xref: /freebsd/contrib/sendmail/src/SECURITY (revision f0a75d274af375d15b97b830966b99a02b7db911)
1# Copyright (c) 2000-2002 Sendmail, Inc. and its suppliers.
2#	All rights reserved.
3#
4# By using this file, you agree to the terms and conditions set
5# forth in the LICENSE file which can be found at the top level of
6# the sendmail distribution.
7#
8#	$Id: SECURITY,v 1.51 2002/09/23 21:29:18 ca Exp $
9#
10
11This file gives some hints how to configure and run sendmail for
12people who are very security conscious (you should be...).
13
14Even though sendmail goes through great lengths to assure that it
15can't be compromised even if the system it is running on is
16incorrectly or insecurely configured, it can't work around everything.
17This has been demonstrated by recent OS problems which have
18subsequently been used to compromise the root account using sendmail
19as a vector.  One way to minimize the possibility of such problems
20is to install sendmail without set-user-ID root, which avoids local
21exploits.  This configuration, which is the default starting with
228.12, is described in the first section of this security guide.
23
24
25*****************************************************
26** sendmail configuration without set-user-ID root **
27*****************************************************
28
29sendmail needs to run as root for several purposes:
30
31- bind to port 25
32- call the local delivery agent (LDA) as root (or other user) if the LDA
33  isn't set-user-ID root (unless some other method of storing e-mail in
34  local mailboxes is used).
35- read .forward files
36- write e-mail submitted via the command line to the queue directory.
37
38Only the last item requires a set-user-ID/set-group-ID program to
39avoid problems with a world-writable directory.  It is however
40sufficient to have a set-group-ID program and a group-writable
41queue directory.  The other requirements listed above can be
42fulfilled by a sendmail daemon that is started by root.  Hence this
43section explains how to use two sendmail configurations to accomplish
44the goal to have a sendmail binary that is not set-user-ID root,
45and hence is not open to system configuration/OS problems or at
46least less problematic in presence of those.
47
48The default configuration starting with sendmail 8.12 uses one
49sendmail binary which acts differently based on operation mode and
50supplied options.
51
52sendmail must be a set-group-ID (default group: smmsp, recommended
53gid: 25) program to allow for queueing mail in a group-writable
54directory.  Two .cf files are required:  sendmail.cf for the daemon
55and submit.cf for the submission program.  The following permissions
56should be used:
57
58-r-xr-sr-x	root   smmsp	... /PATH/TO/sendmail
59drwxrwx---	smmsp  smmsp	... /var/spool/clientmqueue
60drwx------	root   wheel	... /var/spool/mqueue
61-r--r--r--	root   wheel	... /etc/mail/sendmail.cf
62-r--r--r--	root   wheel	... /etc/mail/submit.cf
63
64[Notice: On some OS "wheel" is not used but "bin" or "root" instead,
65however, this is not important here.]
66
67That is, the owner of sendmail is root, the group is smmsp, and
68the binary is set-group-ID.  The client mail queue is owned by
69smmsp with group smmsp and is group writable.  The client mail
70queue directory must be writable by smmsp, but it must not be
71accessible for others. That is, do not use world read or execute
72permissions.  In submit.cf the option UseMSP must be set, and
73QueueFileMode must be set to 0660.  submit.cf is available in
74cf/cf/, which has been built from cf/cf/submit.mc.  The file can
75be used as-is, if you want to add more options, use cf/cf/submit.mc
76as starting point and read cf/README:  MESSAGE SUBMISSION PROGRAM
77carefully.
78
79The .cf file is chosen based on the operation mode.  For -bm (default),
80-bs, and -t it is submit.cf (if it exists) for all others it is
81sendmail.cf.  This selection can be changed by -Ac or -Am (alternative
82.cf file: client or mta).
83
84The daemon must be started by root as usual, e.g.,
85
86/PATH/TO/sendmail -L sm-mta -bd -q1h
87
88(replace /PATH/TO with the right path for your OS, e.g.,
89/usr/sbin or /usr/lib).
