Sendmail Update

If you're as security conscious as I am then you're probably on the CERT mailing list. If so then you likely received an e-mail alert regarding a sendmail vulnerability, one which could affect a vast number of servers. It has some rather nasty potential as it lives in headers, not the body content or attachments. I was vulnerable according to the alert so I shut down my sendmail and fetchmail processes and attempted to apply the fix.

And here's where it gets a bit gnarly. I run a mutated version of Red Hat Linux, combining elements as needed to support various applications. It started off as a 5.2 system but was subsequently upgraded to 6.2 with other bits and pieces as required. I've saved all of my RPMs so I'll be able to restore the system back to the current state but it's not exactly a "default configuration" any more. My customizations are fairly typical but these are all backed-up as well.

I went to the Red Hat site identified in the CERT alert and downloaded the sendmail RPM (Red Hat Package Manager) for 6.2. Trying to install the upgrade failed the prerequisites test. I'm used to this, sometimes having to track down and install half a dozen dependencies just to be able to get to the point where the desired package will install. So I chose to go with the source RPM (SRPM) instead. This approach utilizes the resources already installed on the system instead of requiring upgrades of all sorts of unrelated packages which might end up breaking some of my existing applications. I then applied the patch, which is simply a matter of typing the following command at the shell prompt:

$ patch -p0 < sendmail.8.11.6.security.cr.patch

Sendmail is supposed to install uneventfully on a wide range of *NIX platforms, Linux included. As with many other packages, however, the documentation isn't always as detailed as it could be. I was able to determine that I needed to download the Berkeley DB package from sleepycat.com. This was somewhat surprising since the dbm packages have been part of UNIX since at least the PWB (Programmer WorkBench, sort of a version 6.5) days back in the mid-seventies. I was surprised that ndbm (new dbm) wasn't included as a standard part of Linux.

With that installed it was a matter of more digging through the sendmail documentation to figure out that I needed a configuration file in the devtools/Site subdirectory called site.config.m4. Here are the contents of the file:

define(`confMAPDEF', `-DNEWDB')
define(`confINCDIRS', `-I/usr/local/BerkeleyDB.4.1/include')
define(`confLIBDIRS', `-L/usr/local/BerkeleyDB.4.1/lib')
define(`confLIBS', `-ldb-4.1')

Now it was simply a matter of typing the following command at the shell prompt in the sendmail directory:

$ sh Build -c -f `pwd`/devtools/Site/site.config.m4

Now this is all covered in the documentation, albeit a tad obliquely. What wasn't covered was the minor detail of compilation failing when calling DB->open. Some digging through the Berkeley DB documentation showed that in version 4 they included a transaction identifier in the argument list for the open function. A value of NULL is acceptable if you're not using transactions. Here are the diffs for the original and modified code using the 8.11.6 source base:

libsmdb/smdb2.c:

530a531,533
> #if DB_VERSION_MAJOR > 3
> 	result = (*db)->open(*db, NULL, db_name, NULL, db_type, db_flags, 0644);
> #else
531a535
> #endif

sendmail/map.c:

1634a1635,1638
> #if DB_VERSION_MAJOR > 3
> 			ret = db->open(db, NULL, buf, NULL, dbtype, flags,
> 			  DBMMODE);
> #else
1635a1640
> #endif

sendmail/udb.c:

1005a1006,1014
> #if DB_VERSION_MAJOR > 3
> 					ret = up->udb_dbp->open(up->udb_dbp,
> 								NULL,
> 								up->udb_dbname,
> 								NULL,
> 								DB_BTREE,
> 								flags,
> 								0644);
> #else
1011a1021
> #endif

Nothing earth-shattering, although I did send this information to sendmail.org for the benefit of others. It's also why I'm writing this document: to help others who may be going through this process. Anyway, run the Build again and it compiles cleanly. Become the super-user and run this command:

# sh Build install

Everything gets installed into the appropriate places and you can restart sendmail. I usually just run the start script from the run commands (rc) directory. Doing that the first time gave me an unresolved symbol error. I had to include the DB library in the LD_LIBRARY_PATH environment variable. So here's what the session looked like:

# LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/BerkeleyDB.4.1/lib
# export LD_LIBRARY_PATH
# /etc/rc.d/rc3.d/S80sendmail start

One final warning: you also need to update your /etc/ld.so.conf file or else the library won't be found the next time you reboot and sendmail will not get started. And don't forget to run ldconfig as root so that your mail applications will actually be able to find the libraries; setting LD_LIBRARY_PATH doesn't work (except for the superuser, for some strange reason).

Total elapsed time: about four hours. That included downloading the source RPM, the Berkeley DB source package and the patch. I then had to build the DB package, figure out the configuration file (lots of README files in the sendmail source distribution) and compile and install sendmail. So if you're trying to secure your system and don't want to reinvent the wheel, follow along and you should be up and running in less than an hour. Cheers!

March 3rd, 2003