Sendmail is the typical MTA or Mail Transfer Agent for Linux. Though it seems complicated, it isn't too bad. Just take it a step at a time and you'll do fine. Yes, many of the commands are terse, but the included configs are pretty good. If you don't trust my configs, check out http://www.sendmail.org for more details.
********
**
** If you aren't sure what version of Sendmail you are running or what features
** were compiled into your version of Sendmail, try this command:
**
**   Generic method:   sendmail -d0.1 </dev/null
**
**   Redhat:           rpm -qa | grep sendmail
**
********

-----------------------------------------------------------------------------
NOTE: The following configs are:

  1. Tailored to MASQ users that have 1+ machines on an internal LAN
  2. For users of Sendmail >= 8.9.x

  Sendmail 8.8.x users can find 8.8.x in the TrinityOS-Retired documentation
  available at: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/RETIRED/TrinityOS-Retired.html

BUT these configs also apply to:

  3. Linux users that are NOT doing MASQ. They will *STILL* need to make some
     of the changes below if they plan to have their Linux box send email
     whatsoever.
-----------------------------------------------------------------------------
As Sendmail continues to evolve to fill the needs of various users, the configuration files and mechanisms have changed. Here is a small table of the changes that affect TrinityOS users:
Sendmail 8.8.x
Sendmail 8.9.x+
Sendmail 8.11.x+
- Download the newest stable version of Sendmail from the URLs in Section 5 and put it in, say, /usr/src/archive/sendmail
- If Sendmail is already running, shut it down:
- Redhat:
/etc/rc.d/init.d/sendmail stop
- Slackware:
kill -9 `ps aux | grep sendmail | grep -v -e grep | awk '{print $2}'`
* If you had Sendmail already configured for your box, backup your configs now:
Sendmail 8.9.x - 8.11.x+
tar czvf /root/backup/sendmail-old.tgz /etc/aliases /etc/sendmail.* /etc/mail/* /usr/sbin/sendmail /usr/lib/sendmail-cf/*
Thoughts on RPMs..
For those users who wish to use RPMs:
rpm -Uvh sendmail-*.rpm
For those users who wish to COMPILE their own version of Sendmail
tar xzvf sendmail-x.x.x.tgz
cd sendmail-x.x.x/src
LIBS= ifdef(`confLIBS', `confLIBS')
LIBS= ifdef(`confLIBS', `confLIBS') -lresolv
Sendmail 8.9.x:   make
Sendmail 8.10.x+: sh Build
make install
cd /usr/src/archive/sendmail/sendmail-8.11.x/cf
tar cf - . | (cd /usr/lib/sendmail-cf/; tar xvf -)
- Next, regardless if you are going to run a MASQ or non-MASQed network, edit or create the following:
This file is very important since it tells Sendmail WHAT DOMAINS TO ACCEPT Email FOR. In this file, put in **ALL** of the domain names you registered with the Internic.
Sendmail 8.11.x - 8.10.x
/etc/mail/local-host-names -- acme123.com --
Sendmail - 8.9.x
/etc/mail/sendmail.cw -- acme123.com --
****************************
** Supporting more than one Internet domain
**
** If you are going to host MULTIPLE Internet domains on this one box (ie.
** acme123.com and newdomain.com), simply add all the other domain names that
** you want to be able to receive email for in the files for your Sendmail
** version as shown above and you'll be set!
****************************
=================================================================
All users, regardless of using the RPMs or compiling the source:
=================================================================

chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
Doing it the Sendmail way (recommended):
mkdir /usr/lib/sendmail-cf
tar cpf - /usr/src/archive/sendmail/sendmail-x.x.x/* | (cd /usr/lib/sendmail-cf; tar xpvf -)
All of the following configuration options are fully described in /usr/lib/sendmail-cf/README:
/usr/lib/sendmail-cf/cf/trinityos.mc
--
#Give the configuration a version number
VERSIONID(`@(#)trinityos.mc 8.11 (Berkeley) 10/07/00')

#Tell sendmail that the CF file is for the Linux OS
OSTYPE(linux)

#Disable UUCP. It is old and dead.
FEATURE(nouucp,reject)

#When sending email locally, use procmail to send mail vs. sendmail. More efficient.
FEATURE(local_procmail)

#Enable the SMTP protocol - other options are the legacy protocols like UUCP and BitNet
MAILER(smtp)

#Use procmail as the local mailer.
MAILER(procmail)

#Rewrite ALL outgoing email to be from acme123.com and not somehost.acme123.com
MASQUERADE_AS(acme123.com)
MASQUERADE_DOMAIN(acme123.com)
FEATURE(masquerade_entire_domain)

#This also does the above trick but also works more in the header.
FEATURE(masquerade_envelope)

#If you email someone locally, say "greg" without the full domain, Sendmail will
#append acme123.com to the address. "greg@acme123.com"
FEATURE(always_add_domain)

#Enable the use of the Realtime Blackhole list for automatic SPAM filtering
FEATURE(dnsbl)

#Use the /etc/sendmail.cw file for what domains to allow the receiving of
#email for. This option is old and will be replaced with something else.
FEATURE(use_cw_file)

#Define where sendmail can find procmail
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')

#Delete all the program and version information out of the SMTP header
define(`confSMTP_LOGIN_MSG',`')

#Enable more secure operation of Sendmail
define(`confPRIVACY_FLAGS',`authwarnings noexpn novrfy needmailhelo noetrn')

#Enable the new Sendmail access DB support.. needed for backup SMTP setups
FEATURE(access_db)

#Enable backup SMTP support for remote domains where the remote user is NOT
#locally defined on the local box
FEATURE(relay_mail_from)
--
******************************************************
* Please do NOT use old versions of Sendmail unless  *
* ABSOLUTELY required, to avoid spam and possible    *
* security issues!!                                  *
******************************************************
/usr/lib/sendmail-cf/cf/trinityos.mc
--
#Give the configuration a version number
VERSIONID(`@(#)trinityos.mc 8.10 (Berkeley) 11/26/99')

#Tell sendmail that the CF file is for the Linux OS
OSTYPE(linux)

#Disable UUCP. It is old and dead.
FEATURE(nouucp)

#When sending email locally, use procmail to send mail vs. sendmail. More efficient.
FEATURE(local_procmail)

#Use procmail as the local mailer.
MAILER(procmail)

#Enable the SMTP protocol - other options are the legacy protocols like UUCP and BitNet
MAILER(smtp)

#Rewrite ALL outgoing email to be from acme123.com and not somehost.acme123.com
MASQUERADE_AS(acme123.com)
MASQUERADE_DOMAIN(acme123.com)
FEATURE(masquerade_entire_domain)

#This also does the above trick but also works more in the header.
FEATURE(masquerade_envelope)

#If you email someone locally, say "greg" without the full domain, Sendmail will
#append acme123.com to the address. "greg@acme123.com"
FEATURE(always_add_domain)

#Enable the use of the Realtime Blackhole list for automatic SPAM filtering
FEATURE(rbl)

#Use the /etc/sendmail.cw file for what domains to allow the receiving of
#email for. This option is old and will be replaced with something else.
FEATURE(use_cw_file)

#Define where sendmail can find procmail
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')

#Delete all the program and version information out of the SMTP header
define(`confSMTP_LOGIN_MSG',`')

#Enable more secure operation of Sendmail
define(`confPRIVACY_FLAGS',`authwarnings noexpn novrfy needmailhelo noetrn')
--
- Now do the following to create a "trinityos.cf" file from the just created "trinityos.mc" file
export CFDIR="/usr/lib/sendmail-cf"
cd /usr/lib/sendmail-cf
m4 ${CFDIR}/m4/cf.m4 ${CFDIR}/cf/trinityos.mc > ${CFDIR}/cf/trinityos.cf

# Please note this is the destination directory for Sendmail 8.9.x and
# newer
cp ${CFDIR}/cf/trinityos.cf /etc/sendmail.cf

Doing it the hacker way (NOT recommended unless you know what you are doing):
DMacme123.com
S94
#R$+			$@ $>93 $1
R$* < @ *LOCAL* > $*	$: $1 < @ $j . > $2
S94
R$+			$@ $>93 $1
#R$* < @ *LOCAL* > $*	$: $1 < @ $j . > $2
***
*** Next, be SURE to follow the "aliases" instructions in Section 18.
***
- NOTE: I had some issues with the 8.9.3 installation at this point. Specifically, I was getting the following in /var/log/maillog:
Aug 24 22:38:45 trinity2 sendmail[7375]: WAA07051: SYSERR(root): Cannot exec /usr/local/bin/procmail: No such file or directory
Aug 24 22:38:45 trinity2 sendmail[7368]: WAA07051: to=<dranch@trinnet.net>, delay=00:10:10, xdelay=00:00:00, mailer=local, stat=Operating system error
This is because sendmail wasn't looking for procmail in the right place. You can either implement the following hack or fix it the proper way by using the:
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')
parameter in the 8.9.x trinityos.mc file.
To hack it to get things running, I had to fix a path ISSUE:
ln -s /usr/bin/procmail /usr/local/bin/procmail
Ok, next, you need to make sure that your mail server is SECURE and RELAY-free:
- When hackers want to break into a given email server, they will first want to find out what version of the email server you are running. Once they know what version you are running, they can then run exploits against it. Also, they will try to find out where root and postmaster email goes to. So, what can you do?
1. Always run the newest version of your email server. Be it Sendmail, Qmail, PostFix, etc.
2. Hide the name and version of your email server:
- Sendmail:
Edit the /etc/sendmail.cf file and change the following lines from:
   O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
   O PrivacyOptions=authwarnings
   O HelpFile=/usr/lib/sendmail.hf

to:

   O SmtpGreetingMessage=
   O PrivacyOptions=authwarnings noexpn novrfy needmailhelo noetrn
   O HelpFile=
NOTE: The "PrivacyOptions" changes are now automatically done for you in the new /usr/lib/sendmail-cf/cf/trinityos.mc file
A note on Compatibility:
I have had one user that told me that the "needmailhelo" option was possibly causing "SMTP error 250 - remote protocol error" problems with some remote SMTP servers. Please understand that this is NOT a Sendmail problem on your end. This option exposed a broken SMTP on the remote end.
You should also keep in mind that Sendmail, to this day, is one of the most tolerant SMTP servers when communicating to broken remote SMTP servers. If you were to move over to a different SMTP server, say Qmail, you would notice a LOT more broken SMTP servers out on the Internet.
- Do you need Sendmail to run as a DAEMON?
You now need to determine if you need to have sendmail running all the time or just have it occasionally load up to send email. What's the difference?
- Sendmail ONLY needs to be always running if you have your own FQDN domain such as acme123.com which you registered with the Internic.
If you do have your own domain and want to receive email, make sure to re-enable the Sendmail daemon that was DISABLED in Section 8.
If you DON'T have your own domain, you DO NOT NEED Sendmail to always run. Because of this, I recommend disabling Sendmail as a DAEMON as shown in Section 8. If you do disable Sendmail but still want to SEND email from your Linux box, you still need to have Sendmail (or any other MTA like Qmail, Vmail, PostFix, etc) installed.
If you aren't going to have Sendmail running in Daemon mode, your locally sent email should be able to get out fine. But, if there is a problem with your Internet connection, the Internet itself, or the remote mail server when you originally tried to send that mail, it WON'T automatically be re-scheduled to be sent at a later time. To get Sendmail to retry later, you need to configure "cron" to try to resend any queued email once an hour.
To have sendmail try sending delayed email:
Redhat:
Create the /etc/cron.hourly/sendmail file
--
/usr/sbin/sendmail -q
--
Slackware:
edit the /var/spool/cron/crontabs/root file and add a line:
--
01 * * * * /usr/sbin/sendmail -q
--
Now, re-load cron to see the changes:
That's it! Now you need to test Sendmail:
1. First, start it up:

     Redhat:    /etc/rc.d/init.d/sendmail restart
     Slackware: /usr/sbin/sendmail -bd -q1h

2. If you are running your own domain:

   2.A. Send an email to root@acme123.com from a remote computer out on the
        Internet. Make sure that this test mail arrives in your INBOX.
   2.B. Look at the headers and make sure that the TO: field looks ok.

3. Regardless of whether you DO or DON'T have your own Internet domain name:

   3.A. Send email from the local Linux box to a different user on the local
        Linux box (via Pine, ELM, etc). Make sure it gets there.
   3.B. Send email from the local Linux box to the "root" account. Make sure
        that this email is properly forwarded to the user configured to receive
        "root's" email via Section 18.

4. For users that send email via a POP3/IMAP client (Eudora, Netscape, etc)
   from an INTERNAL LAN:

   4.A. Be sure to configure your POP3/IMAP client properly.
   4.B. Send a piece of email to a remote account that you have access to or
        that someone can then forward BACK to you.
   4.C. -LOOK- at the technical email headers. Some programs make you push some
        buttons to look at this information. Eudora needs the "BlahBlah" button
        pushed. Pine requires that you hit "O" for Options and then "H" for
        Header Mode (note: these PINE options must be ENABLED in Pine's
        configuration menus to even see them).
   4.D. Make sure that none of the To:, From:, Reply-To:, etc. addresses look odd.

5. For users that send email from a POP3/IMAP client (Eudora, Netscape, etc.)
   via the Internet (you are dialed into some other ISP, etc):

   5.A. Be sure to configure your POP3/IMAP client and Linux POP/IMAP server
        properly.
   5.B. Be sure that you can receive email via POP/IMAP from your Linux server.
   5.C. *** Send a piece of email to a remote account via the local mail tools
        like Pine, elm, etc. Can you do it? Probably not!! The reason for this
        is that you are trying to EMAIL RELAY through your Linux server and
        this is BAD.
        This is how you get a majority of all that SPAM email. To fix this, add
        ANY remote network names, either INTERNAL or EXTERNAL, that you want to
        send email FROM into the /etc/mail/relay-domains file. For example, say
        I'm dialed into an ISP, say earthlink.net, and I want to send email via
        my Linux server. Also, I will want to send email from ANY machine on the
        internal MASQ'ed network. For this to work, I would have to do the
        following:

        --/etc/mail/relay-domains
        earthlink.net
        192.168.0
        --

        This can also be done by adding the specific hosts or IPs to the
        /etc/mail/access file and marking them as "RELAY"s.

        NOTE #1: I hope you realize that by doing line #1, any OTHER users that
        use Earthlink.net can ALSO use your Linux server as a relay site. This
        is BAD but you might not have any choice. Your only other (but
        preferred) choice is to get a STATIC IP address from your ISP (ie.
        Earthlink) and then configure in THAT specific name or TCP/IP address.

        NOTE #2: For the second line, you can also add either the generic
        network IP address, a specific internal machine's IP address, your top
        level FQDN (acme123.com), or the FQDN of each internal machine. Your
        pick.

6. Verify that the Blackhole Anti-Spam filter system is working. Run the
   following command from the command line:

   --
   $ sendmail -bt -C /etc/mail/sendmail.cf
   ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
   Enter <ruleset> <address>
   > .D{client_addr}127.0.0.1
   > Basic_check_relay <>
   Basic_check_rela   input: < >
   Basic_check_rela returns: OKSOFAR
   > .D{client_addr}127.0.0.2
   > Basic_check_relay <>
   Basic_check_rela   input: < >
   Basic_check_rela returns: $# error $@ 5 . 7 . 1 $: "550 Mail from " 127 . 0 . 0 . 2 " refused by blackhole site rbl.maps.vix.com"
   > CTRL/D
   --

   Ahhh.. works like a charm!

7. Make sure that the online HELP system doesn't work:

   7.A TELNET to either your external IP, localhost, or internal IP address (if
       you have one) on port 25 and issue the HELP command. Type in QUIT when
       finished.
       telnet localhost 25
       --
       Trying 127.0.0.1...
       Connected to localhost.
       Escape character is '^]'.
       220 ESMTP
       HELP
       502 5.3.0 Sendmail TrinityOS -- HELP not implemented
       quit
       221 2.0.0 trinity3.trinnet.net closing connection
       Connection closed by foreign host.
       --

   7.B You will probably notice that the Sendmail version will show up when you
       do that "HELP" test. Please note that deleting all references to the
       Sendmail version numbers is difficult but not impossible if you have a
       minimal or decent understanding of C code. If you want to delete this
       specific instance, edit the Sendmail source file srvrsmtp.c and search
       for "502 5.3.0". There, delete the "%s" from that line. You can replace
       it with anything you wish. As you can see above, I put in "TrinityOS". :)
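The HELP/version test in 7.A-7.B and the confPRIVACY_FLAGS settings above can be turned into a repeatable check. This is an added example, not TrinityOS's own code: audit_live() connects to a server and sends HELP, VRFY, EXPN and a MAIL FROM before any HELO, while evaluate_replies() is the pure check so it also runs offline on the constructed replies in sample_transcript(). The host name, the probe sender address and the reply strings in sample_transcript() are constructed, not captured from a real server.

```python
import re
import socket

MAIL_CMD = "MAIL FROM:<probe@example.invalid>"   # constructed sender, sent before HELO on purpose
COMMANDS = ["HELP", "VRFY root", "EXPN root", MAIL_CMD]
VERSION_RE = re.compile(r"sendmail|\d+\.\d+\.\d+", re.IGNORECASE)  # product name or x.y.z version

def reply_text(reply):
    """Drop the 3-digit code and any enhanced status code ('5.3.0') so a status
    code is never mistaken for a program version."""
    return re.sub(r"^\d{3}[ -](?:\d\.\d+\.\d+\s*)?", "", reply)

def evaluate_replies(greeting, replies):
    """replies maps each COMMANDS entry to the first line of its reply; each
    result is True when the server behaves as the hardened .mc intends."""
    def code(cmd):
        return replies.get(cmd, "")[:3]
    return {
        "greeting_hides_version": not VERSION_RE.search(reply_text(greeting)),
        "help_refused": code("HELP").startswith("5"),
        "help_hides_version": not VERSION_RE.search(reply_text(replies.get("HELP", ""))),
        "vrfy_refused": code("VRFY root") != "250",   # novrfy answers 252 or 5xx
        "expn_refused": code("EXPN root") != "250",   # noexpn answers 502
        "helo_required": code(MAIL_CMD) == "503",     # needmailhelo refuses MAIL before HELO
    }

def read_reply(f):
    """First line of one SMTP reply; 'NNN-' continuation lines are consumed."""
    lines = []
    while not lines or lines[-1][3:4] == "-":
        lines.append(f.readline().decode("ascii", "replace").rstrip("\r\n"))
    return lines[0]

def audit_live(host="localhost", port=25, timeout=5.0):
    """Run the same checks against a real server, e.g. the box just configured."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb", buffering=0)
        greeting, replies = read_reply(f), {}
        for cmd in COMMANDS:
            f.write((cmd + "\r\n").encode("ascii"))
            replies[cmd] = read_reply(f)
        f.write(b"QUIT\r\n")
    return evaluate_replies(greeting, replies)

def sample_transcript():
    """Constructed replies matching the HELP test shown above (not a real capture)."""
    return "220 ESMTP", {
        "HELP": "502 5.3.0 Sendmail TrinityOS -- HELP not implemented",
        "VRFY root": "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery",
        "EXPN root": "502 5.7.0 Sorry, we do not allow this operation",
        MAIL_CMD: "503 5.0.0 Polite people say HELO first",
    }
```

On the constructed transcript every check passes except help_hides_version, which is the leak 7.B describes; audit_live("localhost") returns the same dictionary for the running daemon.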
Errors in the logs:
mail loops back to me (MX problem?)
So say a friend is changing ISPs and he/she needs a remote SMTP email server to queue email for their domain(s) while they are transitioning ISPs, IP addresses, updating the InterNIC, etc. as described in Section 51. Easy enough.. here are the steps to configure your SMTP server to accept email for other domains. Please note that additional DNS changes and some alternate backup DNS server are required to get this running. Those changes are highlighted in Section 51.
To allow Sendmail to accept email for a different domain than your own, you first need to be sure that you enabled the "FEATURE(access_db)" and "FEATURE(relay_mail_from)" options in the trinityos.mc Sendmail script. Then add the remote domains to /etc/mail/access as RELAY entries and rebuild the database:
--/etc/mail/access
# by default we allow relaying from localhost...
localhost.localdomain	RELAY
localhost		RELAY
127.0.0.1		RELAY
some-remote-domain.com	RELAY
yet-another-domain.net	RELAY
--
makemap hash /etc/mail/access < /etc/mail/access
That's it. Everything SHOULD work ok for you.
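The relay permissions from step 5.C (/etc/mail/relay-domains) and the backup-MX /etc/mail/access file above are the two places where one over-broad line turns the box into an open relay, as NOTE #1 warns. This added example, not part of TrinityOS, parses both files and reports every RELAY entry that is not loopback or an RFC 1918 network prefix so the list can be reviewed; the file contents in sample_files() are constructed from the page's examples, not read from a real system, and IPv6 keys are not handled.

```python
import ipaddress

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def _strip_comment(line):
    return line.split("#", 1)[0].strip()

def parse_relay_domains(text):
    """One name or dotted network prefix per line, as in /etc/mail/relay-domains."""
    return [w for w in (_strip_comment(l) for l in text.splitlines()) if w]

def parse_access(text):
    """(key, value) pairs from /etc/mail/access.  A 'Connect:'/'From:'/'To:' tag
    (Sendmail 8.10+) is dropped from the key; IPv6 keys are not handled."""
    pairs = []
    for line in (_strip_comment(l) for l in text.splitlines()):
        if line:
            key, _, value = line.partition("\t" if "\t" in line else " ")
            pairs.append((key.split(":", 1)[-1].strip(), value.strip()))
    return pairs

def classify(key):
    """None when the key is a safe relay source (loopback or an RFC 1918 prefix);
    otherwise a reason string saying why the entry needs review."""
    if key.lower() in LOOPBACK_NAMES:
        return None
    parts = key.split(".")
    if not all(p.isdigit() for p in parts) or len(parts) > 4:
        return "domain-wide RELAY: every host or sender under this name may relay"
    try:  # Sendmail reads a partial dotted quad as a prefix: 192.168.0 = 192.168.0.0/24
        net = ipaddress.ip_network(".".join(parts + ["0"] * (4 - len(parts))) + f"/{8 * len(parts)}")
    except ValueError:
        return "unparseable address key"
    return None if net.is_loopback or net.is_private else f"public address block {net} may relay"

def audit(relay_domains_text, access_text):
    """Findings as (source file, key, reason), in file order."""
    entries = [("relay-domains", k) for k in parse_relay_domains(relay_domains_text)]
    entries += [("access", k) for k, v in parse_access(access_text) if v.upper() == "RELAY"]
    return [(src, k, classify(k)) for src, k in entries if classify(k)]

def sample_files():
    """Constructed copies of the two files shown above (not real configs)."""
    relay_domains = "earthlink.net\n192.168.0\n"
    access = ("# by default we allow relaying from localhost...\n"
              "localhost.localdomain\tRELAY\nlocalhost\tRELAY\n127.0.0.1\tRELAY\n"
              "some-remote-domain.com\tRELAY\nyet-another-domain.net\tRELAY\n"
              "cracker.example\tREJECT\n")
    return relay_domains, access
```

On the sample files the audit flags earthlink.net and the two backup-MX domains for review and accepts 192.168.0 and the loopback entries; run it on the real files with audit(open("/etc/mail/relay-domains").read(), open("/etc/mail/access").read()).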