Linux Network Administrator's Guide (3rd Edition) [Electronic resources]

Tony Bautts, Terry Dawson, Gregor N. Purdy


12.1. Installing the sendmail Distribution

sendmail is included in prepackaged form in most Linux distributions. Despite this fact, there are some good reasons to install sendmail from source, especially if you are security conscious. sendmail changes frequently to fix security problems and to add new features. Closing security holes and using new features are good reasons to update the sendmail release on your system. Additionally, compiling sendmail from source gives you more control over the sendmail environment. Subscribe to the sendmail-announce mailing list to receive notices of new sendmail releases, and monitor the http://www.sendmail.org/ site to stay informed about potential security threats and the latest sendmail developments.

12.1.1. Downloading sendmail Source Code

Download the sendmail source code distribution and the source code distribution signature file from http://www.sendmail.org/current-releasel, from any of the mirror sites, or by anonymous ftp. If you do not have the current sendmail PGP keys on your key ring, also download the PGP keys needed to verify the signature. Adding the following step to the ftp session downloads the keys for the current year:

ftp> get PGPKEYS
local: PGPKEYS remote: PGPKEYS
227 Entering Passive Mode (209,246,26,22,244,238)
150 Opening BINARY mode data connection for 'PGPKEYS' (61916 bytes).
226 Transfer complete.
61916 bytes received in 0.338 secs (1.8e+02 Kbytes/sec)
ftp> quit
221 Goodbye.

If you downloaded new keys, add the PGP keys to your key ring. In the following example, gpg (Gnu Privacy Guard) is used:

# gpg --import PGPKEYS
gpg: key 16F4CCE9: not changed
gpg: key 95F61771: public key imported
gpg: key 396F0789: not changed
gpg: key 678C0A03: not changed
gpg: key CC374F2D: not changed
gpg: key E35C5635: not changed
gpg: key A39BA655: not changed
gpg: key D432E19D: not changed
gpg: key 12D3461D: not changed
gpg: key BF7BA421: not changed
gpg: key A00E1563: non exportable signature (class 10) - skipped
gpg: key A00E1563: not changed
gpg: key 22327A01: not changed
gpg: Total number processed: 12
gpg:               imported: 1  (RSA: 1)
gpg:              unchanged: 11

Of the twelve keys in the PGPKEYS file, only one is imported into our key ring. The not changed comment for the other eleven keys shows that they were already on the key ring. The first time you import PGPKEYS, all twelve keys will be added to the key ring.

Before using the new key, verify its fingerprint. The PGPKEYS file arrived over the same unauthenticated channel as the tarball, so a successful import proves nothing by itself; comparing the fingerprint against a reference obtained elsewhere is the step that ties the key to the sendmail developers. Here is a gpg example:

# gpg --fingerprint 95F61771
pub  1024R/95F61771 2003-12-10 Sendmail Signing Key/2004 <sendmail@Sendmail.ORG>
Key fingerprint = 46 FE 81 99 48 75 30 B1  3E A9 79 43 BB 78 C1 D4

Compare the displayed fingerprint against Table 12-1, which contains fingerprints for sendmail signing keys.

Table 12-1. Sendmail signing key fingerprints

Year   Fingerprint
1997   CA AE F2 94 3B 1D 41 3C 94 7B 72 5F AE 0B 6A 11
1998   F9 32 40 A1 3B 3A B6 DE B2 98 6A 70 AF 54 9D 26
1999   25 73 4C 8E 94 B1 E8 EA EA 9B A4 D6 00 51 C3 71
2000   81 8C 58 EA 7A 9D 7C 1B 09 78 AC 5E EB 99 08 5D
2001   59 AF DC 3E A2 7D 29 56 89 FA 25 70 90 0D 7E C1
2002   7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45
2003   C4 73 DF 4A 97 9C 27 A9 EE 4F B2 BD 55 B5 E0 0F
2004   46 FE 81 99 48 75 30 B1 3E A9 79 43 BB 78 C1 D4

If the fingerprint is correct, you can sign, and thus validate, the key. (The sign command produces an exportable certification; if you only want to mark the key as verified on this machine, use lsign instead.) In this gpg example, we sign the newly imported sendmail key:

# gpg --edit-key 95F61771
gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: checking the trustdb
gpg: checking at depth 0 signed=1 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: checking at depth 1 signed=1 ot(-/q/n/m/f/u)=1/0/0/0/0/0
pub  1024R/95F61771  created: 2003-12-10 expires: never      trust: -/q
(1). Sendmail Signing Key/2004 <sendmail@Sendmail.ORG>
Command> sign
   
pub  1024R/95F61771  created: 2003-12-10 expires: never      trust: -/q
Fingerprint: 46 FE 81 99 48 75 30 B1  3E A9 79 43 BB 78 C1 D4
Sendmail Signing Key/2004 <sendmail@Sendmail.ORG>
How carefully have you verified the key you are about to sign actually belongs to the 
person named above?  If you don't know what to answer, enter "0".
(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.
Your selection? 3
Are you really sure that you want to sign this key
with your key: "Winslow Henson <win.henson@vstout.vbrew.com>"
I have checked this key very carefully.
Really sign? y
   
You need a passphrase to unlock the secret key for
user: "Winslow Henson <win.henson@vstout.vbrew.com>"
1024-bit DSA key, ID 34C9B515, created 2003-07-23
Command> quit
Save changes? y

After the sendmail keys have been added to the key ring and signed,[1] verify the sendmail distribution tarball. Here we use the sendmail.8.12.11.tar.gz.sig signature file to verify the sendmail.8.12.11.tar.gz compressed tarball:

[1] It is necessary to download and import the PGPKEYS file only about once a year.

# gpg --verify sendmail.8.12.11.tar.gz.sig sendmail.8.12.11.tar.gz
gpg: Signature made Sun 18 Jan 2004 01:08:52 PM EST using RSA key ID 95F61771
gpg: Good signature from "Sendmail Signing Key/2004 <sendmail@Sendmail.ORG>"
gpg: checking the trustdb
gpg: checking at depth 0 signed=2 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: checking at depth 1 signed=0 ot(-/q/n/m/f/u)=2/0/0/0/0/0

Based on this, the distribution tarball can be safely unpacked. Unpacking it creates a directory whose name is derived from the sendmail release number; the tarball downloaded in this example creates a directory named sendmail-8.12.11. The files and subdirectories used to compile and configure sendmail are all contained within this directory.
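The check that the preceding steps perform by eye, as an added example that is not part of the book: a POSIX shell script that asks gpg for machine-readable status lines, accepts the tarball only when the signature is valid and was made by the key whose fingerprint was pinned from Table 12-1, and only then unpacks it. gpg's "Good signature" line alone says only that the signature verifies against some key in your key ring; pinning the fingerprint is what stops a tarball signed by a key an attacker slipped into PGPKEYS from passing. The script name, the EXPECTED_FPR constant and the guard at the bottom are assumptions; the script assumes gpg and tar are on PATH and that PGPKEYS has already been imported.

```shell
#!/bin/sh
# Added example, not from the book: refuse to unpack a sendmail tarball unless
# gpg reports a valid signature made by the key whose fingerprint we pinned
# from Table 12-1. Assumes gpg and tar are on PATH and that the PGPKEYS file
# has already been imported into the key ring.

# Fingerprint of the 2004 signing key, copied from Table 12-1 (assumed
# current; replace it with the table entry for the year of your release).
EXPECTED_FPR="46 FE 81 99 48 75 30 B1 3E A9 79 43 BB 78 C1 D4"

# Normalise a fingerprint for comparison: drop whitespace, force upper case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Read gpg --status-fd lines from stdin. Succeed only if a VALIDSIG line
# names the expected key; BADSIG, ERRSIG, NO_PUBKEY, a valid signature from
# some other key, or no status lines at all are all failures.
check_status() {
    want=$(norm_fpr "$1")
    got=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # Third field is the fingerprint of the key that made the signature.
                fpr=$(printf '%s\n' "$line" | awk '{ print $3 }')
                if [ "$(norm_fpr "$fpr")" = "$want" ]; then
                    got=$fpr
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1
                ;;
        esac
    done
    [ -n "$got" ]
}

# Run gpg with machine-readable status on stdout (its human-readable output
# goes to stderr, discarded here) and unpack only if check_status accepts.
verify_and_unpack() {
    sig=$1
    tarball=$2
    if gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null |
            check_status "$EXPECTED_FPR"; then
        echo "signature valid and made by the pinned key: unpacking $tarball"
        tar xzf "$tarball"
    else
        echo "REFUSING to unpack $tarball: no valid signature from the pinned key" >&2
        return 1
    fi
}

# Usage: ./verify-sendmail.sh sendmail.8.12.11.tar.gz.sig sendmail.8.12.11.tar.gz
if [ "$#" -eq 2 ]; then
    verify_and_unpack "$1" "$2"
fi
```

check_status can be exercised without gpg by piping constructed status lines into it, which is how a practitioner would test the policy before trusting it; verify_and_unpack runs the real gpg. The status-line format (`[GNUPG:] VALIDSIG <fingerprint> ...`) is the one documented in GnuPG's doc/DETAILS.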

12.1.2. Compiling sendmail

Compile sendmail using the Build utility provided by the sendmail developers. For most systems, a few commands, similar to the following, are all that is needed to compile sendmail:

# cd sendmail-8.12.11
# ./Build

A basic Build command should work unless you have unique requirements. If you do, create a custom configuration, called a site configuration, for the Build command to use. sendmail looks for site configurations in the devtools/Site directory. On a Linux system, Build looks for site configuration files named site.linux.m4, site.config.m4, and site.post.m4. If you use another filename, use the -f argument on the Build command line to identify the file. For example:

$ ./Build -f ourconfig.m4

As the .m4 file extension implies, the Build configuration is written with m4 commands. Three commands are used to set the variables used by Build.

define

The define command sets the variable to a new value, replacing whatever it currently holds.

APPENDDEF

The APPENDDEF macro appends a value to an existing list of values stored in a variable.

PREPENDDEF

The PREPENDDEF macro prepends a value to an existing list of values stored in a variable.

As an example assume that the devtools/OS/Linux file, which defines Build characteristics for all Linux systems, puts the manpages in /usr/man:[2]

[2] Notice that m4 uses unbalanced single quotes, i.e., `'.

define(`confMANROOT', `/usr/man/man')

Further assume that our Linux system stores manpages in /usr/share/man. Adding the following line to the devtools/Site/site.config.m4 file directs Build to set the manpage path to /usr/share/man:

define(`confMANROOT', `/usr/share/man/man')

Here is another example. Assume you must configure sendmail to read data from an LDAP server. Further, assume that you use the command sendmail -bt -d0.1 to check the sendmail compiler options and the string LDAPMAP does not appear in the "Compiled with:" list. You need to add LDAP support by setting LDAP values in the site.config.m4 file and recompiling sendmail as shown below:

# cd devtools/Site
# cat >> site.config.m4
APPENDDEF(`confMAPDEF', `-DLDAPMAP')
APPENDDEF(`confLIBS', `-lldap -llber')
Ctrl-D
# cd ../../
# ./Build -c

Notice the -c argument on the Build command. If you change the site.config.m4 file and rerun Build, pass -c so that Build picks up the changed configuration instead of reusing the previous one.

Most custom Build configurations are no more complicated than these examples. However, there are more than 100 variables that can be set for the Build configuration, far too many to cover in one chapter. See the devtools/README file for a complete list.

12.1.3. Installing the sendmail Binary

Because the sendmail binary is no longer installed set-user-ID root, you must create a special user ID and group ID before installing sendmail. Traditionally, the sendmail binary was set-user-ID root so that any user could submit mail from the command line and have it written to the queue directory. That does not really require a set-user-ID root binary: with the proper directory permissions, a set-group-ID binary works fine, and it presents less of a security risk, because a flaw in the submission program then hands an attacker the smmsp group rather than root.

Create the smmsp user and group for sendmail to use when it runs as a mail submission program. Do this using the tools appropriate to your system. Here are the /etc/passwd and /etc/group entries added to a sample Linux system:

# grep smmsp /etc/passwd
smmsp:x:25:25:Mail Submission:/var/spool/clientmqueue:/sbin/nologin
# grep smmsp /etc/group
smmsp:x:25:

Before installing the freshly compiled sendmail, back up the current sendmail binary, the sendmail utilities, and your current sendmail configuration files. (You never know; you might need to drop back to the old sendmail configuration if the new one doesn't work as anticipated.) After the system is backed up, install the new sendmail and utilities as follows:

# ./Build install

Running Build install installs sendmail and the utilities, and produces more than 100 lines of output. It should run without error. Notice that Build uses the smmsp user and group when it creates the /var/spool/clientmqueue directory and when it installs the sendmail binary. A quick check of the ownership and permissions for the queue directory and the sendmail binary shows this:

drwxrwx---    2 smmsp    smmsp        4096 Jun  7 16:22 clientmqueue
-r-xr-sr-x    1 root     smmsp      568701 Jun  7 16:51 /usr/sbin/sendmail
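A check for the ownership and permission properties the text relies on, as an added example that is not from the book: a POSIX shell script that reads the mode, owner and group of the sendmail binary and of the client queue directory and reports any deviation: a binary that is set-user-ID root instead of set-group-ID smmsp, a binary that is group- or world-writable, or a queue directory that is reachable by other users or not writable by the smmsp group. The script name, the stat-based driver (GNU stat, as on Linux) and the sample mode strings are assumptions; the paths are the ones shown in the text.

```shell
#!/bin/sh
# Added example, not from the book: check that an installed sendmail has the
# ownership and modes the text describes (binary root:smmsp and set-group-ID,
# not set-user-ID; client queue smmsp:smmsp and closed to other users).
# The stat-based driver assumes GNU stat, as found on Linux.

SENDMAIL_BIN=/usr/sbin/sendmail
CLIENT_QUEUE=/var/spool/clientmqueue

# Split an octal mode as printed by stat -c '%a' into the special-bit digit
# (set-user-ID=4, set-group-ID=2, sticky=1) and the user/group/other digits.
# A 3-digit mode has no special bits set.
split_mode() {
    m=$1
    case ${#m} in
        4) special=${m%???}; perms=${m#?} ;;
        3) special=0;        perms=$m ;;
        *) return 1 ;;
    esac
    perm_u=${perms%??}
    rest=${perms#?}
    perm_g=${rest%?}
    perm_o=${rest#?}
}

# Accept "<mode> <owner> <group>" for the sendmail binary only if it is
# root:smmsp, set-group-ID, not set-user-ID and not group- or world-writable.
# Prints one line per finding and returns 1 if there were any.
check_binary() {
    set -- $1
    split_mode "$1" || { echo "FAIL: cannot parse mode '$1'"; return 1; }
    rc=0
    [ "$2" = root ]  || { echo "FAIL: binary owned by $2, expected root"; rc=1; }
    [ "$3" = smmsp ] || { echo "FAIL: binary group is $3, expected smmsp"; rc=1; }
    [ $((special & 4)) -eq 0 ] ||
        { echo "FAIL: binary is set-user-ID (mode $1); expected set-group-ID smmsp only"; rc=1; }
    [ $((special & 2)) -ne 0 ] ||
        { echo "FAIL: binary is not set-group-ID (mode $1); local submission cannot write the client queue"; rc=1; }
    [ $((perm_g & 2)) -eq 0 ] && [ $((perm_o & 2)) -eq 0 ] ||
        { echo "FAIL: binary is group- or world-writable (mode $1)"; rc=1; }
    return $rc
}

# Accept "<mode> <owner> <group>" for the client queue only if it is
# smmsp:smmsp, writable by the smmsp group and not accessible to others.
check_queue() {
    set -- $1
    split_mode "$1" || { echo "FAIL: cannot parse mode '$1'"; return 1; }
    rc=0
    [ "$2" = smmsp ] && [ "$3" = smmsp ] ||
        { echo "FAIL: queue directory is $2:$3, expected smmsp:smmsp"; rc=1; }
    [ "$perm_o" -eq 0 ] ||
        { echo "FAIL: queue directory is accessible to other users (mode $1)"; rc=1; }
    [ $((perm_g & 2)) -ne 0 ] ||
        { echo "FAIL: queue directory is not group-writable (mode $1); set-group-ID sendmail cannot queue"; rc=1; }
    return $rc
}

# Read the live values with stat and run both checks.
audit_install() {
    audit_rc=0
    check_binary "$(stat -c '%a %U %G' "$SENDMAIL_BIN")" || audit_rc=1
    check_queue  "$(stat -c '%a %U %G' "$CLIENT_QUEUE")"  || audit_rc=1
    [ "$audit_rc" -eq 0 ] && echo "OK: $SENDMAIL_BIN and $CLIENT_QUEUE have the expected ownership and modes"
    return $audit_rc
}

# Usage: ./audit-sendmail.sh audit
if [ "$#" -eq 1 ] && [ "$1" = audit ]; then
    audit_install
fi
```

Run it as ./audit-sendmail.sh audit after Build install. The two check functions take a "<octal mode> <owner> <group>" string, the format produced by stat -c '%a %U %G', so the policy can be exercised on sample values without touching the file system; a setuid-root sendmail left behind by an older package is reported as a finding rather than silently accepted.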

After sendmail is installed, it must be configured. The topic of most of this chapter is how to configure sendmail.
