{"id":3042,"date":"2018-04-08T15:11:58","date_gmt":"2018-04-08T20:11:58","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=3042"},"modified":"2018-04-27T13:43:21","modified_gmt":"2018-04-27T18:43:21","slug":"running-sendmail-in-a-chroot-jail","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=3042","title":{"rendered":"Running Sendmail In A CHROOT Jail"},"content":{"rendered":"<p>My employer&#8217;s OS-support model restricts root access to members of the Unix support team. Applications are normally installed into a package directory and run under a service ID. While this model works well for <em>most<\/em> applications, sendmail is tightly integrated into the OS and is not readily built into an application directory. We attempted to run sendmail as a non-root user with modified permissions on application directories such as \/var\/spool\/mqueue \u2013 this worked, until OS patches were applied and permissions reset. We needed a way to run sendmail as a non-root user <em>and<\/em> allow the OS support team to patch servers without impacting the sendmail application.<\/p>\n<p>Chroot is a mechanism that uses a supplied directory path as the environment\u2019s root directory. The jailed process, and its children, should not be able to access any part of the file hierarchy outside of the new root. As a security mechanism, the approach has several flaws \u2013 abridged version of the story is that it\u2019s not <em>terribly<\/em> difficult to break out of jail here; and there are far more effective <em>security<\/em> approaches (e.g. SELinux). However, chroot jails have their own copies of system owned directories (such as \/var\/spool\/mqueue), binaries, and libraries. Using a chroot jail will allow us to maintain a sendmail application in the package directory that is not impacted by OS updates.<\/p>\n<p>This approach works on relaying mail servers (i.e. those that queue mail to \/var\/spool\/mqueue and send it on its merry way). 
If sendmail is hosting mailboxes, there are additional challenges to designing a chroot configuration that actually drops messages into mailbox files that users can access.<\/p>\n<p><strong><em>Preliminaries:<\/em><\/strong>\u00a0To copy\/paste, view <a href=\"http:\/\/lisa.rushworth.us\/?p=3042\">the single article<\/a>. Create a service account under which sendmail will run. The installation directory should be owned by the service account user.<\/p>\n<p>Set up the chroot jail location in the installation directory. In this example, that directory is \/smt00p20.<\/p>\n<pre>mkdir \/smt00p20\/sendmail\r\nmkdir \/smt00p20\/sendmail\/dev\r\nmkdir \/smt00p20\/opendkim<\/pre>\n<p>We need a null and random in the sendmail jail. On a command line, run:<\/p>\n<pre># Create sendmail jail \/dev\/null\r\nmknod \/smt00p20\/sendmail\/dev\/null c 1 3\r\n# Create sendmail jail \/dev\/random\r\nmknod \/smt00p20\/sendmail\/dev\/random c 1 8\r\n<\/pre>\n<p>We need an rsyslog socket added under each jail. In \/etc\/rsyslog.conf, add the following:<\/p>\n<pre># additional log sockets for chroot'ed jail\r\n# Idea from <a href=\"http:\/\/www.ispcolohost.com\/2014\/03\/14\/how-to-get-syslog-records-of-chrooted-ssh-sftp-server-activity\/\" target=\"_blank\" rel=\"noopener\">http:\/\/www.ispcolohost.com\/2014\/03\/14\/how-to-get-syslog-records-of-chrooted-ssh-sftp-server-activity\/<\/a>\r\n$AddUnixListenSocket \/smt00p20\/sendmail\/dev\/log\r\n$AddUnixListenSocket \/smt00p20\/opendkim\/dev\/log<\/pre>\n<p>&nbsp;<\/p>\n<p>Additionally, these instructions assume both sendmail and sendmail-cf have been installed on the server. If they have not, you can download the RPMs, unpack them, and copy the files to the appropriate relative jail locations.<\/p>\n<p><strong><em>Chrooting Sendmail<\/em><\/strong><\/p>\n<p>Logged in with the sendmail ID, ensure you have a .bash_profile that loads .bashrc<\/p>\n<pre>-bash-4.2$ cat ~\/.bash_profile\r\nif [ -f ~\/.bashrc ]; then\r\n. 
