Activating Sendmail on Mac OS X

Previous page
Table of content
Next page
   

Assuming you want to test the version of sendmail that came with your computer, you're about five minutes away from having a running sendmail on your system. First, however, you need to make a decision based on how you're going to be using your computer. Mac OS X is an operating system designed for Mac users. The admin group is often shared among multiple users, often with disregard for the role that those users play in the actual operation of the machine. Administrative users can write to the root level ( / ) of the drive, which is typical of the "Mac" way of doing things.

TIP

If you're planning to run sendmail as a full-time MTA, we recommend updating to the latest release, which you'll learn about later in this chapter.

Breaking the Mac Mold or the Sendmail Security Model

Sendmail, by default, has extremely strict permission requirements for the directory where it is installed:

  • Files that are group writable or are located in group-writable directories will not be read.

  • Files cannot be written to directories that are group writable.

  • .forward files that are links to other files will not be processed .

The root level of your Mac OS X file system is group writable, which immediately breaks the first rule. To adhere to the sendmail security model, you need to "break" the longstanding Mac tradition of being able to install applications and folders anywhere you want. The root level of the system must be off-limits for changes to anyone except the root user .

NOTE

Most software installation packages (MindVise, InstallerMaker, and so on) automatically authenticate as root and install software without needing a root login. Admin users, however, will not be able to manually add items at the root level.

CAUTION

If you're serious about running an MTA on your Mac OS X computer, you should think about running a dedicated server, not sharing a computer with general users.

Many sendmail attacks have been local exploits, allowing local users to gain root access. To be honest, if you're running a sendmail server and using it as a general use computer, you're asking for trouble. This is not a recommended Maximum Mac OS X Security practice.

Testing the Sendmail Path Permissions

To determine the current state of sendmail permissions at any time, open the Terminal and use the command /usr/sbin/sendmail -v -d44.4 -bv postmaster . This runs a test of all sendmail file permissions and reports on the results. (Only the relevant output is shown here).

[View full width] 
 
 [View full width] 
 #  /usr/sbin/sendmail -v -d44.4 -bv postmaster  safefile(/etc/mail/sendmail.cf, uid=0, gid=20, flags=6000, mode=400): safedirpath(/etc/mail, uid=0, gid=20, flags=6000, level=0, offset=0):         [dir /] mode 41775 WARNING safedirpath(/private/etc, uid=0, gid=20, flags=6000, level=1, offset=1):         [dir /private/etc] OK         [dir /etc/mail] OK         [uid 0, nlink 1, stat 100644, mode 400]         OK safefile(/etc/mail/local-host-names, uid=0, gid=20, flags=6580, mode=400): safedirpath(/etc/mail, uid=0, gid=20, flags=6580, level=0, offset=0):         [dir /] mode 41775 FATAL         [dir /etc/mail] Group writable directory /etc/mail/sendmail.cf: line 93: fileclass: cannot open '/etc/mail/local-host- names': graphics/ccc.gif Group writable directory safefile(/etc/mail/relay-domains, uid=0, gid=20, flags=6580, mode=400): safedirpath(/etc/mail, uid=0, gid=20, flags=6580, level=0, offset=0):         [dir /] mode 41775 FATAL         [dir /etc/mail] Group writable directory safefile(/etc/mail/service.switch, uid=0, gid=20, flags=6480, mode=400): safedirpath(/etc/mail, uid=0, gid=20, flags=6580, level=0, offset=0):         [dir /] mode 41775 FATAL         [dir /etc/mail] Group writable directory         No such file or directory safefile(/etc/mail/service.switch, uid=0, gid=20, flags=6480, mode=400): safedirpath(/etc/mail, uid=0, gid=20, flags=6580, level=0, offset=0):         [dir /] mode 41775 FATAL         [dir /etc/mail] Group writable directory         No such file or directory safedirpath(/var/spool/mqueue, uid=0, gid=20, flags=4, level=0, offset=0):         [dir /] mode 41775 WARNING safedirpath(/private/var, uid=0, gid=20, flags=4, level=1, offset=1):         [dir /private/var] OK         [dir /var/spool/mqueue] OK

The group-writable directories are flagged in the output, and, as you can see, many of these errors are fatal , meaning sendmail won't even run. This problem can be eliminated by either of two methods : removing the group write permissions or telling sendmail to ignore them.

Fixing Sendmail Path Permission

To remove group write permissions from your directory, open a Terminal window and type the following three commands: 

  sudo chmod g-w /   sudo chmod g-w /etc   sudo chmod g-w /etc/mail

Assuming you follow Apple's updates, your system directory permissions are at Apple's whim. Several sections in this book discuss how to counteract the effects of the Apple updates. It's the price we pay for automated updates and Apple's watchful eye. Table 13.2 contains the preferred sendmail directory and file modes.

Table 13.2. Sendmail Directory and File Permissions

Directory

Permission Mode

Owner

/

755

root

/var

755

root

/var/spool

755

root

/var/spool/mqueue

700

root

/etc

755

root

/etc/mail

755

root

/etc/mail/*

644

root

If you'd prefer to "slightly" break the sendmail model, you can limit the extent to which sendmail enforces its security checks by employing the DontBlameSendmail configuration option. This configuration directive forces sendmail to drop one or more of its security policies to make for a more " forgiving " installation.

