# Copyright (c) 2000-2002 Sendmail, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
# $Id: SECURITY,v 1.51 2002/09/23 21:29:18 ca Exp $
#

This file gives some hints on how to configure and run sendmail for
people who are very security conscious (you should be...).

Even though sendmail goes to great lengths to ensure that it
can't be compromised even if the system it is running on is
incorrectly or insecurely configured, it can't work around everything.
This has been demonstrated by recent OS problems which have
subsequently been used to compromise the root account using sendmail
as a vector. One way to minimize the possibility of such problems
is to install sendmail without set-user-ID root, which avoids local
exploits. This configuration, which is the default starting with
8.12, is described in the first section of this security guide.


*****************************************************
** sendmail configuration without set-user-ID root **
*****************************************************

sendmail needs to run as root for several purposes:

- bind to port 25
- call the local delivery agent (LDA) as root (or other user) if the LDA
  isn't set-user-ID root (unless some other method of storing e-mail in
  local mailboxes is used).
- read .forward files
- write e-mail submitted via the command line to the queue directory.

Only the last item requires a set-user-ID/set-group-ID program to
avoid problems with a world-writable directory. It is however
sufficient to have a set-group-ID program and a group-writable
queue directory. The other requirements listed above can be
fulfilled by a sendmail daemon that is started by root.
Hence this
section explains how to use two sendmail configurations to accomplish
the goal of having a sendmail binary that is not set-user-ID root,
and hence is not open to system configuration/OS problems, or at
least is less problematic in the presence of those.

The default configuration starting with sendmail 8.12 uses one
sendmail binary which acts differently based on operation mode and
supplied options.

sendmail must be a set-group-ID (default group: smmsp, recommended
gid: 25) program to allow for queueing mail in a group-writable
directory. Two .cf files are required: sendmail.cf for the daemon
and submit.cf for the submission program. The following permissions
should be used:

-r-xr-sr-x root  smmsp ... /PATH/TO/sendmail
drwxrwx--- smmsp smmsp ... /var/spool/clientmqueue
drwx------ root  wheel ... /var/spool/mqueue
-r--r--r-- root  wheel ... /etc/mail/sendmail.cf
-r--r--r-- root  wheel ... /etc/mail/submit.cf

[Notice: On some OS "wheel" is not used but "bin" or "root" instead,
however, this is not important here.]

That is, the owner of sendmail is root, the group is smmsp, and
the binary is set-group-ID. The client mail queue is owned by
smmsp with group smmsp and is group writable. The client mail
queue directory must be writable by smmsp, but it must not be
accessible for others. That is, do not use world read or execute
permissions. In submit.cf the option UseMSP must be set, and
QueueFileMode must be set to 0660. submit.cf is available in
cf/cf/, which has been built from cf/cf/submit.mc. The file can
be used as-is; if you want to add more options, use cf/cf/submit.mc
as a starting point and read cf/README: MESSAGE SUBMISSION PROGRAM
carefully.

The .cf file is chosen based on the operation mode. For -bm (default),
-bs, and -t it is submit.cf (if it exists); for all others it is
sendmail.cf. This selection can be changed by -Ac or -Am (alternative
.cf file: client or mta).
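The permission table above is the kind of thing that silently drifts after a package upgrade or a careless chmod, so a periodic check is worth having. The following POSIX sh script is an added example and is not part of the sendmail distribution: check_perm compares the mode string, owner and group that `ls -ld` prints for one object with the expected values, and audit_sendmail_layout runs it over the five objects from the table. The default binary path /usr/sbin/sendmail and the SENDMAIL_BIN and ROOT_GROUP environment overrides are assumptions for illustration; adjust them to your OS ("wheel" may be "bin" or "root", as noted above).

```sh
#!/bin/sh
# Added example, not part of the sendmail distribution: audit the
# ownership/permission layout of the set-group-ID sendmail setup.

# check_perm PATH MODE OWNER GROUP
# MODE is the ten-character string as ls prints it (e.g. drwxrwx---).
# Returns 0 on a match, 1 on a mismatch or a missing object.
check_perm() {
    _path=$1 _want_mode=$2 _want_owner=$3 _want_group=$4
    if [ ! -e "$_path" ]; then
        echo "MISSING  $_path"
        return 1
    fi
    # Split "mode links owner group ..." into positional parameters.
    set -- $(ls -ld "$_path")
    _got_mode=${1%[+@.]}        # drop ACL ('+'), xattr ('@') or SELinux ('.') marker
    _got_owner=$3 _got_group=$4
    if [ "$_got_mode" = "$_want_mode" ] && [ "$_got_owner" = "$_want_owner" ] \
        && [ "$_got_group" = "$_want_group" ]; then
        echo "OK       $_path"
        return 0
    fi
    echo "MISMATCH $_path: have $_got_mode $_got_owner $_got_group," \
         "want $_want_mode $_want_owner $_want_group"
    return 1
}

# Check the five objects from the permission table; the return value
# is the number of objects that do not match (0 means all is well).
audit_sendmail_layout() {
    bin=${SENDMAIL_BIN:-/usr/sbin/sendmail}   # assumed default; set SENDMAIL_BIN for /usr/lib etc.
    rgrp=${ROOT_GROUP:-wheel}                 # assumed override: "bin" or "root" on some OS
    bad=0
    check_perm "$bin"                   -r-xr-sr-x root  smmsp   || bad=$((bad + 1))
    check_perm /var/spool/clientmqueue  drwxrwx--- smmsp smmsp   || bad=$((bad + 1))
    check_perm /var/spool/mqueue        drwx------ root  "$rgrp" || bad=$((bad + 1))
    check_perm /etc/mail/sendmail.cf    -r--r--r-- root  "$rgrp" || bad=$((bad + 1))
    check_perm /etc/mail/submit.cf      -r--r--r-- root  "$rgrp" || bad=$((bad + 1))
    return $bad
}

# Usage: sh sendmail-perms.sh audit   (exit status = number of mismatches)
case "${1:-}" in
    audit) audit_sendmail_layout ;;
esac
```

The check deliberately compares the full mode string rather than "is it writable", so a clientmqueue directory that has picked up world read or execute bits is reported even though the MSP would still work; the text above asks for exactly that restriction.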

The daemon must be started by root as usual, e.g.,

/PATH/TO/sendmail -L sm-mta -bd -q1h

(replace /PATH/TO with the right path for your OS, e.g.,
/usr/sbin or /usr/lib).

Notice: if you run sendmail from inetd (which in general is not a
good idea), you must specify -Am in addition to -bs.

Mail will end up in the client queue if the daemon doesn't accept
connections or if an address is temporarily not resolvable. The
latter problem can be minimized by using

    FEATURE(`nocanonify', `canonify_hosts')
    define(`confDIRECT_SUBMISSION_MODIFIERS', `C')

which, however, may have undesired side effects. See cf/README for
a discussion. In general it is necessary to clean the queue either
via a cronjob or by running a daemon, e.g.,

/PATH/TO/sendmail -L sm-msp-queue -Ac -q30m

If the option UseMSP is not set, sendmail will complain during
queue runs about bogus file permissions. If you want a queue runner
for the client queue, you probably have to change OS-specific
scripts to accomplish this (check the man pages of your OS for more
information). You can start this program as root; it will change
its user id to RunAsUser (smmsp by default, recommended uid: 25).
This way smmsp does not need a valid shell.

Summary
-------

This is a brief summary of how the two configuration files are used:

sendmail.cf     For the MTA (mail transmission agent)
                The MTA is started by root as daemon:

                /PATH/TO/sendmail -L sm-mta -bd -q1h

                it accepts SMTP connections (on ports 25 and 587 by default);
                it runs the main queue (/var/spool/mqueue by default).

submit.cf       For the MSP (mail submission program)
                The MSP is used to submit e-mails, hence it is invoked
                by programs (and maybe users); it does not run as an SMTP
                daemon; it uses /var/spool/clientmqueue by default; it
                can be started to run that queue periodically:

                /PATH/TO/sendmail -L sm-msp-queue -Ac -q30m


Hints and Troubleshooting
-------------------------

RunAsUser: FEATURE(`msp') sets the option RunAsUser to smmsp.
This user must have the group smmsp, i.e., the same group as the
clientmqueue directory. If you specify a user whose primary group
is not the same as that of the clientmqueue directory, then you
should explicitly set the group, e.g.,

    FEATURE(`msp')
    define(`confRUN_AS_USER', `mailmsp:smmsp')

STARTTLS: If sendmail is compiled with STARTTLS support on a platform
that does not have HASURANDOMDEV defined, you either need to specify
the RandFile option (as for the MTA), or you have to turn off
STARTTLS in the MSP, e.g.,

    DAEMON_OPTIONS(`Name=NoMTA, Addr=127.0.0.1, M=S')
    FEATURE(`msp')
    CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0, M=S')

The first option is used to turn off STARTTLS when the MSP is
invoked with -bs, as some MUAs do.


What doesn't work anymore
-------------------------

Normal users can't use mailq anymore to see the MTA mail queue.
There are several ways around it, e.g., changing QueueFileMode
or giving users access via a program like sudo.

sendmail -bv may give misleading output for normal users since it
may not be able to access certain files, e.g., .forward files of
other users.


Alternative
-----------

Instead of having one set-group-ID binary, it is possible to use
two with different permissions: one for message submission
(set-group-ID), one acting as daemon, etc., which is only executable
by root.
In that case it is possible to remove features from
the message submission program to have a smaller binary.
You can use

    sh ./Build install-sm-mta

to install a sendmail program to act as daemon etc under the name
sm-mta.

Set-User-Id
-----------

If you really have to install sendmail set-user-ID root, first build
the sendmail package normally using

    sh ./Build

Then you can use

    sh ./Build install-set-user-id

to install the package in the old (pre-8.12) way. Make sure that
no submit.cf file is installed. See devtools/README about
confSETUSERID_INSTALL which you need to define.
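The RunAsUser hint under "Hints and Troubleshooting" above states a requirement that is easy to break when a site picks its own user (e.g. mailmsp:smmsp): the MSP's RunAsUser must belong to the group that owns the clientmqueue directory, since that directory is group-writable only. The following POSIX sh function is an added example, not part of the sendmail distribution; it takes a RunAsUser value exactly as written in confRUN_AS_USER (with or without a ":group" part) and the queue directory, and reports whether the user's groups include the directory's group. The script name runas-check.sh is an assumption for the usage line.

```sh
#!/bin/sh
# Added example, not part of the sendmail distribution: verify that the
# RunAsUser of the MSP can write the group-writable clientmqueue directory.

# check_runas_group RUNASUSER DIR
# RUNASUSER may be "user" or "user:group" as in confRUN_AS_USER; only the
# user part matters here, because group membership is what grants write
# access to DIR. Returns 0 if the user is in DIR's group, 1 if not,
# 2 if the user or the directory does not exist.
check_runas_group() {
    user=${1%%:*}                          # strip an explicit ":group" part
    dir=$2
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir"
        return 2
    fi
    # Field 4 of "ls -ld" is the owning group of the directory.
    set -- $(ls -ld "$dir")
    dir_group=$4
    # All groups (primary and supplementary) of the user, by name.
    user_groups=$(id -Gn "$user" 2>/dev/null)
    if [ -z "$user_groups" ]; then
        echo "no such user: $user"
        return 2
    fi
    for g in $user_groups; do
        if [ "$g" = "$dir_group" ]; then
            echo "OK: $user is in group $dir_group, which owns $dir"
            return 0
        fi
    done
    echo "MISMATCH: $user is not in group $dir_group (owner of $dir);" \
         "set confRUN_AS_USER to \`$user:$dir_group' or fix the directory group"
    return 1
}

# Usage: sh runas-check.sh smmsp /var/spool/clientmqueue
#        sh runas-check.sh mailmsp:smmsp /var/spool/clientmqueue
if [ $# -eq 2 ]; then
    check_runas_group "$1" "$2"
fi
```

A mismatch here shows up in practice as queue files that cannot be created when the MSP drops privileges, so this check is a cheap thing to run after creating the smmsp (or custom) account and before the first submission.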