INSTALL INSTRUCTIONS

This is basically my HOW-TO install sendmail on a RedHat system with POP before SMTP authorization.

These instructions were tested and written using various RedHat 5.X to 7.X servers and these exact instructions were tested on RedHat 7.3. I also have reports that these instructions work fine with RedHat 8.0 and there are some notes on this in the contrib/ directory.

UPDATE: These instructions were updated for sendmail-8.13.3 as an update to the sendmail-8.12.X INSTALL File

Author: kevin@mcgrail.com

--

#WGET, UNTAR & INSTALL THE VARIOUS SUPPORT DISTRIBUTIONS

#CREATE A TEMP DIR FOR THE TAR FILES
rm -rf /tmp/20050225SENDMAIL/
mkdir /tmp/20050225SENDMAIL/
cd /tmp/20050225SENDMAIL/

#GET ALL THE FILES
wget http://www.peregrinehw.com/downloads/sendmail/sendmail-8.13.X/sendmail-source/sendmail.8.13.6.tar.gz
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/Linux-OS
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/popauth.m4
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/poprelayd-KAM.pl
wget http://www.peregrinehw.com/downloads/sendmail/sendmail-8.13.X/sendmail.mc
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/openssl.cnf
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/sendmail-ca-ssl.cnf
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/sendmail-ssl.cnf
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/site.config.m4.additions
wget http://www.peregrinehw.com/downloads/sendmail/sendmail-8.13.X/sendmail-source/openssl-0.9.7e.tar.gz
wget http://www.peregrinehw.com/downloads/sendmail/current-8.12.X/untarred/sendmail-init

#CLEAR OUT OLD SOURCE
rm -rf /usr/src/sendmail-8.13.*
rm -rf /usr/src/openssl-*

# INSTALL OPENSSL FOR STARTTLS (SSL) SUPPORT
# HOMEPAGE: http://www.openssl.org/
#
# Install openssl v0.9.7e:
cd /usr/src
tar zxvf /tmp/20050225SENDMAIL/openssl-0.9.7e.tar.gz
cd openssl-0.9.7e/
./config shared
make
make test
make install

# Add the following line to /etc/ld.so.conf
#
# /usr/local/ssl/lib
#
vim /etc/ld.so.conf
#
#Update ldconfig
#
ldconfig -v

#UNINSTALL THE DEFAULT SENDMAIL THAT COMES WITH THE OS, BUT SAVE SOME OF THE IMPORTANT FILES:
tar cvfz /tmp/20050225SENDMAIL/sendmail-save.tar.gz /etc/rc.d/init.d/sendmail /etc/sendmail.mc /etc/mail/sendmail.mc /etc/mail/sendmail.cf /etc/sendmail.cf /etc/aliases /etc/mail/ /etc/pam.d/smtp /etc/sysconfig/sendmail /usr/lib/sasl/Sendmail.conf
rpm -e sendmail sendmail-devel sendmail-cf --nodeps

# INSTALL SENDMAIL USING A FEW PATCHES AND CONFIGURATION FILES:
#
# HOMEPAGE: http://www.sendmail.org/
#
# Install sendmail v8.13.6
cd /usr/src/
tar zxvf /tmp/20050225SENDMAIL/sendmail.8.13.6.tar.gz
cd sendmail-8.13.6
cp /tmp/20050225SENDMAIL/sendmail.mc cf/cf
cp /tmp/20050225SENDMAIL/popauth.m4 cf/hack

#RH 7.X Change -- This fixes some non standard paths that Redhat uses
#
#You can also fix this at a minimum by doing a ln -s /usr/share/man /usr/man. Thanks to Greg Smith
#for pointing this out.
cp -f /tmp/20050225SENDMAIL/Linux-OS devtools/OS/Linux

#Add an SMMSP User -- This was needed as of Sendmail 8.12.X
/usr/sbin/adduser -M -u 102 -s /bin/false smmsp

#Add SSL Support
cat /tmp/20050225SENDMAIL/site.config.m4.additions >> devtools/Site/site.config.m4

# I DON'T THINK THIS WORKS AS EXPECTED BECAUSE SUBSEQUENT LINES ARE OVERWRITING THE OPTIONS!
# YOU NEED TO EDIT the site.config.m4 to add the lines i.e. THIS WORKED FOR ME
#APPENDDEF(`confINCDIRS', `-I/usr/local/ssl/include/')
#APPENDDEF(`confLIBDIRS', `-L/usr/local/ssl/lib')
#APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS -DMILTER -DSASL')
#APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto -lsasl')

#Add Milter Support
echo "APPENDDEF(\`conf_sendmail_ENVDEF', \`-DMILTER')" >> devtools/Site/site.config.m4

#Add SASL Support
echo "APPENDDEF(\`confENVDEF', \`-DSASL')" >> devtools/Site/site.config.m4
echo "APPENDDEF(\`conf_sendmail_LIBS', \`-lsasl')" >> devtools/Site/site.config.m4

sh Build
sh Build install
cd libmilter
sh Build -c
sh Build install
cd ..
cd libsm
sh Build
cd ..
cd cf/cf
sh Build sendmail.cf
cd /usr/src/sendmail-8.13.6/obj.`uname`.`uname -r`.`uname -m`/libsm
cp -f libsm.a /usr/lib/

#DELETE YOUR OBJECTS TO PREVENT LINKING AGAINST THEM
rm -r /usr/src/sendmail-8.13.6/obj.`uname`.`uname -r`.`uname -m`

#Install the Configuration files / Make dirs / etc.
cd /usr/src/sendmail-8.13.6/cf/cf
sh Build install-cf
mkdir /var/spool/mqueue
chmod 755 /etc/mail /var/spool/mqueue
chown root.mail /var/spool/mqueue
cp submit.mc sendmail.mc /etc/mail/

#NOTE: Poprelayd-KAM requires DB_File which is an ext module of perl and may need to be manually installed.
# i.e. 'cd /usr/src/perl-5.6.1/ext/DB_Files/; perl Makefile.PL; make; make install; cd /etc/mail'
# it is also typically available as an rpm, i.e. rpm --install perl-DB_File-1.75-36.1.73.i386.rpm
makemap hash /etc/mail/popauth.db < /dev/null
makemap hash /etc/mail/rcpt_flood.db < /dev/null
chmod 644 /etc/mail/popauth.db /etc/mail/rcpt_flood.db
cp /tmp/20050225SENDMAIL/poprelayd-KAM.pl /usr/local/sbin/
chmod +x /usr/local/sbin/poprelayd-KAM.pl

###Add Poprelay Daemon to /etc/rc.d/rc.local (i.e. add a line that says this /usr/local/sbin/poprelayd-KAM.pl -d)
###run Poprelay delay
/usr/local/sbin/poprelayd-KAM.pl -d

#OPTIONAL SSL CERT SECTION

#CREATE CERTIFICATES
cd /tmp/20050225SENDMAIL/

#EDIT THE CONFIG
vi sendmail-ca-ssl.cnf

#CREATE THE CERTIFICATE AUTHORITY FILES
/usr/bin/openssl req -new -x509 -keyout /usr/local/ssl/private/cakey.pem -out /usr/local/ssl/certs/cacert.pem -days 3650 -nodes -config sendmail-ca-ssl.cnf
#INTERACTIVE
chmod 400 /usr/local/ssl/private/cakey.pem

#EDIT THE CONFIG -- NOTE: DO NOT USE THE SAME CN FOR BOTH THE CA AND THE CERTIFICATE BELOW (See note at end)
vi sendmail-ssl.cnf

#CREATE THE CERTIFICATE
/usr/local/ssl/bin/openssl req -new -x509 -keyout /usr/local/ssl/private/sendmail.key -out /usr/local/ssl/certs/sendmail.csr -days 3650 -nodes -config sendmail-ssl.cnf
#INTERACTIVE
chmod 400 /usr/local/ssl/private/sendmail.key

#SIGN THE CERTIFICATE WITH THE CA FILE ABOVE
cd /usr/local/ssl
mv openssl.cnf openssl.old
cp /tmp/20050225SENDMAIL/openssl.cnf .
echo "20030917" > serial
touch index.txt
/usr/local/ssl/bin/openssl x509 -x509toreq -in /usr/local/ssl/certs/sendmail.csr -signkey /usr/local/ssl/private/sendmail.key -out /tmp/tmp.pem
/usr/local/ssl/bin/openssl ca -config /usr/local/ssl/openssl.cnf -policy policy_anything -days 3650 -out /usr/local/ssl/certs/sendmail.pem -infiles /tmp/tmp.pem
#INTERACTIVE
rm /tmp/tmp.pem

#STILL BUGGY: #SETUP CERTS FOR REDHAT RPM OF IMAP SERVICES FOR SSL
#STILL BUGGY: cd /usr/share/ssl/certs
#STILL BUGGY: rm -f imapd.pem ipop3d.pem
#STILL BUGGY: ln -s /usr/local/ssl/certs/imapd.pem imapd.pem
#STILL BUGGY: ln -s /usr/local/ssl/certs/imapd.pem ipop3d.pem
#STILL BUGGY:
#STILL BUGGY: #CREATE THE CERTIFICATE
#STILL BUGGY: cd /tmp/20050225SENDMAIL/
#STILL BUGGY: /usr/local/ssl/bin/openssl req -new -x509 -keyout /usr/local/ssl/certs/imapd.csr -out /usr/local/ssl/certs/imapd.csr -days 3650 -nodes -config sendmail-ssl.cnf
#STILL BUGGY: #INTERACTIVE
#STILL BUGGY:
#STILL BUGGY: #SIGN THE CERTIFICATE WITH THE CA FILE ABOVE
#STILL BUGGY: /usr/local/ssl/bin/openssl x509 -x509toreq -signkey /usr/local/ssl/certs/imapd.csr -in /usr/local/ssl/certs/imapd.csr -out /tmp/tmp.pem
#STILL BUGGY:
#STILL BUGGY: /usr/local/ssl/bin/openssl ca -config /usr/local/ssl/openssl.cnf -policy policy_anything -days 3650 -out /usr/local/ssl/certs/imapd.pem -infiles /tmp/tmp.pem
#STILL BUGGY:
#STILL BUGGY: #IMPORTANT: COPY THE PRIVATE KEY FROM IMAPD.CSR TO IMAPD.PEM
#STILL BUGGY:
#STILL BUGGY: #INTERACTIVE
#STILL BUGGY: rm /tmp/tmp.pem
#STILL BUGGY: chmod 400 /usr/local/ssl/certs/imapd.pem /usr/local/ssl/certs/imapd.csr

#Restore Saved files and Move files to proper locations
cd /tmp/20050225SENDMAIL/
tar zxvf sendmail-save.tar.gz
mv /tmp/20050225SENDMAIL/etc/rc.d/init.d/sendmail /etc/rc.d/init.d
#OLD WAY: cd /etc/rc.d/rc3.d; ln -s ../init.d/sendmail S80sendmail
#OLD WAY cd /etc/rc.d/rc0.d; ln -s ../init.d/sendmail K30sendmail
chkconfig sendmail on
mv /tmp/20050225SENDMAIL/etc/aliases /etc/mail/
mv /tmp/20050225SENDMAIL/etc/pam.d/smtp /etc/pam.d/
mv /tmp/20050225SENDMAIL/etc/sysconfig/sendmail /etc/sysconfig/
mv /tmp/20050225SENDMAIL/etc/mail/access /etc/mail
mv /tmp/20050225SENDMAIL/etc/mail/domaintable /etc/mail
mv /tmp/20050225SENDMAIL/etc/mail/local-host-names /etc/mail
mv /tmp/20050225SENDMAIL/etc/mail/mailertable /etc/mail
mv /tmp/20050225SENDMAIL/etc/mail/Makefile /etc/mail
mv /tmp/20050225SENDMAIL/etc/mail/trusted-users /etc/mail
mv /tmp/20050225SENDMAIL/etc/mail/virtusertable /etc/mail
mv /tmp/20050225SENDMAIL/usr/lib/sasl/Sendmail.conf /usr/lib/sasl/

#Alternate RH7 init script for sendmail -- Adds Submission Queue (*NECESSARY FOR MIMEDEFANG!*)
mv /tmp/20050225SENDMAIL/sendmail-init /etc/rc.d/init.d/sendmail
chmod +x /etc/rc.d/init.d/sendmail
echo CLIENTQUEUE=5m >> /etc/sysconfig/sendmail

#Recreate db files
/usr/bin/newaliases
make -C /etc/mail

#Create smrsh dir and link procmail and vacation
mkdir /usr/adm; mkdir /usr/adm/sm.bin; cd /usr/adm/sm.bin
#OPTIONAL -- The Current Patch MAY close the procmail security hole in smrsh but may not:
ln -s /usr/bin/procmail procmail
ln -s /usr/bin/vacation vacation

# IF YOU WANT TO USE 'mailstats'
touch /var/log/sendmail.st

#ADD THE FOLLOWING FOR GREET PAUSE & CLIENT CONNECTION/RATE SETTINGS
vi /etc/mail/access

    GreetPause:127.0.0.1    0
    ClientConn:127.0.0.1    0
    ClientRate:127.0.0.1    0
    ClientConn:             10
    ClientRate:             15

#REMAKE THE ACCESS FILE
make -C /etc/mail

#START HER UP!
/etc/rc.d/init.d/sendmail start

#GET RID OF THE TEMP DIR FOR THE TAR FILES (OPTIONAL)
rm -rf /tmp/20050225SENDMAIL/


NOTE ABOUT CN:

The CN is the CommonName which is the name of your server, say for example, www.pccc.com. If you make a certificate and a CA certificate and both of them have the same CN, then some browsers/SSL implementations will not work. For the CA cert, we recommend something like "Company Name's CA" and for the cert we recommend the name of the box.

For example, here is the cert for https://spam.peregrinehw.com/

View the cert:

openssl x509 -noout -text -in /usr/local/ssl/certs/spam.peregrinehw.com.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 537067828 (0x20030134)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Virginia, L=Fairfax City, O=Peregrine Hardeware, Inc., CN=Peregrine Hardware, Inc's CA
        Validity
            Not Before: Mar 5 20:59:24 2003 GMT
            Not After : Mar 2 20:59:24 2013 GMT
        Subject: C=US, ST=Virginia, L=Fairfax, O=Peregrine Hardware, Inc., OU=SpamAssassin, CN=spam.peregrinehw.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:e6:5e:07:5c:bb:2c:bc:d4:57:93:70:53:8b:b4:
                    48:2a:bf:e0:b0:fa:6d:33:8c:bd:d1:bd:68:68:2c:
                    cd:8c:b6:cd:32:33:8e:40:8c:22:0a:7d:c0:60:5c:
                    f0:ab:c1:f1:de:0e:94:cd:34:a1:e4:92:aa:84:fc:
                    74:d4:5a:81:04:42:46:2c:6a:79:90:b4:3a:2d:f0:
                    28:78:6b:f0:4e:6d:8c:9f:46:5e:c1:e6:d3:a6:a6:
                    d6:c6:68:ee:c9:a9:c7:73:53:1c:9d:54:b1:8f:22:
                    84:23:be:49:92:7f:c2:c0:bd:1b:72:d8:81:83:1c:
                    02:f3:f4:d8:d5:c7:dd:22:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                9F:D2:B1:6F:5F:AF:18:75:1C:ED:6E:58:09:82:9D:AD:03:1F:54:7E
            X509v3 Authority Key Identifier:
                DirName:/C=US/ST=Virginia/L=Fairfax City/O=Peregrine Hardeware, Inc./CN=Peregrine Hardware, Inc's CA
                serial:00

    Signature Algorithm: md5WithRSAEncryption
        bd:e5:fc:e0:1f:6e:04:bb:76:d0:ea:74:10:b3:b3:d1:1f:3e:
        63:37:92:49:89:61:8d:d1:12:e2:54:fb:68:d2:93:93:dd:04:
        08:11:7e:da:49:c8:8b:68:84:53:be:91:b3:bc:7c:92:1f:17:
        36:2b:98:59:61:48:b0:e0:98:c4:30:cd:94:41:78:0f:35:73:
        8c:d0:99:ba:e4:60:cd:7f:fa:cf:81:38:02:0d:8f:04:7b:28:
        0f:c8:78:90:02:94:fa:4e:e9:c0:c9:8d:5c:82:de:a7:91:b0:
        64:a1:69:ad:39:dd:50:b1:c1:32:6c:6d:2e:69:16:02:cf:f8:
        a9:ce
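
ADDED EXAMPLE (not part of the original INSTALL file or its downloads): a small shell check that reads "openssl x509 -noout -text" output and reports the CN collision described in the note above, and also, going beyond the note, an MD5/SHA-1 signature or a key under 2048 bits. The function names, the 2048-bit threshold and the second sample certificate are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit `openssl x509 -noout -text` output read from stdin.

# Print the CN of a name field. $1 = Issuer or Subject, $2 = certificate text.
# Assumes CN is the last component of the name, as in the output above.
cert_cn() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: .*CN *= *//p" | head -n 1
}

# Print one finding per line; print nothing when every check passes.
audit_cert_text() {
    text=$(cat)
    issuer_cn=$(cert_cn Issuer "$text")
    subject_cn=$(cert_cn Subject "$text")
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[- ]Key: *(\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -n "$subject_cn" ] && [ "$issuer_cn" = "$subject_cn" ]; then
        echo "CN_COLLISION: issuer and subject are both CN=$subject_cn"
    fi
    case $sigalg in
        md5*|sha1*) echo "WEAK_SIGNATURE: $sigalg" ;;
    esac
    # 2048 is this example's threshold, not a value from the page.
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "SHORT_KEY: public key is $bits bit"
    fi
}

# Header lines of the certificate shown above (hex fields left out).
page_cert() { cat <<'EOF'
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Virginia, L=Fairfax City, O=Peregrine Hardeware, Inc., CN=Peregrine Hardware, Inc's CA
        Subject: C=US, ST=Virginia, L=Fairfax, O=Peregrine Hardware, Inc., OU=SpamAssassin, CN=spam.peregrinehw.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
EOF
}

# Constructed input: a CA-signed certificate that reuses the CA's CN.
same_cn_cert() { cat <<'EOF'
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Example Org, CN=mail.example.com
        Subject: C=US, O=Example Org, CN=mail.example.com
            Public-Key: (2048 bit)
EOF
}

echo "page certificate:"; page_cert | audit_cert_text
echo "reused CN:";        same_cn_cert | audit_cert_text
```

Run it against the server certificate, e.g. "openssl x509 -noout -text -in /usr/local/ssl/certs/sendmail.pem | audit_cert_text"; a self-signed CA certificate always has identical issuer and subject, so it reports CN_COLLISION by design.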