Configuring Sendmail on Linux
I am writing this from a Red Hat based distro, CentOS to be exact, so this should apply to any similar Linux distribution. If you are using Red Hat Enterprise, CentOS or Fedora Core, you should be OK. Note though that I am not as familiar with recent Fedora Core releases, so things may have changed there.
Sendmail should be on the box by default; it comes with a standard install and frankly, I'm not sure you can do a standard install without it. There are folk who push for postfix or exim or whatever, but good old reliable sendmail has worked well for me for years, so that's what I examine here. I use it for all of my company's email needs, and have used it in the past for hosting mail services for thousands of users at an ISP.
To get started, we have to configure sendmail. Below I walk through what I do.
Locate and edit the sendmail.mc file
Luckily, we don't have to edit the sendmail.cf file directly; it's a nightmare. Instead we edit the sendmail.mc file, which holds a list of macro commands, and run it through the m4 macro processor to generate sendmail.cf. All the files live in /etc/mail, although some versions put sendmail.cf in /etc itself. If you can't find them, use the find command to locate them (find / -name sendmail.mc). Here I detail some basic changes I make to sendmail.mc, and why.
I uncomment (remove the dnl from the front of) these lines in the default config.
Determine how long a message can be undeliverable before we warn and then give up:
define(`confTO_QUEUEWARN', `4h')dnl
define(`confTO_QUEUERETURN', `5d')dnl
By default it sends a warning when a message has been undeliverable for four hours, and then gives up delivery altogether after five days. If you have lots of users and lots of mail, holding undeliverable messages that long eats up a good bit of disk, CPU time and network bandwidth dealing with all of the spam out there, just an observation I have had.
The delay_checks feature determines (among other things) at which point in the SMTP transaction the DNSBL checks run, before or after authentication.
One important thing is to set the greeting shown when someone connects to the mail server. It is not mandatory for operation, but unlike the default this greeting doesn't give out the version and other information that could be useful to a potential attacker:
define(`confSMTP_LOGIN_MSG', `$j server ready at $b')dnl
I always add DNS blocklist (DNSBL) checks; these look up the connecting host on an active block list and reject the session if it is listed. Again, not mandatory for operation, but it helps cut down on spam. Do check that each list you configure is still operated: a DNSBL that has shut down may stop answering or, worse, start answering positively for every query, which would make the server reject all incoming mail:
FEATURE(dnsbl, `relays.ordb.org', `Rejected - see http://ordb.org/')dnl
FEATURE(dnsbl, `list.dsbl.org', `Rejected - see http://dsbl.org/')dnl
FEATURE(dnsbl, `relays.visi.com', `Rejected - see http://relays.visi.com/')dnl
FEATURE(dnsbl, `bl.spamcop.net', `Rejected - see http://bl.spamcop.net/')dnl
I comment out (add dnl to the front of) this line:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
By default this limits SMTP to the loopback interface. I then add a line in its place that allows the server to accept connections from outside, so in the end it looks like this:
I also comment out (add dnl to the front of) this feature, to help stop even more spam:
This basically says that if the domain of the sender (whatever is to the right of the @) does not resolve to an IP address properly, as you see with the fake domains spammers use, don't accept the message.
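As an added example (not from the original post), here is a shell script that applies all of the sendmail.mc edits above in one go with a sed script and then checks that each one landed. It assumes the stock layout of one directive per line and that a confSMTP_LOGIN_MSG line (commented out or not) is already present; the sample sendmail.mc at the end is constructed, not copied from a real system.

```shell
# Added example, not from the original post: apply the sendmail.mc edits
# described above with one sed script, then verify the result.
set -e
# harden_mc FILE : rewrite FILE in place with the edits described above.
# Assumes one directive per line (stock Red Hat layout) and that a
# confSMTP_LOGIN_MSG line, commented out or not, already exists.
harden_mc() {
    script=$(mktemp)
    cat >"$script" <<'EOF'
# 1. uncomment the queue warn/return timeouts (drop the leading "dnl ")
/^dnl define(`confTO_QUEUEWARN'/s/^dnl //
/^dnl define(`confTO_QUEUERETURN'/s/^dnl //
# 2. replace the greeting with one that gives away no version information
/confSMTP_LOGIN_MSG/c\
define(`confSMTP_LOGIN_MSG', `$j server ready at $b')dnl
# 3. comment out the loopback-only listener and add one for all addresses
/^DAEMON_OPTIONS(`Port=smtp,Addr=127\.0\.0\.1, Name=MTA')dnl/{
s/^/dnl /
a\
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
}
# 4. comment out the feature so unresolvable sender domains are rejected
/^FEATURE(`accept_unresolvable_domains')dnl/s/^/dnl /
EOF
    sed -f "$script" "$1" >"$1.new" && mv "$1.new" "$1"
    rm -f "$script"
}
# check_mc FILE : succeed only if every intended change is in place
# ("." stands in for the m4 quote characters to keep the patterns simple).
check_mc() {
    grep -q '^define(.confTO_QUEUEWARN., .4h.)dnl' "$1" &&
    grep -q '^define(.confTO_QUEUERETURN., .5d.)dnl' "$1" &&
    grep -q '^define(.confSMTP_LOGIN_MSG., .$j server ready at $b.)dnl' "$1" &&
    grep -q '^dnl DAEMON_OPTIONS(.Port=smtp,Addr=127\.0\.0\.1, Name=MTA' "$1" &&
    grep -q '^DAEMON_OPTIONS(.Port=smtp, Name=MTA.)dnl' "$1" &&
    grep -q '^dnl FEATURE(.accept_unresolvable_domains' "$1"
}
# make_sample_mc FILE : write a constructed, minimal stand-in for sendmail.mc.
make_sample_mc() {
    cat >"$1" <<'EOF'
OSTYPE(`linux')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail $v/$Z; $b')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
EOF
}
```

Run it against a copy of the real file first (cp sendmail.mc /tmp/sendmail.mc.test) and diff the result before touching /etc/mail.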
Create the sendmail.cf file
From the /etc/mail directory, back up the current sendmail.cf and then create the new one like this:
cp sendmail.cf sendmail.cf_`date +%m%d%y_%H%M%S`
m4 sendmail.mc > sendmail.cf
You can simply view the m4 output by doing this:
Configure the /etc/mail/local-host-names file
In /etc/mail there is a file called local-host-names. It tells sendmail which domains it accepts mail for, so any hostname that is going to receive mail needs to be in here. For example, if you are setting up the server to handle mail for @flintstones.com, you have to put flintstones.com in that file, or the mail server will refuse the mail with a mail-loop error ("mail loops back to me"), because it is receiving mail for a domain it doesn't know about.
Configure the /etc/mail/virtusertable file
The virtusertable is a cool file. It lets you specify mail users and how they get their mail, including wildcards. Say you create a user account named fred and want it to receive mail for flintstones.com; you would put this in the virtusertable:
It is a map from email address to user. You can even map an address to another email address rather than a local user, if you want to set up a mail forward at the server level.
One thing I do is add a catch-all, placed after all the legitimate users, in case someone spells a username wrong; you can also point the catch-all at /dev/null. I add this to catch any other usernames coming in for my domain and send them to a user named deadletter that I created just for that purpose:
Alternatively you can just dump the mail, and not waste time generating and sending reject messages:
Once you have the virtusertable set up to your liking, build the database (hash) from the file. The hash is what sendmail actually reads; use this command to build it:
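As an added example (not from the original post), here is a small shell function that resolves an address the way a virtusertable lookup does, so you can check a mapping before building the hash. It is simplified to the two lookups used above, the exact address first and then an @domain catch-all (where %1 stands for the local part); the sample table is constructed, and "deadletter" is the catch-all user from the text.

```shell
# Added example, not from the original post: resolve an address through a
# virtusertable the way sendmail does (exact key first, then @domain).
# vt_lookup FILE ADDRESS : print the target ADDRESS maps to, or ADDRESS
# itself when the table has no entry for it (sendmail then handles it normally)
vt_lookup() {
    awk -v addr="$2" '
    /^[ \t]*(#|$)/ { next }                  # skip blank and comment lines
    { key = $1; $1 = ""; sub(/^[ \t]+/, ""); map[tolower(key)] = $0 }
    END {
        addr = tolower(addr)                 # sendmail matches case-insensitively
        n = index(addr, "@")
        user = substr(addr, 1, n - 1)        # local part, substituted for %1
        dom = substr(addr, n)                # "@domain", the catch-all key
        if (addr in map)     out = map[addr]
        else if (dom in map) { out = map[dom]; gsub(/%1/, user, out) }
        else                 out = addr
        print out
    }' "$1"
}
# make_sample_vt FILE : write a constructed virtusertable for trying this out.
# error:nouser is the sendmail form for rejecting an address with a
# "no such user" error instead of delivering it.
make_sample_vt() {
    cat >"$1" <<'EOF'
# constructed example, not a real deployment
fred@flintstones.com      fred
barney@flintstones.com    barney@rubble.example
nobody@flintstones.com    error:nouser No such user here
@bedrock.example          %1@flintstones.com
@flintstones.com          deadletter
EOF
}
```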
makemap hash virtusertable < virtusertable
This should make a file called virtusertable.db, alongside your text file.
Configure the access file
There is a file called access, and its function is to control who can relay mail. In its simplest form, you add the network that is allowed to send mail and tell sendmail that it can relay. For example, for our 10.10.10.x network, we would add:
This allows the whole 10.10.10.x network to relay mail through your server. You can REJECT the same way, and you can specify a single IP, a subnet or even hostnames; just use REJECT instead of RELAY. As with the virtusertable, when you are done you have to create the hash:
makemap hash access < access
This should create the access.db file alongside your text file.
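As an added example (not from the original post), here is a shell function that looks up a connecting host in the access file the way sendmail does, most specific key first, so you can see which rule a given IP or hostname will hit before building the hash. It assumes the untagged key form used above (no Connect:/From:/To: prefixes); the sample access file is constructed.

```shell
# Added example, not from the original post: look up a host in the access
# file using sendmail's most-specific-key-first order.
# access_lookup FILE HOST_OR_IP : print the action that applies, or "none"
access_lookup() {
    awk -v key="$2" '
    /^[ \t]*(#|$)/ { next }                  # skip blank and comment lines
    { k = $1; $1 = ""; sub(/^[ \t]+/, ""); act[tolower(k)] = $0 }
    END {
        k = tolower(key)
        while (1) {
            if (k in act) { print act[k]; exit }
            # fall back to the next less specific key, as sendmail does:
            #   10.10.10.66 -> 10.10.10 -> 10.10 -> 10
            #   mail.flintstones.com -> flintstones.com -> com
            if (k ~ /^[0-9.]+$/) n = sub(/\.[0-9]+$/, "", k)
            else                 n = sub(/^[^.]*\./, "", k)
            if (!n) break                    # nothing left to strip
        }
        print "none"
    }' "$1"
}
# make_sample_access FILE : write a constructed access file for trying this out.
# The 10.10.10 line relays the whole 10.10.10.x network as in the text; the
# single-host REJECT below it shows that the more specific key wins.
make_sample_access() {
    cat >"$1" <<'EOF'
# constructed example, not a real deployment
localhost               RELAY
127.0.0.1               RELAY
10.10.10                RELAY
10.10.10.66             REJECT
spammer.example         REJECT
flintstones.com         OK
EOF
}
```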
Now we are ready!
Restart and test!
Restart the sendmail daemon like so:
Test it out and drive on.