~\/.bashrc\r\nfi<\/pre>\n<p>Edit ~\/.bashrc and add the following, where smt00p20 is the appropriate installation directory, to allow copy\/paste<\/p>\n<pre>export SENDMAILJAIL=\/smt00p20\/sendmail\r\nexport OPENDKIMJAIL=\/smt00p20\/opendkim<\/pre>\n<p>Log out of the service account and back in (or just source in the .bashrc file). Verify SENDMAILJAIL and OPENDKIMJAIL are set.<\/p>\n<p>Copy a whole heap of \u2018stuff\u2019 into the jail &#8211; this includes some utilities used to troubleshoot issues within the jail which aren&#8217;t strictly needed. I&#8217;ve also unpacked the strace RPM to the respective directories within the jail.<\/p>\n<pre>mkdir $SENDMAILJAIL\/bin\r\nmkdir $SENDMAILJAIL\/etc\r\nmkdir $SENDMAILJAIL\/etc\/alternatives\r\nmkdir $SENDMAILJAIL\/etc\/mail\r\nmkdir $SENDMAILJAIL\/etc\/smrsh\r\nmkdir $SENDMAILJAIL\/lib64\r\nmkdir $SENDMAILJAIL\/lib\r\nmkdir $SENDMAILJAIL\/lib\/tls\r\nmkdir $SENDMAILJAIL\/tmp\r\nmkdir $SENDMAILJAIL\/usr\r\nmkdir $SENDMAILJAIL\/usr\/bin\r\nmkdir $SENDMAILJAIL\/usr\/sbin\r\nmkdir $SENDMAILJAIL\/usr\/lib\r\nmkdir $SENDMAILJAIL\/usr\/lib\/sasl2\r\nmkdir $SENDMAILJAIL\/usr\/lib64\r\nmkdir $SENDMAILJAIL\/var\r\nmkdir $SENDMAILJAIL\/var\/log\r\nmkdir $SENDMAILJAIL\/var\/log\/mail\r\nmkdir $SENDMAILJAIL\/var\/run\r\nmkdir $SENDMAILJAIL\/var\/spool\r\nmkdir $SENDMAILJAIL\/var\/spool\/mqueue\r\nmkdir $SENDMAILJAIL\/var\/spool\/clientmqueue\r\n\r\ncp \/etc\/aliases $SENDMAILJAIL\/etc\/\r\ncp \/etc\/aliases.db $SENDMAILJAIL\/etc\/\r\ncp \/etc\/passwd $SENDMAILJAIL\/etc\/\r\ncp \/etc\/group $SENDMAILJAIL\/etc\/\r\ncp \/etc\/resolv.conf $SENDMAILJAIL\/etc\/\r\ncp \/etc\/host.conf $SENDMAILJAIL\/etc\/\r\ncp \/etc\/nsswitch.conf $SENDMAILJAIL\/etc\/\r\ncp \/etc\/services $SENDMAILJAIL\/etc\/\r\ncp \/etc\/hosts $SENDMAILJAIL\/etc\/\r\ncp \/etc\/localtime $SENDMAILJAIL\/etc\/\r\n\r\n\r\n# If cloning an existing server, scp \/etc\/mail\/* from source to \/smt00p20\/sendmail\/etc\/mail\r\n\r\n# Verify the sendmail.mc has a RUNAS_USER set to the same service 
account you are using - the account on our servers is named 'sendmail'. Our <em>old<\/em> servers are <em>not<\/em> all set up with a runas user, and failing to have one will cause write failures to the jail \/var\/spool\/mqueue\r\n\r\ncp -r \/etc\/mail\/* $SENDMAILJAIL\/etc\/mail\/\r\ncp \/usr\/sbin\/sendmail.sendmail $SENDMAILJAIL\/usr\/sbin\/sendmail.sendmail\r\n\r\ncd \/smt00p20\/sendmail\/etc\/alternatives\r\nln -s ..\/..\/usr\/sbin\/sendmail.sendmail .\/mta\r\n\r\ncd \/smt00p20\/sendmail\/usr\/sbin\r\nln -s ..\/..\/etc\/alternatives\/mta .\/sendmail\r\nln -s .\/sendmail .\/newaliases\r\nln -s .\/sendmail .\/newaliases.sendmail\r\n\r\ncd \/smt00p20\/sendmail\/usr\/bin\r\nln -s ..\/sbin\/sendmail .\/mailq\r\nln -s ..\/sbin\/sendmail .\/mailq.sendmail\r\nln -s ..\/sbin\/sendmail.sendmail .\/hoststat\r\nln -s ..\/sbin\/sendmail.sendmail .\/purgestat\r\nln -s ..\/sbin\/makemap .\/makemap\r\nln -s .\/rmail.sendmail .\/rmail\r\ncp \/usr\/lib64\/libssl.so.10 $SENDMAILJAIL\/usr\/lib64\/libssl.so.10\r\ncp \/usr\/lib64\/libcrypto.so.10 $SENDMAILJAIL\/usr\/lib64\/libcrypto.so.10\r\ncp \/usr\/lib64\/libnsl.so.1 $SENDMAILJAIL\/usr\/lib64\/libnsl.so.1\r\ncp \/usr\/lib64\/libwrap.so.0 $SENDMAILJAIL\/usr\/lib64\/libwrap.so.0\r\ncp \/usr\/lib64\/libhesiod.so.0 $SENDMAILJAIL\/usr\/lib64\/libhesiod.so.0\r\ncp \/usr\/lib64\/libcrypt.so.1 $SENDMAILJAIL\/usr\/lib64\/libcrypt.so.1\r\ncp \/usr\/lib64\/libdb-5.3.so $SENDMAILJAIL\/usr\/lib64\/libdb-5.3.so\r\ncp \/usr\/lib64\/libresolv.so.2 $SENDMAILJAIL\/usr\/lib64\/libresolv.so.2\r\ncp \/usr\/lib64\/libsasl2.so.3 $SENDMAILJAIL\/usr\/lib64\/libsasl2.so.3\r\ncp \/usr\/lib64\/libldap-2.4.so.2 $SENDMAILJAIL\/usr\/lib64\/libldap-2.4.so.2\r\ncp \/usr\/lib64\/liblber-2.4.so.2 $SENDMAILJAIL\/usr\/lib64\/liblber-2.4.so.2\r\ncp \/usr\/lib64\/libc.so.6 $SENDMAILJAIL\/usr\/lib64\/libc.so.6\r\ncp \/usr\/lib64\/libgssapi_krb5.so.2 $SENDMAILJAIL\/usr\/lib64\/libgssapi_krb5.so.2\r\ncp \/usr\/lib64\/libkrb5.so.3 
$SENDMAILJAIL\/usr\/lib64\/libkrb5.so.3\r\ncp \/usr\/lib64\/libcom_err.so.2 $SENDMAILJAIL\/usr\/lib64\/libcom_err.so.2\r\ncp \/usr\/lib64\/libk5crypto.so.3 $SENDMAILJAIL\/usr\/lib64\/libk5crypto.so.3\r\ncp \/usr\/lib64\/libdl.so.2 $SENDMAILJAIL\/usr\/lib64\/libdl.so.2\r\ncp \/usr\/lib64\/libz.so.1 $SENDMAILJAIL\/usr\/lib64\/libz.so.1\r\ncp \/usr\/lib64\/libidn.so.11 $SENDMAILJAIL\/usr\/lib64\/libidn.so.11\r\ncp \/usr\/lib64\/libfreebl3.so $SENDMAILJAIL\/usr\/lib64\/libfreebl3.so\r\ncp \/usr\/lib64\/libpthread.so.0 $SENDMAILJAIL\/usr\/lib64\/libpthread.so.0\r\ncp \/usr\/lib64\/libssl3.so $SENDMAILJAIL\/usr\/lib64\/libssl3.so\r\ncp \/usr\/lib64\/libsmime3.so $SENDMAILJAIL\/usr\/lib64\/libsmime3.so\r\ncp \/usr\/lib64\/libnss3.so $SENDMAILJAIL\/usr\/lib64\/libnss3.so\r\ncp \/usr\/lib64\/libnssutil3.so $SENDMAILJAIL\/usr\/lib64\/libnssutil3.so\r\ncp \/usr\/lib64\/libplds4.so $SENDMAILJAIL\/usr\/lib64\/libplds4.so\r\ncp \/usr\/lib64\/libplc4.so $SENDMAILJAIL\/usr\/lib64\/libplc4.so\r\ncp \/usr\/lib64\/libnspr4.so $SENDMAILJAIL\/usr\/lib64\/libnspr4.so\r\ncp \/usr\/lib64\/ld-linux-x86-64.so.2 $SENDMAILJAIL\/usr\/lib64\/ld-linux-x86-64.so.2\r\ncp \/usr\/lib64\/libkrb5support.so.0 $SENDMAILJAIL\/usr\/lib64\/libkrb5support.so.0\r\ncp \/usr\/lib64\/libkeyutils.so.1 $SENDMAILJAIL\/usr\/lib64\/libkeyutils.so.1\r\ncp \/usr\/lib64\/librt.so.1 $SENDMAILJAIL\/usr\/lib64\/librt.so.1\r\ncp \/usr\/lib64\/libselinux.so.1 $SENDMAILJAIL\/usr\/lib64\/libselinux.so.1\r\ncp \/usr\/lib64\/libpcre.so.1 $SENDMAILJAIL\/usr\/lib64\/libpcre.so.1\r\ncp \/usr\/lib64\/libnss_dns.so.2 $SENDMAILJAIL\/usr\/lib64\/libnss_dns.so.2\r\ncp \/usr\/lib64\/libnss_files.so.2 $SENDMAILJAIL\/usr\/lib64\/libnss_files.so.2\r\n\r\ncd $SENDMAILJAIL\/lib64\r\ncp \/lib64\/libnss_dns-2.17.so $SENDMAILJAIL\/lib64\/libnss_dns-2.17.so\r\nln -s .\/libnss_dns-2.17.so .\/libnss_dns.so.2\r\n\r\ncp \/lib64\/libresolv-2.17.so $SENDMAILJAIL\/lib64\/libresolv-2.17.so\r\nln -s .\/libresolv-2.17.so .\/libresolv.so.2\r\n\r\ncp 
\/lib64\/libnss_files-2.17.so $SENDMAILJAIL\/lib64\/libnss_files-2.17.so\r\nln -s .\/libnss_files-2.17.so .\/libnss_files.so.2\r\n\r\ncd $SENDMAILJAIL\/lib\r\ncp \/lib64\/libnss_dns-2.17.so $SENDMAILJAIL\/lib\/libnss_dns-2.17.so\r\nln -s .\/libnss_dns-2.17.so .\/libnss_dns.so.2\r\n\r\ncp \/lib64\/libresolv-2.17.so $SENDMAILJAIL\/lib\/libresolv-2.17.so\r\nln -s .\/libresolv-2.17.so .\/libresolv.so.2\r\n\r\ncp \/lib64\/libnss_files-2.17.so $SENDMAILJAIL\/lib\/libnss_files-2.17.so\r\nln -s .\/libnss_files-2.17.so .\/libnss_files.so.2\r\n\r\nmkdir $SENDMAILJAIL\/usr\/lib64\/sasl2\r\ncp \/usr\/lib64\/sasl2\/* $SENDMAILJAIL\/usr\/lib64\/sasl2\/\r\n\r\nmkdir $SENDMAILJAIL\/lib64\/sasl2\/\r\ncp \/lib64\/sasl2\/* $SENDMAILJAIL\/lib64\/sasl2\/\r\ncp \/etc\/sasl2\/Sendmail.conf $SENDMAILJAIL\/usr\/lib64\/sasl2\/\r\n\r\nmkdir $SENDMAILJAIL\/etc\/sasl2\r\ncp \/etc\/sasl2\/Sendmail.conf $SENDMAILJAIL\/etc\/sasl2\/\r\n\r\n\r\ncp \/usr\/sbin\/makemap $SENDMAILJAIL\/usr\/sbin\/makemap\r\ncp \/usr\/bin\/rmail.sendmail $SENDMAILJAIL\/usr\/bin\/rmail.sendmail\r\n\r\ncp \/usr\/sbin\/mailstats $SENDMAILJAIL\/usr\/sbin\/mailstats\r\ncp \/usr\/sbin\/makemap $SENDMAILJAIL\/usr\/sbin\/makemap\r\ncp \/usr\/sbin\/praliases $SENDMAILJAIL\/usr\/sbin\/praliases\r\ncp \/usr\/sbin\/smrsh $SENDMAILJAIL\/usr\/sbin\/smrsh\r\n\r\ncp \/lib64\/ld-linux-x86-64.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libc.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcom_err.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcrypt.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcrypto.so.10 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdb-5.3.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdl.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libfreebl3.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libgssapi_krb5.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libhesiod.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libidn.so.11 $SENDMAILJAIL\/lib64\/\r\ncp 
\/lib64\/libk5crypto.so.3 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libkeyutils.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libkrb5.so.3 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libkrb5support.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/liblber-2.4.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libldap-2.4.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libnsl.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libnspr4.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libnss3.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libnssutil3.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpcre.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libplc4.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libplds4.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpthread.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/librt.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libsasl2.so.3 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libselinux.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libsmime3.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libssl.so.10 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libssl3.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libwrap.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libz.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/usr\/lib64\/libk5crypto.so.3 $SENDMAILJAIL\/usr\/lib64\/\r\n\r\ncp \/lib64\/libdns.so.100 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/liblwres.so.90 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libbind9.so.90 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libisccfg.so.90 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libisccc.so.90 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libisc.so.95 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libgssapi_krb5.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libkrb5.so.3 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libk5crypto.so.3 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcom_err.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcrypto.so.10 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcap.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpthread.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libGeoIP.so.1 
$SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libxml2.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libz.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libm.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdl.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libidn.so.11 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libc.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libkrb5support.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libkeyutils.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/ld-linux-x86-64.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libattr.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/liblzma.so.5 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libselinux.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpcre.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/bin\/dig $SENDMAILJAIL\/bin\/\r\n\r\ncp \/lib64\/libtinfo.so.5 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdl.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libc.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/ld-linux-x86-64.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/bin\/bash $SENDMAILJAIL\/bin\/\r\n\r\ncp \/bin\/ls $SENDMAILJAIL\/bin\/\r\ncp \/lib64\/libcap.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libacl.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libc.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpcre.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdl.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/ld-linux-x86-64.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libattr.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpthread.so.0 $SENDMAILJAIL\/lib64\/\r\n\r\ncp \/bin\/vi $SENDMAILJAIL\/bin\/\r\ncp \/usr\/sbin\/pidof $SENDMAILJAIL\/usr\/sbin\/pidof\r\ncp \/lib64\/libprocps.so.4 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libsystemd.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdl.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libc.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcap.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libm.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/librt.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libselinux.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/liblzma.so.5 $SENDMAILJAIL\/lib64\/\r\ncp 
\/lib64\/libgcrypt.so.11 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libgpg-error.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdw.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libgcc_s.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpthread.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/ld-linux-x86-64.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libattr.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpcre.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libelf.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libz.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libbz2.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/bin\/rm $SENDMAILJAIL\/bin\/<\/pre>\n<p>Under your ID, ensure the proper permissions are set on the chroot jail<\/p>\n<pre>sudo chown -R sendmail:mail \/smt00p20\/sendmail\/\r\nsudo chown sendmail \/smt00p20\/sendmail\/var\/spool\/mqueue\r\nsudo chmod 0700 \/smt00p20\/sendmail\/var\/spool\/mqueue\r\nsudo chmod -R go-w \/smt00p20\/sendmail\r\nsudo chmod 0400 \/smt00p20\/sendmail\/etc\/mail\/*.cf<\/pre>\n<p>Now verify it works \u2013 still under your ID as you have sudo permission to run chroot.<\/p>\n<pre>sudo \/sbin\/chroot \/smt00p20\/sendmail \/bin\/ls\r\n# You should see a directory listing like this, not an error\r\nbin\u00a0 dev\u00a0 etc\u00a0 lib\u00a0 lib64\u00a0 tmp\u00a0 usr\u00a0 var<\/pre>\n<p>Assuming there are no problems, run sendmail:<\/p>\n<pre>sudo \/sbin\/chroot \/smt00p20\/sendmail \/usr\/sbin\/sendmail -bd -q5m<\/pre>\n<p>Test sending mail through the server to verify proper functionality.<\/p>\n<p><strong><em>Unit Config: <\/em><\/strong>Edit the systemd unit file and add the \u201cRootDirectory\u201d directive<\/p>\n<p>sudo vi \/etc\/systemd\/system\/multi-user.target.wants\/sendmail.service<\/p>\n<pre>[Unit]\r\nDescription=Sendmail Mail Transport Agent\r\nAfter=syslog.target network.target\r\nConflicts=postfix.service exim.service\r\nWants=sm-client.service\r\n\r\n[Service]\r\nRootDirectory=\/smt00p20\/sendmail\r\nType=forking\r\nStartLimitInterval=0\r\n# Known issue \u2013 
