From Fedora Project Wiki

Revision as of 16:20, 2 June 2008 by Anubis (talk | contribs) (Fixed templates)

Sendmail

Summary

Purpose: This document covers many of the aspects of configuring and customizing sendmail.

Audience: This document is designed for anyone wanting to setup sendmail as an SMTP server.

Assumptions: The Fedora OS is installed, and TCP/IP and DNS are configured. User accounts have been added and the reader has access to the root password. Firewall rules are configured to allow the proper port access. The computer running Fedora has an active Internet connection, and the user has a basic understanding of vi and bash commands.

Related Documents: The InstallGuide documents the basic install of Fedora. The GettingStarted documents the basic use of Fedora and gaining access to the CLI. The DNS assists with configuring DNS for name resolution. UserAccounts documents the steps for creating users and groups.

Lead Writer: MikeDittmeier

Introduction

Sendmail is a message transport agent (MTA), responsible for taking in mail from a mail user agent (MUA) such as KMail, Evolution, or pine, and relaying the mail to another host toward the final destination. An MTA also listens for incoming connections and accepts mail from remote hosts. This document walks through the process of setting up sendmail for relaying email: first by allowing connections from other computers, and later by securing email transmissions and scanning email for viruses and even SPAM. Other features covered in this document are distribution lists and redirecting incoming email to other domains. The section on basic sendmail configuration is a good start, but each of the following sections can be used by itself or in combination with other sections to add more customization and functionality to sendmail.

Package Requirements

This article makes use of the following packages found in the Fedora Repository:

  • sendmail, the core package
  • sendmail-cf, the configuration files
  • sendmail-doc, the docs and man pages for sendmail
  • spamassassin, spam filtering
  • spamass-milter, sendmail milter for spam filtering
  • clamav, anti-virus application
  • clamav-data, anti-virus application data
  • clamav-libs, anti-virus shared libs
  • clamav-update, anti-virus update scripts
  • clamav-milter, sendmail milter for anti-virus

Installing Sendmail

By default sendmail is already included in most Fedora installations. To verify that sendmail is installed, type the following command:

rpm -q sendmail

This should output the following result:

sendmail-8.14.1-4.2.fc8

If not, install the sendmail packages by typing:

su -c 'yum install -y sendmail sendmail-cf sendmail-doc'

For graphical installs, use Main Menu > Add/Remove Software. This requires the root user password to run. In the Browse tab, click on the Servers group on the left, then select the Mail Server option on the right. Click Apply to have the software and all dependencies installed. You can customize what is installed in the Mail Server grouping by clicking on Optional packages.

Connection

Sendmail needs to be connected to the Internet. While it is not impossible to use a dial-up connection (you might lose incoming mail, as remote hosts will try to connect while your server is down), normally an always-on Internet connection is needed, preferably with a static IP address. A dynamic IP is also possible with one of the various dynamic DNS services (for instance DynDNS). The default port for sendmail is 25. If sendmail accepts secure connections, port 465 may also be needed (for SSL connections). These ports need to be opened in the firewall (refer to the sections in this guide on firewalls and router NAT). Also, many ISPs block port 25 for spam-reduction purposes; it may take a couple of hours on the phone with ISP tech support to get them to unblock it. Some will do it (AT&T, for instance), others may refuse.

Configuring Sendmail

Sendmail has several configuration files located in the /etc/mail folder. Below is a list of the most common files:

  • /etc/mail/access, host access file
  • /etc/mail/domaintable, list of old-domains to new-domain mappings for the mail server
  • /etc/mail/local-host-names, list of host names this server is seen as
  • /etc/mail/mailertable, table of domains and how to route the email sent to those domains
  • /etc/mail/trusted-users, list of users that can send mail on behalf of other users
  • /etc/mail/virtusertable, list of users and domains and who to forward email to
  • /etc/mail/sendmail.mc, main sendmail configuration file
  • /etc/mail/submit.mc, mail submission settings
  • /etc/aliases, user aliases

Allowing External Connections

By default sendmail only accepts incoming connections from the localhost (127.0.0.1). The first change to make to the sendmail.mc file is to allow connections from other hosts. First make a backup of the default sendmail.mc file in case a rollback is needed. Open a shell and enter the following command:

su -c 'cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.bak'

To begin editing the sendmail.mc, enter the following command at a shell prompt:

su -c 'vim /etc/mail/sendmail.mc'

The sendmail configuration file should now be displayed in the vi editor window. Search for the line of text that controls which hosts sendmail will accept connections from. In the vi editor press the [esc] key, then type

/Port=smtp

This should highlight the following line in the sendmail.mc:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

There are two ways to modify this line: comment it out by adding dnl to the beginning of the line, or change the IP address to the server's own IP address. For simplicity, just comment out the line. Make sure the cursor is at the beginning of the line, press the [esc] key, and then the [i] key to begin inserting text. Add dnl to the beginning of the line. The line should now look like this:

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Save the file changes by pressing the [esc] key and typing:

:wq

To make sendmail start using these settings, apply the changes, and then restart the sendmail daemon. From a shell prompt, type the command:

su -c 'make -C /etc/mail'

The output should be similar to the text below:

make: Entering directory `/etc/mail'
make: Leaving directory `/etc/mail'

Next, restart the sendmail daemon by typing the following text at a shell prompt:

su -c 'service sendmail restart'

The changes are now in effect and sendmail will allow connections from any IP.

Auto Starting Sendmail

Now that sendmail is configured to allow connections from other hosts, make sure the daemon starts after system reboots. To accomplish this, simply enter the following command at a shell prompt:

su -c 'chkconfig sendmail 345 on'

This tells the daemon to start in run levels 3, 4, and 5. To verify that the setting has taken effect, use the chkconfig and grep commands. Enter the following command at the shell prompt:

su -c 'chkconfig --list | grep sendmail'

The following output should be returned:

sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off

Notice that run levels 3, 4, and 5 are listed as on. This means the daemon will start automatically in the desired run levels.

Smart Host

Some Internet Service Providers ('ISPs') require all email traffic to be relayed via a specific 'SMTP' server or gateway. This is common for an ISP that provides service to residential customers. To configure 'sendmail' to forward or relay all mail messages via a 'Smart Host', edit the '/etc/mail/sendmail.mc' and define a 'smart host'. Enter the following command at a shell prompt to begin:

su -c 'vim /etc/mail/sendmail.mc'

After the 'vi' editor opens, press the [esc] key, then type:

/SMART_HOST

This should take you to the following line in the '/etc/mail/sendmail.mc' file:

dnl define(`SMART_HOST', `smtp.your.provider')dnl

Simply replace 'smtp.your.provider' with the IP address or host name provided by the ISP, and then remove the 'dnl' from the beginning of the line. Here is an example:

define(`SMART_HOST', `mail.bellsouth.net')dnl

Reapply the settings to the '/etc/mail/sendmail.mc' and make sendmail start using these settings the same as before by typing:

su -c 'make -C /etc/mail'

and

su -c 'service sendmail restart'

Masquerading

To make sendmail send all email outbound as if it had come from a specific domain instead of user@localhost.localdomain, a few changes need to be made to the '/etc/mail/sendmail.mc'. Below is a sample:

MASQUERADE_AS(`mydomain.org')dnl
FEATURE(always_add_domain)dnl
FEATURE(masquerade_entire_domain)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(allmasquerade)dnl
MASQUERADE_DOMAIN(`mydomain.org')dnl
MASQUERADE_DOMAIN(`localhost')dnl
MASQUERADE_DOMAIN(`localhost.localdomain')dnl

Start by opening the '/etc/mail/sendmail.mc' with vim:

su -c 'vim /etc/mail/sendmail.mc'

After vi opens, search for the line to be modified by pressing the [esc] key and then entering the following command:

/MASQUERADE_AS

This finds the first line needing to be modified. Alter the text to match the following:

MASQUERADE_AS(`mydomain.org')dnl

Search for the next line to modify using the following command:

/always_add_domain

This should find the following line:

FEATURE(always_add_domain)dnl

If the line is commented out (has a dnl at the beginning of the line), make sure to uncomment it. This tells sendmail to always masquerade as the desired domain, even if the email is sent to other local users on the same server. Search for the next line to modify using the following command:

/masquerade_entire_domain

Uncomment the line by removing the dnl at the beginning of the line. The line should look like:

FEATURE(masquerade_entire_domain)dnl

Scroll down and uncomment the following line:

Note: the comment lines do not need to be changed.

FEATURE(masquerade_envelope)dnl

Add the following line to tell sendmail to masquerade all email, including messages sent to local users:

FEATURE(allmasquerade)dnl

Scroll down and uncomment the following lines:

Note: the comment lines do not need to be changed.

MASQUERADE_DOMAIN(`mydomain.org')dnl
MASQUERADE_DOMAIN(`localhost')dnl
MASQUERADE_DOMAIN(`localhost.localdomain')dnl

Remake the sendmail configuration file, and restart the sendmail daemon as follows:

su -c 'make -C /etc/mail'

and

su -c 'service sendmail restart'

Access

Sendmail allows for the ability to limit what hosts or servers have access to relay through the sendmail server by adding entries to the /etc/mail/access file. This feature becomes important and a first step in preventing unwanted computers from using the sendmail server as an open relay and spamming other email systems. The /etc/mail/access file has a simple setup of 2 columns. The first column lists the domains or IP addresses to control, and the second column states what permissions or restrictions to place on the entry. Examples of the types of permissions or restrictions are:

  • RELAY, allow relaying
  • REJECT, reject emails
  • OK, accept mail from the entry even if other rules would reject it (this does not grant relaying)
  • DISCARD, reject email without sending a bounce message

Here is an example /etc/mail/access file that allows relaying from localhost and the 192.168.1.0/24 network only:

Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
Connect:192.168.1                       RELAY

To add support for relaying email from a domain, simply add the domain to the first column, and the permissions to the second column. Here is another example to demonstrate adding RELAY for the mydomain.org domain:

Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
Connect:192.168.1                       RELAY
Connect:mydomain.org                    RELAY

To block access to a host that is trying to relay SPAM, add the following line (shown last) to the /etc/mail/access file:

Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
Connect:192.168.1                       RELAY
Connect:mydomain.org                    RELAY
Connect:209.62.42.54                    REJECT

This will reject all messages sent from the host and send a bounce message notifying the sender that the mail message was rejected. To accomplish the same thing, but not send a bounce message, modify the second column like the example below:

Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
Connect:192.168.1                       RELAY
Connect:mydomain.org                    RELAY
Connect:209.62.42.54                    DISCARD
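The access file is the control that keeps the server from being an open relay, so it is worth checking mechanically rather than by eye. The script below is an added example, not part of the Fedora wiki page: it reads a constructed access file (written to a temp file, never /etc/mail/access) and lists every RELAY grant whose key is not localhost or a loopback/RFC 1918 IPv4 prefix, since those are the grants that extend relaying to hosts outside the local network and deserve review. The `risky_relays` and `risky_relay_count` function names and the sample entries are this example's own.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page: audit a sendmail access file
# and list every RELAY grant whose key is not localhost or a loopback/RFC 1918
# IPv4 prefix. A RELAY grant for a host you do not control is what turns a
# server into an open relay, so those entries are the ones to review.

# Constructed sample access file: the page's example plus two extra entries
# (a hostname grant and a public prefix). Written to a temp file, not to
# /etc/mail/access.
SAMPLE_ACCESS=$(mktemp)
cat >"$SAMPLE_ACCESS" <<'EOF'
# comments and blank lines are skipped, as makemap skips them
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
Connect:192.168.1                       RELAY
Connect:mydomain.org                    RELAY
Connect:203.0.113                       RELAY
Connect:209.62.42.54                    REJECT
EOF

# risky_relays FILE: print the key of each RELAY entry that is not localhost
# or a loopback/private IPv4 prefix, one per line, in file order.
risky_relays() {
    awk '
        /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
        toupper($2) != "RELAY" { next }           # REJECT, DISCARD, OK do not grant relaying
        {
            key = $1
            sub(/^Connect:/, "", key)             # drop the optional Connect: tag
            if (key == "localhost" || key == "localhost.localdomain") next
            if (key ~ /^127\./) next                                   # loopback
            if (key ~ /^10(\.|$)/) next                                # 10/8
            if (key ~ /^192\.168(\.|$)/) next                          # 192.168/16
            if (key ~ /^172\.(1[6-9]|2[0-9]|3[01])(\.|$)/) next         # 172.16/12
            print key
        }' "$1"
}

# risky_relay_count FILE: number of entries risky_relays would print,
# handy as a one-number check from cron.
risky_relay_count() {
    risky_relays "$1" | wc -l | tr -d ' '
}

echo "RELAY grants to review in $SAMPLE_ACCESS:"
risky_relays "$SAMPLE_ACCESS"
```

On the sample above the script prints `mydomain.org` and `203.0.113`. Flagging a hostname entry does not mean it is wrong; it means relaying for it depends on the DNS name the connecting client resolves to rather than on an address range you administer, which is a different trust decision from the loopback and 192.168.1 entries. To run it against a real server, pass /etc/mail/access as the argument instead of the temp file.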

Host Names

Sendmail uses the '/etc/mail/local-host-names' file to determine which domains it manages. To add a domain to the file, open the '/etc/mail/local-host-names' file using the following command:

su -c 'vim /etc/mail/local-host-names'

The file should only contain the following text at this point:


Press the [o] key to begin inserting a new line, then enter the names of the domains sendmail should manage. The example below shows an '/etc/mail/local-host-names' with two different domains:

mydomain.org
mydomain.net

Virtual Users

The '/etc/mail/virtusertable' file tells sendmail what to do with the mail it receives. The file is set up in two columns. The first column is the email address a message is sent to. The second column is the email address that you want those messages to go to. Here is an example of receiving email for user1@mydomain.org and forwarding it to user1@localhost:

user1@mydomain.org	user1

To make sendmail forward all email for the mydomain.org domain to user1, use the following example:

@mydomain.org	user1

Aliases

The '/etc/aliases' file can be used to redirect email to local users, groups, external email addresses, or even programs. The '/etc/aliases' file has 2 columns of data. The first column is the name of the mail alias. The second column is the user, group, list of users, external email address, or application to forward the email to. The '/etc/aliases' already includes a list of examples by default for most of the daemons and services on the system. In the example below, an alias called sysadmins will forward email messages to user1, user2, and user3:

Note: when creating group lists in the second column, do not use spaces.

sysadmins:	user1,user2,user3
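Because virtusertable and aliases are applied one after the other, it helps to see what a given recipient address turns into. The script below is an added example, not code from the Fedora wiki page or from sendmail: it is a simplified model of the lookup order (exact user@domain entry, then the @domain catch-all, then alias expansion of the resulting local name) run over constructed copies of the two tables written to temp files. It reads the plain-text files, not the .db maps sendmail actually consults, and the function names `virtual_target`, `expand_alias` and `resolve_recipient` are this example's own.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page: a simplified model of how a
# recipient address passes through virtusertable and then /etc/aliases.
# Order modelled here: exact user@domain entry, then the @domain catch-all,
# then alias expansion of the resulting local name. It reads the text files
# directly, not the .db maps sendmail builds from them.

# Constructed sample tables written to temp files (not /etc/mail/virtusertable
# or /etc/aliases). Columns are whitespace-separated, as in the real files.
SAMPLE_VIRT=$(mktemp)
cat >"$SAMPLE_VIRT" <<'EOF'
user1@mydomain.org	user1
postmaster@mydomain.org	sysadmins
@mydomain.org	user1
EOF
SAMPLE_ALIASES=$(mktemp)
cat >"$SAMPLE_ALIASES" <<'EOF'
# alias name, then the comma-separated list (no spaces) it expands to
sysadmins:	user1,user2,user3
EOF

# virtual_target ADDRESS VIRTUSERTABLE: right-hand side of the matching entry,
# exact match first, then the @domain catch-all; the address itself when the
# domain is not in the table at all.
virtual_target() {
    awk -v a="$1" -v d="@${1#*@}" '
        /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
        $1 == a { exact = $2 }
        $1 == d { catchall = $2 }
        END {
            if (exact != "") print exact
            else if (catchall != "") print catchall
            else print a
        }' "$2"
}

# expand_alias NAME ALIASES: the expansion of NAME, or NAME unchanged when it
# is not an alias (aliases keys carry a trailing colon in the file).
expand_alias() {
    awk -v n="$1" '
        /^[ \t]*(#|$)/ { next }
        { key = $1; sub(/:$/, "", key) }
        key == n { found = $2 }
        END { if (found != "") print found; else print n }' "$2"
}

# resolve_recipient ADDRESS VIRTUSERTABLE ALIASES: where mail for ADDRESS ends up.
resolve_recipient() {
    expand_alias "$(virtual_target "$1" "$2")" "$3"
}

for addr in user1@mydomain.org anyone@mydomain.org postmaster@mydomain.org bob@other.example; do
    echo "$addr -> $(resolve_recipient "$addr" "$SAMPLE_VIRT" "$SAMPLE_ALIASES")"
done
```

With the sample tables, user1@mydomain.org and anyone@mydomain.org both land on user1 (the second through the catch-all), postmaster@mydomain.org expands through the sysadmins alias to user1,user2,user3, and an address in a domain the table does not mention passes through unchanged.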

SSL Encryption

The most common way for any system to be exploited is for a user name and password that are transmitted in clear text over the Internet to be captured. Sendmail can be configured to use TLS and SSL encryption to protect user accounts and passwords. To configure sendmail with TLS / SSL encryption, edit the '/etc/mail/sendmail.mc' file and make the following changes. Uncomment the following lines:

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

Save the changes to the '/etc/mail/sendmail.mc' and exit the vi editor. The next step is to create a self-signed certificate for sendmail to use. A certificate can also be purchased from a commercial vendor such as Verisign or Thawte. To begin creating a self-signed certificate, open a shell prompt, and become root by entering the following command:

su -

and entering the root password. Next change to the '/etc/pki/tls/certs' directory. Type 'make sendmail.pem' to begin the cert process. Enter the information for country, state, city, company name, and server name as it is requested. When finished, remake the sendmail configuration files and restart the sendmail daemon as stated earlier in the chapter.

Logging

Sendmail logs its information in the '/var/log/maillog' file. The level of logging is set in the '/etc/mail/sendmail.mc' file. The default level of logging is fine for normal operation of sendmail but can be changed if the need arises for debugging or troubleshooting. To modify the logging level of sendmail, open a shell prompt and enter the following command:

su -c 'vim /etc/mail/sendmail.mc'

Find the line that sets sendmail logging level by pressing the [esc] key and entering the following text:

/confLOG_LEVEL

The higher the number, the more detail. To enable a specific logging level, uncomment the line by removing the 'dnl' from the beginning of the line, then change '9' to a higher number such as 68. Save the changes to the 'sendmail.mc' and, when finished, remake the sendmail configuration files and restart the sendmail daemon as stated earlier in the chapter.

Mail Statistics

Sendmail saves mail traffic information to the '/var/log/mail/statistics' file. To view the information, at the shell prompt type:

su -c 'mailstats'

This should display results similar to the following regarding server performance:

Statistics from Sun Aug 19 12:01:58 2007
M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis msgsqur  Mailer
4        3          5K        0          0K        0       0       0  esmtp
9     1817       4196K     1854       5020K        0       0       0  local
=====================================================================
T     1820       4201K     1854       5020K        0       0       0
C     1814                    0                    0

The types of information displayed can be broken down into the following groups:

  • M, The mailer number.
  • msgsfr, Number of messages from the mailer.
  • bytes_from, Kbytes from the mailer.
  • msgsto, Number of messages to the mailer.
  • bytes_to, Kbytes to the mailer.
  • msgsrej, Number of messages rejected.
  • msgsdis, Number of messages discarded.
  • msgsqur, Number of messages quarantined.
  • Mailer, The name of the mailer.

Dealing with SPAM

The first step in dealing with unwanted or unsolicited email requires another change to the '/etc/mail/sendmail.mc' file. Open the 'sendmail.mc' by typing

su -c 'vim /etc/mail/sendmail.mc'

Press the [esc] key and enter the following to find the line to be modified:

/accept_unresolvable_domains

Comment out the line by adding 'dnl' at the beginning of the line. The lines should now look like this:

dnl FEATURE(`accept_unresolvable_domains')dnl

This prevents sendmail from accepting mail from servers that are not properly set up with DNS on the Internet. The next step is to install and configure a SPAM program. Fedora comes with such a program called spamassassin. To see if spamassassin is installed, open a shell prompt and enter the following text:

su -c 'rpm -q spamassassin spamass-milter'

If spamassassin is installed, the following results should be displayed:

spamassassin-3.2.3-1.fc8
spamass-milter-0.3.1-4.fc8

If spamassassin is not installed, enter the following text at the shell prompt:

su -c 'yum -y install spamassassin spamass-milter'

After the installation completes, it's time to configure the applications. Spamassassin and spamass-milter keep configuration files in the following files and folders:

  • /etc/mail/spamassassin, main configuration files
  • /etc/sysconfig/spamassassin, spamd options
  • /etc/sysconfig/spamass-milter, milter configuration settings
  • /etc/procmailrc, system wide procmail settings

To begin configuring spamassassin enter the following command at a shell prompt:

su -c 'vim /etc/mail/spamassassin/local.cf'

This opens the main spamassassin configuration file with the following text:

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]

Modify the file to include the following text:

required_score           5.0
rewrite_header subject         [SPAM] 
report_safe             2
use_bayes               1
bayes_auto_learn        1
skip_rbl_checks         0
use_razor2              1
use_pyzor               1
ok_locales              en

Now test to make sure spamassassin is working. Enter the following text at a shell prompt:

spamc -R </usr/share/doc/spamassassin-*/sample-nonspam.txt

The following output should be displayed:

Spam detection software, running on the system "localhost.localdomain", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  -----BEGIN PGP SIGNED MESSAGE----- TBTF ping for 2001-04-20:
Reviving T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t [...] 


Content analysis details:   (0.0 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
_SUMMARY_

Now configure procmail to pass all incoming mail through SpamAssassin. Add the following text to '/etc/procmailrc' using an editor such as vi:

Note: '/etc/procmailrc' may not exist; just create a new file.

DROPPRIVS=yes
:0fw
| /usr/bin/spamassassin
:0
* ^X-Spam-Status: Yes
$HOME/mail/spam

To configure the final piece, open a shell prompt, and enter the following command:

su -c 'vim /etc/sysconfig/spamass-milter'

This opens up the spamass-milter configuration file. Here is an example file:

# Override for your different local config
#SOCKET=/var/run/spamass-milter/spamass-milter.sock

# Standard parameters for spamass-milter are:
# -P /var/run/spamass-milter.pid (PID file)
#
# Note that the -f parameter for running the milter in the background
# is not required because the milter runs in a wrapper script that
# backgrounds itself
#
# You may add another parameters here, see spamass-milter(1)
#SOCKET=/var/run/spamass-milter/spamass-milter.sock


Uncomment the line '#SOCKET=/var/run/spamass-milter/spamass-milter.sock' by removing the '#'.

Make note of the path to the 'sock' file, as it will be used in the next step.

Save the changes, and use vi to open the 'sendmail.mc' again. Insert the following line at the bottom of the 'sendmail.mc':

INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter/spamass-milter.sock, F=,T=C:15m;S:4m;R:4m;E:10m')dnl

Save the changes, then rebuild the sendmail configuration file and restart the sendmail daemon. Start the spamass-milter service by entering the following commands at a shell prompt:

su -c 'chkconfig --levels 345 spamass-milter on'
su -c 'service spamass-milter start'

Verify the service is running:

su -c 'pgrep spamass-milter'

This should return the process ids of the spamass-milter processes:

22325
22326

Check the mail log to verify spamass-milter is starting by entering the following text at a shell prompt:

su -c 'tail /var/log/maillog'

There should be an entry similar to the following:

Oct 28 20:25:33 localhost spamass-milter[22326] : spamass-milter 0.3.1 starting

Black Lists

To reduce the amount of SPAM even further, add the following rule to the end of the '/etc/mail/sendmail.mc' file, remake the sendmail config file and restart sendmail to make all of the changes take effect.

FEATURE(`dnsbl', `relays.ordb.org', `"Rejected due to Open Relay see http://www.ordb.org/lookup/?host=" $&{clientaddr} " for more information"')dnl


Anti-Virus

SPAM is not the only concern when running a dedicated mail server. Virus attachments can do as much damage. Clamav is an open source anti-virus program that can scan incoming mail messages. Clamav and clamav-milter are included in Fedora distributions. To check if Clamav and clamav-milter are installed, run the following command at a shell prompt:

su -c 'rpm -q clamav clamav-milter'

The following will be returned if Clamav and clamav-milter are installed:

clamav-0.91.2-2.fc8
clamav-milter-0.91.2-2.fc8

If the packages are not installed, run the following command at a shell prompt:

su -c 'yum -y install clamav clamav-milter clamav-data clamav-update'

After the install completes, there are some changes that need to be made to the configuration files. Clamav keeps its configuration files in '/etc/clamd.d/milter.conf' and '/etc/sysconfig/clamav-milter'. Open the '/etc/clamd.d/milter.conf' using the following command at a shell prompt:

su -c 'vim /etc/clamd.d/milter.conf'

The 'milter.conf' file is quite large, and has many options. Only the basic changes needed to make the system functional will be made here. Make additional changes at your own risk.

The first change that needs to be made is to comment out the 'Example' line. Press the [esc] key and enter the following search string:

/Example

Comment out the line by placing a '#' at the beginning of the line. Save the changes, and start up clamav-milter by entering the following command at a shell prompt:

su -c 'service clamav-milter start'

To make clamav-milter auto start during system reboots, enter the following command at a shell prompt:

su -c 'chkconfig --levels 345 clamav-milter on'

To enable clamav updates, open the freshclam configuration file by entering the following command at the command prompt:

su -c 'vim /etc/freshclam.conf'

Comment out the line with the text 'Example' by adding a '#' to the beginning of the line. Save the changes and run the following command at a shell prompt to update clamav data files:

freshclam

The last item to make changes to is the 'sendmail.mc'. Open the '/etc/mail/sendmail.mc' by entering the following command at a shell prompt:

su -c 'vim /etc/mail/sendmail.mc'

Scroll to the bottom of the 'sendmail.mc' and add the following text:

INPUT_MAIL_FILTER(`clamav-milter', `S=local:/var/run/clamav-milter/clamav.sock, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav-milter')dnl

Remake the sendmail configuration file and restart sendmail to apply the changes and enable anti-virus scanning. To verify anti-virus scanning is running, run the following command at the shell prompt:

su -c 'tail /var/log/maillog'

The following line should be present in the log file after a mail message has been received:

Milter add: header: X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on localhost.localdomain