Obtain the Source
The latest release of sendmail is available via:
When you download the source you must select one file from many that are listed. In addition to selecting the version you want, you must choose between two forms of compressed tar(1) distributions. Those that end in .Z are compressed with Unix compress(1); those that end in .gz are compressed with GNU gzip(1). The latter is the preferred form because the file is smaller and therefore quicker to transfer.
In addition to the two forms of distribution, each release has a PGP signature file associated with it. This is a signature of the uncompressed file, so you need to uncompress the tar(1) file before verifying it.
To verify V8.5 or earlier distributions, get Eric Allman’s public key by sending email to email@example.com with the following subject line:
Subject: MGET Allman
Eric Allman’s public key will be mailed back to you a few minutes later. Save that returned email to a file—for example, /tmp/eric.asc—and add that key to your public “keyring” with the command:
% pgp -ka /tmp/eric.asc ← for pgp version 2.x
% pgpk -a /tmp/eric.asc ← for pgp version 5.x
For V8.6 and above, you download a special signing key from www.sendmail.org, instead of Eric’s key. The fingerprint for the signing key is:
CA AE F2 94 3B 1D 41 3C 94 7B 72 5F AE 0B 6A 11 ← 1997
F9 32 40 A1 3B 3A B6 DE B2 98 6A 70 AF 54 9D 26 ← 1998
25 73 4C 8E 94 B1 E8 EA EA 9B A4 D6 00 51 C3 71 ← 1999
81 8C ...
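The two checks described above, as an added shell example that is not part of the original text: it compares the fingerprint your PGP tool prints for the signing key against the three complete fingerprints listed here, and it uncompresses the distribution so the signature can be checked against the tar(1) file it covers. The function names and the script's usage are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original text): pin the signing-key fingerprint
# and stage the uncompressed tar file that the PGP signature actually covers.

# The three complete fingerprints listed above (1997, 1998, 1999).
PINNED_FPRS='CA AE F2 94 3B 1D 41 3C 94 7B 72 5F AE 0B 6A 11
F9 32 40 A1 3B 3A B6 DE B2 98 6A 70 AF 54 9D 26
25 73 4C 8E 94 B1 E8 EA EA 9B A4 D6 00 51 C3 71'

# Strip separators and upper-case, so "ca:ae:..." and "CA AE ..." compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF'
}

# Succeeds only if $1 is a full 16-byte fingerprint found in the pinned list.
# A truncated or partial fingerprint is rejected, never prefix-matched.
fpr_is_pinned() {
    want=$(norm_fpr "$1")
    [ "${#want}" -eq 32 ] || return 1
    case "$want" in *[!0-9A-F]*) return 1 ;; esac
    printf '%s\n' "$PINNED_FPRS" | tr -d ' ' | grep -qxF -- "$want"
}

# Uncompress $1 (.gz or .Z) beside itself, keep the original, print the new path.
# gzip -d reads both gzip(1) and compress(1) output.
unpack_for_verify() {
    case "$1" in
        *.gz) out=${1%.gz} ;;
        *.Z)  out=${1%.Z} ;;
        *)    echo "not a .gz or .Z distribution: $1" >&2; return 2 ;;
    esac
    gzip -dc "$1" > "$out" || { rm -f "$out"; return 1; }
    printf '%s\n' "$out"
}

# Usage (hypothetical): sh stage.sh <distribution.tar.gz> "<fingerprint shown by PGP>"
if [ "$#" -eq 2 ]; then
    fpr_is_pinned "$2" || { echo "fingerprint is not a pinned signing key" >&2; exit 1; }
    tarfile=$(unpack_for_verify "$1") || exit 1
    echo "verify the signature file against: $tarfile"
fi
```

Checking the signature against the .gz or .Z file itself fails even for a genuine release, because the signed bytes are those of the uncompressed tar(1) file.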