
Fixing Sendmail after March 2003 Security Update UNIX

I've seen posts on a lot of different forums where people are stuck trying to fix Sendmail after the March 2003 security update which was supposed to resolve issues with Sendmail, not break things. Today I came across what I think is the answer and got things working again.

Here's what you might be getting if you check your mail.log file in /var/log/. This is a sample from my log file.

Mar  5 12:14:50 fusion sendmail[3869]: h25HEoCQ003869: to=sboms@schawk.com,
  ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30036,
  relay=localhost [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by localhost

So how do you fix this you ask? Well, it should be quite simple. In my case, Apple didn't overwrite or change any of my config files (I had manually reconfigured Sendmail as per the instructions on the O'Reilly site). What it seems is happening is that Sendmail is now using the submit.cf file for its config file rather than sendmail.cf. Essentially, all I did was make a backup of the submit.cf file and copy my sendmail.cf file and rename it appropriately. Run these commands to accomplish this:

 % cd /etc/mail
 % cp submit.cf submit.cf.applesaved
 % cp sendmail.cf submit.cf
Now test out sending a message:
 % mail -v someone@somedomain.com
That's it. Sendmail should now be up and running again. I'm not sure of Apple's reasoning for making this change, but this fix seems to work. I've done this on two machines - a G4 tower and a Powerbook and they both work fine now. Of course, like anything, your mileage may vary but I'll be glad to help anyone who is stuck with this one.
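Added example (not part of the original hint): a shell filter that picks out the symptom shown in the log sample above, deliveries deferred because the hand-off to the relay on 127.0.0.1 was refused, and ignores refusals by remote hosts. The log lines, host names and addresses inside it are constructed.

```shell
#!/bin/sh
# Added example: find sendmail deliveries deferred because the local relay
# (127.0.0.1) refused the connection.

# Constructed sample log; the first entry mirrors the symptom in the hint.
sample_log() {
cat <<'EOF'
Mar  5 12:14:50 host1 sendmail[3869]: h25HEoCQ003869: to=user@example.org, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30036, relay=localhost [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by localhost
Mar  5 12:20:11 host1 sendmail[3901]: h25HKBCQ003901: to=ops@example.org, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30041, relay=localhost [127.0.0.1], dsn=2.0.0, stat=Sent (h25HKBx1003903 Message accepted for delivery)
Mar  5 12:31:02 host1 sendmail[3950]: h25HV2CQ003950: to=ops@example.org, delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=30050, relay=mx.example.net. [192.0.2.25], dsn=4.0.0, stat=Deferred: Connection refused by mx.example.net.
Mar  5 12:45:40 host1 sendmail[4012]: h25HjeCQ004012: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30036, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
EOF
}

# Reads syslog-format sendmail lines on stdin and prints "queue-id recipient"
# for every attempt that was refused by the loopback relay.
local_relay_refused() {
    awk '
    / sendmail\[[0-9]+\]: / && /stat=Deferred: Connection refused/ {
        # Refusals by remote hosts are a different problem; skip them.
        if ($0 !~ /relay=(localhost )?\[127\.0\.0\.1\]/) next
        qid = ""; to = ""
        for (i = 1; i <= NF; i++) {
            # The queue id is the field right after "sendmail[pid]:".
            if ($i ~ /^sendmail\[[0-9]+\]:$/) {
                qid = $(i + 1); sub(/:$/, "", qid)
            }
            if (to == "" && $i ~ /^to=/) {
                to = $i; sub(/^to=/, "", to); sub(/,$/, "", to)
            }
        }
        print qid, to
    }'
}

sample_log | local_relay_refused
```

Run against a real log with `local_relay_refused < /var/log/mail.log`.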

The following comments are owned by whoever posted them. This site is not responsible for what they say.
Fixing Sendmail after March 2003 Security Update
Authored by: professor on Mar 10, '03 10:56:22AM

Are you trying to run sendmail 8.12.x (the march security update was to 8.12.8; MacOSX 10.2.4 came with 8.12.6) using old sendmail.cf files from 8.11?

(My best guess is that you are not running Jaguar, or have not been keeping up with the updates, as Apple's been using Sendmail 8.12 (and hence submit.cf) for a while now.)

That's a really bad idea, as is subverting the MSP process by tricking it into using sendmail.cf instead of submit.cf.

You should sit down and create new 8.12 configuration files. Sendmail will work better and will be more secure if you do.

Oh, and make sure that /System/Library/StartupItems/Sendmail/Sendmail says:

/usr/sbin/sendmail -L sm-mta -bd -q1h &
/usr/sbin/sendmail -L sm-msp-queue -Ac -q 20m &

as the lines to startup sendmail (one as an MTA, one as an MSP, using, respectively sendmail.cf and submit.cf). Apple spooged this on their first go-around.



[ Reply to This | # ]
Fixing Sendmail after March 2003 Security Update
Authored by: scottboms on Mar 10, '03 11:38:56AM

Thanks for the tip. I am running all the latest updates, but my original Sendmail config files were back from 10.2 or 10.2.1. I had recreated them after the March security update, but things still didn't work. I'll be making the appropriate changes to my Sendmail config this morning.



[ Reply to This | # ]
Confusion
Authored by: jzsimon on Mar 10, '03 11:51:49AM
Maybe somebody could straighten out us poor slobs who learned everything we know about sendmail from James Duncan Davidson's article Configuring sendmail on Jaguar.

For those sendmail experts who don't have the time to read that article, my summary of what it does is:
o Copy the file /usr/share/sendmail/conf/cf/generic-darwin.mc to /etc/mail/config.mc and modify it
o Run the new file through m4 with
> m4 /usr/share/sendmail/conf/m4/cf.m4 /etc/mail/config.mc > /tmp/sendmail.cf
o Replace /etc/mail/sendmail.cf with the new /tmp/sendmail.cf
o Tell sendmail to use /etc/mail/sendmail.cf via netinfo with
> sudo niutil -create . /locations/sendmail
> sudo niutil -createprop . /locations/sendmail sendmail.cf /etc/mail/sendmail.cf


Security Update 2003-03-03 fixed and updated sendmail but seems to have broken sendmail's former ability to read /etc/mail/sendmail.cf when told to by netinfo.

I've seen several "cures":
o Replace the /etc/mail/submit.cf file with my /etc/mail/sendmail.cf file. This got sendmail going again but sounded dangerous because sendmail is called twice for two different functions, and, I thought, once with sendmail.cf and once with submit.cf.
o Modify /System/Library/StartupItems/Sendmail/Sendmail so that the first call to sendmail gets the "-Am" switch, which forces it to use /etc/mail/sendmail.cf. This sounded safer because the second invocation still gets to use its original submit.cf.
o The posting above indicates we should make brand new .cf files, but I don't know how to make a new one that isn't exactly the same as the one I already made and want to use. And I don't know how a submit.cf file should differ from a sendmail.cf file.

Is there anything clean and relatively simple that we can do that doesn't involve turning off sendmail, or understanding all of sendmail, or suffering until James Duncan Davidson writes a new article?

Thanks for listening,
jzsimon

p.s. Speaking for myself, all I want to do is to read email sent locally by cron jobs--I don't even want sendmail to know about the rest of the internet if I can help it.

[ Reply to This | # ]
Confusion
Authored by: professor on Mar 10, '03 01:29:34PM

For those sendmail experts who don't have the time to read that article, my summary of what it does is:

  • Copy the file /usr/share/sendmail/conf/cf/generic-darwin.mc to /etc/mail/config.mc and modify it
  • Run the new file through m4 with
    % m4 /usr/share/sendmail/conf/m4/cf.m4 /etc/mail/config.mc > /tmp/sendmail.cf
  • Replace /etc/mail/sendmail.cf with the new /tmp/sendmail.cf

This is generic advice for producing a new (customized) sendmail.cf. In the end, /etc/mail/ should have a sendmail.cf and a submit.cf file.

  • Tell sendmail to use /etc/mail/sendmail.cf via netinfo with
    % sudo niutil -create . /locations/sendmail
    % sudo niutil -createprop . /locations/sendmail sendmail.cf /etc/mail/sendmail.cf
    
    Security Update 2003-03-03 fixed and updated sendmail but seems to have broken sendmail's former ability to read /etc/mail/sendmail.cf when told to by netinfo.

Utterly unnecessary. The default location for sendmail to find its configuration files is in /etc/mail. Unless you've overridden this in NETINFO, sendmail will work fine without this. (Which is why Apple didn't do it.)

I've seen several "cures":

  • Replace the /etc/mail/submit.cf file with my /etc/mail/sendmail.cf file. This got sendmail going again but sounded dangerous because sendmail is called twice for two different functions, and, I thought, once with sendmail.cf and once with submit.cf.
  • Modify /System/Library/StartupItems/Sendmail/Sendmail so that the first call to sendmail gets the "-Am" switch, which forces it to use /etc/mail/sendmail.cf. This sounded safer because the second invocation still gets to use its original submit.cf.

Both of these are wrong. The first invocation, with the "-bd" flag will cause sendmail to use sendmail.cf. The second invocation, with the "-Ac" flag will cause it to use submit.cf.

  • The posting above indicates we should make brand new .cf files, but I don't know how to make a new one that isn't exactly the same as the one I already made and want to use. And I don't know how a submit.cf file should differ from a sendmail.cf file.

Running the same sendmail.mc file through m4 with the cf/ from a new version of sendmail will produce a different sendmail.cf file as output (which is why it is good practice to rebuild your .cf files when updating sendmail).

Of course, if your /usr/share/sendmail/conf/ contains the config files from an old version of sendmail, you'll get the old version of sendmail.cf out.

If that's the case, you may need to download the sendmail source code from sendmail.org and use the cf/ directory found there instead of /usr/share/sendmail/conf/ to build your new *.cf files.

Is there anything clean and relatively simple that we can do that doesn't involve turning off sendmail, or understanding all of sendmail, or suffering until James Duncan Davidson writes a new article?

I didn't think very highly of the article in the first place, and I can see that it has caused more confusion than enlightenment. The instruction for building the *.cf files from the sendmail 8.12.8 source directory is

% cd cf/cf
% cp [your customized .mc file] sendmail.mc
% ./Build sendmail.cf
% sudo make install-cf
% sudo /System/Library/StartupItems/Sendmail/Sendmail restart

Mr. Davidson makes it all sound much more complicated than it is.



[ Reply to This | # ]
hostnameProblems
Authored by: dconroy on Mar 10, '03 02:31:28PM
No updates 'broke' sendmail for me precisely because that is the procedure that I was following. i.e. regenerate the .cf files. One problem has been created though. When I set up sendmail in the first place I used the line define(`confDOMAIN_NAME', `myDomain.com') to make outgoing mail come from user@myDomain.com. This broke with the updates, so now mail comes from user@machine-name.local. Any suggestions on how to fix this? Thanks, DC.

[ Reply to This | # ]
Confusion
Authored by: jzsimon on Mar 10, '03 02:33:35PM

Thanks for the thoughtful reply. Unfortunately I'm still confused because some of the things you said do not seem to be valid on my system:

o After the security update, the first invocation of sendmail, with the -bd flag but without the -Am flag reads submit.cf, *not* sendmail.cf. This is contrary to your statement and contrary to its behavior before the security update. For all I know it means that Apple's binary is broken. But it's also true that adding -Am did force sendmail to read sendmail.cf as it had before, which is what I thought I wanted (and you seem to agree). [Also, just for the record, the second invocation in my StartupItems/Sendmail/Sendmail file doesn't have the -Ac switch; it has -C /etc/mail/submit.cf instead, though I would guess there is no difference in execution.]

o Netinfo doesn't tell sendmail what directory to use, it tells it which file to use. Before the update, I configured netinfo to tell sendmail to use sendmail.cf (in /etc/mail/), and the first invocation of sendmail did so. After the update, netinfo was still configured to tell sendmail to use sendmail.cf but instead sendmail uses submit.cf (as said above). Using netinfo for this purpose in Mac OS X is recommended by Apple in /etc/mail/README. But of course one arm at Apple may not read the README of another arm at Apple. ;)

Also, you are correct in guessing that Apple did not update /usr/share/sendmail/conf/, so building new .cf files without downloading the source version of sendmail is impossible.

I agree Davidson's article spent a lot of time explaining simple things (much of what he said was how to write a shell script that performs what is recommended by Apple in /etc/mail/README) but I thought his tutorial on DontBlameSendmail and other sendmail configuration options was at a good level for those of us with familiarity with unix at the user level but not at the sysadmin level.

[Of course one can argue that turning unix users into recreational sysadmins is dangerous, and I'd agree, but that's a topic for a different forum. :) ]

In the meantime, I'll stick with my method two (use my old personal sendmail.cf and make sure it gets called by adding -Am) and rely on logcheck and my system log to make sure all those .cn users keep getting bounced off my smtp server.

jzsimon



[ Reply to This | # ]
Confusion
Authored by: professor on Mar 10, '03 03:29:03PM

o After the security update, the first invocation of sendmail, with the -bd flag but without the -Am flag reads submit.cf, *not* sendmail.cf. This is contrary to your statement and contrary to its behavior before the security update. For all I know it means that Apple's binary is broken. But it's also true that adding -Am did force sendmail to read sendmail.cf as it had before, which is what I thought I wanted (and you seem to agree).
[Also, just for the record, the second invocation in my StartupItems/Sendmail/Sendmail file doesn't have the -Ac switch it has -C /etc/mail/submit.cf instead, though I would guess there is no difference in execution.]

From the sendmail manpage:

Parameters
   -Ac    Use  submit.cf  even if the operation mode does not
          indicate an initial mail submission.

   -Am    Use sendmail.cf even if the  operation  mode  indi-
          cates an initial mail submission.

   -bd    Run as a daemon.  Sendmail will  fork  and  run  in
          background listening on socket 25 for incoming SMTP
          connections.

   -Cfile Use alternate configuration file.  Sendmail refuses
          to run as root if an alternate  configuration  file
          is specified.

So I'm pretty sure "-bd" ought to imply "sendmail.cf". There is a subtle difference between "-Csubmit.cf" and "-Ac". When in doubt, I'd use the latter.

o Netinfo doesn't tell sendmail what directory to use, it tells it which file to use. Before the update, I configured netinfo to tell sendmail to use sendmail.cf (in /etc/mail/), and the first invocation of sendmail did so. After the update, netinfo was still configured to tell sendmail to use sendmail.cf but instead sendmail uses submit.cf (as said above). Using netinfo for this purpose in Mac OS X is recommended by Apple in /etc/mail/README. But of course one arm at Apple may not read the README of another arm at Apple. ;)

Again, which .cf file to use should be determined by how sendmail is invoked. If the invocation is as I wrote in my first post, you should not need NETINFO to tell it. It can only trip you up down the road (my experience).

Also, you are correct in guessing that Apple did not update /usr/share/sendmail/conf/, so building new .cf files without downloading the source version of sendmail is impossible.

Easily remedied, eh?

I agree Davidson's article spent a lot of time explaining simple things (much of what he said was how to write a shell script that performs what is recommended by Apple in /etc/mail/README) but I thought his tutorial on DontBlameSendmail and other sendmail configuration options was at a good level for those of us with familiarity with unix at the user level but not at the sysadmin level.

I think there are a lot better tutorials on sendmail available on the 'net. They may not be MacOSX specific, but the only truly MacOSX-specific aspects of Davidson's article were

  1. The bit about NETINFO (which I think was superfluous).
  2. The fact that sendmail gets started by /System/Library/StartupItems/Sendmail/Sendmail
  3. The fact that Apple's installers have a nasty habit of changing "/" to be group-writable, and that sendmail doesn't like this. But I think the correct solution (ie, more secure) is to do a
    % sudo chmod 755 /
    after running the installer, rather than (as he advocates) making sendmail bend over and not complain about running with a group-writable directory.


[ Reply to This | # ]
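Added example (not part of any poster's comment): a shell check that reads a start-up script and reports which configuration each sendmail line selects, using the flag meanings from the manpage excerpt quoted above. The sample scripts are constructed from invocation lines posted in this thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify sendmail start-up lines by the configuration file
# their flags select (-Am, -Ac, -C, or plain -bd).

# classify_invocation "COMMAND LINE"
#   -> mta-forced | msp | alt-config | mta-default | other
classify_invocation() {
    kind=other
    set -f                       # no globbing while word-splitting the line
    for w in $1; do
        case $w in
            -Am)     kind=mta-forced; break ;;
            -Ac)     kind=msp; break ;;
            -C|-C?*) kind=alt-config; break ;;
            -bd)     kind=mta-default ;;
        esac
    done
    set +f
    echo "$kind"
}

# audit_startup FILE -> prints one line per sendmail invocation and a verdict.
# Returns 0 only for one daemon line plus one -Ac line and no -C override.
audit_startup() {
    mta=0 msp=0 alt=0
    while IFS= read -r line; do
        case $line in
            *'#'*) line=${line%%#*} ;;      # drop comments
        esac
        case $line in
            */sendmail\ *) ;;
            *) continue ;;
        esac
        k=$(classify_invocation "$line")
        echo "$k: $line"
        case $k in
            mta-*)      mta=$((mta + 1)) ;;
            msp)        msp=$((msp + 1)) ;;
            alt-config) alt=$((alt + 1)) ;;
        esac
    done < "$1"
    if [ "$mta" -eq 1 ] && [ "$msp" -eq 1 ] && [ "$alt" -eq 0 ]; then
        echo "verdict: ok"
        return 0
    fi
    echo "verdict: review (mta=$mta msp=$msp alt-config=$alt)"
    return 1
}

# Constructed sample scripts built from invocation lines posted in the thread.
write_samples() {
    cat > "$1/two-process" <<'EOF'
# MTA and MSP started separately
/usr/sbin/sendmail -L sm-mta -bd -q1h &
/usr/sbin/sendmail -L sm-msp-queue -Ac -q 20m &
EOF
    cat > "$1/single-C" <<'EOF'
sleep 10
/usr/sbin/sendmail -C /etc/mail/submit.cf -q1h
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d"/*; do
        echo "== ${f##*/}"
        audit_startup "$f" || true
    done
    rm -rf "$d"
}
demo
```

To check a live system, call `audit_startup /System/Library/StartupItems/Sendmail/Sendmail`.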
Confusion
Authored by: mnewman on Mar 10, '03 08:53:45PM

Well, guess what. I'm still confused. Is anyone out there willing to post step-by-step instructions for what those of us who used the O'Reilly method (dontblamesendmail) to get sendmail running ought to do after applying the latest security update?

---
Mike Newman
Saipan and Narita Layover Pages:
http://net.saipan.com/personal/mike_newman/



[ Reply to This | # ]
Confusion
Authored by: AndyB40 on Mar 12, '03 04:41:41AM

I too would like to see what changes (step by step) are needed inside
the Sendmail file to fix the problem caused by the security update.



[ Reply to This | # ]
a little less confused now
Authored by: carsten on Mar 12, '03 03:38:54PM
Thanks for the info and instructions professor, this helped me a lot.

A few days ago my ISP had sent me email after their scan determined I was using the old sendmail so I am eager to make sure I really am using the latest Sendmail.

I downloaded the latest source from sendmail.org. Then I copied /usr/share/sendmail/conf/cf/generic-darwin.mc to sendmail.mc and the rest of your instructions worked fine.

(I am not using any custom mc, and this generic file with my 10.2.4 is the same as the latest one in the Darwin CVS, except for some reason mine has RBL configuration entries. http://www.opensource.apple.com/cgi-bin/registered/cvs/sendmail/sendmail/cf/cf/generic-darwin.mc)

Now when I telnet localhost 25, I see "Sendmail 8.12.7/8.12.8" which is looking better, previously it showed "Sendmail 8.12.7/8.12.2".

I'm still a little troubled that part of the Sendmail version string appears to be the old version, and not 8.12.8. Also:


sendmail -d0 < /dev/null | perl -nle 'print if 1 .. /^$/'
tells me:

Version 8.12.7
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINFO NETUNIX NEWDB NIS PIPELINING SCANF
                USERDB XDEBUG

Any suggestions?

[ Reply to This | # ]

Confusion
Authored by: baltwo on Mar 15, '03 02:26:28AM

I installed security update over 10.2.4 and sendmail sends my cron jobs exactly as written in the articles. Don't know what changed on your system.



[ Reply to This | # ]
Fixing Sendmail after March 2003 Security Update
Authored by: bluehz on Mar 10, '03 12:26:18PM
I too was having this same problem. As usual every time Apple updates something - it usually breaks sendmail. I personally only use sendmail to mail out crontask output to another full mailserver running on another box on my LAN. I ran across a nice tip though that may save me the grief of having to fix sendmail each and every time Apple updates. The tip was to just replace sendmail with postfix via fink. The theory being that since postfix is not in your standard system layout (rather it lives in /sw) then it won't get broken each time Apple updates. So I did just that - installed postfix via Fink.
fink install postfix
It remains to be seen whether it survives an Apple update - but the theory sounds solid. Beside that postfix is known to be much more secure than sendmail anyway. Configuration is also much easier than sendmail. I personally use and recommend Qmail as full-fledged mailserver. Its installation can be a bit hairy - but with a little work you can have an extremely configurable and secure Qmail installation with imap, mailing list, web interface configuration, etc. You can get the OS X Qmail installer here:

http://www.apple.com/downloads/macosx/unix_open_source/qmailsecureemailserverinstaller.html

and here are some tips for setup/installation:

http://www.macosxhints.com/article.php?story=20020709091327481&query=qmail

[ Reply to This | # ]

More confusion
Authored by: tjj on Mar 10, '03 02:49:39PM

Hmmm, confused indeed. I too used the oreilly article getting sendmail to pass on output from cronjobs. However, I don't think my sendmail broke immediately after the sec-update. I think it first broke after running either the weekly or monthly cleanup job. I then added a # to a out-commented line in the config.mc file and updated as per the instructions on the oreilly site. This got things working. I then checked the sendmail binary for this line
[xxx:/usr/sbin] xxx% strings sendmail | grep 'Dropped invalid comments from header address'
Dropped invalid comments from header address

which, according to the sendmail.org site should be present after the patch.
Sendmail version stated when I do mail -v.... is ESMTP Sendmail 8.12.7/8.12.6. Is this ok? I mean, the specified line IS in the sendmail binary...

Digression (sorry): I have my /Users/myusername sym-linked to another volume: /Volumes/Users/myusername and sendmail keeps complaining about the permissions of /Volumes being world writable. I keep changing it to
drwxrwxr-t 7 root wheel 238 Mar 10 17:10 /Volumes/
Am I causing trouble by removing the world writable ability?

Think I may look into this qmail when the time is available...
TIA



[ Reply to This | # ]
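Added example (not part of any poster's comment): the thread mentions sendmail objecting to a group-writable / and a world-writable /Volumes; this shell function resolves symlinks and lists every group- or world-writable directory above a given file. The directory tree is constructed, and the check is only a listing aid, not a reimplementation of sendmail's own tests.

```shell
#!/bin/sh
# Added example: list group- or world-writable directories above a file,
# resolving symlinks first so the real path is the one inspected.

# unsafe_ancestors PATH -> prints "MODE DIR" for each writable ancestor,
# walking from PATH's real parent directory up to /. Returns 2 if the parent
# directory cannot be entered.
unsafe_ancestors() {
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 2
    while :; do
        # First ten characters of ls -ld: type, then user/group/other rwx.
        mode=$(ls -ld "$dir" | cut -c1-10)
        case $mode in
            # Character 6 is group write, character 9 is other write.
            d????w????|d???????w?) echo "$mode $dir" ;;
        esac
        if [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return 0
}

# Constructed tree: a/ is 755, a/b/ is group-writable (775), and "link" is a
# symlink to a/b, similar to the symlinked home directory described above.
build_sample_tree() {
    root=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$root/a/b/c"
    chmod 755 "$root/a" "$root/a/b/c"
    chmod 775 "$root/a/b"
    ln -s "$root/a/b" "$root/link"
    : > "$root/a/b/c/sendmail.cf"
    echo "$root"
}

demo_root=$(build_sample_tree)
# Going in through the symlink still reports the real directory a/b
# (plus any writable system directories above the temporary tree).
unsafe_ancestors "$demo_root/link/c/sendmail.cf"
rm -rf "$demo_root"
```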
Fixing Sendmail after March 2003 Security Update
Authored by: yosithezet on Mar 10, '03 04:57:25PM

[191][david@localhost-11:46pm]/<1>mail] > fink apropos postfix
Information about 771 packages read in 2 seconds.

[192][david@localhost-11:46pm]/<1>mail] >



[ Reply to This | # ]
postfix via fink
Authored by: jzsimon on Mar 10, '03 09:07:37PM

> fink info postfix-release
Information about 1459 packages read in 7 seconds.


postfix-release-1.1.11-2: Mail transfer agent that's fast and secure
Postfix is a mail transfer agent designed to be fast, secure, and easy to
configure. It is meant to be Sendmail compatible so that it does not cause
problems for existing Sendmail users who want to make the switch to
another MTA.
.
This is an official release of Postfix. According to the Postfix web site:
"Official releases do not change except for bugfixes and for portability
fixes. New features are tested out in experimental releases..."
.
Usage Notes:
You need to do a few things to set Postfix up before you can use it:
.
1) Edit /sw/etc/postfix/main.cf. In particular, edit myorigin,
mydestination and mynetworks in that file. The file is well commented.
.
2) Edit the aliases in NetInfo so that root and postmaster redirect mail
to a real, live person. To do that, run:
.
sudo niutil -createprop . /aliases/root members youremail
.
Where youremail is a valid email address. If you check your mail on
this computer, you can just use your user name. Otherwise, you will
probably want to use your regular email address.
.
3) Run 'sudo mta-switch postfix' to move the old sendmail out of the way
and place symlinks to postfix in its place. You may need to do this
after upgrades of Mac OS X from Apple.
.
4) Run 'sudo daemonic enable postfix'. This will create a Postfix startup
item, but it won't actually start Postfix. To do that, you can run
'sudo postfix start'.
.
Removing postfix via Fink will automatically disable it and re-enable
sendmail.
.
Web site: http://www.postfix.org/
.
Maintainer: Daniel Parks <daniel@mwdesign.dyndns.org>



[ Reply to This | # ]
postfix via fink
Authored by: Johnny_B on Mar 19, '03 05:43:42PM

I love you man :O)

And I wondered, this line:

sudo niutil -createprop . /aliases/root members youremail

There were no such alias user here (root), so is it okay to just use the postmaster ? Like...

sudo niutil -createprop . /aliases/postmaster members youremail

??



[ Reply to This | # ]
Works for me, seems clean
Authored by: jzsimon on Mar 12, '03 10:52:55AM
This worked for me and appears to be the cleanest, simplest fix. The idea is courtesy of RonLP via MacFixit. The implementation (hopefully bug free, but it works for me) is mine. All shell > commands are entered in a terminal.

1) Backup /System/Library/StartupItems/Sendmail/Sendmail, e.g.
> sudo cp -p /System/Library/StartupItems/Sendmail/Sendmail \
/System/Library/StartupItems/Sendmail/Sendmail.old


2) Edit the same file to put a "-Am" in the first line calling sendmail, so that it reads /usr/sbin/sendmail -Am -bd -q1h
An easy way to edit it is with
> sudo pico /System/Library/StartupItems/Sendmail/Sendmail

3) Restart sendmail with
> sudo SystemStarter -v restart SMTP

The -Am tells sendmail to use /etc/mail/sendmail.cf. It is "supposed to" use this file anyway, but without the -Am it doesn't, it uses /etc/mail/submit.cf.

All of this assumes that you followed the Davidson article's instruction on how to create your own, new, /etc/mail/sendmail.cf file, and that before you applied the March 3 2003 security update your sendmail was working properly.

All the usual caveats apply; your results may vary. I'm not a sendmail expert at all.

[ Reply to This | # ]
Hack for new sendmail on 10.1.5
Authored by: mariox19 on Mar 14, '03 07:39:28AM

I'm running 10.1.5 and fell victim to Software Update. The March 2003 Security Update said Jaguar was required, but the update showed up on my machine anyway. I ran it, and met with problems running my sendmail.

I had my sendmail configured according to the O'Reilly article, Update to Terminal Part 3. Sendmail would run only when needed, and start up at system boot.

After the update, sendmail would no longer start at boot. In the system log file I would get the following: Exec format error. Reconfiguring my sendmail.cf file was no help.

Finally, I did three things. I copied my sendmail.cf to submit.cf. Then I made two changes to the startup script at /System/Library/StartupItems/Sendmail/Sendmail. First, I changed the sendmail command to only one command reading:



    /usr/sbin/sendmail -C /etc/mail/submit.cf -q1h

I also added this line before the above:

    sleep 10

It seems that the sleep command enabled sendmail to start, avoiding the exec format error. The one line to start sendmail allows it to run only when sending mail from my machine. (It is invisible to port scans.)

I don't know much about sendmail, but my guess is because it does not show up on port 25 (or any other I'm aware of) it is secure.

As always, your mileage may vary!

---
quiquid id est, timeo puellas et oscula dantes.

[ Reply to This | # ]