Configuring sendmail
As with most complex Linux services, sendmail components can be installed from a number of RPM packages. There are many key configuration files, over and above the sendmail.cf configuration file and the sendmail.mc macro file.
With the latest version of sendmail, the configuration files are now split into two parts. When sendmail receives e-mail, it uses sendmail.cf. When sendmail sends e-mail, it uses submit.cf.
Once you get sendmail up and running, you can modify various configuration files to promote security.
Note: This is far from a comprehensive discussion on sendmail; there are 1000-page books available just on this service. One good reference is Linux Sendmail Administration, by Craig Hunt (Sybex, 2001).
Packages
The only RPM that you need for a working sendmail configuration is sendmail-*, which is installed by default. The available sendmail packages are listed in the following table and in Chapter 10; you can use the rpm -q packagename command to see whether they’re installed. Once they’re installed, you can use the rpm -ql packagename command to see the associated files.
Package | Function |
---|---|
sendmail-* | The sendmail MTA software |
sendmail-cf-* | Tools and templates for creating a wide variety of sendmail configuration files |
sendmail-devel-* | Development libraries for sendmail |
sendmail-doc-* | Release notes, FAQ, and other sendmail documentation |
Basic Configuration Files
There is more to sendmail than just the basic configuration file, sendmail.cf, and the macro file, sendmail.mc. As with many other daemons, sendmail has a control file in /etc/sysconfig. You can set it to forward e-mail to a different user through /etc/aliases. Many other configuration files are stored in /etc/mail.
Basic /etc/sysconfig/sendmail
The /etc/sysconfig/sendmail file is fairly simple:
DAEMON=yes
QUEUE=1h
The DAEMON=yes entry sets sendmail to listen for messages on TCP/IP port 25, which is associated with SMTP. The QUEUE=1h entry tells sendmail to try to deliver queued mail every hour.
sendmail Aliases
The /etc/aliases file is also simple. It specifies the users that should really receive e-mail. For example, the following entry delivers mail addressed to a service account such as ftp to root:
ftp: root
Or, you can redirect e-mail from a former to a current employee:
byeltsin: vputin
sendmail /etc/mail Configuration Files
There are a number of files in /etc/mail that you can use to configure sendmail or to set up databases to regulate how sendmail works. If you want to enable these configuration files, you generally need an entry in the sendmail.mc macro file. If there is a .db file, you can in most cases convert a text file such as access to access.db by using the makemap command.
access and access.db: Configures domains or e-mail addresses; e-mail from these sources can be dropped (DISCARD), rejected with an error message (REJECT), or accepted for relaying (RELAY). You can minimize unwanted e-mail by dropping or rejecting it from specific domains or e-mail addresses. Look at the /etc/mail/access file for examples.
domaintable and domaintable.db: Maps one domain to another. These files are useful if you’ve converted your domain name and others are still sending e-mail to your users’ old e-mail addresses. If you’ve just converted your domain name from dictatorsrus.com to democracyisus.com, you could add the following line to your domaintable file:
dictatorsrus.com democracyisus.com
helpfile: Provides the help text for the commands available at the sendmail (SMTP) prompt. You can get to the sendmail prompt with the telnet localhost 25 command.
local-host-names: Contains aliases or other hostnames for your sendmail server. Just enter other names for your sendmail server computer on individual lines in this file.
mailertable and mailertable.db: Lets you specify an unusual e-mail server type for a specific address; rarely used.
Makefile: Rebuilds sendmail.cf and the .db files when you run make -C /etc/mail; an alternative to running the m4 macro processor and makemap by hand.
sendmail.cf and sendmail.mc: Allow you to configure sendmail; sendmail.cf is the configuration file, and sendmail.mc is a macro file that can be processed into the configuration file. More information on these files is available later in this chapter.
statistics: Contains statistics for sendmail usage. Run the mailstats command to read this file.
submit.cf and submit.mc: Configure the message submission program that handles outgoing e-mail from local users. The syntax in the default submit.mc file is the same as in sendmail.mc. More information on submit.mc is available later in this chapter.
trusted-users: Lets you list users who can send e-mail on behalf of your other users. Rarely used; would you ever want to give anyone this kind of power?
virtusertable and virtusertable.db: Supports e-mail forwarding for virtual domains; similar to the /etc/aliases file, for external users.
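The access file and the makemap step above are where most relay mistakes are made, so it is worth checking the file before converting it. As an added example, not code from the book or from the sendmail project, the following shell script writes a constructed access file, lints each entry (an action the access database does not understand, or a RELAY entry keyed on a single address octet, which relays for an entire /8 network), and then runs the makemap command the text describes. The sample entries, the temporary directory, and the ACCESS_FILE variable are assumptions for the demonstration.

```shell
# Added example (not from the book): lint a sendmail access file and build
# access.db from it with makemap.  Set ACCESS_FILE to check a real file.
set -u

# Write a constructed access file to $1: key, tab, action on each line.
# "ALLOW" is a deliberate typo to show what the lint catches.
write_sample_access() {
    {
        echo '# constructed sample /etc/mail/access'
        printf '%s\t%s\n' \
            spam.example REJECT \
            bulkmailer.example DISCARD \
            10.1.2 RELAY \
            localhost RELAY \
            good.example OK \
            10 RELAY \
            typo.example ALLOW
    } > "$1"
}

# Check each entry.  The action must be one the access database understands
# (OK, RELAY, REJECT, DISCARD, ERROR:..., or a 4xx/5xx reply code).  A RELAY
# entry keyed on a single octet covers a whole /8, the classic accidental
# open relay, so it is flagged.  Exit status is the number of problems found.
lint_access() {
    file=$1
    problems=0
    lineno=0
    set -f                          # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        key=$1
        action=${2:-}
        case $action in
            OK|RELAY|REJECT|DISCARD|ERROR:*|[45][0-9][0-9]) ;;
            *)  echo "line $lineno: unknown action '$action' for $key"
                problems=$((problems + 1))
                continue ;;
        esac
        if [ "$action" = RELAY ]; then
            case $key in
                [0-9]|[0-9][0-9]|[0-9][0-9][0-9])
                    echo "line $lineno: RELAY for $key.* covers a whole /8; confirm this is intended"
                    problems=$((problems + 1)) ;;
            esac
        fi
    done < "$file"
    set +f
    return $problems
}

# Convert the text file to the hash database sendmail reads, as the text
# describes; makemap writes $1.db.  Skipped when makemap is not installed.
build_access_db() {
    if command -v makemap >/dev/null 2>&1; then
        makemap hash "$1" < "$1"
    else
        echo "makemap not found; would run: makemap hash $1 < $1"
    fi
}

access=${ACCESS_FILE:-}
if [ -z "$access" ]; then
    access=$(mktemp -d)/access
    write_sample_access "$access"
fi
if lint_access "$access"; then
    build_access_db "$access"
else
    echo "fix the problems above before running makemap"
fi
```

On the sample file the lint reports two problems (the bare "10" RELAY key and the bad ALLOW action) and refuses to build the database; a clean file is converted, and the resulting access.db is what the FEATURE(`access_db') line in sendmail.mc points at.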
Understanding sendmail.mc
The /etc/mail/sendmail.cf configuration file can be intimidating—it is on the order of 2000 lines long! By comparison, the /etc/mail/sendmail.mc file, at about 70 lines, is easy to read and understand. Once you’ve configured this file to your liking, you can use an appropriate make command or the m4 macro processor to generate the custom sendmail.cf file that you need. Take a look at this file; I’ve included additional comments where appropriate. As you probably won’t need to modify most of this file, my comments are limited. As sendmail is a complex topic, please refer to Linux Sendmail Administration, by Craig Hunt, for more information.
Note: The quote marks inside the parentheses in sendmail.mc may not be what you expect: they start with a back quote (`) and end with a single quote (') mark. The back quote is the character above the Tab key on a U.S. keyboard.
The divert(-1) command is a standard way to start the sendmail.mc file; if paired with divert(0), all lines between these commands are ignored as comments.
divert(-1)dnl
All lines that start with dnl are comments; these particular comments include one way to process the sendmail.mc file; alternatively, you can still regenerate /etc/mail/sendmail.cf with the m4 sendmail.mc > sendmail.cf command.
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
The following include command pulls in cf.m4, the master file of macro definitions that the m4 processor expands into sendmail.cf; it is part of the sendmail-cf-* RPM, so that package must be installed.
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
The VERSIONID is the label associated with each sendmail configuration file
VERSIONID(`setup for Red Hat Linux ')dnl
Naturally, any OSTYPE command specifies the operating system, in this case, linux.
OSTYPE(`linux')dnl
The define command shown below coordinates your sendmail server with an outgoing e-mail server, presumably outside your network. If you want to activate this command, delete the dnl in front of define and replace smtp.your.provider with the outgoing (SMTP) e-mail server address of your ISP.
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')
dnl #
Generally, no changes are required to the commands shown below; see Linux Sendmail Administration for more information.
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTRUSTED_USER', `smmsp')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
The two commands shown below that start with define(`confAUTH_OPTIONS' are mutually exclusive; only one of them should be active. TLS is Transport Layer Security, the successor to SSL, the Secure Sockets Layer.
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
If you need to prevent plain-text logins to your sendmail server, change these two commands so they read:
dnl define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_OPTIONS', `A p')dnl
Now let’s continue on with the default sendmail.mc file. The following two commands relate to authentication mechanisms: TRUST_AUTH_MECH lists the mechanisms that are trusted enough for an authenticated client to be allowed to relay, and confAUTH_MECHANISMS lists the mechanisms the server offers to clients:
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
The following commands allow you to use any SSL certificates on your system with sendmail. For more information on SSL certificates, see Chapter 30. The certificates that you can create in that chapter for Apache can also apply here.
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY', `/usr/share/ssl/certs/sendmail.pem')
dnl #
The following define command supports integration with the Lightweight Directory Access Protocol (LDAP), which provides detailed user information and can therefore replace the /etc/aliases and the /etc/mail/virtusertable.db files shown below. Integration of sendmail and LDAP is a complex topic beyond the scope of this book.
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readable by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
The following commands set timeouts and thresholds for e-mail that can’t be delivered immediately: how long a message may sit in the queue before the sender is warned (4h) and before it is returned (5d), the system load average at which sendmail only queues (12) or refuses connections (18), and the timeout for ident lookups (0 disables them).
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
This FEATURE command sets smrsh, the sendmail restricted shell, as the program sendmail uses to run commands named in aliases and .forward files; only commands linked into its command directory (/etc/smrsh on Red Hat) can be run. The mailertable.db maps domain names to the mailer and host that should handle them, and the virtusertable.db maps addresses in virtual domains to local users.
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o/etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o/etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o/etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
The EXPOSED_USER command exempts the named user from the masquerading described later in this file, so e-mail from root always carries the full host name in its address.
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
By default, sendmail listens for and processes e-mail only from the local computer. If you want this sendmail server to work for other computers on your network, add a dnl in front of this command and remove it from one of the following commands.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
If you activate the following DAEMON_OPTIONS command, sendmail also listens on TCP/IP port 587 for e-mail from users who send their accounts and passwords; that is, users whose e-mail managers (MUAs) authenticate. The M=Ea option requires that authentication for this port.
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
If you want to require secure connections to your sendmail server, you could activate this command, which requires the use of TLS. However, as noted in the comments, you should not activate this command if your users work with Microsoft Outlook Express or Evolution below version 1.1.1.
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction to listen to the network.
dnl #
dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl # a kernel patch
dnl #
Activate the command shown below if you’ve configured your network to use IPv6, as described in Chapter 20. This is the IPv6 equivalent of the default command noted earlier that accepts e-mail only from the local computer.
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
This FEATURE command tells sendmail to accept e-mail even when the sender’s domain can’t be resolved in DNS, so no lookup is needed for each incoming message. Unless you have reliable access to a DNS server and can accept the extra traffic, keep the command as is.
FEATURE(`accept_unresolvable_domains')dnl
dnl #
This FEATURE command allows the use of the MX records for a mail server as specified in a DNS database. See Chapter 24 for more information on DNS.
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
The LOCAL_DOMAIN command specifies an alias for the local computer; localhost.localdomain is a default alias in /etc/hosts.
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
This MASQUERADE_AS command changes the label that sendmail attaches to your outgoing e-mail. If you activate this command, change mydomain.com to the label you desire; typically used to specify e-mail from a subdomain. For example, if I’m on the mommabears.com network, I could set MASQUERADE_AS to linux.mommabears.com.
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
With the MASQUERADE_DOMAIN command, you can tell sendmail to handle e-mail addresses from other domains in the same way. For example, these commands, if active, set e-mail from these subdomains (localhost, localhost.localdomain, mydomainalias.com, and mydomain.lan) to the domain specified earlier with the MASQUERADE_AS command.
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
The following MAILER commands specify the type of server that actually sends out the e-mail.
MAILER(smtp)dnl
MAILER(procmail)dnl
Revising sendmail.mc
Before you start, it’s a good idea to make backups of your sendmail.cf and sendmail.mc files in your /etc/mail directory.
There are a couple of lines that you should change in the default sendmail.mc configuration file. First, this line limits the sendmail server to accepting e-mail only on the specified address; 127.0.0.1 is the loopback address for the local computer, so no other computer on the network can reach the server:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
If you have reliable DNS access and high-speed Internet access, comment out this next line. It keeps sendmail from checking the domain associated with incoming e-mail addresses. You can comment out the line by putting dnl in front; when you restart the sendmail service, sendmail automatically starts checking domains:
FEATURE(`accept_unresolvable_domains')dnl
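The two edits described in this section, together with the confAUTH_OPTIONS swap from the earlier discussion of preventing plain-text logins, can be applied and checked with a script. The following is an added example, not code from the book or from sendmail. It works on a constructed excerpt of sendmail.mc in a temporary directory unless the assumed SENDMAIL_MC variable points at the real /etc/mail/sendmail.mc, backs the file up first, moves the dnl from the loopback-only MTA line to the authenticated submission line (port 587, M=Ea), comments out accept_unresolvable_domains, and rebuilds the .cf file with m4 only when the sendmail-cf package’s cf.m4 is present.

```shell
# Added example (not from the book): revise a sendmail.mc and audit the result.
# Set SENDMAIL_MC=/etc/mail/sendmail.mc to work on the real file.
set -u

# Write a constructed excerpt of the default Red Hat sendmail.mc to $1.
write_sample_mc() {
    cat > "$1" <<'EOF'
divert(-1)dnl
divert(0)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl define(`confAUTH_OPTIONS', `A p')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
FEATURE(`accept_unresolvable_domains')dnl
MAILER(smtp)dnl
EOF
}

# Keep a timestamped backup before touching the macro file.
backup_mc() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# Edit 1: comment out the loopback-only MTA listener and activate the
# authenticated submission listener instead (M=Ea requires AUTH).
# Edit 2: comment out accept_unresolvable_domains so sender domains are
# checked in DNS.  In sed, & stands for the text the pattern matched.
revise_mc() {
    sed -e 's/^DAEMON_OPTIONS(`Port=smtp,Addr=127\.0\.0\.1/dnl &/' \
        -e 's/^dnl \(DAEMON_OPTIONS(`Port=submission\)/\1/' \
        -e 's/^FEATURE(`accept_unresolvable_domains/dnl &/' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Forbid PLAIN/LOGIN authentication on non-TLS links by swapping which
# confAUTH_OPTIONS line is active.  A dot stands in for each closing quote
# so the sed script needs no single quotes of its own.
require_tls_for_plain_auth() {
    sed -e 's/^define(`confAUTH_OPTIONS., .A.)dnl/dnl &/' \
        -e 's/^dnl \(define(`confAUTH_OPTIONS., .A p.)dnl\)/\1/' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Report the settings this section warns about.  Exit status is the number
# of findings so the function can drive scripts and tests.
audit_mc() {
    findings=0
    if grep -q '^define(`confAUTH_OPTIONS., .A.)dnl' "$1"; then
        echo "finding: PLAIN/LOGIN auth allowed on non-TLS links (confAUTH_OPTIONS A)"
        findings=$((findings + 1))
    fi
    if grep -q '^FEATURE(`accept_unresolvable_domains' "$1"; then
        echo "finding: accept_unresolvable_domains is active (sender domains not checked)"
        findings=$((findings + 1))
    fi
    if grep -q '^DAEMON_OPTIONS(`Port=smtp,Addr=127\.0\.0\.1' "$1"; then
        echo "note: MTA accepts mail on 127.0.0.1 only"
    fi
    return $findings
}

# Rebuild the .cf file with m4, as the book describes; needs sendmail-cf.
rebuild_cf() {
    if [ -r /usr/share/sendmail-cf/m4/cf.m4 ]; then
        m4 "$1" > "${1%.mc}.cf"
    else
        echo "sendmail-cf not installed; would run: m4 $1 > ${1%.mc}.cf"
    fi
}

mc=${SENDMAIL_MC:-}
if [ -z "$mc" ]; then
    mc=$(mktemp -d)/sendmail.mc
    write_sample_mc "$mc"
fi
backup_mc "$mc"
revise_mc "$mc"
require_tls_for_plain_auth "$mc"
audit_mc "$mc" || echo "audit: $? finding(s)"
rebuild_cf "$mc"
```

Run against the unmodified excerpt, audit_mc reports two findings; after revise_mc and require_tls_for_plain_auth it reports none. After a real change, finish with service sendmail restart as described under "Processing and Reactivating sendmail".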
Understanding submit.mc
The submit.mc is the macro file used to create submit.cf, the sendmail configuration file for outgoing e-mail. It is processed in the same way as sendmail.mc; fortunately, this file is simpler. Generally, you don’t need to make any changes to this file—but it’s helpful to understand this file to know what other files to configure.
These first commands are essentially the same as the first commands in sendmail.mc and are explained in that section of this chapter.
divert(-1)dnl
divert(0)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
The confCF_VERSION setting simply adds to the version name.
define(`confCF_VERSION', `Submit')dnl
This adds an operating system type, similar to the OSTYPE(`linux')dnl command in sendmail.mc.
define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
DECnet is a network type common on older mainframe and microcomputers.
define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
The confTIME_ZONE setting, here USE_TZ, tells sendmail to take the time zone for its time stamps from the TZ environment variable.
define(`confTIME_ZONE', `USE_TZ')dnl
This setting tells sendmail not to call initgroups(3) to build a supplementary group list when it switches users; it avoids a potentially slow lookup on systems whose group database comes from NIS.
define(`confDONT_INIT_GROUPS', `True')dnl
This sets the location of the process identifier (PID) file.
define(`confPID_FILE', `/var/run/sm-client.pid')dnl
The confDIRECT_SUBMISSION_MODIFIERS setting applies the same modifier flags used with DAEMON_OPTIONS (M=) to mail submitted directly from the command line; the C flag skips host-name canonification, that is, it assumes the host names are already canonical.
dnl define(`confDIRECT_SUBMISSION_MODIFIERS',`C')
The use_ct_file FEATURE reads the list of trusted users, those allowed to set the envelope sender, from /etc/mail/trusted-users.
FEATURE(`use_ct_file')dnl
dnl
dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]
This FEATURE configures the message submission program (MSP) to hand outgoing e-mail to the MTA on the local computer (127.0.0.1).
FEATURE(`msp', `[127.0.0.1]')dnl
In most cases, you don’t need to change anything in this file; if you do, please remember to back it up first! If you’ve installed the sendmail-doc-* RPM, more information on this file is available in README.cf, in the /usr/share/doc/sendmail directory.
Processing and Reactivating sendmail
If you haven’t already done so, now is a good time to back up your current sendmail.cf and submit.cf configuration files. Once you’ve made the desired changes, use the m4 macro processor or the make -C /etc/mail command to create a new sendmail.cf file (and, if you changed submit.mc, a new submit.cf). Then, restart the sendmail daemon. For example, the following commands rebuild submit.cf and restart sendmail:
# m4 /etc/mail/submit.mc > /etc/mail/submit.cf
# service sendmail restart
These commands won’t work unless you’ve installed the sendmail-cf-* RPM.