pid causes service hang\/timeout that bothers Unix guys\r\n# <a href=\"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1253840\" target=\"_blank\" rel=\"noopener\">https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1253840<\/a>\r\n#PIDFile=\/run\/sendmail.pid\r\nEnvironment=SENDMAIL_OPTS=-q15m\r\nEnvironmentFile=-\/smt00p20\/sendmail\/etc\/sysconfig\/sendmail\r\nExecStart=\/usr\/sbin\/sendmail -bd $SENDMAIL_OPTS $SENDMAIL_OPTARG\r\n\r\n[Install]\r\nWantedBy=multi-user.target\r\nAlso=sm-client.service<\/pre>\n<p>Then run \u201csystemctl daemon-reload\u201d to ingest the changes.<\/p>\n<p>You can now use systemctl to start and stop the sendmail service.<\/p>\n<p><strong><em>Chrooting opendkim<\/em><\/strong><\/p>\n<p>Create the chroot jail and lib64 directory, create the base directories, then add a few core Linux files so you have a bash shell:<\/p>\n<pre>mkdir -p $OPENDKIMJAIL\r\nmkdir $OPENDKIMJAIL\/lib64\r\nmkdir -p $OPENDKIMJAIL\/usr\/lib64\r\nmkdir -p $OPENDKIMJAIL\/usr\/lib\r\nmkdir $OPENDKIMJAIL\/bin\r\nmkdir $OPENDKIMJAIL\/etc\r\n\r\ncp \/lib64\/libtinfo.so.5 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libdl.so.2 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libc.so.6 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/ld-linux-x86-64.so.2 $OPENDKIMJAIL\/lib64\/\r\n\r\ncp \/bin\/bash $OPENDKIMJAIL\/bin\/\r\ncp \/lib64\/libstdc++.so.6* $OPENDKIMJAIL\/lib64\r\ncp \/lib64\/libm.so.6 $OPENDKIMJAIL\/lib64\r\ncp \/lib64\/libgcc_s.so.1 $OPENDKIMJAIL\/lib64\r\ncp \/lib64\/libnss_files* $OPENDKIMJAIL\/lib64\/<\/pre>\n<p>Unpack the following RPMs:<\/p>\n<pre>rpm2cpio opendkim-2.11.0-0.1.el7.x86_64.rpm | cpio -idmv\r\nrpm2cpio libopendkim-2.11.0-0.1.el7.x86_64.rpm | cpio -idmv\r\nrpm2cpio sendmail-milter-8.14.7-5.el7.x86_64.rpm | cpio -idmv\r\nrpm2cpio opendbx-1.4.6-6.el7.x86_64.rpm | cpio -idmv\r\nrpm2cpio libmemcached-1.0.16-5.el7.x86_64.rpm | cpio -idvm\r\nrpm2cpio libbsd-0.6.0-3.el7.elrepo.x86_64.rpm | cpio -idvm<\/pre>\n<p>Then move the unpacked files into the corresponding location in the $OPENDKIMJAIL directory.<\/p>\n<p>Copy host 
configuration &#8216;stuff&#8217; from \/etc<\/p>\n<pre>cp \/etc\/aliases $OPENDKIMJAIL\/etc\/\r\ncp \/etc\/aliases.db $OPENDKIMJAIL\/etc\/\r\ncp \/etc\/passwd $OPENDKIMJAIL\/etc\/\r\ncp \/etc\/group $OPENDKIMJAIL\/etc\/\r\ncp \/etc\/resolv.conf $OPENDKIMJAIL\/etc\/\r\ncp \/etc\/host.conf $OPENDKIMJAIL\/etc\/\r\ncp \/etc\/nsswitch.conf $OPENDKIMJAIL\/etc\/\r\ncp \/etc\/services $OPENDKIMJAIL\/etc\/\r\ncp \/etc\/hosts $OPENDKIMJAIL\/etc\/\r\ncp \/etc\/localtime $OPENDKIMJAIL\/etc\/<\/pre>\n<p>Copy some more files:<\/p>\n<pre>cp \/lib64\/libcom_err.so.2 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libcrypt.so.1 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libcrypto.so.10 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libdb-5.3.so $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libfreebl3.so $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libgssapi_krb5.so.2 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libk5crypto.so.3 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libkeyutils.so.1 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libkrb5.so.3 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libkrb5support.so.0 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/liblber-2.4.so.2 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libldap-2.4.so.2 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libnspr4.so $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libnss3.so $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libnssutil3.so $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libpcre.so.1 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libplc4.so $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libplds4.so $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libpthread.so.0 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libresolv.so.2 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/librt.so.1 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libsasl2.so.3 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libselinux.so.1 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libsmime3.so $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libssl.so.10 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libssl3.so $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libz.so.1 $OPENDKIMJAIL\/lib64\/\r\ncp \/usr\/lib64\/libssl.so.10 
