Installing sendmail on Solaris

Important note: if you are using any version of sendmail prior to 8.13.5, please upgrade immediately. The following procedure shows how to install sendmail 8.13.6.

Installing sendmail on Solaris 10

1. Download sendmail.

2. Extract the sendmail tarball.
$ gzip -cd sendmail.8.13.6.tar.gz | tar xvf -

3. Edit devtools/Site/site.config.m4.

$ cd sendmail-8.13.6
$ vi devtools/Site/site.config.m4

For hash database (NEWDB) support with makemap (recommended), add the following lines:

APPENDDEF(`confLIBDIRS', `-L/opt/sfw/lib')
APPENDDEF(`confINCDIRS', `-I/opt/sfw/include')
APPENDDEF(`confENVDEF', `-DNEWDB')

This assumes you have the SFWbdb package installed. If this package is not installed, follow the Berkeley DB instructions below in "Installing sendmail on previous Solaris releases."

For STARTTLS support, add the following lines:

define(`confSTDIO_TYPE', `portable')
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS -DHASURANDOMDEV')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')

4. If compiling sendmail with hash database support, add /opt/sfw/lib to the default ELF library path.
# crle -u -l /opt/sfw/lib

5. Build sendmail.

$ ./Build -c
(the -c flag is used to signal a change in site.config.m4)

6. Create man page directories.
# mkdir /usr/share/man/cat1 mkdir /usr/share/man/cat5 /usr/share/man/cat8

7. Install sendmail.
# ./Build install

Installing sendmail on previous Solaris releases (Solaris 7, 8, and 9)

1. Download sendmail.

2. Extract the sendmail tarball.
$ gzip -cd sendmail.8.13.6.tar.gz | tar xvf -

3. For hash database (NEWDB) support with makemap (recommended), install Berkeley DB.

Download Berkeley DB.
http://dev.sleepycat.com/downloads/latestreleases.html

Install Berkeley DB.
$ gzip -cd db-4.4.20.tar.gz | tar xvf -
$ cd db-4.4.20/build_unix
$ ../dist/configure
$ make
# make install

4. For STARTTLS support, install the latest OpenSSL package from Sunfreeware.

$ gzip -d your_openssl_package.gz
# pkgadd -d ./your_openssl_package

If your Solaris system does not have /dev/urandom (Solaris 8 and earlier), install the SUNrand package. This package contains a Solaris kernel module that emulates /dev/random and /dev/urandom to generate sufficient entropy for STARTTLS support within sendmail. Note: Solaris 8 users may install Sun patch 112438 to create this device.

5. Edit devtools/Site/site.config.m4.

$ cd sendmail-8.13.6
$ vi devtools/Site/site.config.m4

For hash database (NEWDB) support with makemap (recommended), add the following lines:
APPENDDEF(`confLIBDIRS', `-L/usr/local/BerkeleyDB.4.4/lib')
APPENDDEF(`confINCDIRS', `-I/usr/local/BerkeleyDB.4.4/include')
APPENDDEF(`confENVDEF', `-DNEWDB')

For STARTTLS support, add the following lines:

define(`confSTDIO_TYPE', `portable')
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS -DHASURANDOMDEV')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')
APPENDDEF(`confLIBDIRS', `-L/usr/local/ssl/lib')
APPENDDEF(`confINCDIRS', `-I/usr/local/ssl/include')

For libmilter support, add the following lines (the second line prevents a milter from running as root):

APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE')

6. Add directories to the default ELF library path, if applicable.

If compiling sendmail with hash database support, add /usr/local/BerkeleyDB.4.4/lib.
# crle -u -l /usr/local/BerkeleyDB.4.4/lib

If compiling sendmail with STARTTLS support, add /usr/local/ssl/lib.
# crle -u -l /usr/local/ssl/lib

7. Build sendmail.

$ ./Build -c
(the -c flag is used to signal a change in site.config.m4)

