INSTALL INSTRUCTIONS

This is basically my HOW-TO install sendmail on a RedHat system with POP before SMTP authorization.

These instructions were tested and written using various RedHat 5.X to 7.X servers and these exact instructions were tested on RedHat 7.3. I also have reports that these instructions work fine with RedHat 8.0 and there are some notes on this in the contrib/ directory.

UPDATE: These instructions were updated for sendmail-8.12.4 and RedHat 7.2 on April 27, 2002.
UPDATE: These instructions were updated for sendmail-8.12.4 and a patch for vacation on June 17, 2002.
UPDATE: These instructions were updated for sendmail-8.12.5 and tested with RedHat 7.3 on July 25, 2002.
        NOTE: The patch for the bug in vacation we discovered was incorporated in Sendmail 8.12.5 and is no longer needed.
UPDATE: These instructions were updated for sendmail-8.12.6 and patched with smrsh patch on October 4, 2002
UPDATE: Added Privacy Options and Trusted Parameter for HTTPD to sendmail.mc
UPDATE: sendmail source file has correct MD5 checksum per http://www.cert.org/advisories/CA-2002-28.html. If you used the version we mirror, you do not have the trojan.
UPDATE: sendmail init file on older versions of RedHat (pre-8.0) doesn't have the clientmqueue runner. A modified sendmail-init tested with RH 7.1
UPDATE: Instructions updated for sendmail-8.12.7 and smrsh patch no longer needed.
UPDATE: After years of using Stunnel, I am once again experimenting with the STARTTLS (SSL) support available in sendmail. Many sources were helpful, J. Heiss' in particular: http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml
        After much testing, I have decided that SSL for IMAP and Sendmail still isn't there. I recommend continuing to use stunnel, but adding STARTTLS to port 25 and using the signed certificates is a neat addition to work with.
UPDATE: Sendmail 8.12.8 upgrade to fix root exploit - critical
UPDATE: Sendmail 8.12.9 upgrade to fix critical exploit -- The information for the exploit is in the wild and is public.
UPDATE: Minor documentation updates and added contrib/ directory -- 4-16-03

NOTE FROM SENDMAIL.ORG: 2002-12-30: Note: if you encounter the following error

    *** ERROR: FEATURE() should be before MAILER()

while creating a cf file then please apply this patch to cf/m4/proto.m4 and try again

Patch located at http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/sendmail-source/smrsh-20020924.patch

kevin@mcgrail.com
--

#WGET, UNTAR & INSTALL THE VARIOUS SUPPORT DISTRIBUTIONS

#CREATE A TEMP DIR FOR THE TAR FILES
rm -rf /tmp/20030330SENDMAIL/
mkdir /tmp/20030330SENDMAIL/
cd /tmp/20030330SENDMAIL/

#GET ALL THE FILES
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/sendmail-source/sendmail.8.12.9.tar.gz
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/Linux-OS
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/popauth.m4
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/poprelayd-KAM.pl
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/sendmail.mc
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/openssl.cnf
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/sendmail-ca-ssl.cnf
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/sendmail-ssl.cnf
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/site.config.m4.additions
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/sendmail-source/openssl-0.9.7b.tar.gz

#CLEAR OUT OLD SOURCE
rm -rf /usr/src/sendmail-*
rm -rf /usr/src/openssl-*

# INSTALL OPENSSL FOR STARTTLS (SSL) SUPPORT
#
# UPDATED: 07-25-03 to v0.9.7b for security reasons
# UPDATED: 03-12-03 to v0.9.7a for security reasons
# ADDED: 1-30-03
#
# HOMEPAGE: http://www.openssl.org/
#
# Install openssl v0.9.7b:
cd /usr/src
tar zxvf /tmp/20030330SENDMAIL/openssl-0.9.7b.tar.gz
cd openssl-0.9.7b/
./config shared
make
make test
make install

# Add the following line to /etc/ld.so.conf
#
# /usr/local/ssl/lib
#
vim /etc/ld.so.conf
#
#Update ldconfig
#
ldconfig -v

#UNINSTALL THE DEFAULT SENDMAIL THAT COMES WITH THE OS, BUT SAVE SOME OF THE IMPORTANT FILES:
#The archive is written to the temp dir because the restore step below unpacks it from there.
tar cvfz /tmp/20030330SENDMAIL/sendmail-save.tar.gz /etc/rc.d/init.d/sendmail /etc/sendmail.mc /etc/mail/sendmail.mc /etc/mail/sendmail.cf /etc/sendmail.cf /etc/aliases /etc/mail/ /etc/pam.d/smtp /etc/sysconfig/sendmail /usr/lib/sasl/Sendmail.conf
rpm -e sendmail --nodeps

# INSTALL SENDMAIL USING A FEW PATCHES AND CONFIGURATION FILES:
#
# UPDATED: 1-30-03
#
# HOMEPAGE: http://www.sendmail.org/
#
# Install sendmail v8.12.9
cd /usr/src/
tar zxvf /tmp/20030330SENDMAIL/sendmail.8.12.9.tar.gz
cd sendmail-8.12.9
cp /tmp/20030330SENDMAIL/sendmail.mc cf/cf
cp /tmp/20030330SENDMAIL/popauth.m4 cf/hack

#RH 7.X Change -- This fixes some non standard paths that Redhat uses
#
#You can also fix this at a minimum by doing a ln -s /usr/share/man /usr/man. Thanks to Greg Smith
#for pointing this out.
cp -f /tmp/20030330SENDMAIL/Linux-OS devtools/OS/Linux

#Add an SMMSP User -- Sendmail 8.12.X Change
/usr/sbin/adduser -M -u 102 -s /bin/false smmsp

#Add SSL Support
cat /tmp/20030330SENDMAIL/site.config.m4.additions >> devtools/Site/site.config.m4

sh Build
sh Build install
cd cf/cf
sh Build sendmail.cf

#Install the Configuration files / Make dirs / etc.
sh Build install-cf
mkdir /var/spool/mqueue
chmod 755 /etc/mail /var/spool/mqueue
chown root.mail /var/spool/mqueue
cp sendmail.mc /etc/mail/

#NOTE: Poprelayd-KAM requires DB_File which is an ext module of perl and may need to be manually installed.
# i.e. 'cd /usr/src/perl-5.6.1/ext/DB_File/; perl Makefile.PL; make; make install; cd /etc/mail'
makemap hash /etc/mail/popauth.db < /dev/null
cp /tmp/20030330SENDMAIL/poprelayd-KAM.pl /usr/local/sbin/
chmod +x /usr/local/sbin/poprelayd-KAM.pl

###Add Poprelay Daemon to /etc/rc.d/rc.local (i.e. add a line that says this /usr/local/sbin/poprelayd-KAM.pl -d)

###Run the Poprelay daemon
/usr/local/sbin/poprelayd-KAM.pl -d

#CREATE CERTIFICATES
cd /tmp/20030330SENDMAIL/

#EDIT THE CONFIG
vi sendmail-ca-ssl.cnf

#CREATE THE CERTIFICATE AUTHORITY FILES
/usr/bin/openssl req -new -x509 -keyout /usr/local/ssl/private/cakey.pem -out /usr/local/ssl/certs/cacert.pem -days 3650 -nodes -config sendmail-ca-ssl.cnf
#INTERACTIVE
chmod 400 /usr/local/ssl/private/cakey.pem

#EDIT THE CONFIG -- NOTE: DO NOT USE THE SAME CN FOR BOTH THE CA AND THE CERTIFICATE BELOW
vi sendmail-ssl.cnf

#CREATE THE CERTIFICATE
/usr/local/ssl/bin/openssl req -new -x509 -keyout /usr/local/ssl/private/sendmail.key -out /usr/local/ssl/certs/sendmail.csr -days 3650 -nodes -config sendmail-ssl.cnf
#INTERACTIVE
chmod 400 /usr/local/ssl/private/sendmail.key

#SIGN THE CERTIFICATE WITH THE CA FILE ABOVE
cd /usr/local/ssl
mv openssl.cnf openssl.old
cp /tmp/20030330SENDMAIL/openssl.cnf .
echo "20030330" > serial
touch index.txt
/usr/local/ssl/bin/openssl x509 -x509toreq -in /usr/local/ssl/certs/sendmail.csr -signkey /usr/local/ssl/private/sendmail.key -out /tmp/tmp.pem
/usr/local/ssl/bin/openssl ca -config /usr/local/ssl/openssl.cnf -policy policy_anything -days 3650 -out /usr/local/ssl/certs/sendmail.pem -infiles /tmp/tmp.pem
#INTERACTIVE
rm /tmp/tmp.pem

#STILL BUGGY: #SETUP CERTS FOR REDHAT RPM OF IMAP SERVICES FOR SSL
#STILL BUGGY: cd /usr/share/ssl/certs
#STILL BUGGY: rm -f imapd.pem ipop3d.pem
#STILL BUGGY: ln -s /usr/local/ssl/certs/imapd.pem imapd.pem
#STILL BUGGY: ln -s /usr/local/ssl/certs/imapd.pem ipop3d.pem
#STILL BUGGY:
#STILL BUGGY: #CREATE THE CERTIFICATE
#STILL BUGGY: cd /tmp/20030330SENDMAIL/
#STILL BUGGY: /usr/local/ssl/bin/openssl req -new -x509 -keyout /usr/local/ssl/certs/imapd.csr -out /usr/local/ssl/certs/imapd.csr -days 3650 -nodes -config sendmail-ssl.cnf
#STILL BUGGY: #INTERACTIVE
#STILL BUGGY:
#STILL BUGGY: #SIGN THE CERTIFICATE WITH THE CA FILE ABOVE
#STILL BUGGY: /usr/local/ssl/bin/openssl x509 -x509toreq -signkey /usr/local/ssl/certs/imapd.csr -in /usr/local/ssl/certs/imapd.csr -out /tmp/tmp.pem
#STILL BUGGY:
#STILL BUGGY: /usr/local/ssl/bin/openssl ca -config /usr/local/ssl/openssl.cnf -policy policy_anything -days 3650 -out /usr/local/ssl/certs/imapd.pem -infiles /tmp/tmp.pem
#STILL BUGGY:
#STILL BUGGY: #IMPORTANT: COPY THE PRIVATE KEY FROM IMAPD.CSR TO IMAPD.PEM
#STILL BUGGY:
#STILL BUGGY: #INTERACTIVE
#STILL BUGGY: rm /tmp/tmp.pem
#STILL BUGGY: chmod 400 /usr/local/ssl/certs/imapd.pem /usr/local/ssl/certs/imapd.csr
#WITH THESE INSTRUCTIONS

#Restore Saved files and Move files to proper locations
cd /tmp/20030330SENDMAIL/
tar zxvf sendmail-save.tar.gz
mv /tmp/20030330SENDMAIL/etc/rc.d/init.d/sendmail /etc/rc.d/init.d
cd /etc/rc3.d; ln -s ../init.d/sendmail S80sendmail
cd /etc/rc0.d; ln -s ../init.d/sendmail K30sendmail
mv /tmp/20030330SENDMAIL/etc/aliases /etc/mail/
mv /tmp/20030330SENDMAIL/etc/pam.d/smtp /etc/pam.d/
mv /tmp/20030330SENDMAIL/etc/sysconfig/sendmail /etc/sysconfig/
mv /tmp/20030330SENDMAIL/etc/mail/access /etc/mail
mv /tmp/20030330SENDMAIL/etc/mail/domaintable /etc/mail
mv /tmp/20030330SENDMAIL/etc/mail/local-host-names /etc/mail
mv /tmp/20030330SENDMAIL/etc/mail/mailertable /etc/mail
mv /tmp/20030330SENDMAIL/etc/mail/Makefile /etc/mail
mv /tmp/20030330SENDMAIL/etc/mail/trusted-users /etc/mail
mv /tmp/20030330SENDMAIL/etc/mail/virtusertable /etc/mail
mv /tmp/20030330SENDMAIL/usr/lib/sasl/Sendmail.conf /usr/lib/sasl/

#Recreate db files
/usr/bin/newaliases
cd /etc/mail
make all

#Create smrsh dir and link procmail and vacation
mkdir /usr/adm; mkdir /usr/adm/sm.bin; cd /usr/adm/sm.bin
#OPTIONAL -- The current patch MAY close the procmail security hole in smrsh, but may not:
ln -s /usr/bin/procmail procmail
ln -s /usr/bin/vacation vacation

#START HER UP!
/etc/rc.d/init.d/sendmail start

#GET RID OF THE TEMP DIR FOR THE TAR FILES (OPTIONAL)
rm -rf /tmp/20030330SENDMAIL/
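
The update notes refer to the trojaned sendmail distribution described in CERT CA-2002-28, and the GET ALL THE FILES step fetches every tarball over plain HTTP. As an added example (not part of the original instructions), the function below stops the procedure unless each downloaded file matches a digest manifest obtained separately. The name verify_sources, the manifest format, the MANIFEST file name and the demo files are assumptions of this example.

```shell
#!/bin/sh
# Added example: stop the build unless every downloaded file matches a digest
# manifest obtained separately from the download (hypothetical format:
# "<hex digest>  <filename>" per line, '#' starts a comment).

verify_sources() {
    manifest=$1; dir=$2; hashcmd=${3:-sha256sum}   # pass md5sum for MD5 lists
    rc=0; checked=0
    while read -r want name; do
        case $want in ''|'#'*) continue ;; esac
        checked=$((checked + 1))
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        got=$("$hashcmd" "$dir/$name" | awk '{print $1}')
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2; rc=1
        fi
    done < "$manifest"
    # An empty manifest verifies nothing, so treat it as a failure too.
    [ "$checked" -gt 0 ] || { echo "EMPTY    $manifest" >&2; rc=1; }
    return $rc
}

# In the install script this would sit between the wget block and the first untar:
#   verify_sources MANIFEST /tmp/20030330SENDMAIL md5sum || exit 1

# Constructed demo: stand-in files named like the tarballs in the script.
demo=$(mktemp -d)
printf 'constructed sendmail source\n' > "$demo/sendmail.8.12.9.tar.gz"
printf 'constructed openssl source\n'  > "$demo/openssl-0.9.7b.tar.gz"
( cd "$demo" && md5sum sendmail.8.12.9.tar.gz openssl-0.9.7b.tar.gz > MANIFEST )

verify_sources "$demo/MANIFEST" "$demo" md5sum && echo "digests match"

# A file altered after the manifest was written must stop the procedure.
printf 'altered\n' >> "$demo/sendmail.8.12.9.tar.gz"
verify_sources "$demo/MANIFEST" "$demo" md5sum || echo "STOP: do not untar or build"
rm -rf "$demo"
```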
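
The CREATE CERTIFICATES steps produce a CA, a server key and a certificate signed by that CA, with the warning not to reuse the CA's CN. As an added example (not part of the original instructions), check_cert tests the three properties that procedure is meant to produce before sendmail is pointed at the files. The names check_cert and make_demo_pki and the demo subjects are made up for this example, which assumes an OpenSSL recent enough to provide the pkey command.

```shell
#!/bin/sh
# Added example: checks to run on a freshly signed certificate.
# Return codes: 0 ok, 3 subject clash with CA, 2 key mismatch, 1 chain failure.

check_cert() {
    cert=$1; key=$2; ca=$3
    # The page warns against giving the CA and the certificate the same CN;
    # compare the full subject lines of both files.
    csub=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null)
    asub=$(openssl x509 -in "$ca" -noout -subject 2>/dev/null)
    if [ -z "$csub" ] || [ "$csub" = "$asub" ]; then
        echo "FAIL: subject missing or identical to the CA's" >&2; return 3
    fi
    # The private key must be the one the certificate was issued for.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
        echo "FAIL: $key does not match $cert" >&2; return 2
    fi
    # The certificate must verify against the CA certificate.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca" >&2; return 1
    fi
    echo "OK: $cert"
}

# Constructed throwaway CA and server certificate (subject names are made up).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Demo CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/sendmail.key" -out "$d/sendmail.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/sendmail.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 2 -out "$d/sendmail.pem" 2>/dev/null
}

pki=$(mktemp -d)
make_demo_pki "$pki"
check_cert "$pki/sendmail.pem" "$pki/sendmail.key" "$pki/cacert.pem"
# Wrong key on purpose: the CA key is not the server key, so this reports FAIL.
check_cert "$pki/sendmail.pem" "$pki/cakey.pem" "$pki/cacert.pem" || true
rm -rf "$pki"
```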