$OPENDKIMJAIL\/usr\/lib64\/\r\n\r\ncp $OPENDKIMJAIL\/usr\/lib64\/libmilter.so.1.0 $OPENDKIMJAIL\/usr\/lib\/\r\ncp $OPENDKIMJAIL\/usr\/lib64\/libmilter.so.1.0.1 $OPENDKIMJAIL\/usr\/lib\/\r\n\r\ncp $OPENDKIMJAIL\/usr\/lib64\/libmilter.so.1.0 $OPENDKIMJAIL\/lib64\/\r\ncp $OPENDKIMJAIL\/usr\/lib64\/libmilter.so.1.0.1 $OPENDKIMJAIL\/lib64\/\r\n<\/pre>\n<p>Configure OpenDKIM ($OPENDKIMJAIL\/etc\/opendkim.conf) and populate keys (copy from server being replaced or generate new keys). Then, under your ID, run:<\/p>\n<pre>sudo \/sbin\/chroot \/smt00p20\/opendkim \/usr\/sbin\/opendkim -u sendmail -v<\/pre>\n<p>The systemd unit file, \/usr\/lib\/systemd\/system\/opendkim.service, needs to contain:<\/p>\n<pre># If you are using OpenDKIM with SQL datasets it might be necessary to start OpenDKIM after the database servers.\r\n# For example, if using both MariaDB and PostgreSQL, change \"After=\" in the \"[Unit]\" section to:\r\n# After=network.target nss-lookup.target syslog.target mariadb.service postgresql.service\r\n\r\n[Unit]\r\nDescription=DomainKeys Identified Mail (DKIM) Milter\r\nDocumentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http:\/\/www.opendkim.org\/docs.html\r\nAfter=network.target nss-lookup.target syslog.target\r\n\r\n[Service]\r\nRootDirectory=\/smt00p20\/opendkim\r\nType=forking\r\nPIDFile=\/smt00p20\/opendkim\/var\/run\/opendkim\/opendkim.pid\r\nEnvironmentFile=-\/etc\/sysconfig\/opendkim\r\nExecStart=\/usr\/sbin\/opendkim -u sendmail -v $OPTIONS\r\nExecReload=\/bin\/kill -USR1 
$MAINPID\r\nUser=sendmail\r\nGroup=mail\r\n\r\n[Install]\r\nWantedBy=multi-user.target<\/pre>\n<p>&nbsp;<\/p>\n<p><strong>Upgrading Sendmail \u2013 After Unix Applies Patches<\/strong><\/p>\n<p>This process grabs a new copy of sendmail, associated diagnostic utilities, and their dependencies from the OS installation. If you want to apply patches prior to Unix support doing so, you can stage a sendmail build (everything up to \u2018make install\u2019) and copy the files out or, if an updated RPM is in the repo but just not installed, download the RPMs, unpack them, and copy the files in. I would do that <em>in addition to<\/em> (and after) this process to ensure library updates are reflected in our jailed sendmail installation (i.e. if there\u2019s an update to the crypto libraries, we get those updates).<\/p>\n<pre>cp \/usr\/sbin\/sendmail.sendmail $SENDMAILJAIL\/usr\/sbin\/sendmail.sendmail\r\ncp \/usr\/lib64\/libssl.so.10 $SENDMAILJAIL\/usr\/lib64\/libssl.so.10\r\ncp \/usr\/lib64\/libcrypto.so.10 $SENDMAILJAIL\/usr\/lib64\/libcrypto.so.10\r\ncp \/usr\/lib64\/libnsl.so.1 $SENDMAILJAIL\/usr\/lib64\/libnsl.so.1\r\ncp \/usr\/lib64\/libwrap.so.0 $SENDMAILJAIL\/usr\/lib64\/libwrap.so.0\r\ncp \/usr\/lib64\/libhesiod.so.0 $SENDMAILJAIL\/usr\/lib64\/libhesiod.so.0\r\ncp \/usr\/lib64\/libcrypt.so.1 $SENDMAILJAIL\/usr\/lib64\/libcrypt.so.1\r\ncp \/usr\/lib64\/libdb-5.3.so $SENDMAILJAIL\/usr\/lib64\/libdb-5.3.so\r\ncp \/usr\/lib64\/libresolv.so.2 $SENDMAILJAIL\/usr\/lib64\/libresolv.so.2\r\ncp \/usr\/lib64\/libsasl2.so.3 $SENDMAILJAIL\/usr\/lib64\/libsasl2.so.3\r\ncp \/usr\/lib64\/libldap-2.4.so.2 $SENDMAILJAIL\/usr\/lib64\/libldap-2.4.so.2\r\ncp \/usr\/lib64\/liblber-2.4.so.2 $SENDMAILJAIL\/usr\/lib64\/liblber-2.4.so.2\r\ncp \/usr\/lib64\/libc.so.6 $SENDMAILJAIL\/usr\/lib64\/libc.so.6\r\ncp \/usr\/lib64\/libgssapi_krb5.so.2 $SENDMAILJAIL\/usr\/lib64\/libgssapi_krb5.so.2\r\ncp \/usr\/lib64\/libkrb5.so.3 $SENDMAILJAIL\/usr\/lib64\/libkrb5.so.3\r\ncp 
\/usr\/lib64\/libcom_err.so.2 $SENDMAILJAIL\/usr\/lib64\/libcom_err.so.2\r\ncp \/usr\/lib64\/libk5crypto.so.3 $SENDMAILJAIL\/usr\/lib64\/libk5crypto.so.3\r\ncp \/usr\/lib64\/libdl.so.2 $SENDMAILJAIL\/usr\/lib64\/libdl.so.2\r\ncp \/usr\/lib64\/libz.so.1 $SENDMAILJAIL\/usr\/lib64\/libz.so.1\r\ncp \/usr\/lib64\/libidn.so.11 $SENDMAILJAIL\/usr\/lib64\/libidn.so.11\r\ncp \/usr\/lib64\/libfreebl3.so $SENDMAILJAIL\/usr\/lib64\/libfreebl3.so\r\ncp \/usr\/lib64\/libpthread.so.0 $SENDMAILJAIL\/usr\/lib64\/libpthread.so.0\r\ncp \/usr\/lib64\/libssl3.so $SENDMAILJAIL\/usr\/lib64\/libssl3.so\r\ncp \/usr\/lib64\/libsmime3.so $SENDMAILJAIL\/usr\/lib64\/libsmime3.so\r\ncp \/usr\/lib64\/libnss3.so $SENDMAILJAIL\/usr\/lib64\/libnss3.so\r\ncp \/usr\/lib64\/libnssutil3.so $SENDMAILJAIL\/usr\/lib64\/libnssutil3.so\r\ncp \/usr\/lib64\/libplds4.so $SENDMAILJAIL\/usr\/lib64\/libplds4.so\r\ncp \/usr\/lib64\/libplc4.so $SENDMAILJAIL\/usr\/lib64\/libplc4.so\r\ncp \/usr\/lib64\/libnspr4.so $SENDMAILJAIL\/usr\/lib64\/libnspr4.so\r\ncp \/usr\/lib64\/ld-linux-x86-64.so.2 $SENDMAILJAIL\/usr\/lib64\/ld-linux-x86-64.so.2\r\ncp \/usr\/lib64\/libkrb5support.so.0 $SENDMAILJAIL\/usr\/lib64\/libkrb5support.so.0\r\ncp \/usr\/lib64\/libkeyutils.so.1 $SENDMAILJAIL\/usr\/lib64\/libkeyutils.so.1\r\ncp \/usr\/lib64\/librt.so.1 $SENDMAILJAIL\/usr\/lib64\/librt.so.1\r\ncp \/usr\/lib64\/libselinux.so.1 $SENDMAILJAIL\/usr\/lib64\/libselinux.so.1\r\ncp \/usr\/lib64\/libpcre.so.1 $SENDMAILJAIL\/usr\/lib64\/libpcre.so.1\r\ncp \/usr\/lib64\/libnss_dns.so.2 $SENDMAILJAIL\/usr\/lib64\/libnss_dns.so.2\r\ncp \/usr\/lib64\/libnss_files.so.2 $SENDMAILJAIL\/usr\/lib64\/libnss_files.so.2\r\ncp \/lib64\/libnss_dns-2.17.so $SENDMAILJAIL\/lib64\/libnss_dns-2.17.so\r\ncp \/lib64\/libresolv-2.17.so $SENDMAILJAIL\/lib64\/libresolv-2.17.so\r\ncp \/lib64\/libnss_files-2.17.so $SENDMAILJAIL\/lib64\/libnss_files-2.17.so\r\ncp \/lib64\/libnss_dns-2.17.so $SENDMAILJAIL\/lib\/libnss_dns-2.17.so\r\ncp \/lib64\/libresolv-2.17.so 
