- 1 Introduction
2 Configuring Sendmail
2.1 How Sendmail Works
- 2.1.1 Incoming Mail
- 2.1.2 Outgoing Mail
- 2.1.3 Sendmail Macros
- 2.2 Installing Sendmail
- 2.3 Starting Sendmail
- 2.4 How To Restart Sendmail After Editing Your Configuration Files
2.5 The /etc/mail/sendmail.mc File
- 2.5.1 How to Put Comments in sendmal.mc
2.6 Configuring DNS for sendmail
- 2.6.1 Configure Your Mail Server's Name In DNS
- 2.6.2 Configure The /etc/resolv.conf File
- 2.6.3 The /etc/hosts File
- 2.7 How To Configure Linux Sendmail Clients
2.8 Converting From a Mail Client to a Mail Server
- 2.8.1 A General Guide To Using The sendmail.mc File
- 2.8.2 The /etc/mail/relay-domains File
2.9 The /etc/mail/access File
- 2.9.1 The /etc/mail/local-host-names File
2.10 Which User Should Really Receive The Mail?
- 2.10.1 The /etc/mail/virtusertable file
- 2.10.2 The /etc/aliases File
2.11 Sendmail Masquerading Explained
- 2.11.1 Configuring masquerading
- 2.11.2 Testing Masquerading
- 2.11.3 Other Masquerading Notes
- 2.12 Using Sendmail to Change the Sender's Email Address
2.13 Troubleshooting Sendmail
- 2.13.1 Testing TCP connectivity
- 2.13.2 Further Testing of TCP connectivity
- 2.13.3 The /var/log/maillog File
- 2.13.4 Common Errors Due To Incomplete RPM Installation
- 2.13.5 Incorrectly Configured /etc/hosts Files
3 Fighting SPAM
- 3.1 Using Public SPAM Blacklists With Sendmail
3.2 Spamassassin
- 3.2.1 Downloading And Installing Spamassassin
- 3.2.2 Starting Spamassassin
- 3.2.3 Configuring procmail for spamassassin
- 3.2.4 Configuring Spamassassin
- 3.2.5 Testing spamassassin
- 3.2.6 Startup spamassassin
- 3.2.7 Tuning spamassassin
3.3 The Rules du Jour Spamassassin Tool
- 3.3.1 The /etc/rulesdujour/config Configuration File
- 3.3.2 Installing Rules du Jour
3.4 Using Greylisting
- 3.4.1 Downloading and Installing milter-greylist
- 3.4.2 Configuring milter-greylist
- 3.4.3 Configuring milter-greylist
- 3.5 A Simple PERL Script To Help Stop SPAM
4 Configuring Your POP Mail Server
- 4.1 Installing Your POP Mail Server
- 4.2 Starting Your POP Mail Server
- 4.3 The /etc/dovecot.conf File
- 4.4 How To Configure Your Windows Mail Programs
- 4.5 Configuring Secure POP Mail
- 4.6 How to handle overlapping email addresses.
- 4.7 Troubleshooting POP Mail
- 5 Conclusion
As stated before, sendmail can handle both incoming and outgoing mail for your domain. Take a closer look.
Usually each user in your home has a regular Linux account on your mail server. Mail sent to each of these users (username@my-site.com) eventually arrives at your mail server and sendmail then processes it and deposits it in the mailbox file of the user's Linux account.
Mail isn't actually sent directly to the user's PC. Users retrieve their mail from the mail server using client software, such as Microsoft's Outlook or Outlook Express, that supports either the POP or IMAP mail retrieval protocols.
Linux users logged into the mail server can read their mail directly using a text-based client, such as mail, or a GUI client, such as Evolution. Linux workstation users can use the same programs to access their mail remotely.
The process is different when sending mail via the mail server. PC and Linux workstation users configure their e-mail software to make the mail server their outbound SMTP mail server.
If the mail is destined for a local user in the mysite.com domain, then sendmail places the message in that person's mailbox so that they can retrieve it using one of the methods above.
