Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

A fix for sendmail in 10.1.5 UNIX
[Editor's note: Much of the following has been discussed in the comments to the 10.1.5 update article, but I thought it worth having the information in a standalone hint.]

I have a number of scripts that use the unix mail command (/usr/bin/mail, not the program) to send me messages when something interesting happens. These stopped working after I upgraded to 10.1.5 since the mail command failed with the message
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.
It turns out that the new version of sendmail in 10.1.5 has improved security and some of the files and directories in 10.1.5 don't have quite the right mode for sendmail to work right as a submission program, although it still works ok (I think) as a daemon.

I found a page on the web site that explained what had changed and how the modes should be set. In brief, the files and directories that matter and the desired modes are
-r-xr-sr-x	root   smmsp	... /PATH/TO/sendmail
drwxrwx--- smmsp smmsp ... /var/spool/clientmqueue
drwx------ root wheel ... /var/spool/mqueue
-r--r--r-- root wheel ... /etc/mail/
-r--r--r-- root wheel ... /etc/mail/
On my machine they were set as:
-r-sr-xr-x      root   smmsp    ... /usr/sbin/sendmail
drwxrwx--- root wheel ... /var/spool/clientmqueue
drwxr-x--- root wheel ... /var/spool/mqueue/
-rw-r--r-- root wheel ... /etc/mail/
-r--r--r-- root bin ... /etc/mail/
I think the important one that kept things from working was the incorrect owner and group for clientmqueue, but I fixed the others too. After that the mail command, as in
mail -s "Some subject"
message text
works again.
  • Currently 2.67 / 5
  You rated: 4 / 5 (3 votes cast)

A fix for sendmail in 10.1.5 | 15 comments | Create New Account
Click here to return to the 'A fix for sendmail in 10.1.5' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
which fix recomended?
Authored by: ppmax on Jun 06, '02 10:44:59AM

i read a previous hint which recomended rebuilding a sendmail config file to fix the issues with 10.1.5.

this fix is much easier--but are there any opinions about which fix to use?


[ Reply to This | # ]
fix dosn't work
Authored by: macubergeek on Jun 06, '02 02:18:15PM

none of the fixes works for me

[ Reply to This | # ]
fix dosn't work
Authored by: ppmax on Jun 06, '02 02:36:59PM

first: thanks to poster #2 who provided excellent reading materials. the mailing lists are an excellent resource.

next: here is a post of two relevent discussions. the first is relevent to macubergeek; the second is a step by step for configuring sendmail for 10.1.5. to give credit where credit is due: these were copied from the macosx-server-mailing list referenced above and posted by Chuq Von Rospach, and apple employee.

1. Every vendor will stomp on config files -- this ain't new to Software
Update. Apple's a lot better than most Unix vendors in my experience at
trying to do the right thing here. But think about the situation with, say, If you update sendmail from 8.11 to 8.12, the has
to be regenerated. Apple has three choices with that file:
1) install a new, erasing your customizations. You're upset.
2) leave it alone, breaking sendmail. You're upset.
3) do either of the above, but install a README telling you what needs to be
done -- which you won't read until long after you realize things are broken
and you're upset. If then.
There is no way to successfully handle an upgrade case like this without
breakage in common cases. Fortunately, upgrades like this are pretty rare.

The answer is to always, always keep copies of the files you've changed in
the areas of the filesystem that is "owned" by the OS

2. First -- sendmail is now 8.12.x instead of 8.11. That changes some stuff,
mostly for security-improvement reasons. "it worked in 8.10.4"
unfortuantely, isn't a good reason to hack that stuff back out again. You
want the security upgrades. Honest.

But one thing the upgrade didn't do is install an updated along
with the sendmail binary. So if you're a generic system, you have sendmail
8.12, and a sendmail 8.11 cf file. Those don't like each other, so the
system is broken out of the box. I've filed a bug in RADAR on that -- at the
least, we need to generate a .cf and put it somewhere with a README. Note
if you generated your own .cf file under 10.1.4 and before, you'll have to
generate a new one for 10.1.5, but in almost all circumstances, that's
simply running m4. If you did something that requires tweaking because of
the upgrade -- you probably know sendmail well enough to work it out.

To get up and running, here's what you do:

1) follow the instructions in /etc/mail/README. You do not need to change
the mc file -- it should work without changes, so you can skip the second
and third instructions (sudo cp and sudo vi) and run the m4 on the file.

