Upgrading Sendmail on Solaris


Copyright 2002, 2003 Andy Barclay
OpenContent License (OPL)

Title: Upgrade of sendmail to 8.12.2 on buggs.unixpeople.com
Date: April 7, 2002

Overview
========
This document details the process that was followed to upgrade sendmail
on buggs.unixpeople.com. It includes notes on why we upgraded, how sendmail
was built, and how the cf files were generated. It also includes some details
as to how the new sendmail architecture works.

Why upgrade?
============
The sendmail upgrade was driven mainly by a desire to decrease the
amount of spam that is received on this machine. The upgrade also
has two positive side effects:

1) When patches are applied to a Solaris system, the sendmail.cf
file and the sendmail binary are usually overwritten. This usually results in
having to manually restore the sendmail.cf, and possibly the sendmail
binary, to avoid mail failures. If only the sendmail.cf is restored, then
version mismatch messages often result. By removing the stock sendmail
packages, sendmail patches will not be installed, and we will not
have this problem. The flip side is that Sun's sendmail security fixes
will no longer arrive either: from now on it is up to us to track
sendmail.org advisories and rebuild the package when a fix is released.

2) The latest sendmail (8.12) is built upon a more robust security model,
which further enhances the overall security of the system: the sendmail
binary is no longer set-user-ID root, and mail submission is separated
from mail transfer (see "What is the new sendmail architecture?" below).

The upgrade plan
================
The process for upgrading sendmail is:
-Backup /etc/mail
-Remove the stock sendmail packages (SUNWsndr, SUNWsndu)
-Install the new package, UPsndml
-Restore /etc/mail/local-host-names, /etc/mail/relay-domains,
/etc/mail/aliases, and /etc/mail/genericstable, then rebuild the
databases sendmail actually reads from them (makemap for the
genericstable, newaliases for the aliases)

Building and Installing Sendmail
================================
Pre-requisites
--------------
On the machine where sendmail is being built, the following must be
installed or upgraded:
-gcc
	- download package from http://sunfreeware.com
-Berkeley DB 2.3.15 or later
	- download from http://sleepycat.com
	cd build_unix
	../dist/configure
	make
	sudo make install
-openssl version 0.9.6e
	-download from http://www.openssl.org
	-follow instructions on building openssl located at http://www.unixpeople.com

If either library is installed outside the compiler's default search
path (Sleepycat's default prefix is /usr/local/BerkeleyDB.x.y), the
sendmail Build script has to be told where it is in
devtools/Site/site.config.m4: confINCDIRS, confLIBDIRS and confMAPDEF
for Berkeley DB, and confENVDEF (-DSTARTTLS) plus confLIBS (-lssl
-lcrypto) if the openssl build is to be used for STARTTLS. INSTALL in the
sendmail distribution documents these settings.

Download and extract Sendmail 8.12.2 from http://www.sendmail.org

Build the binaries:
sendmail-8.12.2$ ./Build

Create account and group for sendmail
/etc/passwd
	smmsp:x:4025:4025:Sendmail Service Account:/home/sendmail:/bin/false
/etc/group
	smmsp:x:4025:

$ sudo pwconv

Create a "marker" file that we can use to find out what files are installed:
$ touch /tmp/marker

Install the binaries and config files:
sendmail-8.12.2$ sudo ./Build install

Find all the files that were installed:
$ cd /
$ sudo find . -newer /tmp/marker -print >/tmp/sendmail.files

Review /tmp/sendmail.files before going further. The search starts at /
and lists everything whose modification time is newer than the marker, so
anything else touched during the install (log files, /tmp, the list file
itself) is included as well and has to be removed from the list by hand.
Only /etc/mail, the install locations under /usr, and the queue
directories under /var/spool should remain.

Collect the listed files into a tar archive:
$ sudo tar cf /tmp/sendmail.tar `cat /tmp/sendmail.files`

Build the archive into a Solaris package:
There is more information on package building available in
the Howto section of: http://www.unixpeople.com

The sendmail package, UPsndml, contains all the files, but also
has a pre-install script that:
	-creates the smmsp group and user (finds a unique uid and gid)
In addition, the postinstall script does the following:
	-creates a startup script, /etc/init.d/sendmail
	-sets up links in /etc/rc2.d and /etc/rc0.d
	-creates /var/spool/clientmqueue and /var/spool/mqueue
	-sets ownership and perms on:
		/var/spool/clientmqueue,
		/var/spool/mqueue
		/usr/lib/sendmail
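The marker-based file list above and the ownership fixes the postinstall applies can both be made explicit. The script below is an added example, not the UPsndml package's own scripts: it turns the files newer than the marker under a staging tree into a pkgmk prototype(4) file carrying the attributes sendmail 8.12 expects, and verifies those attributes after pkgadd. It assumes a staging tree (hypothetical /tmp/stage, filled either by ./Build install DESTDIR=/tmp/stage if your Build supports DESTDIR, or by extracting the sendmail.tar from above), the Solaris paths used on this page, and a pkginfo file written separately.

```shell
#!/bin/sh
# Added example (not from the page or the UPsndml package scripts).
# Attribute values are those listed in sendmail's INSTALL and sendmail/SECURITY:
#   /usr/lib/sendmail        2555 root  smmsp   set-group-ID, NOT set-user-ID
#   /var/spool/mqueue        0700 root  bin     MTA queue
#   /var/spool/clientmqueue  0770 smmsp smmsp   MSP queue
# ROOT is a staging tree (hypothetical /tmp/stage), not "/": a search from
# "/" also sweeps up every unrelated file that changed after the marker.

# attrs REL PATH -> "mode owner group" for the package object at REL
attrs() {
    case "$1" in
        usr/lib/sendmail)        echo "2555 root smmsp" ;;
        var/spool/mqueue)        echo "0700 root bin" ;;
        var/spool/clientmqueue)  echo "0770 smmsp smmsp" ;;
        usr/bin/*|usr/sbin/*)    echo "0555 root bin" ;;
        *) if [ -d "$2" ]; then echo "0755 root bin"; else echo "0444 root bin"; fi ;;
    esac
}

# make_prototype ROOT MARKER OUT: write a prototype(4) file listing every
# object under ROOT newer than MARKER, restricted to the paths a sendmail
# install is expected to touch. Rejected paths are reported on stderr.
make_prototype() {
    root=$1; marker=$2; out=$3
    echo "i pkginfo" > "$out"
    ( cd "$root" && find . -newer "$marker" -print ) | LC_ALL=C sort |
    while IFS= read -r p; do
        rel=${p#./}
        case "$rel" in
            .) continue ;;
            *[!A-Za-z0-9_./+-]*)   echo "rejected (odd characters): $rel" >&2; continue ;;
            etc|usr|var|var/spool) continue ;;   # system directories, already on the target
            etc/mail|etc/mail/*|usr/*|var/spool/*) ;;
            *)                     echo "rejected (outside install paths): $rel" >&2; continue ;;
        esac
        set -- $(attrs "$rel" "$root/$rel")
        if [ -d "$root/$rel" ]; then
            echo "d none /$rel $1 $2 $3" >> "$out"
        elif [ -f "$root/$rel" ]; then
            echo "f none /$rel $1 $2 $3" >> "$out"
        fi
    done
}

# check_perms PATH MODE OWNER GROUP -> true only if PATH has exactly these.
# -prune restricts find to PATH itself and -perm MODE is an exact match, so
# stray bits (world write, set-user-ID) make the check fail.
check_perms() {
    [ -n "$(find "$1" -prune -perm "$2" -user "$3" -group "$4" -print 2>/dev/null)" ]
}

# verify_layout ROOT: run after pkgadd ("" for the live system).
verify_layout() {
    root=$1; rc=0
    for rel in usr/lib/sendmail var/spool/mqueue var/spool/clientmqueue; do
        set -- $(attrs "$rel" "$root/$rel")
        check_perms "$root/$rel" "$1" "$2" "$3" ||
            { echo "/$rel: expected mode $1 owner $2 group $3" >&2; rc=1; }
    done
    return $rc
}

# On the build host (paths hypothetical):
#   make_prototype /tmp/stage /tmp/marker /tmp/stage/prototype
#   pkgmk -o -r /tmp/stage -f /tmp/stage/prototype -d /tmp/pkgs UPsndml
# On the target, after pkgadd:
#   verify_layout "" || echo "fix the attributes before starting sendmail"
```

Putting the attributes into the prototype means pkgadd installs them and pkgchk can later report drift; verify_layout is the same exact-match check, run independently of the package database, for use after patching or restoring from backup.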

Configuring Sendmail
====================
Now that sendmail has been installed, we need to create a few
configuration files. A very bland sendmail.cf file was installed
as part of the package.

When the Bat-book was released by O'Reilly and Associates, it was
recognised that building a sendmail.cf file from scratch is simply
un-maintainable. A method of generating a configuration file
from a set of macros was devised. The macros are run through the
m4 macro processor to generate the sendmail.cf file.

The resultant configuration file should enable:
	-local and smtp mail delivery
	-anti-spam checking of connecting clients against DNS blocklists
	 such as spamcop's (the dnsbl feature)
	-sender address re-writing

The first thing to do is to create the file unixpeople.mc
----------
divert(-1)
#
# This is for unixpeople.com
#

divert(0)dnl
VERSIONID(`$Id: unspoken.mc,v 8.13 2002/04/04 abarclay Exp $')
OSTYPE(solaris2)dnl
DOMAIN(generic)dnl
FEATURE(genericstable,`dbm /etc/mail/genericstable')dnl
GENERICS_DOMAIN_FILE(`/etc/mail/local-host-names')dnl
FEATURE(masquerade_entire_domain)dnl
FEATURE(always_add_domain)dnl
FEATURE(allmasquerade)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(dnsbl, `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?" $&{client_addr}')dnl
FEATURE(dnsbl, `unconfirmed.dsbl.org', `Rejected - See http://unconfirmed.dsbl.org/')dnl
FEATURE(dnsbl, `relays.osirusoft.com', `Rejected - See http://relays.osirusoft.com/')dnl
FEATURE(`dnsbl', `relays.ordb.org', `Rejected - see http://ordb.org/')dnl
MAILER(local)dnl
MAILER(smtp)dnl
----------

NOTE: NOTE: NOTE:
Please don't use the relays.osirusoft.com black list. It includes SPEWS
which tends to be really, really fascist. While working at collation.com,
spews actually blacklisted pretty much the entire network block of our
ISP, cogent.

Each FEATURE(dnsbl, ...) line rejects mail from a connecting client whose
address is listed in that DNS blocklist, returning the message given as
the third argument. Several of the lists above have since been shut down,
and a decommissioned list may go on to answer positively for every
query, which rejects all inbound mail; only reference lists that are
actively maintained, and remove any that stop resolving.

REDHAT notes:
=============
It seems that linux wants to use procmail to do local delivery.
In that case, keep MAILER(local) and add the following two lines to
unixpeople.mc ahead of the MAILER(...) lines. FEATURE(local_procmail)
changes the definition of the local mailer rather than replacing it, so
MAILER(local) is still required:
-----------------
FEATURE(local_procmail)dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
-----------------

The sender address rewriting is enabled by the genericstable feature, and
its operation is modified by the masquerade_entire_domain, always_add_domain,
allmasquerade, and masquerade_envelope features. 

Files
-----
/etc/mail/relay-domains
	-This file controls what domains or IP address ranges can relay
mail through this system. Entries should be one per line. Woody does
not currently allow any external servers to relay mail through it.
As an example, assume that we wanted Woody to allow relaying for any host
on the 199.71.122.0/24 network. In that case, we could put
the following in the relay-domains file:
--------
199.71.122
--------
Every host in that range can then send mail to any destination through
this machine, so list only networks you control; an entry that is too
wide turns the host into an open relay.

/etc/mail/local-host-names
	-This file controls what names sendmail will believe it should
be the final destination for. This file should contain every domain
which may occur on the right-hand side of mail addresses handled by this 
machine. The following example shows only a few entries, but the real file
on buggs contains many, many more.
-------
buggs.unixpeople.com
buggs.unixpeople.internal
unixpeople.internal
unixpeople.com
buggs.unixpeople.com
buggs.unixpeople.internal
-------

/etc/mail/genericstable
	-This file handles the re-writing of sender (From:) addresses.
By default, mail sent from the host will have a From: address of:
loginname@fullyQualifiedHostName
Example: abarclay@buggs.unixpeople.com

By using masquerading, we can make all addresses appear to be from
a single different name
Example:
foobar@unixpeople.com, john@unixpeople.com, mary@unixpeople.com, etc.

But, since buggs hosts multiple domains, and different users have different
preferred e-mail addresses, the proper solution is to map addresses on
a per user basis. Sendmail does this with the genericstable.
NOTE: only unqualified addresses, or addresses whose domain part is in
the sendmail "G" class, are subject to re-mapping. In unixpeople.mc the
G class is loaded from /etc/mail/local-host-names by
GENERICS_DOMAIN_FILE, so a genericstable key whose domain is not listed
there never matches. Sendmail 8.12.2 always fully qualifies the address
before the lookup, which is why the keys below carry the host name.
The genericstable will look similar to:
------
abarclay@buggs.unixpeople.com abarclay@ccsonline.cc
erics@buggs.unixpeople.com erics@yachtwire.com
playball@buggs.unixpeople.com playball@novatobaberuth.org
------

Finally, we need to convert the genericstable to dbm format, which is the
map type named in unixpeople.mc. The map must be rebuilt with makemap every
time the text file changes:
/etc/mail$ sudo makemap dbm genericstable < genericstable
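The G-class restriction above fails silently: a genericstable entry whose left-hand domain is not in local-host-names is simply never applied, and nothing in the makemap step warns about it. The following is an added example, not part of the original page, that checks the text genericstable against the generics domain file before the dbm map is rebuilt. File names are the ones used on this page; makemap is sendmail's own map builder.

```shell
#!/bin/sh
# Added example (not from the page): sanity-check a genericstable against
# the file named in GENERICS_DOMAIN_FILE before rebuilding the map.
# With GENERICS_DOMAIN_FILE(`/etc/mail/local-host-names') an entry is only
# applied when its key is unqualified or the key's domain part is listed in
# that file; any other entry is dead weight.

# check_generics LOCAL_HOST_NAMES GENERICSTABLE
#   prints every key that can never match, returns 1 if any were found.
check_generics() {
    awk -v domfile="$1" '
        BEGIN {
            # load the G class: one domain per line, "#" comments allowed
            while ((getline line < domfile) > 0) {
                sub(/#.*/, "", line)
                gsub(/^[ \t]+/, "", line); gsub(/[ \t]+$/, "", line)
                if (line != "") dom[tolower(line)] = 1
            }
            close(domfile)
        }
        /^[ \t]*#/ { next }               # comment line
        /^[ \t]*$/ { next }               # blank line
        {
            key = tolower($1)
            if (NF < 2) { print "no replacement address: " $0; bad++; next }
            n = index(key, "@")
            if (n == 0) next              # unqualified key: always eligible
            d = substr(key, n + 1)
            if (!(d in dom)) { print "domain not in generics class: " $1; bad++ }
        }
        END { exit (bad > 0) }
    ' "$2"
}

# rebuild_generics DIR: rebuild the dbm map unixpeople.mc refers to, but
# only if the source file passes the check above.
rebuild_generics() {
    check_generics "$1/local-host-names" "$1/genericstable" || return 1
    makemap dbm "$1/genericstable" < "$1/genericstable"
}

# Usage on buggs:  rebuild_generics /etc/mail
```

Run the check as part of the restore step in the upgrade plan too: an entry that was valid before the upgrade stops matching the moment its domain is dropped from local-host-names.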

/etc/mail/aliases
	-This file contains aliases for non-real e-mail names that are
mapped to real user names. For example, e-mail sent to security@unixpeople.com
will be aliased to Andy and Jeff and Oscar
------
security: abarclay,jeff,omiranda
------
Sendmail reads the database built from this file, not the text file
itself, so run newaliases (the same as sendmail -bi) after every change.

Generating the configuration file
----------------------------------
Now that the unixpeople.mc file is created, you can generate the
config file.
sendmail-8.12.2/cf/cf$ ./Build unixpeople.cf

Copy unixpeople.cf to /etc/mail/sendmail.cf and restart the MTA daemon so
that it re-reads the configuration. The MSP has its own configuration
file, /etc/mail/submit.cf, which this step does not touch.

What is the new sendmail architecture?
======================================
Sendmail 8.12 splits mail handling into two roles, each with its own
configuration file and its own queue, and the sendmail binary is no
longer installed set-user-ID root.

Daemon 1
	-known as the Mail Transfer Agent (MTA)
	-started as root from /etc/init.d/sendmail (sendmail -bd -q...)
	-runs as root: it has to bind port 25, read users' .forward files
	 and run the local mailer as the recipient
	-reads /etc/mail/sendmail.cf, the file generated above
	-waits for SMTP connections; each accepted message is written to
	 /var/spool/mqueue (owned by root, mode 0700) and then handed to
	 the local or smtp mailer, or retried from that queue later

Daemon 2
	-known as the Mail Submission Program (MSP)
	-the same binary, installed mode 2555 root:smmsp, i.e. set-group-ID
	 smmsp and NOT set-user-ID root, running with /etc/mail/submit.cf
	-invoked in non-daemon mode by programs and possibly by users
	 (sendmail -t, mail, cron output) to submit mail to the mail
	 system; it hands each message to the MTA over SMTP on the
	 loopback interface
	-if the MTA cannot be reached, the message is written to
	 /var/spool/clientmqueue (smmsp:smmsp, mode 0770), the only
	 directory group smmsp can write to
	-a second daemon instance (sendmail -Ac -q...) runs as user smmsp
	 and retries the client queue periodically, looking for submitted
	 mail that could not be delivered at the time

A process that only has group smmsp privileges can therefore write to the
client queue but not to /var/spool/mqueue, /etc/mail or anything else the
MTA trusts; this is what the "more robust security model" mentioned
earlier means in practice.
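The postinstall's /etc/init.d/sendmail has to start both daemons and stop both again. The script below is an added example, not the one the UPsndml package writes. It assumes the binary at /usr/lib/sendmail as used on this page, the MTA pid file /var/run/sendmail.pid and the MSP queue runner's pid file /var/spool/clientmqueue/sm-client.pid (the default set by submit.cf); the queue intervals are arbitrary.

```shell
#!/bin/sh
# Added example rc script for the two-daemon layout (not the package's own).
SENDMAIL=${SENDMAIL:-/usr/lib/sendmail}
MTA_PID=/var/run/sendmail.pid
MSP_PID=/var/spool/clientmqueue/sm-client.pid   # submit.cf default, assumed

# pidfile_pid FILE: print the pid from a sendmail pid file (first line is
# the pid, second the command line). Fails unless the first line is a plain
# positive integer: sm-client.pid lives in a directory that group smmsp can
# write, so root must not feed its contents to kill(1) unchecked.
pidfile_pid() {
    [ -f "$1" ] || return 1
    pid=$(head -n 1 "$1")
    case "$pid" in
        ''|0|*[!0-9]*) return 1 ;;
    esac
    echo "$pid"
}

start() {
    # MTA: runs as root, listens on port 25, drains /var/spool/mqueue
    "$SENDMAIL" -bd -q15m
    # MSP queue runner: -Ac selects submit.cf, so it runs as smmsp and
    # only retries /var/spool/clientmqueue; it never binds a port
    "$SENDMAIL" -Ac -q15m
}

stop() {
    for f in "$MTA_PID" "$MSP_PID"; do
        pid=$(pidfile_pid "$f") && kill "$pid"
    done
}

# Dispatch only when given an argument, so the functions can also be
# sourced and exercised on their own.
if [ $# -gt 0 ]; then
    case "$1" in
        start) start ;;
        stop)  stop ;;
        *) echo "usage: $0 start|stop" >&2; exit 1 ;;
    esac
fi
```

Install it as /etc/init.d/sendmail and link it from /etc/rc2.d (S) and /etc/rc0.d (K) as the postinstall does. Validating the pid file is the minimum; a stricter stop would also compare the second line of the file with the command line of the process it is about to signal.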

References
==========
Read the following from the sendmail download:
INSTALL
sendmail/SECURITY
README
cf/README
cf/cf/README

http://spam.abuse.net
http://www.cauce.org
http://mail-abuse.org
http://spamcop.net