I upgraded sendmail on a Solaris 7 server to version 8.14.3.
I checked the existing version of sendmail on the system.
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.example.com ESMTP Sendmail 8.13.6/8.13.6; Sun, 28 Jun 2009 13:27:48 -0400 (EDT)
quit
221 2.0.0 mail.example.com closing connection
Connection closed by foreign host.
You can also check the version of sendmail with sendmail -d0.1 -bt < /dev/null.
# /usr/lib/sendmail -d0.1 -bt < /dev/null
Version 8.13.6
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NDBM NETINET NETUNIX NIS NISPLUS PIPELINING SCANF XDEBUG
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = mail
(canonical domain name) $j = mail.example.com
(subdomain name) $m = example.com
(node name) $k = mail
========================================================
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> #
I downloaded ftp://ftp.sendmail.org/pub/sendmail/sendmail-current.tar.gz. I then unzipped and untarred the file I downloaded.
# gunzip sendmail-current.tar.gz
# tar -xvf sendmail-current.tar.gz
The README file stated the following:
Sendmail often gets blamed for many problems that are actually the result of other problems, such as overly permissive modes on directories. For this reason, sendmail checks the modes on system directories and files to determine if they can be trusted. For sendmail to run without complaining, you MUST execute the following command:
chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
So I checked the permissions on those directories.
# ls -ld / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
drwxr-xr-x 36 root root 1536 Jun 23 15:59 /
drwxr-xr-x 35 root sys 4096 Jun 24 13:11 /etc
drwxr-xr-x 2 root mail 1024 Jun 23 09:44 /etc/mail
drwxrwxr-x 32 root sys 1024 May 3 2005 /usr
drwxr-xr-x 28 root sys 512 Apr 26 2005 /var
drwxr-xr-x 15 root bin 512 Mar 26 15:26 /var/spool
drwxr-x--- 2 root bin 3072 Jun 23 16:21 /var/spool/mqueue
The root account was already the owner for all of the directories, so there was no need to issue the chown root command for those directories. The README file indicated that group and others shouldn't have write permission on any of the directories. The sys group did have write permission on the /usr directory. I decided to leave the permissions as they were on that directory.
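The README's two requirements, no group or other write permission and ownership by root, can be checked with a short script. This is an added example, not part of the original post or the sendmail distribution; the function names check_dir and audit_dirs are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post or the sendmail distribution).
# Audits directories for the two conditions the sendmail README names:
# no group/other write permission, and ownership by a trusted account.

# check_dir DIR [OWNER]: print one finding per problem; return 1 if any.
check_dir() {
    dir=$1
    want_owner=${2:-root}
    # ls -ld is used instead of stat(1), which older systems lack.
    line=$(ls -ld "$dir" 2>/dev/null) || { echo "MISSING   $dir"; return 1; }
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    bad=0
    # In a mode string such as drwxrwxr-x, character 6 is the group write
    # bit and character 9 is the other write bit.
    if [ "$(printf '%s\n' "$mode" | cut -c6)" = "w" ]; then
        echo "GROUP-W   $dir ($mode)"; bad=1
    fi
    if [ "$(printf '%s\n' "$mode" | cut -c9)" = "w" ]; then
        echo "OTHER-W   $dir ($mode)"; bad=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER     $dir (owner $owner, expected $want_owner)"; bad=1
    fi
    return $bad
}

# audit_dirs OWNER DIR...: check every directory; return 1 if any failed.
audit_dirs() {
    want=$1; shift
    failed=0
    for d in "$@"; do
        check_dir "$d" "$want" || failed=1
    done
    return $failed
}

# The directory list from the README quoted above.
audit_dirs root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue \
    || echo "one or more directories need attention"
```

Against the listing shown above, this would report /usr as group-writable and pass the other six directories.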
I made backup copies of the existing /etc/mail/sendmail.cf and /etc/mail/sendmail.mc files and then, as an extra precautionary measure, backed up everything in /etc/mail.
# cp -p /etc/mail/sendmail.cf /home/jsmith/sysinfo/sendmail.cf.062809
# cp -p /etc/mail/sendmail.mc /home/jsmith/sysinfo/sendmail.mc.062809
# tar -cvf /home/jsmith/sysinfo/etc-mail.tar /etc/mail
# gzip /home/jsmith/sysinfo/etc-mail.tar
The INSTALL file stated the following:
Please read sendmail/SECURITY before continuing; you have to create a new user smmsp and a new group smmsp for the default installation. Then install the sendmail binary built in step 3 by cd-ing back to sendmail/ and running "sh ./Build install".
The smmsp account and group already existed on the system.
# grep smmsp /etc/passwd
smmsp:x:1025:25:Sendmail:/home/smmsp:/bin/false
# grep smmsp /etc/group
smmsp::25:
I then executed the sh ./Build command from the directory where I had untarred the sendmail-current.tar file. After that process was completed, I ran sh ./Build install from the same directory.
At the end of the build install process, I saw the following:
../../devtools/bin/install.sh -c -o bin -g bin -m 555 smrsh /usr/lib
../../devtools/bin/install.sh -c -o bin -g bin -m 444 smrsh.0 /usr/share/man/cat8/smrsh.8
cp: cannot create /usr/share/man/cat8/smrsh.8: No such file or directory
make[1]: *** [install-docs] Error 1
make[1]: Leaving directory `/home/jsmith/sendmail-8.14.3/obj.SunOS.5.7.sun4/smrsh'
Making all in: /home/jsmith/sendmail-8.14.3/vacation
Configuration: pfx=, os=SunOS, rel=5.7, rbase=5, rroot=5.7, arch=sun4, sfx=, variant=optimized
Making in /home/jsmith/sendmail-8.14.3/obj.SunOS.5.7.sun4/vacation
make[1]: Entering directory `/home/jsmith/sendmail-8.14.3/obj.SunOS.5.7.sun4/vacation'
../../devtools/bin/install.sh -c -o bin -g bin -m 555 vacation /usr/bin
../../devtools/bin/install.sh -c -o bin -g bin -m 444 vacation.0 /usr/share/man/cat1/vacation.1
cp: cannot create /usr/share/man/cat1/vacation.1: No such file or directory
make[1]: *** [install-docs] Error 1
make[1]: Leaving directory `/home/jsmith/sendmail-8.14.3/obj.SunOS.5.7.sun4/vacation'
make: *** [all] Error 2
#
When I attempted to check the version of sendmail, I saw the following:
# telnet 127.0.0.1 25
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
I was able to start sendmail successfully afterwards, though, and /usr/lib/sendmail -d0.1 -bt < /dev/null showed the version number for sendmail to be 8.14.3.
# /etc/init.d/sendmail start
# /usr/lib/sendmail -d0.1 -bt < /dev/null
Version 8.14.3
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NDBM NETINET NETUNIX NIS NISPLUS PIPELINING SCANF XDEBUG
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = mail
(canonical domain name) $j = mail.example.com
(subdomain name) $m = example.com
(node name) $k = mail
========================================================
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> #
However, when I used telnet to connect to the SMTP port and check the version number, I saw two versions listed: 8.14.3/8.13.6.
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.example.com ESMTP Sendmail 8.14.3/8.13.6; Sun, 28 Jun 2009 14:10:29 -0400 (EDT)
quit
221 2.0.0 mail.example.com closing connection
Connection closed by foreign host.
I realized that was because I had kept the existing /etc/mail/sendmail.cf file rather than using one for the new version of sendmail. I had skipped the steps listed below, which were in the INSTALL file.
4. Change to the cf/cf/ directory (that's not a typo): Copy whichever .mc file best matches your environment to sendmail.mc. Next, tailor it as explained in cf/README. Then run "sh ./Build sendmail.cf".
5. Back up your current /etc/mail/sendmail.cf and the sendmail binary (whose location varies from operating system to operating system, but is usually in /usr/sbin or /usr/lib).
6. Install sendmail.cf as /etc/mail/sendmail.cf and submit.cf as /etc/mail/submit.cf. This can be done in the cf/cf by using "sh ./Build install-cf".
The sendmail.cf file is generated from a sendmail.mc file, so I checked the contents of the sendmail.mc on the system. I found it was created from an even earlier version of sendmail than the one that was running on the system when I started the upgrade to version 8.14.3.
# cat /etc/mail/sendmail.mc
divert(0)dnl
VERSIONID(`$Id: sendmail.mc,v 8.12.9 10/20/2005 20:49 jim Exp $')dnl
OSTYPE(solaris2)dnl
DOMAIN(generic)dnl
FEATURE(`relay_hosts_only')dnl
define(`confPRIVACY_FLAGS',`authwarnings,noexpn,novrfy')dnl
MAILER(local)dnl
MAILER(smtp)dnl
So I changed the working directory to the cf/cf directory beneath the directory where I had untarred the new version of sendmail and checked the .mc files there for the one that would be appropriate to the operating system version on this server.
# pwd
/home/jsmith/sendmail-8.14.3/cf/cf
# ls
Build              generic-hpux9.cf        huginn.cs.mc
Makefile           generic-hpux9.mc        knecht.mc
README             generic-linux.cf        mail.cs.mc
chez.cs.mc         generic-linux.mc        mail.eecs.mc
clientproto.mc     generic-mpeix.cf        mailspool.cs.mc
cs-hpux10.mc       generic-mpeix.mc        python.cs.mc
cs-hpux9.mc        generic-nextstep3.3.cf  s2k-osf1.mc
cs-osf1.mc         generic-nextstep3.3.mc  s2k-ultrix4.mc
cs-solaris2.mc     generic-osf1.cf         submit.cf
cs-sunos4.1.mc     generic-osf1.mc         submit.mc
cs-ultrix4.mc      generic-solaris.cf      tcpproto.mc
cyrusproto.mc      generic-solaris.mc      ucbarpa.mc
generic-bsd4.4.cf  generic-sunos4.1.cf     ucbvax.mc
generic-bsd4.4.mc  generic-sunos4.1.mc     uucpproto.mc
generic-hpux10.cf  generic-ultrix4.cf      vangogh.cs.mc
generic-hpux10.mc  generic-ultrix4.mc
The generic-solaris.mc one seemed the most appropriate for the server, since it is running Solaris 7. I checked the contents of the generic-solaris.mc file. It contained the following lines:
divert(0)dnl
VERSIONID(`$Id: generic-solaris.mc,v 8.13 2001/06/27 21:46:30 gshapiro Exp $')
OSTYPE(solaris2)dnl
DOMAIN(generic)dnl
MAILER(local)dnl
MAILER(smtp)dnl
I decided to use the m4 command to create a new version of /etc/mail/sendmail.cf from it, but I saw an error message afterwards when I tried restarting sendmail.
# m4 generic-solaris.mc > /etc/mail/sendmail.cf
# /etc/init.d/sendmail restart
Usage: /etc/init.d/sendmail { start | stop }
# /etc/init.d/sendmail stop
# /etc/init.d/sendmail start
554 5.0.0 /etc/mail/sendmail.cf: line 1: invalid argument to V line: "ERSIONID(Id: generi"
554 5.0.0 No local mailer defined
554 5.0.0 QueueDirectory (Q) option must be set
So I decided to follow the steps in the INSTALL file, instead.
# cp generic-solaris.mc sendmail.mc
# sh ./Build sendmail.cf
Using M4=/usr/ccs/bin/m4
rm -f sendmail.cf
/usr/ccs/bin/m4 ../m4/cf.m4 sendmail.mc > sendmail.cf || ( rm -f sendmail.cf && exit 1 )
echo "### sendmail.mc ###" >>sendmail.cf
sed -e 's/^/# /' sendmail.mc >>sendmail.cf
chmod 444 sendmail.cf
# sh ./Build install-cf
Using M4=/usr/ccs/bin/m4
../../devtools/bin/install.sh -c -o root -g bin -m 0444 sendmail.cf /etc/mail/sendmail.cf
../../devtools/bin/install.sh -c -o root -g bin -m 0444 submit.cf /etc/mail/submit.cf
# /etc/init.d/sendmail stop
# /etc/init.d/sendmail start
#
When I then checked the sendmail version information, I saw only 8.14.3 listed.
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.example.com ESMTP Sendmail 8.14.3/8.14.3; Sun, 28 Jun 2009 15:11:45 -0400 (EDT)
# /usr/lib/sendmail -d0.1 -bt < /dev/null
Version 8.14.3
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NDBM NETINET NETUNIX NIS NISPLUS PIPELINING SCANF XDEBUG
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = mail
(canonical domain name) $j = mail.example.com
(subdomain name) $m = example.com
(node name) $k = mail
========================================================
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> #
I then checked to make sure that sendmail was listening on all interfaces, since the system has multiple network interfaces. It was listening on all interfaces.
# netstat -a | grep smtp
*.smtp *.* 0 0 0 0 LISTEN
localhost.smtp localhost.36959 32768 0 32768 0 TIME_WAIT
I then realized I hadn't disabled the vrfy and expn commands, which I had previously disabled as a security measure.
220 mail.example.com ESMTP Sendmail 8.14.3/8.14.3; Sun, 28 Jun 2009 15:44:37 -0400 (EDT)
help
214-2.0.0 This is sendmail version 8.14.3
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
vrfy jsmith
250 2.1.5 John Smith <jsmith@mail.example.com>
The following lines had been in the previous sendmail.mc file, but I hadn't included them in the new one.
FEATURE(`relay_hosts_only')dnl
define(`confPRIVACY_FLAGS',`authwarnings,noexpn,novrfy')dnl
The FEATURE(`relay_hosts_only')dnl line allowed some relaying through the server. Domains from which you are willing to allow relaying can be placed in the file /etc/mail/relay-domains. Email from anything listed in this file will be accepted for relaying. But by using FEATURE(`relay_hosts_only'), only specific hosts will be allowed to relay. Since I no longer want any system to be able to relay mail through the server, I don't need that line now.
But I do need define(`confPRIVACY_FLAGS',`authwarnings,noexpn,novrfy') in sendmail.mc, since I want to disable the use of the expn and vrfy commands, which can be used by spammers to verify email addresses on the system. So I copied cf/cf/generic-solaris.mc to sendmail.mc again.
Then I added the line to the bottom of sendmail.mc, so it now contained the following lines:
divert(0)dnl
VERSIONID(`$Id: generic-solaris.mc,v 8.13 2001/06/27 21:46:30 gshapiro Exp $')
OSTYPE(solaris2)dnl
DOMAIN(generic)dnl
MAILER(local)dnl
MAILER(smtp)dnl
define(`confPRIVACY_FLAGS',`authwarnings,noexpn,novrfy')dnl
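A check that could be run on sendmail.mc before building sendmail.cf from it, to catch the dropped confPRIVACY_FLAGS line described above. It is an added example, not part of the original post or the sendmail distribution; the function names and the trimmed sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post or the sendmail distribution).
# Note: sendmail's shorthand flag "goaway" also implies noexpn and novrfy;
# it is not expanded here.

# mc_privacy_flags FILE: print the flags from an active (not dnl-commented)
# define of confPRIVACY_FLAGS, one per line.
mc_privacy_flags() {
    # FS is the pair of m4 quote characters: backtick (\140), apostrophe (\047)
    awk 'BEGIN { FS = "[\140\047]" }
         $1 == "define(" && $2 == "confPRIVACY_FLAGS" {
             n = split($4, f, ",")
             for (i = 1; i <= n; i++) { gsub(/^ +| +$/, "", f[i]); print f[i] }
         }' "$1"
}

# missing_privacy_flags FILE FLAG...: print each required flag FILE lacks;
# return 1 if any is missing.
missing_privacy_flags() {
    mc=$1; shift
    have=$(mc_privacy_flags "$mc")
    rc=0
    for flag in "$@"; do
        if ! printf '%s\n' "$have" | grep -Fqx "$flag"; then
            echo "$flag"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: trimmed copies of the old and new .mc files in the post.
tmp=${TMPDIR:-/tmp}/mc-check.$$
mkdir -p "$tmp"
cat > "$tmp/old.mc" <<'EOF'
OSTYPE(solaris2)dnl
define(`confPRIVACY_FLAGS',`authwarnings,noexpn,novrfy')dnl
MAILER(smtp)dnl
EOF
cat > "$tmp/new.mc" <<'EOF'
OSTYPE(solaris2)dnl
MAILER(smtp)dnl
EOF
for f in old.mc new.mc; do
    if lost=$(missing_privacy_flags "$tmp/$f" noexpn novrfy); then
        echo "$f: noexpn and novrfy present"
    else
        echo "$f: missing:" $lost
    fi
done
rm -rf "$tmp"
```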
I then overwrote the sendmail.mc in /etc/mail with the new one, so I would have it readily available for generating a new /etc/mail/sendmail.cf file, if needed.
I tried m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf, which I normally use on my Linux sendmail server, again, but, as before, I got an error message, so I followed the instructions listed in the INSTALL file again after sendmail wouldn't start.
# cp sendmail.mc /etc/mail/sendmail.mc
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /etc/init.d/sendmail stop
# /etc/init.d/sendmail start
554 5.0.0 /etc/mail/sendmail.cf: line 1: invalid argument to V line: "ERSIONID(Id: generi"
554 5.0.0 No local mailer defined
554 5.0.0 QueueDirectory (Q) option must be set
I was able to successfully restart sendmail after following the instructions in the INSTALL file that came with this version of sendmail.
# pwd
/home/jsmith/sendmail-8.14.3/cf/cf
# sh ./Build sendmail.cf
Using M4=/usr/ccs/bin/m4
rm -f sendmail.cf
/usr/ccs/bin/m4 ../m4/cf.m4 sendmail.mc > sendmail.cf || ( rm -f sendmail.cf && exit 1 )
echo "### sendmail.mc ###" >>sendmail.cf
sed -e 's/^/# /' sendmail.mc >>sendmail.cf
chmod 444 sendmail.cf
# sh ./Build install-cf
Using M4=/usr/ccs/bin/m4
../../devtools/bin/install.sh -c -o root -g bin -m 0444 sendmail.cf /etc/mail/sendmail.cf
../../devtools/bin/install.sh -c -o root -g bin -m 0444 submit.cf /etc/mail/submit.cf
# ls -l /etc/mail/sendmail.cf
-r--r--r-- 1 root bin 41671 Jun 28 16:31 /etc/mail/sendmail.cf
# /etc/init.d/sendmail stop
# /etc/init.d/sendmail start
#
I then verified that the vrfy and expn commands no longer worked.
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.example.com ESMTP Sendmail 8.14.3/8.14.3; Sun, 28 Jun 2009 16:37:44 -0400 (EDT)
ehlo laptop
250-mail.example.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
vrfy jsmith
252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)
expn somelist
502 5.7.0 Sorry, we do not allow this operation