Open the /etc/mail/sendmail.cf file in your favorite text editor, then search for the line that reads 

 #O DontBlameSendmail=safe

Replace the text with 

 O DontBlameSendmail=GroupWritableDirPathSafe

As the name may lead you to believe, this option makes sendmail consider directories with group write attributes set as "safe." Your sendmail installation is now operable and ready to be started.

In a recent OS update, a second configuration file submit.cf was added for a second instance of Sendmail that handles local message submissions. In order to use Sendmail locally, you will need to make the same changes to this file that you've made to sendmail.cf .

TIP

If you're interested in loosening the sendmail file permission reins even more, you can get a complete list of the DontBlameSendmail options at http://www.sendmail.org/tips/DontBlameSendmail.html. Keep in mind that the less strict the file permissions, the more likely it is that a local exploit could take place.

Removing NetInfo Dependence

By default, Mac OS X's sendmail distribution attempts to read its configuration from NetInfo. This can lead to hours of frustration as you try to determine why the configuration changes you're making in the /etc/mail/sendmail.cf file are simply being ignored. To fix the problem, execute these two commands (as root) to tell sendmail to pay attention to the correct config file: 

 #  niutil -create . /locations/sendmail   # niutil -createprop . /locations/sendmail sendmail.cf /etc/mail/sendmail.cf

Be absolutely certain that you've completed this step before proceeding; otherwise future examples within the chapter may not work as documented.

Setting Your Server Name

I'm making the assumption that you already have DNS support for your mail server and a static IP address for its use. At the very least, you should have an A record registered, and very probably an MX record. For more information on mail servers and DNS settings, check out http://www.graphicpower.com/techarticles/mailsvr.stm.

For whatever names you want your system to receive email, you must edit the file /etc/mail/local-host-names with the hostnames that identify your mail server. For example, my machine has both the names poisontooth.com and shadesofinsanity.com . For sendmail to recognize both of these as valid names, I've added them both to my local-host-names file: 

 #  more /etc/mail/local-host-names  poisontooth.com shadesofinsanity.com

Be sure to create and save this file before continuing with the setup. As with sendmail.cf , this should be owned by root and have the permission mode 644 .

Activating the Sendmail Daemon

Apple includes a script for starting sendmail in the /System/Library/StartupItems/Sendmail directory on both the Mac OS X Client and Server operating system distributions. The startup script looks for a corresponding MAILSERVER line in the /etc/hostconfig . You need to be logged in as root to make changes to this file.

Edit /etc/hostconfig , and look for this line: 

 MAILSERVER=-NO-

To activate sendmail, change -NO- to -YES- : 

 MAILSERVER=-YES-

Save the file, and you're ready to go.

NOTE

If you're a Mac OS X Server user, you should make sure that the Apple Mail Service is disabled, either through the Server Admin utility or by editing the /private/etc/watchdog.conf file.

Apple's Mail Service is started in watchdog.conf by this line: 

 mailservice:respawn:/usr/sbin/MailService -n

To run sendmail, be sure to set this line to 

 mailservice:off:/usr/sbin/MailService -n

Attempting to run both servers at the same time may result in your untimely insanity.

The next time you reboot your computer, sendmail will start. Alternatively, you can start sendmail immediately with sudo /usr/sbin/sendmail -bd -q1h . The two options used when starting sendmail, -bd and -q1h , tell the MTA to operate as a background daemon and set the queue processing interval to 1 hour . Table 13.3 contains a few of the sendmail switches that can be used to fine-tune the control of the MTA.

Table 13.3. Sendmail Runtime Options

Command-Line switch

Description

-bd

Run as a daemon on port 25.

-bD

Run as a daemon in the foreground. Useful for testing and debugging.

-bp

Show messages in the sendmail queue.

-d <#>

Set sendmail debugging level to the given number. For more information on debugging levels, visit http://www.unet.univie.ac.at/aix/aixbman/commadmn/ml_debug.htm

-C <filename>

Use an alternate configuration file (for testing). Sendmail will not run as root when an alternative config file is in use.

-q <#smhdw>

Set the interval at which stored queue items will be processed. Use one or more numbers , followed by s,m,h,d,w for second, minute, hour, day, or week values.

-qI <substring>

Process only items whose queue ID contains the given substring.

-qR <substring>

Process only items whose recipient line (To:) contains the given substring.

-qS <substring>

Process only items whose sender line (From:) contains the given substring.

-X <logfile>

Log all activity through sendmail to the named log file.

This is only a partial list of switches that may be of use during initial testing and deployment of sendmail. For a complete list of options, you'll need to look at the Sendmail Installation and Operation Guide (http://www.sendmail.org/~ca/email/doc8.10/op.html) ”not even the man pages list all the possible settings.

   
Top

Previous page
Table of content
Next page
Mac OS X Maximum Security
Maximum Mac OS X Security
ISBN: 0672323818
EAN: 2147483647
Year: 2003
Pages: 158
Authors: John Ray, William C. Ray
BUY ON AMAZON
Adobe After Effects 7.0 Studio Techniques
Cisco IOS in a Nutshell (In a Nutshell (OReilly))
Java How to Program (6th Edition) (How to Program (Deitel))
Postfix: The Definitive Guide
Microsoft WSH and VBScript Programming for the Absolute Beginner
InDesign Type: Professional Typography with Adobe InDesign CS2
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy