Latest revision as of 17:50, 4 March 2009
Sendmail
Summary
Purpose: This document covers many aspects of configuring and customizing sendmail.
Audience: This document is designed for anyone wanting to set up sendmail as an SMTP server.
Assumptions: The Fedora OS is installed, and TCP/IP and DNS are configured. User accounts have been added and the reader has access to the root password. Firewall rules are configured to allow the proper port access. The computer running Fedora has an active Internet connection, and the user has a basic understanding of vi and bash commands.
Related Documents: The InstallGuide documents the basic install of Fedora. The GettingStarted documents the basic use of Fedora and gaining access to the CLI. The DNS assists with configuring DNS for name resolution. UserAccounts documents the steps for creating users and groups.
Lead Writer: MikeDittmeier
Introduction
Sendmail is a message transport agent (MTA), responsible for taking in mail from a mail user agent (MUA) such as KMail, Evolution, or pine, and relaying the mail to another host toward the final destination. An MTA also listens for incoming connections and accepts mail from remote hosts. This document walks through the process of setting up sendmail for relaying email: first by allowing connections from other computers, then by securing email transmissions and scanning emails for viruses and even SPAM. Other features covered in this document are distribution lists and redirecting incoming emails to other domains. The section on basic sendmail configuration is a good start, but each of the following sections can be used by itself or combined with other sections to add more customization and functionality to sendmail.
Package Requirements
This article makes use of the following packages found in the Fedora Repository:
sendmail, the core package
sendmail-cf, contains the configuration files
sendmail-doc, contains the docs and man files for sendmail
spamassassin, spam filtering
spamass-milter, sendmail milter for spam filtering
clamav, anti-virus application
clamav-data, anti-virus application data
clamav-libs, anti-virus shared libs
clamav-update, anti-virus update scripts
clamav-milter, sendmail milter for anti-virus
Installing Sendmail
By default sendmail is already included in most Fedora installations. To verify sendmail is installed, type the following command:
rpm -q sendmail
This should output the following result:
sendmail-8.14.1-4.2.fc8
If not, install the sendmail packages by typing:
su -c 'yum install -y sendmail sendmail-cf sendmail-doc'
For graphical installs, use Main Menu > Add/Remove Software. This requires the root user password to run. In the Browse tab, click on the Servers group on the left, then select the Mail Server option on the right. Click Apply to have the software and all dependencies installed. You can customize what is installed in the Mail Server grouping by clicking on Optional packages.
Connection
sendmail needs to be connected to the Internet. While it is not impossible to use a dial-up connection (you might lose incoming mail, as remote hosts will be trying to connect while your server is down), normally an always-on Internet connection is needed, preferably with a static IP address. A dynamic IP is also possible with various dynamic DNS services (for instance DynDNS). The default port for sendmail is 25. If sendmail accepts secure connections, port 465 might also be needed (for SSL connections). These ports need to be opened in the firewall (refer to the sections in this guide on firewalls) and in the router's NAT configuration. Also, a lot of ISPs block port 25 for spam-reduction purposes; it might take a couple of hours on the phone with ISP tech support to get them to unblock it. Some will do it (ATT, for instance), others might refuse.
Configuring Sendmail
Sendmail has several configuration files located in the /etc/mail folder. Below is a list of the most common files:
/etc/mail/access, host access file
/etc/mail/domaintable, list of old-domain to new-domain mappings for the mail server
/etc/mail/local-host-names, list of host names this server is seen as
/etc/mail/mailertable, table of domains and how to route the email sent to those domains
/etc/mail/trusted-users, list of users that can send mail on behalf of other users
/etc/mail/virtusertable, list of users and domains and who to forward email to
/etc/mail/sendmail.mc, main sendmail configuration file
/etc/mail/submit.mc, mail submission settings
/etc/aliases, user aliases
Allowing External Connections
By default sendmail will only accept incoming connections from the localhost or 127.0.0.1 address. The first change to make to the sendmail.mc file will be to allow connections from other hosts. First make a backup of the default sendmail.mc file in case the need to roll back occurs. Open a shell and enter the following command:
su -c 'cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.bak'
To begin editing sendmail.mc, enter the following command at a shell prompt:
su -c 'vim /etc/mail/sendmail.mc'
The sendmail configuration file should now be displayed in the vi editor window. Search for the line of text that controls which hosts sendmail will accept connections from. In the vi editor press the [esc] key, then type:
/Port=smtp
This should highlight the following line in sendmail.mc:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
There are two different ways to modify this line: comment it out by adding dnl to the beginning of the line, or change the IP address to the address of the server. For simplicity, just comment out the line. Make sure the cursor is at the beginning of the line, press the [esc] key, and then the [i] key to begin inserting text. Add dnl to the beginning of the line. The line should now look like this:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
Save the file changes by pressing the [esc] key and typing:
:wq
To make sendmail start using these settings, apply the changes and then restart the sendmail daemon. From a shell prompt, type the command:
su -c 'make -C /etc/mail'
The output should be similar to the text below:
make: Entering directory `/etc/mail'
make: Leaving directory `/etc/mail'
Next, restart the sendmail daemon by typing the following text at a shell prompt:
su -c 'service sendmail restart'
The changes are now in effect and sendmail will accept connections from any IP.
Auto Starting Sendmail
Now that sendmail is configured to allow connections from other hosts, make sure the daemon starts after system reboots. To accomplish this, simply enter the following command at a shell prompt:
su -c 'chkconfig --level 345 sendmail on'
This tells the daemon to start when in run levels 3, 4, and 5.
To verify that the settings have taken effect, use the chkconfig and grep commands. Enter the following command at the shell prompt:
su -c 'chkconfig --list | grep sendmail'
The following output should be returned:
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Notice that run levels 3, 4, and 5 are listed as on. This means the daemon will start automatically in the desired run levels.
Smart Host
Some Internet Service Providers (ISPs) require all email traffic to be relayed via a specific SMTP server or gateway. This is common for an ISP that provides service to residential customers. To configure sendmail to forward or relay all mail messages via a 'Smart Host', edit '/etc/mail/sendmail.mc' and define a smart host. Enter the following command at a shell prompt to begin:
su -c 'vim /etc/mail/sendmail.mc'
After the vi editor opens, press the [esc] key, then type:
/SMART_HOST
This should take you to the following line in the '/etc/mail/sendmail.mc' file:
dnl define(`SMART_HOST', `smtp.your.provider')dnl
Simply replace 'smtp.your.provider' with the IP address or host name provided by the ISP, and then remove the 'dnl' from the beginning of the line. Here is an example:
define(`SMART_HOST', `mail.bellsouth.net')dnl
Reapply the settings from '/etc/mail/sendmail.mc' and make sendmail start using them, the same as before, by typing:
su -c 'make -C /etc/mail'
and
su -c 'service sendmail restart'
Masquerading
To make sendmail send all outbound email as if it had come from a specific domain instead of user@localhost.localdomain, a few changes need to be made to '/etc/mail/sendmail.mc'. Below is a sample:
MASQUERADE_AS(`mydomain.org')dnl
FEATURE(always_add_domain)dnl
FEATURE(masquerade_entire_domain)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(allmasquerade)dnl
MASQUERADE_DOMAIN(`mydomain.org')dnl
MASQUERADE_DOMAIN(`localhost')dnl
MASQUERADE_DOMAIN(`localhost.localdomain')dnl
Start by opening '/etc/mail/sendmail.mc' with vim:
su -c 'vim /etc/mail/sendmail.mc'
After vi opens, search for the line to be modified by pressing the [esc] key, then entering the following command:
/MASQUERADE_AS
This finds the first line needing to be modified. Alter the text to match the following:
MASQUERADE_AS(`mydomain.org')dnl
Search for the next line to modify using the following command:
/always_add_domain
This should find the following line:
FEATURE(always_add_domain)dnl
If the line is commented out (has a dnl at the beginning of the line), make sure to uncomment it. This tells sendmail to always masquerade as the desired domain, even if the email is sent to other local users on the same server.
Search for the next line to modify using the following command:
/masquerade_entire_domain
Uncomment the line by removing the dnl at the beginning of the line. The line should look like:
FEATURE(masquerade_entire_domain)dnl
Scroll down and uncomment the following line as well:
FEATURE(masquerade_envelope)dnl
Add the following line to tell sendmail to masquerade all email, including messages sent to local users:
FEATURE(allmasquerade)dnl
Scroll down and uncomment the following lines as well:
MASQUERADE_DOMAIN(`mydomain.org')dnl
MASQUERADE_DOMAIN(`localhost')dnl
MASQUERADE_DOMAIN(`localhost.localdomain')dnl
Remake the sendmail configuration file and restart the sendmail daemon as follows:
su -c 'make -C /etc/mail'
and
su -c 'service sendmail restart'
Access
Sendmail allows limiting which hosts or servers have access to relay through the sendmail server by adding entries to the /etc/mail/access file. This feature is important and a first step in preventing unwanted computers from using the sendmail server as an open relay and spamming other email systems.
The /etc/mail/access file has a simple setup of 2 columns. The first column lists the domains or IP addresses to control, and the second column states what permissions or restrictions to place on the entry. Examples of the types of permissions or restrictions are:
RELAY, allow relaying
REJECT, reject emails
OK, accept emails
DISCARD, reject email without sending a bounce message
Here is an example /etc/mail/access file that allows relaying from localhost and the 192.168.1.0/24 network only:
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:192.168.1 RELAY
To add support for relaying email from a domain, simply add the domain to the first column, and the permissions to the second column. Here is another example to demonstrate adding RELAY for the mydomain.org domain:
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:192.168.1 RELAY
Connect:mydomain.org RELAY
To block access to a host that is trying to relay SPAM, add the following line to the /etc/mail/access file:
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:192.168.1 RELAY
Connect:mydomain.org RELAY
Connect:209.62.42.54 REJECT
This will reject all messages sent from the host and send a bounce message notifying the sender that the mail message was rejected. To accomplish the same thing without sending a bounce message, modify the second column as in the example below:
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:192.168.1 RELAY
Connect:mydomain.org RELAY
Connect:209.62.42.54 DISCARD
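The reason "Connect:192.168.1" covers the whole /24 is that sendmail looks a connecting client up by successively shorter keys: an IPv4 address is tried whole and then with trailing octets dropped, a host name whole and then with leading labels dropped, so the first (most specific) entry found decides. The script below is an added example, not part of the original page or of the sendmail distribution, that emulates that lookup over a constructed access file so a rule set can be reasoned about before it is loaded; the 10.9 DISCARD entry and the client addresses are made up. It approximates sendmail's own algorithm: the real check_relay also tries untagged keys and only consults a host name that reverse DNS confirms.

```shell
#!/bin/sh
# Constructed /etc/mail/access contents (hypothetical entries mirroring the
# examples above, plus a DISCARD entry on a shorter prefix).
ACCESS_SAMPLE='Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:192.168.1 RELAY
Connect:mydomain.org RELAY
Connect:209.62.42.54 REJECT
Connect:10.9 DISCARD'

# access_value KEY : print the right-hand side of an exact access entry, or nothing.
access_value() {
    printf '%s\n' "$ACCESS_SAMPLE" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# access_lookup CLIENT : emulate how sendmail matches a connecting client against
# the Connect: entries. An IPv4 address is tried whole and then with trailing
# octets removed (192.168.1.5, 192.168.1, 192.168, 192). A host name is tried
# whole and then with leading labels removed (mail.mydomain.org, mydomain.org, org).
# Prints the matching action, or DEFAULT when no entry matches; with no entry
# sendmail applies its default policy, which does not relay.
access_lookup() {
    client=$1
    while [ -n "$client" ]; do
        action=$(access_value "Connect:$client")
        if [ -n "$action" ]; then
            printf '%s\n' "$action"
            return 0
        fi
        case $client in
            *.*)
                case $client in
                    *[!0-9.]*) client=${client#*.} ;;   # host name: drop the leftmost label
                    *)         client=${client%.*} ;;   # IPv4: drop the rightmost octet
                esac ;;
            *) break ;;
        esac
    done
    printf 'DEFAULT\n'
}

# Demo over constructed clients.
for c in 192.168.1.5 209.62.42.54 10.9.8.7 172.16.0.1 mail.mydomain.org evil.example; do
    printf '%-20s %s\n' "$c" "$(access_lookup "$c")"
done
```

Running it shows 192.168.1.5 relaying through the /24 entry, 10.9.8.7 being discarded by the two-octet prefix, and 172.16.0.1 falling through to the default, which is the case to watch: a host that matches nothing is not relayed, but it is still allowed to deliver mail to local recipients.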
Host Names
Sendmail uses the '/etc/mail/local-host-names' file to determine which domains it manages. To add a domain to the file, open '/etc/mail/local-host-names' using the following command:
su -c 'vim /etc/mail/local-host-names'
The file should only contain the following text at this point:
Press the [o] key to begin inserting a new line, then enter the names of the domains sendmail should manage. The example below shows an '/etc/mail/local-host-names' with two different domains:
mydomain.org
mydomain.net
Virtual Users
The '/etc/mail/virtusertable' file tells sendmail what to do with the mail it receives. The file is set up in two columns. The first column is the email address being sent a message. The second column is the email address that you want those messages to go to. Here is an example of receiving email for user1@mydomain.org and forwarding the email to user1@localhost:
user1@mydomain.org user1
To make sendmail forward all email for the mydomain.org domain to user1, use the following example:
@mydomain.org user1
Aliases
The '/etc/aliases' file can be used to redirect email to local users, groups, external email addresses, or even programs. The '/etc/aliases' file has 2 columns of data. The first column is the name of the mail alias. The second column is the user, group, list of users, external email address, or application to forward the email to. The '/etc/aliases' already includes a list of examples by default for most of the daemons and services on the system. In the example below, an alias called sysadmins will forward email messages to user1, user2, and user3:
sysadmins: user1,user2,user3
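The virtusertable and aliases sections above describe two lookups that run one after the other: the virtusertable is consulted for the exact address before the "@domain" catch-all, and whatever local name comes out of it is then expanded through /etc/aliases, which may itself name further aliases. The script below is an added example (not from the original page or from sendmail) that walks a message through both tables. The table contents are constructed: they reuse the page's user1 and sysadmins entries and add a sales@ alias, an "error:" entry for mydomain.net, and a postmaster chain, all hypothetical.

```shell
#!/bin/sh
# Constructed tables in the two-column formats shown above (hypothetical entries).
VIRTUSERTABLE='user1@mydomain.org user1
sales@mydomain.org sysadmins
@mydomain.org user1
@mydomain.net error:nouser No such user here'

ALIASES='postmaster: root
root: user1
sysadmins: user1,user2,user3'

# table_value TABLE KEY : print everything after the first column of the line
# whose first column is exactly KEY, or nothing.
table_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# virtuser_lookup ADDRESS : the exact address is tried first, the @domain
# catch-all second, so a specific entry always wins. An address with no entry
# is printed unchanged.
virtuser_lookup() {
    target=$(table_value "$VIRTUSERTABLE" "$1")
    [ -n "$target" ] || target=$(table_value "$VIRTUSERTABLE" "@${1#*@}")
    printf '%s\n' "${target:-$1}"
}

# alias_expand NAME DEPTH : expand a local name through /etc/aliases recursively,
# one final recipient per line. Comma-separated members are followed; DEPTH stops
# at 10 so a mistyped circular alias cannot recurse forever.
alias_expand() {
    if [ "$2" -ge 10 ]; then
        printf 'LOOP:%s\n' "$1"
        return 0
    fi
    rhs=$(table_value "$ALIASES" "$1:")
    if [ -z "$rhs" ]; then
        printf '%s\n' "$1"
        return 0
    fi
    old_ifs=$IFS
    IFS=,
    for member in $rhs; do
        IFS=$old_ifs
        member=${member# }
        ( alias_expand "$member" $(($2 + 1)) )   # subshell keeps this loop's variables intact
    done
    IFS=$old_ifs
}

# deliver ADDRESS : where a message to ADDRESS ends up: an SMTP-time error from an
# "error:" entry, a remote address to forward to, or the space-separated list of
# local recipients after alias expansion.
deliver() {
    target=$(virtuser_lookup "$1")
    case $target in
        error:*) printf '%s\n' "$target" ;;
        *@*)     printf '%s\n' "$target" ;;
        *)       alias_expand "$target" 0 | tr '\n' ' ' | sed 's/ $//' ;;
    esac
}

# Demo over constructed addresses.
for a in user1@mydomain.org sales@mydomain.org bob@mydomain.org postmaster@mydomain.org anyone@mydomain.net; do
    printf '%-26s -> %s\n' "$a" "$(deliver "$a")"
done
```

The postmaster@mydomain.org line in the demo is the one to notice: with a "@mydomain.org" catch-all in place it goes to user1, because the catch-all is matched before /etc/aliases is ever consulted. Role addresses that should reach someone else need their own virtusertable entry above the catch-all.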
SSL Encryption
The most common way for a system to be compromised is for a user name and password transmitted in clear text over the Internet to be captured. Sendmail can be configured to use TLS and SSL encryption to protect user accounts and passwords.
To configure sendmail with TLS / SSL encryption, edit the '/etc/mail/sendmail.mc' file and make the following changes.
Uncomment the following lines:
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
Save the changes to '/etc/mail/sendmail.mc' and exit the vi editor. The next step is to create a self-signed certificate for sendmail to use. A certificate can also be purchased from a commercial vendor such as Verisign or Thawte. To begin creating a self-signed certificate, open a shell prompt and become root by entering the following command:
su -
and entering the root password.
Next change to the '/etc/pki/tls/certs' directory. Type 'make sendmail.pem' to begin the cert process. Enter the information for country, state, city, company name, and server name as it is requested. When finished, remake the sendmail configuration files and restart the sendmail daemon as stated earlier in the chapter.
Logging
sendmail logs its information in the '/var/log/maillog' file. The level of logging is set in the '/etc/mail/sendmail.mc' file. The default level of logging is fine for normal operation of sendmail but can be changed if the need arises for debugging or troubleshooting. To modify the logging level of sendmail, open a shell prompt and enter the following command:
su -c 'vim /etc/mail/sendmail.mc'
Find the line that sets the sendmail logging level by pressing the [esc] key and entering the following text:
/confLOG_LEVEL
The higher the number, the more detail. To enable a specific logging level, uncomment the line by removing the 'dnl' from the beginning of the line, then change '9' to a higher number such as 68. Save the changes to 'sendmail.mc' and, when finished, remake the sendmail configuration files and restart the sendmail daemon as stated earlier in the chapter.
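Even at the default log level, every message sendmail refuses (an access REJECT, an unresolvable sender domain, a DNSBL hit) is recorded in /var/log/maillog as a line carrying "ruleset=", "relay=" and "reject=" fields, which makes the log the place to see who is pushing against the policy. The script below is an added example, not part of the original page, that summarizes those rejections per connecting relay. The log lines are constructed in sendmail's format with documentation addresses (203.0.113.x, 198.51.100.x); the queue IDs and hostnames are made up.

```shell
#!/bin/sh
# Constructed /var/log/maillog lines in sendmail's format (documentation IPs, made-up IDs).
MAILLOG_SAMPLE='Oct 28 20:31:02 localhost sendmail[22410]: m9T0V2Aq022410: ruleset=check_rcpt, arg1=<victim@example.net>, relay=[203.0.113.7], reject=550 5.7.1 <victim@example.net>... Relaying denied
Oct 28 20:31:05 localhost sendmail[22411]: m9T0V5Aq022411: ruleset=check_rcpt, arg1=<other@example.net>, relay=[203.0.113.7], reject=550 5.7.1 <other@example.net>... Relaying denied
Oct 28 20:31:09 localhost sendmail[22412]: m9T0V9Aq022412: ruleset=check_mail, arg1=<spam@nxdomain.invalid>, relay=[198.51.100.20], reject=553 5.1.8 <spam@nxdomain.invalid>... Domain of sender address spam@nxdomain.invalid does not exist
Oct 28 20:31:12 localhost sendmail[22413]: m9T0VCAq022413: from=<user1@mydomain.org>, size=1024, class=0, nrcpts=1, msgid=<1@mydomain.org>, proto=ESMTP, daemon=MTA, relay=[192.168.1.5]
Oct 28 20:31:15 localhost sendmail[22414]: m9T0VFAq022414: ruleset=check_rcpt, arg1=<third@example.net>, relay=[203.0.113.7], reject=550 5.7.1 <third@example.net>... Relaying denied'

# maillog_rejects : read maillog lines on stdin; print "COUNT RELAY-IP RULESET" for
# every relay that was rejected, busiest first. The relay field is either
# "relay=[ip]" or "relay=name [ip]"; the bracketed address is taken in both cases.
maillog_rejects() {
    awk '
        /reject=/ {
            ip = "unknown"; rs = "unknown"
            if (match($0, /relay=[^,]*\[[^]]+\]/)) {
                rel = substr($0, RSTART, RLENGTH)
                sub(/.*\[/, "", rel); sub(/\].*/, "", rel)
                ip = rel
            }
            if (match($0, /ruleset=[^,]+/)) rs = substr($0, RSTART + 8, RLENGTH - 8)
            count[ip " " rs]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# maillog_noisy THRESHOLD : relays with at least THRESHOLD rejections, one per line;
# candidates for a REJECT or DISCARD entry in /etc/mail/access.
maillog_noisy() {
    maillog_rejects | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the constructed sample; on a live system use:  maillog_rejects < /var/log/maillog
printf '%s\n' "$MAILLOG_SAMPLE" | maillog_rejects
```

The accepted message from 192.168.1.5 is ignored because it carries no "reject=" field, so the summary counts only policy decisions, not traffic volume.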
Mail Statistics
Sendmail
saves mail traffic information to the '/var/log/mail/statistics' file. To view the information, at the shell prompt type:
su -c 'mailstats'
This should display results similar to the following regarding server performance:
Statistics from Sun Aug 19 12:01:58 2007
 M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis msgsqur  Mailer
 4        3          5K        0          0K        0       0       0  esmtp
 9     1817       4196K     1854       5020K        0       0       0  local
=====================================================================
 T     1820       4201K     1854       5020K        0       0       0
 C     1814                    0                    0
The types of information displayed can be broken down into the following groups:
M, The mailer number.
msgsfr, Number of messages from the mailer.
bytes_from, Kbytes from the mailer.
msgsto, Number of messages to the mailer.
bytes_to, Kbytes to the mailer.
msgsrej, Number of messages rejected.
msgsdis, Number of messages discarded.
Mailer, The name of the mailer
Dealing with SPAM
The first step in dealing with unwanted or unsolicited email requires another change to the '/etc/mail/sendmail.mc' file. Open the 'sendmail.mc' by typing
su -c 'vim /etc/mail/sendmail.mc'
Press the [esc] key and enter the following to find the line to be modified:
/accept_unresolvable_domains
Comment out the line by adding 'dnl' at the beginning of the line. The line should now look like this:
dnl FEATURE(`accept_unresolvable_domains')dnl
This prevents sendmail
from accepting mail from servers that are not properly set up with DNS on the Internet.
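Several steps on this page come down to the same mechanics: a sendmail.mc line is active unless it begins with dnl (m4's "delete to newline"), and a trailing dnl does not comment anything out. After a few rounds of editing it is worth checking the resulting state rather than trusting memory. The script below is an added example, not from the original page or the sendmail project, that reports whether the loopback-only DAEMON_OPTIONS line, SMART_HOST and accept_unresolvable_domains are active, commented or absent in a sendmail.mc read from standard input. The sendmail.mc fragment in it is constructed and the smart-host name is a placeholder.

```shell
#!/bin/sh
# Constructed sendmail.mc fragment with the lines this page edits (hypothetical values).
MC_SAMPLE=$(cat <<'EOF'
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
define(`SMART_HOST', `smtp.isp.example')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
define(`confLOG_LEVEL', `9')dnl
EOF
)

# mc_state PATTERN : read a sendmail.mc on stdin and report whether a line containing
# PATTERN is "active", "commented" (line starts with dnl) or "absent". An active
# match wins over a commented one, since m4 will process it.
mc_state() {
    awk -v pat="$1" '
        index($0, pat) == 0 { next }
        /^[ \t]*dnl/        { state = "commented"; next }
                            { state = "active"; exit }
        END { print (state == "" ? "absent" : state) }
    '
}

# mc_audit : read a sendmail.mc on stdin and print what the listener and sender
# checks will actually do once the file is rebuilt with make -C /etc/mail.
mc_audit() {
    mc=$(cat)
    listener=$(printf '%s\n' "$mc" | mc_state 'Addr=127.0.0.1')
    unres=$(printf '%s\n' "$mc" | mc_state 'accept_unresolvable_domains')
    smart=$(printf '%s\n' "$mc" | mc_state 'SMART_HOST')
    case $listener in
        active) echo "listener: loopback only; remote hosts cannot connect" ;;
        *)      echo "listener: all addresses; relaying is controlled by /etc/mail/access" ;;
    esac
    case $unres in
        active) echo "accept_unresolvable_domains: active; senders without DNS are accepted" ;;
        *)      echo "accept_unresolvable_domains: off; unresolvable sender domains are refused" ;;
    esac
    echo "SMART_HOST: $smart"
}

# Demo on the constructed fragment; on a live system use:  mc_audit < /etc/mail/sendmail.mc
printf '%s\n' "$MC_SAMPLE" | mc_audit
```

The patterns are deliberately specific: searching for "DAEMON_OPTIONS" alone would also match the TLSMTA line, so the loopback check keys on "Addr=127.0.0.1" instead.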
The next step is to install and configure a SPAM program. Fedora comes with such a program called spamassassin. To see if spamassassin is installed, open a shell prompt and enter the following text:
su -c 'rpm -q spamassassin spamass-milter'
If spamassassin is installed, the following results should be displayed:
spamassassin-3.2.3-1.fc8
spamass-milter-0.3.1-4.fc8
If spamassassin is not installed, enter the following text at the shell prompt:
su -c 'yum -y install spamassassin spamass-milter'
After the installation completes, it is time to configure the applications.
Spamassassin and spamass-milter keep their configuration in the following files and folders:
/etc/mail/spamassassin, main configuration files
/etc/sysconfig/spamassassin, spamd options
/etc/sysconfig/spamass-milter, milter configuration settings
/etc/procmailrc, system-wide procmail settings
To begin configuring spamassassin, enter the following command at a shell prompt:
su -c 'vim /etc/mail/spamassassin/local.cf'
This opens the main spamassassin configuration file with the following text:
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
Modify the file to include the following text:
required_score 5.0
rewrite_header subject [SPAM]
report_safe 2
use_bayes 1
bayes_auto_learn 1
skip_rbl_checks 0
use_razor2 1
use_pyzor 1
ok_locales en
Now test to make sure spamassassin is working by entering the following text at a shell prompt:
spamc -R </usr/share/doc/spamassassin-*/sample-nonspam.txt
The following output should be displayed:
Spam detection software, running on the system "localhost.localdomain", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  -----BEGIN PGP SIGNED MESSAGE----- TBTF ping for 2001-04-20:
  Reviving T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t [...]

Content analysis details:   (0.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
_SUMMARY_
Now configure procmail to run spamc on all incoming mail. Add the following text to '/etc/procmailrc' using an editor such as vi:
DROPPRIVS=yes
:0fw
| /usr/bin/spamc
:0
* ^X-Spam-Status: Yes
$HOME/mail/spam
To configure the final piece, open a shell prompt, and enter the following command:
su -c 'vim /etc/sysconfig/spamass-milter'
This opens up the spamass-milter configuration file. Here is an example file:
# Override for your different local config
#SOCKET=/var/run/spamass-milter/spamass-milter.sock

# Standard parameters for spamass-milter are:
# -P /var/run/spamass-milter.pid (PID file)
#
# Note that the -f parameter for running the milter in the background
# is not required because the milter runs in a wrapper script that
# backgrounds itself
#
# You may add another parameters here, see spamass-milter(1)
Uncomment the line '#SOCKET=/var/run/spamass-milter/spamass-milter.sock' by removing the '#'.
Save the changes, and use vi to open 'sendmail.mc' again. Insert the following line at the bottom of 'sendmail.mc':
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter/spamass-milter.sock, F=,T=C:15m;S:4m;R:4m;E:10m')dnl
Save the changes, then rebuild the sendmail configuration file and restart the sendmail daemon.
Start the spamass-milter service, and make it start at boot, by entering the following commands at a shell prompt:
su -c 'chkconfig --level 345 spamass-milter on'
su -c 'service spamass-milter start'
Verify the service is running:
su -c 'pgrep spamass-milter'
This should return the process id of the spamass-milter
processes:
22325 22326
Check the mail log to verify spamass-milter
is starting by entering the following text at a shell prompt:
su -c 'tail /var/log/maillog'
There should be an entry similar to the following:
Oct 28 20:25:33 localhost spamass-milter[22326] : spamass-milter 0.3.1 starting
Black Lists
To reduce the amount of SPAM even further, add the following rule to the end of the '/etc/mail/sendmail.mc' file, remake the sendmail
config file and restart sendmail
to make all of the changes take effect.
FEATURE(`dnsbl', `relays.ordb.org', `"Rejected due to Open Relay see http://www.ordb.org/lookup/?host=" $&{client_addr} " for more information"')dnl
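The dnsbl FEATURE works by reversing the connecting client's IPv4 octets, appending the list's zone and doing a DNS A lookup: an answer in 127.0.0.0/8 means "listed" and the connection is refused, NXDOMAIN means "not listed". That puts the mail server's availability in the hands of the list operator, and a list that goes away can fail dangerously: relays.ordb.org itself stopped operating at the end of 2006 and from March 2008 answered every lookup as listed, so servers still configured with it rejected all incoming mail. RFC 5782 gives the standard probe for this: a live list must list 127.0.0.2 and must never list 127.0.0.1. The script below is an added example, not part of the original page or of sendmail, that builds the query name and applies that health check to answers supplied as arguments, so it runs offline; the answers in the demo are constructed.

```shell
#!/bin/sh
# dnsbl_query IP ZONE : the DNS name sendmail's dnsbl FEATURE looks up for a
# connecting client: the IPv4 octets reversed, then the list zone appended.
dnsbl_query() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# dnsbl_listed ANSWER : a DNSBL answers a listed address with an A record in
# 127.0.0.0/8; no answer (NXDOMAIN, passed here as an empty string) means not
# listed. Anything else is treated as not listed rather than refusing mail on a
# malformed reply.
dnsbl_listed() {
    case $1 in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# dnsbl_health LISTED_ANSWER UNLISTED_ANSWER : RFC 5782 requires every DNSBL to list
# the test address 127.0.0.2 and never list 127.0.0.1. Pass the answers obtained for
# those two probes (for a zone ZONE they are the A records of 2.0.0.127.ZONE and
# 1.0.0.127.ZONE); a list that fails is dead or answering everything, and mail must
# not be rejected on its say-so. Prints healthy or unhealthy.
dnsbl_health() {
    if dnsbl_listed "$1" && ! dnsbl_listed "$2"; then
        echo healthy
    else
        echo unhealthy
    fi
}

# Demo with constructed answers; no network is used.
printf 'query name for 209.62.42.54: %s\n' "$(dnsbl_query 209.62.42.54 relays.ordb.org)"
printf 'list answering correctly:    %s\n' "$(dnsbl_health 127.0.0.2 '')"
printf 'list answering everything:   %s\n' "$(dnsbl_health 127.0.0.2 127.0.0.2)"
printf 'list answering nothing:      %s\n' "$(dnsbl_health '' '')"
```

Running the two probes against each zone named in sendmail.mc, on a schedule, is the cheap way to notice that a list has died before it starts bouncing legitimate mail.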
Anti-Virus
SPAM is not the only concern when running a dedicated mail server. Virus attachments can do as much damage. Clamav is an open source anti-virus program that can scan incoming mail messages. Clamav and clamav-milter are included in Fedora distributions. To check if Clamav and clamav-milter are installed, run the following command at a shell prompt:
su -c 'rpm -q clamav clamav-milter'
The following will be returned if Clamav and clamav-milter are installed:
clamav-0.91.2-2.fc8
clamav-milter-0.91.2-2.fc8
If the packages are not installed, run the following command at a shell prompt:
su -c 'yum -y install clamav clamav-milter clamav-data clamav-update'
After the install completes, there are some changes that need to be made to the configuration files. clamav keeps its configuration files in '/etc/clamd.d/milter.conf' and '/etc/sysconfig/clamav-milter'. Open '/etc/clamd.d/milter.conf' using the following command at a shell prompt:
su -c 'vim /etc/clamd.d/milter.conf'
The first change that needs to be made is to comment out the 'Example' line. Press the [esc] key and enter the following search string:
/Example
Comment out the line by placing a '#' at the beginning of the line. Save the changes, and start up clamav-milter
by entering the following command at a shell prompt:
su -c 'service clamav-milter start'
To make clamav-milter
auto start during system reboots, enter the following command at a shell prompt:
su -c 'chkconfig --level 345 clamav-milter on'
To enable clamav
updates, enter the following command at the command prompt:
su -c 'vim /etc/freshclam.conf'
Comment out the line with the text 'Example' by adding a '#' to the beginning of the line. Save the changes and run the following command at a shell prompt to update clamav
data files:
freshclam
The last item to make changes to is the 'sendmail.mc'. Open the '/etc/mail/sendmail.mc' by entering the following command at a shell prompt:
su -c 'vim /etc/mail/sendmail.mc'
Scroll to the bottom of the 'sendmail.mc' and add the following text:
INPUT_MAIL_FILTER(`clamav-milter', `S=local:/var/run/clamav-milter/clamav.sock, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav-milter')dnl
Remake the sendmail configuration file and restart sendmail
to apply the changes and enable anti-virus scanning. To verify anti-virus scanning is running, run the following command at the shell prompt:
su -c 'tail /var/log/maillog'
The following line should be present in the log file after a mail message has been received:
Milter add: header: X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on localhost.localdomain