2) the upgrade leaves the sendmail client queue directory with the incorrect
group, so you can't use it. To fix:
o ch /var/spool
o sudu chgrp smmsp clientmqueue

(I've filed a bug on this in RADAR)

3) the ugprade turns on write for group on the '/' directory. The correct
thing to do, I think, is to set DontBlameSendmail to not nag you about this,
but I've decided not to change the files, so the quick way to
Fix this nis:
o sudo chmod g-w /

Note this will mean you can't copy stuff into the root in the finder. If you
need that, figure out the DontBlameSendmail config items.

4) Add the line:

/usr/sbin/sendmail -C /etc/mail/ -q1h



After the first invocation of sendmail.

5) Set MAILSERVER to YES in /etc/hostconfig

6) restart.

You should now have a functioning mail system under 10.1.5.

Note: under sendmail 8.11 (MacOS X 10.1.4 and before) you didn't need a
sendmail daemon running for local-only mail delivery. Under sendmail 8.12
(MacOS 10.1.5) you do. If you want to, say, mail to "root," you now need to turn on a sendmail daemon. This is
required by the new security regimen in sendmail 8.12 to protect sendmail (a
setuid-root program) from access by hackers on the local system.

If you change this (by hacking or replacing, you are opening
yourself up to security problems. My recommendation: DON'T DO IT. If you
insist, don't complain to me later.

If you only want to send mail to non-local accounts (i.e., with no copy kept on the machine), you can configure to use a system other than localhost for delivery. You'll need to
decipher sendmail's instructions on how to do so -- I haven't done it yet.
If you aren't comfortable whacking sendmail, then don't do it. Just do the
above and keep it simple. I've filed an RFE in RADAR to suggest that
creating a that is configured for this case, and a README
explaining how to customize it for your smart mailhost, is a very good thing
to have.

Hopefully, this will get this straightened out a bit for folks.

[ Reply to This | # ]
fix does work
Authored by: cj69collins on Jun 10, '02 09:39:38PM
Thank you. Between your hint for getting sendmail working, it works like a champ. Using this article to setup IMAP, and figuring out I could forward mail to IMAP:username@localhost, I now get my system messages through Entourage. Notes: > Get the latest devtools to compile WU IMAPd. [Found this hint in the forums.] > Beware of It did not work for me. I edited env_unix.c, replacing line 676 with this:
sprintf(tmp, "%s/Library/Mail/Mailboxes", home); myHomeDir = cpystr (tmp); /* set home directory */
> You need to change ~root/.forward from /dev/null to IMAP:username@localhost for the trick to work. > You also need to change /etc/crontab to something similar to the following
30 17 * * * root sh /etc/daily 2>&1 | tee /var/log/daily.out | mail -s "daily output" root 40 17 * * 2 root sh /etc/weekly 2>&1 | tee /var/log/weekly.out | mail -s "weekly output" root 50 17 1 * * root sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "monthly output" root

[ Reply to This | # ]
fix dosn't work
Authored by: richardjpratt on Jun 14, '02 11:37:49PM

If you want to know how to set DontBlameSendmail you can see this article:

It duplicates a lot of the good advice you've already mentioned.

[ Reply to This | # ]
Advice from Apple
Authored by: JohnnyMnemonic on Jun 06, '02 12:27:18PM
The Mac OS X Server mailing list, hosted by Apple here (with browsable archives here (by recent date, in html) and here (older archives, plain text) have naturally talked about this at some length. (You may need to enter user/pass of "archives" and "archives" to view the archives.)

Although some folks mentioned circumventing the new security measures of sendmail, like in the above comment, Chuq Von Rospach, employee of Apple and maintainer (? some official capacity, at least) recommends strongly against.

You can read a summary of what his recommendation is here. He does a better job of explaining it than I, but basically--sendmail was updated with better security. The old cf file was not. Disabling the security of sendmail to make your old cf file work is NOT want you want to do; instead, update your cf file. Read the post and the README for more. Browse the archives to find the whole discussion, but a good part of it is in this thread (Sendmail- OSX 10.1.5 (localhost connection refusal).

[ Reply to This | # ]
It worked! [fix dosn't work]
Authored by: protoplasm on Jun 06, '02 04:29:08PM

Thanks ppmax.

After I updgraded to 10.1.5 my sendmail broke. I made the group and ownership changes posted on the initial post but this didn't work. When I restarted sendmail I received this error:

Starting mail services
user@[/usr/local/bin]: Msmtp: Warning: first argument in [IPC] mailer must be TCP or FILE
Mesmtp: Warning: first argument in [IPC] mailer must be TCP or FILE
Msmtp8: Warning: first argument in [IPC] mailer must be TCP or FILE
Mdsmtp: Warning: first argument in [IPC] mailer must be TCP or FILE
Mrelay: Warning: first argument in [IPC] mailer must be TCP or FILE

Yuck. Following your instructions worked, however. One change though in step 4: You said, " /Library/StartupItems/Sendmail/Sendmail ". This should be /System/Library/StartupItems/Sendmail/Sendmail.