8. Create man page directories.
# mkdir /usr/share/man/cat1 mkdir /usr/share/man/cat5 /usr/share/man/cat8

9. Install sendmail.
# ./Build install

Configuring sendmail

$ cd cf/cf
$ cp generic-solaris.mc sendmail.mc
$ vi sendmail.mc

The lines in bold are those I added to the default generic-solaris.mc configuration:

divert(0)dnl
VERSIONID(`$Id: generic-solaris.mc,v 8.13 2001/06/27 21:46:30 gshapiro Exp $')
OSTYPE(solaris2)dnl
DOMAIN(generic)dnl
FEATURE(access_db)dnl
FEATURE(blacklist_recipients)dnl
FEATURE(mailertable)dnl
MAILER(local)dnl
MAILER(smtp)dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/MYcert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/MYkey.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/MYcert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/MYkey.pem')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,noetrn')dnl
define(`confTO_IDENT', `0')dnl

In our configuration, we are enabling the access and mailertable databases via the FEATUREs in bold. The blacklist_recipients feature allows us to also reject envelope recipients in addition to envelope senders.

The next six lines in bold are used for our STARTTLS configuration. If you are not installing STARTTLS support, you will not need these lines.

The confPRIVACY_FLAGS line disables the EXPN, VRFY, and ETRN SMTP commands.

The confTO_IDENT line prevents our server from sending ident queries to remote mail servers when receiving mail. The ident queries attempt to determine the owner of the remote mail server's process ID. In practice, ident (TCP port 113) is disabled on most remote mail servers. Preventing these queries can speed up receiving mail. 

For more information on configuring sendmail, visit Sendmail Configuration Files.

Final steps

1. Create the sendmail configuration file and copy it to the appropriate directory.
# ./Build install-cf

2. You may wish to create your own sendmail startup and shutdown script. The following is a sample /etc/init.d/sendmail script.

#!/bin/sh

case "$1" in
'start')
   # Start the MTA
   /usr/lib/sendmail -L sm-mta -bd -q30m
   # Start the MSP
   /usr/lib/sendmail -L sm-msp-queue -Ac -q30m
   ;;
'stop')
   # Stop the MTA
   [ -f /var/run/sendmail.pid ] && \
/usr/bin/kill `/usr/bin/head -1 /var/run/sendmail.pid`
   # Stop the MSP
   MSP_PID=`/usr/bin/ps -e -o pid,args | /usr/bin/grep [s]m-msp-queue | \
/usr/bin/awk '{print $1}'`
   [ -n "$MSP_PID" ] && /usr/bin/kill $MSP_PID
   ;;
*)
   echo "Usage: $0 { start | stop }"
   exit 1
   ;;
esac
exit 0

# chown root:root /etc/init.d/sendmail
# chmod 744 /etc/init.d/sendmail

3. Create or update sendmail database files.

$ cd /etc/mail
# touch access mailertable
# makemap hash access < access
# makemap hash mailertable < mailertable
# newaliases

4. If you are using STARTTLS, create a STARTTLS certificate directory, copy the certificates to this directory, and configure file permissions. For information on creating SSL certificates for use with sendmail STARTTLS, please read Securing Sendmail with TLS.

# mkdir /etc/mail/certs
# mv CAcert.pem MYcert.pem MYkey.pem /etc/mail/certs
# cd /etc/mail/certs
# chmod 600 CAcert.pem MYcert.pem MYkey.pem
# chown root CAcert.pem MYcert.pem MYkey.pem

5. If you are using Solaris 7 or later, I strongly recommend mounting the file system containing /var/spool with the noatime and logging options. If you are not using ufs file systems, you may want to investigate if your file system supports journaling (logging) and disabling inode access time updates (noatime).

Changes should be made to /etc/vfstab to use logging and noatime after system boot.

Example /etc/vfstab entry:
/dev/dsk/c1t5d0s0 /dev/rdsk/c1t5d0s0 /var/spool ufs 2 yes nosuid,logging,noatime

These options may also be enabled on a currently mounted file system using the mount command's remount option.

Example:
# mount /var/spool -o remount,logging,noatime

More information:
Why aren't you logging?
comp.mail.sendmail thread
File System Performance: The Solaris OS, UFS, Linux ext3, and ReiserFS

6. Start sendmail.
# /etc/init.d/sendmail start

Back to brandonhutchinson.com.

Last modified: 2006/06/15