As with most complex Linux services, sendmail components can be installed from a number of RPM packages. There are many key configuration files, over and above the sendmail.cf configuration file and the sendmail.mc macro file from which it is generated.
With the latest version of sendmail, the configuration is split into two parts. The sendmail daemon (the mail transfer agent, which receives mail from the network and relays it) uses sendmail.cf. The mail submission program, the copy of sendmail that local users and programs invoke to send mail, uses submit.cf.
Once you get sendmail up and running, you can modify various configuration files to promote security.
This is far from a comprehensive discussion on sendmail; there are 1000-page books available just on this service. One good reference is Linux Sendmail Administration, by Craig Hunt (Sybex, 2001).
The only RPM you need for a working sendmail configuration is sendmail-*, which is installed by default. The available sendmail packages are listed in Table 26.1; as you might remember from Chapter 10, you can use the rpm -q packagename command to see whether a package is installed, and the rpm -ql packagename command to list the files it contains.
Table 26.1  sendmail RPM packages

Package             Description
sendmail-*          The sendmail MTA software
sendmail-cf-*       Tools and templates for creating a wide variety of sendmail configuration files
sendmail-devel-*    Development libraries for sendmail
sendmail-doc-*      Release notes, FAQ, and other sendmail documentation
There is more to sendmail than just the basic configuration file, sendmail.cf , and the macro file, sendmail.mc . As with many other daemons, sendmail has a control file in /etc/sysconfig . You can set it to forward e-mail to a different user through /etc/aliases . Many other configuration files are stored in /etc/mail .
The /etc/sysconfig/sendmail file is fairly simple:

    DAEMON=yes
    QUEUE=1h

The DAEMON=yes entry makes the init script start sendmail as a daemon (sendmail -bd) that listens for SMTP connections on TCP port 25. Which addresses it listens on is decided by the DAEMON_OPTIONS line in sendmail.mc; in the default configuration that is the loopback address only. The QUEUE=1h entry (sendmail -q1h) tells sendmail to attempt delivery of queued mail every hour.
The /etc/aliases file is also simple: each line names an address on the left and, after a colon, the user or address that should actually receive the mail. For example, mail sent to a service account such as ftp@localhost is redirected to root@localhost by the stock entry:

    ftp:            root

Or you can redirect mail addressed to a former employee to a current one. After editing the file, run the newaliases command so that sendmail rebuilds the aliases.db database it actually reads.
There are a number of files in /etc/mail that you can use to configure sendmail or to set up databases that regulate how sendmail works. To enable one of these files you generally need a corresponding FEATURE entry in the sendmail.mc macro file. Where there is a .db file, the text file is the source you edit and the .db file is what sendmail reads; you convert one to the other with the makemap command, which takes the text file on its standard input and writes the hashed database.
access and access.db  Lists domains, e-mail addresses, or network numbers and the action sendmail should take for mail from (or connections from) each source. DISCARD accepts the mail and then silently drops it, REJECT refuses it with an error message, OK accepts it even if other checks would have rejected it, and RELAY additionally lets that source use your server to relay mail to other destinations. A domain entry also matches its subdomains. You can minimize unwanted e-mail by dropping or rejecting mail from specific domains or addresses; keep RELAY entries to your own hosts and networks, because a RELAY entry for an untrusted source turns your server into an open relay. Look at the /etc/mail/access file for examples.
domaintable and domaintable.db  Maps an old domain name to a new one. These files are useful if you've changed your domain name and others are still sending e-mail to your users' old addresses. If you've just converted your domain name from dictatorsrus.com to democracyisus.com, you could add the following line to your domaintable file:

    dictatorsrus.com        democracyisus.com
helpfile  Provides the text that sendmail returns for the SMTP HELP command. You can see it by connecting with the telnet localhost 25 command and typing HELP; note that the text includes the sendmail version, one of several places a remote user can learn it.
local-host-names  Lists the other hostnames and domains for which this server should accept mail as local. Just enter each name on its own line; the use_cw_file FEATURE in sendmail.mc, shown later, is what makes sendmail read this file.
mailertable and mailertable.db  Routes mail for a given domain to a specific mailer and host, overriding the DNS MX lookup sendmail would otherwise do; rarely needed on a small server.
Makefile  Used by the make -C /etc/mail command shown later in this chapter: it regenerates sendmail.cf and submit.cf from the .mc files and rebuilds the .db maps from their text sources, so you don't have to run m4 and makemap by hand.
sendmail.cf and sendmail.mc Allows you to configure sendmail; sendmail.cf is the configuration file; sendmail.mc is a macro file that can be processed into the configuration file. More information on these files is available later in this chapter.
statistics Contains statistics for sendmail usage. Run the mailstats command to read this file.
submit.cf and submit.mc  Configures the mail submission program, the copy of sendmail that local users and programs run to hand mail to the daemon. The syntax in submit.mc is the same as in sendmail.mc. More information on submit.mc is available later in this chapter.
trusted-users  Lists users who may set the envelope sender address (sendmail -f) without sendmail adding an X-Authentication-Warning header to the message; it is read when the use_ct_file FEATURE is active. Rarely needed: any user can already put what they like in a From: header, so all this grants is the suppression of the warning, and you should think hard before granting even that.
virtusertable and virtusertable.db  Maps addresses in the domains you host to local users or to outside addresses. It is similar to /etc/aliases but keyed on the full address, so each virtual domain can, for example, have its own postmaster.
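As an added example (not from the book or from sendmail),the following Python script simulates the lookup sendmail performs against the access map for a sender address or a connecting IP address, using the order described above: the exact address first, then the domain and each parent domain (so a domain entry covers its subdomains), then the user@ form; for a connecting address the octets are dropped from the right. The sample access file is constructed for the example, the domain names are reserved test names, and the lookup order is a model of the check_mail ruleset rather than sendmail's own code. Run it against your own /etc/mail/access before you run makemap to confirm that an entry matches what you intend:

```python
"""Simulate the access_db lookup sendmail applies to a sender address.

Added example, not sendmail's code. It reproduces the lookup order the
check_mail ruleset uses for a sender: the full address, then the domain and
each of its parent domains, then the user@ form. For a connecting IP address
the octets are dropped from the right. Tags (From:, Connect:, To:) are not
modelled; the keys are untagged, as in the stock /etc/mail/access.
"""

# Constructed sample of an /etc/mail/access text file. The localhost and
# 127.0.0.1 lines mirror the stock file; the rest are made up for the example.
SAMPLE_ACCESS = """\
# by default we allow relaying from localhost...
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
spammer@example.net     REJECT
example.net             OK
cyberspammer.test       REJECT
junk.test               DISCARD
okay@                   OK
10.1.2                  RELAY
"""


def parse_access(text):
    """Return {key: action}. A key with no action is reported here as an
    error instead of being discovered later in the makemap output."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"access line {lineno}: key without action: {raw!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def sender_keys(address):
    """Keys in the order sendmail tries them for a sender address."""
    user, _, domain = address.lower().rpartition("@")
    keys = [address.lower()] if user else []
    labels = domain.split(".")
    # host.example.net, example.net, net: a domain key matches its subdomains
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    if user:
        keys.append(user + "@")
    return keys


def connect_keys(ip):
    """Keys for a connecting IPv4 address: 10.1.2.77, 10.1.2, 10.1, 10."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def lookup(table, keys):
    """The first key present wins; returns (matched_key, action) or None."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None


def sender_decision(table, address):
    return lookup(table, sender_keys(address))


def connect_decision(table, ip):
    return lookup(table, connect_keys(ip))


def explain(decision):
    """Turn a lookup result into what the SMTP client would experience."""
    if decision is None:
        return "no entry: normal relaying rules apply"
    key, action = decision
    meaning = {
        "OK": "accepted even if other checks would reject it",
        "RELAY": "accepted, and this source may relay through us",
        "REJECT": "refused with a 550 error",
        "DISCARD": "accepted, then silently dropped",
    }.get(action.split()[0], f"custom response: {action}")
    return f"matched {key}: {meaning}"


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for sender in ("spammer@example.net", "x@mail.cyberspammer.test",
                   "okay@junk.test", "okay@nowhere.invalid"):
        print(f"{sender:28} {explain(sender_decision(table, sender))}")
    print(f"{'connect 10.1.2.77':28} {explain(connect_decision(table, '10.1.2.77'))}")
```

The okay@junk.test case is the one worth noticing: the domain entry (DISCARD) wins over the user@ entry (OK) because the domain is consulted first, so a per-user exception cannot override a domain-wide block in this table.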
The /etc/mail/sendmail.cf configuration file can be intimidating; it is on the order of 2000 lines long. By comparison, the /etc/mail/sendmail.mc file, at about 70 lines, is easy to read and understand. Once you've configured this file to your liking, you can use an appropriate make command or the m4 macro processor to generate the custom sendmail.cf file that you need. Take a look at this file; I've included additional comments where appropriate. As you probably won't need to modify most of this file, my comments are limited. As sendmail is a complex topic, please refer to Linux Sendmail Administration, by Craig Hunt, for more information.
The quote marks inside the parentheses in sendmail.mc may not be what you expect: an argument starts with a back quote (`) and ends with a single quote ('). The back quote is the character above the Tab key on a U.S. keyboard. An unbalanced pair is a common reason for m4 to fail or to produce a broken sendmail.cf, so check the quotes first when a rebuild goes wrong.
The divert(-1) command is the standard way to start the sendmail.mc file: m4 discards everything it would otherwise output until it reaches divert(0), so the comments between the two never reach sendmail.cf.
All lines that start with dnl are comments. dnl (delete to new line) makes m4 discard the rest of the line, which is also why most macro calls end with dnl: it stops the newline after the call from leaking into the output. These particular comments describe one way to process the sendmail.mc file; alternatively, you can regenerate /etc/mail/sendmail.cf with the m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf command.
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
The following include command pulls in cf.m4 from /usr/share/sendmail-cf/m4, which defines every macro used in the rest of the file. That directory is installed by the sendmail-cf-* RPM, so without it m4 fails with an include error.
The VERSIONID is the label associated with each sendmail configuration file
VERSIONID(`setup for Red Hat Linux')dnl
Naturally, the OSTYPE command specifies the operating system, in this case linux; it pulls in the Linux-specific defaults (file locations, mailer paths) from the sendmail-cf package:

    OSTYPE(`linux')dnl
The define command shown below routes all outgoing mail through a relay (a "smart host"), typically your ISP's outgoing mail server. If you want to activate this command, delete the dnl in front of define and replace smtp.your.provider with the name of that server.

    dnl #
    dnl # Uncomment and edit the following line if your outgoing mail needs to
    dnl # be sent out through an external mail server:
    dnl #
    dnl define(`SMART_HOST',`smtp.your.provider')
    dnl #
Generally, no changes are required to the commands shown below; see Linux Sendmail Administration for more information. One line is worth understanding, though: confPRIVACY_FLAGS. novrfy and noexpn disable the SMTP VRFY and EXPN commands, which would otherwise let anyone on the network confirm which addresses exist on your server; authwarnings adds an X-Authentication-Warning header to messages that look forged; restrictqrun limits who may process the mail queue.

    define(`confDEF_USER_ID',``8:12'')dnl
    define(`confTRUSTED_USER', `smmsp')dnl
    dnl define(`confAUTO_REBUILD')dnl
    define(`confTO_CONNECT', `1m')dnl
    define(`confTRY_NULL_MX_LIST',true)dnl
    define(`confDONT_PROBE_INTERFACES',true)dnl
    define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
    define(`ALIAS_FILE', `/etc/aliases')dnl
    dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
    define(`UUCP_MAILER_MAX', `2000000')dnl
    define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
    define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
The two define(`confAUTH_OPTIONS', ...) commands shown below are alternatives; only one should be active. The A flag tells sendmail to honor the AUTH= parameter on the MAIL FROM command only from clients that actually authenticated. The p flag means the PLAIN and LOGIN mechanisms, which send the password in the clear, are offered only once a security layer (TLS) has been negotiated on the connection. TLS is Transport Layer Security, the successor to SSL, the Secure Sockets Layer.

    define(`confAUTH_OPTIONS', `A')dnl
    dnl #
    dnl # The following allows relaying if the user authenticates, and disallows
    dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
    dnl #
    dnl define(`confAUTH_OPTIONS', `A p')dnl
    dnl #
    dnl # PLAIN is the preferred plaintext authentication method and used by
    dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
    dnl # use LOGIN. Other mechanisms should be used if the connection is not
    dnl # guaranteed secure.
    dnl #
If you need to keep passwords off the wire, that is, to refuse PLAIN and LOGIN authentication on connections that are not protected by TLS, swap the dnl between these two commands so they read:

    dnl define(`confAUTH_OPTIONS', `A')dnl
    define(`confAUTH_OPTIONS', `A p')dnl

Remember that the p flag only works if the certificate settings described below are configured too; without a certificate sendmail cannot offer STARTTLS, and PLAIN and LOGIN will then never be available to any client.
Now let's continue with the default sendmail.mc file. The following two commands relate to SMTP authentication (SMTP AUTH), which lets a client prove who it is before sendmail relays for it. TRUST_AUTH_MECH lists the mechanisms whose successful use entitles a client to relay; confAUTH_MECHANISMS lists the mechanisms sendmail offers at all. Both are commented out by default, so the confAUTH_OPTIONS setting above has no effect until you activate them (they depend on the Cyrus SASL library that sendmail is built against):

    dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
The following defines point sendmail at a bundle of CA certificates and at its own certificate and private key. This is what enables STARTTLS on the listeners described below, and it is required for the smtps listener. For more information on SSL certificates, see Chapter 30; the certificates that you create in that chapter for Apache can also be used here. Note that the key file named by confSERVER_KEY must be readable by root only; sendmail refuses to use a key that other users can read (the groupreadablekeyfile option that follows is the one exception).

    dnl #
    dnl # Rudimentary information on creating certificates for sendmail TLS:
    dnl #     make -C /usr/share/ssl/certs usage
    dnl #
    dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
    dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
    dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
    dnl define(`confSERVER_KEY', `/usr/share/ssl/certs/sendmail.pem')
    dnl #
The following define relaxes sendmail's permission check on its private key so that the key file can be group-readable by the ldap group and shared with OpenLDAP's slapd. Leave it commented out unless you actually share the key; otherwise sendmail's insistence on a root-only key file is protecting you. Full integration of sendmail with the Lightweight Directory Access Protocol (LDAP), which can supply detailed user information and replace the /etc/aliases and /etc/mail/virtusertable.db files shown below, is a complex topic beyond the scope of this book.

    dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
    dnl # slapd, which requires the file to be readable by group ldap
    dnl #
    dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
    dnl #
The following commands govern what happens to mail that cannot be delivered right away, and how sendmail behaves under load. confTO_QUEUEWARN is how long a message may sit in the queue before the sender is warned, confTO_QUEUERETURN how long before it is bounced; confQUEUE_LA is the system load average above which sendmail only queues mail, and confREFUSE_LA the load above which it refuses connections. confTO_IDENT of 0 disables IDENT lookups of connecting clients, which otherwise add a delay to every connection. delay_checks changes the order of the anti-spam checks, and no_default_msa stops sendmail from defining a submission listener on its own, so that the DAEMON_OPTIONS line for port 587 later in the file is the only one.

    dnl define(`confTO_QUEUEWARN', `4h')dnl
    dnl define(`confTO_QUEUERETURN', `5d')dnl
    dnl define(`confQUEUE_LA', `12')dnl
    dnl define(`confREFUSE_LA', `18')dnl
    define(`confTO_IDENT', `0')dnl
    dnl FEATURE(delay_checks)dnl
    FEATURE(`no_default_msa',`dnl')dnl
The smrsh FEATURE makes sendmail run programs named in /etc/aliases and in users' .forward files through smrsh, the sendmail restricted shell, rather than /bin/sh. smrsh only executes programs that have been linked into /etc/smrsh (procmail, for instance), so a forwarding entry cannot be used to run an arbitrary command. The mailertable, virtusertable and access_db FEATUREs attach the databases described earlier in the chapter; blacklist_recipients extends the access map so that REJECT entries also block mail addressed to a listed address or domain, not only mail from it.

    FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
    FEATURE(`mailertable',`hash -o/etc/mail/mailertable.db')dnl
    FEATURE(`virtusertable',`hash -o/etc/mail/virtusertable.db')dnl
    FEATURE(redirect)dnl
    FEATURE(always_add_domain)dnl
    FEATURE(use_cw_file)dnl
    FEATURE(use_ct_file)dnl
    dnl #
    dnl # The -t option will retry delivery if e.g. the user runs over his quota.
    dnl #
    FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
    FEATURE(`access_db',`hash -T<TMPF> -o/etc/mail/access.db')dnl
    FEATURE(`blacklist_recipients')dnl
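The alias-to-program delivery that smrsh restricts is easiest to see by expanding /etc/aliases the way sendmail does. The following Python script is an added example, not code from the book or from sendmail: it resolves alias chains such as the ftp to root entry shown earlier in the chapter, reports loops, and lists every target that is a program, a file or an :include: file, which are the entries that smrsh and file permissions govern. The sample aliases are constructed (only the system aliases mirror the stock file), .forward files and the owner- convention are not modelled, and the smrsh_program helper only reproduces the rule that smrsh strips the directory from the command and looks the name up in /etc/smrsh:

```python
"""Expand /etc/aliases the way sendmail does and flag the risky targets.

Added example, not sendmail's code. Aliases chain (ftp -> root -> a person),
can loop, and can deliver to a program or a file rather than a mailbox. The
program case is what FEATURE(smrsh) exists for: only programs linked into
/etc/smrsh may run. This resolver follows each chain, reports loops, and
lists every program, file and :include: delivery for review. .forward files
and the owner- convention are not modelled.
"""
import os
import re

# Constructed sample. mailer-daemon, postmaster and ftp mirror the stock
# Red Hat file; the remaining entries are invented for the example.
SAMPLE_ALIASES = """\
# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     root
ftp:            root
# Person who should get root's mail
root:           marc
webmaster:      alice, bob@example.org
alice:          alice@mail.example.org
noc:            webmaster, "|/usr/bin/procmail -m /etc/procmailrcs/noc"
archive:        /var/mail/archive, :include:/etc/mail/archive-list
loop1:          loop2
loop2:          loop1
"""


def split_targets(s):
    """Split on commas outside double quotes, then drop the quotes."""
    parts = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', s)
    return [p.strip().strip('"') for p in parts if p.strip()]


def parse_aliases(text):
    """name -> [targets]; a line starting with whitespace continues the previous entry."""
    aliases, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            aliases[current].extend(split_targets(raw))
            continue
        name, _, rest = raw.partition(":")
        current = name.strip().lower()
        aliases[current] = split_targets(rest)
    return aliases


def classify(target):
    """Kind of delivery a single right-hand-side token represents."""
    if target.startswith("|"):
        return "program", target[1:].strip()
    if target.startswith(":include:"):
        return "include", target[len(":include:"):]
    if target.startswith("/"):
        return "file", target
    if "@" in target:
        return "remote", target
    return "local", target.lower()


def expand(aliases, name):
    """Resolve one address: (sorted [(kind, target)], [loop descriptions])."""
    deliveries, loops = set(), []

    def walk(target, path):
        kind, value = classify(target)
        if kind != "local" or value not in aliases:
            deliveries.add((kind, value))   # final delivery, nothing more to expand
            return
        if value in path:
            loops.append(" -> ".join(path + [value]))
            return
        for nxt in aliases[value]:
            walk(nxt, path + [value])

    walk(name, [])
    return sorted(deliveries), loops


def risky_deliveries(aliases):
    """(alias, kind, target) for every program, file or :include: target
    reachable from any alias; these are what smrsh and file permissions govern."""
    found = set()
    for name in aliases:
        for kind, target in expand(aliases, name)[0]:
            if kind in ("program", "file", "include"):
                found.add((name, kind, target))
    return sorted(found)


def smrsh_program(command):
    """Name that must be linked in /etc/smrsh for this command to run: smrsh
    discards any directory on the first word and looks for it there."""
    return os.path.basename(command.split()[0])


if __name__ == "__main__":
    table = parse_aliases(SAMPLE_ALIASES)
    for alias, kind, target in risky_deliveries(table):
        extra = f" (needs /etc/smrsh/{smrsh_program(target)})" if kind == "program" else ""
        print(f"{alias}: {kind} {target}{extra}")
    print("loops:", expand(table, "loop1")[1])
```

Run it over your real /etc/aliases (or a copy of it) after any change: the program list is what you must reconcile against the links in /etc/smrsh, and a loop reported here would otherwise only show up as an "aliasing/forwarding loop broken" error at delivery time.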
The EXPOSED_USER command exempts root from the masquerading configured later in the file: mail from root keeps the real host name rather than the masqueraded domain, so when root's mail (cron output, security reports) arrives you can see which machine sent it.

    EXPOSED_USER(`root')dnl
    dnl #
    dnl # The following causes sendmail to only listen on the IPv4 loopback address
    dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
    dnl # address restriction to accept email from the internet or intranet.
    dnl #
By default, sendmail listens for and accepts e-mail only from the local computer, because this DAEMON_OPTIONS command binds the daemon to the loopback address. If you want this sendmail server to work for other computers on your network, remove the Addr=127.0.0.1 part of the line so that it listens on every interface. Before you do, make sure /etc/mail/access grants RELAY only to your own hosts and networks; a server that listens on the network and relays for anyone is an open relay.

    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
    dnl #
    dnl # The following causes sendmail to additionally listen to port 587 for
    dnl # mail from MUAs that authenticate. Roaming users who can't reach their
    dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
    dnl # this useful.
    dnl #
If you activate the following DAEMON_OPTIONS command, sendmail adds a message submission listener on TCP port 587 for mail clients that authenticate with an account name and password. The modifiers in M=Ea are what make this port different from port 25: a means authentication is required before a message is accepted, and E disables the ETRN command on this listener.

    dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
    dnl #
    dnl # The following causes sendmail to additionally listen to port 465, but
    dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
    dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
    dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
    dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
    dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
    dnl #
    dnl # For this to work your OpenSSL certificates must be configured.
    dnl #
Activating this command adds a separate listener on port 465 (smtps) that starts TLS as soon as a client connects (M=s). It does not force encryption on ports 25 and 587, where clients negotiate TLS with STARTTLS once the certificates above are configured. As the comments note, the port exists for clients that cannot do STARTTLS where they need it: Outlook Express cannot use STARTTLS on port 587, and Evolution before version 1.1.1 only supports smtps, so you need this listener if your users run those clients.

    dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
    dnl #
    dnl # The following causes sendmail to additionally listen on the IPv6 loopback
    dnl # device. Remove the loopback address restriction to listen to the network.
    dnl #
    dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
    dnl #       a kernel patch
    dnl #
Activate the command shown below if you've configured your network to use IPv6, as described in Chapter 20. It is the IPv6 equivalent of the default command noted earlier that accepts e-mail only from the local computer.

    dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
    dnl #
    dnl # We strongly recommend not accepting unresolvable domains if you want to
    dnl # protect yourself from spam. However, the laptop and users on computers
    dnl # that do not have 24x7 DNS do need this.
    dnl #
This FEATURE tells sendmail to accept mail even when the domain in the sender's address cannot be found in DNS. Without it, sendmail rejects such mail with a "Domain of sender address does not exist" error, which blocks a good deal of spam but also blocks all mail whenever your DNS server is unreachable. Keep the command as is only if this machine lacks reliable access to a DNS server (a laptop, for example); on a permanently connected server, comment it out.

    FEATURE(`accept_unresolvable_domains')dnl
    dnl #
This FEATURE, if activated, lets sendmail relay mail for any domain whose MX record in DNS points at this server (see Chapter 24 for more information on DNS). That sounds convenient, but anyone who controls a domain can point its MX record at your server and then relay through you, so prefer explicit RELAY entries in /etc/mail/access for the domains you really serve.

    dnl FEATURE(`relay_based_on_MX')dnl
    dnl #
    dnl # Also accept email sent to "localhost.localdomain" as local email.
    dnl #
The LOCAL_DOMAIN command specifies an additional name for the local computer; localhost.localdomain is a default alias in /etc/hosts.

    LOCAL_DOMAIN(`localhost.localdomain')dnl
    dnl #
    dnl # The following example makes mail from this host and any additional
    dnl # specified domains appear to be sent from mydomain.com
    dnl #
The MASQUERADE_AS command rewrites the host part of the sender addresses in your outgoing mail, so that mail from any machine in your network appears to come from the name you specify. If you activate this command, change mydomain.com to the name you want. For example, if I'm on the mommabears.com network, I could set MASQUERADE_AS to linux.mommabears.com. The masquerade_envelope FEATURE extends the rewrite from the message headers to the envelope sender as well, which means bounces go to the masqueraded domain, so make sure that domain's mail server accepts them.

    dnl MASQUERADE_AS(`mydomain.com')dnl
    dnl #
    dnl # masquerade not just the headers, but the envelope as well
    dnl #
    dnl FEATURE(masquerade_envelope)dnl
    dnl #
    dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
    dnl #
    dnl FEATURE(masquerade_entire_domain)dnl
    dnl #
With the MASQUERADE_DOMAIN command, you can tell sendmail to rewrite addresses in other domains the same way. For example, these commands, if active, rewrite e-mail from localhost, localhost.localdomain, mydomainalias.com and mydomain.lan to the domain specified earlier with the MASQUERADE_AS command.

    dnl MASQUERADE_DOMAIN(localhost)dnl
    dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
    dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
    dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
The MAILER commands at the end of the file declare the delivery agents sendmail may use: SMTP for mail to other hosts and procmail for local delivery.
Before you start, it s a good idea to make backups of your sendmail.cf and sendmail.mc files in your /etc/mail directory.
There are two lines you should consider changing in the default sendmail.mc configuration file. First, this DAEMON_OPTIONS line restricts the sendmail daemon to accepting connections on the loopback address, 127.0.0.1, so only mail submitted on this computer is accepted:

    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

To serve other computers, remove the Addr=127.0.0.1 part and keep the rest of the line. Before you do, make sure /etc/mail/access grants RELAY only to your own hosts and networks; an unrestricted listener combined with permissive relay rules is an open relay.

Second, if you have reliable DNS access and a permanent Internet connection, comment out the following line by putting dnl in front of it. As long as it is active, sendmail accepts mail whose sender domain does not exist in DNS; once you regenerate sendmail.cf and restart the sendmail service, sendmail rejects such mail:

    FEATURE(`accept_unresolvable_domains')dnl
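Because every security-relevant decision in this file depends on which lines are still prefixed with dnl, it helps to have a script that reads sendmail.mc the way m4 does and reports what is actually in effect. The following Python script is an added example, not from the book or from sendmail. It honors the two m4 rules explained earlier (an unquoted dnl discards the rest of the line; arguments are quoted with a back quote and a single quote) and then checks the settings this chapter discusses: the p flag of confAUTH_OPTIONS, whether a server certificate and key are defined, the DAEMON_OPTIONS bindings, accept_unresolvable_domains, relay_based_on_MX, smrsh, and the novrfy and noexpn privacy flags. Both configuration samples are constructed for the example: the first is a trimmed copy of the default file, the second shows the same settings corrected for a server that accepts mail from the network.

```python
"""Audit the active settings in a sendmail.mc before running make -C /etc/mail.

Added example, not part of the book or of sendmail. It applies two m4 rules
from the text: a line is discarded from an unquoted dnl token to its end, and
arguments are quoted with a back quote and a single quote (`like this'), so a
setting still commented out with dnl is correctly treated as inactive.
"""
import re

# Constructed, trimmed copy of the stock file with its m4 quotes intact.
STOCK_MC = """\
dnl # lines beginning with dnl, like this one, are not in effect
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
"""

# The same file edited to serve a network (also constructed): certificate
# configured, PLAIN/LOGIN only inside TLS, loopback restriction removed,
# unresolvable sender domains no longer accepted.
HARDENED_MC = """\
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
define(`confSERVER_KEY', `/usr/share/ssl/certs/sendmail.pem')
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
"""


def _unquote(s):
    s = s.strip()
    while s.startswith("`") and s.endswith("'"):
        s = s[1:-1]
    return s


def parse_macro_line(raw):
    """(name, args) for an active macro call on this line, else None. Quote
    depth is tracked so a quoted `dnl' or a comma inside quotes does not
    confuse the parse; everything after an unquoted dnl is dropped."""
    depth, kept = 0, []
    for i, c in enumerate(raw):
        if depth == 0 and re.match(r"dnl\b", raw[i:]) and not (i and re.match(r"\w", raw[i - 1])):
            break
        depth += (c == "`") - (c == "'" and depth > 0)
        kept.append(c)
    m = re.fullmatch(r"(\w+)\((.*)\)", "".join(kept).strip())
    if not m:
        return None
    args, depth, cur = [], 0, ""
    for c in m.group(2):
        depth += (c == "`") - (c == "'" and depth > 0)
        if c == "," and depth == 0:
            args, cur = args + [_unquote(cur)], ""
        else:
            cur += c
    return m.group(1), args + [_unquote(cur)]


def _daemon_opts(spec):
    """'Port=smtp,Addr=127.0.0.1, Name=MTA' -> {'Port': 'smtp', ...}"""
    return dict(kv.strip().split("=", 1) for kv in spec.split(",") if "=" in kv)


def audit(mc_text):
    """[(level, code, message)] for the settings the chapter discusses."""
    calls = [m for m in map(parse_macro_line, mc_text.splitlines()) if m]
    defines = {a[0]: (a[1] if len(a) > 1 else "") for n, a in calls if n == "define"}
    features = {a[0] for n, a in calls if n == "FEATURE"}
    has_cert = "confSERVER_CERT" in defines and "confSERVER_KEY" in defines
    auth, out = defines.get("confAUTH_OPTIONS"), []
    if auth is not None and "p" not in auth:
        out.append(("warn", "plaintext-auth", "no p flag: PLAIN/LOGIN accepted on unencrypted links"))
    if auth is not None and "p" in auth and not has_cert:
        out.append(("warn", "auth-needs-tls", "p flag but no certificate: no STARTTLS, so PLAIN/LOGIN never usable"))
    for opt in (_daemon_opts(a[0]) for n, a in calls if n == "DAEMON_OPTIONS"):
        name, addr = opt.get("Name", "?"), opt.get("Addr")
        if addr in ("127.0.0.1", "::1"):
            out.append(("info", "loopback-only", f"{name}: bound to {addr}, local mail only"))
        elif opt.get("Port", "smtp") in ("smtp", "25"):
            out.append(("info", "network-listener", f"{name}: all interfaces; relay policy comes from access.db"))
        if "s" in opt.get("M", "") and not has_cert:
            out.append(("warn", "no-tls-cert", f"{name}: TLS-on-connect listener without a certificate"))
    if "accept_unresolvable_domains" in features:
        out.append(("warn", "unresolvable-domains", "mail from sender domains that do not resolve is accepted"))
    if "relay_based_on_MX" in features:
        out.append(("warn", "relay-based-on-mx", "anyone pointing an MX record at this host may relay through it"))
    if "smrsh" not in features:
        out.append(("warn", "no-smrsh", "programs named in aliases or .forward files run unrestricted"))
    privacy = {f.strip() for f in defines.get("confPRIVACY_FLAGS", "").split(",")}
    if "goaway" not in privacy and not {"novrfy", "noexpn"} <= privacy:
        out.append(("warn", "vrfy-expn", "VRFY/EXPN enabled: remote users can enumerate addresses"))
    return out
```

The audit works on the text of the .mc file only, so it fits naturally as a check before make -C /etc/mail; it does not verify that the certificate files exist or that access.db has been built, and it reports a loopback-only listener as information rather than a warning because that is the safe default for a machine that only sends mail.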
The submit.mc file is the macro file used to create submit.cf, the configuration for the mail submission program: the copy of sendmail, running set-group-ID to smmsp rather than as root, that local users and programs invoke to send mail and that hands each message to the daemon on port 25. It is processed in the same way as sendmail.mc; fortunately, it is much simpler. Generally you don't need to change it, but understanding it tells you which other files to configure.
These first commands are essentially the same as the first commands in sendmail.mc and are explained in that section of this chapter.
    divert(-1)dnl
    divert(0)dnl
    include(`/usr/share/sendmail-cf/m4/cf.m4')
    VERSIONID(`linux setup for Red Hat Linux')dnl

The confCF_VERSION define simply appends a word to the version string, so that this configuration can be told apart from sendmail.cf in sendmail's version output.
This adds an operating system type, similar to the OSTYPE(`linux)dnl command in sendmail.mc .
    define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
DECnet is Digital Equipment Corporation's network protocol suite, found on older VAX and PDP systems; this define lets the submission program parse DECnet-style addresses (node::user).

    define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
The confTIME_ZONE variable controls the time zone used in the timestamps sendmail writes into message headers.
The confDONT_INIT_GROUPS setting keeps the submission program from calling initgroups() to load a user's supplementary groups, a lookup that can be slow or fail when group information comes from NIS; the program simply runs with its own group, smmsp.
This sets the location of the process identifier (PID) file.
The confDIRECT_SUBMISSION_MODIFIERS variable applies the C modifier to mail submitted from the command line: sendmail skips the DNS canonification of host names in addresses and treats them as already canonical, which avoids a DNS delay when the machine is offline.
The use_ct_file FEATURE reads /etc/mail/trusted-users, the list of users who may set the envelope sender without an X-Authentication-Warning header, as described earlier in this chapter.

    FEATURE(`use_ct_file')dnl
    dnl
    dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]
The msp FEATURE is what turns this configuration into the message submission program: mail handed to sendmail by local users and programs is passed over SMTP to the daemon listening on the local computer, the bracketed address 127.0.0.1. This is why the daemon must keep listening on the loopback address even on a server that accepts no outside mail; stop it, and local mail silently piles up in the submission queue.
In most cases, you don't need to change anything in this file; if you do, please remember to back it up first! If you've installed the sendmail-doc-* RPM, more information on this file is available in README.cf, in the /usr/share/doc/sendmail directory.
If you haven't already done so, now is a good time to back up your current configuration files. Once you've made the desired changes, either run make -C /etc/mail, which regenerates both sendmail.cf and submit.cf and rebuilds the .db maps, or run the m4 macro processor directly on the file you changed, as shown here for submit.cf. Then restart the sendmail daemon:

    # m4 /etc/mail/submit.mc > /etc/mail/submit.cf
    # service sendmail restart

If m4 reports an error (a missing closing quote is the usual cause), the redirection has already overwritten the .cf file, so keep that backup, or write m4's output to a temporary file and move it into place only when m4 succeeds.
These commands won t work unless you ve installed the sendmail-cf-* RPM.