11.1 Overview of the Queue

The sendmail queue is implemented by placing held messages into one or more directories. Prior to V8.10, there was only one directory, and its name was usually mqueue. Now, the directory or directories to be used are specified in the configuration file with the QueueDirectory option (QueueDirectory):

OQ/var/spool/mqueue                     pre-V8.7 form
O QueueDirectory=/var/spool/mqueue      beginning with V8.7
O QueueDirectory=/var/queues/q.*        V8.10 multiple directories

If the QueueDirectory option is missing, the name defaults to mqueue. The location should never be relative (as mqueue). When it is wrongly specified as a relative path name, it is taken as relative to the location where sendmail is run. Because the sendmail daemon is typically started from an rc file at boot time, such relative locations are usually relative to the root (/) directory.^[1]

^[1] Of course, if sendmail is started somewhere else or by someone else, the queue directory will be a subdirectory under that other starting directory.

After sendmail has processed its configuration file, it does a chdir(2) into its base queue directory and does all the rest of its work from there. In the first two lines of the previous example, the base queue directory is /var/spool/mqueue. In the last line, the base queue directory is /var/queues. This change into the base queue directory has three side effects:

• Should the sendmail program fault and produce a core dump, the core image is left in the base queue directory.

• Any relative pathnames that are given to options in the configuration file are interpreted as relative to the base queue directory. (This is not true for the F configuration command, Section 22.1.2. Those files are processed at the same time as the configuration file, before the chdir.)

• If you use V8.12 and above queue groups (Section 11.4), all the queues used by those queue groups must be subdirectories of the base queue directory.

The base queue directory, and all subdirectories under it, should be set to have very narrow permissions. They must be owned by root. We (and CERT) recommend a mode of 0700. Prior to V8 sendmail, such narrow permissions would cause C-shell scripts run from a ~/.forward file to fail. V8 sendmail lets you specify alternative directories in which to run programs (see the D= delivery agent equate, D=). This allows you to use mode 0700 queue directories without the associated problems.

As a further precaution, all the components of the path leading to the queue directories should be owned by root and be writable only by root. In the case of our example of /var/spool/mqueue, permissions should look like this:

drwxr-xr-x  root    /
drwxr-xr-x  root    /var/
drwxr-xr-x  root    /var/spool/
drwx------  root    /var/spool/mqueue/

For additional security, see the restrictmailq keyword for the PrivacyOptions option (PrivacyOptions). It allows only users in the same group as the group ownership of the queue directory to be able to print its contents with mailq or -bp (Section 11.6).