# Copyright (c) 2000-2002 Proofpoint, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
# $Id: SECURITY,v 1.52 2013-11-22 20:51:54 ca Exp $
#

This file gives some hints on how to configure and run sendmail for
people who are very security conscious (you should be...).

Even though sendmail goes to great lengths to assure that it
can't be compromised even if the system it is running on is
incorrectly or insecurely configured, it can't work around everything.
This has been demonstrated by recent OS problems which have
subsequently been used to compromise the root account using sendmail
as a vector. One way to minimize the possibility of such problems
is to install sendmail without set-user-ID root, which avoids local
exploits. This configuration, which is the default starting with
8.12, is described in the first section of this security guide.


*****************************************************
** sendmail configuration without set-user-ID root **
*****************************************************

sendmail needs to run as root for several purposes:

- bind to port 25
- call the local delivery agent (LDA) as root (or other user) if the LDA
  isn't set-user-ID root (unless some other method of storing e-mail in
  local mailboxes is used).
- read .forward files
- write e-mail submitted via the command line to the queue directory.

Only the last item requires a set-user-ID/set-group-ID program to
avoid problems with a world-writable directory. It is, however,
sufficient to have a set-group-ID program and a group-writable
queue directory. The other requirements listed above can be
fulfilled by a sendmail daemon that is started by root. Hence this
section explains how to use two sendmail configurations to accomplish
the goal of having a sendmail binary that is not set-user-ID root,
and hence is not open to system configuration/OS problems, or is at
least less problematic in the presence of such problems.

The default configuration starting with sendmail 8.12 uses one
sendmail binary which acts differently based on operation mode and
supplied options.

sendmail must be a set-group-ID (default group: smmsp, recommended
gid: 25) program to allow for queueing mail in a group-writable
directory. Two .cf files are required: sendmail.cf for the daemon
and submit.cf for the submission program. The following permissions
should be used:

-r-xr-sr-x root  smmsp ... /PATH/TO/sendmail
drwxrwx--- smmsp smmsp ... /var/spool/clientmqueue
drwx------ root  wheel ... /var/spool/mqueue
-r--r--r-- root  wheel ... /etc/mail/sendmail.cf
-r--r--r-- root  wheel ... /etc/mail/submit.cf

[Notice: On some OSes "wheel" is not used but "bin" or "root" instead;
however, this is not important here.]
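
A check for the listing above, as an added example that is not part of the sendmail distribution: it parses the ls-style modes given here, stats each path and reports any deviation, in particular a set-user-ID bit on the binary. It assumes sendmail lives in /usr/sbin (substitute your /PATH/TO) and that the user and group names match your OS (see the notice about "wheel").

```python
# Added example, not part of sendmail; /usr/sbin is an assumed /PATH/TO.
import os, pwd, grp, stat
EXPECTED = [                        # path, ls-style mode, owner, group
    ("/usr/sbin/sendmail",      "-r-xr-sr-x", "root",  "smmsp"),
    ("/var/spool/clientmqueue", "drwxrwx---", "smmsp", "smmsp"),
    ("/var/spool/mqueue",       "drwx------", "root",  "wheel"),
    ("/etc/mail/sendmail.cf",   "-r--r--r--", "root",  "wheel"),
    ("/etc/mail/submit.cf",     "-r--r--r--", "root",  "wheel"),
]

def symbolic_to_mode(sym):
    """'-r-xr-sr-x' -> 0o2555, reading s/S and t/T the way ls prints them."""
    if len(sym) != 10: raise ValueError("expected a 10-character mode string")
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    mode = 0
    for i, ch in enumerate(sym[1:]):
        if ch in "rwx":
            mode |= 1 << (8 - i)
        elif ch in "sStT" and i in special:
            mode |= special[i]
            if ch.islower():        # lower case: the x bit is set as well
                mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError("bad character %r at position %d" % (ch, i + 1))
    return mode

def problems(path, sym, want_user, want_group, st_mode, user, group):
    """Findings for one entry, given its actual st_mode, owner and group names."""
    found = []
    want, have = symbolic_to_mode(sym), stat.S_IMODE(st_mode)
    if have != want:
        found.append("%s: mode %04o, expected %04o" % (path, have, want))
    if st_mode & stat.S_ISUID:      # never acceptable in the MSP layout
        found.append("%s: set-user-ID bit is set" % path)
    if (user, group) != (want_user, want_group):
        found.append("%s: owner %s:%s, expected %s:%s" % (path, user, group, want_user, want_group))
    return found

def audit(expected=EXPECTED):
    """Stat every path in the layout; an empty list means it matches the guide."""
    found = []
    for path, sym, want_user, want_group in expected:
        try:
            st = os.stat(path)
        except OSError:
            found.append("%s: missing or unreadable" % path)
            continue
        user, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
        found.extend(problems(path, sym, want_user, want_group, st.st_mode, user, group))
    return found
```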

That is, the owner of sendmail is root, the group is smmsp, and
the binary is set-group-ID. The client mail queue is owned by
smmsp with group smmsp and is group writable. The client mail
queue directory must be writable by smmsp, but it must not be
accessible for others. That is, do not use world read or execute
permissions. In submit.cf the option UseMSP must be set, and
QueueFileMode must be set to 0660. submit.cf is available in
cf/cf/, where it has been built from cf/cf/submit.mc. The file can
be used as-is; if you want to add more options, use cf/cf/submit.mc
as a starting point and read cf/README: MESSAGE SUBMISSION PROGRAM
carefully.

The .cf file is chosen based on the operation mode. For -bm (default),
-bs, and -t it is submit.cf (if it exists); for all others it is
sendmail.cf. This selection can be changed by -Ac or -Am (alternative
.cf file: client or mta).

The daemon must be started by root as usual, e.g.,

/PATH/TO/sendmail -L sm-mta -bd -q1h

(replace /PATH/TO with the right path for your OS, e.g.,
/usr/sbin or /usr/lib).

Notice: if you run sendmail from inetd (which in general is not a
good idea), you must specify -Am in addition to -bs.

Mail will end up in the client queue if the daemon doesn't accept
connections or if an address is temporarily not resolvable.
The latter problem can be minimized by using

	FEATURE(`nocanonify', `canonify_hosts')
	define(`confDIRECT_SUBMISSION_MODIFIERS', `C')

which, however, may have undesired side effects. See cf/README for
a discussion. In general it is necessary to clean the queue either
via a cronjob or by running a daemon, e.g.,

/PATH/TO/sendmail -L sm-msp-queue -Ac -q30m

If the option UseMSP is not set, sendmail will complain during
queue runs about bogus file permissions. If you want a queue runner
for the client queue, you probably have to change OS-specific
scripts to accomplish this (check the man pages of your OS for more
information). You can start this program as root; it will change
its user id to RunAsUser (smmsp by default, recommended uid: 25).
This way smmsp does not need a valid shell.

Summary
-------

This is a brief summary of how the two configuration files are used:

sendmail.cf	For the MTA (mail transmission agent)
		The MTA is started by root as daemon:

		/PATH/TO/sendmail -L sm-mta -bd -q1h

		it accepts SMTP connections (on ports 25 and 587 by default);
		it runs the main queue (/var/spool/mqueue by default).

submit.cf	For the MSP (mail submission program)
		The MSP is used to submit e-mails, hence it is invoked
		by programs (and maybe users); it does not run as an SMTP
		daemon; it uses /var/spool/clientmqueue by default; it
		can be started to run that queue periodically:

		/PATH/TO/sendmail -L sm-msp-queue -Ac -q30m


Hints and Troubleshooting
-------------------------

RunAsUser: FEATURE(`msp') sets the option RunAsUser to smmsp.
This user must have the group smmsp, i.e., the same group as the
clientmqueue directory. If you specify a user whose primary group
is not the same as that of the clientmqueue directory, then you
should explicitly set the group, e.g.,

	FEATURE(`msp')
	define(`confRUN_AS_USER', `mailmsp:smmsp')

STARTTLS: If sendmail is compiled with STARTTLS support on a platform
that does not have HASURANDOMDEV defined, you either need to specify
the RandFile option (as for the MTA), or you have to turn off
STARTTLS in the MSP, e.g.,

	DAEMON_OPTIONS(`Name=NoMTA, Addr=127.0.0.1, M=S')
	FEATURE(`msp')
	CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0, M=S')

The first option is used to turn off STARTTLS when the MSP is
invoked with -bs, as some MUAs do.


What doesn't work anymore
-------------------------

Normal users can't use mailq anymore to see the MTA mail queue.
There are several ways around it, e.g., changing QueueFileMode
or giving users access via a program like sudo.

sendmail -bv may give misleading output for normal users since it
may not be able to access certain files, e.g., .forward files of
other users.


Alternative
-----------

Instead of having one set-group-ID binary, it is possible to use
two with different permissions: one for message submission
(set-group-ID), one acting as daemon etc., which is only executable
by root. In that case it is possible to remove features from
the message submission program to have a smaller binary.
You can use

	sh ./Build install-sm-mta

to install a sendmail program to act as daemon etc. under the name
sm-mta.

Set-User-Id
-----------

If you really have to install sendmail set-user-ID root, first build
the sendmail package normally using

	sh ./Build

Then you can use

	sh ./Build install-set-user-id

to install the package in the old (pre-8.12) way. Make sure that
no submit.cf file is installed. See devtools/README about
confSETUSERID_INSTALL, which you need to define.