$SENDMAILJAIL\/lib\/libresolv-2.17.so\r\ncp \/lib64\/libnss_files-2.17.so $SENDMAILJAIL\/lib\/libnss_files-2.17.so\r\ncp \/usr\/lib64\/sasl2\/* $SENDMAILJAIL\/usr\/lib64\/sasl2\/\r\ncp \/lib64\/sasl2\/* $SENDMAILJAIL\/lib64\/sasl2\/\r\ncp \/etc\/sasl2\/Sendmail.conf $SENDMAILJAIL\/usr\/lib64\/sasl2\/\r\ncp \/etc\/sasl2\/Sendmail.conf $SENDMAILJAIL\/etc\/sasl2\/\r\ncp \/usr\/sbin\/makemap $SENDMAILJAIL\/usr\/sbin\/makemap\r\ncp \/usr\/bin\/rmail.sendmail $SENDMAILJAIL\/usr\/bin\/rmail.sendmail\r\ncp \/usr\/sbin\/mailstats $SENDMAILJAIL\/usr\/sbin\/mailstats\r\ncp \/usr\/sbin\/makemap $SENDMAILJAIL\/usr\/sbin\/makemap\r\ncp \/usr\/sbin\/praliases $SENDMAILJAIL\/usr\/sbin\/praliases\r\ncp \/usr\/sbin\/smrsh $SENDMAILJAIL\/usr\/sbin\/smrsh\r\n\r\ncp \/lib64\/ld-linux-x86-64.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libc.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcom_err.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcrypt.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcrypto.so.10 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdb-5.3.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdl.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libfreebl3.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libgssapi_krb5.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libhesiod.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libidn.so.11 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libk5crypto.so.3 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libkeyutils.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libkrb5.so.3 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libkrb5support.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/liblber-2.4.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libldap-2.4.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libnsl.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libnspr4.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libnss3.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libnssutil3.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpcre.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libplc4.so 
$SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libplds4.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpthread.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/librt.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libsasl2.so.3 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libselinux.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libsmime3.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libssl.so.10 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libssl3.so $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libwrap.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libz.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/usr\/lib64\/libk5crypto.so.3 $SENDMAILJAIL\/usr\/lib64\/\r\n\r\ncp \/lib64\/libdns.so.100 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/liblwres.so.90 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libbind9.so.90 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libisccfg.so.90 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libisccc.so.90 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libisc.so.95 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libgssapi_krb5.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libkrb5.so.3 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libk5crypto.so.3 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcom_err.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcrypto.so.10 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcap.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpthread.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libGeoIP.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libxml2.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libz.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libm.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdl.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libidn.so.11 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libc.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libkrb5support.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libkeyutils.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/ld-linux-x86-64.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libattr.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/liblzma.so.5 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libselinux.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpcre.so.1 
