Sendmail
Summary
Purpose: This document covers many of the aspects of configuring and customizing sendmail.
Audience: This document is designed for anyone wanting to set up sendmail as an SMTP server.
Assumptions: The Fedora OS is installed, and TCP/IP and DNS are configured. User accounts have been added and the reader has access to the root password. Firewall rules are configured to allow the proper port access. The computer running Fedora has an active Internet connection, and the user has a basic understanding of vi and bash commands.
Related Documents: The InstallGuide documents the basic install of Fedora. The GettingStarted documents the basic use of Fedora and gaining access to the CLI. The DNS assists with configuring DNS for name resolution. UserAccounts documents the steps for creating users and groups.
Lead Writer: MikeDittmeier
Introduction
Sendmail is a message transport agent (MTA), responsible for taking in mail from a mail user agent (MUA) such as KMail, Evolution, or pine, and relaying the mail to another host toward the final destination. An MTA also listens for incoming connections and accepts mail from remote hosts. This document walks through the process of setting up sendmail for relaying email: first by allowing connections from other computers, then by securing email transmissions and scanning email for viruses and even SPAM. Other features covered in this document are distribution lists and redirecting incoming email to other domains. The section on basic sendmail configuration is a good start, but each of the following sections can be used by itself or in combination with other sections to add more customization and functionality to sendmail.
Package Requirements
This article makes use of the following packages found in the Fedora Repository:
sendmail, the core package
sendmail-cf, the configuration files
sendmail-doc, the docs and man files for sendmail
spamassassin, spam filtering
spamass-milter, milter for sendmail spam filtering
clamav, anti-virus application
clamav-data, anti-virus application data
clamav-libs, anti-virus shared libs
clamav-update, anti-virus update scripts
clamav-milter, sendmail milter for anti-virus
Installing Sendmail
By default, sendmail is already included in most Fedora installations. To verify sendmail is installed, type the following command:
rpm -q sendmail
This should output the following result:
sendmail-8.14.1-4.2.fc8
If not, install the sendmail packages by typing:
su -c 'yum install -y sendmail sendmail-cf sendmail-doc'
For graphical installs, use Main Menu > Add/Remove Software. This requires the root user password to run. In the Browse tab, click on the Servers group on the left, then select the Mail Server option on the right. Click Apply to have the software and all dependencies installed. You can customize what is installed in the Mail Server grouping by clicking on Optional packages.
Connection
sendmail needs to be connected to the Internet. While it is not impossible to use a dial-up connection (you might lose incoming mail, as remote hosts will be trying to connect while your server is down), normally an always-on Internet connection is needed, preferably with a static IP address. A dynamic IP is also possible with one of the various dynamic DNS services (for instance DynDNS). The default port for sendmail is 25. If sendmail accepts secure connections, port 465 might also be needed (for SSL connections). These ports need to be opened in the firewall (refer to the sections in this guide on firewalls) and in the router's NAT configuration. Also, a lot of ISPs block port 25 for spam-reduction purposes; it might take a couple of hours on the phone with ISP tech support to get them to unblock it. Some will do it (ATT for instance), others might refuse.
Configuring Sendmail
Sendmail has several configuration files located in the /etc/mail folder. Below is a list of the most common files:
/etc/mail/access, host access file
/etc/mail/domaintable, list of old-domain to new-domain mappings for the mail server
/etc/mail/local-host-names, list of host names this server is seen as
/etc/mail/mailertable, table of domains and how to route the email sent to those domains
/etc/mail/trusted-users, list of users that can send mail on behalf of other users
/etc/mail/virtusertable, list of users and domains and who to forward email to
/etc/mail/sendmail.mc, main sendmail configuration file
/etc/mail/submit.mc, mail submission settings
/etc/aliases, user aliases
Allowing External Connections
By default sendmail will only accept incoming connections from the localhost or 127.0.0.1 host. The first change to make to the sendmail.mc file will be to allow connections from other hosts. First make a backup of the default sendmail.mc file in case the need to roll back occurs. Open a shell and enter the following command:
su -c 'cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.bak'
To begin editing the sendmail.mc file, enter the following command at a shell prompt:
su -c 'vim /etc/mail/sendmail.mc'
The sendmail configuration file should now be displayed in the vi editor window. Search for the line of text that controls which hosts sendmail will accept connections from. In the vi editor press the [esc] key, then type
/Port=smtp
This should highlight the following line in the sendmail.mc:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
There are two ways to modify this line: comment it out by adding dnl to the beginning of the line, or change the IP address to the server's own IP address. For simplicity, just comment out the line. Make sure the cursor is at the beginning of the line, press the [esc] key, and then the [i] key to begin inserting text. Add dnl to the beginning of the line. The line should now look like this:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
Save the file changes by pressing the [esc] key and typing:
:wq
To make sendmail start using these settings, apply the changes, and then restart the sendmail daemon. From a shell prompt, type the command:
su -c 'make -C /etc/mail'
The output should be similar to the text below:
make: Entering directory `/etc/mail'
make: Leaving directory `/etc/mail'
Next, restart the sendmail daemon by typing the following text at a shell prompt:
su -c 'service sendmail restart'
The changes are now in effect and sendmail will accept connections on any IP address. Which hosts may relay mail through the server is a separate setting, controlled by the /etc/mail/access file described in the Access section.
Auto Starting Sendmail
Now that sendmail is configured to allow connections from other hosts, make sure the daemon starts after system reboots. To accomplish this, simply enter the following command at a shell prompt:
su -c 'chkconfig sendmail 345 on'
This tells the daemon to start when in run levels 3, 4, and 5.
To verify that the settings have taken place, use the chkconfig, and grep commands. Enter the following command at the shell prompt:
su -c 'chkconfig --list | grep sendmail'
The following output should be returned:
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Notice that run levels 3, 4, and 5 are listed as on. This means the daemon will start automatically in the desired run levels.
Smart Host
Some Internet Service Providers (ISPs) require all email traffic to be relayed via a specific SMTP server or gateway. This is common for an ISP that provides service to residential customers. To configure sendmail to forward or relay all mail messages via a 'Smart Host', edit '/etc/mail/sendmail.mc' and define a smart host. Enter the following command at a shell prompt to begin:
su -c 'vim /etc/mail/sendmail.mc'
After the 'vi' editor opens, press the [esc] key, then type:
/SMART_HOST
This should take you to the following line in the '/etc/mail/sendmail.mc' file:
dnl define(`SMART_HOST', `smtp.your.provider')dnl
Simply replace 'smtp.your.provider' with the IP address or host name provided by the ISP, and then remove the 'dnl' from the beginning of the line. Here is an example:
define(`SMART_HOST', `mail.bellsouth.net')dnl
Reapply the settings to the '/etc/mail/sendmail.mc' and make sendmail start using these settings the same as before by typing:
su -c 'make -C /etc/mail'
and
su -c 'service sendmail restart'
Masquerading
To make sendmail send all email outbound as if it had come from a specific domain instead of user@localhost.localdomain, a few changes need to be made to the '/etc/mail/sendmail.mc'. Below is a sample:
MASQUERADE_AS(`mydomain.org')dnl
FEATURE(always_add_domain)dnl
FEATURE(masquerade_entire_domain)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(allmasquerade)dnl
MASQUERADE_DOMAIN(`mydomain.org')dnl
MASQUERADE_DOMAIN(`localhost')dnl
MASQUERADE_DOMAIN(`localhost.localdomain')dnl
Start by opening '/etc/mail/sendmail.mc' with vim:
su -c 'vim /etc/mail/sendmail.mc'
After vi opens, search for the line to be modified by pressing the [esc] key, then entering the following command:
/MASQUERADE_AS
This finds the first line to be modified. Alter the text to match the following:
MASQUERADE_AS(`mydomain.org')dnl
Search for the next line to modify using the following command:
/always_add_domain
This should find the following line:
FEATURE(always_add_domain)dnl
If the line is commented out (has a dnl at the beginning of the line), make sure to uncomment it. This tells sendmail to always masquerade as the desired domain, even if the email is sent to other local users on the same server.
Search for the next line to modify using the following command:
/masquerade_entire_domain
Uncomment the line by removing the dnl at the beginning of the line. The line should look like:
FEATURE(masquerade_entire_domain)dnl
Scroll down and uncomment the following line:
FEATURE(masquerade_envelope)dnl
Add the following line to make sendmail masquerade all email, including messages sent to local users:
FEATURE(allmasquerade)dnl
Scroll down and uncomment the following lines:
MASQUERADE_DOMAIN(`mydomain.org')dnl
MASQUERADE_DOMAIN(`localhost')dnl
MASQUERADE_DOMAIN(`localhost.localdomain')dnl
Remake the sendmail configuration file, and restart the sendmail daemon as follows:
su -c 'make -C /etc/mail'
and
su -c 'service sendmail restart'
Access
Sendmail can limit which hosts or servers are allowed to relay through the sendmail server by way of entries in the /etc/mail/access file. This is an important first step in preventing unwanted computers from using the sendmail server as an open relay to spam other email systems.
The /etc/mail/access file has a simple setup of 2 columns. The first column lists the domains or IP addresses to control, and the second column states what permissions or restrictions to place on the entry. Examples of the types of permissions or restrictions are:
RELAY, allow relaying
REJECT, reject emails
OK, accept email from the entry even if other checks would reject it (does not allow relaying)
DISCARD, reject email without sending a bounce message
Here is an example /etc/mail/access file that allows relaying from localhost and the 192.168.1.0/24 network only:
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:192.168.1 RELAY
To add support for relaying email from a domain, simply add the domain to the first column, and the permissions to the second column. Here is another example to demonstrate adding RELAY for the mydomain.org domain:
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:192.168.1 RELAY
Connect:mydomain.org RELAY
To block access to a host that is trying to relay SPAM, add the following line to the /etc/mail/access file:
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:192.168.1 RELAY
Connect:mydomain.org RELAY
Connect:209.62.42.54 REJECT
This will reject all messages sent from the host, and the sending server will bounce the message to notify the sender that it was rejected. To accomplish the same thing without a bounce message, modify the second column as in the example below:
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:192.168.1 RELAY
Connect:mydomain.org RELAY
Connect:209.62.42.54 DISCARD
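As an added example (not from the original guide), the following Python models the lookup order sendmail applies to Connect: entries, so you can see what a given access file decides for a client before running makemap. The access file below is the guide's last example; restricting it to Connect: entries, IPv4 addresses and host names is an assumption.

```python
"""Work out what sendmail's /etc/mail/access file decides for a client.

Added example, not part of the original guide.  It reproduces the order in
which sendmail tries Connect: keys (full IP, then shorter prefixes; full
host name, then parent domains) against the plain-text access file.
Assumptions: only Connect: entries, IPv4 addresses and host names.
"""

# Constructed access file: the last example from the guide.
ACCESS_TEXT = """\
# localhost and the 192.168.1.0/24 network may relay
Connect:localhost.localdomain RELAY
Connect:localhost             RELAY
Connect:127.0.0.1             RELAY
Connect:192.168.1             RELAY
Connect:mydomain.org          RELAY
Connect:209.62.42.54          DISCARD
"""


def parse_access(text):
    """Map each lowercased 'connect:key' to its action; comments are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        rules[key.lower()] = action.strip().upper()
    return rules


def lookup_keys(client):
    """Keys sendmail tries for a client, most specific first.

    192.168.1.77      -> 192.168.1.77, 192.168.1, 192.168, 192
    mail.mydomain.org -> mail.mydomain.org, mydomain.org, org
    """
    parts = client.lower().split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return [".".join(parts[:n]) for n in range(4, 0, -1)]
    return [".".join(parts[i:]) for i in range(len(parts))]


def access_decision(rules, client):
    """RELAY, OK, REJECT or DISCARD from the first matching key, else None.

    None means no entry: sendmail still accepts the connection but will only
    deliver to domains it handles locally; it will not relay for the client.
    """
    for key in lookup_keys(client):
        action = rules.get("connect:" + key)
        if action is not None:
            return action
    return None


def relay_allowed(rules, client):
    """True only for a RELAY match; OK, REJECT and DISCARD never grant relaying."""
    return access_decision(rules, client) == "RELAY"


RULES = parse_access(ACCESS_TEXT)

if __name__ == "__main__":
    for client in ("192.168.1.77", "192.168.10.5", "209.62.42.54", "MAIL.MyDomain.ORG"):
        print(client, access_decision(RULES, client))
```

Note that Connect:192.168.1 covers the whole /24 because of the prefix lookup, while 192.168.10.5 does not match it.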
Host Names
Sendmail uses the '/etc/mail/local-host-names' file to determine which domains it manages. To add a domain to the file, open '/etc/mail/local-host-names' using the following command:
su -c 'vim /etc/mail/local-host-names'
The file should only contain the following text at this point:
Press the [o] key to begin inserting a new line, then enter the names of the domains sendmail should manage. The example below shows an '/etc/mail/local-host-names' with two different domains:
mydomain.org
mydomain.net
Virtual Users
The '/etc/mail/virtusertable' file tells sendmail what to do with the mail it receives. The file is set up in two columns. The first column is the email address a message is sent to. The second column is the email address that those messages should go to. Here is an example of receiving email for user1@mydomain.org and forwarding it to user1@localhost:
user1@mydomain.org user1
To make sendmail forward all email for the mydomain.org domain to user1, use the following example:
@mydomain.org user1
Aliases
The '/etc/aliases' file can be used to redirect email to local users, groups, external email addresses, or even programs. The '/etc/aliases' file has 2 columns of data. The first column is the name of the mail alias. The second column is the user, group, list of users, external email address, or application to forward the email to. '/etc/aliases' already includes a list of examples by default for most of the daemons and services on the system. In the example below, an alias called sysadmins will forward email messages to user1, user2, and user3:
sysadmins: user1,user2,user3
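The three files above are applied in a fixed order: a domain must appear in local-host-names to be treated as local, then virtusertable maps the address, then /etc/aliases expands the result. This added example (not from the guide) traces that chain for an address; the table contents are constructed from the guide's examples plus one extra alias hop, and plain-text sources with no %1 or error: entries are assumptions.

```python
"""Trace where mail for an address is delivered once local-host-names,
virtusertable and /etc/aliases have been applied, in sendmail's order.

Added example, not from the original guide.  Assumptions: plain-text table
sources (not the .db files built by makemap/newaliases), no %1 or error:
values in virtusertable, alias targets that are local users, other aliases
or full addresses containing '@', and addresses that always contain '@'.
"""

# Constructed files: the guide's examples plus one extra alias hop (user3).
LOCAL_HOST_NAMES = "mydomain.org\nmydomain.net\n"
VIRTUSERTABLE = """\
user1@mydomain.org       user1
sysadmins@mydomain.org   sysadmins
@mydomain.org            user1
"""
ALIASES = """\
# admin group; user3 reads mail on another system
sysadmins: user1,user2,user3
user3: user3@example.net
"""

def _lines(text):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def parse_table(text):
    """'key value' per line -> {key: value}; keys are case-insensitive."""
    return {k.lower(): v.strip() for k, v in (l.split(None, 1) for l in _lines(text))}

def parse_aliases(text):
    """'name: a,b,c' per line -> {name: [a, b, c]}."""
    out = {}
    for line in _lines(text):
        name, _, targets = line.partition(":")
        out[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return out

def virtuser_lookup(vtable, address):
    """Exact user@domain first, then the @domain catch-all, else the bare user."""
    user, domain = address.lower().split("@", 1)
    for key in (user + "@" + domain, "@" + domain):
        if key in vtable:
            return vtable[key]
    return user

def expand_aliases(aliases, target, seen=None):
    """Expand /etc/aliases recursively; an alias loop yields nothing."""
    seen = set() if seen is None else seen
    name = target.lower()
    if "@" in name or name not in aliases:
        return {target}  # local mailbox or remote address: final recipient
    if name in seen:
        return set()
    seen.add(name)
    result = set()
    for t in aliases[name]:
        result |= expand_aliases(aliases, t, seen)
    return result

def final_recipients(local_hosts, vtable, aliases, address):
    """Final recipients for address, or None if its domain is not local
    (sendmail would try to relay it, subject to the access file)."""
    domain = address.lower().rsplit("@", 1)[1]
    if domain not in local_hosts:
        return None
    return expand_aliases(aliases, virtuser_lookup(vtable, address))

LOCAL = {l.lower() for l in _lines(LOCAL_HOST_NAMES)}
VTABLE = parse_table(VIRTUSERTABLE)
ALIAS = parse_aliases(ALIASES)
```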
SSL Encryption
The most common way for any system to be exploited is for a user name and password, transmitted in clear text over the Internet, to be captured. Sendmail can be configured to use TLS and SSL encryption to protect user accounts and passwords.
To configure sendmail with TLS / SSL encryption, edit the '/etc/mail/sendmail.mc' file and make the following changes.
Uncomment the following lines:
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
Save the changes to '/etc/mail/sendmail.mc' and exit the vi editor. The next step is to create a self-signed certificate for sendmail to use. A certificate can also be purchased from a commercial vendor such as Verisign or Thawte. To begin creating a self-signed certificate, open a shell prompt and become root by entering the following command:
su -
and entering the root password.
Next, change to the '/etc/pki/tls/certs' directory. Type 'make sendmail.pem' to begin creating the certificate. Enter the information for country, state, city, company name, and server name as it is requested. When finished, remake the sendmail configuration files and restart the sendmail daemon as stated earlier in the chapter.
Logging
sendmail logs its information in the '/var/log/maillog' file. The level of logging is set in the '/etc/mail/sendmail.mc' file. The default level of logging is fine for normal operation of sendmail but can be raised if the need arises for debugging or troubleshooting. To modify the logging level of sendmail, open a shell prompt and enter the following command:
su -c 'vim /etc/mail/sendmail.mc'
Find the line that sets sendmail logging level by pressing the [esc] key and entering the following text:
/confLOG_LEVEL
The higher the number, the more detail. To enable a specific logging level, uncomment the line by removing the 'dnl' from the beginning of the line, then change '9' to a higher number such as 68. Save the changes to 'sendmail.mc' and, when finished, remake the sendmail configuration files and restart the sendmail daemon as stated earlier in the chapter.
Mail Statistics
Sendmail saves mail traffic information to the '/var/log/mail/statistics' file. To view the information, at the shell prompt type:
su -c 'mailstats'
This should display results similar to the following regarding server performance:
Statistics from Sun Aug 19 12:01:58 2007
 M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis msgsqur  Mailer
 4        3          5K        0          0K        0       0       0  esmtp
 9     1817       4196K     1854       5020K        0       0       0  local
=============================================================================
 T     1820       4201K     1854       5020K        0       0       0
 C     1814                    0                    0
The types of information displayed can be broken down into the following groups:
M, the mailer number
msgsfr, number of messages from the mailer
bytes_from, Kbytes from the mailer
msgsto, number of messages to the mailer
bytes_to, Kbytes to the mailer
msgsrej, number of messages rejected
msgsdis, number of messages discarded
msgsqur, number of messages quarantined
Mailer, the name of the mailer
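Added example, not from the guide: a parser that turns this mailstats table into numbers so the msgsrej and msgsdis columns can be compared between runs. The sample text is the guide's output; the column layout above and the C line holding incoming, outgoing and rejected connection counts are assumptions.

```python
"""Parse the mailstats table into numbers.

Added example, not from the guide: with the counters as integers the
msgsrej/msgsdis columns can be compared between runs.  Assumes the 8.13+
layout shown in the guide (M ... msgsqur Mailer, then T and C lines),
byte columns reported in K, and a C line of incoming/outgoing/rejected.
"""

# Constructed from the mailstats output shown in the guide.
MAILSTATS_OUTPUT = """\
Statistics from Sun Aug 19 12:01:58 2007
 M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis msgsqur  Mailer
 4        3          5K        0          0K        0       0       0  esmtp
 9     1817       4196K     1854       5020K        0       0       0  local
=============================================================================
 T     1820       4201K     1854       5020K        0       0       0
 C     1814                    0                    0
"""

COLUMNS = ("msgsfr", "bytes_from", "msgsto", "bytes_to",
           "msgsrej", "msgsdis", "msgsqur")


def _num(token):
    """'4196K' -> 4196 (kilobytes), '3' -> 3."""
    return int(token.rstrip("K"))


def parse_mailstats(text):
    """Return {'since', 'mailers': {name: counters}, 'total', 'connections'}."""
    stats = {"since": None, "mailers": {}, "total": None, "connections": None}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "M" or tok[0].startswith("="):
            continue  # blank line, column header or separator
        if tok[0] == "Statistics":
            stats["since"] = " ".join(tok[2:])  # text after "Statistics from"
        elif tok[0] == "T":
            stats["total"] = dict(zip(COLUMNS, map(_num, tok[1:8])))
        elif tok[0] == "C":
            # connection counters (assumed order): incoming, outgoing, rejected
            stats["connections"] = dict(zip(("from", "to", "rejected"), map(int, tok[1:4])))
        elif tok[0].isdigit():
            stats["mailers"][tok[8]] = dict(zip(COLUMNS, map(_num, tok[1:8])))
    return stats


def mailers_with_rejections(stats):
    """Mailer names whose rejected or discarded counters are non-zero."""
    return sorted(name for name, c in stats["mailers"].items()
                  if c["msgsrej"] or c["msgsdis"])


def delta(before, after):
    """Per-mailer change in counters between two parses (new mailers count from 0)."""
    out = {}
    for name, c in after["mailers"].items():
        prev = before["mailers"].get(name, {})
        out[name] = {k: c[k] - prev.get(k, 0) for k in COLUMNS}
    return out
```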
Dealing with SPAM
The first step in dealing with unwanted or unsolicited email requires another change to the '/etc/mail/sendmail.mc' file. Open the 'sendmail.mc' by typing
su -c 'vim /etc/mail/sendmail.mc'
Press the [esc] key and enter the following to find the line to be modified:
/accept_unresolvable_domains
Comment out the line by adding 'dnl' at the beginning of the line. The lines should now look like this:
dnl FEATURE(`accept_unresolvable_domains')dnl
This prevents sendmail from accepting mail from servers that are not properly set up with DNS on the Internet.
The next step is to install and configure a SPAM filtering program. Fedora comes with such a program called spamassassin. To see if spamassassin is installed, open a shell prompt and enter the following text:
su -c 'rpm -q spamassassin spamass-milter'
If spamassassin is installed, the following results should be displayed:
spamassassin-3.2.3-1.fc8
spamass-milter-0.3.1-4.fc8
If spamassassin is not installed, enter the following text at the shell prompt:
su -c 'yum -y install spamassassin spamass-milter'
After the installation completes, it's time to configure the applications.
Spamassassin and spamass-milter keep configuration files in the following files and folders:
/etc/mail/spamassassin, main configuration files
/etc/sysconfig/spamassassin, spamd options
/etc/sysconfig/spamass-milter, milter configuration settings
/etc/procmailrc, system-wide procmail settings
To begin configuring spamassassin enter the following command at a shell prompt:
su -c 'vim /etc/mail/spamassassin/local.cf'
This opens the main spamassassin configuration file with the following text:
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
Modify the file to include the following text:
required_score 5.0
rewrite_header subject [SPAM]
report_safe 2
use_bayes 1
bayes_auto_learn 1
skip_rbl_checks 0
use_razor2 1
use_pyzor 1
ok_locales en
Now test to make sure spamassassin is working. Enter the following text at a shell prompt:
spamc -R </usr/share/doc/spamassassin-*/sample-nonspam.txt
The following output should be displayed:
Spam detection software, running on the system "localhost.localdomain", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: -----BEGIN PGP SIGNED MESSAGE----- TBTF ping for 2001-04-20:
 Reviving T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t [...]

Content analysis details: (0.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
_SUMMARY_
Now configure procmail to run spamc on all incoming mail. Add the following text to '/etc/procmailrc' using an editor such as vi:
DROPPRIVS=yes
:0fw
| /usr/bin/spamassassin
:0
* ^X-Spam-Status: Yes
$HOME/mail/spam
To configure the final piece, open a shell prompt, and enter the following command:
su -c 'vim /etc/sysconfig/spamass-milter'
This opens up the spamass-milter configuration file. Here is an example file:
# Override for your different local config
#SOCKET=/var/run/spamass-milter/spamass-milter.sock
# Standard parameters for spamass-milter are:
# -P /var/run/spamass-milter.pid (PID file)
#
# Note that the -f parameter for running the milter in the background
# is not required because the milter runs in a wrapper script that
# backgrounds itself
#
# You may add another parameters here, see spamass-milter(1)
#SOCKET=/var/run/spamass-milter/spamass-milter.sock
Uncomment the line '#SOCKET=/var/run/spamass-milter/spamass-milter.sock' by removing the '#'.
Save the changes, and use vi to open the 'sendmail.mc' again. Insert the following line at the bottom of the 'sendmail.mc':
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter/spamass-milter.sock, F=,T=C:15m;S:4m;R:4m;E:10m')dnl
Save the changes, then rebuild the sendmail configuration file and restart the sendmail daemon.
Start the spamass-milter service by entering the follow command at a shell prompt:
su -c 'chkconfig --levels 345 spamass-milter on'
su -c 'service spamass-milter start'
Verify the service is running:
su -c 'pgrep spamass-milter'
This should return the process id of the spamass-milter processes:
22325
22326
Check the mail log to verify spamass-milter is starting by entering the following text at a shell prompt:
su -c 'tail /var/log/maillog'
There should be an entry similar to the following:
Oct 28 20:25:33 localhost spamass-milter[22326]: spamass-milter 0.3.1 starting
Black Lists
To reduce the amount of SPAM even further, add the following rule to the end of the '/etc/mail/sendmail.mc' file, remake the sendmail config file and restart sendmail to make all of the changes take effect.
FEATURE(`dnsbl', `relays.ordb.org', `"Rejected due to Open Relay see http://www.ordb.org/lookup/?host=" $&{clientaddr} " for more information"')dnl
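Several sections of this guide change sendmail.mc by adding or removing a leading dnl, which is how m4 comments a line out. The following added example (not from the guide) reads a sendmail.mc fragment, applies that rule, and reports the listening daemons, smart host, log level, unresolvable-domain policy, DNSBL and milters that would be built; the fragment is constructed from the lines edited above, and modelling only the MTA default daemon is an assumption. Knowing which DNSBL is configured matters because relays.ordb.org, used above, was shut down in December 2006.

```python
"""Audit a sendmail.mc for the settings this guide changes.

Added example, not from the original guide.  A line beginning with dnl is
discarded, as m4 does; the rest is parsed for DAEMON_OPTIONS, define,
FEATURE and INPUT_MAIL_FILTER.  Assumptions: one directive per line, the
`quoted' argument style used in the guide, and only the MTA default daemon
is modelled (sendmail also starts an MSA daemon on port 587 by default).
"""
import re

# Constructed sendmail.mc fragment built from the lines the guide edits.
SENDMAIL_MC = """\
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
define(`SMART_HOST', `mail.bellsouth.net')dnl
dnl define(`confLOG_LEVEL', `9')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
FEATURE(`dnsbl', `relays.ordb.org', `"Rejected due to Open Relay"')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter/spamass-milter.sock, F=,T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clamav-milter', `S=local:/var/run/clamav-milter/clamav.sock, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav-milter')dnl
"""

ARG = r"`([^']*)'"  # one m4-quoted argument: `...'


def active_lines(text):
    """Yield the lines m4 will process: blank lines and dnl comments are dropped."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("dnl"):
            yield s


def audit(text):
    report = {
        "daemons": {"MTA": ("smtp", "*")},  # built-in default: port 25, all addresses
        "smart_host": None,
        "log_level": 9,                      # default when confLOG_LEVEL is undefined
        "accept_unresolvable": False,
        "dnsbl": [],
        "milters": [],
    }
    for s in active_lines(text):
        m = re.match(r"DAEMON_OPTIONS\(" + ARG, s)
        if m:
            opts = dict(kv.strip().split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
            # an unnamed DAEMON_OPTIONS (or Name=MTA) modifies the default daemon
            name = opts.get("Name", "MTA")
            report["daemons"][name] = (opts.get("Port", "smtp"), opts.get("Addr", "*"))
            continue
        m = re.match(r"define\(" + ARG + r",\s*" + ARG, s)
        if m:
            key, value = m.groups()
            if key == "SMART_HOST":
                report["smart_host"] = value
            elif key == "confLOG_LEVEL":
                report["log_level"] = int(value)
            elif key == "confINPUT_MAIL_FILTERS":
                report["milters"] = value.split(",")  # explicit order wins
            continue
        m = re.match(r"INPUT_MAIL_FILTER\(" + ARG, s)
        if m and m.group(1) not in report["milters"]:
            report["milters"].append(m.group(1))
            continue
        m = re.match(r"FEATURE\(" + ARG, s)
        if m and m.group(1) == "accept_unresolvable_domains":
            report["accept_unresolvable"] = True
        elif m and m.group(1) == "dnsbl":
            args = re.findall(ARG, s)  # second argument names the list
            report["dnsbl"].append(args[1] if len(args) > 1 else None)
    return report
```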
Anti-Virus
SPAM is not the only concern when running a dedicated mail server. Virus attachments can do as much damage. Clamav is an open source anti-virus program that can scan incoming mail messages. Clamav and clamav-milter are included in Fedora distributions. To check if Clamav and clamav-milter are installed, run the following command at a shell prompt:
su -c 'rpm -q clamav clamav-milter'
The following will be returned if Clamav and clamav-milter are installed:
clamav-0.91.2-2.fc8
clamav-milter-0.91.2-2.fc8
If the packages are not installed, run the following command at a shell prompt:
su -c 'yum -y install clamav clamav-milter clamav-data clamav-update'
After the install completes, there are some changes that need to be made to the configuration files. clamav keeps its configuration files in '/etc/clamd.d/milter.conf' and '/etc/sysconfig/clamav-milter'. Open '/etc/clamd.d/milter.conf' using the following command at a shell prompt:
su -c 'vim /etc/clamd.d/milter.conf'
The first change that needs to be made is to comment out the 'Example' line. Press the [esc] key and enter the following search string:
/Example
Comment out the line by placing a '#' at the beginning of the line. Save the changes, and start up clamav-milter by entering the following command at a shell prompt:
su -c 'service clamav-milter start'
To make clamav-milter auto start during system reboots, enter the following command at a shell prompt:
su -c 'chkconfig --levels 345 clamav-milter on'
To enable clamav updates, enter the following command at the command prompt:
su -c 'vim /etc/freshclam.conf'
Comment out the line with the text 'Example' by adding a '#' to the beginning of the line. Save the changes and run the following command at a shell prompt to update clamav data files:
freshclam
The last item to make changes to is the 'sendmail.mc'. Open the '/etc/mail/sendmail.mc' by entering the following command at a shell prompt:
su -c 'vim /etc/mail/sendmail.mc'
Scroll to the bottom of the 'sendmail.mc' and add the following text:
INPUT_MAIL_FILTER(`clamav-milter', `S=local:/var/run/clamav-milter/clamav.sock, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav-milter')dnl
Remake the sendmail configuration file and restart sendmail to apply the changes and enable anti-virus scanning. To verify anti-virus scanning is running, run the following command at the shell prompt:
su -c 'tail /var/log/maillog'
The following line should be present in the log file after a mail message has been received:
Milter add: header: X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on localhost.localdomain
