Creating the Message Submission Program file submit.cf

Sendmail needs to run as root for several reasons. The Message Submission Program (MSP) configuration file submit.cf eliminates the need for sendmail to run as root to write email that is submitted from the command line to the queue directory.

MSP requires a set-user-ID/set-group-ID program to avoid problems with a world-writable directory. It is, however, sufficient to have a set-group-ID program and a group-writable queue directory. This can be fulfilled by a sendmail daemon that is started by root. This topic explains how to use two sendmail configurations to accomplish the goal of having a sendmail binary file that is not set-user-ID root, and thus is less problematic in the presence of system configuration and OS problems.

The default configuration, starting with sendmail 8.12, uses one sendmail binary file that acts differently based on operation mode and supplied options. When running in a program control environment, two binary files are used, /usr/sbin/sendmail and /bin/sendmail. For information on program control, see Configuring Security Server (RACF or equivalent) items.

Sendmail must be a set-group-ID (default group: smmspgrp, recommended gid: 25) program to allow for queueing mail in a group-writable directory. Two .cf files are required, sendmail.cf for the daemon and submit.cf for the submission program. For the permissions that should be used, see Table 1.

The SEZAINST(EZARACF) file shows sample commands to add the smmsp user and group, as follows:

ADDGROUP SMMSPGRP OMVS(GID(25))
ADDUSER  SENDMAIL DFLTGRP(SMMSPGRP) NOPASSWORD OMVS(UID(0) HOME('/'))
ADDUSER  SMMSP    DFLTGRP(SMMSPGRP) NOPASSWORD OMVS(UID(8000) PROGRAM('/bin/sh'))

That is, the owner of sendmail is root, the group is smmspgrp, and the binary file is set-group-ID. The client mail queue is owned by smmsp with group smmspgrp and is group writable. The client mail queue directory must be writable by smmspgrp, but it must not be accessible for others. That is, do not use world read or execute permissions. In submit.cf, the option UseMSP must be set, and QueueFileMode must be set to 0660. submit.cf is available in /usr/lpp/tcpip/samples/sendmail/cf, which has been built from /usr/lpp/tcpip/samples/sendmail/cf/submit.mc. The file can be used as is, or if you want to add more options, use /usr/lpp/tcpip/samples/sendmail/cf/submit.mc as a starting point.
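The permission layout described above can be checked mechanically. The following shell script is an added example, not part of the IBM samples: the function names, the /etc/mail/submit.cf install path, and the usage convention are assumptions, while the binary path, queue directory, group name, and option values are the ones given in this topic.

```shell
#!/bin/sh
# Added example (not IBM's code): audit the MSP permission layout.
# Uses `ls -ld` output only, so no non-POSIX stat(1) is needed.

mode_of()  { ls -ld "$1" | awk '{print substr($1, 1, 10)}'; }
group_of() { ls -ld "$1" | awk '{print $4}'; }

# Client queue: directory, rwx for the group, nothing for others.
queue_mode_ok() {
    case $1 in d???rw[xs]---) return 0 ;; *) return 1 ;; esac
}

# sendmail binary: set-group-ID, and not set-user-ID.
binary_mode_ok() {
    case $1 in
        -??[sS]*) return 1 ;;   # set-user-ID bit present
        -?????s*) return 0 ;;   # set-group-ID with group execute
        *)        return 1 ;;
    esac
}

# submit.cf must set UseMSP (a value starting with T or Y) and
# QueueFileMode=0660.
submit_cf_ok() {
    grep -q '^O[[:space:]]*UseMSP=[TtYy]' "$1" &&
    grep -q '^O[[:space:]]*QueueFileMode=0660[[:space:]]*$' "$1"
}

# audit BINARY QUEUE_DIR SUBMIT_CF GROUP -> 0 if every check passes
audit() {
    rc=0
    binary_mode_ok "$(mode_of "$1")" || { echo "FAIL: $1 mode"; rc=1; }
    [ "$(group_of "$1")" = "$4" ]    || { echo "FAIL: $1 group"; rc=1; }
    queue_mode_ok "$(mode_of "$2")"  || { echo "FAIL: $2 mode"; rc=1; }
    [ "$(group_of "$2")" = "$4" ]    || { echo "FAIL: $2 group"; rc=1; }
    submit_cf_ok "$3"                || { echo "FAIL: $3 options"; rc=1; }
    return $rc
}

# Usage: sh audit_msp.sh audit [GROUP] [SUBMIT_CF]
# /etc/mail/submit.cf is an assumed install path; the group name must be
# given as ls prints it on the system being checked.
if [ "${1:-}" = "audit" ]; then
    audit /usr/sbin/sendmail /usr/spool/clientmqueue \
          "${3:-/etc/mail/submit.cf}" "${2:-smmspgrp}"
fi
```

A queue directory with mode 0770 passes; 0775 or 0750 fails, as does a binary that carries the set-user-ID bit or lacks the set-group-ID bit.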

Guideline: Do not add options to submit.mc unless you are absolutely sure you need them. Options you might want to change include:

Some features are not intended to work with the MSP. These include features that influence the delivery process (for example, mailertable, aliases), or those that are important only for an SMTP server (for example, virtusertable, DaemonPortOptions, multiple queues). Moreover, relaxing certain restrictions (RestrictQueueRun, permissions on queue directory) or adding features (for example, enabling prog/file mailer) can cause security problems.

Other things do not work well with the MSP and require tweaking or workarounds. For example, to allow for client authentication, it is not sufficient to just provide a client certificate and the corresponding key, but it is also necessary to make the key group (smmsp) readable and tell sendmail not to complain about it as follows:

define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')

When FEATURE(`msp') is coded, the sendmail client will send all mail to the local mail server. If using the sendmail server as the local mail server, review the RELAY_DOMAIN() for the sendmail server. If needed, the sendmail client can be configured to send mail to a different server with this feature.

/usr/lpp/tcpip/samples/sendmail/feature/msp.m4 defines almost all settings for the MSP. Most of these should not be changed at all. Some of the features and options can be overridden if really necessary. It is a bit tricky to do this, because it depends on the actual way the option is defined in feature/msp.m4. If it is directly defined [that is, with define()], the modified value must be defined after the following line:

FEATURE(`msp')

If it is conditionally defined [that is, with ifdef()], the wanted value must be defined before the FEATURE line in the .mc file. To see how the options are defined, read feature/msp.m4.

The .cf file (sendmail.cf or submit.cf) is chosen based on the operation mode. For -bm (default), -bs, and -t, it is submit.cf, if it exists. For all others, it is sendmail.cf. This selection can be changed by -Ac (to use submit.cf) or -Am (to use sendmail.cf).

The daemon must be started by root as usual, for example:

/usr/sbin/sendmail -L sm-mta -bd -q1h

Note: If you run sendmail from inetd (which, in general, is not recommended), you must specify -Am in addition to -bs.

Mail ends up in the client queue if the daemon does not accept connections or if an address is temporarily not resolvable. The latter problem can be minimized by using the following lines:

FEATURE(`nocanonify', `canonify_hosts')
define(`confDIRECT_SUBMISSION_MODIFIERS', `C')

However, these lines might have unwanted side effects, as described in /usr/lpp/tcpip/samples/sendmail/README.m4. In general, it is necessary to clean the queue either with a cronjob or by running a daemon as follows:

Cronjob: /usr/sbin/sendmail -L sm-msp-queue -Ac -q
Daemon:  /usr/sbin/sendmail -L sm-msp-queue -Ac -q30m

Requirement: If z/OS® Security Server program control is used, the cronjob submission must be run from UID 0 and have READ access to the BPX.DAEMON resource in the FACILITY class.

If the option UseMSP is not set, sendmail will complain during queue runs about bogus file permission. If you want a queue runner for the client queue, you probably have to change OS-specific scripts to accomplish this (check the man pages of your OS for more information). You can start this program as root, and it will change its user ID to RunAsUser (smmsp by default, recommended uid: 25). This way, smmsp does not need a valid shell.

The following brief summary shows how the two configuration files are used:

sendmail.cf

For the MTA (mail transmission agent). The MTA is started by root as a daemon as follows:

/usr/sbin/sendmail -L sm-mta -bd -q1h

SMTP connections are accepted, on ports 25 and 587 by default. It runs the main queue, /usr/spool/mqueue by default if using /usr/lpp/tcpip/samples/sendmail/cf/sample.cf.

submit.cf

For the MSP (mail submission program). The MSP is used to submit email. Thus, it is invoked by programs, and maybe users. It does not run as SMTP. It uses /usr/spool/clientmqueue by default if using /usr/lpp/tcpip/samples/sendmail/cf/sample.cf, and can be started to run that queue periodically as follows:

/usr/sbin/sendmail -L sm-msp-queue -Ac -q30m