Have a great day!

[ Reply to This | # ]
Re: It worked! [fix dosn't work]
Authored by: haumann on Jun 06, '02 05:18:04PM

That begins to answer a question. I've started getting the same six "... mailer must be TCP or FILE" warnings when running the daily cron script under 10.1.5. But how does one rebuild a sendmail config file to fix the issue?

[ Reply to This | # ]
Re: It worked! [fix doesn't work]
Authored by: RiotNrrrd on Jun 06, '02 05:35:27PM

Read /etc/mail/README to rebuild your /etc/mail/ file to be version 8.12.2.

Or check MacFixIt for my posting yesterday on this very same topic.

[ Reply to This | # ]
Oops! I just found it
Authored by: haumann on Jun 06, '02 05:39:32PM

Sorry, my bad. I found the key reply message above.

[ Reply to This | # ]
another problem
Authored by: protoplasm on Jun 06, '02 05:58:15PM
From the cmd line I type: mail -s "test message"
message blah blah

It returns: send-mail: setgroups: Operation not permitted
/Users/protsman/dead.letter... Saved message in /Users/protsman/dead.letter

I look in /var/log/mail.log and find this:

Jun 6 16:39:06 legolas sendmail[336]: g56Ld0pL000336:, ctladdr=protplasm (501/20), delay=00:00:06, xdelay=00:00:00, mailer=relay, pri=30044, relay=localhost, dsn=5.1.2, stat=Host unknown (Name server: localhost: host not found)

Anyone know what went wrong? (it worked before 10.1.5). Looking at an old log (before 10.1.5 update) I see a few differences. First, mailer in the old log says 'mailer=esmtp'; and second, relay says ''; and third, dsn says 'dsn=2.0.0'. And, of course, stat equals Sent in the old log.

Any ideas why these are different? What did I miss?

[ Reply to This | # ]
another problem -- update
Authored by: protoplasm on Jun 06, '02 06:49:45PM
A clarification ... it looks like this is supposed to happen due to tighter security (perhaps???). Sending mail from the cmd line fails. However, sending mail from a client (, also returned an error. So, I modified my Sendmail script (/System/Library/StartupItems/Sendmail/Sendmail). I changed this line: /usr/sbin/sendmail -C /etc/mail/ -q1h & to this: /usr/sbin/sendmail -bd -q1h & So, I can now finally send email (again). I'm not certain why the first config doesn't work though.

[ Reply to This | # ]
Same here
Authored by: Anonymous on Jun 18, '02 09:04:31PM

I've been hacking the hell out of all the sendmail-related files I can find, wildly guessing at what their owners, groups, and perms should be. I now have something with the minimal errors, but unfortunately it's the most cryptic.

send-mail: setgroups: Operation not permitted /Volumes/docs/joe/dead.letter... Saved message in /Volumes/docs/joe/dead.letter

Wonderful. I have *no* clue what's happening here. setgroups (in the manpage) is a function to set the current program's group id. This looks like sendmail trying to sgid itself. Unfortunately, setgroups fails if the caller is not root - which it *should be* in the case of sendmail! Something is odd somewhere. I'm going to triple-check ownership and bits on the sendmail binary...

Oh, and somewhere along the way I lost those excessive "mailer must be TCP or FILE" warnings. I don't know how I did it, but they've disappeared. Good riddance.

[ Reply to This | # ]
Try Postfix instead
Authored by: the_saintz on Jun 06, '02 05:40:18PM

This is kind of asinine, seeing as you're talking about using Sendmail, but...

Since OS X's version of Sendmail has some flaws (slow, sometimes hangs/refuses to launch, etc.) I decided to try Postfix. There are good instructions I found at Postfix is much faster (both at starting up and at actually sending), has better security (from what I can tell), and in general solved my problems with Sendmail. Although it's harder to configure than Sendmail, I think it's easier to configure Postfix than it would be to "Properly" configure the OS X version of Sendmail (so that it starts correctly and quickly everytime, doesn't get messed up when a new update comes out, doesn't get so picky about permissions but is still secure, etc.). It also didn't give me any trouble when I updated to 10.1.5. This might be a better long-term solution, therefore, if you can invest the hour to compile and config it.

[ Reply to This | # ]
sendmail is only listening to localhost
Authored by: SonicMcTails on Aug 09, '02 02:31:56AM

I can only get sendmail to listen to localhost. I need to make so I can connect from any computer (even if this means the my SMTP server could be used to spam). Can anyone help me ?

[ Reply to This | # ]