
Sendmail and SMTP Authenticated Relay

This document describes how to configure an SMTP server on Fedora Core 4 so that it can be used from anywhere without opening the relay to the public, which would expose you to being blacklisted or listed in databases such as ORBS. DRAC and SMTP AUTH are two different approaches that address this.

The purpose of this document is to explain the installation and configuration of sendmail with relaying for roaming users, i.e. relaying based on authentication. With SMTP AUTH, a client may indicate an authentication mechanism to the server, perform an authentication protocol exchange, and optionally negotiate a security layer for subsequent protocol interactions. This extension is a profile of the Cyrus Simple Authentication and Security Layer [SASL].

Platform: Fedora Core 4, Sendmail 8.13.5

Installation of sendmail with SASL support

a) Download sendmail source package from:

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.5.tar.gz

Download it into the /usr/local/src directory.

b) tar -zxvf sendmail.8.13.5.tar.gz
c) cd sendmail-8.13.5
d) cd devtools/Site
e) joe site.config.m4
f) Add the following lines to it:
APPENDDEF(`confENVDEF', `-DSASL')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl')

g) cd /usr/local/src/sendmail-8.13.5/cf/cf
h) create a file called linux.mc with exactly the following lines:

OSTYPE(`linux')dnl
define(`confCONNECTION_RATE_THROTTLE',40)dnl
define(`confMAX_HOP',30)dnl
define(`confMAX_MESSAGE_SIZE',10000000)dnl
define(`confPRIVACY_FLAGS',`authwarnings,needmailhelo')dnl
define(`confQUEUE_LA',5)dnl
define(`confREFUSE_LA',10)dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTO_IDENT',0s)dnl
define(`confTO_QUEUEWARN', `12h')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`STATUS_FILE',`/etc/mail/sendmail.st')dnl
define(`ALIAS_FILE',`/etc/mail/aliases')dnl
FEATURE(`local_procmail', `/usr/bin/procmail')dnl
FEATURE(`always_add_domain')dnl
define(`confCW_FILE',`/etc/mail/local-host-names')dnl
FEATURE(`smrsh')dnl
define(`confEBINDIR',`/usr/lib/libexec')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`redirect')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl
FEATURE(`access_db')dnl
FEATURE(`blacklist_recipients')dnl
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 PLAIN LOGIN PAM')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 PLAIN LOGIN PAM')dnl
MAILER(`smtp')dnl

i) run:
m4 ../m4/cf.m4 linux.mc > sendmail.cf
j) cp sendmail.cf /etc/mail
(if /etc/mail does not exist, create it first and then copy)
k) cd /usr/local/src/sendmail-8.13.5/
l) groupadd smmsp; useradd -g smmsp smmsp
m) sh Build
n) sh Build install
o) create a file called /etc/rc.d/init.d/sendmail with the following lines (the standard Red Hat startup script):

#!/bin/sh
#
# This shell script takes care of starting and stopping sendmail.
#
# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.
# processname: sendmail
# config: /etc/sendmail.cf
# pidfile: /var/run/sendmail.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Source sendmail configuration.
if [ -f /etc/sysconfig/sendmail ] ; then
    . /etc/sysconfig/sendmail
else
    DAEMON=yes
    QUEUE=1h
fi

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/sbin/sendmail ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting sendmail: "
        /usr/bin/newaliases > /dev/null 2>&1
        # Rebuild the hash maps for every map file that exists.
        for i in virtusertable access domaintable mailertable ; do
            if [ -f /etc/mail/$i ] ; then
                makemap hash /etc/mail/$i < /etc/mail/$i
            fi
        done
        daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
                                  $([ -n "$QUEUE" ] && echo -q$QUEUE)
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down sendmail: "
        killproc sendmail
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  status)
        status sendmail
        RETVAL=$?
        ;;
  *)
        echo "Usage: sendmail {start|stop|restart|status}"
        exit 1
esac

exit $RETVAL

********* End of start/stop sendmail script ************

0) use /etc/rc.d/init.d/sendmail start/stop to start/stop sendmail
p) cd /etc/mail
q) touch local-host-names access domaintable mailertable virtusertable
r) if it does not exist, create the directory /var/spool/mqueue
Sendmail installation is complete.

Authentication with PAM

Edit /usr/lib/sasl/Sendmail.conf. Add the following line to it:
pwcheck_method: PAM

Create /etc/pam.d/smtp with the following lines:

#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so

Test the setup by relaying mail through this server from a client such as Outlook Express.
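As an added check before reaching for a mail client (example code, not from the original post): this Python script uses the standard smtplib to confirm that the server refuses an outside recipient before AUTH and accepts it afterwards. The host, account and addresses are assumed placeholders, and SAMPLE_EHLO is a constructed EHLO reply modelled on the mechanisms set in linux.mc above.

```python
import base64
import smtplib

# Constructed EHLO reply in the form smtplib stores in ehlo_resp, modelled on
# the confAUTH_MECHANISMS line above (not captured from a real server).
SAMPLE_EHLO = (b"mail.example.com Hello [192.0.2.10], pleased to meet you\n"
               b"ENHANCEDSTATUSCODES\nPIPELINING\n8BITMIME\nSIZE 10000000\n"
               b"AUTH GSSAPI DIGEST-MD5 PLAIN LOGIN\nDELIVERBY\nHELP")


def parse_auth_mechs(ehlo_reply):
    """Return the set of SASL mechanisms advertised by the AUTH extension."""
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        parts = line.split()
        if parts and parts[0].upper() == "AUTH":
            return {m.upper() for m in parts[1:]}
    return set()


def plain_response(user, password):
    """AUTH PLAIN initial response as it goes on the wire: base64 of
    NUL user NUL password, which is why PLAIN/LOGIN belong behind STARTTLS."""
    return base64.b64encode(("\0%s\0%s" % (user, password)).encode()).decode("ascii")


def check_relay(host, user, password, sender, outside_rcpt, port=25):
    """Return (mechs, anon_code, auth_code): mechanisms offered, the RCPT TO
    reply code for an outside recipient before AUTH (expect 5xx, 'Relaying
    denied') and after AUTH (expect 250). Needs a reachable server."""
    with smtplib.SMTP(host, port, timeout=20) as s:
        s.ehlo()
        mechs = parse_auth_mechs(s.ehlo_resp)
        if s.has_extn("starttls"):      # keep PLAIN/LOGIN off the clear wire
            s.starttls()
            s.ehlo()
        s.mail(sender)
        anon_code, _ = s.rcpt(outside_rcpt)
        s.rset()
        s.login(user, password)          # raises SMTPAuthenticationError on failure
        s.mail(sender)
        auth_code, _ = s.rcpt(outside_rcpt)
        s.rset()                         # nothing is actually sent
    return mechs, anon_code, auth_code


if __name__ == "__main__":
    # Placeholder values; replace with your server and a test account.
    mechs, anon, auth = check_relay("mail.example.com", "ram", "secret",
                                    "ram@example.com", "someone@example.org")
    print("AUTH mechanisms:", sorted(mechs))
    print("RCPT before AUTH:", anon, "(want 5xx)  after AUTH:", auth, "(want 250)")
```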

Sendmail configuration for domains with wild card DNS entry

Problem


My SMTP server, sendmail 8.13.4, is trying to add the domain name to
the recipient’s email address when it is not able to find the domain
name.

Here, for example:

**********************************************
** THIS IS A WARNING MESSAGE ONLY **
** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
**********************************************

The original message was received at Mon, 8 Aug 2005 06:47:30 -0700
from superman [202.163.211.54]

----- Transcript of session follows -----
<endu...@anotherdomain.com>... Deferred: Connection timed out with
anotherdomain.com.mydomain.com.
Warning: message still undelivered after 12 hours
Will keep trying until message is 5 days old

[r…@mydomain.com cf]# sendmail -bt -C /etc/mail/sendmail.cf
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> /try smtp s…@thisdomainnotexistatall.com

Trying envelope recipient address s…@thisdomainnotexistatall.com for
mailer smtp
canonify input: super @ thisdomainnotexistatall . com
Canonify2 input: super < @ thisdomainnotexistatall . com >
Canonify2 returns: super < @ thisdomainnotexistatall . com . mydomain . com . >
canonify returns: super < @ thisdomainnotexistatall . com . mydomain . com . >
2 input: super < @ thisdomainnotexistatall . com . mydomain . com . >
2 returns: super < @ thisdomainnotexistatall . com . mydomain . com . >
EnvToSMTP input: super < @ thisdomainnotexistatall . com . mydomain . com . >
PseudoToReal input: super < @ thisdomainnotexistatall . com . mydomain . com . >
PseudoToReal returns: super < @ thisdomainnotexistatall . com . mydomain . com . >
MasqSMTP input: super < @ thisdomainnotexistatall . com . mydomain . com . >
MasqSMTP returns: super < @ thisdomainnotexistatall . com . mydomain . com . >
EnvToSMTP returns: super < @ thisdomainnotexistatall . com . mydomain . com . >
final input: super < @ thisdomainnotexistatall . com . mydomain . com . >
final returns: super @ thisdomainnotexistatall . com . mydomain . com

Now, where did anotherdomain.com.mydomain.com come from? Also, why is it adding mydomain.com?

Solution

This is most likely because the domain mydomain.com has a wildcard DNS entry (*.mydomain.com): when the resolver appends the search domain to a name it could not resolve directly, the wildcard answers for the result, and sendmail treats that as the canonical name. So edit the ResolverOptions line in /etc/mail/sendmail.cf to the following:

O ResolverOptions=+AAONLY -DNSRCH HasWildcardMX

From the sendmail Installation and Operation Guide:

The ResolverOptions (I) option allows you to tweak name server options. The command line takes a series of flags as documented in resolver(3) (with the leading RES_ deleted). Each can be preceded by an optional `+' or `-'. For example, the line

O ResolverOptions=+AAONLY -DNSRCH

turns on the AAONLY (accept authoritative answers only) and turns off the DNSRCH (search the domain path) options. Most resolver libraries default DNSRCH, DEFNAMES, and RECURSE flags on and all others off. You can also include HasWildcardMX to specify that there is a wildcard MX record matching your domain; this turns off MX matching when canonifying names, which can lead to inappropriate canonifications.
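To show how the resolver search path and the wildcard combine into names like thisdomainnotexistatall.com.mydomain.com, here is an added Python model (not sendmail code and not part of the original post) that mimics the resolver against a constructed DNS table. It covers only the -DNSRCH half of the fix; HasWildcardMX concerns MX matching, which the model leaves out.

```python
# Constructed stand-in for DNS, added to illustrate the canonification above.
# mydomain.com carries a wildcard record, so every name under it answers;
# example.net resolves normally; the "notexist" domain has no record at all.
FAKE_DNS = {"mydomain.com": "192.0.2.1", "example.net": "198.51.100.7"}
WILDCARD_ZONES = {"mydomain.com"}


def lookup(name):
    """Mimic a resolver: exact answer, else a wildcard answer for any name
    under a wildcard zone, else None (NXDOMAIN)."""
    name = name.rstrip(".")
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    for zone in WILDCARD_ZONES:
        if name.endswith("." + zone):
            return FAKE_DNS[zone]
    return None


def canonify_host(host, search_list, dnsrch=True):
    """Return the name sendmail's canonify ruleset would settle on (with a
    trailing dot once resolved, as in the -bt transcript above).

    Simplified model of res_search(3): the bare name is tried first; with
    DNSRCH on, each suffix of the resolver search list is then appended and
    tried. A wildcard zone on that search list answers for anything, which
    is how a non-existent domain turns into name.com.mydomain.com."""
    candidates = [host]
    if dnsrch:
        candidates += ["%s.%s" % (host, suffix) for suffix in search_list]
    for candidate in candidates:
        if lookup(candidate) is not None:
            return candidate + "."
    return host  # nothing resolved: leave the address as typed


if __name__ == "__main__":
    for dnsrch in (True, False):
        flag = "+DNSRCH" if dnsrch else "-DNSRCH"
        for h in ("thisdomainnotexistatall.com", "example.net"):
            print("%s: %s -> %s" % (flag, h, canonify_host(h, ["mydomain.com"], dnsrch)))
```

Against live DNS the same diagnosis is a lookup of an unlikely label under your own domain: if it answers, the zone is wildcarded and search-path expansion will match anything.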

Installing Spamassassin for filtering Spam

Note: This document is only for per-user configuration of spamassassin

Configuration: RedHat Linux 7.2, Sendmail 8.12.6, procmail 3.21, SpamAssassin 2.43 (and you will have to be connected to the internet)

Installing the prerequisites:
SpamAssassin depends on a number of other Perl modules. The complete SpamAssassin package along with its dependent modules can be installed using CPAN:
as root:
# perl -MCPAN -e shell
install Mail::SpamAssassin
quit

If CPAN has been configured properly, this should be a successful install. SpamAssassin is now installed as /usr/bin/spamassassin.

We will use procmail to filter messages. Because of sendmail's restricted shell, smrsh, which only runs programs linked from /usr/adm/sm.bin, we have to create a symlink to procmail in that directory:
# cd /usr/adm/sm.bin
# ln -s /usr/bin/procmail ./procmail
(sendmail executes a program named in a .forward only when it is symlinked from /usr/adm/sm.bin)

Configuring SpamAssassin ( for user, say, ram)
1) Make sure that the directory above your home (/home) and your home directory (/home/ram) are not group-writable.
2) Create a file in your home directory, ~ram/.forward, and add the following to it:
"|/usr/bin/procmail -f- #ram"

3) This ~ram/.forward file should have permission 700.
4) create a file called spams in your home directory
5) create file, ~ram/.procmailrc with the following content:
:0fw
| /usr/bin/spamassassin
:0
* ^^rom[ ]
{
LOG="*** Dropped F off From_ header! Fixing up. "

:0 fhw
| sed -e '1s/^/F/'
}

(Here the first recipe pipes every incoming message through SpamAssassin, which adds the X-Spam-* headers to it; the second recipe, with its nested sed rule, is a workaround for a bug in procmail 3.21 that drops the leading F of the From_ line. The recipe that moves mail marked as spam to the spams file is added in step 7.)

6) Send a test mail to yourself. You should now see the following in the mail headers:
X-Spam-Status: No, hits=2.6 required=5.0
tests=FROM_AND_TO_SAME_1,NO_REAL_NAME,SPAM_PHRASE_00_01
version=2.43
X-Spam-Level: **
X-UIDL: 5,@!!fXk!!`Cm”!6?l”!M

7) You can now configure your mail client to check the headers for X-Spam-Status: Yes and file those messages in a separate folder, or have procmail do it by adding the following as your second recipe (directly after the spamassassin recipe):
:0:
* ^X-Spam-Status: Yes
spams