Linux Network Administrator's Guide (3rd Edition) [Electronic resources]

Tony Bautts, Terry Dawson, Gregor N. Purdy

12.1. Installing the sendmail Distribution




sendmail is included in prepackaged form in
most Linux distributions. Despite this fact, there are some good
reasons to install sendmail from source, especially if you are
security conscious. sendmail changes frequently to fix security
problems and to add new features. Closing security holes and using
new features are good reasons to update the sendmail release on your
system. Additionally, compiling sendmail from source gives you more
control over the sendmail environment. Subscribe to the
sendmail-announce mailing list to receive
notices of new sendmail releases, and monitor the http://www.sendmail.org/ site to stay
informed about potential security threats and the latest sendmail
developments.


12.1.1. Downloading sendmail Source Code


Download the sendmail source code
distribution and the source code distribution signature file from
http://www.sendmail.org/current-release.html,
from any of the mirror sites, or from the sendmail FTP site. If
you do not have the current sendmail PGP keys on your key ring,
download the PGP keys needed to verify the signature. Adding the
following step to the ftp session downloads the
keys for the current year:

ftp> get PGPKEYS
local: PGPKEYS remote: PGPKEYS
227 Entering Passive Mode (209,246,26,22,244,238)
150 Opening BINARY mode data connection for 'PGPKEYS' (61916 bytes).
226 Transfer complete.
61916 bytes received in 0.338 secs (1.8e+02 Kbytes/sec)
ftp> quit
221 Goodbye.


If
you downloaded new keys, add the PGP keys to your key ring. In the
following example, gpg (Gnu Privacy Guard) is
used:

# gpg --import PGPKEYS
gpg: key 16F4CCE9: not changed
gpg: key 95F61771: public key imported
gpg: key 396F0789: not changed
gpg: key 678C0A03: not changed
gpg: key CC374F2D: not changed
gpg: key E35C5635: not changed
gpg: key A39BA655: not changed
gpg: key D432E19D: not changed
gpg: key 12D3461D: not changed
gpg: key BF7BA421: not changed
gpg: key A00E1563: non exportable signature (class 10) - skipped
gpg: key A00E1563: not changed
gpg: key 22327A01: not changed
gpg: Total number processed: 12
gpg: imported: 1 (RSA: 1)
gpg: unchanged: 11

Of the twelve exportable keys in the
PGPKEYS file, only one is imported into our key
ring. The not changed comment for the other
eleven keys shows that they were already installed on the key ring.
The first time you import PGPKEYS, all twelve
keys will be added to the key ring.

Before using
the new key, verify its fingerprint, as in this
gpg example:

# gpg --fingerprint 95F61771
pub 1024R/95F61771 2003-12-10 Sendmail Signing Key/2004 <sendmail@Sendmail.ORG>
Key fingerprint = 46 FE 81 99 48 75 30 B1 3E A9 79 43 BB 78 C1 D4


Compare the
displayed fingerprint against Table 12-1, which
contains fingerprints for sendmail signing keys.

Table 12-1. Sendmail signing key fingerprints

Year   Fingerprint
1997   CA AE F2 94 3B 1D 41 3C 94 7B 72 5F AE 0B 6A 11
1998   F9 32 40 A1 3B 3A B6 DE B2 98 6A 70 AF 54 9D 26
1999   25 73 4C 8E 94 B1 E8 EA EA 9B A4 D6 00 51 C3 71
2000   81 8C 58 EA 7A 9D 7C 1B 09 78 AC 5E EB 99 08 5D
2001   59 AF DC 3E A2 7D 29 56 89 FA 25 70 90 0D 7E C1
2002   7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45
2003   C4 73 DF 4A 97 9C 27 A9 EE 4F B2 BD 55 B5 E0 0F
2004   46 FE 81 99 48 75 30 B1 3E A9 79 43 BB 78 C1 D4


If
the fingerprint is correct, you can sign, and thus validate, the key.
In this gpg example, we sign the newly imported
sendmail key:

# gpg --edit-key 95F61771
gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: checking the trustdb
gpg: checking at depth 0 signed=1 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: checking at depth 1 signed=1 ot(-/q/n/m/f/u)=1/0/0/0/0/0
pub 1024R/95F61771 created: 2003-12-10 expires: never trust: -/q
(1). Sendmail Signing Key/2004 <sendmail@Sendmail.ORG>
Command> sign

pub 1024R/95F61771 created: 2003-12-10 expires: never trust: -/q
Fingerprint: 46 FE 81 99 48 75 30 B1 3E A9 79 43 BB 78 C1 D4
Sendmail Signing Key/2004 <sendmail@Sendmail.ORG>
How carefully have you verified the key you are about to sign actually belongs to the
person named above? If you don't know what to answer, enter "0".
(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.
Your selection? 3
Are you really sure that you want to sign this key
with your key: "Winslow Henson <win.henson@vstout.vbrew.com>"
I have checked this key very carefully.
Really sign? y

You need a passphrase to unlock the secret key for
user: "Winslow Henson <win.henson@vstout.vbrew.com>"
1024-bit DSA key, ID 34C9B515, created 2003-07-23
Command> quit
Save changes? y

After the sendmail keys have been added to
the key ring and signed,[1] verify the sendmail distribution tarball.
Here we use the sendmail.8.12.11.tar.gz.sig
signature file to verify the
sendmail.8.12.11.tar.gz compressed tarball:

[1] It is necessary to download
and import the PGPKEYS file only about once a
year.


# gpg --verify sendmail.8.12.11.tar.gz.sig sendmail.8.12.11.tar.gz
gpg: Signature made Sun 18 Jan 2004 01:08:52 PM EST using RSA key ID 95F61771
gpg: Good signature from "Sendmail Signing Key/2004 <sendmail@Sendmail.ORG>"
gpg: checking the trustdb
gpg: checking at depth 0 signed=2 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: checking at depth 1 signed=0 ot(-/q/n/m/f/u)=2/0/0/0/0/0

Based on this, the distribution tarball can be safely unpacked. Unpacking
the tarball creates a directory whose name is derived from the
sendmail release number. The tarball downloaded in this example would
create a directory named sendmail-8.12.11. The
files and subdirectories used to compile and configure sendmail are
all contained within this directory.
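The key-check and signature-check steps above, as an added shell example (not from the book or from the sendmail project): it holds the Table 12-1 fingerprints, compares the fingerprint gpg reports for a key against the table entry for a given year, and verifies the tarball signature while insisting that the signature was made by that key rather than by any key on the ring. The function names, the reliance on gpg's --with-colons and --status-fd output formats, and the sample gpg status lines are my own assumptions; the fingerprints and the gpg --fingerprint line are the ones shown in this section.

```shell
#!/bin/sh
# Added example (not from the book): check a sendmail signing key's fingerprint
# against Table 12-1 before signing it, then verify the tarball signature and
# confirm that the signature was made by that very key.

# Fingerprints from Table 12-1 (year, then the 16 fingerprint bytes).
TABLE_12_1='1997 CA AE F2 94 3B 1D 41 3C 94 7B 72 5F AE 0B 6A 11
1998 F9 32 40 A1 3B 3A B6 DE B2 98 6A 70 AF 54 9D 26
1999 25 73 4C 8E 94 B1 E8 EA EA 9B A4 D6 00 51 C3 71
2000 81 8C 58 EA 7A 9D 7C 1B 09 78 AC 5E EB 99 08 5D
2001 59 AF DC 3E A2 7D 29 56 89 FA 25 70 90 0D 7E C1
2002 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45
2003 C4 73 DF 4A 97 9C 27 A9 EE 4F B2 BD 55 B5 E0 0F
2004 46 FE 81 99 48 75 30 B1 3E A9 79 43 BB 78 C1 D4'

# Canonical form: upper-case hex with no separators, so "46 FE .." == "46fe..".
normalize_fp() {
    printf '%s' "$1" | tr -d '[:space:]:' | tr 'a-f' 'A-F'
}

# Canonical fingerprint for YEAR from Table 12-1; fails for years not listed.
expected_fp() {
    fp=$(printf '%s\n' "$TABLE_12_1" | awk -v y="$1" '$1 == y { $1 = ""; print }')
    [ -n "$fp" ] || return 1
    normalize_fp "$fp"
}

# Pull the fingerprint out of 'gpg --fingerprint' output. Accepts the
# "Key fingerprint = .." line of the gpg version shown in this section and
# the machine-readable 'fpr:' record of 'gpg --with-colons --fingerprint'
# (field 10), which newer gpg versions print reliably.
fp_from_gpg_output() {
    printf '%s\n' "$1" | awk -F: '
        /^fpr:/           { print $10; exit }
        /Key fingerprint/ { sub(/.*= */, ""); print; exit }
    '
}

# 0 if the fingerprint in GPG_OUTPUT matches Table 12-1 for YEAR, 1 if it
# does not, 2 if YEAR is not in the table. Only on 0 is signing the key safe.
check_fingerprint() {
    want=$(expected_fp "$1") || return 2
    got=$(normalize_fp "$(fp_from_gpg_output "$2")")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Fingerprint of the signing key from 'gpg --status-fd 1' output
# ("[GNUPG:] VALIDSIG <fingerprint> ..."); empty if no valid signature.
status_fingerprint() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Verify SIG over TARBALL and require the signer to be the YEAR sendmail key.
# A "Good signature" from some other key on the ring is rejected: gpg only
# says the signature is valid for *a* key it knows, not for the one we meant.
verify_tarball() {
    year=$1; sig=$2; tarball=$3
    want=$(expected_fp "$year") || { echo "no fingerprint on record for $year" >&2; return 2; }
    status=$(gpg --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) \
        || { echo "REJECT: bad or unverifiable signature on $tarball" >&2; return 1; }
    got=$(normalize_fp "$(status_fingerprint "$status")")
    if [ "$got" = "$want" ]; then
        echo "OK: $tarball is signed by the $year sendmail key"
    else
        echo "REJECT: signature is from key $got, not the $year sendmail key" >&2
        return 1
    fi
}

# Usage: sh check-sendmail-sig.sh 2004 sendmail.8.12.11.tar.gz.sig sendmail.8.12.11.tar.gz
if [ "$#" -eq 3 ]; then
    verify_tarball "$@"
fi
```

The point of checking the VALIDSIG fingerprint rather than just the exit status is the same one the text makes about fingerprints: gpg --verify reports "Good signature" for any key on your ring, so a script that only tests the exit code would accept a tarball signed by some other imported key.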


12.1.2. Compiling sendmail


Compile sendmail using the
Build utility provided by the sendmail developers.
For most systems, a few commands, similar to the following, are all
that is needed to compile sendmail:

# cd sendmail-8.12.11
# ./Build

A basic Build command
should work unless you have unique requirements. If you do, create a
custom configuration, called a site
configuration, for the Build command to
use. sendmail looks for site configurations in the
devtools/Site directory. On a Linux system,
Build looks for site configuration files named
site.linux.m4,
site.config.m4, and
site.post.m4. If you use another filename, use
the -f argument on the Build
command line to identify the file. For example:

$ ./Build -f ourconfig.m4

As the .m4 file extension implies, the Build
configuration is created with m4 commands. Three commands are used to
set the variables used by Build.

define
    The define command modifies the current value stored in the variable.

APPENDDEF
    The APPENDDEF macro appends a value to an existing list of values
    stored in a variable.

PREPENDDEF
    The PREPENDDEF macro prepends a value to an existing list of values
    stored in a variable.



As an example, assume that the devtools/OS/Linux
file, which defines Build characteristics for all
Linux systems, puts the manpages in
/usr/man:[2]

[2] Notice that m4 uses
unbalanced single quotes, i.e., `'.


define(`confMANROOT', `/usr/man/man')

Further assume that our Linux system stores manpages in
/usr/share/man. Adding the following line to the
devtools/Site/site.config.m4 file directs
Build to set the manpage path to
/usr/share/man:

define(`confMANROOT', `/usr/share/man/man')

Here is another example. Assume you must
configure sendmail to read data from an LDAP server. Further, assume
that you use the command sendmail -bt -d0.1 to
check the sendmail compiler options and the string
LDAPMAP does not appear in the
"Compiled with:" list. You need to
add LDAP support by setting LDAP values in the
site.config.m4 file and recompiling sendmail as
shown below:

# cd devtools/Site
# cat >> site.config.m4
APPENDDEF(`confMAPDEF', `-DLDAPMAP')
APPENDDEF(`confLIBS', `-lldap -llber')
Ctrl-D
# cd ../../
# ./Build -c

Notice the -c on the Build
command line. If you change the
site.config.m4 file and rerun
Build, the -c command-line
argument tells Build that the site configuration has changed.

Most custom
Build configurations are no more complicated than
these examples. However, there are more than 100 variables that can
be set for the Build configuration, far too
many to cover in one chapter. See the
devtools/README file for a complete list.
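The LDAP check-and-recompile steps above, as an added shell example (not from the book or from the sendmail project): it reads the "Compiled with:" list from sendmail -bt -d0.1 output, tests for a whole option name such as LDAPMAP, and appends the two APPENDDEF lines to site.config.m4 only if they are not already there, since repeating the cat >> step would add duplicate lines. The function names and the sample -d0.1 output are constructed by me (modelled on sendmail 8.12 output); the APPENDDEF lines are the ones from this section.

```shell
#!/bin/sh
# Added example (not from the book): detect whether sendmail was compiled with
# a given option, and add Build site-configuration lines idempotently.

# Constructed sample of 'sendmail -bt -d0.1 < /dev/null' output (modelled on
# 8.12; the "Compiled with:" list is wrapped onto indented continuation lines).
SAMPLE_D01_OUTPUT='Version 8.12.11
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF
                USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = vstout'

# Print the "Compiled with:" list as a single line of option names, joining
# the indented continuation lines; stops at the first non-indented line.
compiled_with() {
    printf '%s\n' "$1" | awk '
        /^ *Compiled with:/       { sub(/^ *Compiled with:/, ""); out = $0; inlist = 1; next }
        inlist && /^[ \t]+[^ \t]/ { out = out " " $0; next }
        inlist                    { exit }
        END                       { print out }
    '
}

# 0 if OPTION appears in the compiled-in list as a whole word (so "NET" does
# not match NETINET), 1 otherwise.
has_compile_option() {
    compiled_with "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# Append LINE to FILE unless an identical line is already present, so the
# function can be run again after a failed build without stacking up copies.
ensure_site_line() {
    file=$1; line=$2
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Add LDAP map support to the site configuration and rebuild. SRCDIR is the
# unpacked source tree (sendmail-8.12.11 in this chapter). The two APPENDDEF
# lines are the ones from the text; -c tells Build the site config changed.
enable_ldap_support() {
    srcdir=${1:-.}
    site="$srcdir/devtools/Site/site.config.m4"
    ensure_site_line "$site" "APPENDDEF(\`confMAPDEF', \`-DLDAPMAP')"
    ensure_site_line "$site" "APPENDDEF(\`confLIBS', \`-lldap -llber')"
    (cd "$srcdir" && ./Build -c)
}

# Usage on a real build tree (as root, from the sendmail source directory);
# the < /dev/null makes the address-test mode exit instead of waiting for input:
#   if ! has_compile_option "$(sendmail -bt -d0.1 < /dev/null 2>&1)" LDAPMAP; then
#       enable_ldap_support .
#   fi
```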


12.1.3. Installing the sendmail Binary



Because the sendmail binary is no longer
installed as set-user-ID root, you must create a special user ID and
group ID before installing sendmail. Traditionally, the sendmail
binary was set-user-ID root so that any user could submit mail via
the command line and have it written to the queue directory. However,
this does not really require a set-user-ID root binary. With the
proper directory permissions, a set-group-ID binary works fine, and
presents less of a security risk.

Create the
smmsp user and group for sendmail to use when it
runs as a mail submission program. Do this using the tools
appropriate to your system. Here are the
/etc/passwd and /etc/group
entries added to a sample Linux system:

# grep smmsp /etc/passwd
smmsp:x:25:25:Mail Submission:/var/spool/clientmqueue:/sbin/nologin
# grep smmsp /etc/group
smmsp:x:25:

Before
installing the freshly compiled sendmail, back up the current
sendmail binary, the sendmail utilities, and your current sendmail
configuration files. (You never know; you might need to drop back to
the old sendmail configuration if the new one
doesn't work as anticipated.) After the system is
backed up, install the new sendmail and utilities as follows:

# ./Build install

Running
Build install installs sendmail and the utilities,
and produces more than 100 lines of output. It should run without
error. Notice that Build uses the
smmsp user and group when it creates the
/var/spool/clientmqueue directory and when it
installs the sendmail binary. A quick check of the ownership and
permissions for the queue directory and the sendmail binary shows
this:

drwxrwx---    2 smmsp    smmsp        4096 Jun  7 16:22 clientmqueue
-r-xr-sr-x 1 root smmsp 568701 Jun 7 16:51 /usr/sbin/sendmail

After sendmail is installed, it must be configured. The topic of most
of this chapter is how to configure sendmail.
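An added shell example (not from the book or from the sendmail project) that checks the two properties this section expects Build install to leave behind: the binary owned by root, set-group-ID smmsp, and not set-user-ID; the client queue a directory owned by smmsp:smmsp with no access for other users. It works on ls -ld lines, so the same check can be run on a listing captured from another host; the function names are mine, and the two sample lines are the ones shown in this section.

```shell
#!/bin/sh
# Added example (not from the book): audit what 'Build install' should have
# left behind. Expected state, from the listing in this section:
#   -r-xr-sr-x root  smmsp  /usr/sbin/sendmail       set-group-ID smmsp, no set-user-ID
#   drwxrwx--- smmsp smmsp  /var/spool/clientmqueue  no access for "other"
# Each checker takes one 'ls -l' style line (mode links owner group ...) and
# returns 0 if the entry is acceptable, 1 with a reason on stderr otherwise.

# Character N (1-based) of the 10-character mode string; 4 = owner x/s slot,
# 7 = group x/s slot, 8-10 = permissions for "other".
mode_char() {
    printf '%s' "$1" | cut -c"$2"
}

check_binary_line() {
    set -- $1
    mode=$1; owner=$3; group=$4
    case $(mode_char "$mode" 4) in
        s|S) echo "REJECT: $mode is set-user-ID $owner; sendmail 8.12 does not need it" >&2; return 1 ;;
    esac
    if [ "$(mode_char "$mode" 7)" != s ]; then
        echo "REJECT: $mode lacks set-group-ID; users could not write the client queue" >&2; return 1
    fi
    if [ "$group" != smmsp ]; then
        echo "REJECT: group is $group, expected smmsp" >&2; return 1
    fi
    if [ "$owner" != root ]; then
        echo "REJECT: owner is $owner, expected root" >&2; return 1
    fi
    if [ "$(mode_char "$mode" 9)" = w ]; then
        echo "REJECT: $mode is world-writable" >&2; return 1
    fi
    return 0
}

check_queue_line() {
    set -- $1
    mode=$1; owner=$3; group=$4
    if [ "$(mode_char "$mode" 1)" != d ]; then
        echo "REJECT: clientmqueue is not a directory ($mode)" >&2; return 1
    fi
    if [ "$owner" != smmsp ] || [ "$group" != smmsp ]; then
        echo "REJECT: clientmqueue owned by $owner:$group, expected smmsp:smmsp" >&2; return 1
    fi
    case $(printf '%s' "$mode" | cut -c8-10) in
        ---) ;;
        *) echo "REJECT: clientmqueue $mode is accessible to other users" >&2; return 1 ;;
    esac
    return 0
}

# Run both checks on the live system, using the paths from this section;
# a missing path is skipped rather than reported.
audit_install() {
    rc=0
    if [ -e /usr/sbin/sendmail ]; then
        check_binary_line "$(ls -ld /usr/sbin/sendmail)" || rc=1
    fi
    if [ -d /var/spool/clientmqueue ]; then
        check_queue_line "$(ls -ld /var/spool/clientmqueue)" || rc=1
    fi
    return $rc
}

# Usage: sh audit-sendmail-install.sh --audit
if [ "${1:-}" = --audit ]; then
    audit_install
fi
```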






