INSTALL INSTRUCTIONS

This is basically my HOW-TO install sendmail on a RedHat system with POP before SMTP authorization. These instructions were tested and written using various RedHat 5.X to 7.X servers, and these exact instructions were tested on RedHat 7.3. I also have reports that these instructions work fine with RedHat 8.0, and there are some notes on this in the contrib/ directory.

UPDATE: These instructions were updated for sendmail-8.12.4 and RedHat 7.2 on April 27, 2002.
UPDATE: These instructions were updated for sendmail-8.12.4 and a patch for vacation on June 17, 2002.
UPDATE: These instructions were updated for sendmail-8.12.5 and tested with RedHat 7.3 on July 25, 2002.
NOTE: The patch for the bug in vacation we discovered was incorporated in Sendmail 8.12.5 and is no longer needed.
UPDATE: These instructions were updated for sendmail-8.12.6 and patched with the smrsh patch on October 4, 2002.
UPDATE: Added Privacy Options and Trusted Parameter for HTTPD to sendmail.mc.
UPDATE: The sendmail source file has the correct MD5 checksum per http://www.cert.org/advisories/CA-2002-28.html. If you used the version we mirror, you do not have the trojan.
UPDATE: The sendmail init file on older versions of RedHat (pre-8.0) doesn't have the clientmqueue runner. A modified sendmail-init tested with RH 7.1 is located in this dir.
UPDATE: Instructions updated for sendmail-8.12.7; the smrsh patch is no longer needed.
UPDATE: After years of using Stunnel, I am once again experimenting with the STARTTLS (SSL) support available in sendmail. Many sources were helpful, J. Heiss' in particular: http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml. After much testing, I have decided that SSL for IMAP and Sendmail still isn't there. I recommend continuing to use stunnel, but adding STARTTLS to port 25 and using the signed certificates is a neat addition to work with.
UPDATE: Sendmail 8.12.8 upgrade to fix root exploit - critical.
UPDATE: Sendmail 8.12.9 upgrade to fix critical exploit -- The information for the exploit is in the wild and is public.
UPDATE: Minor documentation updates and added contrib/ directory -- 4-16-03
UPDATE: Sendmail 8.12.10 upgrade to fix security exploit -- 9-17-03
UPDATE: Sendmail 8.12.11 upgrade for minor bugs -- 03-03-04
UPDATE: PopRelayd-KAM.pl completely rewritten with support for RCPT Throttle database and numerous fixes -- 08-09-04

NOTE FROM SENDMAIL.ORG: 2002-12-30: Note: if you encounter the following error

    *** ERROR: FEATURE() should be before MAILER()

while creating a cf file, then please apply this patch to cf/m4/proto.m4 and try again. Patch located at http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/sendmail-source/smrsh-20020924.patch

kevin@mcgrail.com

--

#WGET, UNTAR & INSTALL THE VARIOUS SUPPORT DISTRIBUTIONS

#CREATE A TEMP DIR FOR THE TAR FILES
rm -rf /tmp/20040303SENDMAIL/
mkdir /tmp/20040303SENDMAIL/
cd /tmp/20040303SENDMAIL/

#GET ALL THE FILES
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/sendmail-source/sendmail.8.12.11.tar.gz
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/Linux-OS
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/popauth.m4
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/poprelayd-KAM.pl
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/sendmail.mc
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/openssl.cnf
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/sendmail-ca-ssl.cnf
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/sendmail-ssl.cnf
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/site.config.m4.additions
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/sendmail-source/openssl-0.9.7d.tar.gz
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/sendmail-init

#CLEAR OUT OLD SOURCE
rm -rf /usr/src/sendmail-*
rm -rf /usr/src/openssl-*

# INSTALL OPENSSL FOR STARTTLS (SSL) SUPPORT
# HOMEPAGE: http://www.openssl.org/
#
# UPDATED: 9-18-02 thanks to Robbie Robinson -- THIS IS A CRITICAL UPDATE!
# UPDATED: 1-30-03 Added the compilation of the shared library
# UPDATED: 03-12-03 CRITICAL UPDATE -- We are seeing in the wild DoS attacks related to mod_ssl and the Slapper worm.
#          This is the exploit that was closed after 0.9.6e and we are crossing fingers. However, besides that
#          problem, there is an upcoming paper to be released that will describe exploits that this patch will fix.
# UPDATED: 06-22-03 ANOTHER important update to 0.9.6b
# UPDATED: 9-20-03: Security Fix & Bug Fix: 9-30-03 Upgrade to openssl v0.9.7c
# UPDATED: 03-17-04: Security Fix / DoS Potential: Upgraded to openssl v0.9.7d
#
# Install openssl v0.9.7d:
cd /usr/src
tar zxvf /tmp/20040303SENDMAIL/openssl-0.9.7d.tar.gz
cd openssl-0.9.7d/
./config shared
make
make test
make install

# Add the following line to /etc/ld.so.conf
#
# /usr/local/ssl/lib
#
vim /etc/ld.so.conf
#
# Update ldconfig
#
ldconfig -v

#UNINSTALL THE DEFAULT SENDMAIL THAT COMES WITH THE OS, BUT SAVE SOME OF THE IMPORTANT FILES:
tar cvfz /tmp/20040303SENDMAIL/sendmail-save.tar.gz /etc/rc.d/init.d/sendmail /etc/sendmail.mc /etc/mail/sendmail.mc /etc/mail/sendmail.cf /etc/sendmail.cf /etc/aliases /etc/mail/ /etc/pam.d/smtp /etc/sysconfig/sendmail /usr/lib/sasl/Sendmail.conf
rpm -e sendmail --nodeps

# INSTALL SENDMAIL USING A FEW PATCHES AND CONFIGURATION FILES:
#
# UPDATED: 1-30-03
# UPDATED: 9-17-03
#
# HOMEPAGE: http://www.sendmail.org/
#
# Install sendmail v8.12.11
cd /usr/src/
tar zxvf /tmp/20040303SENDMAIL/sendmail.8.12.11.tar.gz
cd sendmail-8.12.11
cp /tmp/20040303SENDMAIL/sendmail.mc cf/cf
cp /tmp/20040303SENDMAIL/popauth.m4 cf/hack

#RH 7.X Change -- This fixes some non-standard paths that RedHat uses
#
#You can also fix this at a minimum by doing a ln -s /usr/share/man /usr/man. Thanks to Greg Smith
#for pointing this out.
cp -f /tmp/20040303SENDMAIL/Linux-OS devtools/OS/Linux

#Add an SMMSP User -- Sendmail 8.12.X Change
/usr/sbin/adduser -M -u 102 -s /bin/false smmsp

#Add SSL Support
cat /tmp/20040303SENDMAIL/site.config.m4.additions >> devtools/Site/site.config.m4

#Add Milter Support
echo "APPENDDEF(\`conf_sendmail_ENVDEF', \`-DMILTER')" >> devtools/Site/site.config.m4

sh Build
sh Build install
cd libmilter
sh Build -c
sh Build install
cd ..
cd cf/cf
sh Build sendmail.cf
cd /usr/src/sendmail-8.12.11/obj.`uname`.`uname -r`.`uname -m`/libsm
cp -f libsm.a /usr/lib/

#DELETE YOUR OBJECTS TO PREVENT LINKING AGAINST THEM
rm -r /usr/src/sendmail-8.12.11/obj.`uname`.`uname -r`.`uname -m`

#Install the Configuration files / Make dirs / etc.
cd /usr/src/sendmail-8.12.11/cf/cf
sh Build install-cf
mkdir /var/spool/mqueue
chmod 755 /etc/mail /var/spool/mqueue
chown root.mail /var/spool/mqueue
cp submit.mc sendmail.mc /etc/mail/

#NOTE: Poprelayd-KAM requires DB_File, which is an ext module of perl and may need to be manually installed.
# i.e. 'cd /usr/src/perl-5.6.1/ext/DB_Files/; perl Makefile.PL; make; make install; cd /etc/mail'
# It is also typically available as an rpm, i.e. rpm --install perl-DB_File-1.75-36.1.73.i386.rpm
makemap hash /etc/mail/popauth.db < /dev/null
makemap hash /etc/mail/rcpt_flood.db < /dev/null
chmod 644 /etc/mail/popauth.db /etc/mail/rcpt_flood.db
cp /tmp/20040303SENDMAIL/poprelayd-KAM.pl /usr/local/sbin/
chmod +x /usr/local/sbin/poprelayd-KAM.pl

###Add Poprelay Daemon to /etc/rc.d/rc.local (i.e. add a line that says this: /usr/local/sbin/poprelayd-KAM.pl -d)
###Run the Poprelay daemon
/usr/local/sbin/poprelayd-KAM.pl -d

#OPTIONAL SSL CERT SECTION

#CREATE CERTIFICATES
cd /tmp/20040303SENDMAIL/

#EDIT THE CONFIG
vi sendmail-ca-ssl.cnf

#CREATE THE CERTIFICATE AUTHORITY FILES
/usr/bin/openssl req -new -x509 -keyout /usr/local/ssl/private/cakey.pem -out /usr/local/ssl/certs/cacert.pem -days 3650 -nodes -config sendmail-ca-ssl.cnf
#INTERACTIVE
chmod 400 /usr/local/ssl/private/cakey.pem

#EDIT THE CONFIG -- NOTE: DO NOT USE THE SAME CN FOR BOTH THE CA AND THE CERTIFICATE BELOW (See note at end)
vi sendmail-ssl.cnf

#CREATE THE CERTIFICATE
/usr/local/ssl/bin/openssl req -new -x509 -keyout /usr/local/ssl/private/sendmail.key -out /usr/local/ssl/certs/sendmail.csr -days 3650 -nodes -config sendmail-ssl.cnf
#INTERACTIVE
chmod 400 /usr/local/ssl/private/sendmail.key

#SIGN THE CERTIFICATE WITH THE CA FILE ABOVE
cd /usr/local/ssl
mv openssl.cnf openssl.old
cp /tmp/20040303SENDMAIL/openssl.cnf .
echo "20030917" > serial
touch index.txt
/usr/local/ssl/bin/openssl x509 -x509toreq -in /usr/local/ssl/certs/sendmail.csr -signkey /usr/local/ssl/private/sendmail.key -out /tmp/tmp.pem
/usr/local/ssl/bin/openssl ca -config /usr/local/ssl/openssl.cnf -policy policy_anything -days 3650 -out /usr/local/ssl/certs/sendmail.pem -infiles /tmp/tmp.pem
#INTERACTIVE
rm /tmp/tmp.pem

#STILL BUGGY: #SETUP CERTS FOR REDHAT RPM OF IMAP SERVICES FOR SSL
#STILL BUGGY: cd /usr/share/ssl/certs
#STILL BUGGY: rm -f imapd.pem ipop3d.pem
#STILL BUGGY: ln -s /usr/local/ssl/certs/imapd.pem imapd.pem
#STILL BUGGY: ln -s /usr/local/ssl/certs/imapd.pem ipop3d.pem
#STILL BUGGY:
#STILL BUGGY: #CREATE THE CERTIFICATE
#STILL BUGGY: cd /tmp/20040303SENDMAIL/
#STILL BUGGY: /usr/local/ssl/bin/openssl req -new -x509 -keyout /usr/local/ssl/certs/imapd.csr -out /usr/local/ssl/certs/imapd.csr -days 3650 -nodes -config sendmail-ssl.cnf
#STILL BUGGY: #INTERACTIVE
#STILL BUGGY:
#STILL BUGGY: #SIGN THE CERTIFICATE WITH THE CA FILE ABOVE
#STILL BUGGY: /usr/local/ssl/bin/openssl x509 -x509toreq -signkey /usr/local/ssl/certs/imapd.csr -in /usr/local/ssl/certs/imapd.csr -out /tmp/tmp.pem
#STILL BUGGY:
#STILL BUGGY: /usr/local/ssl/bin/openssl ca -config /usr/local/ssl/openssl.cnf -policy policy_anything -days 3650 -out /usr/local/ssl/certs/imapd.pem -infiles /tmp/tmp.pem
#STILL BUGGY:
#STILL BUGGY: #IMPORTANT: COPY THE PRIVATE KEY FROM IMAPD.CSR TO IMAPD.PEM
#STILL BUGGY:
#STILL BUGGY: #INTERACTIVE
#STILL BUGGY: rm /tmp/tmp.pem
#STILL BUGGY: chmod 400 /usr/local/ssl/certs/imapd.pem /usr/local/ssl/certs/imapd.csr

#Restore Saved files and Move files to proper locations
cd /tmp/20040303SENDMAIL/
tar zxvf sendmail-save.tar.gz
mv /tmp/20040303SENDMAIL/etc/rc.d/init.d/sendmail /etc/rc.d/init.d
#OLD WAY: cd /etc/rc.d/rc3.d; ln -s ../init.d/sendmail S80sendmail
#OLD WAY: cd /etc/rc.d/rc0.d; ln -s ../init.d/sendmail K30sendmail
chkconfig sendmail on
mv /tmp/20040303SENDMAIL/etc/aliases /etc/mail/
mv /tmp/20040303SENDMAIL/etc/pam.d/smtp /etc/pam.d/
mv /tmp/20040303SENDMAIL/etc/sysconfig/sendmail /etc/sysconfig/
mv /tmp/20040303SENDMAIL/etc/mail/access /etc/mail
mv /tmp/20040303SENDMAIL/etc/mail/domaintable /etc/mail
mv /tmp/20040303SENDMAIL/etc/mail/local-host-names /etc/mail
mv /tmp/20040303SENDMAIL/etc/mail/mailertable /etc/mail
mv /tmp/20040303SENDMAIL/etc/mail/Makefile /etc/mail
mv /tmp/20040303SENDMAIL/etc/mail/trusted-users /etc/mail
mv /tmp/20040303SENDMAIL/etc/mail/virtusertable /etc/mail
mv /tmp/20040303SENDMAIL/usr/lib/sasl/Sendmail.conf /usr/lib/sasl/

#Alternate RH7 init script for sendmail -- Adds Submission Queue (*NECESSARY FOR MIMEDEFANG!*)
mv /tmp/20040303SENDMAIL/sendmail-init /etc/rc.d/init.d/sendmail
chmod +x /etc/rc.d/init.d/sendmail
echo CLIENTQUEUE=5m >> /etc/sysconfig/sendmail

#Recreate db files
/usr/bin/newaliases
make -C /etc/mail

#Create smrsh dir and link procmail and vacation
mkdir /usr/adm; mkdir /usr/adm/sm.bin; cd /usr/adm/sm.bin
#OPTIONAL -- The current patch MAY close the procmail security hole in smrsh, but may not:
ln -s /usr/bin/procmail procmail
ln -s /usr/bin/vacation vacation

# IF YOU WANT TO USE 'mailstats'
touch /var/log/sendmail.st

#START HER UP!
/etc/rc.d/init.d/sendmail start

#GET RID OF THE TEMP DIR FOR THE TAR FILES (OPTIONAL)
rm -rf /tmp/20040303SENDMAIL/

NOTE ABOUT CN: The CN is the CommonName, which is the name of your server, say for example www.pccc.com. If you make a certificate and a CA certificate and both of them have the same CN, then some browsers/SSL implementations will not work. For the CA cert, we recommend something like "Company Name's CA", and for the cert we recommend the name of the box.

For example, here is the cert for https://spam.peregrinehw.com/

View the cert:

openssl x509 -noout -text -in /usr/local/ssl/certs/spam.peregrinehw.com.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 537067828 (0x20030134)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Virginia, L=Fairfax City, O=Peregrine Hardeware, Inc., CN=Peregrine Hardware, Inc's CA
        Validity
            Not Before: Mar  5 20:59:24 2003 GMT
            Not After : Mar  2 20:59:24 2013 GMT
        Subject: C=US, ST=Virginia, L=Fairfax, O=Peregrine Hardware, Inc., OU=SpamAssassin, CN=spam.peregrinehw.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:e6:5e:07:5c:bb:2c:bc:d4:57:93:70:53:8b:b4:
                    48:2a:bf:e0:b0:fa:6d:33:8c:bd:d1:bd:68:68:2c:
                    cd:8c:b6:cd:32:33:8e:40:8c:22:0a:7d:c0:60:5c:
                    f0:ab:c1:f1:de:0e:94:cd:34:a1:e4:92:aa:84:fc:
                    74:d4:5a:81:04:42:46:2c:6a:79:90:b4:3a:2d:f0:
                    28:78:6b:f0:4e:6d:8c:9f:46:5e:c1:e6:d3:a6:a6:
                    d6:c6:68:ee:c9:a9:c7:73:53:1c:9d:54:b1:8f:22:
                    84:23:be:49:92:7f:c2:c0:bd:1b:72:d8:81:83:1c:
                    02:f3:f4:d8:d5:c7:dd:22:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                9F:D2:B1:6F:5F:AF:18:75:1C:ED:6E:58:09:82:9D:AD:03:1F:54:7E
            X509v3 Authority Key Identifier:
                DirName:/C=US/ST=Virginia/L=Fairfax City/O=Peregrine Hardeware, Inc./CN=Peregrine Hardware, Inc's CA
                serial:00

    Signature Algorithm: md5WithRSAEncryption
        bd:e5:fc:e0:1f:6e:04:bb:76:d0:ea:74:10:b3:b3:d1:1f:3e:
        63:37:92:49:89:61:8d:d1:12:e2:54:fb:68:d2:93:93:dd:04:
        08:11:7e:da:49:c8:8b:68:84:53:be:91:b3:bc:7c:92:1f:17:
        36:2b:98:59:61:48:b0:e0:98:c4:30:cd:94:41:78:0f:35:73:
        8c:d0:99:ba:e4:60:cd:7f:fa:cf:81:38:02:0d:8f:04:7b:28:
        0f:c8:78:90:02:94:fa:4e:e9:c0:c9:8d:5c:82:de:a7:91:b0:
        64:a1:69:ad:39:dd:50:b1:c1:32:6c:6d:2e:69:16:02:cf:f8:
        a9:ce
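As an added example (not part of the original HOW-TO or the author's files), the script below builds a throw-away CA and server certificate with different CNs the way the OPTIONAL SSL CERT SECTION does, signs the server cert, and then checks the two things the CN note depends on: the signed cert verifies against the CA, and the CA and server CNs are not the same. The names mail.example.com and "Example Inc's CA" are constructed placeholders, and openssl x509 -req stands in for the interactive openssl ca step so the script runs unattended.

```shell
#!/bin/sh
# Added example, not part of the original HOW-TO: build a throw-away CA and a
# server certificate with DIFFERENT CNs (the rule in the CN note), sign the
# server cert with the CA, and verify the result. All names are constructed
# placeholders; openssl x509 -req replaces the interactive 'openssl ca' step.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. CA key and self-signed CA cert (the sendmail-ca-ssl.cnf step, via -subj)
openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
  -subj "/C=US/ST=Virginia/O=Example Inc/CN=Example Inc's CA" \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# 2. Server key and CSR; the CN is the mail host's name, not the CA's name
openssl req -new -nodes -newkey rsa:2048 \
  -subj "/C=US/ST=Virginia/O=Example Inc/CN=mail.example.com" \
  -keyout "$WORK/sendmail.key" -out "$WORK/sendmail.csr" 2>/dev/null

# 3. Sign the CSR with the CA (non-interactive stand-in for 'openssl ca')
openssl x509 -req -days 3650 -in "$WORK/sendmail.csr" \
  -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
  -out "$WORK/sendmail.pem" 2>/dev/null

# Private keys get the same 0400 mode the HOW-TO applies
chmod 400 "$WORK/cakey.pem" "$WORK/sendmail.key"

# cn_of -subject|-issuer CERT: print the CN of a cert's subject or issuer.
# Handles both the old "/C=US/.../CN=x" and the new "C = US, ..., CN = x" layouts.
cn_of() { openssl x509 -noout "$1" -in "$2" | sed -n 's/.*CN *= *//p'; }

# check_cert CA CERT: 0 if CERT verifies against CA and the two CNs differ,
# 1 if the chain does not verify, 2 if the CNs collide (the failure the note warns about)
check_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  [ "$(cn_of -subject "$1")" != "$(cn_of -subject "$2")" ] || return 2
  return 0
}

# Demonstration: the signed server cert passes; a cert checked against itself
# shares its CN with its "CA" and is rejected with status 2.
check_cert "$WORK/cacert.pem" "$WORK/sendmail.pem" && echo "sendmail.pem: chain OK, CNs differ"
check_cert "$WORK/cacert.pem" "$WORK/cacert.pem" || echo "cacert.pem vs itself: rejected (status $?)"
```

To check a real pair from the HOW-TO, call check_cert with /usr/local/ssl/certs/cacert.pem and /usr/local/ssl/certs/sendmail.pem instead of the generated files.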