Sendmail 8.10.2 on Mac OS X <= 10.1.4


Introduction

Apple’s Mac OS X ships with the sendmail Mail Transport Agent (MTA) as part of the underlying Berkeley Software Distribution (BSD) compatibility layer. Mac OS X 10.1.4 (and prior releases) ships with the relatively old 8.10.2 release of sendmail. Due to system-specific problems involved with both the stock sendmail and newer versions, I have made these notes available. Notes for other versions of sendmail on OS X are also available.

This page assumes the reader is reasonably competent with Unix.

Operation

To see what version of sendmail is installed on your system, use the following command.

$ sendmail -d0 < /dev/null | grep -i version
Version 8.10.2

Getting Started

At the time of writing, sendmail on Mac OS X ships broken due to the group-writable permissions scheme being used by Apple. This is readily apparent when sending a test message from the command line:

$ echo testing | mail -s test root
/etc/mail/sendmail.cf: line 81: fileclass: cannot open /etc/mail/local-host-names: Group writable directory

There are two solutions to the problem.

  1. Remove the group write permission on the root directory.

    # chmod g-w /

    This fix is easy, but tends to break poorly written Mac OS installation programs that write random files into the root directory. You may also need to remove group-write permissions from other directories; sendmail checks permissions on each item in the path up to the file in question.

  2. Disable the group-writable security check in sendmail.

    On the other hand, sendmail can be told to act in line with Apple's group-write policy. This configuration is done in /etc/mail/sendmail.cf, though configuring sendmail via a sendmail.mc is a better long-term solution (more on this later).

    Apply the following dont-blame-sendmail patch to disable the writable directory warning:

    # patch -p0 < dont-blame-sendmail.patch

    Consequently, mail from automated jobs running out of /etc/crontab will start filling up /var/mail/root. These reports contain various details about the Unix side of things on the system, and become annoying if you have more than several systems reporting to a central location. Use this /etc/crontab patch to disable the mailings; reports will still be saved to /var/log/*.out for review.
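
For the first solution, the directories that need attention can be found by walking the path the way the text describes. The script below is an added example, not part of the original notes; the helper name writable_ancestors is hypothetical, and it reads mode bits from ls -ld rather than reproducing sendmail's own checks.

```shell
#!/bin/sh
# Added example (not from the original notes): report every directory between
# a file and / that is group- or world-writable, the condition behind the
# "Group writable directory" error. Mode bits come from `ls -ld`, so this is
# an approximation of the check, not sendmail's own code.

# writable_ancestors FILE   (hypothetical helper name)
# Prints one tab-separated line per offending directory: flags, mode, path.
writable_ancestors() {
    target=$1
    # Resolve symlinks first (/etc may itself be a symlink) so that the real
    # directories are the ones examined.
    dir=$(cd -P "$(dirname "$target")" 2>/dev/null && pwd -P) || {
        echo "cannot resolve directory of $target" >&2
        return 2
    }
    while :; do
        line=$(ls -ld "$dir") || return 2
        mode=${line%% *}        # first field, e.g. drwxrwxr-x
        flags=
        # Character 6 of the mode string is group write, character 9 other write.
        case $mode in d????w*) flags=group ;; esac
        case $mode in d???????w*) flags="${flags:+$flags,}world" ;; esac
        if [ -n "$flags" ]; then
            printf '%s\t%s\t%s\n' "$flags" "$mode" "$dir"
        fi
        if [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return 0
}

# Run against a path given on the command line, for instance the file named
# in the error message:  sh check-path.sh /etc/mail/local-host-names
if [ "$#" -gt 0 ]; then
    writable_ancestors "$1"
fi
```

An empty result means no directory on the resolved path is group- or world-writable; each line printed names a directory to review before choosing between the two solutions.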

Dumb Client

A common mail architecture involves several central mail servers, along with any number of clients that do little to nothing in the way of local mail handling. The default sendmail.cf can easily be modified in place to act as a dumb client:

# perl -i.orig -ple 's/example.org/yourdomain.dom/g' dumb-client.patch
# patch -p0 < dumb-client.patch

In situations where only certain hosts can reach the rest of the world (e.g. under an Internet Service Provider (ISP) that firewalls Simple Mail Transfer Protocol (SMTP) connections to prevent the spread of Microsoft malware or spam), set the “Smart” relay option to point at the outgoing mail server in sendmail.cf:

# "Smart" relay host (may be null)
DSmail.example.org

Aliases

Sendmail typically reads aliases in from a hashed version of /etc/mail/aliases. On Mac OS X, aliases are instead stored by default in the NetInfo Directory System. Aliases can be managed via the NetInfo Manager application, or from the command line with one of the ni* utilities, such as nidump(8).

$ nidump aliases .
administrator: root

New aliases can be added easily with niutil(1). For example, to create a security alias as recommended by [RFC 2142]:

# niutil -create / /aliases/security
# niutil -createprop / /aliases/security members root

Sendmail on Mac OS X may not work if the standard AliasFile support is enabled; when writing a custom sendmail.mc, disabling file-based aliases might be necessary:

undefine(`ALIAS_FILE')

Configuration

Reconfiguration of sendmail is best done with a sendmail.mc file, from which sendmail.cf can be rebuilt. The sendmail.mc is a list of m4(1) macros that produce the sendmail.cf when combined properly with the cf/* files under the sendmail source directory.

The Apple Developer Tools package may need to be installed to obtain the m4 command required to convert a *.mc file into a *.cf file.

On Mac OS X, look in /usr/share/sendmail/conf for the cf/* files compatible with the default sendmail binary. Under that directory is the README containing notes on how to write and build .mc files, and a cf/ subdirectory containing example .mc files.

To build sendmail.cf, run the following:

$ m4 -D_CF_DIR_=/usr/share/sendmail/conf/ \
/usr/share/sendmail/conf/m4/cf.m4 sendmail.mc > sendmail.cf

See my sendmail configurations for starting points for configuring sendmail for purposes beyond a dumb client. The following two files contain sendmail 8.10 server config localizations to work on Mac OS X; the masquerade domain will still need to be changed.

Upgrading

The latest versions of sendmail offer better performance and security, and better support for features such as SMTP AUTH and STARTTLS. The latest release can be compiled from source and manually configured on Mac OS X.

Apple security updates may change the sendmail version to the 8.12 series, but not update the system startup script. If sendmail fails to start after installing any sendmail or security updates from Apple, try running the sendmail startup script manually.

$ sudo /System/Library/StartupItems/Sendmail/Sendmail start

Shell startup scripts can be debugged with the -x option to sh.

$ sudo sh -x /System/Library/StartupItems/Sendmail/Sendmail start

To run, sendmail 8.12 needs both an MTA and a Mail Submission Agent (MSA) running.

/usr/sbin/sendmail -bd -q15m
/usr/sbin/sendmail -C /etc/mail/submit.cf -q15m

More information on sendmail 8.12.