90
91Notice: if you run sendmail from inetd (which in general is not a
92good idea), you must specify -Am in addition to -bs.
93
94Mail will end up in the client queue if the daemon doesn't accept
95connections or if an address is temporarily not resolvable.  The
96latter problem can be minimized by using
97
98	FEATURE(`nocanonify', `canonify_hosts')
99	define(`confDIRECT_SUBMISSION_MODIFIERS', `C')
100
101which, however, may have undesired side effects.  See cf/README for
102a discussion.  In general it is necessary to clean the queue either
103via a cronjob or by running a daemon, e.g.,
104
105/PATH/TO/sendmail -L sm-msp-queue -Ac -q30m
106
107If the option UseMSP is not set, sendmail will complain during
108queue runs about bogus file permission.  If you want a queue runner
109for the client queue, you probably have to change OS specific
110scripts to accomplish this (check the man pages of your OS for more
111information.)  You can start this program as root, it will change
112its user id to RunAsUser (smmsp by default, recommended uid: 25).
113This way smmsp does not need a valid shell.
114
115Summary
116-------
117
118This is a brief summary how the two configuration files are used:
119
120sendmail.cf	For the MTA (mail transmission agent)
121	The MTA is started by root as daemon:
122
123		/PATH/TO/sendmail -L sm-mta -bd -q1h
124
125	it accepts SMTP connections (on ports 25 and 587 by default);
126	it runs the main queue (/var/spool/mqueue by default).
127
128submit.cf	For the MSP (mail submission program)
129	The MSP is used to submit e-mails, hence it is invoked
130	by programs (and maybe users); it does not run as SMTP
131	daemon; it uses /var/spool/clientmqueue by default; it
132	can be started to run that queue periodically:
133
134		/PATH/TO/sendmail -L sm-msp-queue -Ac -q30m
135
136
137Hints and Troubleshooting
138-------------------------
139
140RunAsUser: FEATURE(`msp') sets the option RunAsUser to smmsp.
141This user must have the group smmsp, i.e., the same group as the
142clientmqueue directory.  If you specify a user whose primary group
143is not the same as that of the clientmqueue directory, then you
144should explicitly set the group, e.g.,
145
146	FEATURE(`msp')
147	define(`confRUN_AS_USER', `mailmsp:smmsp')
148
149STARTTLS: If sendmail is compiled with STARTTLS support on a platform
150that does not have HASURANDOMDEV defined, you either need to specify
151the RandFile option (as for the MTA), or you have to turn off
152STARTTLS in the MSP, e.g.,
153
154	DAEMON_OPTIONS(`Name=NoMTA, Addr=127.0.0.1, M=S')
155	FEATURE(`msp')
156	CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0, M=S')
157
158The first option is used to turn off STARTTLS when the MSP is
159invoked with -bs as some MUAs do.
160
161
162What doesn't work anymore
163-------------------------
164
165Normal users can't use mailq anymore to see the MTA mail queue.
166There are several ways around it, e.g., changing QueueFileMode
167or giving users access via a program like sudo.
168
169sendmail -bv may give misleading output for normal users since it
170may not be able to access certain files, e.g., .forward files of
171other users.
172
173
174Alternative
175-----------
176
177Instead of having one set-group-ID binary, it is possible to use
178two with different permissions: one for message submission
179(set-group-ID), one acting as daemon etc, which is only executable
180by root.  In that case it is possible to remove features from
181the message submission program to have a smaller binary.
182You can use
183
184	sh ./Build install-sm-mta
185
186to install a sendmail program to act as daemon etc under the name
187sm-mta.
188
189Set-User-Id
190-----------
191
192If you really have to install sendmail set-user-ID root, first build
193the sendmail package normally using
194
195	sh ./Build
196
197Then you can use
198
199	sh ./Build install-set-user-id
200
201to install the package in the old (pre-8.12) way.  Make sure that
202no submit.cf file is installed.  See devtools/README about
203confSETUSERID_INSTALL which you need to define.
204