                        SENDMAIL RELEASE 8

This directory has the latest sendmail(TM) software from Sendmail, Inc.

Report any bugs to sendmail-bugs@sendmail.ORG

There is a web site at http://WWW.Sendmail.ORG/ -- see that site for
the latest updates.

+--------------+
| INTRODUCTION |
+--------------+

0. The vast majority of queries to <sendmail-questions@sendmail.org>
   are answered in the README files noted below.

1. Read this README file, especially this introduction, and the DIRECTORY
   PERMISSIONS sections.

2. Read the INSTALL file in this directory.

3. Read sendmail/README, especially:
   a. the introduction
   b. the BUILDING SENDMAIL section
   c. the relevant part(s) of the OPERATING SYSTEM AND COMPILE QUIRKS section

   You may also find these useful:

   d. devtools/README
   e. devtools/Site/README
   f. mail.local/README
   g. smrsh/README

4. Read cf/README.

Sendmail is a trademark of Sendmail, Inc.

+-----------------------+
| DIRECTORY PERMISSIONS |
+-----------------------+

Sendmail often gets blamed for many problems that are actually the
result of other problems, such as overly permissive modes on directories.
For this reason, sendmail checks the modes on system directories and
files to determine if they can be trusted.  For sendmail to run without
complaining, you MUST execute the following command:

        chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
        chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue

You will probably have to tweak this for your environment (for example,
some systems put the spool directory into /usr/spool instead of
/var/spool).  If you set the RunAsUser option in your sendmail.cf, the
/var/spool/mqueue directory will have to be owned by the RunAsUser user.
As a general rule, after you have compiled sendmail, run the command

        sendmail -v -bi

to initialize the alias database.
If it gives messages such as

        WARNING: writable directory /etc
        WARNING: writable directory /var/spool/mqueue

then the directories listed have inappropriate write permissions and
should be secured to avoid various possible security attacks.

Beginning with sendmail 8.9, these checks have become more strict to
prevent users from being able to access files they would normally not
be able to read.  In particular, .forward and :include: files in unsafe
directory paths (directory paths which are group or world writable) will
no longer be allowed.  This would mean that if user joe's home directory
was writable by group staff, sendmail would not use his .forward file.
This behavior can be altered, at the expense of system security, by
setting the DontBlameSendmail option.  For example, to allow .forward
files in group writable directories:

        O DontBlameSendmail=forwardfileingroupwritabledirpath

Or to allow them in both group and world writable directories:

        O DontBlameSendmail=forwardfileinunsafedirpath

Items from these unsafe .forward and :include: files will be marked
as unsafe addresses -- the items can not be deliveries to files or
programs.  This behavior can also be altered via DontBlameSendmail:

        O DontBlameSendmail=forwardfileinunsafedirpath,
                forwardfileinunsafedirpathsafe

The first flag allows the .forward file to be read, the second allows
the items in the file to be marked as safe for file and program
delivery.

Other files affected by this strengthened security include class
files (i.e. Fw /etc/mail/local-host-names), persistent host status files,
and the files specified by the ErrorHeader and HelpFile options.  Similar
DontBlameSendmail flags are available for the class, ErrorHeader, and
HelpFile files.

If you have an unsafe configuration of .forward and :include:
files, you can make it safe by finding all such files, and doing
a "chmod go-w $FILE" on each.
Also, do a "chmod go-w $DIR" for
each directory in the file's path.


+-----------------------+
| RELATED DOCUMENTATION |
+-----------------------+

There are other files you should read.  Rooted in this directory are:

  FAQ
        The FAQ (frequently answered questions) is no longer maintained
        with the sendmail release.  It is available at
        http://www.sendmail.org/faq/ .  The file FAQ is a reminder of
        this and a pointer to the web page.
  INSTALL
        Installation instructions for building and installing sendmail.
  KNOWNBUGS
        Known bugs in the current release.
  RELEASE_NOTES
        A detailed description of the changes in each version.  This
        is quite long, but informative.
  sendmail/README
        Details on compiling and installing sendmail.
  cf/README
        Details on configuring sendmail.
  doc/op/op.me
        The sendmail Installation & Operations Guide.  Be warned: if
        you are running this off on SunOS or some other system with an
        old version of -me, you need to add the following macro to the
        macros:

                .de sm
                \s-1\\$1\\s0\\$2
                ..

        This sets a word in a smaller pointsize.


+--------------+
| RELATED RFCS |
+--------------+

There are several related RFCs that you may wish to read -- they are
available via anonymous FTP to several sites.
For a list of the
primary repositories see:

        http://www.isi.edu/in-notes/rfc-retrieval.txt

They are also online at:

        http://www.ietf.org/

They can also be retrieved via electronic mail by sending
email to one of:

        mail-server@nisc.sri.com
                Put "send rfcNNN" in message body
        nis-info@nis.nsf.net
                Put "send RFCnnn.TXT-1" in message body
        sendrfc@jvnc.net
                Put "RFCnnn" as Subject: line

For further instructions see:

        http://www.isi.edu/in-notes/rfc-editor/rfc-info

Important RFCs for electronic mail are:

        RFC821   SMTP protocol
        RFC822   Mail header format
        RFC974   MX routing
        RFC976   UUCP mail format
        RFC1123  Host requirements (modifies 821, 822, and 974)
        RFC1413  Identification server
        RFC1869  SMTP Service Extensions (ESMTP spec)
        RFC1652  SMTP Service Extension for 8bit-MIMEtransport
        RFC1870  SMTP Service Extension for Message Size Declaration
        RFC2045  Multipurpose Internet Mail Extensions (MIME) Part One:
                 Format of Internet Message Bodies
        RFC1344  Implications of MIME for Internet Mail Gateways
        RFC1428  Transition of Internet Mail from Just-Send-8 to
                 8-bit SMTP/MIME
        RFC1891  SMTP Service Extension for Delivery Status Notifications
        RFC1892  Multipart/Report Content Type for the Reporting of
                 Mail System Administrative Messages
        RFC1893  Enhanced Mail System Status Codes
        RFC1894  An Extensible Message Format for Delivery Status
                 Notifications
        RFC1985  SMTP Service Extension for Remote Message Queue Starting
        RFC2033  Local Mail Transfer Protocol (LMTP)
        RFC2034  SMTP Service Extension for Returning Enhanced Error Codes
        RFC2476  Message Submission
        RFC2487  SMTP Service Extension for Secure SMTP over TLS
        RFC2554  SMTP Service Extension for Authentication

Other standards that may be of interest (but which are less directly
relevant to sendmail) are:

        RFC987   Mapping between RFC822 and X.400
        RFC1049  Content-Type header field (extension to RFC822)

Warning to AIX users: this version of sendmail does not implement
MB, MR, or MG DNS resource records, as defined (as experiments) in
RFC1035.


+---------+
| WARNING |
+---------+

Since sendmail 8.11 and later includes hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.

PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
PARTS OF THE WORLD.  SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
AND/OR USE LAWS WHICH APPLY TO YOU.  THE AUTHORS ARE NOT LIABLE FOR
ANY VIOLATIONS YOU MAKE HERE.  SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

If you use OpenSSL then make sure you read their README file which
contains information about patents etc.


+-------------------+
| DATABASE ROUTINES |
+-------------------+

IF YOU WANT TO RUN THE NEW BERKELEY DB SOFTWARE:  **** DO NOT ****
use the version that was on the Net2 tape -- it has a number of
nefarious bugs that were bad enough when I got them; you shouldn't have
to go through the same thing.  Instead, get a new version via the web at
http://www.sleepycat.com/.  This software is highly recommended; it gets
rid of several stupid limits, it's much faster, and the interface is
nicer to animals and plants.
If the Berkeley DB include files
are installed in a location other than those which your compiler searches,
you will need to provide that directory when building:

        Build -I/path/to/include/directory

If you are using Berkeley DB versions 1.85 or 1.86, you are *strongly*
urged to upgrade to DB version 2 or later, available from
http://www.sleepycat.com/.  Berkeley DB versions 1.85 and 1.86 are known to
be broken in various nasty ways (see http://www.sleepycat.com/db.185.html),
and can cause sendmail to dump core.  In addition, the newest versions of
gcc and the Solaris compilers perform optimizations in those versions that
may cause fairly random core dumps.

If you have no choice but to use Berkeley DB 1.85 or 1.86, and you are
using both Berkeley DB and files in the UNIX ndbm format, remove ndbm.h
and ndbm.o from the DB library after building it.  You should also apply
all of the patches for DB 1.85 and 1.86 found at the Sleepycat web site
(see http://www.sleepycat.com/db.185.html), as they fix some of the known
problems.

If you are using a version of Berkeley DB 2 previous to 2.3.15, and you
are using both Berkeley DB and files in the UNIX ndbm format, remove dbm.o
from the DB library after building it.  No other changes are necessary.

If you are using Berkeley DB version 2.3.15 or greater, no changes are
necessary.

The underlying database file formats changed between Berkeley DB versions
1.85 and 1.86, again between DB 1.86 and version 2.0, and finally between
DB 2.X and 3.X.  If you are upgrading from one of those versions, you must
recreate your database file(s).  Do this by rebuilding all maps with
makemap and rebuilding the alias file with newaliases.

+--------------------+
| HOST NAME SERVICES |
+--------------------+

If you are using NIS or /etc/hosts, it is critical that you
list the long (fully qualified) name somewhere (preferably first) in
the /etc/hosts file used to build the NIS database.  For example, the
line should read

        128.32.149.68   mastodon.CS.Berkeley.EDU mastodon

**** NOT ****

        128.32.149.68   mastodon

If you do not include the long name, sendmail will complain loudly
about ``unable to qualify my own domain name (mastodon) -- using
short name'' and conclude that your canonical name is the short
version and use that in messages.  The name "mastodon" doesn't mean
much outside of Berkeley, and so this creates incorrect and unreplyable
messages.


+-------------+
| USE WITH MH |
+-------------+

This version of sendmail notices and reports certain kinds of SMTP
protocol violations that were ignored by older versions.  If you
are running MH you may wish to install the patch in contrib/mh.patch
that will prevent these warning reports.  This patch also works
with the old version of sendmail, so it's safe to go ahead and
install it.


+----------------+
| USE WITH IDENT |
+----------------+

Sendmail 8 supports the IDENT protocol, as defined by RFC 1413.
Note that the RFC states a client should wait at least 30 seconds
for a response.  As of 8.10.0, the default Timeout.ident is 5 seconds
as many sites have adopted the practice of dropping IDENT queries.
This has led to delays processing mail.

No ident server is included with this distribution.
It is available
from:

        ftp://ftp.lysator.liu.se/pub/ident/servers/
        http://sf.www.lysator.liu.se/~pen/pidentd/

+-------------------------+
| INTEROPERATION PROBLEMS |
+-------------------------+

Microsoft Exchange Server 5.0
        We have had a report that ``about 7% of messages from Sendmail
        to Exchange were not being delivered with status messages of
        "connection reset" and "I/O error".''  Upgrading Exchange from
        Version 5.0 to Version 5.5 Service Pack 2 solved this problem.

CommuniGate Pro
        CommuniGate Pro 3.2.4 does not accept the AUTH= -parameter on
        the MAIL FROM command if the client is not authenticated.  Use

                define(`confAUTH_OPTIONS', `A')

        in .mc file if you have compiled sendmail with Cyrus SASL
        and you communicate with CommuniGate Pro servers.

+---------------------+
| DIRECTORY STRUCTURE |
+---------------------+

The structure of this directory tree is:

cf              Source for sendmail configuration files.  These are
                different than what you've seen before.  They are a
                fairly dramatic rewrite, requiring the new sendmail
                (since they use new features).
contrib         Some contributed tools to help with sendmail.  THESE
                ARE NOT SUPPORTED by sendmail -- contact the original
                authors if you have problems.  (This directory is not
                on the 4.4BSD tape.)
devtools        Build environment.  See devtools/README.
doc             Documentation.  If you are getting source, read
                op.me -- it's long, but worth it.
include         Include files used by multiple programs in the distribution.
libsmdb         sendmail database library with support for Berkeley DB 1.X,
                Berkeley DB 2.X, Berkeley DB 3.X, and NDBM.
libsmutil       sendmail utility library with functions used by different
                programs.
mail.local      The source for the local delivery agent used for 4.4BSD.
                THIS IS NOT PART OF SENDMAIL! and may not compile
                everywhere, since it depends on some 4.4-isms.
                Warning: it does mailbox locking differently than other
                systems.
mailstats       Statistics printing program.
makemap         A program that creates the keyed maps used by the $( ... $)
                construct in sendmail.  It is primitive but effective.
                It takes a very simple input format, so you will probably
                expect to preprocess most human-convenient formats
                using sed scripts before this program will like them.
                But it should be functionally complete.
praliases       A program to print the DBM or NEWDB version of the
                aliases file.
rmail           Source for rmail(8).  This is used as a delivery
                agent for UUCP, and could presumably be used by
                other non-socket oriented mailers.  Older versions of
                rmail are probably deficient.  RMAIL IS NOT PART OF
                SENDMAIL!!!  The 4.4BSD source is included for you to
                look at or try to port to your system.  There is no
                guarantee it will even compile on your operating system.
smrsh           The "sendmail restricted shell", which can be used as
                a replacement for /bin/sh in the prog mailer to provide
                increased security control.  NOT PART OF SENDMAIL!
sendmail        Source for the sendmail program itself.
test            Some test scripts (currently only for compilation aids).
vacation        Source for the vacation program.  NOT PART OF SENDMAIL!

$Revision: 8.71.4.8 $, Last updated $Date: 2001/07/31 22:42:46 $
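
The "unsafe directory path" test from the DIRECTORY PERMISSIONS section,
as an added example that is not part of the sendmail distribution: a POSIX
shell script that walks from a .forward file up to / and reports every
component that is group or world writable.  The function names and the
tab-separated report format are assumptions, and it tests only the
group/world write bits the section describes.

```shell
#!/bin/sh
# Added example (not sendmail code): find the group- or world-writable
# components that make a .forward path "unsafe" in the README's sense.

# is_go_writable PATH -> exit 0 if PATH has the group or other write bit set.
# -H makes find examine the target of a symlink rather than the link itself.
is_go_writable() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# unsafe_components FILE -> prints FILE and each ancestor directory up to /
# that is group or world writable, one per line, nearest component first.
unsafe_components() {
    p=$1
    case $p in /*) ;; *) p=$PWD/$p ;; esac    # make relative paths absolute
    while :; do
        if is_go_writable "$p"; then printf '%s\n' "$p"; fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
}

# audit_forward_files HOME... -> for every given home directory that holds a
# .forward file, print "<forward file><TAB><unsafe component>" lines.  Each
# reported component is a candidate for the README's "chmod go-w".
audit_forward_files() {
    for home in "$@"; do
        f=$home/.forward
        [ -f "$f" ] || continue               # no .forward, nothing to audit
        unsafe_components "$f" | while IFS= read -r bad; do
            printf '%s\t%s\n' "$f" "$bad"
        done
    done
}

# Typical use, with the home directories passed on the command line:
#   audit_forward_files /home/joe /home/ann
```

A home directory that is writable by group staff, as in the joe example
above, shows up as one line naming that directory; review each line before
running chmod go-w on it.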