Sendmail SMTP AUTH Howto 

http://www.linuxquestions.org/questions/showthread.php?s=&postid=1144343#post1144343

This Howto is meant to help demystify sendmail and get it to do some really cool stuff, in particular SMTP AUTH. Although this is meant to be Slackware specific, 95% of the stuff will work on any distro. This howto has been broken up into 4 main parts for ease of reading: Introduction, Compilation & Installation, Client-side SMTP AUTH and Server-side SMTP AUTH.

Introduction 

In case you have no idea what SMTP AUTH is good for, basically it allows you to provide relaying to people outside your trusted network by authenticating them in a secure manner. This is in contrast to an "open relay", which will allow anybody, anywhere to use your server to email whomever they want. As you can imagine, an open relay is a spammer's dream, as they are using YOUR precious resources to spam ten million people with your IP as the source... a very, very bad thing!

As with most internet services we must break them down into two categories: client and server. Client-side SMTP AUTH is useful when your ISP's mail server requires you to authenticate yourself in order to relay through it using SMART_HOST; if you are on DSL you probably know what I'm talking about. Now this begs the question "why bother using the ISP's mail server when I'm setting up my own?" Good question; here is the answer. If you are like me and you run your own sendmail server on a residential (usually dynamic) IP, chances are 80% of your mail is going to be either bounced or outright dropped due to SPAM filters running on most enterprise SMTP servers. Fortunately there is a way around this: tell sendmail to relay all its outgoing mail to your ISP's SMTP server and have them send the mail on your behalf via SMART_HOST.

Server-side SMTP AUTH is exactly what the ISP's mail server is doing in the client-side example. It allows you to give relay access to only those that you specify, usually users listed in your /etc/passwd file. Unfortunately many email clients (Outlook and Outlook Express are especially notorious) will send the SMTP AUTH password in plain text, which is a bad thing. This is where the STARTTLS command comes into play. It will encrypt the password end to end by use of SSL, so that if anybody were to sniff packets on our network they would only see garbage.

Check 

Let's test sendmail to make sure everything we wanted was really compiled in:

/usr/sbin/sendmail -d0.1 -bv root

In the *Compiled With* line make sure you see *STARTTLS* and *SASLv2*. If you do, go ahead and CTRL+C out, if you don't see both please re-read this howto more carefully and recompile Sendmail and/or Cyrus SASLv2.

Client-Side SMTP AUTH + SMART_HOST 

As mentioned earlier, client-side SMTP AUTH allows us to authenticate in order to relay all outgoing mail to our ISP's sendmail server and have them send the mail on our behalf via SMART_HOST. Note that you can have SMART_HOST work just fine without SMTP AUTH if your ISP's SMTP server doesn't require authentication.

Now that we have a working version of sendmail which supports SMTP AUTH, open up the /usr/share/sendmail/cf/cf/sendmail-slackware.mc file with your favorite editor and let's make some changes!

Below I have copy and pasted my sendmail-slackware.mc file and I have highlighted the parts I changed in green, parts I added in red and parts that are specific to your system in blue. Please read through this carefully and make sure you make all the necessary changes and additions.

[...]

Quick HOWTO : Ch21 : Configuring Linux Mail Servers 

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch21_:_Configuring_Linux_Mail_Servers

Configuring Sendmail 

How Sendmail Works 

As stated before, sendmail can handle both incoming and outgoing mail for your domain. Take a closer look.

Incoming Mail 

Usually each user in your home has a regular Linux account on your mail server. Mail sent to each of these users (username@my-site.com) eventually arrives at your mail server and sendmail then processes it and deposits it in the mailbox file of the user's Linux account.

Mail isn't actually sent directly to the user's PC. Users retrieve their mail from the mail server using client software, such as Microsoft's Outlook or Outlook Express, that supports either the POP or IMAP mail retrieval protocols.

Linux users logged into the mail server can read their mail directly using a text-based client, such as mail, or a GUI client, such as Evolution. Linux workstation users can use the same programs to access their mail remotely.

Outgoing Mail 

The process is different when sending mail via the mail server. PC and Linux workstation users configure their e-mail software to make the mail server their outbound SMTP mail server.

If the mail is destined for a local user in the mysite.com domain, then sendmail places the message in that person's mailbox so that they can retrieve it using one of the methods above.

If the mail is being sent to another domain, sendmail first uses DNS to get the MX record for the other domain. It then attempts to relay the mail to the appropriate destination mail server using the Simple Mail Transport Protocol (SMTP). One of the main advantages of mail relaying is that when a PC user A sends mail to user B on the Internet, the PC of user A can delegate the SMTP processing to the mail server.

Note: If mail relaying is not configured properly, then your mail server could be commandeered to relay spam. Simple sendmail security will be covered later.

Sendmail Macros 

When mail passes through a sendmail server the mail routing information in its header is analyzed, and sometimes modified, according to the desires of the systems administrator. Using a series of highly complicated regular expressions listed in the /etc/mail/sendmail.cf file, sendmail inspects this header and then acts accordingly.

In recognition of the complexity of the /etc/mail/sendmail.cf file, a much simpler file named /etc/sendmail.mc was created, and it contains more understandable instructions for systems administrators to use. These are then interpreted by a number of macro routines to create the sendmail.cf file. After editing sendmail.mc, you must always run the macros and restart sendmail for the changes to take effect.

Each sendmail.mc directive starts with a keyword, such as DOMAIN, FEATURE, or OSTYPE, followed by a subdirective and in some cases arguments. A typical example is:

FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl

The keywords usually define a subdirectory of /usr/share/sendmail-cf in which the macro may be found and the subdirective is usually the name of the macro file itself. So in the example, the macro name is /usr/share/sendmail-cf/feature/virtusertable.m4, and the instruction `hash -o /etc/mail/virtusertable.db' is being passed to it.

Notice that sendmail is sensitive to the quotation marks used in the m4 macro directives. They open with a grave mark and end with a single quote.

FEATURE(`masquerade_envelope')dnl

Some keywords, such as define for the definition of certain sendmail variables and MASQUERADE_DOMAIN, have no corresponding directories with matching macro files. The macros in the /usr/share/sendmail-cf/m4 directory deal with these.

Once you finish editing the sendmail.mc file, you can then execute the make command while in the /etc/mail directory to regenerate the new sendmail.cf file.

[root@bigboy tmp]# cd /etc/mail
[root@bigboy mail]# make

If there have been no changes to the files in /etc/mail since the last time make was run, then you'll get an error like this:

[root@bigboy mail]# make
make: Nothing to be done for `all'.
[root@bigboy mail]#

The make command actually generates the sendmail.cf file using the m4 command. The m4 usage is simple: you specify the name of the macro file as the argument, in this case sendmail.mc, and redirect the output, which would normally go to the screen, to the sendmail.cf file with the ">" redirector symbol.

[root@bigboy tmp]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

I'll discuss many of the features of the sendmail.mc file later in the chapter.

How To Restart Sendmail After Editing Your Configuration Files 

cd /etc/mail
make
newaliases
/etc/init.d/sendmail restart

It first runs the make command, which creates a new sendmail.cf file from the sendmail.mc file and compiles supporting configuration files in the /etc/mail directory according to the instructions in the file /etc/mail/Makefile. It then generates new e-mail aliases with the newaliases command, (this will be covered later), and then restarts sendmail.

The /etc/mail/sendmail.mc File 

You can define most of sendmail's configuration parameters in the /etc/mail/sendmail.mc file, which is then used by the m4 macros to create the /etc/mail/sendmail.cf file. Configuration of the sendmail.mc file is much simpler than configuration of sendmail.cf, but it is still often viewed as an intimidating task with its series of structured directive statements that get the job done. Fortunately, in most cases you won't have to edit this file very often.

How to Put Comments in sendmail.mc 

In most Linux configuration files a # symbol is used at the beginning of a line to convert it into a comment line or to deactivate any commands that may reside on that line.

The sendmail.mc file doesn't use this character for commenting, but instead uses the string "dnl". Here are some valid examples of comments used with the sendmail.mc configuration file:

How To Configure Linux Sendmail Clients 

All Linux mail clients in your home or company need to know which server is the mail server. This is configured in the sendmail.mc file by setting the SMART_HOST statement to include the mail server. In the example below, the mail server has been set to mail.my-site.com, the mail server for the my-site.com domain.

define(`SMART_HOST',`mail.my-site.com')

If you don't have a mail server on your network, you can either create one, or use the one offered by your ISP.

Once this is done, you need to process the sendmail.mc file and restart sendmail.

Converting From a Mail Client to a Mail Server 

To become a mail server, and not a mail client, sendmail needs to be configured to listen for messages on NIC interfaces as well.

A General Guide To Using The sendmail.mc File 

The sendmail.mc file can seem jumbled. To make it less cluttered I usually create two easily identifiable sections in it with all the custom commands I've ever added.

The first section is near the top where the FEATURE statements usually are, and the second section is at the very bottom.

Sometimes sendmail will archive this file when you do a version upgrade. Having easily identifiable modifications in the file will make post upgrade reconfiguration much easier. Here is a sample:

dnl ***** Customised section 1 start *****
dnl
dnl
FEATURE(delay_checks)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(allmasquerade)dnl
FEATURE(masquerade_entire_domain)dnl
dnl
dnl
dnl ***** Customised section 1 end *****

The /etc/mail/relay-domains File 

The /etc/mail/relay-domains file is used to determine the domains from which sendmail will relay mail. The contents of the relay-domains file should be limited to those domains that can be trusted not to originate spam.

If you delete /etc/mail/relay-domains, then relay access is fully determined by the /etc/mail/access file.

The /etc/mail/access File 

You can make sure that only trusted PCs on your network have the ability to relay mail via your mail server by using the /etc/mail/access file. That is to say, the mail server will relay mail only for those PCs on your network that have their e-mail clients configured to use the mail server as their outgoing SMTP mail server.

The /etc/mail/local-host-names File 

When sendmail receives mail, it needs a way of determining whether it is responsible for the mail it receives. It uses the /etc/mail/local-host-names file to do this. This file has a list of hostnames and domains for which sendmail accepts responsibility. For example, if this mail server was to accept mail for the domains my-site.com and another-site then the file would look like this:

my-site.com
another-site.com

In this case, remember to modify the MX record of the another-site.com DNS zonefile to point to my-site.com. Here is an example (remember each "." is important):

; Primary Mail Exchanger for another-site.com
another-site.com. MX 10 mail.my-site.com.

Sendmail Masquerading Explained 

If you want your mail to appear to come from user@mysite.com and not user@bigboy.mysite.com, then you have two choices:

Configuring masquerading 

In the DNS configuration, you made bigboy the mail server for the domain my-site.com. You now have to tell bigboy in the sendmail configuration file sendmail.mc that all outgoing mail originating on bigboy should appear to be coming from my-site.com; if not, based on our settings in the /etc/hosts file, mail will appear to come from mail.my-site.com. This isn't terrible, but you may not want your Web site to be remembered with the word "mail" in front of it. In other words you may want your mail server to handle all email by assigning a consistent return address to all outgoing mail, no matter which server originated the email.

You can solve this by editing your sendmail.mc configuration file and adding some masquerading commands and directives:

FEATURE(always_add_domain)dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`allmasquerade')dnl
MASQUERADE_AS(`my-site.com')dnl
MASQUERADE_DOMAIN(`my-site.com.')dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl

The result is that:

Note: Use FEATURE allmasquerade with caution if your mail server handles email for many different domains and the mailboxes for the users in these domains reside on the mail server. The allmasquerade statement causes all mail destined for these mailboxes to appear to be destined for users in the domain defined in the MASQUERADE_AS statement. In other words, if MASQUERADE_AS is my-site.com and you use allmasquerade, then mail for peter@another-site.com enters the correct mailbox but sendmail rewrites the To:, making the e-mail appear to have been sent to peter@my-site.com originally.

Masquerading is an important part of any mail server configuration as it enables systems administrators to use multiple outbound mail servers, each providing only the global domain name for a company and not the fully qualified domain name of the server itself. All email correspondence then has a uniform email address format that complies with the company's brand marketing policies.

Note: E-mail clients, such as Outlook Express, consider the To: and From: statements as the e-mail header. When you choose Reply or Reply All in Outlook Express, the program automatically uses the To: and From: in the header. It is easy to fake the header, as spammers often do; it is detrimental to e-mail delivery, however, to fake the envelope.

The e-mail envelope contains the To: and From: used by mailservers for protocol negotiation. It is the envelope's From: that is used when e-mail rejection messages are sent between mail servers.

Testing Masquerading 

The best way of testing masquerading from the Linux command line is to use the "mail -v username" command. I have noticed that "sendmail -v username" ignores masquerading altogether. You should also tail the /var/log/maillog file to verify that the masquerading is operating correctly and check the envelope and header of test email received by test email accounts.

Other Masquerading Notes 

By default, user "root" will not be masqueraded. This is caused by the following command in /etc/mail/sendmail.mc:

EXPOSED_USER(`root')dnl

To remove this restriction, comment the line out with a "dnl" at the beginning of the line and run the sendmail restart script.

Using Sendmail to Change the Sender's Email Address 

Sometimes masquerading isn't enough. At times you may need to change not only the domain of the sender but also the username portion of the sender's e-mail address. For example, perhaps you bought a program for your SOHO office that sends out notifications to your staff, but the program inserts its own address as sender's address, not that of the IT person.

Web-based CGI scripts tend to run as user apache and, therefore, send mail as user apache too. Often you won't want this, not only because apache's e-mail address may not be suitable, but also because some anti-spam programs check to ensure that the From:, or source e-mail address, actually exists as a real user. If your virtusertable file allows e-mail to only predefined users, then queries about the apache user will fail, and your valid e-mail may be classified as being spam.

With sendmail, you can change both the domain and username on a case-by-case basis using the genericstable feature:

  1. Add these statements to your /etc/mail/sendmail.mc file to activate the feature:

    FEATURE(`genericstable',`hash -o /etc/mail/genericstable.db')dnl
    GENERICS_DOMAIN_FILE(`/etc/mail/generics-domains')dnl
  2. Create a /etc/mail/generics-domains file that is just a list of all the domains that should be inspected. Make sure the file includes your server's canonical domain name, which you can obtain using the command:

    sendmail -bt -d0.1 </dev/null
    # Here is a sample /etc/mail/generics-domains file:
    my-site.com
    another-site.com
    bigboy.my-site.com
  3. Create your /etc/mail/genericstable file. First sendmail searches the /etc/mail/generics-domains file for a list of domains to reverse map. It then looks at the /etc/mail/genericstable file for an individual email address from a matching domain. The format of the file is

    linux-username       username@new-domain.com
    # Here is an example:
    alert          security-alert@my-site.com
    peter          urgent-message@my-site.com
    apache         mailer@my-site.com
  4. Run the sendmail restart script from the beginning of the chapter and then test.

Your e-mails from linux-username should now appear to come from username@new-domain.com.

Sendmail SMTP AUTH HOWTO 

http://www.simpaticus.com/linux/howto/html-single/Sendmail-SMTP-AUTH-HOWTO.html

Rodolfo J. Paiz

rpaiz AT simpaticus DOT com, Guatemala City, Guatemala

Revision History

Revision 0.3, 2003-11-11, revised by RJP: Corrected several errors and made minor additions to the text. Also added Fedora Core 1 as a supported operating system.
Revision 0.2, 2003-10-25, revised by RJP: Converted HTML output to use the LDP stylesheet, which I much prefer aesthetically. Made some minor changes to the text.
Revision 0.1, 2003-10-20, revised by RJP: First draft translated into SGML. Made available in several formats (SGML, HTML single- and multiple-page, and PDF).

This is a very brief document, detailing how to set up Sendmail on Red Hat Linux 7.x/8.0/9 or Fedora Core 1 to accept mail connections from the network and demand SMTP AUTH authentication when the sender wishes to relay a message (i.e. ask this machine to deliver a message to a user on some other machine or network).

This document does not yet cover the configuration and use of encrypted AUTH mechanisms such as CRAM-MD5. Instructions on how to accomplish this will be added at some later date.

1. Introduction 

Back in prehistoric times (about five years ago), most SMTP mail servers on the open Internet would accept connections from anyone, sending mail to anyone else, without knowing for sure or verifying the sender's identity in any way. Now that SPAM (unsolicited commercial email) is such a huge problem, an administrator's failure to lock down a mail server will surely result in being found by spammers and abused heavily. I have actually seen a big spammer attempt to relay over ten million messages through a vulnerable server in just a few hours, destroying the victim's server, network connection, and customer service.

Two major mechanisms were created to stop unauthorized relaying: SMTP AUTH, which is an IETF standard, and POP-before-SMTP, which is not. However, SMTP AUTH required that mail clients such as Outlook and Eudora be rewritten to support the new standard and POP-before-SMTP could be implemented entirely on the server, so at first "PbS" was wildly popular. Today, every single mail client and every single mail server of which I am aware supports SMTP AUTH, and its far better design makes it the preferred choice.

[...]

2.3. Backing Up Your Critical Files 

Your key, critical, most important configuration file is sendmail.mc which is always located in /etc/mail. This file is human-readable, and it is the file which you will edit to make changes; so clearly, you want to make a copy of it before you make any changes. Depending on which operating system you are running, you may also have one or two files called sendmail.cf in /etc and /etc/mail. You also want to back these up.

The following command will look for all those files, and will make a backup of each of them if they exist by adding ".bak" to the end of the filename. Make sure you type this entire command on a single line, pressing the Enter key only once you are done.

[root@mailsrv mail]# for file in /etc/sendmail.cf /etc/mail/sendmail.cf /etc/mail/sendmail.mc ; do [ -f "$file" ] && cp "$file" "$file.bak" && echo "Backed up $file." ; done

Now that you know what operating system you are using (primarily to make sure that this document supports it), you have made sure that you are running the latest version of the m4, sendmail, and sendmail-cf packages, and you have backed up your configuration files, we can proceed. Remember that you can restore your previous configuration by copying a .bak file back to its original filename.

3. Instructions 

This section goes through what you need to do step by step. I hope you find it clear and easy to understand, but please note that it does not offer much in the way of comment or explanation. This is so that more advanced users can quickly follow the recipe without swimming through huge amounts of text, and so that explanations for beginners can be added afterwards with more detail.

  1. Remember that, although you may be or may not be an expert, your users almost surely are not. Of all the popular Windows mail clients, only Eudora comes with SMTP AUTH activated in its default configuration. In particular, Outlook and Outlook Express (or anything by Microsoft) do not have this feature enabled out of the box. You will have to make sure that your users enable SMTP authentication, or else they will no longer be able to relay mail through this server!

  2. Make sure that you are logged in as root. If you logged in as another user and used the "su" command to become root, make sure that you typed "su -" to get the full login environment. The added space and the dash make sure that you get root's path and shell environment, not just the identity.

  3. Edit /etc/mail/sendmail.mc and look for the following three lines of text somewhere:

    define(`confAUTH_OPTIONS', `A')dnl
    dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

    Any or all of those lines may start with the letters "dnl". That means "delete through newline" and is sendmail's way of either ending a line or starting a comment. You need to eliminate the "dnl" at the start of the line in order to activate the functionality in these lines. When you're done, the three lines should look exactly like this:

    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

    Warning: Those are directed quotes. They are not single quotes, double quotes, or smart quotes. You type the left directed quote with the backtick (also known as the "accent grave" key by the French), and you type the right directed quote with the apostrophe.
  4. Find the line near the bottom that says:

    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

    This line does not begin with a "dnl", which means it is active. If you read it through, you will note the "Addr=127.0.0.1" text which tells Sendmail to listen for connections only on that IP address, also known as the loopback address. Since the loopback address is used to process connections to/from the same machine, this is the line that effectively tells Sendmail not to accept any connections from anywhere else.

    Since you're going through this document, you do want to allow other systems to connect to yours to send mail. To deactivate this line, you could delete it, but the safer way (in case you ever want to know what you did or temporarily lock out outside users) is to comment it out by adding a "dnl" at the beginning of the line.

    Remember, previously we removed "dnl" characters. In this case, we need to add them.

  5. Create and place your new sendmail.cf file using the following commands. Some of these operating systems require the file to be placed in /etc and others in /etc/mail, so for safety's sake place the file in both locations (it won't hurt you):

    [root@mailsrv etc]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
    [root@mailsrv etc]# cp /etc/mail/sendmail.cf /etc/sendmail.cf
  6. Verify that your system contains an /etc/pam.d/smtp file with the following contents:

    #%PAM-1.0
    auth       required     /lib/security/pam_stack.so service=system-auth
    account    required     /lib/security/pam_stack.so service=system-auth
  7. Verify that you have a /usr/lib/sasl/Sendmail.conf file with the following contents:

    pwcheck_method:pam
  8. Restart the sendmail service:

    [root@mailsrv mail]# service sendmail restart
  9. Test that authentication has in fact been enabled and that the server now accepts mail connections from the outside by issuing the following command (from another machine, of course!):

    [user@otherbox user]$ telnet mailsrv 25

    This will initiate a connection to the SMTP service on mailsrv, which is handled by Sendmail. If your sendmail daemon is now accepting network connections, you will see the following text:

    Trying 192.168.0.1...
    Connected to mailsrv.
    Escape character is '^]'.
    220 dude.com ESMTP Sendmail 8.11.6/8.11.6; Tue, 29 Jan 2002 07:24:49 -0600

    Carefully and without making mistakes, type in "ehlo localhost" and then press Enter. You will get back something similar to the following lines of text:

    250-dude.com Hello dude.com [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ONEX
    250-ETRN
    250-XUSR
    250-AUTH LOGIN PLAIN
    250 HELP

    If you see a line like the one above, saying "250-AUTH LOGIN PLAIN" or something similar, you have successfully set up unencrypted SMTP AUTH as a first step on the road to greater mail security. You can now simply type "quit" then press Enter to cancel this SMTP session.

  10. If you have previously allowed any relaying, whether by IP address or any other method, wait until very late at night to make sure you don't disrupt your users and then disable it. In your /etc/mail/access file, for example, make sure that you only allow relaying from localhost which is 127.0.0.1.

  11. Ensure that your /etc/mail/relay-domains file contains only your domains and the domains you host on this server; that is, only those domains which really have users on this server, and who will use this server to send all their mail.

    If you do not have an /etc/mail/relay-domains file, don't worry; simply create a blank text file with that name, and put all the domains you want in it, one domain per line.

  12. Ensure that your /etc/mail/sendmail.mc file does not enable relaying in funny forms like "accept unresolvable domains", "relay by domain", or any of that crap. An example (complete) sendmail.mc which is relay-safe is included here:

    divert(-1)
    dnl This is the sendmail macro config file. If you make changes to this file,
    dnl you need the sendmail-cf rpm installed and then have to generate a
    dnl new /etc/sendmail.cf by running the following command:
    dnl
    dnl        m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
    dnl
    include(`/usr/share/sendmail-cf/m4/cf.m4')
    VERSIONID(`linux setup for Red Hat Linux')dnl
    OSTYPE(`linux')
    define(`confDEF_USER_ID',``8:12'')dnl
    undefine(`UUCP_RELAY')dnl
    undefine(`BITNET_RELAY')dnl
    define(`confAUTO_REBUILD')dnl
    define(`confTO_CONNECT', `1m')dnl
    define(`confTRY_NULL_MX_LIST',true)dnl
    define(`confDONT_PROBE_INTERFACES',true)dnl
    define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
    define(`ALIAS_FILE', `/etc/aliases')dnl
    dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
    define(`UUCP_MAILER_MAX', `2000000')dnl
    define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
    define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    dnl define(`confTO_QUEUEWARN', `4h')dnl
    dnl define(`confTO_QUEUERETURN', `5d')dnl
    dnl define(`confQUEUE_LA', `12')dnl
    dnl define(`confREFUSE_LA', `18')dnl
    dnl FEATURE(delay_checks)dnl
    FEATURE(`no_default_msa',`dnl')dnl
    FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
    FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
    FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
    FEATURE(redirect)dnl
    FEATURE(always_add_domain)dnl
    FEATURE(use_cw_file)dnl
    FEATURE(use_ct_file)dnl
    FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
    FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
    FEATURE(`blacklist_recipients')dnl
    EXPOSED_USER(`root')dnl
    dnl Change sendmail to only listen on the loopback interface and
    dnl the internal network interface; never accept outside traffic.
    dnl Add "dnl" to both DAEMON_OPTIONS lines to accept mail from
    dnl all network interfaces.
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=192.168.0.1, Name=MTA')
    dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
    dnl       a kernel patch
    dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
    dnl We strongly recommend to comment this one out if you want to protect
    dnl yourself from spam. However, the laptop and users on computers that do
    dnl not have 24x7 DNS do need this.
    dnl FEATURE(`accept_unresolvable_domains')dnl
    dnl FEATURE(`relay_based_on_MX')dnl
    MAILER(smtp)dnl
    MAILER(procmail)dnl
    Cwlocalhost.localdomain
  13. Hover anxiously over the server for a couple of days and check for "Relaying denied" errors. Track them down aggressively, since most of them will be your own customers who didn't fix their mail clients when you told them to do so. Fix them now.
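As an added example (not code from either HOWTO), the following POSIX shell script automates two of the by-eye checks above: it audits a sendmail.mc for the changes steps 3, 4 and 12 make, and classifies an EHLO reply like the one in step 9, flagging AUTH offered without STARTTLS (the cleartext-password problem the first HOWTO describes). The sendmail.mc fragments and EHLO replies it uses are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from either HOWTO. audit_sendmail_mc() inspects a
# sendmail.mc for what steps 3, 4 and 12 change; check_ehlo() classifies the
# EHLO reply that step 9 has you read by eye. All sample inputs are constructed.

# Print the active directives of a sendmail.mc: leading blanks removed, blank
# lines and lines starting with the m4 comment macro "dnl" dropped.
active_lines() {
    sed 's/^[[:space:]]*//' "$1" | grep -Ev '^dnl([^[:alnum:]_]|$)' | grep -v '^$'
}

# One finding per line on stdout; the return value is the number of findings.
audit_sendmail_mc() {
    mc=$1
    problems=0
    # Step 3: both AUTH directives must be active (not dnl-commented).
    for directive in 'TRUST_AUTH_MECH(' 'define(`confAUTH_MECHANISMS'; do
        if ! active_lines "$mc" | grep -qF "$directive"; then
            echo "MISSING: $directive is absent or still dnl-commented"
            problems=$((problems + 1))
        fi
    done
    # Step 4: an active DAEMON_OPTIONS bound to 127.0.0.1 means no client on
    # the network can reach the server, so AUTH is never exercised at all.
    if active_lines "$mc" | grep -q 'DAEMON_OPTIONS(.*Addr=127\.0\.0\.1'; then
        echo "NOTICE: DAEMON_OPTIONS still bound to the loopback address only"
        problems=$((problems + 1))
    fi
    # Step 12: the relay-unsafe features named there must stay commented out.
    for feature in accept_unresolvable_domains relay_based_on_MX; do
        if active_lines "$mc" | grep -q "FEATURE(.*$feature"; then
            echo "UNSAFE: FEATURE($feature) is active and can open relaying"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Classify the 250- lines returned to EHLO (step 9). Prints one token:
#   NO-AUTH         no SMTP AUTH offered
#   AUTH-CLEARTEXT  LOGIN/PLAIN offered with no STARTTLS, so passwords cross
#                   the wire unprotected (what the first HOWTO warns about)
#   AUTH-STARTTLS   AUTH offered and STARTTLS available to protect it
#   AUTH-CHALLENGE  only challenge-response mechanisms such as CRAM-MD5
check_ehlo() {
    reply=$1
    auth=$(printf '%s\n' "$reply" | grep -i '^250[- ]AUTH ' || true)
    if [ -z "$auth" ]; then
        echo NO-AUTH
    elif printf '%s\n' "$reply" | grep -qi '^250[- ]STARTTLS'; then
        echo AUTH-STARTTLS
    elif printf '%s\n' "$auth" | grep -qiE 'LOGIN|PLAIN'; then
        echo AUTH-CLEARTEXT
    else
        echo AUTH-CHALLENGE
    fi
}

# ---- constructed sample inputs -------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# Before the HOWTO: AUTH commented out, loopback only, unsafe relay features on.
cat >"$SAMPLE_DIR/before.mc" <<'EOF'
define(`confAUTH_OPTIONS', `A')dnl
  dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
EOF
# The same file after steps 3, 4 and 12.
cat >"$SAMPLE_DIR/after.mc" <<'EOF'
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
EOF
# The EHLO reply from step 9 (no STARTTLS) and a constructed variant with it.
EHLO_STEP9='250-dude.com Hello dude.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN PLAIN
250 HELP'
EHLO_TLS='250-dude.com Hello dude.com [127.0.0.1], pleased to meet you
250-STARTTLS
250-AUTH LOGIN PLAIN
250 HELP'
echo "== before.mc =="; audit_sendmail_mc "$SAMPLE_DIR/before.mc" || echo "$? finding(s)"
echo "== after.mc ==";  audit_sendmail_mc "$SAMPLE_DIR/after.mc" && echo "no findings"
echo "step 9 reply:  $(check_ehlo "$EHLO_STEP9")"   # AUTH-CLEARTEXT
echo "with STARTTLS: $(check_ehlo "$EHLO_TLS")"     # AUTH-STARTTLS
```

Point audit_sendmail_mc at your real /etc/mail/sendmail.mc before running make; a non-zero return value means one of the steps above has not been completed.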

documented on: 2004.06.20