Introduction
Apple’s Mac OS X ships with the sendmail Mail Transport Agent (MTA) as part of the underlying Berkeley Software Distribution (BSD) compatibility layer. Mac OS X 10.2 ships by default with the 8.12.2 release of sendmail; the 2003-03-03 Security Update will bring sendmail to version 8.12.7, and 10.2.5 installs sendmail 8.12.9. Due to system-specific problems involved with both the stock sendmail and newer versions, I have made these notes available. Notes for other versions of sendmail on OS X are also available.
This page assumes the reader is reasonably competent with Unix.
Setup
Environment
The following are some commands and details about sendmail that should assist in debugging problems.
To see what version of sendmail is installed on your system and the compiled features, use the following command. The perl command (| perl …) limits the output to just the initial version and compile features; the skipped output contains sendmail’s domain settings. If you see long delays running this command, there are probably DNS issues to fix first.
$ sendmail -d0 < /dev/null | perl -nle 'print if 1 .. /^$/'
Version 8.12.2
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETINFO NETUNIX NEWDB NIS PIPELINING SCANF
USERDB XDEBUG
Sendmail on OS X logs to /var/log/mail.log by default. Use the tail(1) command to follow the log in one terminal window while making changes in others. Third-party commands such as colorize.pl can make logfile watching easier by colorizing the output.
$ tail -f /var/log/mail.log
Logging can be increased in the sendmail.cf by setting LogLevel to 15 or higher temporarily, and by testing with mail -v from the command line.
$ echo just a test | mail -v -s test user@example.org
Sendmail itself lives in /usr/sbin, and uses queue directories under /var/spool. I am not sure why Apple is still setting the set-user-id bit (r-s) on sendmail; sendmail 8.12 should be set-group-id only for security reasons: see sendmail/SECURITY for details.
$ ls -l /usr/sbin/sendmail
-r-sr-xr-x 1 root smmsp 581448 Jul 27 19:54 /usr/sbin/sendmail
$ ls -ld /var/spool/*mqueue
drwxrwx--- 21 smmsp smmsp 714 Aug 30 00:27 /var/spool/clientmqueue
drwxr-x--- 2 root wheel 68 Oct 23 2001 /var/spool/mqueue
Apple may be expecting sendmail to have the set-user-id bit set so it can talk to a local mail delivery agent (e.g. procmail or mail.local); however, I have never set up sendmail on OS X to deliver mail locally. If you upgrade sendmail from source, the permissions on sendmail will be changed to set-group-id.
-r-xr-sr-x 1 root smmsp 687720 Aug 28 00:43 /usr/sbin/sendmail
Group Write Permissions
Sendmail still complains about group writable permissions when invoked.
$ mailq
/etc/mail/sendmail.cf: line 93: fileclass: cannot open '/etc/mail/local-host-names': Group writable directory
There are several ways to fix this problem.
- Remove the group write permissions from all directories sendmail will be involved with (the path up to /etc/mail, and possibly more if sendmail needs to consult ~/.forward or similar). Not recommended: sendmail will break under this method if an update enables the group-write bit on any of the various files involved.
- Patch sendmail.cf to ignore group-writable directories.
- Set the following in the *.mc files (sendmail.mc, submit.mc) if customizing the resulting *.cf files extensively.
define(`confDONT_BLAME_SENDMAIL', `GroupWritableDirPathSafe')
The Apple Developer Tools package may need to be installed to obtain the m4 command required to convert a *.mc file into a *.cf file.
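To see which directories are behind the "Group writable directory" complaint before choosing a fix, the following added example (not part of the original page) walks from a file up to / and lists every path component with the group-write bit set. The function name group_writable_path is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page.

# group_writable_path FILE
# Print every directory between FILE and / that has the group-write bit
# set, i.e. the components behind a "Group writable directory" complaint.
# Returns 2 if FILE's parent directory cannot be entered.
group_writable_path() {
    # Resolve the parent physically so symlinked components are checked
    # where they really live.
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 2
    while :; do
        # -prune keeps find from descending; -perm -020 means
        # "group-write bit is set".
        find "$dir" -prune -perm -020 -print
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# When run with arguments, report for each file given, for example:
#   sh this-script /etc/mail/local-host-names /etc/mail/sendmail.cf
if [ $# -gt 0 ]; then
    for f in "$@"; do
        group_writable_path "$f" | while IFS= read -r d; do
            printf '%s: group-writable component %s\n' "$f" "$d"
        done
    done
fi
```

An empty result for every file sendmail reads means the DontBlameSendmail setting is not needed on that system.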
Running
Sendmail does not run as a daemon by default on OS X. If sendmail is used as a client to distribute locally submitted mail to other servers, then all that is ideally needed is a crontab(1) job to clear out the clientmqueue directory, as otherwise mail will collect there whenever the mail submission agent is not able to deliver the mail to an MTA. A sample crontab(5) entry for root would look like the following.
$ sudo crontab -l
# clean out sendmail's mail submission queue every so often
*/10 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q
The cron job could instead be done manually from the command line. This is how I run sendmail on my laptop, as I do not need any daemons or cron jobs running, and generally know when there are queue files in /var/spool/clientmqueue that need to be flushed. A complex command like the following should be placed in a shell alias or shell script for ease of use.
$ sudo /usr/sbin/sendmail -L sm-msp-queue -Ac -q
Startup Daemon
If running sendmail as a daemon to accept mail via the Simple Mail Transfer Protocol (SMTP), enable MAILSERVER support in /etc/hostconfig, and make sure the /System/Library/StartupItems/Sendmail/Sendmail startup script does what you need. With MAILSERVER set to -YES-, there is no need for the cron job mentioned above.
$ grep -i mailserver /etc/hostconfig
MAILSERVER=-YES-
Sendmail can be started without a system reboot via the startup script the OS uses.
$ sudo /System/Library/StartupItems/Sendmail/Sendmail start
If sendmail appears not to be starting, shell startup scripts can be debugged with the -x option to sh.
$ sudo sh -x /System/Library/StartupItems/Sendmail/Sendmail start
If the system in question was upgraded from Mac OS X 10.1, the system startup script for sendmail might be out-of-date. To run, sendmail 8.12 needs both an MTA and a Mail Submission Agent (MSA) running.
/usr/sbin/sendmail -bd -q15m
/usr/sbin/sendmail -C /etc/mail/submit.cf -q15m
The first command starts a sendmail daemon that listens for mail via SMTP on port 25 using the default sendmail.cf configuration file and the /var/spool/mqueue temporary queue directory. The second command launches a daemon that periodically checks for and attempts to resend any mail that ended up in /var/spool/clientmqueue.
For reference purposes, I have included the Sendmail startup script from Jaguar.
Debugging
To determine whether sendmail is running properly, use lsof(8) or netstat(1). These utilities can show what ports are being used; sendmail listens on the SMTP port (25), among others. The following shows sendmail configured with IPv6 support listening only on the localhost interface.
$ sudo lsof -i | grep -i sendmail
sendmail 16160 root 4u inet 0x02ce6cdc 0t0 TCP localhost:smtp (LISTEN)
sendmail 16160 root 5u inet 0x02ce825c 0t0 TCP localhost:submission (LISTEN)
$ netstat -tan | grep '\.25 '
tcp6 0 0 ::1.25 *.* LISTEN
tcp4 0 0 127.0.0.1.25 *.* LISTEN
Even if running, a firewall or tcp_wrappers may be configured to block connections to sendmail. Use ipfw list and review the tcp_wrappers configuration in /etc/hosts.{allow,deny}, if present.
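The loopback-only check described above can be automated. This added example (not part of the original page) reads netstat -an output and reports any SMTP or submission listener bound to a non-loopback address. It assumes the BSD address.port column layout shown above; the function name exposed_listeners is hypothetical, and the sample lines beyond the page's two are constructed.

```shell
#!/bin/sh
# Added example, not from the original page.

# exposed_listeners [PORTS]
# Read `netstat -an` output (BSD/OS X layout: address.port) on stdin and
# print "proto address port" for every LISTEN socket on one of PORTS
# (default "25 587") that is bound to something other than loopback.
exposed_listeners() {
    awk -v ports="${1:-25 587}" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $NF == "LISTEN" {
            # The port is whatever follows the last dot of the local address.
            pos = match($4, /\.[0-9]+$/)
            if (pos == 0) next
            addr = substr($4, 1, pos - 1)
            port = substr($4, pos + 1)
            if (!(port in want)) next
            # Loopback binds are what a submission-only host should show.
            if (addr == "::1" || addr ~ /^127\./) next
            print $1, addr, port
        }'
}

# Constructed sample: the first two lines are the output shown on the page,
# the remaining lines are invented for illustration.
SAMPLE='tcp6 0 0 ::1.25 *.* LISTEN
tcp4 0 0 127.0.0.1.25 *.* LISTEN
tcp4 0 0 *.25 *.* LISTEN
tcp4 0 0 192.0.2.10.587 *.* LISTEN
tcp4 0 0 *.2525 *.* LISTEN'

# On a live system: netstat -an | exposed_listeners
printf '%s\n' "$SAMPLE" | exposed_listeners
```

No output means every listener on the checked ports is bound to loopback only.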
Customization
Sendmail can be configured in a wide variety of ways: as a server, forwarding proxy, or dumb client. This is done via various files under /etc/mail, mainly sendmail.mc and submit.mc, from which the *.cf files are built with m4(1) in conjunction with the supporting macro files under /usr/share/sendmail/conf. For starting points on how to configure sendmail, see the following resources.
- Sendmail Configurations.
- Notes on other sendmail versions on OS X - the older notes cover common setup tasks, such as aliases, which I have not repeated here.
- Relaying with TLS in Sendmail - how I configure my OS X laptop to do roaming Transport Layer Security (TLS) encrypted mail relaying through my main mail server.
- Sendmail and SMTP AUTH on Mac OS X 10.2.
Upgrading
Sendmail will need to be recompiled to add support for features that Apple does not ship with by default (such as MILTER, STARTTLS, or IPv6). To upgrade sendmail on Mac OS X, obtain the latest source distribution (at least 8.12.9) and verify the PGP signature on it with GNU Privacy Guard. The Apple Developer Tools need to be installed, especially the BSD SDK package if compiling in STARTTLS support (for the OpenSSL header files).
$ gpg --recv-keys 0x396F0789
$ gpg --verify sendmail.8.12.9.tar.gz.sig sendmail.8.12.9.tar.gz
gpg: Signature made Sat Mar 29 06:12:38 2003 PST using RSA key ID 396F0789
gpg: Good signature from "Sendmail Signing Key/2003 <sendmail@Sendmail.ORG>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Fingerprint: C4 73 DF 4A 97 9C 27 A9 EE 4F B2 BD 55 B5 E0 0F
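Because gpg reports the key as not certified, the "Good signature" line alone does not tie the tarball to the expected key. This added example (not part of the original page) compares the signing fingerprint from gpg's machine-readable status output against a pinned value. The function names are hypothetical, the status line is constructed, and the pinned fingerprint is the one printed above; in practice it should come from a channel you trust.

```shell
#!/bin/sh
# Added example, not from the original page.

# normalize_fpr FPR: drop spaces and colons, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# pinned_sig_ok PINNED_FPR
# Read `gpg --status-fd 1 --verify SIG FILE` output on stdin. Succeed only
# if a VALIDSIG line carries the pinned fingerprint (as the signing key or
# as the trailing primary-key fingerprint) and no BADSIG/ERRSIG is present.
pinned_sig_ok() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            if ($3 == want || $NF == want) ok = 1
            else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }'
}

PINNED='C4 73 DF 4A 97 9C 27 A9 EE 4F B2 BD 55 B5 E0 0F'

# Constructed status line; every field after the fingerprint is filler.
SAMPLE_STATUS='[GNUPG:] VALIDSIG C473DF4A979C27A9EE4FB2BD55B5E00F 2003-03-29 0 0 3 0 1 1 00'

# On a live system:
#   gpg --status-fd 1 --verify sendmail.8.12.9.tar.gz.sig \
#       sendmail.8.12.9.tar.gz 2>/dev/null | pinned_sig_ok "$PINNED"
if printf '%s\n' "$SAMPLE_STATUS" | pinned_sig_ok "$PINNED"; then
    echo "signature made by pinned key"
else
    echo "signature NOT verified against pinned key"
fi
```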
To customize the build, use something like the following site.config.m4 after perusing the INSTALL and devtools/README under the sendmail source tree. If all goes well, be sure to update the /usr/share/sendmail/conf area from the source tree cf/ area, and rebuild the /etc/mail/*.cf configuration files from the corresponding *.mc macro files.
$ sh Build -c -f /path/to/site.config.m4
…
$ sudo sh Build install
…
$ sudo rsync --delete -rutvz cf/ /usr/share/sendmail/conf
Mac OS X 10.2.4 or 10.2.5 and the 2003-03-03 Security Update will overwrite a sendmail built with custom compile features. If that happens, reinstall 8.12.9 from source and rebuild the configuration files.
To see what an update package from Apple installs, investigate the /Library/Receipts directory and use the lsbom(8) utility on any *.bom files present under the package directory in question.
$ cd /Library/Receipts/1024SecUpd2003-03-03.pkg
$ find . -name "*.bom" -exec lsbom {} \; | \
awk '{print $1}' | sort | uniq
.
./usr
./usr/bin
./usr/bin/c_rehash
./usr/bin/openssl
./usr/lib
./usr/lib/libcrypto.0.9.dylib
./usr/lib/libcrypto.dylib
./usr/lib/libssl.0.9.dylib
./usr/lib/libssl.dylib
./usr/sbin
./usr/sbin/sendmail