writing is 8.12.9. Procmail: http://www.procmail.org Our local delivery agent (makes sure mail goes to the correct boxes) Latest stable version at time of writing is 3.22 Berkeley DB: http://www.sleepycat.com/download.html Sendmail uses this library to store much of it's configuration. Latest stable version at time of writing is 4.1.25 although requires a patch found at the same location. Make sure you run md5sum and check the signatures of the packages! The recent sendmail trojan was a lesson to us all! Optional ======== Mail Clients Pine: http://www.washington.edu/pine/ Console based mail client (for for ssh'ing in and reading mail) Sylpheed Claws: http://sourceforge.net/projects/sylpheed-claws GTK+ based email client (when you are at your machine with X running) Why you might need this hint ============================ Sendmail is a mail server for sending and receiving mail. If you do not have a static IP or domain name attached to your machine, you should think again before installing sendmail, read the BLFS book for alternatives. If however you do need a mail server for receiving mail, this is the LFS hint you need. However, if you just wish to send mail locally, don't let this put you off installing sendmail as it is an incredibly powerful package which you may one day wish to use! Sendmail is not a POP3 or IMAP server by itself. Building the required packages ============================== Berkeley Database: You may want to build the database with back-wards compatibility, so that you can use this functionality with older and unmaintained packages (--enable-compat185). Try passing (--help) to see other API's you may build, such as java, c++ and tcl. Be warned that if you build Openoffice you may have conflicts as it requires an older version of Berkeley-DB. This package takes the standard GNUmake environment variables for optimisations and now is the best time to set them; export CFLAGS='-s -O2 -march=i386 -fomit-frame-pointer' unpack db tarball patch -p0 < ../patch.4.1.25.1 # Apply the patch cd build_unix ../dist/configure --prefix=/usr --enable-compat185 make make docdir=/usr/doc/berkeleydb install ldconfig Procmail: Procmail requires a Sendmail file to exist in order to compile, so we trick it into believing that we have Sendmail installed already by touching the future location. Again takes the standard GNUmake environment variables for optimisations. Be aware that the -O3 opt kills the procmail initial check, as the test program seems to take forever to compile with inlining of functions! unpack procmail tarball touch /usr/sbin/sendmail make CFLAGS="$CFLAGS" LOCKINGTEST='/tmp' make CFLAGS="$CFLAGS" LOCKINGTEST='/tmp' install make CFLAGS="$CFLAGS" LOCKINGTEST='/tmp' install-suid Unfortunately, I have never been able to get Procmail to work without setting run-as-root suid. It needs root privileges to read users config files from their home directory. With a different setting, this functionality would be lost. Sendmail: Sendmail runs on TCP port 25, and by default runs as root. Although Sendmail has now gained the respect of the community as being safe to run as root, I still do not like having daemons running on open ports as root. So we will create the group/user pair 'smmsp': groupadd -g 18 smmsp useradd -g smmsp -G mail -u 18 smmsp Unlike Procmail and most other programs, which use a text based rc file for configuration, sendmail uses preprocessed text files for its compile configuration. The same technique is used at run time for incoming (sendmail.cf) and outgoing mail (submit.cf). You create an 'mc' file which is then processed by the m4 macro processor to create the 'cf' config file. Editing a 'cf' file directly is NOT recommended. After unpacking sendmail, in order to avoid a user.group install which we may not be able to accomodate, create the config file with the following after setting your CFLAGS to what you desire (leaving them blank is also OK, but do not skip the 'sed' script even if they are empty) chmod a+w devtools/OS/Linux cat > devtools/OS/Linux << "EOF" define(`confDEPEND_TYPE', `CC-M') define(`confSM_OS_HEADER', `sm_os_linux') define(`confMANROOT', `/usr/man/man') define(`confLIBS', `-ldl') define(`confEBINDIR', `/usr/sbin') APPENDDEF(`confLIBSEARCH', `crypt nsl') define(`confLD', `ld') define(`confMTCCOPTS', `-D_REENTRANT') define(`confMTLDOPTS', `-lpthread') define(`confLDOPTS_SO', `-shared') define(`confSONAME',`-soname') define(`confOPTIMIZE',`LFSOPTS') define(`confMANGRP',`root') define(`confMANOWN',`root') define(`confSBINGRP',`root') define(`confUBINGRP',`root') define(`confUBINOWN',`root') EOF