Lines Matching +full:group +full:- +full:default
1 # Copyright (c) 2000-2002 Proofpoint, Inc. and its suppliers.
8 # $Id: SECURITY,v 1.52 2013-11-22 20:51:54 ca Exp $
20 sendmail without set-user-ID root, which avoids local exploits.
21 This configuration, which is the default starting with 8.12, is
26 ** sendmail configuration without set-user-ID root **
31 - bind to port 25
32 - call the local delivery agent (LDA) as root (or other user) if the LDA
33 isn't set-user-ID root (unless some other method of storing e-mail in
35 - read .forward files
36 - write e-mail submitted via the command line to the queue directory.
38 Only the last item requires a set-user-ID/set-group-ID program to
39 avoid problems with a world-writable directory. It is however
40 sufficient to have a set-group-ID program and a group-writable
44 the goal to have a sendmail binary that is not set-user-ID root,
48 The default configuration starting with sendmail 8.12 uses one
52 sendmail must be a set-group-ID (default group: smmsp, recommended
53 gid: 25) program to allow for queueing mail in a group-writable
58 -r-xr-sr-x root smmsp ... /PATH/TO/sendmail
59 drwxrwx--- smmsp smmsp ... /var/spool/clientmqueue
60 drwx------ root wheel ... /var/spool/mqueue
61 -r--r--r-- root wheel ... /etc/mail/sendmail.cf
62 -r--r--r-- root wheel ... /etc/mail/submit.cf
67 That is, the owner of sendmail is root, the group is smmsp, and
68 the binary is set-group-ID. The client mail queue is owned by
69 smmsp with group smmsp and is group writable. The client mail
75 be used as-is, if you want to add more options, use cf/cf/submit.mc
79 The .cf file is chosen based on the operation mode. For -bm (default),
80 -bs, and -t it is submit.cf (if it exists) for all others it is
81 sendmail.cf. This selection can be changed by -Ac or -Am (alternative
86 /PATH/TO/sendmail -L sm-mta -bd -q1h
92 good idea), you must specify -Am in addition to -bs.
105 /PATH/TO/sendmail -L sm-msp-queue -Ac -q30m
112 its user id to RunAsUser (smmsp by default, recommended uid: 25).
117 -------
124 /PATH/TO/sendmail -L sm-mta -bd -q1h
126 it accepts SMTP connections (on ports 25 and 587 by default);
127 it runs the main queue (/var/spool/mqueue by default).
130 The MSP is used to submit e-mails, hence it is invoked
132 daemon; it uses /var/spool/clientmqueue by default; it
135 /PATH/TO/sendmail -L sm-msp-queue -Ac -q30m
139 -------------------------
142 This user must have the group smmsp, i.e., the same group as the
143 clientmqueue directory. If you specify a user whose primary group
145 should explicitly set the group, e.g.,
160 invoked with -bs as some MUAs do.
164 -------------------------
170 sendmail -bv may give misleading output for normal users since it
176 -----------
178 Instead of having one set-group-ID binary, it is possible to use
180 (set-group-ID), one acting as daemon etc, which is only executable
185 sh ./Build install-sm-mta
188 sm-mta.
191 Set-User-Id
192 -----------
194 If you really have to install sendmail set-user-ID root, first build
201 sh ./Build install-set-user-id
203 to install the package in the old (pre-8.12) way. Make sure that