# Copyright (c) 2000-2002 Sendmail, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
# $Id: SECURITY,v 1.1.1.1 2003-04-08 15:08:11 zacheiss Exp $
#

This file gives some hints on how to configure and run sendmail for
people who are very security conscious (you should be...).

Even though sendmail goes to great lengths to ensure that it
can't be compromised even if the system it is running on is
incorrectly or insecurely configured, it can't work around everything.
This has been demonstrated by recent OS problems which have
subsequently been used to compromise the root account using sendmail
as a vector. One way to minimize the possibility of such problems
is to install sendmail without set-user-ID root, which avoids local
exploits. This configuration, which is the default starting with
8.12, is described in the first section of this security guide.


*****************************************************
** sendmail configuration without set-user-ID root **
*****************************************************

sendmail needs to run as root for several purposes:

- bind to port 25
- call the local delivery agent (LDA) as root (or another user) if the LDA
  isn't set-user-ID root (unless some other method of storing e-mail in
  local mailboxes is used).
- read .forward files
- write e-mail submitted via the command line to the queue directory.

Only the last item requires a set-user-ID/set-group-ID program to
avoid problems with a world-writable directory. It is, however,
sufficient to have a set-group-ID program and a group-writable
queue directory. The other requirements listed above can be
fulfilled by a sendmail daemon that is started by root. Hence this
section explains how to use two sendmail configurations to accomplish
the goal of having a sendmail binary that is not set-user-ID root,
and hence is not open to system configuration/OS problems, or is at
least less exposed to them.

The default configuration starting with sendmail 8.12 uses one
sendmail binary which acts differently based on operation mode and
supplied options.

sendmail must be a set-group-ID (default group: smmsp, recommended
gid: 25) program to allow for queueing mail in a group-writable
directory. Two .cf files are required: sendmail.cf for the daemon
and submit.cf for the submission program. The following permissions
should be used:

    -r-xr-sr-x  root   smmsp  ...  /PATH/TO/sendmail
    drwxrwx---  smmsp  smmsp  ...  /var/spool/clientmqueue
    drwx------  root   wheel  ...  /var/spool/mqueue
    -r--r--r--  root   wheel  ...  /etc/mail/sendmail.cf
    -r--r--r--  root   wheel  ...  /etc/mail/submit.cf

[Notice: On some OSes "wheel" is not used but "bin" or "root" instead;
however, this is not important here.]

That is, the owner of sendmail is root, the group is smmsp, and
the binary is set-group-ID. The client mail queue is owned by
smmsp with group smmsp and is group writable. The client mail
queue directory must be writable by smmsp, but it must not be
accessible to others. That is, do not use world read or execute
permissions. In submit.cf the option UseMSP must be set, and
QueueFileMode must be set to 0660. submit.cf is available in
cf/cf/, where it has been built from cf/cf/submit.mc. The file can
be used as-is; if you want to add more options, use cf/cf/submit.mc
as a starting point and read cf/README: MESSAGE SUBMISSION PROGRAM
carefully.
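As an added example (not part of the sendmail distribution), the following POSIX sh audit compares an installed system against the permission table above and checks that submit.cf carries UseMSP and QueueFileMode=0660. The default locations /usr/sbin/sendmail and /etc/mail, and the override variables SENDMAIL_BIN and MAIL_CF_DIR, are assumptions of this script.

```shell
# Added audit helper (not part of the sendmail distribution): checks that
# the set-group-ID layout described above is in place. Paths and names are
# the ones listed in this file; override SENDMAIL_BIN / MAIL_CF_DIR as needed.

# First ten characters of the ls(1) mode field, e.g. "-r-xr-sr-x".
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# "user:group" of a path as reported by ls(1), e.g. "root:smmsp".
owner_of() { ls -ld "$1" 2>/dev/null | awk '{ print $3 ":" $4 }'; }

# check_entry PATH MODE [USER:GROUP]: succeed only if the mode string (and,
# when given, the owner) match exactly; otherwise report the deviation.
check_entry() {
    have="$(mode_of "$1") $(owner_of "$1")"
    want="$2 ${3:-$(owner_of "$1")}"
    [ "$have" = "$want" ] && return 0
    echo "$1: have '${have% }', want '$want'" >&2
    return 1
}

# check_cf_opt FILE OPTION: succeed if FILE has an active "O OPTION" line.
# submit.cf built from submit.mc carries "O UseMSP" and "O QueueFileMode=0660";
# a boolean option may also be spelled "O UseMSP=True".
check_cf_opt() { grep -qE "^O $2(=True)?[[:space:]]*\$" "$1"; }

# Walk the permission table; returns non-zero if any entry deviates.
audit_msp_layout() {
    bin=${SENDMAIL_BIN:-/usr/sbin/sendmail}
    cf=${MAIL_CF_DIR:-/etc/mail}
    rc=0
    check_entry "$bin" "-r-xr-sr-x" "root:smmsp" || rc=1
    check_entry /var/spool/clientmqueue "drwxrwx---" "smmsp:smmsp" || rc=1
    check_entry /var/spool/mqueue "drwx------" || rc=1        # group is OS-dependent
    check_entry "$cf/sendmail.cf" "-r--r--r--" || rc=1
    check_entry "$cf/submit.cf" "-r--r--r--" || rc=1
    check_cf_opt "$cf/submit.cf" UseMSP || { echo "submit.cf: UseMSP not set" >&2; rc=1; }
    check_cf_opt "$cf/submit.cf" QueueFileMode=0660 || { echo "submit.cf: QueueFileMode is not 0660" >&2; rc=1; }
    return $rc
}

if [ "${1:-}" = "--audit" ]; then audit_msp_layout; fi
```

Run it as root with `--audit` after installation; every deviation from the table is printed on stderr and the exit status is non-zero.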
The .cf file is chosen based on the operation mode. For -bm (default),
-bs, and -t it is submit.cf (if it exists); for all others it is
sendmail.cf. This selection can be changed by -Ac or -Am (alternative
.cf file: client or mta).

The daemon must be started by root as usual, e.g.,

    /PATH/TO/sendmail -L sm-mta -bd -q1h

(replace /PATH/TO with the right path for your OS, e.g.,
/usr/sbin or /usr/lib).

Notice: if you run sendmail from inetd (which in general is not a
good idea), you must specify -Am in addition to -bs.

Mail will end up in the client queue if the daemon doesn't accept
connections or if an address is temporarily not resolvable. The
latter problem can be minimized by using

    FEATURE(`nocanonify', `canonify_hosts')
    define(`confDIRECT_SUBMISSION_MODIFIERS', `C')

which, however, may have undesired side effects. See cf/README for
a discussion. In general it is necessary to clean the queue either
via a cronjob or by running a daemon, e.g.,

    /PATH/TO/sendmail -L sm-msp-queue -Ac -q30m

If the option UseMSP is not set, sendmail will complain during
queue runs about bogus file permissions. If you want a queue runner
for the client queue, you probably have to change OS-specific
scripts to accomplish this (check the man pages of your OS for more
information). You can start this program as root; it will change
its user id to RunAsUser (smmsp by default, recommended uid: 25).
This way smmsp does not need a valid shell.

Summary
-------

This is a brief summary of how the two configuration files are used:

sendmail.cf   For the MTA (mail transmission agent)
              The MTA is started by root as daemon:

                  /PATH/TO/sendmail -L sm-mta -bd -q1h

              it accepts SMTP connections (on ports 25 and 587 by default);
              it runs the main queue (/var/spool/mqueue by default).

submit.cf     For the MSP (mail submission program)
              The MSP is used to submit e-mails, hence it is invoked
              by programs (and maybe users); it does not run as SMTP
              daemon; it uses /var/spool/clientmqueue by default; it
              can be started to run that queue periodically:

                  /PATH/TO/sendmail -L sm-msp-queue -Ac -q30m


Hints and Troubleshooting
-------------------------

RunAsUser: FEATURE(`msp') sets the option RunAsUser to smmsp.
This user must have the group smmsp, i.e., the same group as the
clientmqueue directory. If you specify a user whose primary group
is not the same as that of the clientmqueue directory, then you
should explicitly set the group, e.g.,

    FEATURE(`msp')
    define(`confRUN_AS_USER', `mailmsp:smmsp')

STARTTLS: If sendmail is compiled with STARTTLS support on a platform
that does not have HASURANDOMDEV defined, you either need to specify
the RandFile option (as for the MTA), or you have to turn off
STARTTLS in the MSP, e.g.,

    DAEMON_OPTIONS(`Name=NoMTA, Addr=127.0.0.1, M=S')
    FEATURE(`msp')
    CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0, M=S')

The first option is used to turn off STARTTLS when the MSP is
invoked with -bs, as some MUAs do.


What doesn't work anymore
-------------------------

Normal users can't use mailq anymore to see the MTA mail queue.
There are several ways around it, e.g., changing QueueFileMode
or giving users access via a program like sudo.

sendmail -bv may give misleading output for normal users since it
may not be able to access certain files, e.g., .forward files of
other users.


Alternative
-----------

Instead of having one set-group-ID binary, it is possible to use
two with different permissions: one for message submission
(set-group-ID), and one acting as daemon etc., which is only executable
by root. In that case it is possible to remove features from
the message submission program to have a smaller binary.
You can use

    sh ./Build install-sm-mta

to install a sendmail program to act as daemon etc. under the name
sm-mta.

Set-User-Id
-----------

If you really have to install sendmail set-user-ID root, first build
the sendmail package normally using

    sh ./Build

Then you can use

    sh ./Build install-set-user-id

to install the package in the old (pre-8.12) way. Make sure that
no submit.cf file is installed. See devtools/README about
confSETUSERID_INSTALL, which you need to define.