If the mail is being sent to another domain, sendmail first uses DNS to get the MX record for the other domain. It then attempts to relay the mail to the appropriate destination mail server using the Simple Mail Transport Protocol (SMTP). One of the main advantages of mail relaying is that when a PC user A sends mail to user B on the Internet, the PC of user A can delegate the SMTP processing to the mail server.
Note: If mail relaying is not configured properly, then your mail server could be commandeered to relay spam. Simple sendmail security will be covered later.
When mail passes through a sendmail server the mail routing information in its header is analyzed, and sometimes modified, according to the desires of the systems administrator. Using a series of highly complicated regular expressions listed in the /etc/mail/sendmail.cf file, sendmail inspects this header and then acts accordingly.
In recognition of the complexity of the /etc/mail/sendmail.cf file, a much simpler file named /etc/sendmail.mc was created, and it contains more understandable instructions for systems administrators to use. These are then interpreted by a number of macro routines to create the sendmail.cf file. After editing sendmail.mc, you must always run the macros and restart sendmail for the changes to take effect.
Each sendmail.mc directive starts with a keyword, such as DOMAIN, FEATURE, or OSTYPE, followed by a subdirective and in some cases arguments. A typical example is.
As stated before, sendmail can handle both incoming and outgoing mail for your domain. Take a closer look.
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
The keywords usually define a subdirectory of /usr/share/sendmail-cf in which the macro may be found and the subdirective is usually the name of the macro file itself. So in the example, the macro name is /usr/share/sendmail-cf/feature/virtusertable.m4, and the instruction `\ hash -o /etc/mail/virtusertable.db' is being passed to it.
Notice that sendmail is sensitive to the quotation marks used in the m4 macro directives. They open with a grave mark and end with a single quote.
FEATURE(`masquerade_envelope')dnl
Some keywords, such as define for the definition of certain sendmail variables and MASQUERADE_DOMAIN, have no corresponding directories with matching macro files. The macros in the /usr/share/sendmail-cf/m4 directory deal with these.
Once you finish editing the sendmail.mc file, you can then execute the make command while in the /etc/mail directory to regenerate the new sendmail.cf file.
[root@bigboy tmp]# cd /etc/mail [root@bigboy mail]# make
If there have been no changes to the files in /etc/mail since the last time make was run, then you'll get an error like this:
[root@bigboy mail]# make make: Nothing to be done for `all'. [root@bigboy mail]#
The make command actually generates the sendmail.cf file using the m4 command. The m4 usage is simple, you just specify the name of the macro file as the argument, in this case sendmail.mc, and redirect the output, which would normally go to the screen, to the sendmail.cf file with the ">" redirector symbol.
[root@bigboy tmp]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
I'll discuss many of the features of the sendmail.mc file later in the chapter.
cd /etc/mail make newaliases /etc/init.d/sendmail restart
It first runs the make command, which creates a new sendmail.cf file from the sendmail.mc file and compiles supporting configuration files in the /etc/mail directory according to the instructions in the file /etc/mail/Makefile. It then generates new e-mail aliases with the newaliases command, (this will be covered later), and then restarts sendmail.
You can define most of sendmail's configuration parameters in the /etc/mail/sendmail.mc file, which is then used by the m4 macros to create the /etc/mail/sendmail.cf file. Configuration of the sendmail.mc file is much simpler than configuration of sendmail.cf, but it is still often viewed as an intimidating task with its series of structured directive statements that get the job done. Fortunately, in most cases you won't have to edit this file very often.
In most Linux configuration files a # symbol is used at the beginning of a line convert it into a comment line or to deactivate any commands that may reside on that line.
The sendmail.mc file doesn't use this character for commenting, but instead uses the string "dnl". Here are some valid examples of comments used with the sendmail.mc configuration file:
These statements are disabled by dnl commenting.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
This statement is incorrectly disabled:
# DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
This statement is active:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
All Linux mail clients in your home or company need to know which server is the mail server. This is configured in the sendmail.mc file by setting the SMART_HOST statement to include the mail server. In the example below, the mail server has been set to mail.my-site.com, the mail server for the my-site.com domain.
define(`SMART_HOST',`mail.my-site.com')
If you don't have a mail server on your network, you can either create one, or use the one offered by your ISP.
