

Confusion
Authored by: professor on Mar 10, '03 01:29:34PM

For those sendmail experts who don't have the time to read that article, my summary of what it does is:

  • Copy the file /usr/share/sendmail/conf/cf/generic-darwin.mc to /etc/mail/config.mc and modify it
  • Run the new file through m4 with
    % m4 /usr/share/sendmail/conf/m4/cf.m4 /etc/mail/config.mc > /tmp/sendmail.cf
  • Replace /etc/mail/sendmail.cf with the new /tmp/sendmail.cf

This is generic advice for producing a new (customized) sendmail.cf. In the end, /etc/mail/ should have a sendmail.cf and a submit.cf file.

  • Tell sendmail to use /etc/mail/sendmail.cf via netinfo with
    % sudo niutil -create . /locations/sendmail
    % sudo niutil -createprop . /locations/sendmail sendmail.cf /etc/mail/sendmail.cf
    
    Security Update 2003-03-03 fixed and updated sendmail but seems to have broken sendmail's former ability to read /etc/mail/sendmail.cf when told to by netinfo.

Utterly unnecessary. The default location for sendmail to find its configuration files is in /etc/mail. Unless you've overridden this in NETINFO, sendmail will work fine without this. (Which is why Apple didn't do it.)

I've seen several "cures":

  • Replace the /etc/mail/submit.cf file with my /etc/mail/sendmail.cf file. This got sendmail going again but sounded dangerous because sendmail is called twice for two different functions, and, I thought, once with sendmail.cf and once with submit.cf.
  • Modify /System/Library/StartupItems/Sendmail/Sendmail so that the first call to sendmail gets the "-Am" switch, which forces it to use /etc/mail/sendmail.cf. This sounded safer because the second invocation still gets to use its original submit.cf.

Both of these are wrong. The first invocation, with the "-bd" flag will cause sendmail to use sendmail.cf. The second invocation, with the "-Ac" flag will cause it to use submit.cf.

  • The posting above indicates we should make brand new .cf files, but I don't know how to make a new one that isn't exactly the same as the one I already made and want to use. And I don't know how a submit.cf file should differ from a sendmail.cf file.

Running the same sendmail.mc file through m4 with the cf/ from a new version of sendmail will produce a different sendmail.cf file as output (which is why it is good practice to rebuild your .cf files when updating sendmail).

Of course, if your /usr/share/sendmail/conf/ contains the config files from an old version of sendmail, you'll get the old version of sendmail.cf out.

If that's the case, you may need to download the sendmail source code from sendmail.org and use the cf/ directory found there instead of /usr/share/sendmail/conf/ to build your new *.cf files.

Is there anything clean and relatively simple that we can do that doesn't involve turning off sendmail, or understanding all of sendmail, or suffering until James Duncan Davidson writes a new article?

I didn't think very highly of the article in the first place, and I can see that it has caused more confusion than enlightenment. The instruction for building the *.cf files from the sendmail 8.12.8 source directory is

% cd cf/cf
% cp [your customized .mc file] sendmail.mc
% ./Build sendmail.cf
% sudo make install-cf
% sudo /System/Library/StartupItems/Sendmail/Sendmail restart

Mr. Davidson makes it all sound much more complicated than it is.



[ Reply to This | # ]
hostnameProblems
Authored by: dconroy on Mar 10, '03 02:31:28PM
No updates 'broke' sendmail for me precisely because that is the procedure that I was following. i.e. regenerate the .cf files. One problem has been created though. When I set up sendmail in the first place I used the line define(`confDOMAIN_NAME', `myDomain.com') to make outgoing mail come from user@myDomain.com. This broke with the updates, so now mail comes from user@machine-name.local. Any suggestions on how to fix this? Thanks, DC.

[ Reply to This | # ]
Confusion
Authored by: jzsimon on Mar 10, '03 02:33:35PM

Thanks for the thoughtful reply. Unfortunately I'm still confused because some of the things you said do not seem to be valid on my system:

o After the security update, the first invocation of sendmail, with the -bd flag but without the -Am flag reads submit.cf, *not* sendmail.cf. This is contrary to your statement and contrary to its behavior before the security update. For all I know it means that Apple's binary is broken. But it's also true that adding -Am did force sendmail to read sendmail.cf as it had before, which is what I thought I wanted (and you seem to agree). [Also, just for the record, the second invocation in my StartupItems/Sendmail/Sendmail file doesn't have the -Ac switch; it has -C /etc/mail/submit.cf instead, though I would guess there is no difference in execution.]

o Netinfo doesn't tell sendmail what directory to use, it tells it which file to use. Before the update, I configured netinfo to tell sendmail to use sendmail.cf (in /etc/mail/), and the first invocation of sendmail did so. After the update, netinfo was still configured to tell sendmail to use sendmail.cf but instead sendmail uses submit.cf (as said above). Using netinfo for this purpose in Mac OS X is recommended by Apple in /etc/mail/README. But of course one arm at Apple may not read the README of another arm at Apple. ;)

Also, you are correct in guessing that Apple did not update /usr/share/sendmail/conf/, so building new .cf files without downloading the source version of sendmail is impossible.

I agree Davidson's article spent a lot of time explaining simple things (much of what he said was how to write a shell script that performs what is recommended by Apple in /etc/mail/README) but I thought his tutorial on DontBlameSendmail and other sendmail configuration options was at a good level for those of us with familiarity with unix at the user level but not at the sysadmin level.

[Of course one can argue that turning unix users into recreational sysadmins is dangerous, and I'd agree, but that's a topic for a different forum. :) ]

In the meantime, I'll stick with my method two (use my old personal sendmail.cf and make sure it gets called by adding -Am) and rely on logcheck and my system log to make sure all those .cn users keep getting bounced off my smtp server.

jzsimon



[ Reply to This | # ]
Confusion
Authored by: professor on Mar 10, '03 03:29:03PM

o After the security update, the first invocation of sendmail, with the -bd flag but without the -Am flag reads submit.cf, *not* sendmail.cf. This is contrary to your statement and contrary to its behavior before the security update. For all I know it means that Apple's binary is broken. But it's also true that adding -Am did force sendmail to read sendmail.cf as it had before, which is what I thought I wanted (and you seem to agree).
[Also, just for the record, the second invocation in my StartupItems/Sendmail/Sendmail file doesn't have the -Ac switch; it has -C /etc/mail/submit.cf instead, though I would guess there is no difference in execution.]

From the sendmail manpage:

Parameters
   -Ac    Use  submit.cf  even if the operation mode does not
          indicate an initial mail submission.

   -Am    Use sendmail.cf even if the  operation  mode  indi-
          cates an initial mail submission.

   -bd    Run as a daemon.  Sendmail will  fork  and  run  in
          background listening on socket 25 for incoming SMTP
          connections.

   -Cfile Use alternate configuration file.  Sendmail refuses
          to run as root if an alternate  configuration  file
          is specified.

So I'm pretty sure "-bd" ought to imply "sendmail.cf". There is a subtle difference between "-Csubmit.cf" and "-Ac". When in doubt, I'd use the latter.

o Netinfo doesn't tell sendmail what directory to use, it tells it which file to use. Before the update, I configured netinfo to tell sendmail to use sendmail.cf (in /etc/mail/), and the first invocation of sendmail did so. After the update, netinfo was still configured to tell sendmail to use sendmail.cf but instead sendmail uses submit.cf (as said above). Using netinfo for this purpose in Mac OS X is recommended by Apple in /etc/mail/README. But of course one arm at Apple may not read the README of another arm at Apple. ;)

Again, which .cf file to use should be determined by how sendmail is invoked. If the invocation is as I wrote in my first post, you should not need NETINFO to tell it. It can only trip you up down the road (my experience).

Also, you are correct in guessing that Apple did not update /usr/share/sendmail/conf/, so building new .cf files without downloading the source version of sendmail is impossible.

Easily remedied, eh?

I agree Davidson's article spent a lot of time explaining simple things (much of what he said was how to write a shell script that performs what is recommended by Apple in /etc/mail/README) but I thought his tutorial on DontBlameSendmail and other sendmail configuration options was at a good level for those of us with familiarity with unix at the user level but not at the sysadmin level.

I think there are a lot better tutorials on sendmail available on the 'net. They may not be MacOSX specific, but the only truly MacOSX-specific aspects of Davidson's article were

  1. The bit about NETINFO (which I think was superfluous).
  2. The fact that sendmail gets started by /System/Library/StartupItems/Sendmail/Sendmail
  3. The fact that Apple's installers have a nasty habit of changing "/" to be group-writable, and that sendmail doesn't like this. But I think the correct solution (i.e., more secure) is to do a
    % sudo chmod 755 /
    after running the installer, rather than (as he advocates) making sendmail bend over and not complain about running with a group-writable directory.


[ Reply to This | # ]
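
The permission problem in point 3 of the comment above can be checked before restarting sendmail. The script below is an added example, not part of the thread and not sendmail's own code: the function name `unsafe_dirs` is hypothetical, and it approximates sendmail's path check by testing only the group and other write bits on each directory leading to the file.

```shell
#!/bin/sh
# Added example (not from the thread): list every directory on the path to
# a file that is group- or world-writable, the condition that the
# "chmod 755 /" advice above is meant to clear.

# unsafe_dirs FILE
#   Prints one line per writable directory, starting at the file's own
#   directory and walking up to "/". Prints nothing when the path is clean.
#   Returns 1 if the file's directory cannot be entered.
unsafe_dirs() {
    # Resolve symlinks first (on Mac OS X, /etc points into /private) so
    # the real directories are inspected rather than the link itself.
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    while :; do
        # -perm -020: group write bit set; -perm -002: other write bit set
        if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            printf '%s\n' "$dir"
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# When run with an argument, report on that file,
# e.g.: sh check.sh /etc/mail/sendmail.cf
if [ "$#" -gt 0 ]; then
    unsafe_dirs "$1"
fi
```

Any line of output names a directory to fix with chmod, which keeps the DontBlameSendmail relaxations out of the .mc file.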
Confusion
Authored by: mnewman on Mar 10, '03 08:53:45PM

Well, guess what. I'm still confused. Is anyone out there willing to post step-by-step instructions for what those of us who used the O'Reilly method (dontblamesendmail) to get sendmail running ought to do after applying the latest security update?

---
Mike Newman
Saipan and Narita Layover Pages:
http://net.saipan.com/personal/mike_newman/



[ Reply to This | # ]
Confusion
Authored by: AndyB40 on Mar 12, '03 04:41:41AM

I too would like to see what changes (step by step) are needed inside
the Sendmail file to fix the problem caused by the security update.



[ Reply to This | # ]
a little less confused now
Authored by: carsten on Mar 12, '03 03:38:54PM
Thanks for the info and instructions professor, this helped me a lot.

A few days ago my ISP had sent me email after their scan determined I was using the old sendmail, so I am eager to make sure I really am using the latest Sendmail.

I downloaded the latest source from sendmail.org. Then I copied /usr/share/sendmail/conf/cf/generic-darwin.mc to sendmail.mc and the rest of your instructions worked fine.

(I am not using any custom mc, and this generic file with my 10.2.4 is the same as the latest one in the Darwin CVS, except for some reason mine has RBL configuration entries. http://www.opensource.apple.com/cgi-bin/registered/cvs/sendmail/sendmail/cf/cf/generic-darwin.mc)

Now when I telnet localhost 25, I see "Sendmail 8.12.7/8.12.8" which is looking better, previously it showed "Sendmail 8.12.7/8.12.2".

I'm still a little troubled that part of the Sendmail version string appears to be the old version, and not 8.12.8. Also:


sendmail -d0 < /dev/null | perl -nle 'print if 1 .. /^$/'
tells me:

Version 8.12.7
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINFO NETUNIX NEWDB NIS PIPELINING SCANF
                USERDB XDEBUG

Any suggestions?

[ Reply to This | # ]