What is Sendmail ?
Sendmail is the most widespread Open Source program to transport mail between machines using the SMTP protocol (and also some older protocols such as UUCP and others). Note : sendmail does not afford delivering mail to clients using the POP and IMAP protocols. A separate software such as Cyrus-IMAP must be installed to handle this.
Download then untar to /usr/local and edit the compile options as below, updating the paths to your specific environment. Sendmail also includes many default compile options not listed here. Review the bat book (O’Reilly Sendmail, by Bryan Costales and Eric Allman) for more details.
# cd /var/log/packages # removepkg sendmail-cf-x.y.z-noarch-t # removepkg sendmail-x.y.z-x86_64-t # cd # tar -C /usr/local -xvf sendmail-8.15.2 # cd /usr/local/ # chown -R root:root sendmail-8.15.2/ # cd sendmail-x.y.z # vi /etc/mail/local-host-names i your.domain.com <esc> :x # mkdir /var/spool/mqueue # vi devtools/Site/site.config.m4 i APPENDDEF(`confENVDEF', `-DSTARTTLS') APPENDDEF(`confLIBS', `-lssl -lcrypto') APPENDDEF(`confLIBDIRS', `-I/usr/local/lib64') APPENDDEF(`confINCDIRS', `-I/usr/local/openssl-1.0.2j/include') APPENDDEF(`confENVDEF', `-DSASL') APPENDDEF(`confLIBS', `-lsasl2') APPENDDEF(`confLIBDIRS', `-I/usr/local/lib/sasl2') APPENDDEF(`confINCDIRS', `-I/usr/local/cyrus-sasl-2.1.26/include') APPENDDEF(`confMAPDEF', `-DLDAPMAP') APPENDDEF(`confLIBS', `-lldap') APPENDDEF(`confLIBDIRS', `-I/usr/local/lib64') APPENDDEF(`confINCDIRS', `-I/usr/local/openldap-2.4.44/include') APPENDDEF(`confLIBS', `-ldb') APPENDDEF(`confLIBS', `-lresolv') APPENDDEF(`confLIBS', `-llber') APPENDDEF(`confMAPDEF', `-DDNSMAP -DMAP_REGEX -DNEWDB') APPENDDEF(`confENVDEF', `-DMILTER -DNETINET -DNETUNIX -DSM_CONF_LDAP_MEMFREE=1') APPENDDEF(`confENVDEF', `-DIPV6_FULL=0 -DNETINET6=0 -DNIS=0 -DSOCKETMAP=0') APPENDDEF(`confENVDEF', `-DTCPWRAPPERS=0 -DUSE_LDAP_INIT=0') <esc> :x
Then compile the software and verify how the compile options have been taken into account :
# ./Build -c install … # ln -s /usr/local/lib64/libldap-2.4.so.2 /usr/lib64/libldap-2.4.so.2 # ln -s /usr/local/lib64/liblber-2.4.so.2 /usr/lib64/liblber-2.4.so.2 # ldconfig # sendmail -d0.10 -bt < /dev/null Version 8.15.1 Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2 SCANF STARTTLS USERDB XDEBUG OS Defines: HASFCHOWN HASFCHMOD HASGETDTABLESIZE HASINITGROUPS HASLSTAT HASNICE HASRANDOM HASRRESVPORT HASSETREGID HASSETREUID HASSETRLIMIT HASSETSID HASSETVBUF HASURANDOMDEV HASSTRERROR HASUNAME HASUNSETENV HASWAITPID IDENTPROTO REQUIRES_DIR_FSYNC SFS_VFS USE_DOUBLE_FORK USE_SIGLONGJMP Kernel symbols: /boot/vmlinux Conf file: /etc/mail/submit.cf (default for MSP) Conf file: /etc/mail/sendmail.cf (default for MTA) Pid file: /var/run/sendmail.pid (default) Canonical name: inner.studioware.com UUCP nodename: inner a.k.a.: inner a.k.a.: [192.168.0.1] a.k.a.: [127.0.0.1] Conf file: /etc/mail/sendmail.cf (selected) Pid file: /var/run/sendmail.pid (selected) ============ SYSTEM IDENTITY (after readcf) ============ (short domain name) $w = inner (canonical domain name) $j = inner.studioware.com (subdomain name) $m = studioware.com (node name) $k = inner ======================================================== ADDRESS TEST MODE (ruleset 3 NOT automatically invoked) Enter <ruleset> <address>
Here is a short comment on the options selected :
DNSMAP : allows to look up host and address information. Used for reverse lookups. Necessary to use the enhdnsbl blacklist feature for improved spam screening.
