Tuesday, December 4, 2012

Basic Sendmail configuration

Sendmail is the default MTA on the RedHat Linux distribution. Do NOT use linuxconf to configure sendmail as it has NOT been updated to work with current versions of sendmail!!! (The tool linuxconf is no longer included with current versions of Red Hat Linux 7.3+)
RPM packages required: sendmail, sendmail-cf and m4
Ubuntu/Debian install: sudo apt-get install sendmail sendmail-base sendmail-bin sendmail-cf mailutils
Sendmail receives mail for local system user login accounts. Mail is held in a single file: /var/mail/userID
Steps to run mail server using sendmail:
  1. Required for inbound mail: The mail server must be identified by the DNS as the mail server in order to receive mail. See the YoLinux web tutorial on configuring DNS.
  2. /etc/mail/local-host-names (Required) (Red Hat 7.1 - Fedora Core 3)
    /etc/sendmail.cw (Red Hat 6.x) This file contains all of the alternate host names of the server. (i.e. domain-name.com) Sendmail will not accept mail for a domain unless it is permitted to do so by the contents of this file.
    Sample:
    megawebhost.com
    yolinux.com
    yo-linux.com
        

  3. File /etc/aliases (Optional) lists alternative names for email recipients.
    Sample:
    webmaster: john, dave
    postmaster: kim, garret
    larry.anderson: larry
    moe.anderson: moe
    curly.anderson: curly
        
    After creation or modification one must run the command newaliases, which generates a new version of the file /etc/aliases.db. There is no need to restart the sendmail daemon. The changes are picked up automatically.
  4. File /etc/mail/virtusertable (Optional) Allows the separation of emails by domain. i.e. greg@domain1.com and greg@domain2.com go to two different users greg1 and greg2.
    webmaster@domain-1.com   dave
    webmaster@domain-2.com   john
    john@domain-2.com        john
    @domain-2.com            error:nouser User unknown
    @domain3.com             mathew
        
    The second column is the local user, a remote forwarding email address or a mailing list entry in /etc/aliases.
    The domain "domain-2.com" will only receive email for john@domain-2.com and webmaster@domain-2.com while all other mail to this domain receives an error message.
    Convert /etc/mail/virtusertable to /etc/mail/virtusertable.db with the commands:
    • cd /etc/mail
    • make

  5. Relaying and receiving mail is controlled by the file: /etc/mail/access. By default relaying is only allowed by localhost and sendmail will accept mail from all. (Red Hat 7.1 default is more strict but the restriction is not from the access file. More below.)
    Required for outbound email. Helpful for blocking some unwanted inbound email.
    localhost.localdomain           RELAY
    localhost                       RELAY
    127.0.0.1                       RELAY
        
    Generate database file:
        [root prompt]# makemap hash /etc/mail/access.db < /etc/mail/access
        
    The access file can be used to thwart spammers. List the IP addresses or email addresses to deny in the file: /etc/mail/access
    After adding entries to the access file, generate the database file with the command above.
    XXX.XXX.XXX.XXX                 REJECT
    YYY.YYY.YYY.YYY                 ERROR:"550 We don't accept mail from spammers"
    spammer@isp.com                 REJECT " Spam not accepted"
    ZZZ.ZZZ.ZZZ.ZZZ                 OK              - Override rules and allow
    ZZZ.ZZZ                         OK              - Allow from ZZZ.ZZZ.*.* network
        
    See the /etc/mail/access file I am currently using. It changes daily. Feel free to cut and paste this Sendmail access file to your system.
    Other access lists: Sendmail.org: More info on cf-readme (See Anti-Spam section)
  6. Sendmail must be running. See the YoLinux init tutorial to learn how the sendmail daemon can be configured to be started by the system upon system boot. This may have been configured during installation.
The default configuration is fairly secure and usable. For Red Hat 6 and earlier systems, you are ready to mail. For Red Hat 7 systems, there is one more step. See changes below required to receive mail.
Note: A user defined in the aliases file is valid for all domains hosted by the system, unless you have configured virtual hosting.
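
A review pass over the access file from step 5, as an added example that is not part of the original page: it lists every RELAY entry beyond the loopback defaults, every OK entry that covers a whole network prefix, and keys that appear with two different actions. The function names, the finding labels and the sample entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example: review an access map before running makemap on it.
# review_access [FILE] prints one finding per line (reads stdin without FILE).
review_access() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        key = tolower($1); act = toupper($2)
        sub(/:.*/, "", act)                     # ERROR:"550 ..." becomes ERROR
        n = split(key, oct, ".")
        isip = (key ~ /^[0-9]+(\.[0-9]+)*$/)    # full or partial dotted address
        if ((key in seen) && seen[key] != act)
            printf "CONFLICT %s: %s then %s\n", key, seen[key], act
        seen[key] = act
        # Anything allowed to relay besides the loopback defaults needs an owner.
        if (act == "RELAY" && key !~ /^(localhost|localhost\.localdomain|127\.0\.0\.1)$/)
            printf "RELAY-REVIEW %s (%s)\n", key, (isip ? n "-octet address" : "name")
        # OK on a partial address exempts the whole network it covers.
        if (act == "OK" && isip && n < 4)
            printf "BROAD-OK %s (%d-octet prefix)\n", key, n
    }' "$@"
}

# Constructed sample entries, not taken from a real server.
sample_access() {
    cat <<'EOF'
# loopback defaults
localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
192.0.2.15                      REJECT
198.51.100.7                    ERROR:"550 We don't accept mail from spammers"
spammer@isp.com                 REJECT
10.20                           OK
192.168.5                       RELAY
example.com                     RELAY
192.0.2.15                      OK
EOF
}

sample_access | review_access
```

Run it as review_access /etc/mail/access before regenerating access.db.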


For alternate configurations change the file: sendmail.cf
The config file sendmail.cf has become so complex that most people use the m4 macro package to generate this file from a sendmail.mc file. Pre-configured ".mc" files can be found in the directory:
  • /etc/mail/ (Red Hat 9.0 - Fedora Core 3)
  • /usr/lib/sendmail-cf/cf/ (Red Hat 7.1)
  • /usr/share/sendmail-cf/cf/ (Red Hat 6.x)

Default Red Hat sendmail.cf configurations:

  • Fedora Core 3, Red Hat Enterprise Linux 4, CentOS 4:
        cd /etc/mail
        make
    (Checks for changes and rebuilds data files.)
    or perform the manual process:
        m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
  • Red Hat 9.0:
        m4 /usr/share/sendmail-cf/m4/cf.m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
  • Red Hat 7.1: You will find that the files /etc/sendmail.cf and /usr/share/sendmail-cf/cf/redhat.cf are the same; this is the Red Hat default.
        cd /usr/share/sendmail-cf/cf/
        m4 redhat.mc > /etc/sendmail.cf
    Note: the cf.m4 file is represented as an include file in the sendmail "mc" macro file. (include(`/usr/share/sendmail-cf/m4/cf.m4'))
  • Red Hat 6.x: You will find that the files /etc/sendmail.cf and /usr/lib/sendmail-cf/cf/redhat.cf are identical; this is the Red Hat default.
        cd /usr/lib/sendmail-cf/cf/
        m4 ../m4/cf.m4 redhat.mc > /etc/sendmail.cf


Change default Sendmail to allow sendmail to receive mail:
(Red Hat 7.1-7.3, 8, 9, RHEL4, Fedora Core X)
If you just installed or upgraded to Red Hat 7.1 or later and noticed that your mail server does not receive email, it is because of the Red Hat default sendmail configuration. The default configuration for Red Hat (7.1 or later) sendmail does not allow for the receiving of mail except from yourself (localhost).
Configure to receive email:
  1. Backup the files /etc/mail/sendmail.mc and /etc/sendmail.cf
  2. Edit the file /etc/mail/sendmail.mc and change/comment the line:
       From: DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
       To:   dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
    or delete the line. Sendmail will then use the default which allows it to receive mail from other systems.
  3. Optional: Blacklist anti-spam options:
    To turn on the anti-spam feature of sendmail add the directive:
    • RFC-Ignorant: (Valid IP address checker)
      FEATURE(`dnsbl', `ipwhois.rfc-ignorant.org',`"550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/"')
    • Easynet: (open proxy list)
      FEATURE(`dnsbl', `proxies.blackholes.easynet.nl', `"550 5.7.1 ACCESS DENIED to OPEN PROXY SERVER "$&{client_name}" by easynet.nl DNSBL (http://proxies.blackholes.easynet.nl/errors.html)"', `')
    • Spamcop: Spammer blacklist:
      FEATURE(`dnsbl', `bl.spamcop.net', `"450 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')
    • Spamhaus: A spammer blacklist:
      FEATURE(`dnsbl',`sbl.spamhaus.org',`Rejected - see http://spamhaus.org/')
    • For more info see Mail-Abuse.com: MAPS RBL
    FYI: Sendmail Anti-Spam configuration options:
    • Turn off relaying (relaying is denied by the default Red Hat configuration). Do NOT use the following directive: FEATURE(`promiscuous_relay')
    • Check sender information:
      • Accept mail from your own domain: FEATURE(`relay_entire_domain')
      • Accept relay from your mail servers listed in MX record to destination in same domain: FEATURE(`relay_based_on_MX')
      • Comment out: dnl # FEATURE(`accept_unresolvable_domains')dnl
        (RHEL4)
    • Use /etc/mail/access file to deny spammers: FEATURE(`access_db') (See above example)
    • Use Realtime Blackhole List: FEATURE(`dnsbl')
    • Limit connection rate. Useful against DoS attacks or barrages of spam:
      (Available with Sendmail version 8.13 included with RHEL4)
      • define(`confMAX_DAEMON_CHILDREN', 12)
      • define(`confCONNECTION_RATE_THROTTLE', 3)
    • Check headers. Define rule in sendmail.cf.
  4. Optional: Identify outgoing mail as coming from specified domain:
    MASQUERADE_AS(your-domain.com)
    MASQUERADE_DOMAIN(your-domain.com)
    MASQUERADE_DOMAIN(virt-domain-1.com)     - Add list of other domains supported
    MASQUERADE_DOMAIN(virt-domain-2.com)       by your server here if required
    ...
    ..
    FEATURE(masquerade_entire_domain)
    FEATURE(masquerade_envelope)
        
    This will override a default of localhost or node.your-domain.com to be that specified. i.e. your-domain.com. This is so that you do not look like a spammer. Domain localhost is often blocked.
  5. Generate a new configuration file: m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
  6. If sending/relaying mail I then recommend you change the line in /etc/mail/sendmail.cf:
       Cwlocalhost.localdomain
              
    to your actual fully qualified node name (Cwnode-name.your-domain.com). This will allow you to send mail without having the mail look like it came from "localhost.localdomain" which is often blocked by spam filters.
    You can also add the statement: DMyour-domain.com
  7. Restart sendmail: /etc/rc.d/init.d/sendmail restart
Also see: Sendmail.org: Sendmail 8.9.x configuration files


[Potential Pitfall]: To comment out a line use:
  • dnl #
    OR
  • dnl
The use of only "#" will NOT work.
[Potential Pitfall]: Some distributions have a default configuration which causes failure. The /etc/hosts.deny entry ALL:ALL will cause failure to receive mail.
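
The comment pitfall above matters most for the relay and anti-spam directives: a line such as # FEATURE(`promiscuous_relay') looks disabled but is not. The check below is an added example, not part of the original page; it scans a sendmail.mc for macro calls hidden behind a bare "#" and for the settings the anti-spam list warns about. The function names, finding labels and sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a sendmail.mc for the settings discussed above.
# audit_mc [FILE] prints one finding per line (reads stdin without FILE).
audit_mc() {
    awk '
    # Lines that start with dnl are really disabled: skip them.
    /^[ \t]*dnl[ \t]/ || /^[ \t]*dnl$/ { next }
    # A bare "#" does not disable a macro call, so report it and keep checking.
    /^[ \t]*#/ && /(FEATURE|DAEMON_OPTIONS|define|MAILER|MASQUERADE_[A-Z]+)\(/ {
        printf "line %d: HASH-ONLY-COMMENT macro is still active\n", NR
    }
    /FEATURE\(`?promiscuous_relay/ {
        printf "line %d: OPEN-RELAY promiscuous_relay is enabled\n", NR
    }
    /FEATURE\(`?accept_unresolvable_domains/ {
        printf "line %d: UNRESOLVABLE accept_unresolvable_domains is enabled\n", NR
    }
    /DAEMON_OPTIONS\(.*Addr=127\.0\.0\.1/ {
        printf "line %d: LOOPBACK-ONLY daemon accepts mail from localhost only\n", NR
    }
    /confPRIVACY_FLAGS/ { privacy = $0 }
    END {
        if (privacy !~ /novrfy/) print "PRIVACY novrfy is not set"
        if (privacy !~ /noexpn/) print "PRIVACY noexpn is not set"
    }' "$@"
}

# Constructed sample, not a real configuration.
sample_mc() {
    cat <<'EOF'
divert(-1)
OSTYPE(`linux')
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
# FEATURE(`promiscuous_relay')
dnl # FEATURE(`accept_unresolvable_domains')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,restrictqrun')dnl
FEATURE(`access_db')
EOF
}

sample_mc | audit_mc
```

Run it as audit_mc /etc/mail/sendmail.mc before regenerating sendmail.cf with m4.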
Notes:
  • Look for errors in /var/log/maillog
  • Red Hat/Fedora Core systems come with the user smmsp which is required for operation. Do not remove!
    smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
        

Sendmail config: /etc/mail/sendmail.mc:

Directive : Description
  • divert(-1) : m4 macro directive. File output not diverted
  • OSTYPE(`linux') : Required before definitions. Definitions tied to OSTYPE.
  • define(`VARIABLE',`VALUE') : Change a setting in sendmail. See list
  • undefine(`UUCP_RELAY') : Remove UUCP email processing capability
  • undefine(`BITNET_RELAY') : Remove BITNET addressed email processing
  • FEATURE() : See list of features
  • FEATURE(redirect) : Reject redirected email addressed to user@domain.com.REDIRECT. Message returned to announce that one should send email to address defined by alias.
  • FEATURE(always_add_domain) : Append fully qualified domain name of host to user name.
  • FEATURE(use_cw_file) : File /etc/sendmail.cw defines alternate names of host.
  • MAILER() : See list of Mailers
  • MAILER(procmail) : Defines procmail as the local mail program on server.
  • MAILER(smtp) : Remote mail program.
  • dnl : m4 directive to delete whitespace in input
See Sendmail.org: cf-readme - HTML version (not as up to date)


Examples:

Directive : Description
  • define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl : Disable "vrfy" so that spammers cannot "verify" typical email addresses such as info, admin, staff, etc.
  • define(`ALIAS_FILE', `/etc/aliases')dnl : This states the obvious. Email address aliases are defined in the file: /etc/aliases
  • FEATURE(`smrsh',`/usr/sbin/smrsh')dnl : Execute Sendmail using the Sendmail restricted shell


Sendmail documentation:
DNS and Sendmail Presentation at LUGFest 2000 - (Star Office 5.2 "sdd" file) - More configuration insight and information.


Sendmail tools:
  • mailq : Print a summary of the mail messages queued for future delivery.
    Mail is queued in directory: /var/spool/mqueue/
  • mailstats : Display current mail statistics.
    Mail statistics stored in file: /var/log/sendmail.st/
  • purgestat : Purge mail statistics.
  • praliases : Display current mail aliases
Files used by sendmail for a mail server.


Sendmail post-configuration and test:
Check if an open relay: (you do not want to be an open relay)


Sending email using the sendmail command:
Sendmail can be used as a shell or script command to send email:
  • Interactive shell session:
    $ /usr/sbin/sendmail user@domain.com
    enter body of message here
    ctrl-d
        
  • Pre-format message in a file and send: $ /usr/sbin/sendmail user@domain.com < mail-file.txt
    Or use text header "to" to determine to whom the email is sent: $ /usr/sbin/sendmail -t < mail-file.txt
    date: Thu Nov 13 10:37:14 2008
    to: user@domain.com
    subject: subject
    from: your-name@your-domain.com
    
    Body of message goes here
              
  • Using a Perl script:
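    #!/usr/bin/perl
    use strict;
    use warnings;
    use Time::localtime;
    # Placeholder values. Strip CR/LF from any header value taken from user input.
    my $email   = 'user@domain.com';
    my $subject = 'subject';
    my $body    = 'Body of message goes here';
    # -t: recipients are read from the "To:" header. List-form open avoids the shell.
    open(OUT, '|-', '/usr/sbin/sendmail', '-t') or die "Cannot run sendmail: $!";
    print OUT "From: your-email\@domain.com\n"; ## escape the @ or put in single quotes
    print(OUT "Date: ".ctime()."\n");
    print(OUT "To: $email\n");
    print(OUT "Subject: $subject\n");
    print(OUT "\n");
    print(OUT "$body\n");
    close(OUT) or die "sendmail failed: $?";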
              
Also see the sendmail manpage
(Ubuntu note: the sendmail command /usr/sbin/sendmail (not the email server) also comes with the package postfix.)