cp devtools/OS/Linux devtools/OS/Linux.orig sed -e "s:LFSOPTS:${CFLAGS} \-s:g" devtools/OS/Linux.orig \ > devtools/OS/Linux If you wish to use OpenSSL support, then also type this (always use up to date releases of OpenSSL!) cat >> devtools/OS/Linux << "EOF" APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS -DHASURANDOMDEV') APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto') EOF Now we build some preliminaries: cd sendmail sh Build cd .. Now create the config file 'sendmail.mc' and 'submit.mc'. Read cf/README for all the options you can use if you ever wish to modify your setup. We may need to update this configuration in the future, so it is a good idea to copy over all necessary files into /etc/mail. The sendmail startup script will regenerate the config files on startup so unless you want to edit the script, place them as shown; mkdir -p /etc/mail cp cf/README /etc/mail cp -r cf/m4 /etc/mail cp -r cf/ostype /etc/mail cp -r cf/domain /etc/mail cp -r cf/feature /etc/mail cp -r cf/mailer /etc/mail cp -r cf/sh /etc/mail cat > cf/cf/sendmail.mc << "EOF" OSTYPE(linux) DOMAIN(generic) FEATURE(smrsh) FEATURE(`nouucp',`reject') FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable') FEATURE(`access_db',`hash -T /etc/mail/access') FEATURE(`no_default_msa') MODIFY_MAILER_FLAGS(`LOCAL', `-S') define(`confTRUSTED_USER', `smmsp') define(`confRUN_AS_USER', `smmsp:smmsp') define(`confCW_FILE', `-o /etc/mail/local-domains') MAILER(local) MAILER(smtp) EOF cat > cf/cf/submit.mc << "EOF" FEATURE(`msp') define(`confCF_VERSION', `Submit') define(`__OSTYPE__',`linux') define(`confTIME_ZONE', `USE_TZ') define(`confTRUSTED_USER', `smmsp') define(`confRUN_AS_USER', `smmsp:smmsp') EOF A brief description is that we are fork()'ing the listening sendmail daemon to use user smmsp. Berkeley DB support has also been enabled here. For a fuller explanation, read your locally stored /etc/mail/README. Sendmail also fork's as user smmsp to send mails, this avoids any possible local exploits. To add a database lookup of known spammer IP addresses, simply add one of the following to you sendmail.cf file to the end of the FEATURE section. FEATURE(`dnsbl', `blackholes.mail-abuse.org', `"Listed on http://mail-abuse.org"') FEATURE(`dnsbl', `sbl.spamhaus.org', `"Listed on http://spamhaus.org/SBL"') FEATURE(`dnsbl', `relays.visi.com', `"Listed on http://relays.visi.com"') To test that your IP lookup for blackholes.mail-abuse.org is working, Russell Nelson has put together an auto-responder. His instructions are: Send mail to nelson-rbl-test@crynwr.com from the server whose block you are testing. Expect one reply from crynwr.com with the SMTP conversation. If you get another reply from crynwr.com, then your spam filter is broken. Please note that the RBL, RSS, and DUL zones are now closed to all but paying customers, so don't expect this to work unless you have organised with them previously, with $/£. Since I have no need of this service I have never checked that it is working correctly... I would appreciate mail with success stories! We will disable SSL connection support as default, as a lot of MTA's implement the protocol incorrectly, but if you are in a situation where SSL connections are an absolute necessity, then I refer you to your locally stored /etc/mail/README file where you may read the section on 'STARTTLS'. You may need to create a 'certs' folder to store certificates. Now compile the 'cf' files from our 'mc' files cd cf/cf sh Build sendmail.cf sh Build submit.cf Install the setup files and create some needed system directories mkdir -p /var/spool/mqueue /var/lib/smrsh cp sendmail.cf /etc/mail cp sendmail.mc /etc/mail cp submit.cf /etc/mail cp submit.mc /etc/mail Build it and install! cd ../../ sh Build sh Build install The Sendmail restricted shell is what will be executed (in place of /bin/sh) in order to process any commands that may appear in a user's .forward file. It can only execute a program if it appears in it's command directory. This will allow smrsh to execute Procmail and vacation, and nothing else. You should never allow it to execute any shell, as it will defeat any security advantages gained by using it. Execute the following: cd /var/lib/smrsh ln -s /usr/bin/procmail ln -s /usr/bin/vacation Create the file /etc/mail/aliases as follows. See man 5 aliases for an explanation of this file cat > /etc/mail/aliases << "EOF" postmaster: root MAILER-DAEMON: root EOF And