My employer’s OS-support model restricts root access to members of the Unix support team. Applications are normally installed into a package directory and run under a service ID. While this model works well for most applications, sendmail is tightly integrated into the OS and is not readily built into an application directory. We attempted to run sendmail as a non-root user with modified permissions on application directories such as /var/spool/mqueue – this worked, until OS patches were applied and permissions reset. We needed a way to run sendmail as a non-root user and allow the OS support team to patch servers without impacting the sendmail application.
Chroot makes a supplied directory the root of a process's view of the filesystem: the jailed process, and any children it forks, should not be able to reach anything outside the new root. As a security mechanism it has well-known limits. The short version is that a process which keeps root privileges inside the jail can break out without much effort, so chroot only adds anything when the daemon also drops to an unprivileged account (here, the confRUN_AS_USER setting in sendmail.mc), and mandatory access control such as SELinux is a far stronger isolation mechanism. Isolation is not the property we need from it, though. A chroot jail carries its own copies of system-owned directories (such as /var/spool/mqueue), binaries and libraries, so a sendmail instance kept inside a jail under the package directory is not touched by OS updates.
This approach works on relaying mail servers (i.e. those that queue mail to /var/spool/mqueue and send it on its merry way). If sendmail is hosting mailboxes, there are additional challenges to designing a chroot configuration that actually drops messages into mailbox files that users can access.
Preliminaries: Create a service account under which sendmail will run. The installation directory should be owned by that service account.
Set up the chroot jail location in the installation directory. In this example, that directory is /smt00p20.
mkdir /smt00p20/sendmail
mkdir /smt00p20/sendmail/dev
mkdir /smt00p20/opendkim
# dev/ under the opendkim jail holds the rsyslog socket added below
mkdir /smt00p20/opendkim/dev
We need /dev/null and /dev/random device nodes inside the sendmail jail. mknod requires root, so as root (or via sudo) run the following. (If TLS handshakes ever stall waiting for entropy, add /dev/urandom as well: character device, major 1, minor 9.)
# Create sendmail jail /dev/null
mknod /smt00p20/sendmail/dev/null c 1 3
# Create sendmail jail /dev/random
mknod /smt00p20/sendmail/dev/random c 1 8
We need an rsyslog socket under each jail: the jailed daemons can only see their own /dev, so the host's /dev/log is out of reach. The directives belong to rsyslog's imuxsock module, which the stock el7 rsyslog.conf already loads. In /etc/rsyslog.conf, add the following, then restart rsyslog (systemctl restart rsyslog) so the sockets are created:
# additional log sockets for chroot'ed jail
# Idea from http://www.ispcolohost.com/2014/03/14/how-to-get-syslog-records-of-chrooted-ssh-sftp-server-activity/
$AddUnixListenSocket /smt00p20/sendmail/dev/log
$AddUnixListenSocket /smt00p20/opendkim/dev/log
Additionally, these instructions assume both sendmail and sendmail-cf have been installed on the server. If they have not, you can download the RPMs, unpack them, and copy the files to the appropriate relative jail locations.
Chrooting Sendmail
Logged in with the sendmail ID, ensure you have a .bash_profile that loads .bashrc
-bash-4.2$ cat ~/.bash_profile
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
Edit ~/.bashrc and add the following (substituting your installation directory for /smt00p20) so that the commands below can be pasted as written:
export SENDMAILJAIL=/smt00p20/sendmail
export OPENDKIMJAIL=/smt00p20/opendkim
Log out of the service account and back in (or just source in the .bashrc file). Verify SENDMAILJAIL and OPENDKIMJAIL are set.
Copy a whole heap of 'stuff' into the jail. This includes some utilities (dig, bash, ls, vi, pidof, rm) used to troubleshoot issues inside the jail which are not strictly needed; they also hand a shell and tools to anyone who compromises the jailed daemon, so drop them from production jails once troubleshooting is done. I've also unpacked the strace RPM to the respective directories within the jail.
# Directory skeleton (usr/lib64 and the sasl2 directories are needed by the copies below)
mkdir $SENDMAILJAIL/bin
mkdir $SENDMAILJAIL/etc
mkdir $SENDMAILJAIL/etc/alternatives
mkdir $SENDMAILJAIL/etc/mail
mkdir $SENDMAILJAIL/etc/sasl2
mkdir $SENDMAILJAIL/etc/smrsh
mkdir $SENDMAILJAIL/lib
mkdir $SENDMAILJAIL/lib/tls
mkdir $SENDMAILJAIL/lib64
mkdir $SENDMAILJAIL/lib64/sasl2
mkdir $SENDMAILJAIL/tmp
mkdir $SENDMAILJAIL/usr
mkdir $SENDMAILJAIL/usr/bin
mkdir $SENDMAILJAIL/usr/sbin
mkdir $SENDMAILJAIL/usr/lib
mkdir $SENDMAILJAIL/usr/lib/sasl2
mkdir $SENDMAILJAIL/usr/lib64
mkdir $SENDMAILJAIL/usr/lib64/sasl2
mkdir $SENDMAILJAIL/var
mkdir $SENDMAILJAIL/var/log
mkdir $SENDMAILJAIL/var/log/mail
mkdir $SENDMAILJAIL/var/run
mkdir $SENDMAILJAIL/var/spool
mkdir $SENDMAILJAIL/var/spool/mqueue
mkdir $SENDMAILJAIL/var/spool/clientmqueue

# Host configuration read by the resolver, NSS and sendmail itself.
# /etc/shadow is deliberately not copied; the jail only needs name/uid lookups.
cp /etc/aliases $SENDMAILJAIL/etc/
cp /etc/aliases.db $SENDMAILJAIL/etc/
cp /etc/passwd $SENDMAILJAIL/etc/
cp /etc/group $SENDMAILJAIL/etc/
cp /etc/resolv.conf $SENDMAILJAIL/etc/
cp /etc/host.conf $SENDMAILJAIL/etc/
cp /etc/nsswitch.conf $SENDMAILJAIL/etc/
cp /etc/services $SENDMAILJAIL/etc/
cp /etc/hosts $SENDMAILJAIL/etc/
cp /etc/localtime $SENDMAILJAIL/etc/

# Sendmail configuration. If cloning an existing server, scp /etc/mail/* from the
# source to $SENDMAILJAIL/etc/mail instead of copying the local files.
# Verify sendmail.mc defines confRUN_AS_USER (RunAsUser in sendmail.cf) as the same
# service account you are using - the account on our servers is named 'sendmail'.
# Our old servers are not all set up with a run-as user, and failing to have one
# will cause write failures to the jail /var/spool/mqueue.
cp -r /etc/mail/. $SENDMAILJAIL/etc/mail/

# The sendmail binary and the alternatives/symlink layout the RPM installs
cp /usr/sbin/sendmail.sendmail $SENDMAILJAIL/usr/sbin/sendmail.sendmail
cd $SENDMAILJAIL/etc/alternatives
ln -s ../../usr/sbin/sendmail.sendmail ./mta
cd $SENDMAILJAIL/usr/sbin
ln -s ../../etc/alternatives/mta ./sendmail
ln -s ./sendmail ./newaliases
ln -s ./sendmail ./newaliases.sendmail
cd $SENDMAILJAIL/usr/bin
ln -s ../sbin/sendmail ./mailq
ln -s ../sbin/sendmail ./mailq.sendmail
ln -s ../sbin/sendmail.sendmail ./hoststat
ln -s ../sbin/sendmail.sendmail ./purgestat
ln -s ../sbin/makemap ./makemap
ln -s ./rmail.sendmail ./rmail

# Sendmail's helper binaries
cp /usr/sbin/makemap $SENDMAILJAIL/usr/sbin/makemap
cp /usr/sbin/mailstats $SENDMAILJAIL/usr/sbin/mailstats
cp /usr/sbin/praliases $SENDMAILJAIL/usr/sbin/praliases
cp /usr/sbin/smrsh $SENDMAILJAIL/usr/sbin/smrsh
cp /usr/bin/rmail.sendmail $SENDMAILJAIL/usr/bin/rmail.sendmail

# Shared libraries sendmail links against, under usr/lib64. On el7 /lib64 is a
# symlink to /usr/lib64, so these are the same host files as the lib64 copies
# further down; the jail has no ld.so.cache, so the loader falls back to searching
# both directories and the jail keeps a real copy in each.
cp /usr/lib64/libssl.so.10 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libcrypto.so.10 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libnsl.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libwrap.so.0 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libhesiod.so.0 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libcrypt.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libdb-5.3.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libresolv.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libsasl2.so.3 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libldap-2.4.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/liblber-2.4.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libc.so.6 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libgssapi_krb5.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libkrb5.so.3 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libcom_err.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libk5crypto.so.3 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libdl.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libz.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libidn.so.11 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libfreebl3.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libpthread.so.0 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libssl3.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libsmime3.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libnss3.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libnssutil3.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libplds4.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libplc4.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libnspr4.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/ld-linux-x86-64.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libkrb5support.so.0 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libkeyutils.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/librt.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libselinux.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libpcre.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libnss_dns.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libnss_files.so.2 $SENDMAILJAIL/usr/lib64/

# Resolver and NSS modules. These are loaded with dlopen() at run time, so they
# never show up in ldd output; the -2.17.so names are the el7 glibc, and the
# symlinks are created relative to the directory we are standing in.
cd $SENDMAILJAIL/lib64
cp /lib64/libnss_dns-2.17.so ./libnss_dns-2.17.so
ln -s ./libnss_dns-2.17.so ./libnss_dns.so.2
cp /lib64/libresolv-2.17.so ./libresolv-2.17.so
ln -s ./libresolv-2.17.so ./libresolv.so.2
cp /lib64/libnss_files-2.17.so ./libnss_files-2.17.so
ln -s ./libnss_files-2.17.so ./libnss_files.so.2
cd $SENDMAILJAIL/lib
cp /lib64/libnss_dns-2.17.so ./libnss_dns-2.17.so
ln -s ./libnss_dns-2.17.so ./libnss_dns.so.2
cp /lib64/libresolv-2.17.so ./libresolv-2.17.so
ln -s ./libresolv-2.17.so ./libresolv.so.2
cp /lib64/libnss_files-2.17.so ./libnss_files-2.17.so
ln -s ./libnss_files-2.17.so ./libnss_files.so.2

# Cyrus SASL plugins (also loaded at run time) and sendmail's SASL config
cp /usr/lib64/sasl2/* $SENDMAILJAIL/usr/lib64/sasl2/
cp /lib64/sasl2/* $SENDMAILJAIL/lib64/sasl2/
cp /etc/sasl2/Sendmail.conf $SENDMAILJAIL/usr/lib64/sasl2/
cp /etc/sasl2/Sendmail.conf $SENDMAILJAIL/etc/sasl2/

# The same libraries under lib64
cp /lib64/ld-linux-x86-64.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libc.so.6 $SENDMAILJAIL/lib64/
cp /lib64/libcom_err.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libcrypt.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libcrypto.so.10 $SENDMAILJAIL/lib64/
cp /lib64/libdb-5.3.so $SENDMAILJAIL/lib64/
cp /lib64/libdl.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libfreebl3.so $SENDMAILJAIL/lib64/
cp /lib64/libgssapi_krb5.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libhesiod.so.0 $SENDMAILJAIL/lib64/
cp /lib64/libidn.so.11 $SENDMAILJAIL/lib64/
cp /lib64/libk5crypto.so.3 $SENDMAILJAIL/lib64/
cp /lib64/libkeyutils.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libkrb5.so.3 $SENDMAILJAIL/lib64/
cp /lib64/libkrb5support.so.0 $SENDMAILJAIL/lib64/
cp /lib64/liblber-2.4.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libldap-2.4.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libnsl.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libnspr4.so $SENDMAILJAIL/lib64/
cp /lib64/libnss3.so $SENDMAILJAIL/lib64/
cp /lib64/libnssutil3.so $SENDMAILJAIL/lib64/
cp /lib64/libpcre.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libplc4.so $SENDMAILJAIL/lib64/
cp /lib64/libplds4.so $SENDMAILJAIL/lib64/
cp /lib64/libpthread.so.0 $SENDMAILJAIL/lib64/
cp /lib64/librt.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libsasl2.so.3 $SENDMAILJAIL/lib64/
cp /lib64/libselinux.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libsmime3.so $SENDMAILJAIL/lib64/
cp /lib64/libssl.so.10 $SENDMAILJAIL/lib64/
cp /lib64/libssl3.so $SENDMAILJAIL/lib64/
cp /lib64/libwrap.so.0 $SENDMAILJAIL/lib64/
cp /lib64/libz.so.1 $SENDMAILJAIL/lib64/

# Troubleshooting tools (dig, bash, ls, vi, pidof, rm) and the extra libraries
# they pull in. None of these are needed to run sendmail.
cp /bin/dig $SENDMAILJAIL/bin/
cp /bin/bash $SENDMAILJAIL/bin/
cp /bin/ls $SENDMAILJAIL/bin/
cp /bin/vi $SENDMAILJAIL/bin/
cp /bin/rm $SENDMAILJAIL/bin/
cp /usr/sbin/pidof $SENDMAILJAIL/usr/sbin/pidof
cp /lib64/libdns.so.100 $SENDMAILJAIL/lib64/
cp /lib64/liblwres.so.90 $SENDMAILJAIL/lib64/
cp /lib64/libbind9.so.90 $SENDMAILJAIL/lib64/
cp /lib64/libisccfg.so.90 $SENDMAILJAIL/lib64/
cp /lib64/libisccc.so.90 $SENDMAILJAIL/lib64/
cp /lib64/libisc.so.95 $SENDMAILJAIL/lib64/
cp /lib64/libcap.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libGeoIP.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libxml2.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libm.so.6 $SENDMAILJAIL/lib64/
cp /lib64/libattr.so.1 $SENDMAILJAIL/lib64/
cp /lib64/liblzma.so.5 $SENDMAILJAIL/lib64/
cp /lib64/libtinfo.so.5 $SENDMAILJAIL/lib64/
cp /lib64/libacl.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libprocps.so.4 $SENDMAILJAIL/lib64/
cp /lib64/libsystemd.so.0 $SENDMAILJAIL/lib64/
cp /lib64/libgcrypt.so.11 $SENDMAILJAIL/lib64/
cp /lib64/libgpg-error.so.0 $SENDMAILJAIL/lib64/
cp /lib64/libdw.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libgcc_s.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libelf.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libbz2.so.1 $SENDMAILJAIL/lib64/
Under your ID, ensure the proper permissions are set on the chroot jail
sudo chown -R sendmail:mail /smt00p20/sendmail/
sudo chown sendmail /smt00p20/sendmail/var/spool/mqueue
sudo chmod 0700 /smt00p20/sendmail/var/spool/mqueue
sudo chmod -R go-w /smt00p20/sendmail
sudo chmod 0400 /smt00p20/sendmail/etc/mail/*.cf
Now verify it works – still under your ID as you have sudo permission to run chroot.
sudo /sbin/chroot /smt00p20/sendmail /bin/ls
# You should see a directory listing like this, not an error
bin dev etc lib lib64 tmp usr var
Assuming there are no problems, run sendmail:
sudo /sbin/chroot /smt00p20/sendmail /usr/sbin/sendmail -bd -q5m
Test sending mail through the server to verify proper functionality.
Unit Config: Edit the systemd unit file and add the RootDirectory directive. With RootDirectory set, the ExecStart path is resolved inside the jail, while PIDFile and EnvironmentFile are resolved on the host (hence the /smt00p20/sendmail prefix on EnvironmentFile). Note that /etc/systemd/system/multi-user.target.wants/sendmail.service is only a symlink to the packaged unit in /usr/lib/systemd/system, which the next sendmail RPM update overwrites; copy the unit to /etc/systemd/system/sendmail.service, which takes precedence over the packaged copy and survives patching, and edit that copy:
sudo cp /usr/lib/systemd/system/sendmail.service /etc/systemd/system/sendmail.service
sudo vi /etc/systemd/system/sendmail.service
[Unit]
Description=Sendmail Mail Transport Agent
After=syslog.target network.target
Conflicts=postfix.service exim.service
Wants=sm-client.service

[Service]
RootDirectory=/smt00p20/sendmail
Type=forking
StartLimitInterval=0
# Known issue – pid causes service hang/timeout that bothers Unix guys
# https://bugzilla.redhat.com/show_bug.cgi?id=1253840
#PIDFile=/run/sendmail.pid
Environment=SENDMAIL_OPTS=-q15m
EnvironmentFile=-/smt00p20/sendmail/etc/sysconfig/sendmail
ExecStart=/usr/sbin/sendmail -bd $SENDMAIL_OPTS $SENDMAIL_OPTARG

[Install]
WantedBy=multi-user.target
Also=sm-client.service
Then run “systemctl daemon-reload” to ingest the changes.
You can now use systemctl to start and stop the sendmail service.
Chrooting opendkim
Create the chroot jail and lib64 directory, create the base directories, then add a few core Linux files so you have a bash shell:
# $OPENDKIMJAIL itself was created in the preliminaries; -p also creates the
# usr parent, usr/lib (used below) and var/run/opendkim (where the unit file
# below expects the pid file)
mkdir -p $OPENDKIMJAIL/bin
mkdir -p $OPENDKIMJAIL/dev
mkdir -p $OPENDKIMJAIL/etc
mkdir -p $OPENDKIMJAIL/lib64
mkdir -p $OPENDKIMJAIL/usr/lib
mkdir -p $OPENDKIMJAIL/usr/lib64
mkdir -p $OPENDKIMJAIL/var/run/opendkim
cp /lib64/libtinfo.so.5 $OPENDKIMJAIL/lib64/
cp /lib64/libdl.so.2 $OPENDKIMJAIL/lib64/
cp /lib64/libc.so.6 $OPENDKIMJAIL/lib64/
cp /lib64/ld-linux-x86-64.so.2 $OPENDKIMJAIL/lib64/
cp /bin/bash $OPENDKIMJAIL/bin/
cp /lib64/libstdc++.so.6* $OPENDKIMJAIL/lib64/
cp /lib64/libm.so.6 $OPENDKIMJAIL/lib64/
cp /lib64/libgcc_s.so.1 $OPENDKIMJAIL/lib64/
cp /lib64/libnss_files* $OPENDKIMJAIL/lib64/
Unpack the following RPMs:
# cpio extracts relative to the current directory, so unpack in a scratch
# directory rather than in / or inside the jail
mkdir /tmp/opendkim-rpms
cd /tmp/opendkim-rpms
rpm2cpio opendkim-2.11.0-0.1.el7.x86_64.rpm | cpio -idmv
rpm2cpio libopendkim-2.11.0-0.1.el7.x86_64.rpm | cpio -idmv
rpm2cpio sendmail-milter-8.14.7-5.el7.x86_64.rpm | cpio -idmv
rpm2cpio opendbx-1.4.6-6.el7.x86_64.rpm | cpio -idmv
rpm2cpio libmemcached-1.0.16-5.el7.x86_64.rpm | cpio -idmv
rpm2cpio libbsd-0.6.0-3.el7.elrepo.x86_64.rpm | cpio -idmv
Then move the unpacked files into the corresponding location in the $OPENDKIMJAIL directory.
Copy host configuration ‘stuff’ from /etc
cp /etc/aliases $OPENDKIMJAIL/etc/
cp /etc/aliases.db $OPENDKIMJAIL/etc/
cp /etc/passwd $OPENDKIMJAIL/etc/
cp /etc/group $OPENDKIMJAIL/etc/
cp /etc/resolv.conf $OPENDKIMJAIL/etc/
cp /etc/host.conf $OPENDKIMJAIL/etc/
cp /etc/nsswitch.conf $OPENDKIMJAIL/etc/
cp /etc/services $OPENDKIMJAIL/etc/
cp /etc/hosts $OPENDKIMJAIL/etc/
cp /etc/localtime $OPENDKIMJAIL/etc/
Copy some more files:
cp /lib64/libcom_err.so.2 $OPENDKIMJAIL/lib64/
cp /lib64/libcrypt.so.1 $OPENDKIMJAIL/lib64/
cp /lib64/libcrypto.so.10 $OPENDKIMJAIL/lib64/
cp /lib64/libdb-5.3.so $OPENDKIMJAIL/lib64/
cp /lib64/libfreebl3.so $OPENDKIMJAIL/lib64/
cp /lib64/libgssapi_krb5.so.2 $OPENDKIMJAIL/lib64/
cp /lib64/libk5crypto.so.3 $OPENDKIMJAIL/lib64/
cp /lib64/libkeyutils.so.1 $OPENDKIMJAIL/lib64/
cp /lib64/libkrb5.so.3 $OPENDKIMJAIL/lib64/
cp /lib64/libkrb5support.so.0 $OPENDKIMJAIL/lib64/
cp /lib64/liblber-2.4.so.2 $OPENDKIMJAIL/lib64/
cp /lib64/libldap-2.4.so.2 $OPENDKIMJAIL/lib64/
cp /lib64/libnspr4.so $OPENDKIMJAIL/lib64/
cp /lib64/libnss3.so $OPENDKIMJAIL/lib64/
cp /lib64/libnssutil3.so $OPENDKIMJAIL/lib64/
cp /lib64/libpcre.so.1 $OPENDKIMJAIL/lib64/
cp /lib64/libplc4.so $OPENDKIMJAIL/lib64/
cp /lib64/libplds4.so $OPENDKIMJAIL/lib64/
cp /lib64/libpthread.so.0 $OPENDKIMJAIL/lib64/
cp /lib64/libresolv.so.2 $OPENDKIMJAIL/lib64/
cp /lib64/librt.so.1 $OPENDKIMJAIL/lib64/
cp /lib64/libsasl2.so.3 $OPENDKIMJAIL/lib64/
cp /lib64/libselinux.so.1 $OPENDKIMJAIL/lib64/
cp /lib64/libsmime3.so $OPENDKIMJAIL/lib64/
cp /lib64/libssl.so.10 $OPENDKIMJAIL/lib64/
cp /lib64/libssl3.so $OPENDKIMJAIL/lib64/
cp /lib64/libz.so.1 $OPENDKIMJAIL/lib64/
cp /usr/lib64/libssl.so.10 $OPENDKIMJAIL/usr/lib64/
# libmilter came from the unpacked sendmail-milter RPM; make it visible in the
# other library directories the jailed loader searches
cp $OPENDKIMJAIL/usr/lib64/libmilter.so.1.0 $OPENDKIMJAIL/usr/lib/
cp $OPENDKIMJAIL/usr/lib64/libmilter.so.1.0.1 $OPENDKIMJAIL/usr/lib/
cp $OPENDKIMJAIL/usr/lib64/libmilter.so.1.0 $OPENDKIMJAIL/lib64/
cp $OPENDKIMJAIL/usr/lib64/libmilter.so.1.0.1 $OPENDKIMJAIL/lib64/
Configure OpenDKIM ($OPENDKIMJAIL/etc/opendkim.conf) and populate the keys (copy them from the server being replaced or generate new ones with opendkim-genkey). Every path in opendkim.conf (KeyTable, SigningTable, Socket, PidFile, the key files themselves) is interpreted inside the jail, and the directories opendkim writes to (var/run/opendkim and the socket directory) must be owned by the service account, as was done for the sendmail jail. Then, under your ID, run:
sudo /sbin/chroot /smt00p20/opendkim /usr/sbin/opendkim -u sendmail -v
The opendkim unit needs the RootDirectory, host-side PIDFile path and User/Group settings shown below. Put it in /etc/systemd/system/opendkim.service rather than the packaged location /usr/lib/systemd/system/opendkim.service, so that an opendkim RPM install or update cannot overwrite it, then run systemctl daemon-reload. ExecReload is also executed inside the jail, so /bin/kill and its libraries must be copied into the jail for systemctl reload to work:
# If you are using OpenDKIM with SQL datasets it might be necessary to start OpenDKIM after the database servers.
# For example, if using both MariaDB and PostgreSQL, change "After=" in the "[Unit]" section to:
# After=network.target nss-lookup.target syslog.target mariadb.service postgresql.service
[Unit]
Description=DomainKeys Identified Mail (DKIM) Milter
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target syslog.target

[Service]
RootDirectory=/smt00p20/opendkim
Type=forking
PIDFile=/smt00p20/opendkim/var/run/opendkim/opendkim.pid
EnvironmentFile=-/etc/sysconfig/opendkim
ExecStart=/usr/sbin/opendkim -u sendmail -v $OPTIONS
ExecReload=/bin/kill -USR1 $MAINPID
User=sendmail
Group=mail

[Install]
WantedBy=multi-user.target
Upgrading Sendmail – After Unix Applies Patches
This process grabs a fresh copy of sendmail, the associated diagnostic utilities, and their dependencies from the OS installation after the Unix team has patched it. Stop the jailed sendmail first: cp over a running binary fails with 'Text file busy', and cp over a library that a running process has mapped overwrites the pages underneath it and can crash the process. If you want to apply patches before Unix support does, you can stage a sendmail build (everything up to 'make install') and copy the files out or, if an updated RPM is in the repo but not yet installed, download the RPMs, unpack them, and copy the files in. Do that in addition to (and after) this process so that library updates are also reflected in the jailed installation (if there is an update to the crypto libraries, we want those too).
# sendmail and its helper binaries
cp /usr/sbin/sendmail.sendmail $SENDMAILJAIL/usr/sbin/sendmail.sendmail
cp /usr/sbin/makemap $SENDMAILJAIL/usr/sbin/makemap
cp /usr/sbin/mailstats $SENDMAILJAIL/usr/sbin/mailstats
cp /usr/sbin/praliases $SENDMAILJAIL/usr/sbin/praliases
cp /usr/sbin/smrsh $SENDMAILJAIL/usr/sbin/smrsh
cp /usr/bin/rmail.sendmail $SENDMAILJAIL/usr/bin/rmail.sendmail

# libraries under usr/lib64
cp /usr/lib64/libssl.so.10 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libcrypto.so.10 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libnsl.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libwrap.so.0 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libhesiod.so.0 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libcrypt.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libdb-5.3.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libresolv.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libsasl2.so.3 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libldap-2.4.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/liblber-2.4.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libc.so.6 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libgssapi_krb5.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libkrb5.so.3 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libcom_err.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libk5crypto.so.3 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libdl.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libz.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libidn.so.11 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libfreebl3.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libpthread.so.0 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libssl3.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libsmime3.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libnss3.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libnssutil3.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libplds4.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libplc4.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libnspr4.so $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/ld-linux-x86-64.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libkrb5support.so.0 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libkeyutils.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/librt.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libselinux.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libpcre.so.1 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libnss_dns.so.2 $SENDMAILJAIL/usr/lib64/
cp /usr/lib64/libnss_files.so.2 $SENDMAILJAIL/usr/lib64/

# resolver/NSS modules; the existing jail symlinks point at the -2.17.so names
# (the el7 glibc), so a glibc version change would require recreating the links
cp /lib64/libnss_dns-2.17.so $SENDMAILJAIL/lib64/
cp /lib64/libresolv-2.17.so $SENDMAILJAIL/lib64/
cp /lib64/libnss_files-2.17.so $SENDMAILJAIL/lib64/
cp /lib64/libnss_dns-2.17.so $SENDMAILJAIL/lib/
cp /lib64/libresolv-2.17.so $SENDMAILJAIL/lib/
cp /lib64/libnss_files-2.17.so $SENDMAILJAIL/lib/

# SASL plugins and config
cp /usr/lib64/sasl2/* $SENDMAILJAIL/usr/lib64/sasl2/
cp /lib64/sasl2/* $SENDMAILJAIL/lib64/sasl2/
cp /etc/sasl2/Sendmail.conf $SENDMAILJAIL/usr/lib64/sasl2/
cp /etc/sasl2/Sendmail.conf $SENDMAILJAIL/etc/sasl2/

# libraries under lib64
cp /lib64/ld-linux-x86-64.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libc.so.6 $SENDMAILJAIL/lib64/
cp /lib64/libcom_err.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libcrypt.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libcrypto.so.10 $SENDMAILJAIL/lib64/
cp /lib64/libdb-5.3.so $SENDMAILJAIL/lib64/
cp /lib64/libdl.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libfreebl3.so $SENDMAILJAIL/lib64/
cp /lib64/libgssapi_krb5.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libhesiod.so.0 $SENDMAILJAIL/lib64/
cp /lib64/libidn.so.11 $SENDMAILJAIL/lib64/
cp /lib64/libk5crypto.so.3 $SENDMAILJAIL/lib64/
cp /lib64/libkeyutils.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libkrb5.so.3 $SENDMAILJAIL/lib64/
cp /lib64/libkrb5support.so.0 $SENDMAILJAIL/lib64/
cp /lib64/liblber-2.4.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libldap-2.4.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libnsl.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libnspr4.so $SENDMAILJAIL/lib64/
cp /lib64/libnss3.so $SENDMAILJAIL/lib64/
cp /lib64/libnssutil3.so $SENDMAILJAIL/lib64/
cp /lib64/libpcre.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libplc4.so $SENDMAILJAIL/lib64/
cp /lib64/libplds4.so $SENDMAILJAIL/lib64/
cp /lib64/libpthread.so.0 $SENDMAILJAIL/lib64/
cp /lib64/librt.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libsasl2.so.3 $SENDMAILJAIL/lib64/
cp /lib64/libselinux.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libsmime3.so $SENDMAILJAIL/lib64/
cp /lib64/libssl.so.10 $SENDMAILJAIL/lib64/
cp /lib64/libssl3.so $SENDMAILJAIL/lib64/
cp /lib64/libwrap.so.0 $SENDMAILJAIL/lib64/
cp /lib64/libz.so.1 $SENDMAILJAIL/lib64/

# troubleshooting tools and their libraries (skip if you removed them from the jail)
cp /bin/dig $SENDMAILJAIL/bin/
cp /bin/bash $SENDMAILJAIL/bin/
cp /bin/ls $SENDMAILJAIL/bin/
cp /bin/vi $SENDMAILJAIL/bin/
cp /bin/rm $SENDMAILJAIL/bin/
cp /usr/sbin/pidof $SENDMAILJAIL/usr/sbin/pidof
cp /lib64/libdns.so.100 $SENDMAILJAIL/lib64/
cp /lib64/liblwres.so.90 $SENDMAILJAIL/lib64/
cp /lib64/libbind9.so.90 $SENDMAILJAIL/lib64/
cp /lib64/libisccfg.so.90 $SENDMAILJAIL/lib64/
cp /lib64/libisccc.so.90 $SENDMAILJAIL/lib64/
cp /lib64/libisc.so.95 $SENDMAILJAIL/lib64/
cp /lib64/libcap.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libGeoIP.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libxml2.so.2 $SENDMAILJAIL/lib64/
cp /lib64/libm.so.6 $SENDMAILJAIL/lib64/
cp /lib64/libattr.so.1 $SENDMAILJAIL/lib64/
cp /lib64/liblzma.so.5 $SENDMAILJAIL/lib64/
cp /lib64/libtinfo.so.5 $SENDMAILJAIL/lib64/
cp /lib64/libacl.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libprocps.so.4 $SENDMAILJAIL/lib64/
cp /lib64/libsystemd.so.0 $SENDMAILJAIL/lib64/
cp /lib64/libgcrypt.so.11 $SENDMAILJAIL/lib64/
cp /lib64/libgpg-error.so.0 $SENDMAILJAIL/lib64/
cp /lib64/libdw.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libgcc_s.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libelf.so.1 $SENDMAILJAIL/lib64/
cp /lib64/libbz2.so.1 $SENDMAILJAIL/lib64/
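The two long copy lists (the initial build under Chrooting Sendmail and the post-patch refresh above) are one instance of a general procedure: copy a binary, then copy every library the loader will ask for. The helper below is added here as an illustration and is not part of the original procedure. It derives that list from ldd instead of maintaining it by hand, assumes a glibc system with ldd and the jail layout used above, and replaces files by rename so that a jail that is still running is not corrupted mid-copy. The jail_missing_libs check calls chroot and therefore needs root. ldd does not see libraries loaded with dlopen() at run time, so the NSS modules and SASL plugins above still have to be copied explicitly.

```shell
#!/bin/sh
# Added example, not part of the original procedure: derive a binary's library
# list from ldd and copy binary plus libraries into a chroot jail, preserving
# host paths. Assumes a glibc system with ldd, a jail root passed as the first
# argument (e.g. "$SENDMAILJAIL"), and the el7 layout used above.
#
# Limitation: ldd reports only libraries linked at build time. Modules loaded
# with dlopen() at run time (libnss_files/libnss_dns, the SASL plugins under
# /usr/lib64/sasl2) do not appear and must still be copied explicitly.

# Print, one per line, the absolute paths found in ldd output read from stdin.
# Handles "libssl.so.10 => /lib64/libssl.so.10 (0x...)" as well as the loader
# line "/lib64/ld-linux-x86-64.so.2 (0x...)"; the vDSO entry has no path and
# is skipped.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | sort -u
}

# Copy one host file into the jail at the same relative path. The copy is
# written under a temporary name and renamed into place, so a jailed process
# that already has the old file mapped keeps the old inode instead of seeing
# it overwritten underneath it (the hazard when refreshing a running jail).
# cp follows symlinks, so the jail holds a regular file under the SONAME,
# e.g. lib64/libc.so.6, exactly as the manual copies do.
jail_copy() {
    jail=$1; src=$2; dst="$jail$src"
    mkdir -p "$jail$(dirname "$src")" || return 1
    cp "$src" "$dst.tmp" && mv -f "$dst.tmp" "$dst"
}

# Copy each binary named on the command line plus everything ldd reports.
jail_copy_with_deps() {
    jail=$1; shift
    for bin in "$@"; do
        jail_copy "$jail" "$bin" || return 1
        ldd "$bin" | ldd_paths | while read -r lib; do
            jail_copy "$jail" "$lib" || exit 1
        done || return 1
    done
}

# Check from inside the jail: ask the jail's own dynamic loader to resolve a
# binary. Any "not found" line names a library still missing from the jail.
# Needs root (or sudo) because it calls chroot.
jail_missing_libs() {
    jail=$1; bin=$2
    chroot "$jail" /lib64/ld-linux-x86-64.so.2 --list "$bin" 2>&1 | grep 'not found'
}

# Usage (file name jail-libs.sh is an assumption):
#   jail_copy_with_deps "$SENDMAILJAIL" /usr/sbin/sendmail.sendmail /usr/sbin/makemap /usr/sbin/smrsh
#   sudo sh -c ". ./jail-libs.sh; jail_missing_libs /smt00p20/sendmail /usr/sbin/sendmail.sendmail"
```

jail_missing_libs is the check worth running after every refresh: an empty result means the loader inside the jail can satisfy every DT_NEEDED entry of the binary, which is what the "no such file" failures at sendmail start-up usually come down to.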
Under your ID, ensure the proper permissions are set on the chroot jail
sudo chown -R sendmail:mail /smt00p20/sendmail/
sudo chown sendmail /smt00p20/sendmail/var/spool/mqueue
sudo chmod 0700 /smt00p20/sendmail/var/spool/mqueue
sudo chmod -R go-w /smt00p20/sendmail
sudo chmod 0400 /smt00p20/sendmail/etc/mail/*.cf
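The chown/chmod steps (here and after the initial build) are easy to get half-right, and a group-writable .cf or library is exactly what turns a jail from an update-proofing tool into a privilege-escalation path for any other local account. The audit below is added here as an illustration and is not part of the original procedure; it assumes the jail root and the service account name are passed as arguments and that the queue lives at $JAIL/var/spool/mqueue.

```shell
#!/bin/sh
# Added example, not part of the original procedure: audit a jail for the
# state the chown/chmod commands above are meant to produce. Assumes the jail
# root and the service account are passed as arguments and that the queue
# lives at $JAIL/var/spool/mqueue. jail_audit prints one line per finding and
# returns 1 if there were any, 0 if the jail is clean.

# Anything inside the jail that group or others can write to. A writable
# binary, library or .cf file lets another local account replace what the
# jailed daemon executes or reads. Symlinks are skipped (their own mode is
# meaningless); their targets are checked as files in their own right.
jail_writable() {
    jail=$1
    { find "$jail" ! -type l -perm -020; find "$jail" ! -type l -perm -002; } | sort -u
}

# Files not owned by the service account. Sockets are excluded because rsyslog
# re-creates dev/log as root every time it restarts.
jail_not_owned_by() {
    jail=$1; user=$2
    find "$jail" ! -type l ! -type s ! -user "$user"
}

# The queue directory must be exactly 0700 and owned by the service account;
# sendmail's safe-file checks complain about a queue other users can reach.
jail_queue_ok() {
    jail=$1; user=$2; q="$jail/var/spool/mqueue"
    [ -d "$q" ] && [ -n "$(find "$q" -prune -type d -perm 0700 -user "$user")" ]
}

jail_audit() {
    jail=$1; user=$2
    findings=$( {
        jail_writable "$jail" | sed 's|^|group/world writable: |'
        jail_not_owned_by "$jail" "$user" | sed "s|^|not owned by $user: |"
        jail_queue_ok "$jail" "$user" || echo "queue not 0700 and owned by $user: $jail/var/spool/mqueue"
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage, after the chown/chmod steps:
#   jail_audit /smt00p20/sendmail sendmail && echo "jail is clean"
```

Run it as the service account or via sudo; it only reads metadata, so it is safe to run against a live jail, and it is worth re-running after every patch cycle because an OS update is exactly when the host's copies of these files change ownership and mode.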
Then start sendmail and verify functionality.
Updating OpenDKIM
cp /lib64/libtinfo.so.5 $OPENDKIMJAIL/lib64/
cp /lib64/libdl.so.2 $OPENDKIMJAIL/lib64/
cp /lib64/libc.so.6 $OPENDKIMJAIL/lib64/
cp /lib64/ld-linux-x86-64.so.2 $OPENDKIMJAIL/lib64/
cp /bin/bash $OPENDKIMJAIL/bin/
cp /lib64/libstdc++.so.6* $OPENDKIMJAIL/lib64/
cp /lib64/libm.so.6 $OPENDKIMJAIL/lib64/
cp /lib64/libgcc_s.so.1 $OPENDKIMJAIL/lib64/
cp /lib64/libnss_files* $OPENDKIMJAIL/lib64/
If there is an update to the opendkim packages, unpack the updated RPM files and move the new files into the corresponding jail locations.
# unpack in a scratch directory, as for the initial install; the versions
# below are the ones this jail was built from, substitute the updated RPMs
mkdir /tmp/opendkim-rpms
cd /tmp/opendkim-rpms
rpm2cpio opendkim-2.11.0-0.1.el7.x86_64.rpm | cpio -idmv
rpm2cpio libopendkim-2.11.0-0.1.el7.x86_64.rpm | cpio -idmv
rpm2cpio sendmail-milter-8.14.7-5.el7.x86_64.rpm | cpio -idmv
rpm2cpio opendbx-1.4.6-6.el7.x86_64.rpm | cpio -idmv
rpm2cpio libmemcached-1.0.16-5.el7.x86_64.rpm | cpio -idmv
rpm2cpio libbsd-0.6.0-3.el7.elrepo.x86_64.rpm | cpio -idmv