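#!/usr/bin/env bash
#
# Original File
# -------------
# http://web.Linux-Sec.net/Mail/Sendmail-Install-HOWTO/permissions.txt
# http://web.Linux-Sec.net/Mail/Sendmail-Install-HOWTO/smrsh.links.txt
#
# 15-Nov-02 amo Separate and Clean Up Documents
# 31-Dec-02 amo Added more comments and added groupadd,useradd ( updated for sendmail-8.12.7 )
# 01-Mar-03 amo Fix the permissions
# 04-May-03 amo Updated for Sendmail-8.12.4 from http://Linux-Sec.net/Mail/etc.mail
#              ( requires mailertable.db virtusertable.db domaintable.db genericstable.db )
#
# --------------------------------------------------------------------
#
# Check permissions After Sendmail is Installed ( sendmail-8.12.x )
# ---------------------------------------------
#
# From ( near bottom )
# http://www.cs.montana.edu/harkin/courses/cs409/outline/15-email/outline.html#topic4
#
# http://www.sendmail.org/~ca/email/doc8.12/SECURITY
# http://www.sendmail.org/secure-install.html
#
# ----------------------------------------
# Sendmail command to test the permissions
# ----------------------------------------
#   /usr/lib/sendmail -bi -d44.4
#
# From sendmail-8.12.7/README
# ---------------------------
#   chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
#   chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
#
#   chmod 0640 /etc/mail/aliases /etc/mail/aliases.{db,pag,dir}
#   chmod 0640 /etc/mail/*.{db,pag,dir}
#   chmod 0640 /etc/mail/statistics /var/log/sendmail.st
#   chmod 0600 /var/run/sendmail.pid /etc/mail/sendmail.pid
#
#   sendmail -v -bi
#   If it gives messages such as
#     WARNING: World writable directory /var/spool/mqueue
#     /etc/mail/aliases: 155 aliases, longest 156 bytes, 10897 bytes total
#   then:
#     chmod go-w /var/spool/mqueue
#     chown root /var/spool/mqueue
#
# ================================================================
# --- Make sure Uid and Gid of smmsp is the same on ALL machines
# --- Make sure smmsp has /var/spool/clientmqueue as its home dir
# ================================================================
#
# /etc/passwd
#   smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin
#   mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/sbin/nologin
#   majordom:........:/sbin/nologin
#
# /etc/group
#   mail:xx:mail,smmsp,majordom
#   smmsp:25:smmsp,mail,majordom
#
# ------------------------------------
#
# Usage: run as root on each mail host. SMMSP_UID / SMMSP_GID may be set in
# the environment so the same ids are used on every machine (see the note
# above); the sample /etc/passwd uses 25/25, this script has used 225/225.

set -euo pipefail

SMMSP_UID=${SMMSP_UID:-225}
SMMSP_GID=${SMMSP_GID:-225}
readonly SMMSP_UID SMMSP_GID

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Create the smmsp group and user unless they already exist, so the script
# can be re-run safely. The home directory is /var/spool/clientmqueue as
# required by the note above (the earlier version used /home/smmsp, which
# contradicted it).
# Globals:   SMMSP_UID, SMMSP_GID (read)
#######################################
setup_smmsp_user() {
  getent group smmsp >/dev/null || groupadd -g "$SMMSP_GID" smmsp
  getent passwd smmsp >/dev/null \
    || useradd -u "$SMMSP_UID" -g "$SMMSP_GID" \
         -d /var/spool/clientmqueue -s /bin/false smmsp
}

#######################################
# Ownership and modes for the spool directories, the sendmail binary and
# /etc/mail. chown is done BEFORE chmod on the binary: on Linux a chown of
# a regular file clears its set-id bits, so the other order silently
# drops them.
#######################################
set_spool_perms() {
  # MSP client queue: drwxrwx--- smmsp smmsp (doc8.12/SECURITY below).
  # 750 was considered ("better ?") but 770 is what the reference shows.
  chown smmsp:smmsp /var/spool/clientmqueue
  chmod 770 /var/spool/clientmqueue
  # to clear mail stuck in the clientqueue:
  #   /usr/sbin/sendmail -L sm-msp-queue -Ac -q1m

  # MTA queue: drwx------ root (755 was considered and rejected)
  chown root:mail /var/spool/mqueue
  chmod 700 /var/spool/mqueue
  # to free up mail stuck in the queue:
  #   chmod 664 /var/spool/mqueue/*

  # mailboxes: root-owned, group mail (775 was considered and rejected)
  chown root:mail /var/spool/mail
  chmod 770 /var/spool/mail

  # sendmail 8.12 runs set-group-ID smmsp, NOT set-user-ID root:
  # -r-xr-sr-x root smmsp == mode 2555, as shown by the ls -la output and
  # doc8.12/SECURITY below. The earlier "chmod 4555" would have produced a
  # setuid-root -r-sr-xr-x binary and contradicted both references.
  chown root:smmsp /usr/sbin/sendmail
  chmod 2555 /usr/sbin/sendmail

  chown root /etc/mail
  chmod 755 /etc/mail
}

#######################################
# Print the lines of $2 containing the literal string $1 (like the plain
# grep checks did); warn on stderr instead of failing when it is absent.
# Arguments: $1 - literal string to look for, $2 - file to search
#######################################
check_entry() {
  local pattern=$1 file=$2
  if ! grep -F -- "$pattern" "$file"; then
    printf 'WARNING: %s not found in %s\n' "$pattern" "$file" >&2
  fi
}

#######################################
# localhost and localhost.localdomain must appear in local-host-names and
# in the access map source.
#######################################
check_local_entries() {
  local f
  for f in /etc/mail/local-host-names /etc/mail/access; do
    check_entry localhost "$f"
    check_entry localhost.localdomain "$f"
  done
}

#######################################
# Remove stale map databases so they are rebuilt from their text sources.
# NOTE: the rebuild itself ("make" in /etc/mail) is still commented out,
# as in the original; until it is run sendmail has no access/virtuser map.
#######################################
rebuild_maps() {
  cd /etc/mail || die "cannot cd to /etc/mail"
  rm -f access.db
  rm -f virtusertable.db
  # make
}

#
# Expected results
# ----------------
# ls -la /usr/sbin/sendmail*
#   -r-xr-sr-x 1 root smmsp 556062 Oct 10 21:46 /usr/sbin/sendmail
#
# ls -la /var/spool/clientmqueue
#   drwxr-xr-x 2 smmsp smmsp 4096 Oct 10 21:42 /var/spool/clientmqueue
#
# Starting sendmail MTA daemon
#   /usr/sbin/sendmail -L sm-mta -bd -q5m
#
# Starting sendmail MSP queue runner
#   /usr/sbin/sendmail -L sm-msp-queue -Ac -q5m
#
# http://rr.sans.org/email/sendmail_812.php
# http://www.sendmail.org/~ca/email/doc8.12/SECURITY
#   -r-xr-sr-x root smmsp ... /PATH/TO/sendmail
#   drwxrwx--- smmsp smmsp ... /var/spool/clientmqueue
#   drwx------ root wheel ... /var/spool/mqueue
#   -r--r--r-- root wheel ... /etc/mail/sendmail.cf
#   -r--r--r-- root wheel ... /etc/mail/submit.cf
#   ^^^^
# wheel group can also be "mail" group but might be less secure
#

main() {
  [[ $EUID -eq 0 ]] || die "must be run as root"
  setup_smmsp_user
  set_spool_perms
  check_local_entries
  rebuild_maps
}

main "$@"

# End of file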