
Configuring Linux Mail Servers


Page 1: Configuring Linux Mail Servers

Configuring Linux Mail Servers

• Objectives
  – This chapter will show you how to install and use mail servers
• Contents
  – An Overview Of How Sendmail Works
  – Sendmail configuration files
  – Relaying
  – Sendmail Masquerading
  – Using Sendmail to Change the Sender's Email Address
• Practical
  – Setting up a mail server

Page 2: Configuring Linux Mail Servers

Introduction

• MTA (mail transport agents)
  – Transfer mail with the SMTP protocol to other MTAs based on the DNS MX record
  – Popular agents: Sendmail, Exim, Postfix
• MUA (mail user agents)
  – Access users' mailboxes for reading and writing
  – Popular agents: Fetchmail (POP & IMAP), IMAP, Qpopper, Courier IMAPD (POP & IMAP) – server, Cyrus IMAPD (POP & IMAP) – server
• Mailbox processing
  – Various mechanisms to process users' mail when it arrives in the mailboxes
  – Procmail, SpamAssassin, Vacation, Amavisd
• SMTP trusts the user
  – Everyone who is allowed to log in to a computer is trusted to send e-mail
• SMTP needs DNS
  – An MX entry for each domain is needed unless mail is local only
• Sendmail lives in smrsh chroot-jail

Page 3: Configuring Linux Mail Servers

How sendmail works, incoming mail

• How Sendmail Works
  – As stated before, sendmail can handle both incoming and outgoing mail for your domain. Take a closer look
• Incoming Mail
  – Sendmail processes it and deposits it in the mailbox file of the user's Linux account (/var/spool/mail)
  – Mail isn't actually sent directly to the user's PC
  – Users retrieve their mail from the mail server using client software that supports IMAP and POP
  – Linux users logged into the mail server can read their mail directly using a text-based client, such as mail, or a GUI client
• Sendmail belongs to what we call MTAs
  – The MTA is responsible for encapsulating the message with a header and a trailer.
  – The MTA needs the DNS MX record to find the mail server that serves the receiving domain.
  – The header contains the destination e-mail address and the source e-mail address
  – The header also contains the path the e-mail traverses through the network
  – The trailer contains an error correction code

Page 4: Configuring Linux Mail Servers

How sendmail works, outgoing mail

• Outgoing Mail
  – PC and Linux workstation users configure their e-mail software to make the mail server their outbound SMTP mail server, e.g. the user MTA.
• Local mail
  If sendmail considers the e-mail local, it places it directly in the destination user's mailbox (/var/spool/mail) (it can also be any NFS store or database)
  – If the destination is the local domain (my-site.com).
  – A virtual hosted domain on the same server.
  – If the destination is a local user or virtual user on the same host.
• Mail to another domain
  If sendmail considers the e-mail to have a destination outside the local domain, it schedules the mail for delivery within 15 minutes and temporarily places it in /var/spool/mqueue
  – Sendmail uses DNS to get the MX record for the other domain
  – Attempts to relay the mail using SMTP
  – Relaying must be allowed only for trusted domains that sendmail serves
  – Localhost/localdomain must be allowed to relay.

Page 5: Configuring Linux Mail Servers

How sendmail works, mail processing

• Sendmail main configuration /etc/sendmail.cf
  – Uses a series of highly complicated regular expressions
  – The mail header contains mail routing information; sendmail inspects this header and then acts accordingly.
  – Sendmail is highly configurable
• Simplified configuration /etc/sendmail.mc or /etc/mail/linux.mc
  – Contains more understandable instructions for systems administrators to use
  – Interpreted by a number of macro routines to create the sendmail.cf file
  – You must always run the macros and restart sendmail for the changes to take effect
• Available macros sit in /usr/share/sendmail
• Sendmail files are in /etc/mail
  – SuSE and RedHat also use /etc/sysconfig/mail
  – SuSE and RedHat also use /etc/sysconfig/sendmail
• Mail is parsed with sendmail.cf
  – Header parsing
  – Header processing & shaping
  – Header rewrite engine rules
  – Calls to external processors like anti-spam and anti-virus applications
• Sendmail logfiles: /var/log/mail* and /var/log/messages

Page 6: Configuring Linux Mail Servers

How sendmail works, sendmail macros

• Macrofiles
  – Macros are found in /usr/share/sendmail/
  – There are several macrofiles; their names end in .mc or .m4
• Macrofiles have keywords to call submacros/directives
  – They can begin with DOMAIN, FEATURE, or OSTYPE and DNL
  – Keywords are usually followed by a keyword
• Macro example with keyword and hashfile command

    FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl

  – the macro name is /usr/share/sendmail/feature/virtusertable.m4,
  – the instruction `hash -o /etc/mail/virtusertable.db' is being passed to it.
  – hash makes a simple database in db format
  – hash -o means output the generated database to the db file that follows
• Example with only macro

    FEATURE(`masquerade_envelope')dnl

• Use the m4 command to generate /etc/sendmail.cf

    # m4 /etc/mail/linux.mc > /etc/sendmail.cf

Page 7: Configuring Linux Mail Servers

Getting SENDMAIL from rpm

• You can get Sendmail as
  – Open Source http://www.sendmail.org
  – Commercial http://www.sendmail.com
• Installing Sendmail from RPM (SuSE)
  – You will need to make sure that the sendmail and m4 software RPMs are installed.
  – You will need to remove/uninstall other mailers like exim and postfix before installing

    # rpm -ivh sendmail-8.13.3-5.i386.rpm          (The client/server)
    # rpm -ivh sendmail-devel-8.13.3-5.i386.rpm    (Optional)
    # rpm -ivh sendmail-debug-8.13.3-5.i386.rpm    (Optional)
    # rpm -ivh m4-1.4.2-4.i586.rpm                 (macro compiler)
    # rpm -ivh db-devel-4.3.27-3.1.i586.rpm        (Needed if you compile)

• Starting/Stopping Sendmail
  – You can use the chkconfig or insserv command to get Sendmail configured to start at boot:

    # insserv sendmail

  – To start/stop/restart sendmail after booting

    # rcsendmail start
    # rcsendmail stop
    # rcsendmail restart

  – You need to restart sendmail after changing sendmail.cf, and reload sendmail if the other files have been changed

Page 8: Configuring Linux Mail Servers

SENDMAIL from sources

• Get the sendmail tar-ball, here 8.13.5

    # cd /usr/local/src
    # wget ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.5.tar.gz

• Unpack the tar-ball and add one group that sendmail needs

    # tar xvfz sendmail.8.13.5.tar.gz
    # cd sendmail.8.13.5
    # groupadd smmsp

• Read the tar-ball INSTALL and README files
  – If you need extras like TLS you might need compile options
  – Sendmail is very advanced and flexible
• The default build should do in most cases

    # cd sendmail ; sh ./Build

• Copy the current sendmail.mc or linux.mc to sendmail.mc in the cf/cf directory and make a new sendmail.cf with all the new and updated macros.
  – You can also copy generic-linux.mc if you do not have any sendmail.mc

    # cd cf/cf ; cp /etc/mail/linux.mc sendmail.mc
    # sh ./Build sendmail.cf

Page 9: Configuring Linux Mail Servers

SENDMAIL from sources, continued

• Back up the old sendmail configuration and binaries

    # tar cvfz /root/sm-config.tar.gz /etc/mail /etc/sendmail*
    # tar cvfz /root/sm-bin.tar.gz /usr/sbin/sendmail /usr/lib/sendmail

• Install the new configuration

    # sh ./Build install-cf

• Create a new user for sendmail called smmsp and make a softlink for the manuals

    # useradd -m -g smmsp -G mail smmsp; ln -s /usr/share/man /usr/man

• Install the new sendmail binaries and change the owner of clientmqueue

    # cd ../../sendmail
    # sh ./Build install ; cd ..
    # chown smmsp:smmsp /var/spool/clientmqueue

• Sendmail utility directories contain the Build command
  – They contain extra functionality like support for antispam, antivirus, databases etc.

    # find * -type f -maxdepth 1 -name Build

• Make and install example for mailstats

    # cd mailstats ; sh ./Build ; sh ./Build install

• You will also have one output directory for all your makes
  The directories contain the compiled binaries and extras, ready for mass deployment

    # ls obj.Linux*

Page 10: Configuring Linux Mail Servers

Standard sendmail.mc comment & DNS

• If sendmail uses /etc/mail/linux.mc we make some links
  – Needed in SuSE and some other RPM distributions

    # ln -s /etc/sendmail.cf /etc/mail/sendmail.cf
    # ln -s /etc/mail/linux.mc /etc/mail/sendmail.mc

• How to put comments in sendmail.mc
  – The sendmail.mc file doesn't use "#" for commenting, but instead uses the string "dnl".

    dnl Disabled statements due to "dnl" commenting
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
    dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
    dnl Incorrectly disabled statement
    # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
    dnl Active statement, here sendmail client daemon is enabled
    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

• Configuring the DNS for sendmail
  – Make your mail server the mail server for your domain in DNS

    my-site.com. IN MX 10 mail.my-site.com.

    # host my-site.com
    my-site.com mail is handled by 10 mail.my-site.com.

Page 11: Configuring Linux Mail Servers

Sendmail & name resolution

• All hosts that are not the nameserver should have an /etc/resolv.conf file like this:

Server Client

• An incorrectly configured resolv.conf file can lead to errors like this when running m4
• The /etc/hosts file must have a loopback address
  – For a sample mail server:
  – For a sample client:

    domain my-site.com
    nameserver 192.168.0.1

    WARNING: local host name (smallfry) is not qualified; fix $j in config file

    127.0.0.1  mail.my-site.com localhost.localdomain localhost mail

    domain my-site.com
    nameserver 127.0.0.1

    127.0.0.1  client.my-site.com localhost.localdomain localhost client

Page 12: Configuring Linux Mail Servers

How To Configure Linux Sendmail Client

• All Linux mail clients in your home or company need to know which server is the mail server, in /etc/mail/sendmail.mc

    define(`SMART_HOST',`mail.my-site.com')
    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

• If you run SuSE sendmail from RPM, take full control again
  – In /etc/sysconfig/mail change:

    MAIL_CREATE_CONFIG="no"
    SMTPD_LISTEN_REMOTE="yes"

• The smarthost (the mail server) must accept mail from your host/domain
  – In /etc/mail/access:

    my-site.com RELAY

• Converting from a mail client to a mail server
  – Determine which NICs sendmail is running on
  – We can verify that sendmail is running by first using the pgrep command

    # pgrep sendmail
    22131

    # netstat -an | grep :25 | grep tcp
    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN

  – Here sendmail listens on the loopback interface; this is normal because a client does not normally receive email directly

Page 13: Configuring Linux Mail Servers

Convert the sendmail client to server

• Edit sendmail.mc to make sendmail listen on all interfaces

    dnl This changes sendmail to only listen on the loopback device 127.0.0.1
    dnl and not on any other network devices. Comment this out if you want
    dnl to accept email over the network.
    -> dnl DAEMON_OPTIONS(`Port=smtp,Addr=mail.my-site.com, Name=MTA')
    dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
    dnl a kernel patch
    dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
    dnl We strongly recommend to comment this one out if you want to protect
    dnl yourself from spam. However, the laptop and users on computers that do
    dnl not have 24x7 DNS do need this.
    -> dnl FEATURE(`accept_unresolvable_domains')dnl
    dnl FEATURE(`relay_based_on_MX')dnl

Page 14: Configuring Linux Mail Servers

Convert the sendmail client to server

• If you run SuSE sendmail from RPM, take full control again
  – In /etc/sysconfig/mail change:

    MAIL_CREATE_CONFIG="no"
    SMTPD_LISTEN_REMOTE="yes"

  – SuSEconfig will write over your /etc/sendmail.cf
• Comment out the "SMART_HOST" entry in sendmail.mc

    dnl define(`SMART_HOST',`mail.my-site.com')

• Regenerate the sendmail.cf file and restart sendmail
  – This step can be accomplished by running the script we created at the beginning of the chapter.

    # ./smmake

• Now make sure sendmail is listening on all interfaces

    # netstat -an | grep :25 | grep tcp
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
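The "dnl" comment rule and the client-to-server settings from the preceding slides can be checked mechanically before m4 is run. The script below is an added example, not part of the original slides or of sendmail; the names live_text and audit_mc and the sample fragment are made up for illustration, and it assumes no quoted argument contains the word "dnl".

```python
import re

# Constructed sample .mc fragment (not from a real host). It reuses the
# statement forms from the slides: "dnl" comments, a "#" prefix, SMART_HOST.
SAMPLE_MC = """\
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
# FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
define(`SMART_HOST',`mail.my-site.com')
FEATURE(`masquerade_envelope')dnl
"""

# m4 discards everything from the word "dnl" to the end of the line.
# It is case-sensitive and must be a whole word, so "Dnl" and "dnldnl"
# do not count. Assumption: no quoted argument contains the word "dnl".
DNL = re.compile(r"(?<![A-Za-z0-9_])dnl(?![A-Za-z0-9_])")


def live_text(mc_text):
    """Return the .mc text with everything after each "dnl" removed.

    A leading "#" is deliberately left alone: as the comment slide shows,
    it does not disable a statement in sendmail.mc.
    """
    kept = []
    for line in mc_text.splitlines():
        match = DNL.search(line)
        kept.append(line[:match.start()] if match else line)
    return "\n".join(kept)


def audit_mc(mc_text):
    """Summarise the settings that the client-to-server slides change."""
    live = live_text(mc_text)
    # The backtick is optional because some slides write FEATURE(name).
    features = set(re.findall(r"FEATURE\(\s*`?([A-Za-z0-9_]+)", live))
    listen = []
    for arg in re.findall(r"DAEMON_OPTIONS\(\s*`([^']*)'", live):
        pairs = (p.split("=", 1) for p in arg.split(",") if "=" in p)
        opts = {k.strip().lower(): v.strip() for k, v in pairs}
        listen.append(opts.get("addr", "all interfaces"))
    smart = re.search(r"define\(\s*`SMART_HOST'\s*,\s*`([^']*)'", live)
    return {
        # With no active DAEMON_OPTIONS, sendmail listens on all interfaces.
        "listen": listen or ["all interfaces"],
        "accept_unresolvable_domains": "accept_unresolvable_domains" in features,
        "relay_based_on_MX": "relay_based_on_MX" in features,
        "smart_host": smart.group(1) if smart else None,
    }


if __name__ == "__main__":
    for key, value in audit_mc(SAMPLE_MC).items():
        print(f"{key}: {value}")
```

In the sample, the "#" in front of accept_unresolvable_domains leaves that feature enabled, which is the case worth catching on a server exposed to the network.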

Page 15: Configuring Linux Mail Servers

A General Guide To Using The sendmail.mc File

• Primary rule: a nice and clean sendmail.mc with comments
  – Masquerade rewrites all mail from hosts so that it appears to come from the domain
  – FEATURE adds functionality to sendmail

    dnl ***** Customized section 1 start *****
    dnl
    dnl
    FEATURE(delay_checks)dnl
    FEATURE(masquerade_envelope)dnl
    FEATURE(allmasquerade)dnl
    FEATURE(masquerade_entire_domain)dnl
    dnl
    dnl
    dnl ***** Customized section 1 end *****

• After adding some features make a new sendmail.cf, but first make a backup of the old working one:

    # cp sendmail.cf sendmail-v1.cf
    # m4 sendmail.mc > sendmail.cf

Page 16: Configuring Linux Mail Servers

Sendmail feature files

• The /etc/mail/relay-domains file
  – Relay those domains directly

    my-other-site.com
    my-site.com

• The /etc/mail/access file

    localhost.localdomain           RELAY
    localhost                       RELAY
    127.0.0.1                       RELAY
    192.168.1.16                    RELAY
    192.168.1.17                    RELAY
    192.168.2                       RELAY
    my-site.com                     RELAY

  – Keywords include:

    RELAY                           # Allow access + Relay
    REJECT                          # Refuse connection
    OK                              # Allow access
    DISCARD                         # Silently drop email after received
    550 You are not welcome here    # Bounceback messages

• The /etc/mail/local-host-names file
  – Also receive mail for my other site

    my-site.com
    my-other-site.com

  – In DNS we need to enter:

    my-other-site.com. MX 10 mail.my-site.com.

• After changing any sendmail files except the .mc do a

    # cd /etc/mail ; newaliases ; make
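Because every RELAY row in /etc/mail/access widens who may send mail through the server, the file is worth auditing after each edit. The script below is an added example, not part of the original slides or of sendmail; the function names, the sample rows "com" and "203.0", and the policy that only loopback and RFC 1918 networks count as internal are assumptions made for illustration, and it handles IPv4 and domain keys only.

```python
import ipaddress

# Constructed sample in the layout of the slide's /etc/mail/access box.
# The "com" and "203.0" rows are added here as deliberately risky entries.
SAMPLE_ACCESS = """\
# constructed example
localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
192.168.1.16                    RELAY
192.168.2                       RELAY
my-site.com                     RELAY
com                             RELAY
203.0                           RELAY
spammer.example                 REJECT
bad.example                     550 You are not welcome here
"""

# Assumption of this example: only loopback and RFC 1918 space is internal.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_access(text):
    """Yield (key, action) pairs; the action keeps any message text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].strip()


def prefix_to_network(key):
    """Turn an octet-boundary prefix such as '192.168.2' into
    192.168.2.0/24. Returns None when the key is not an IPv4 prefix."""
    octets = key.split(".")
    if not 1 <= len(octets) <= 4:
        return None
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + "/" + str(8 * len(octets)))


def risky_relays(text, own_domains):
    """Return (key, reason) for RELAY rows wider than the stated policy."""
    findings = []
    for key, action in parse_access(text):
        if action.upper() != "RELAY":
            continue
        host = key.split(":", 1)[-1].lower()  # drop a tag such as "Connect:"
        net = prefix_to_network(host)
        if net is not None:
            if not any(net.subnet_of(inner) for inner in INTERNAL):
                findings.append((key, "relays for non-internal network %s" % net))
        elif host in LOCAL_NAMES:
            continue
        elif "." not in host:
            findings.append((key, "single-label key covers every domain beneath it"))
        elif not any(host == d or host.endswith("." + d) for d in own_domains):
            findings.append((key, "domain is not one of the site's own"))
    return findings


if __name__ == "__main__":
    for key, reason in risky_relays(SAMPLE_ACCESS, ["my-site.com"]):
        print(f"{key}: {reason}")
```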

Page 17: Configuring Linux Mail Servers

Which User Should Really Receive The Mail?

• The /etc/mail/virtusertable file

    [email protected]   [email protected]            [email protected]             [email protected]@my-site.com              [email protected]           [email protected]                  error:nouser User unknown

  – The string @my-site.com actually rejects all non-local emails with an error message
• The /etc/aliases file

    . . .
    manager:        root
    abuse:          root
    # trap decode to catch security attacks
    decode:         root
    # Person who should get root's mail
    root:           marc,kalle,[email protected]
    # My mailing list file
    admin-list:     ":include:/home/mailings/admin-list"

• Always run the command newaliases after working with aliases

    # cd /etc/mail ; newaliases ; make

Page 18: Configuring Linux Mail Servers

Mail-aliases "/etc/aliases" explanations

• Mail to "[email protected]" goes to users "peter", "paul" and "mary".

    # Directors of my SOHO company
    directors: peter,paul,mary

• Mail sent to "[email protected]" goes to users "grandma", "brother" and "sister"

    # My family
    family: grandma,brother,sister

• Mail sent to "[email protected]" gets sent to all the users listed in the file /home/mailings/admin-list.

    # My mailing list file
    admin-list: ":include:/home/mailings/admin-list"

• Mail sent to [email protected] goes to peter

    # [email protected] become same as [email protected]: peter

Page 19: Configuring Linux Mail Servers

Sendmail ".mc" Masquerading Explained

• The MASQUERADE_AS directive makes all mail originating on mail appear to come from a server within the domain my-site.com by rewriting the email header.
• The MASQUERADE_DOMAIN directive makes mail relayed via mail from all machines in the another-site.com and localdomain domains appear to come from the MASQUERADE_AS domain of my-site.com. Using DNS, sendmail checks the domain name associated with the IP address of the mail relay client sending the mail to help it determine whether it should do masquerading or not.
• FEATURE masquerade_entire_domain makes sendmail masquerade servers named *my-site.com, and *another-site.com as my-site.com. In other words, mail from sales.my-site.com would be masqueraded as my-site.com. If this wasn't selected, then only servers named my-site.com and my-othersite.com would be masqueraded. Use this with caution when you are sure you have the necessary authority to do this.
• FEATURE allmasquerade makes sendmail rewrite both recipient addresses and sender addresses relative to the local machine. If you cc: yourself on an outgoing mail, the other recipient sees a cc: to an address he knows instead of one on localhost.localdomain.
• FEATURE always_add_domain always masquerades email addresses, even if the mail is sent from a user on the mail server to another user on the same mail server.
• FEATURE masquerade_envelope rewrites the email envelope just as MASQUERADE_AS rewrote the header.

Page 20: Configuring Linux Mail Servers

Sendmail Masquerading example

• If you want your mail to appear to come from
  – [email protected] and not [email protected] or [email protected]

  In that case you can:

  a) Configure your email client, such as Outlook Express, to set your email address to [email protected]

  b) Set up masquerading to modify the domain name of all traffic originating from and passing through your mail server

• Configuring masquerading
  – This can be solved by editing your sendmail.mc configuration file and adding some masquerading commands:

    FEATURE(`always_add_domain')dnl
    FEATURE(`masquerade_entire_domain')dnl
    FEATURE(`masquerade_envelope')dnl
    FEATURE(`allmasquerade')dnl
    MASQUERADE_AS(`my-site.com')dnl
    MASQUERADE_DOMAIN(`my-site.com.')dnl
    MASQUERADE_DOMAIN(`localhost')dnl
    MASQUERADE_DOMAIN(`localhost.localdomain')dnl

Page 21: Configuring Linux Mail Servers

Testing Sendmail Masquerading

• Testing masquerading
  – You should also tail the /var/log/mail* files to verify that the masquerading is operating

    # mail -v username

  – Verify the receiver of the email

    # sendmail -bv username@domain

• Logfiles
    /var/log/mail
    /var/log/mail.info
    /var/log/mail.warn
    /var/log/mail.err
    /var/log/messages
• Other masquerading notes
  – By default, user "root" will not be masqueraded. This is achieved with the:

    EXPOSED_USER(`root')dnl

  – in /etc/mail/sendmail.mc

Page 22: Configuring Linux Mail Servers

Using Sendmail to Change the Sender's Email Address

• Add these statements to your /etc/mail/sendmail.mc
  – In order to rewrite the origin address of emails, you need some features:

    FEATURE(`genericstable',`hash -o /etc/mail/genericstable.db')dnl
    GENERICS_DOMAIN_FILE(`/etc/mail/generics-domains')dnl

• Create a /etc/mail/generics-domains
  – Same file as local-host-names

    my-site.com
    my-other-site.com
    mail.my-site.com

  – Make sure the file includes your server's canonical domain name, which you can obtain using the command:

    sendmail -bt -d0.1 </dev/null

  – Remember to do the make after changing your sendmail files
• Create your /etc/mail/genericstable
  – Mail sent from alert, peter, anton will have a new source address

    #linux-username   new source address: user@domain
    alert          [email protected]          [email protected] [email protected]

Page 23: Configuring Linux Mail Servers

Sendmail and virtualusers

• At slide 17 we created your /etc/mail/virtusertable
  – /etc/aliases can also be used, although virtusertable is more flexible
• We need to add the virtual domains last in the file /etc/sendmail.cf
  – For receiving email for virtual domains

    CGmy-site.com
    CGmy-other-site.com

• Every time you run the m4 command you will have to put back your virtual domains
• sendmail.cf is a long, complicated file; sometimes you will need to add and change things inside this file.

Page 24: Configuring Linux Mail Servers

Troubleshooting Sendmail 1

• Testing TCP connectivity
  – sendmail uses SMTP TCP port 25

  Server
  The server can listen on all interfaces 0.0.0.0 or a delegated interface like 192.168.1.1

    # netstat -an | grep :25 | grep tcp
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN

  Client
  Always listens on 127.0.0.1

    # netstat -an | grep :25 | grep tcp
    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN

• Telnet to the mail server on port 25. You should get a response with a 220 status code:
  – Communication with sendmail is reminiscent of radio communication

    # telnet mail.my-site.com 25
    Trying mail.my-site.com...
    Connected to mail.my-site.com.
    Escape character is '^]'.
    220 mail.my-site.com ESMTP server ready

Page 25: Configuring Linux Mail Servers

Troubleshooting Sendmail 2

• Use the hello command to tell the mail server the domain you belong to:

    HELO my-other-site.com
    250 mail.my-site.com Hello mail.my-site.com [192.168.3.5], pleased to meet you

• You should receive a message with a successful status 250 code at the beginning of the response.
• Inform the mail server from which address the test message is coming with the MAIL FROM: statement:

    MAIL FROM:[email protected]
    250 2.1.0 [email protected]... Sender ok

• Tell the mail server to whom the test message is going with the "RCPT TO:" statement:

    RCPT TO:[email protected]
    250 2.1.0 [email protected]... Sender ok

Page 26: Configuring Linux Mail Servers

Troubleshooting Sendmail 3

• Prepare the mail server to receive data with the DATA statement:

    DATA
    354 Enter mail, end with "." on a line by itself

• Type the string "subject:" then type a subject. Type in your text message, ending it with a single period on the last line. For example:

    Subject: Test Message
    Testing sendmail interactively.
    .
    250 2.0.0 iA75r9si017840 Message accepted for delivery

• Use the QUIT command to end the session:

    QUIT
    221 2.0.0 mail.my-site.com closing connection
    Connection closed by foreign host.

Page 27: Configuring Linux Mail Servers

Common Errors Due To Incomplete Installation

• Sample errors when running newaliases:

    # newaliases
    Warning: .cf file is out of date: sendmail 8.13.3 supports version 10, .cf file is version 0
    No local mailer defined
    QueueDirectory (Q) option must be set

• Sample errors when processing the sendmail.mc file:

    # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
    /etc/mail/sendmail.mc:8: m4: Cannot open /usr/share/sendmail-cf/m4/cf.m4: No such file or directory

• Sample errors when restarting sendmail:

    # rcsendmail restart
    Shutting down sendmail: [ OK ]
    Shutting down sm-client: [FAILED]
    Starting sendmail: 554 5.0.0 No local mailer defined
    554 5.0.0 QueueDirectory (Q) option must be set
    [FAILED]
    Starting sm-client: [ OK ]

Page 28: Configuring Linux Mail Servers

Incorrectly Configured /etc/hosts Files

• By default, Linux inserts the hostname of the server between the 127.0.0.1 and the localhost entries in /etc/hosts like this:

    127.0.0.1 mail localhost.localdomain localhost

  – Sendmail will think that the server's FQDN is mail
  – It will then default to sending e-mails in which the domain is localhost.localdomain.
• The /etc/hosts file is also important for configuring mail relay

    127.0.0.1 my-site.com localhost.localdomain localhost

  – Here sendmail thinks that the server's FQDN is my-site and that the domain is all of .com.
  – The server would therefore be open to relay all mail from any .com domain and would ignore the security features of the access and relay-domains files
• The correct loopback entry should look like:

    127.0.0.1  mail.my-site.com localhost.localdomain localhost mail
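The three loopback cases on this slide can be told apart automatically, which is useful as a pre-flight check before regenerating sendmail.cf. The script below is an added example, not part of the original slides or of sendmail; the function names and status strings are made up for illustration, and it follows the slide's model that the first name on the 127.0.0.1 line is what sendmail takes as the host name.

```python
# Constructed inputs: the three loopback lines shown on the slide,
# plus a stock line on which the host name is not listed at all.
SAMPLES = {
    "short name":  "127.0.0.1 mail localhost.localdomain localhost\n",
    "bare domain": "127.0.0.1 my-site.com localhost.localdomain localhost\n",
    "correct":     "127.0.0.1  mail.my-site.com localhost.localdomain localhost mail\n",
    "stock":       "# default file\n127.0.0.1 localhost.localdomain localhost\n",
}


def loopback_names(hosts_text):
    """Return the names on the first 127.0.0.1 line of an /etc/hosts file."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if fields and fields[0] == "127.0.0.1":
            return fields[1:]
    return []


def classify_loopback(hosts_text):
    """Return (status, host, domain) for the first name on the loopback line.

    status is one of:
      "ok"                  fully qualified, e.g. mail.my-site.com
      "unqualified"         no domain part, e.g. mail
      "domain-too-broad"    the domain part is a single label, e.g. com,
                            the case the slide ties to open relaying
      "hostname-not-listed" the line starts with localhost
      "no-loopback-entry"   there is no 127.0.0.1 line
    Limitation: a two-label public suffix such as co.uk passes as "ok".
    """
    names = loopback_names(hosts_text)
    if not names:
        return ("no-loopback-entry", None, None)
    first = names[0].rstrip(".").lower()
    if first in ("localhost", "localhost.localdomain"):
        return ("hostname-not-listed", None, None)
    host, _, domain = first.partition(".")
    if not domain:
        return ("unqualified", host, None)
    if "." not in domain:
        return ("domain-too-broad", host, domain)
    return ("ok", host, domain)


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, "->", classify_loopback(text))
```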

Page 29: Configuring Linux Mail Servers

Incorrect name resolution hosts file ?

• Use the sendmail program to send a sample e-mail to someone in verbose mode:
  – Look in /var/log/mail
  – Also look in /var/log/mail.err
  – Of course /var/log/messages

    # sendmail -v [email protected]
    test text
    test text
    .

    [email protected]... Connecting to mail.another-site.com. via esmtp...
    220 ltmail.another-site.com LiteMail v3.02(BFLITEMAIL4A); Sat, 21 Feb 2006 20:18:44 +0100
    >>> EHLO localhost.localdomain
    250-mx.another-site.com Hello [67.120.221.106], pleased to meet you
    250 HELP
    >>> MAIL From:<[email protected]>
    250 <[email protected]>... Sender Ok
    >>> RCPT To:<[email protected]>
    250 <[email protected]>... Recipient Ok
    >>> DATA
    354 Enter mail, end with "." on a line by itself
    >>> .
    250 Message accepted for delivery
    [email protected]... Sent (Message accepted for delivery)
    Closing connection to mail.another-site.com.
    >>> QUIT

Page 30: Configuring Linux Mail Servers

Fighting SPAM, add features to sendmail.mc

• RFC-Ignorant valid IP address checker.

    FEATURE(`dnsbl', `ipwhois.rfc-ignorant.org',`"550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/"')

• Easynet open proxy list.

    FEATURE(`dnsbl', `proxies.blackholes.easynet.nl', `"550 5.7.1 ACCESS DENIED to OPEN PROXY SERVER "$&{client_name}" by easynet.nl DNSBL  (http://proxies.blackholes.easynet.nl/errors.html)"', `')dnl

• The Open Relay Database open mail relay list.

    FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected due to sending server misconfiguration - see http://www.ordb.org/faq/\#why_rejected"')dnl

• Spamcop spammer blacklist.

    FEATURE(`dnsbl', `bl.spamcop.net', `"450 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')

• Spamhaus spammer blacklist.

    FEATURE(`dnsbl',`sbl.spamhaus.org',`Rejected - see http://spamhaus.org/')dnl