LDAPMAP : enable use of LDAP databases.
LOG : log error messages and other useful information that is often important for security and debugging.
MAP_REGEX : ability to match addresses to regular expressions in rule sets with the regex class of database map (§23.7.21 of the Sendmail book 3d edition).
MATCHGECOS : support of limited fuzzy name matching. Normally defined as true by default.
MILTER : ability to submit messages to external programs that can be used to screen messages for spam indicators, viruses, or other content that you might want to reject.
MIME7TO8 : ability to convert messages that were converted into either quoted-printable or base64 back into their original 8-bit form. The decision to make this conversion is based on the F=9 delivery agent flag (§20.8.10 of the Sendmail book 3d edition).
MIME8TO7 : ability to convert 8-bit MIME message content into 7-bit MIME so that mail can be transported through non-8-bit gateways. The methods used and the circumstances required to trigger conversion are described under the EightBitMode option (§24.9.42 of the Sendmail book 3d edition).
NAMED_BIND : automatically take advantage of DNS lookups or MX records to resolve addresses and canonical hostnames.
NETINET : to support an Ipv4 network.
NETUNIX : to support a unix domain network.
NEWDB : to support aliasing in an efficient manner.
PIPELINING : enable pipelining SMTP extension.
SASLv2 : support SMTP AUTH version 2.
SCANF : support scanf(3) with the F command.
STARTTLS : enable stream encryption.
USERDB : support the user database, that allows sender and recipient addresses to be rewritten under the control of an external database.
XDEBUG : support sanity checks. In past releases of sendmail, changes in file descriptors and other key variables have sometimes occurred for reasons that remain a mistery to this day. Small “sanity checks” have been included in the code to discover such anomalies, should they appear again.
Since v8.12 and by default on Linux Slackware, sendmail runs as non-set-user-id root and comes in two guises. In one guise, it is run as before by root to function as a listening daemon and uses the /etc/mail/sendmail.cf configuration file. In the second guise, it is run as an ordinary user (usually smmsp), to collect locally submitted messages and uses the /etc/mail/submit.cf configuration file. Both guises are launched at system startup if script /etc/rc.d/rc.sendmail is executable. Let us create these files :
# cd /usr/local/sendmail*/cf/cf # cp generic-linux.mc sendmail.mc # vi sendmail.mc
- Define the following macro to avoid user information leaks by the VRFY command, that verifies the validity of a user name, the EXPN command, that expands the distribution lists, and the VERB command, that puts a remote MTA in verbose mode :
define(`confPRIVACY_FLAGS', `goaway, restrictexpand, restrictmailq, restrictqrun')dnl
- Define the following macro to change the default banner and avoid letting the software name and version number appear :
define(`confSMTP_LOGIN_MSG', `inner.studioware.com service')dnl
- In recent versions sendmail is configured by default to forbid open relay. However the SMTP AUTH extension affords authenticated users to relay. Define the SASL authentication mechanisms used :
define(`confAUTH_MECHANISMS', `CRAM-MD5 DIGEST-MD5 PLAIN LOGIN')dnl TRUST_AUTH_MECH(`CRAM-MD5 DIGEST-MD5 PLAIN LOGIN')dnl
- Define macros to take into account in sendmail.mc the certificates previously created :
define(`confCACERT_PATH', `/etc/ssl/certs')dnl define(`confCACERT', `confCACERT_PATH`'/cacert.pem')dnl define(`confSERVER_CERT', `/etc/ssl/certs/mtacert.pem')dnl define(`confSERVER_KEY', `/etc/ssl/private/mtakey.pem.unsecure')dnl define(`confCLIENT_CERT', `/etc/ssl/certs/mtacert.pem')dnl define(`confCLIENT_KEY', `/etc/ssl/private/mtakey.pem.unsecure')dnl
- Defining a maximum message size (here 15 megs) can be a good idea :
As the second guise of Sendmail is ran as smmsp, let us make a copy of the server private keys that will be readable only by this user then define macros to take into account in submit.mc the certificates :
# cd /etc/ssl/private # cp mtakey.pem.unsecure smmsp.mtakey.pem.unsecure # chown smmsp:smmsp smmsp.mtakey.pem.unsecure define(`confCACERT_PATH', `/etc/ssl/certs')dnl define(`confCACERT', `confCACERT_PATH`'/cacert.pem')dnl define(`confSERVER_CERT', `/etc/ssl/certs/mtacert.pem')dnl define(`confSERVER_KEY', `/etc/ssl/private/smmsp.mtakey.pem.unsecure')dnl define(`confCLIENT_CERT', `/etc/ssl/certs/mtacert.pem')dnl define(`confCLIENT_KEY', `/etc/ssl/private/smmsp.mtakey.pem.unsecure')dnl
Let us now finalize and generate sendmail.cf, copy sendmail.mc and sendmail.cf to /etc/mail. Do the same with submit.mc and submit.cf :