the file /etc/mail/access. This file is quite powerful.. you should read the /etc/mail/README section about it to fully understand it. cat > /etc/mail/access << "EOF" localhost.localdomain RELAY localhost RELAY 127.0.0.1 RELAY #example line to block spammers: #spammer@aol.com ERROR:"550 spam sucks" EOF Do the next line and also after any change to /etc/mail/access makemap hash /etc/mail/access < /etc/mail/access add lines to /etc/mail/local-domains such as @ Or simply create an empty file by touch /etc/mail/local-domains At this stage it is important to set the permissions correctly in the /etc/mail directory or sendmail will not be able to upgrade or read it's own databases. Set the permissions by issuing touch /etc/mail/aliases.db chown -R smmsp.root /etc/mail/ chmod -R o-wrx /etc/mail chmod o+x /etc/mail chown -R root.smmsp /var/spool/mqueue chmod 770 /var/spool/mqueue chown -R root.smmsp /var/spool/clientmqueue chmod 770 /var/spool/clientmqueue chmod 1777 /var/mail Now run `sendmail -v -bi` to upgrade the sendmail alias list. OK, sendmail is now installed and should be working once we run the startup script, speaking of which... cat > /etc/rc.d/init.d/sendmail << "EOF" #!/bin/bash source /etc/sysconfig/rc source $rc_functions case "$1" in start) echo "Starting sendmail..." /usr/bin/m4 /etc/mail/m4/cf.m4 /etc/mail/sendmail.mc \ > /etc/mail/sendmail.cf chmod 444 /etc/mail/sendmail.cf /usr/bin/m4 /etc/mail/m4/cf.m4 /etc/mail/submit.mc \ > /etc/mail/submit.cf chmod 444 /etc/mail/submit.cf /usr/sbin/makemap hash /etc/mail/access < /etc/mail/access /usr/bin/newaliases > /dev/null 2>&1 /usr/sbin/sendmail -bs -bd -q1m /usr/sbin/sendmail -Ac -qf evaluate_retval ;; stop) echo "Stopping sendmail..." killproc sendmail ;; restart) $0 stop sleep 1 $0 start ;; status) statusproc sendmail ;; *) echo "Usage: $0 {start|stop|restart|status}" exit 1 ;; esac EOF chmod 755 /etc/rc.d/init.d/sendmail When you send or receive an email you can check that sendmail is running as smmsp by issuing "ps -u smmsp v". If you intend on using a Firewall, you will have to open port 25 up to NEW connections. eg. for iptables /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state \ --state NEW -j ACCEPT BUGFIX: sendmail has some incorrectly formatted man pages, so if you experience trouble, run this for A in sendmail/mailq.1 sendmail/newaliases.1 vacation/vacation.1 do /bin/cp -f $A /usr/share/man/man1/ ; done /bin/cp -f sendmail/aliases.5 /usr/share/man/man5/ ; for A in mailstats/mailstats.8 \ makemap/makemap.8 smrsh/smrsh.8 \ sendmail/sendmail.8 praliases/praliases.8 \ editmap/editmap.8 do /bin/cp -f $A /usr/share/man/man8/ ; done ADDITIONAL ========== Now we need a mail client program which users can send and read their email with. I recommend two; 'pine' for console and 'sylpheed-claws' for GTK+ in an X environment. Pine: This will install Pine the mail client for a console. It also has openssl support, see the BLFS book for that. Unfortunately the compile is totally non-standard and the authors should be ashamed of themselves! You must edit the file imap/src/osdep/unix/Makefile (in the slx section) in order to add optimisations to the imap build. We will install for shadow password support, but PAM support is also available if you replace the 'slx' with 'lnp'. ./build clean ./build slx CC="$CC" MAILSPOOL='/var/mail' SSLINCLUDE='/usr/include/openssl' \ SSLCERTS='/etc/ssl/certs' SSLTYPE=unix DEBUG="$CFLAGS" strip pine/pine install pine/pine /usr/bin/ Sylpheed Claws: You will need GTK+-1.2 for this one. 'GPG made easy' (www.gnupg.org/gpgme.html) and GPG are needed for GPG support. The new 'all in one' aspell for spelling and of course, OpenSSL for SSL. ./configure --prefix=/usr/X11R6 --enable-aspell --enable-gpgme --enable-openssl make make install Happy emailing! BUGS: Procmail, despite being suid root, is running as smmsp and is therefore unable to read user's .forward files unless their home directories are world readable! As a workaround, set the permissions on everyone's home directories to `chown .smmsp`. This does not need to be run recursively, but requires that the .forward and .procmailrc files be world readble, or also set `chown .smmsp`. I would LOVE to hear the real fix for this. NOTES: Feedback and patches are most welcome! Consider the 'AUTHOR' field mearly a formality for saying 'contact'. This hint is community owned/written and wishes to stay that way. For further reading, I direct you to http://www.sendmail.org/faq and the numerous books available on sendmail.