Bug 37305 - Wrong permissions in net-mail/sendmail
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All All
Importance: High normal
Assignee: Net-Mail Packages
Reported: 2004-01-05 08:30 UTC by Jan Schubert
Modified: 2005-02-17 01:05 UTC (History)
Attachments
sendmail-8.12.11-r3.ebuild.diff (sendmail-8.12.11-r3.ebuild.diff,366 bytes, patch)
2004-06-14 15:43 UTC, Cory Visi (RETIRED)

Description Jan Schubert 2004-01-05 08:30:03 UTC
From /usr/share/doc/sendmail-8.12.10/SECURITY.gz:

---------------
The default configuration starting with sendmail 8.12 uses one
sendmail binary which acts differently based on operation mode and
supplied options.

sendmail must be a set-group-ID (default group: smmsp, recommended
gid: 25) program to allow for queueing mail in a group-writable
directory.  Two .cf files are required:  sendmail.cf for the daemon
and submit.cf for the submission program.  The following permissions
should be used:

-r-xr-sr-x      root   smmsp    ... /PATH/TO/sendmail
drwxrwx---      smmsp  smmsp    ... /var/spool/clientmqueue
drwx------      root   wheel    ... /var/spool/mqueue
-r--r--r--      root   wheel    ... /etc/mail/sendmail.cf
-r--r--r--      root   wheel    ... /etc/mail/submit.cf
---------------

Some of them seem already covered by the ebuild:

    fowners root.smmsp /usr/sbin/sendmail
    fowners smmsp.smmsp /var/spool/clientmqueue
    fperms 770 /var/spool/clientmqueue
    fperms 700 /var/spool/mqueue

But these were wrong in my case, every file belongs to root:root (maybe, because ssmtp was installed before)!? Also, the .cf-files and sendmail itself have been "wrong" (not covered by the ebuild yet).

HTH,
Jan
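
An added example, not part of the original report or of the sendmail ebuild: a small audit that compares ownership and modes against the SECURITY table quoted above and reports each deviation. The octal modes are converted by hand from the ls strings, /usr/sbin/sendmail is taken from the ebuild's fowners line, the function names and the sample data are constructed for illustration, and the live check assumes GNU stat and getent.

```sh
#!/bin/sh
# Added example: audit sendmail 8.12 paths against the SECURITY table above.
# Octal modes are the ls strings converted by hand: -r-xr-sr-x = 2555,
# drwxrwx--- = 770, drwx------ = 700, -r--r--r-- = 444.
# /usr/sbin/sendmail is the path used by the ebuild's fowners line.
SPEC='2555 root smmsp /usr/sbin/sendmail
770 smmsp smmsp /var/spool/clientmqueue
700 root wheel /var/spool/mqueue
444 root wheel /etc/mail/sendmail.cf
444 root wheel /etc/mail/submit.cf'

# Constructed sample (not captured from a real host): everything root:root,
# as the report describes; the modes are made up for illustration.
SAMPLE='755 root root /usr/sbin/sendmail
770 root root /var/spool/clientmqueue
700 root root /var/spool/mqueue
644 root root /etc/mail/sendmail.cf'

# Reads "mode owner group path" lines (stat -c '%a %U %G %n' format) on stdin,
# prints one finding per deviation from SPEC, returns 1 if there is any.
audit_stat_lines() {
    observed=$(cat)
    failed=0
    while read -r want_mode want_owner want_group target; do
        line=$(printf '%s\n' "$observed" | awk -v p="$target" '$4 == p')
        if [ -z "$line" ]; then
            echo "MISSING $target"; failed=1; continue
        fi
        set -- $line
        [ "$1" = "$want_mode" ] || { echo "MODE $target: $1, expected $want_mode"; failed=1; }
        [ "$2" = "$want_owner" ] || { echo "OWNER $target: $2, expected $want_owner"; failed=1; }
        [ "$3" = "$want_group" ] || { echo "GROUP $target: $3, expected $want_group"; failed=1; }
    done <<EOF
$SPEC
EOF
    return "$failed"
}

# Live check (GNU stat and getent assumed); also flags the missing smmsp group
# behind the "chown: invalid user" errors reported in Comment 1.
live_audit() {
    getent group smmsp >/dev/null || echo "NOGROUP smmsp"
    printf '%s\n' "$SPEC" | while read -r m o g target; do
        stat -c '%a %U %G %n' "$target" 2>/dev/null || true
    done | audit_stat_lines
}

# Demo on the constructed sample; use live_audit on a real system.
printf '%s\n' "$SAMPLE" | audit_stat_lines || true
```

Run `live_audit` as root on the installed system so the queue directories can be read with stat.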
Comment 1 Eric Harney 2004-03-17 23:16:30 UTC
This is unfortunately still broken.

When emerging:
"make: Leaving directory `/var/tmp/portage/sendmail-8.12.10/work/sendmail-8.12.10/obj.Linux.2.6.4-gentoo.i686/mail.local'
chown: `root.smmsp': invalid user
chown: `smmsp.smmsp': invalid user"


I believe this is a fairly important thing to get fixed...
Comment 2 Allen Ziegenfus 2004-03-22 18:50:32 UTC
Yup, I just upgraded to 8.12.11 from 8.12.10 and now I can't send mail from my user account. 
Comment 3 Cory Visi (RETIRED) gentoo-dev 2004-06-14 15:42:35 UTC
This is really two bugs...

1. Permissions on /etc/mail/sendmail.cf, /etc/mail/submit.cf are not according to spec in the SECURITY file included with the sendmail distribution.  I do not think this is a problem.  There is no clear motivation to group-own these files "wheel".  The wheel group is not used in this way on Gentoo systems, in addition it does not have any higher permissions than (o)ther.  Furthermore, I see no reason to make these files 555.  The superuser may need to edit them at some point.  Most config files are fine at 755.

2. The sendmail ebuild (as of sendmail-8.12.11-r3) does not check for the existence of a smmsp group before doing fowners.  This definitely needs to be fixed.  This is a new feature of sendmail in 8.12.x (they finally caught up to postfix).  Even if this group makes it to baselayout, we need to check for it now.  I attached a diff for this.

Jan, can you weigh in? Thanks for all these bug reports, btw.
Comment 4 Cory Visi (RETIRED) gentoo-dev 2004-06-14 15:43:12 UTC
Created attachment 33254
sendmail-8.12.11-r3.ebuild.diff
Comment 5 Andrea Barisani (RETIRED) gentoo-dev 2004-12-07 02:22:36 UTC
A new sendmail-8.13.1-r1 ebuild is masked in portage now and it properly checks
smmsp group existence.

Testing is appreciated :)
Comment 6 Andrea Barisani (RETIRED) gentoo-dev 2005-02-17 01:05:07 UTC
This is fixed now.