# cd /usr/local/sendmail*/cf/cf # m4 ../m4/cf.m4 sendmail.mc > sendmail.cf # cp sendmail.mc /etc/mail # cp sendmail.cf /etc/mail # vi submit.mc # m4 ../m4/cf.m4 submit.mc > submit.cf # cp submit.mc /etc/mail # cp submit.cf /etc/mail
Configuring Sendmail SASL
For SMTP authentication, we use SASL against the OpenLDAP directory installed previously. As only mechanism, we use PLAIN, later ensuring security by forcing SSL encryption over port 465 SMTPS (actually, DIGEST-MD5 and CRAM-MD5 are not widely used, and Microsoft Outlook uses only the LOGIN non standard mechanism). Here is the content of file /usr/local/lib/sasl2/Sendmail.conf :
auxprop_plugin: ldapdb ldapdb_id: proxyUser ldapdb_mech: DIGEST-MD5 ldapdb_pw: proxyUserPassword ldapdb_uri: ldaps://localhost log_level: 0 mech_list: PLAIN pwcheck_method: auxprop
As it contains sensitive information, the owner and rights of this file should be set so that it can be read only by its user root:root.
Build installs sendmail not in /usr/local/sbin but in /usr/sbin. Make sure that the right path is used in /etc/rc.d/rc.sendmail then make the file executable and start the software :
# cd /etc/rc.d # vi rc.sendmail # chmod u+x rc.sendamil # ./rc.sendmail start
Checking sendmail run-time options
Correct configuration of the STARTTLS option can be tested using the command below, in which -bs requests sendmail to use SMTP on its standard input and -Am requests sendmail to use the server configuration file, even if used in local message submission mode :
# sendmail -bs -Am 220 inner.studioware.com ESMTP service ehlo studioware.com 250-inner.studioware.com Hello root@localhost, pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 15728640 250-DSN 250-ETRN 250-AUTH PLAIN 250-STARTTLS 250-DELIVERBY 250 HELP quit 221 2.0.0 inner.studioware.com closing connection
In this example the STARTTLS keyword appears, showing that this site supports TLS. If the STARTTLS keyword does not appear, check file /var/log/maillog for error messages or launch again the sendmail command, adding debug option -O LogLevel=14. Errors will be displayed on the console.
If the STARTTLS keyword appears, then TLS is available to cipher the communication and to verify the certificates of the connecting clients. To test this, it is possible to use the s_client command of openssl. The result can be observed in file /var/log/maillog. If the log line includes verify=OK, then the certificate has been successfully verified. If it includes verify=NO, then no certificate has been used, and if it includes verify=FAIL, the certificate verification step has failed. Notice that this failure does not prevent the software from using encryption. Only that the other party was not authenticated by sendmail.
# openssl s_client -connect inner:25 -starttls smtp -cert /etc/ssl/certs/mtacert.pem -key /etc/ssl/private/mtakey.pem . . . # vi /var/log/maillog . . . Oct 15 10:42:00 inner sm-mta: STARTTLS=server, relay=IDENT:firstname.lastname@example.org [192.168.0.2], version=TLSv1.2, verify=OK, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
To use the PLAIN authentication, enter auth plain authent on a single line, where authent is a base64 encoded string composed of a null character, followed by the user name, followed by a null character, followed by the password. In practise, authent may be obtained by typing :
# base64 - <ctrl>@username<ctrl>@password<ctrl>d<ctrl>d
To effectively check certificates
To effectively use STARTTLS to allow relaying based on certificates or to restrict incoming or outgoing connections, you need to use specific macros in sendmail rulesets, please see the instructions in http://www.sendmail.org/~ca/email/starttls.html. If using your own (self-signed) Certification Authority Certificate, you need to place it in your in your /etc/ssl/certs directory with a symbolic link whose name must be based on the certificate hash code. This can be done in this way :
# C=CACertificateFileName # ln -s $C `openssl x509 -noout -hash < $C`.0
Errors in /var/log/maillog
The message did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA in log file /var/log/maillog means that a remote server connected to your site but closed the connection before actually sending any mail. This is probably related to malicious behaviour to connect to, scan, or exploit vulnerabilities of your site. Observing the line with wireshark with filter port smtp will afford checking what really happens. Here are a few interesting additional comments about this issue.