Once this is done, you need to process the sendmail.mc file and restart sendmail.
To become a mail server, and not a mail client, sendmail needs to be configured to listen for messages on NIC interfaces as well.
The sendmail.mc file can seem jumbled. To make it less cluttered I usually create two easily identifiable sections in it with all the custom commands I've ever added.
The first section is near the top where the FEATURE statements usually are, and the second section is at the very bottom.
Sometimes sendmail will archive this file when you do a version upgrade. Having easily identifiable modifications in the file will make post upgrade reconfiguration much easier. Here is a sample:
dnl ***** Customised section 1 start ***** dnl dnl FEATURE(delay_checks)dnl FEATURE(masquerade_envelope)dnl FEATURE(allmasquerade)dnl FEATURE(masquerade_entire_domain)dnl dnl dnl dnl ***** Customised section 1 end *****
The /etc/mail/relay-domains file is used to determine domains from which it will relay mail. The contents of the relay-domains file should be limited to those domains that can be trusted not to originate spam.
If you delete /etc/mail/relay-domains, then relay access is fully determined by the /etc/mail/access file.
You can make sure that only trusted PCs on your network have the ability to relay mail via your mail server by using the /etc/mail/access file. That is to say, the mail server will relay mail only for those PCs on your network that have their e-mail clients configured to use the mail server as their outgoing SMTP mail server.
When sendmail receives mail, it needs a way of determining whether it is responsible for the mail it receives. It uses the /etc/mail/local-host-names file to do this. This file has a list of hostnames and domains for which sendmail accepts responsibility. For example, if this mail server was to accept mail for the domains my-site.com and another-site then the file would look like this:
my-site.com another-site.com
In this case, remember to modify the MX record of the another-site.com DNS zonefile point to my-site.com. Here is an example (Remember each "." is important):
; Primary Mail Exchanger for another-site.com another-site.com. MX 10 mail.my-site.com.
If you want your mail to appear to come from user@mysite.com and not user@bigboy.mysite.com, then you have two choices:
- Configure your email client, such as Outlook Express, to set your email address to user@mysite.com. (I'll explain this in the "Configuring Your POP Mail Server" section.).
- Set up masquerading to modify the domain name of all traffic originating from and passing trough your mail server.
In the DNS configuration, you made bigboy the mail server for the domain my-site.com. You now have to tell bigboy in the sendmail configuration file sendmail.mc that all outgoing mail originating on bigboy should appear to be coming from my-site.com; if not, based on our settings in the /etc/hosts file, mail will appear to come from mail.my-site.com. This isn't terrible, but you may not want your Web site to be remembered with the word "mail" in front of it. In other words you may want your mail server to handle all email by assigning a consistent return address to all outgoing mail, no matter which server originated the email.
You can solve this by editing your sendmail.mc configuration file and adding some masquerading commands and directives:
FEATURE(always_add_domain)dnl FEATURE(`masquerade_entire_domain')dnl FEATURE(`masquerade_envelope')dnl FEATURE(`allmasquerade')dnl MASQUERADE_AS(`my-site.com')dnl MASQUERADE_DOMAIN(`my-site.com.')dnl MASQUERADE_DOMAIN(localhost)dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
The result is that:
- The MASQUERADE_AS directive makes all mail originating on bigboy appear to come from a server within the domain my-site.com by rewriting the email header.
- The MASQUERADE_DOMAIN directive makes mail relayed via bigboy from all machines in the another-site.com and localdomain domains appear to come from the MASQUERADE_AS domain of my-site.com. Using DNS, sendmail checks the domain name associated with the IP address of the mail relay client sending the mail to help it determine whether it should do masquerading or not.
