Simple sendmail Configuration

If you choose to install the sendmail SMTP service, be prepared to do most configuration by directly editing an appropriate configuration file. When installing sendmail with the following command,

$ sudo apt-get install sendmail

several additional packages are installed (if they're not already included), as described in Table 17-3.

| sendmail Package | Description |
| --- | --- |
| m4 | A macro processor intended to compile the sendmail.mc file |
| procmail | An MDA sometimes used by sendmail for local e-mail addresses |
| sendmail-base | Architecture-independent files for sendmail |
| sendmail-bin | For user authentication databases including NIS (Network Information Service) and LDAP (Lightweight Directory Access Protocol) |
| sendmail-cf | Example sendmail configuration files |
| sensible-mda | Connector between sendmail and an MDA |

Table 17-3. Packages Installed with the sendmail SMTP Service

The sendmail configuration files are stored primarily in the /etc/mail directory. Alternative configuration files are available in the /usr/share/sendmail/cf directory. The key files that will be configured indirectly are sendmail.cf for incoming mail and submit.cf for outgoing mail. Other sendmail configuration files in the /etc/mail directory are described in Table 17-4. The sendmail service requires compiled versions of several configuration files, with the .db (database) extension. In a bit, I'll explain how the database and configuration files are created.

| /etc/mail File | Description |
| --- | --- |
| access, access.db | Supports outgoing access rules |
| address.resolve | Specifies different e-mail addresses for local, firewall, and remote delivery |
| aliases, aliases.db | Notes the target user for e-mail sent to other users; linked to /etc/aliases |
| databases | Includes automatically configured databases |
| helpfile | Notes help messages available to administrators who connect remotely via port 25 |
| local-host-names | Supports aliases for local hostnames |
| m4/ | Notes the directory with m4 macro processor files |
| Makefile | Contains rules for compiling files in /etc/mail |
| peers/provider | Includes support to a remote SMTP server |
| sasl/ | Notes the directory with Simple Authentication Security Layer (SASL) files for authentication |
| sendmail.cf | Specifies the main sendmail configuration file |
| sendmail.cf.errors | Notes errors in the current sendmail configuration |
| sendmail.conf | Adds alternative configuration file for sendmail |
| sendmail.mc | Includes macros that can be used to generate a new version of sendmail.cf |
| service.switch | Specifies the search order for hostnames; the format is similar to /etc/nsswitch.conf |
| service.switch-nodns | Specifies the search order for hostnames; the format is similar to /etc/nsswitch.conf |
| smrsh/ | Adds files for the sendmail control shell |
| submit.cf | Specifies the main outgoing sendmail configuration file |
| submit.mc | Includes macros that can be used to generate a new version of submit.cf |
| tls/ | Notes the directory with sendmail Transport Layer Security (TLS) certificates |
| trusted-users | Lists special users that can send e-mail without warnings |

Table 17-4. sendmail Configuration Files

Most of the work required is in customizing the sendmail.mc configuration file. But first, you should know a bit about the language found in the sendmail.mc and submit.mc macro files.

How sendmail Configuration Files Are Read

When the sendmail service is started, it reads the .cf (configuration) and .db (database) files in the /etc/mail directory. The configuration files are sendmail.cf and submit.cf. The sendmail.cf file is a long (around 2000 lines) file that may seem difficult to decipher but includes a wealth of helpful comments. The submit.cf file is nearly as long. This file provides detailed rules (organized into rulesets) on how sendmail should process e-mail addresses, filter spam, talk to other mail servers, and more. The database files limit access primarily by IP address and provide aliases for specified users.

The sendmail.cf file is complex and may appear cryptic. Fortunately, most directives in this file need not be changed. And Linux simplifies this process—all you really need to do is customize a smaller file full of macros, sendmail.mc. There's a similar relationship between the submit.cf and submit.mc files.

Once you've configured these files (and any other files in the /etc/mail directory), you can use the sendmailconfig command to compile new custom sendmail.cf and submit.cf files. As these files are still fairly complex, I'll highlight those directives associated with configuring sendmail for basic operation.

The macros in the sendmail.mc and submit.mc files perform the following tasks:

▼ Activate or deactivate features.

■ Define variables and values.

▲ Include descriptive comments.

The most basic macro is dnl, which is effectively a comment character. Information from this macro to the end of the line is not compiled or included in the actual sendmail configuration.

The include directive instructs sendmail to read the contents of the named file and insert it at the current location in the output. Some of these files are in the /etc/mail directory; some administrators include macro files (with .mc extensions) in various /usr/share/sendmail/cf directories.

The define directive sets files or enables features that you want to use. The following example in sendmail.mc disables certain commands:

define(`confPRIVACY_FLAGS',dnl

`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl

The FEATURE directive, not surprisingly, enables specific features. For example, one FEATURE directive refers to the /etc/mail/access.db file for allowed systems.

DAEMON_OPTIONS directly controls the sendmail daemon. The default active DAEMON_OPTIONS directive does not accept any mail from outside the local system, as defined by the localhost address:

DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl

There is a seemingly inconsistent pair of quote characters in most of these lines. Specifically, in this command, the directives inside the parentheses start with a back quote (`) and end with a single quote (').

Configuring and Securing sendmail.mc

Before making any changes to the sendmail.mc configuration file, back it up. You need to make only a couple of adjustments to get your system ready for use on the Internet. By default, the following line limits sendmail access to the local system, despite the IP addresses in the /etc/mail/access file:

DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl

To allow access from other computers, remove the address information. Access can then be limited to the local network in the /etc/mail/access file:

DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp')dnl

There are four DAEMON_OPTIONS directives in the default /etc/mail/sendmail.mc configuration file, as shown. IPv6 addressing is disabled by default.

dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl

DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl

dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, Addr=::1')dnl

DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, Addr=127.0.0.1')dnl

If you activate IPv6 addressing, and disable the IPv4 and IPv6 address limits, these directives would read like so:

DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp')dnl

DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp')dnl

DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission')dnl

DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission')dnl

Note the Port directives; the smtp and submission port numbers, as defined in /etc/services, are TCP/IP port numbers 25 and 587.
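A quick way to check which listeners a sendmail.mc actually exposes once Addr= limits are removed, as an added example that is not part of the original text. The sample input is constructed from the directives shown above; the function names are hypothetical.

```python
import re

# Constructed sample: the four default directives, with the IPv4 MTA
# listener edited to drop its Addr= limit as described above.
SAMPLE_MC = """\
dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp')dnl
dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, Addr=::1')dnl
DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, Addr=127.0.0.1')dnl
"""

LOOPBACK = {"127.0.0.1", "::1"}
# Arguments sit between the m4 back quote and the closing single quote.
DIRECTIVE = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")


def active_listeners(mc_text):
    """Return one dict of options per DAEMON_OPTIONS line that is not disabled."""
    listeners = []
    for line in mc_text.splitlines():
        # A leading dnl discards the rest of the line, so the directive is off.
        if re.match(r"\s*dnl\b", line):
            continue
        match = DIRECTIVE.search(line)
        if match is None:
            continue
        opts = {}
        for pair in match.group(1).split(","):
            key, sep, value = pair.partition("=")
            if sep:
                opts[key.strip()] = value.strip()
        listeners.append(opts)
    return listeners


def exposed(listeners):
    """Names of listeners with no Addr= or with a non-loopback Addr=."""
    return [opts.get("Name", "?") for opts in listeners
            if opts.get("Addr") not in LOOPBACK]


if __name__ == "__main__":
    found = active_listeners(SAMPLE_MC)
    for opts in found:
        print(opts.get("Name"), opts.get("Port"), opts.get("Addr", "all interfaces"))
    print("reachable from other hosts:", exposed(found))
```

Running the same functions over the real /etc/mail/sendmail.mc before and after an edit shows whether the change opened only the listener you intended.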

Next, in the /etc/mail/submit.mc file, the following directive configures a source IP address of 127.0.0.1. It should be changed to a real IP address. Many servers block e-mails from private IP addresses, as that would be a simple way to send spam from an unidentifiable location. But a private IP address should work for e-mails within a local network. If you intend to configure this system to connect online, you should give it a real IP address—and if there's a router between the local network and the Internet, that router should transmit messages on the aforementioned TCP/IP ports to the sendmail system.

FEATURE(`msp', `[192.168.0.154]', `MSA')dnl

But that's not enough. If you want to allow remote computers or networks access to your sendmail server, you'll need to add their names or addresses to the /etc/mail/access file. And there are four directives of interest in this file, as described in Table 17-5.

| access Directive | Description |
| --- | --- |
| Connect | Specifies systems that may be allowed to use this service |
| GreetPause | Sets a delay, in milliseconds, against floods of spam e-mail |
| ClientRate | Limits the number of connections, per minute |
| ClientConn | Limits the number of simultaneous connections |

Table 17-5. Key Directives in the /etc/mail/access File

The Connect directive can be used to allow or deny access to the sendmail service. For example, the following directive would allow access to my private network, 192.168.0.0/24:

Connect:192.168.0 RELAY

Pay attention to the notation. For this file, no dot (.) appears at the end of the IP address.

Next is the GreetPause directive, which can slow the rate of e-mail connections from spamming servers. The first GreetPause directive disables the delay for the local network; the second GreetPause directive enables a 5 second (5000 millisecond) delay for all other systems. The second directive should already be included in /etc/mail/access by default.

GreetPause:192.168.0 0

GreetPause: 5000

The ClientRate directive limits the number of connections from a single system, on a per-minute basis. Assuming the users on the local network can be trusted, the following directives disable the ClientRate limit for the local network, and then set a limit of 10 e-mails per minute from all other systems. The second directive should already be included in /etc/mail/access by default.

ClientRate:192.168.0 0

ClientRate: 10

Finally, the ClientConn directive limits the number of simultaneous connections from a single system. Assuming the users on the local network can be trusted, the following directives disable the ClientConn limit for the local network, and then set a limit of 10 simultaneous connections from all other systems. The second directive should already be included in /etc/mail/access by default.

ClientConn:192.168.0 0

ClientConn: 10
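To see which of these access entries apply to a given client, the following added example (not from the original text) resolves the effective policy for an IPv4 address. It assumes a simplified model of the lookup: the full address is tried first, then one trailing octet is dropped at a time, and the bare "Tag:" entry is the default. The sample file is constructed from the directives above and the function names are hypothetical.

```python
# Constructed sample combining the access entries shown above.
SAMPLE_ACCESS = """\
# local network is trusted, everything else gets the defaults
Connect:192.168.0 RELAY
GreetPause:192.168.0 0
GreetPause: 5000
ClientRate:192.168.0 0
ClientRate: 10
ClientConn:192.168.0 0
ClientConn: 10
"""

TAGS = ("Connect", "GreetPause", "ClientRate", "ClientConn")


def parse_access(text):
    """Map (tag, address-prefix) to the right-hand value of each entry."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue
        tag, _, prefix = fields[0].partition(":")
        table[(tag, prefix)] = fields[1].strip()
    return table


def lookup(table, tag, ip):
    """Most specific match on octet boundaries; '' is the default entry."""
    octets = ip.split(".")
    # Comparing whole octets keeps 192.168.1 from matching 192.168.10.x,
    # which a plain string-prefix test would get wrong.
    for count in range(len(octets), -1, -1):
        key = (tag, ".".join(octets[:count]))
        if key in table:
            return table[key]
    return None


def effective_policy(text, ip):
    """Value of each of the four directives as it applies to one client."""
    table = parse_access(text)
    return {tag: lookup(table, tag, ip) for tag in TAGS}


if __name__ == "__main__":
    for client in ("192.168.0.25", "192.168.1.25", "203.0.113.9"):
        print(client, effective_policy(SAMPLE_ACCESS, client))
```

A client that returns None for Connect has no explicit entry, so it is not granted RELAY by this file.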

Back up the current files in the /etc/mail directory. Then you can generate a new set of sendmail configuration files with the following command:

$ sudo sendmailconfig

The sendmailconfig script processes the files in the /etc/mail directory, with a series of questions. The first question is a bit misleading, as there's no sendmail.conf configuration file, but the question should be accepted to enable sendmailconfig to process the other files.

Configure sendmail with the existing /etc/mail/sendmail.conf? [Y] Y

Next, you're asked whether to use the current sendmail.mc macro file:

Configure sendmail with the existing /etc/mail/sendmail.mc? [Y] Y

And finally, you're prompted to reload the currently running sendmail service:

Reload the running sendmail now with the new configuration? [Y] Y

If there are errors, you can find them in the /etc/mail/sendmail.cf.errors file. Read this file and follow the suggestions. The default configuration leads to errors such as this:

If you configure the MAILER directives at the end of the /etc/mail/sendmail.mc macro file, the errors will disappear the next time you run the sudo sendmailconfig command.