$SENDMAILJAIL\/lib64\/\r\ncp \/bin\/dig $SENDMAILJAIL\/bin\/\r\n\r\ncp \/lib64\/libtinfo.so.5 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdl.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libc.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/ld-linux-x86-64.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/bin\/bash $SENDMAILJAIL\/bin\/\r\n\r\ncp \/bin\/ls $SENDMAILJAIL\/bin\/\r\ncp \/lib64\/libcap.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libacl.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libc.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpcre.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdl.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/ld-linux-x86-64.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libattr.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpthread.so.0 $SENDMAILJAIL\/lib64\/\r\n\r\ncp \/bin\/vi $SENDMAILJAIL\/bin\/\r\ncp \/usr\/sbin\/pidof $SENDMAILJAIL\/usr\/sbin\/pidof\r\ncp \/lib64\/libprocps.so.4 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libsystemd.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdl.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libc.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libcap.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libm.so.6 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/librt.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libselinux.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/liblzma.so.5 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libgcrypt.so.11 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libgpg-error.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libdw.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libgcc_s.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpthread.so.0 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/ld-linux-x86-64.so.2 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libattr.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libpcre.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libelf.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libz.so.1 $SENDMAILJAIL\/lib64\/\r\ncp \/lib64\/libbz2.so.1 $SENDMAILJAIL\/lib64\/\r\n\r\ncp \/bin\/rm $SENDMAILJAIL\/bin\/<\/pre>\n<p>&nbsp;<\/p>\n<p>Under your ID, ensure the proper 
permissions are set on the chroot jail<\/p>\n<pre>sudo chown -R sendmail:mail \/smt00p20\/sendmail\/\r\nsudo chown sendmail \/smt00p20\/sendmail\/var\/spool\/mqueue\r\nsudo chmod 0700 \/smt00p20\/sendmail\/var\/spool\/mqueue\r\nsudo chmod -R go-w \/smt00p20\/sendmail\r\nsudo chmod 0400 \/smt00p20\/sendmail\/etc\/mail\/*.cf<\/pre>\n<p>Then start sendmail and verify functionality.<\/p>\n<p><strong>Updating OpenDKIM<\/strong><\/p>\n<pre>cp \/lib64\/libtinfo.so.5 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libdl.so.2 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/libc.so.6 $OPENDKIMJAIL\/lib64\/\r\ncp \/lib64\/ld-linux-x86-64.so.2 $OPENDKIMJAIL\/lib64\/\r\ncp \/bin\/bash $OPENDKIMJAIL\/bin\/\r\ncp \/lib64\/libstdc++.so.6* $OPENDKIMJAIL\/lib64\r\ncp \/lib64\/libm.so.6 $OPENDKIMJAIL\/lib64\r\ncp \/lib64\/libgcc_s.so.1 $OPENDKIMJAIL\/lib64\r\ncp \/lib64\/libnss_files* $OPENDKIMJAIL\/lib64\/<\/pre>\n<p>&nbsp;<\/p>\n<p>If there is an update to the opendkim packages, unpack the updated RPM files and move the new files into the corresponding jail locations.<\/p>\n<pre>rpm2cpio opendkim-2.11.0-0.1.el7.x86_64.rpm | cpio -idmv\r\nrpm2cpio libopendkim-2.11.0-0.1.el7.x86_64.rpm | cpio -idmv\r\nrpm2cpio sendmail-milter-8.14.7-5.el7.x86_64.rpm | cpio -idmv\r\nrpm2cpio opendbx-1.4.6-6.el7.x86_64.rpm | cpio -idmv\r\nrpm2cpio libmemcached-1.0.16-5.el7.x86_64.rpm | cpio -idvm\r\nrpm2cpio libbsd-0.6.0-3.el7.elrepo.x86_64.rpm | cpio -idvm<\/pre>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>My employer&#8217;s OS-support model restricts root access to members of the Unix support team. Applications are normally installed into a package directory and run under a service ID. While this model works well for most applications, sendmail is tightly integrated into the OS and is not readily built into an application directory. 
We attempted to &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[567,294,259],"class_list":["post-3042","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-chroot","tag-linux","tag-sendmail"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3042","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3042"}],"version-history":[{"count":10,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3042\/revisions"}],"predecessor-version":[{"id":3117,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3042\/revisions\/3117"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3042"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3042"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3042"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}