- FEATURE masquerade_entire_domain makes sendmail masquerade servers named *my-site.com, and *another-site.com as my-site.com. In other words, mail from sales.my-site.com would be masqueraded as my-site.com. If this wasn't selected, then only servers named my-site.com and my-othersite.com would be masqueraded. Use this with caution when you are sure you have the necessary authority to do this.
- FEATURE allmasquerade makes sendmail rewrite both recipient addresses and sender addresses relative to the local machine. If you cc: yourself on an outgoing mail, the other recipient sees a cc: to an address he knows instead of one on localhost.localdomain.
![[Note]](../../../../../../asciidoc/images/icons/note.png){kind=icon} | |
Use FEATURE allmasquerade with caution if your mail server handles email for many different domains and the mailboxes for the users in these domains reside on the mail server. The allmasquerade statement causes all mail destined for these mailboxes to appear to be destined for users in the domain defined in the MASQUERADE_AS statement. In other words, if MASQUERADE_AS is my-site.com and you use allmasquerade, then mail for peter@another-site.com enters the correct mailbox but sendmail rewrites the To:, making the e-mail appear to be sent to peter@my-ste.com originally. |
- FEATURE always_add_domain always masquerades email addresses, even if the mail is sent from a user on the mail server to another user on the same mail server.
- FEATURE masquerade_envelope rewrites the email envelope just as MASQUERADE_AS rewrote the header.
Masquerading is an important part of any mail server configuration as it enables systems administrators to use multiple outbound mail servers, each providing only the global domain name for a company and not the fully qualified domain name of the server itself. All email correspondence then has a uniform email address format that complies with the company's brand marketing policies.
Note: E-mail clients, such as Outlook Express, consider the To: and From: statements as the e-mail header. When you choose Reply or Reply All in Outlook Express, the program automatically uses the To: and From: in the header. It is easy to fake the header, as spammers often do; it is detrimental to e-mail delivery, however, to fake the envelope.
The e-mail envelope contains the To: and From: used by mailservers for protocol negotiation. It is the envelope's From: that is used when e-mail rejection messages are sent between mail servers.
The best way of testing masquerading from the Linux command line is to use the "mail -v username" command. I have noticed that "sendmail -v username" ignores masquerading altogether. You should also tail the /var/log/maillog file to verify that the masquerading is operating correctly and check the envelope and header of test email received by test email accounts.
Sometimes masquerading isn't enough. At times you may need to change not only the domain of the sender but also the username portion of the sender's e-mail address. For example, perhaps you bought a program for your SOHO office that sends out notifications to your staff, but the program inserts its own address as sender's address, not that of the IT person.
Web-based CGI scripts tend to run as user apache and, therefore, send mail as user apache too. Often you won't want this, not only because apache's e-mail address may not be a suitable, but also because some anti-spam programs check to ensure that the From:, or source e-mail address, actually exists as a real user. If your virtusertable file allows e-mail to only predefined users, then queries about the apache user will fail, and your valid e-mail may be classified as being spam.
With sendmail, you can change both the domain and username on a case-by-case basis using the genericstable feature:
Add these statements to your /etc/mail/sendmail.mc file to activate the feature:
FEATURE(`genericstable',`hash -o /etc/mail/genericstable.db')dnl GENERICS_DOMAIN_FILE(`/etc/mail/generics-domains')dnl
Create a /etc/mail/generics-domains file that is just a list of all the domains that should be inspected. Make sure the file includes your server's canonical domain name, which you can obtain using the command:
sendmail -bt -d0.1 </dev/null
# Here is a sample /etc/mail/generics-domains file:
my-site.com another-site.com bigboy.my-site.com
Create your /etc/mail/genericstable file. First sendmail searches the /etc/mail/generics-domains file for a list of domains to reverse map. It then looks at the /etc/mail/genericstable file for an individual email address from a matching domain. The format of the file is
linux-username username@new-domain.com
# Here is an example:
alert security-alert@my-site.com peter urgent-message@my-site.com apache mailer@my-site.com
- Run the sendmail restart script from the beginning of the chapter and then test.
Your e-mails from linux-username should now appear to come from username@new-domain.com.
