cvs commit: hints sendmail.txt

timothy at linuxfromscratch.org
Sat Sep 28 09:19:09 PDT 2002


timothy     02/09/28 09:19:09

  Modified:    .        sendmail.txt
  Log:
  Updates by author.
  
  Revision  Changes    Path
  1.19      +226 -158  hints/sendmail.txt
  
  Index: sendmail.txt
  ===================================================================
  RCS file: /home/cvsroot/hints/sendmail.txt,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- sendmail.txt	6 Aug 2002 17:18:45 -0000	1.18
  +++ sendmail.txt	28 Sep 2002 16:19:08 -0000	1.19
  @@ -2,8 +2,8 @@
   ===============
   
   TITLE:		Sendmail
  -LFS VERSION:	3.0+
  -AUTHOR:		Sam Halliday <sam at neutrino.phy.uct.ac.za>
  +LFS VERSION:	3.1+
  +AUTHOR:		Sam Halliday <fommil AT yahoo DOT ie>
   
   SYNOPSIS:
   	This hint covers the building and configuring of a Sendmail/Procmail
  @@ -20,6 +20,17 @@
   0.1.2   added extra spam support
   0.1.3   fix a file locking security bug
   0.1.4   fix the fix i didnt really fix ;)
  +0.1.5   fix permissions, restructure and upgrade to LFS-3.1 initscripts
  +        (this was almost a total rewrite)
  +0.1.6   a few more permission fixes, update sendmail version
  +0.1.7   note about opts in procmail, changed parts of the pine install,
  +        updated procmail version as the latest development is now 'stable',
  +        fixed 80 character wrapping, and edited some version tags in mc files.
  +0.1.8   fixed aliases.db problem, removed default antispam support, but added
  +        more detail and a test to check that it works. Removed default DECNET
  +        support, but mentioned how to add it again. Fixed a silly line in the
  +        permissions section. Made a workaround to the .forward problem. Please
  +        somebody help me with the real fix!
   
   HINT:
   
  @@ -28,11 +39,11 @@
   
   Sendmail:  ftp://ftp.sendmail.org/pub/sendmail/
   	Handles sending and receiving of mail by the SMTP protocol
  -	Latest stable version at time of writing is 8.12.5
  +	Latest stable version at time of writing is 8.12.6
   
   Procmail:  http://www.procmail.org/
   	Our local delivery agent (makes sure mail goes to the correct boxes)
  -	Latest stable version at time of writing is 3.15.2
  +	Latest stable version at time of writing is 3.22
   
   Berkeley DB:  http://www.sleepycat.com/download.html
   	Sendmail uses this library to store much of it's configuration.
  @@ -53,12 +64,13 @@
   ==============================
   
   Berkeley Database:
  -We want to build the database with back-wards compatibility, so that we don't
  -run into package conflictions later (--enable-compat185). Try passing (--help)
  -to see other API's you may build, such as java and tcl. This package takes the
  -standard GNUmake environment variables for optimisations.
  +You may want to build the database with back-wards compatibility, so that you
  +can use this functionality with older and unmaintained packages.
  +(--enable-compat185). Try passing (--help) to see other API's you may build,
  +such as java and tcl. This package takes the standard GNUmake environment
  +variables for optimisations.
   
  -export CFLAGS='-O2 -march=i686 -mcpu=i686'
  +export CFLAGS='-s -O2 -march=i686 -fomit-frame-pointer'
   
   unpack db tarball
   cd build_unix
  @@ -71,23 +83,24 @@
   Procmail requires a Sendmail file to exist in order to compile, so we trick it
   into believing that we have Sendmail installed already by touching the future
   location. Again takes the standard GNUmake environment variables for
  -optimisations.
  +optimisations. Be aware that the -O3 opt kills the procmail initial check, as
  +the test program seems to take forever to compile with inlining of functions!
   
  -unpack Procmail tarball
  +unpack procmail tarball
   touch /usr/sbin/sendmail
  -make
  -make install
  -make install-suid
  +make CFLAGS="$CFLAGS" LOCKINGTEST='/tmp'
  +make CFLAGS="$CFLAGS" LOCKINGTEST='/tmp' install
  +make CFLAGS="$CFLAGS" LOCKINGTEST='/tmp' install-suid
   
   Unfortunately, I have never been able to get Procmail to work without setting
  -run-as-root suid, so for now, type this. Hopefully when i next update this hint,
  -i will show how to run it as user smmsp (it needs root privileges to read
  -users config files from their home directory. This functionality would be lost)
  +run-as-root suid. It needs root privileges to read users config files from
  +their home directory. With a different setting, this functionality would be
  +lost.
   
   Sendmail:
   
   Sendmail runs on TCP port 25, and by default runs as root. Although Sendmail
  -has now gained the respect of the community as being safe to run run as root,
  +has now gained the respect of the community as being safe to run as root,
   I still do not like having daemons running on open ports as root. So we will
   create the group/user pair 'smmsp'.
   This will be quite an out of the ordinary install, as I intend to allow the
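Review bot: the rewritten suid paragraph presents root privileges as what procmail needs to read users' config files, but the BUGS section added in this same revision reports that delivery still cannot read .forward files even with procmail suid root; the two passages should agree on what the suid bit actually buys before the hint tells readers it is required. Also, since `make CFLAGS="$CFLAGS" LOCKINGTEST='/tmp'` inherits the CFLAGS exported in the Berkeley DB section (-O2), a one-line reminder that the -O3 warning refers to that exported variable would save readers who raised it from hitting the hang in the locking test.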
  @@ -102,33 +115,49 @@
   useradd -g smmsp -G mail -u 18 smmsp
   
   Unlike Procmail and most other programs, which use a text based rc file for
  -configuration, Sendmail uses a preprocessed .cf text file for its configuration.
  -You create an 'mc' file which is then processed by the m4 macro processor to
  -create your 'cf' config file. Editing the 'cf' file  directly is NOT recommended
  -'sendmail.cf' is used for incoming mail, 'submit.cf' for outgoing.
  -
  -unpack Sendmail
  -go to the file "devtools/OS/Linux"
  -at the end, add the following lines to avoid the user.group setup that sendmail
  -would otherwise require you to employ just for the install. You may also specify
  -your optimisations in this file:
  -
  -        define(`confMANGRP',`root')
  -        define(`confMANOWN',`root')
  -        define(`confSBINGRP',`root')
  -        define(`confUBINGRP',`root')
  -        define(`confUBINOWN',`root')
  +configuration, sendmail uses preprocessed text files for its compile
  +configuration. The same technique is used at run time for incoming
  +(sendmail.cf) and outgoing mail (submit.cf). You create an 'mc' file which is
  +then processed by the m4 macro processor to create the 'cf' config file.
  +Editing a 'cf' file directly is NOT recommended.
  +
  +After unpacking sendmail, in order to avoid a user.group install which we
  +may not be able to accomodate, create the config fie with:
  +
  +cat > devtools/OS/Linux << "EOF"
  +define(`confDEPEND_TYPE', `CC-M')
  +define(`confSM_OS_HEADER', `sm_os_linux')
  +define(`confMANROOT', `/usr/man/man')
  +define(`confLIBS', `-ldl')
  +define(`confEBINDIR', `/usr/sbin')
  +APPENDDEF(`confLIBSEARCH', `crypt nsl')
  +define(`confLD', `ld')
  +define(`confMTCCOPTS', `-D_REENTRANT')
  +define(`confMTLDOPTS', `-lpthread')
  +define(`confLDOPTS_SO', `-shared')
  +define(`confSONAME',`-soname')
  +define(`confOPTIMIZE',`-s -O3 -march=i686 -fomit-frame-pointer')
  +define(`confMANGRP',`root')
  +define(`confMANOWN',`root')
  +define(`confSBINGRP',`root')
  +define(`confUBINGRP',`root')
  +define(`confUBINOWN',`root')
  +EOF
   
  +You may notice that the line with `confOPTIMIZE' allows you to specify
  +optimisations, i use this level and have never encountered any problems.
   Now we build some preliminaries:
   
  -cd sendmail/ && sh Build && cd ../
  +cd sendmail
  +sh Build
  +cd ..
   
  -Now create our config file 'sendmail.mc'. Read cf/README for all the options
  -you can use if you ever wish to modify your setup. We may need to update
  -this configuration in the future, so it is a good idea to copy over all
  -necessary files into /etc/mail. The sendmail startup script will regenerate
  -the config files on startup so unless you want to edit the script, place them
  -as shown;
  +Now create the config file 'sendmail.mc' and 'submit.mc'. Read cf/README
  +for all the options you can use if you ever wish to modify your setup.
  +We may need to update this configuration in the future, so it is a good 
  +idea to copy over all necessary files into /etc/mail. The sendmail startup
  +script will regenerate the config files on startup so unless you want to
  +edit the script, place them as shown;
   
   mkdir -p /etc/mail
   cp cf/README /etc/mail
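Review bot: `cat > devtools/OS/Linux << "EOF"` now overwrites the whole file instead of appending the five ownership defines as the removed lines did, so every other define in it (confMANROOT, confLIBS, confMTLDOPTS, confLDOPTS_SO, ...) is frozen at values copied from one sendmail release; a reader building a later 8.12.x tarball silently loses any upstream change to that file. Suggest going back to appending only the confMANGRP/confMANOWN/confSBINGRP/confUBINGRP/confUBINOWN lines (`cat >> devtools/OS/Linux << "EOF"`), or at least stating which release the copied values came from. Minor: 'config fie' should read 'config file', and 'accomodate' should be 'accommodate'.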
  @@ -137,47 +166,66 @@
   cp -r cf/domain /etc/mail
   cp -r cf/feature /etc/mail
   cp -r cf/mailer /etc/mail
  -
  -cd cf/cf
  -create file sendmail.mc containing (remove spaces before the lines):
  -
  -        divert(0)dnl
  -        VERSIONID(`$Id: sendmail.txt,v 1.18 2002/08/06 17:18:45 timothy Exp $')
  -        OSTYPE(linux)dnl
  -        DOMAIN(generic)dnl
  -        FEATURE(smrsh)dnl
  -        FEATURE(`nouucp',`reject')dnl
  -        FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
  -        FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access')dnl
  -        FEATURE(`no_default_msa')
  -	FEATURE(`dnsbl', `sbl.spamhaus.org', `"Listed on SBL -
  -see <http://spamhaus.org/SBL/>"')dnl
  -        FEATURE(`dnsbl', `relays.visi.com', `"Listed on RSL -
  -see <http://relays.visi.com/>"')dnl
  -        MODIFY_MAILER_FLAGS(`LOCAL', `-S')
  -        define(`confTRUSTED_USER', `smmsp')dnl
  -        define(`confRUN_AS_USER', `smmsp:smmsp')
  -        define(`confCW_FILE', `-o /etc/mail/local-domains')dnl
  -        MAILER(local)dnl
  -        MAILER(smtp)dnl
  -
  -also make sure the `dnsbl' features each occupy only one line. If you do not
  -require spam blocking by IP lookup, you can delete those lines.
  +cat > cf/cf/sendmail.mc << "EOF"
  +VERSIONID(`$Id: sendmail.txt,v 1.19 2002/09/28 16:19:08 timothy Exp $')
  +OSTYPE(linux)
  +DOMAIN(generic)
  +FEATURE(smrsh)
  +FEATURE(`nouucp',`reject')
  +FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')
  +FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access')
  +FEATURE(`no_default_msa')
  +MODIFY_MAILER_FLAGS(`LOCAL', `-S')
  +define(`confTRUSTED_USER', `smmsp')
  +define(`confRUN_AS_USER', `smmsp:smmsp')
  +define(`confCW_FILE', `-o /etc/mail/local-domains')
  +MAILER(local)
  +MAILER(smtp)
  +EOF
  +cat > cf/cf/submit.mc << "EOF"
  +VERSIONID(`$Id: sendmail.txt,v 1.19 2002/09/28 16:19:08 timothy Exp $')
  +define(`confCF_VERSION', `Submit')
  +define(`__OSTYPE__',`')
  +define(`confTIME_ZONE', `USE_TZ')
  +FEATURE(`msp')
  +define(`confTRUSTED_USER', `smmsp')
  +define(`confRUN_AS_USER', `smmsp:smmsp')
  +EOF
   
   A brief description is that we are fork()'ing the listening sendmail daemon
  -to use user smmsp. We are also consulting an online database of known spamming
  -IP addresses. Berkeley DB support has also been enabled here. For a fuller
  -explaination, read your locally stored /etc/mail/README
  +to use user smmsp. Berkeley DB support has also been enabled here. For a fuller
  +explanation, read your locally stored /etc/mail/README. Sendmail also fork's
  +as user smmsp to send mails, this avoids any possible local exploits.
  +To add a database lookup of known spammer IP addresses, simply add one of the
  +following to you sendmail.cf file to the end of the FEATURE section.
  +
  +FEATURE(`dnsbl', `blackholes.mail-abuse.org', `"Listed on http://mail-abuse.org"')
  +FEATURE(`dnsbl', `sbl.spamhaus.org', `"Listed on http://spamhaus.org/SBL"')
  +FEATURE(`dnsbl', `relays.visi.com', `"Listed on http://relays.visi.com"')
  +
  +To test that your IP lookup for blackholes.mail-abuse.org is working, Russell
  +Nelson has put together an auto-responder. His instructions are:
  +Send mail to nelson-rbl-test at crynwr.com from the server whose block you are
  +testing. Expect one reply from ns.crynwr.com with the SMTP conversation. If
  +you get another reply from linux.crynwr.com, then your spam filter is broken.
  +
  +If you use a DEC network, then add the following line to your submit.mc
  +define(`_USE_DECNET_SYNTAX_', `1')
   
  +cd cf/cf
   sh Build sendmail.cf
  +sh Build submit.cf
   
   Install the setup files and create some needed system directories
   
   mkdir -p /var/spool/mqueue /var/lib/smrsh
   cp sendmail.cf /etc/mail
   cp sendmail.mc /etc/mail
  +cp submit.cf /etc/mail
  +cp submit.mc /etc/mail
   
   Build it and install!
  +
   cd ../../
   sh Build
   sh Build install
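Review bot: the dnsbl paragraph tells the reader to add the FEATURE lines "to you sendmail.cf file", but FEATURE() is m4 input and belongs in sendmail.mc; the same hunk says editing a .cf file directly is not recommended, and the init script regenerates sendmail.cf from sendmail.mc on every start, which would discard the edit. Suggest "to your sendmail.mc file, at the end of the FEATURE section, then rebuild sendmail.cf". Also note that the list archive has rewritten '@' as ' at ' in the test address `nelson-rbl-test at crynwr.com` (and in the commented access example later in the patch), which readers copying the lines need to undo.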
  @@ -193,112 +241,116 @@
   ln -s /usr/bin/procmail
   ln -s /usr/bin/vacation
   
  -add the following to a new file /etc/mail/aliases. See man 5 aliases for
  +Create the file /etc/mail/aliases as follows. See man 5 aliases for
   an explanation of this file
   
  -        postmaster: root
  -        MAILER-DAEMON: root
  +cat > /etc/mail/aliases << "EOF"
  +postmaster: root
  +MAILER-DAEMON: root
  +EOF
  +
  +And the file /etc/mail/access. This file is quite powerful.. you should
  +read the /etc/mail/README section about it to fully understand it.
  +
  +cat > /etc/mail/access << "EOF"
  +localhost.localdomain           RELAY
  +localhost                       RELAY
  +127.0.0.1                       RELAY
  +#example line to block spammers:
  +#spammer at aol.com ERROR:"550 spam sucks"
  +EOF
   
  -add the following to new file /etc/mail/access. This file only has to exist
  -and null content is OK.  This file is quite powerful.. you should read the
  -/etc/mail/README section about it to fully understand it.
  -
  -        localhost.localdomain           RELAY
  -        localhost                       RELAY
  -        127.0.0.1                       RELAY
  -        #example line to block spammers:
  -        #spammer at aol.com ERROR:"550 spam sucks"
  +Do the next line and also after any change to /etc/mail/access
   
  -do the next line after any change to "/etc/mail/access"
   makemap hash /etc/mail/access < /etc/mail/access
   
   add lines to /etc/mail/local-domains such as
           @<your domain here>
  +Or simply create an empty file by
   
  -run 'sendmail -v -bi' to upgrade the sendmail alias list
  +touch /etc/mail/local-domains
   
  -Now we will setup all the permissions and so forth for all the directories. i
  -have generally not used numeric ids... to make it easier for the reader ;):
  +At this stage it is important to set the permissions correctly in the /etc/mail
  +directory or sendmail will not be able to upgrade or read it's own databases.
  +Set the permissions by issuing
  +
  +touch /etc/mail/aliases.db
  +chown -R smmsp.root /etc/mail/
  +chmod -R o-wrx /etc/mail
  +chown -R root.smmsp /var/spool/mqueue
  +chmod 770 /var/spool/mqueue
  +chown -R root.smmsp /var/spool/clientmqueue
  +chmod 770 /var/spool/clientmqueue
  +chmod 1777 /var/mail
   
  -cd /var/spool
  -chown root.smmsp clientmqueue
  -chown root.smmsp mqueue
  -chmod o-wrx mqueue
  -chmod o-wrx clientmqueue
  -chmod 7777 /var/mail
  -chmod -R o-r /etc/mail 
  -chown -R root.smmsp /etc/mail
  +Now run `sendmail -v -bi` to upgrade the sendmail alias list.
   
   OK, now we will do the unconventional stuff... you can skip this section if you
   just want a standard install where anyone can use Sendmail. What we do is create
   a folder which only has entry permissions set for members of a group 'mail' and
  -move the Sendmail binary into the folder. then we make a symbolic link from this
  -new location to the default so nothing is disrupted. So now you need to be a
  -member of 'mail' to be able to access the binary!
  +move the Sendmail binary into the folder. Then we make a symbolic link from this
  +new location to the default so that nothing is disrupted. You need to be a
  +member of the group 'mail' to be able to access the binary!
   
   cd /usr/sbin
  -chown smmsp.smmsp sendmail
  -chmod a-wrx sendmail
  -chmod g+s sendmail
  -chmod a+x sendmail
   mkdir sendmailbin
  -chown root.mail sendmailbin
  -chmod o-rwx sendmailbin
   mv sendmail sendmailbin/
   ln -s /usr/sbin/sendmailbin/sendmail /usr/sbin/sendmail
  +chown root.mail sendmailbin
  +chmod o-rwx sendmailbin
  +chown smmsp.smmsp sendmailbin/sendmail
  +chmod 2111 sendmailbin/sendmail
   
  -We must do one final thing to allow us to send mail... we have not yet set up the
  -submit.mc file, so edit the local file /etc/mail/submit.mc and add the following
  -lines (without the spaces before)
  -
  -	define(`confTRUSTED_USER', `smmsp')dnl
  -	define(`confRUN_AS_USER', `smmsp:smmsp')
  -
  -this makes sendmail fork as user smmsp when sending mails also (to avoid local
  -exploits)
  -
  -OK, Sendmail is now installed and should be working once we run the startup
  +OK, sendmail is now installed and should be working once we run the startup
   script, speaking of which...
   
  ----START OF SENDMAIL SCRIPT---
  -#!/bin/sh
  +cat > /etc/rc.d/init.d/sendmail << "EOF"
  +#!/bin/bash
   
  -source /etc/init.d/functions
  +source /etc/sysconfig/rc
  +source $rc_functions
   
   case "$1" in
  -  start)
  -        echo -n "Starting Sendmail... "
  -	/usr/bin/m4 /etc/mail/m4/cf.m4 /etc/mail/sendmail.mc \
  -		> /etc/mail/sendmail.cf
  -	chmod 444 /etc/mail/sendmail.cf
  -	/usr/bin/m4 /etc/mail/m4/cf.m4 /etc/mail/submit.mc \
  -		> /etc/mail/submit.cf
  -	chmod 444 /etc/mail/submit.cf
  -        makemap hash /etc/mail/access < /etc/mail/access
  -        /usr/bin/newaliases > /dev/null 2>&1
  -        /usr/sbin/sendmail -bs -bd -q1m &&
  -        evaluate_retval
  -        ;;
  -  stop)
  -        echo -n "Shutting down Sendmail..."
  -        killproc sendmail
  -        ;;
  -  restart)
  -        $0 stop
  -        /usr/bin/sleep 1
  -        $0 start
  -        ;;
  -  *)
  -        echo "Usage: $0 {start|stop|restart}"
  -        exit 1
  +        start)
  +                echo "Starting sendmail..."
  +                /usr/bin/m4 /etc/mail/m4/cf.m4 /etc/mail/sendmail.mc \
  +			> /etc/mail/sendmail.cf
  +                chmod 444 /etc/mail/sendmail.cf
  +                /usr/bin/m4 /etc/mail/m4/cf.m4 /etc/mail/submit.mc \
  +			> /etc/mail/submit.cf
  +                chmod 444 /etc/mail/submit.cf
  +                /usr/sbin/makemap hash /etc/mail/access < /etc/mail/access
  +                /usr/bin/newaliases > /dev/null 2>&1
  +                /usr/sbin/sendmail -bs -bd -q1m &&
  +                evaluate_retval
  +                ;;
  +
  +        stop)
  +                echo "Stopping sendmail..."
  +                killproc sendmail
  +                ;;
  +
  +        restart)
  +                $0 stop
  +                sleep 1
  +                $0 start
  +                ;;
  +
  +        status)
  +                statusproc sendmail
  +                ;;
  +
  +        *)
  +                echo "Usage: $0 {start|stop|restart|status}"
  +                exit 1
  +                ;;
   esac
  ----END OF SENDMAIL SCRIPT---
  -
  -when you send or receive an email you can check that sendmail is running as
  -smmsp by issuing "ps -u smmsp v"
  +EOF
  +chmod 755 /etc/rc.d/init.d/sendmail
   
  -If you intend on using a Firewall, you will have to open port 25 up to NEW
  -connections. eg.
  +When you send or receive an email you can check that sendmail is running as
  +smmsp by issuing "ps -u smmsp v". If you intend on using a Firewall, you
  +will have to open port 25 up to NEW connections. eg. for iptables
   
   /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state \
   	--state NEW -j ACCEPT &&
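Review bot: `chown -R smmsp.root /etc/mail/` hands ownership of sendmail.mc, submit.mc and the generated .cf files to the unprivileged smmsp account, while the init script still starts sendmail as root and regenerates those .cf files from the .mc files on every start. A compromise of smmsp, the case confRUN_AS_USER is meant to contain, could then rewrite the daemon's configuration for the next restart. The removed lines had the safer orientation (`chown -R root.smmsp /etc/mail`); suggest keeping root ownership of the directory and of the .mc/.cf files and giving smmsp ownership only of the files it must write (aliases.db, access.db, virtusertable.db), which is what the aliases.db fix mentioned in the changelog appears to need. The change from `chmod 7777 /var/mail` to `chmod 1777 /var/mail` is a clear improvement and worth keeping. Minor: "it's own databases" should read "its own databases".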
  @@ -307,26 +359,42 @@
   ==========
   
   Now we need a mail client program which users can send and read their email
  -with. I recommend one of two, 'pine' for console or 'sylpheed claws' for GTK+
  -in an X environment.
  +with. I recommend two; 'pine' for console and 'sylpheed-claws' for GTK+ in
  +an X environment.
   
   Pine:
   This will install Pine the mail client for a console. It also has openssl
  -support, see the relevant hint for that.
  +support, see the BLFS book for that. Unfortunately the compile is totally
  +non-standard and the authors should be ashamed of themselves! You must
  +edit the file imap/src/osdep/unix/Makefile (in the slx section) in order
  +to add optimisations to the imap build. We will install for shadow password
  +support, but PAM support is also available if you replace the 'slx' with
  +'lnp'.
   
   ./build clean
  -./build lnp DEBUG='-O2 -march=i686 -mcpu=i686' MAILSPOOL='/var/mail' \
  -	DEFSSLD='/usr/lib/ssl' EXTRACFLAGS='-O2 -march=i686 -mcpu=i686' \
  -	EXTRALDFLAGS='-O2 -march=i686 -mcpu=i686'
  -cd bin  
  -install pine /usr/bin/
  +./build slx CC="$CC" MAILSPOOL='/var/mail' SSLINCLUDE='/usr/include/openssl' \
  +	SSLCERTS='/etc/ssl/certs' SSLTYPE=unix DEBUG="$CFLAGS"
  +strip pine/pine
  +install pine/pine /usr/bin/
   
   Sylpheed Claws:
   You will need GTK+-1.2 for this one. 'GPG made easy' (www.gnupg.org/gpgme.html)
  -and GPG are needed for GPG support. pspell for spelling and openssl for SSL.
  -./configure --prefix=/usr/X11R6 --enable-pspell --enable-gpgme --enable-ssl
  +and GPG are needed for GPG support. The new 'all in one' aspell for spelling
  +and openssl for SSL.
  +./configure --prefix=/usr/X11R6 --enable-aspell --enable-gpgme --enable-ssl
   make 
   make install    
   
   Happy emailing!
   
  +BUGS:
  +
  +The man sendmail page is incorrectly formatted, i will need to write a sed
  +script to fix the page...
  +
  +Procmail, despite being suid root, is running as smmsp and is therefore unable
  +to read user's .forward files unless their home directories are world readable!
  +As a workaround, set the permissions on everyone's home directories to
  +`chown <user>.smmsp`. This does not need to be run recursively, but requires
  +that the .forward and .procmailrc files be world readble, or also set
  +`chown <user>.smmsp`. I would LOVE to hear the real fix for this.
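Review bot: the BUGS workaround (`chown <user>.smmsp` on home directories plus world-readable .forward and .procmailrc files) trades a delivery problem for a privacy one: .procmailrc routinely carries recipes, paths and addresses users do not want readable by everyone, and a world-readable .forward exposes forwarding targets. The diagnosis also looks off: .forward is read by sendmail itself during local recipient expansion, not by procmail, so the restriction follows from `define(`confRUN_AS_USER', `smmsp:smmsp')` in sendmail.mc rather than from procmail's suid bit, which is why making procmail suid root did not help. Sendmail's ForwardPath option (confFORWARD_PATH in the mc file) lets .forward files be looked up in a location the smmsp user can read without opening home directories; that seems worth trying before the hint recommends the permission change. Minor: 'readble' should read 'readable'.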
  
  
  