Sendmail

From Wikislax

Revision as of 21:31, 27 September 2013 by WikiSysop (Talk | contribs)


What is Sendmail?

Sendmail is the most widespread Open Source program for transporting mail between machines using the SMTP protocol (and also some older protocols such as UUCP). Note: sendmail does not deliver mail to clients using the POP and IMAP protocols; separate software such as Cyrus-IMAP must be installed to handle this.

Installing Sendmail

Download, then untar to /usr/local and edit the compile options as below, updating the paths to your specific environment. Sendmail also includes many default compile options not listed here. Review the bat book (O’Reilly Sendmail, by Bryan Costales and Eric Allman) for more details.

# cd /var/log/packages
# removepkg sendmail-cf-x.y.z-noarch-2
# removepkg sendmail-x.y.z-x86_64-2
# tar -C /usr/local -xvf sendmail-x.y.z
# cd /usr/local/
# chown -R root:root sendmail-8.14.5/
# cd sendmail-x.y.z
# vi /etc/mail/local-host-names
i
your.domain.com
<esc>
:x
# mkdir /var/spool/mqueue
# vi devtools/Site/site.config.m4
i
APPENDDEF(`confENVDEF', `-DSTARTTLS')
APPENDDEF(`confLIBS', `-lssl -lcrypto')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib64')
APPENDDEF(`confINCDIRS', `-I/usr/local/openssl-0.9.8x/include')

APPENDDEF(`confENVDEF', `-DSASL')
APPENDDEF(`confLIBS', `-lsasl2')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib/sasl2')
APPENDDEF(`confINCDIRS', `-I/usr/local/cyrus-sasl-2.1.25/include')

APPENDDEF(`confMAPDEF', `-DLDAPMAP')
APPENDDEF(`confLIBS', `-lldap')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib64')
APPENDDEF(`confINCDIRS', `-I/usr/local/openldap-2.4.30/include')

APPENDDEF(`confLIBS', `-ldb')

APPENDDEF(`confMAPDEF', `-DDNSMAP=1 -DMAP_REGEX -DNEWDB')
APPENDDEF(`confENVDEF', `-DMILTER -DNETINET -DNETUNIX -DSM_CONF_LDAP_MEMFREE=1')
<esc>
:x

Then compile the software and verify how the compile options have been taken into account:

# ./Build -c install
…
# ln -s /usr/local/lib64/libldap-2.4.so.2 /usr/lib64/libldap-2.4.so.2
# ln -s /usr/local/lib64/liblber-2.4.so.2 /usr/lib64/liblber-2.4.so.2
# ldconfig
# sendmail -d0.10 -bt < /dev/null
Version 8.14.5
 Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8
                MIME8TO7 NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2
                SCANF STARTTLS USERDB USE_LDAP_INIT XDEBUG
    OS Defines: HASFCHOWN HASFCHMOD HASGETDTABLESIZE HASINITGROUPS
                  HASLSTAT HASNICE HASRANDOM HASRRESVPORT HASSETREGID HASSETREUID
                  HASSETRLIMIT HASSETSID HASSETVBUF HASURANDOMDEV HASSTRERROR
                  HASUNAME HASUNSETENV HASWAITPID IDENTPROTO REQUIRES_DIR_FSYNC
                  USE_DOUBLE_FORK USE_SIGLONGJMP
Kernel symbols: /boot/vmlinux
     Conf file: /etc/mail/submit.cf (default for MSP)
     Conf file: /etc/mail/sendmail.cf (default for MTA)
     Pid file: /var/run/sendmail.pid (default)
Canonical name: inner.studioware.com
 UUCP nodename: inner
        a.k.a.: inner
        a.k.a.: [127.0.0.1]
        a.k.a.: [192.168.0.1]
      Conf file: /etc/mail/sendmail.cf (selected)
      Pid file: /var/run/sendmail.pid (selected)

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = inner
  (canonical domain name) $j = inner.studioware.com
         (subdomain name) $m = studioware.com
              (node name) $k = inner
========================================================

ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>

Here is a short comment on the options selected:

DNSMAP: allows host and address information to be looked up. Used for reverse lookups, and required by the enhdnsbl blacklist feature for improved spam screening.

LDAPMAP: enables the use of LDAP databases.

LOG: logs error messages and other useful information that is often important for security and debugging.

MAP_REGEX: ability to match addresses against regular expressions in rule sets with the regex class of database map (§23.7.21 of the Sendmail book, 3rd edition).

MATCHGECOS: support for limited fuzzy name matching. Normally defined as true by default.

MILTER: ability to submit messages to external programs that can screen them for spam indicators, viruses, or other content that you might want to reject.

MIME7TO8: ability to convert messages that were encoded as quoted-printable or base64 back into their original 8-bit form. The decision to make this conversion is based on the F=9 delivery agent flag (§20.8.10 of the Sendmail book, 3rd edition).

MIME8TO7: ability to convert 8-bit MIME message content into 7-bit MIME so that mail can be transported through gateways that are not 8-bit clean. The methods used and the circumstances required to trigger conversion are described under the EightBitMode option (§24.9.42 of the Sendmail book, 3rd edition).

NAMED_BIND: automatically take advantage of DNS lookups and MX records to resolve addresses and canonical hostnames.

NETINET: support for IPv4 networking.

NETUNIX: support for Unix domain sockets.

NEWDB: support for aliasing in an efficient manner.

PIPELINING: enables the SMTP PIPELINING extension.

SASLv2: support for SMTP AUTH (SASL version 2).

SCANF: support for scanf(3) with the F command.

STARTTLS: enables stream encryption.

USERDB: support for the user database, which allows sender and recipient addresses to be rewritten under the control of an external database.

XDEBUG: support for sanity checks. In past releases of sendmail, changes in file descriptors and other key variables have sometimes occurred for reasons that remain a mystery to this day. Small “sanity checks” have been included in the code to discover such anomalies, should they appear again.
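As an added example (not from the original page), here is a small Python check that parses the listing printed by sendmail -d0.10 -bt as shown above and reports which of the options this page's site.config.m4 is meant to enable are missing from the "Compiled with" list. The sample listing is a constructed excerpt of the output above; the set of required options is an assumption drawn from that site.config.m4.

```python
import re

# Constructed excerpt of the `sendmail -d0.10 -bt < /dev/null` listing shown above.
SAMPLE_D0_OUTPUT = """\
Version 8.14.5
 Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8
                MIME8TO7 NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2
                SCANF STARTTLS USERDB USE_LDAP_INIT XDEBUG
    OS Defines: HASFCHOWN HASFCHMOD HASGETDTABLESIZE HASINITGROUPS
                  HASLSTAT HASNICE HASRANDOM HASRRESVPORT HASSETREGID HASSETREUID
Kernel symbols: /boot/vmlinux
     Conf file: /etc/mail/sendmail.cf (default for MTA)
"""

# Options that the site.config.m4 on this page is meant to switch on (assumption).
REQUIRED_OPTIONS = {"STARTTLS", "SASLv2", "LDAPMAP", "MILTER", "DNSMAP",
                    "MAP_REGEX", "NEWDB", "NETINET", "NETUNIX"}

# A header line is "Label:" followed by values; wrapped lines carry no label.
HEADER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_d0_output(output):
    """Map each 'Label:' header to its whitespace-separated tokens.

    Continuation lines are appended to the preceding header, which is how the
    'Compiled with' and 'OS Defines' lists wrap in the listing."""
    sections, current = {}, None
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = m.group(2).split()
        elif current is not None:
            sections[current].extend(line.split())
    return sections

def missing_options(output, required=REQUIRED_OPTIONS):
    """Return the required compile options absent from 'Compiled with', sorted."""
    compiled = set(parse_d0_output(output).get("Compiled with", []))
    return sorted(required - compiled)

if __name__ == "__main__":
    gaps = missing_options(SAMPLE_D0_OUTPUT)
    print("missing compile options:", ", ".join(gaps) if gaps else "none")
```

Pipe the real listing into missing_options() after each rebuild; an option that is absent here will silently be absent at run time (for example, no STARTTLS keyword in the EHLO reply).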

Configuring Sendmail

Since v8.12, and by default on Slackware Linux, sendmail runs non-set-user-ID root and comes in two guises. In the first, it is run as before by root to function as a listening daemon and uses the /etc/mail/sendmail.cf configuration file. In the second, it is run as an ordinary user (usually smmsp) to collect locally submitted messages and uses the /etc/mail/submit.cf configuration file. Both guises are launched at system startup if the script /etc/rc.d/rc.sendmail is executable. Let us create these files:

# cd /usr/local/sendmail*/cf/cf
# cp generic-linux.mc sendmail.mc
# vi sendmail.mc
define(`confPRIVACY_FLAGS', `goaway, restrictexpand, restrictmailq, restrictqrun')dnl
define(`confSMTP_LOGIN_MSG', `inner.studioware.com service')dnl
define(`confAUTH_MECHANISMS', `CRAM-MD5 DIGEST-MD5 PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`CRAM-MD5 DIGEST-MD5 PLAIN LOGIN')dnl
define(`confCACERT_PATH', `/etc/ssl/certs')dnl
define(`confCACERT', `confCACERT_PATH`'/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/ssl/certs/mtacert.pem')dnl
define(`confSERVER_KEY', `/etc/ssl/private/mtakey.pem.unsecure')dnl
define(`confCLIENT_CERT', `/etc/ssl/certs/mtacert.pem')dnl
define(`confCLIENT_KEY', `/etc/ssl/private/mtakey.pem.unsecure')dnl
define(`confMAX_MESSAGE_SIZE', `15728640')dnl

As the second guise of Sendmail runs as smmsp, let us make a copy of the server private key that is readable only by this user, then define the certificate macros in submit.mc accordingly:

# cd /etc/ssl/private
# cp mtakey.pem.unsecure smmsp.mtakey.pem.unsecure
# chown smmsp:smmsp smmsp.mtakey.pem.unsecure

define(`confCACERT_PATH', `/etc/ssl/certs')dnl
define(`confCACERT', `confCACERT_PATH`'/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/ssl/certs/mtacert.pem')dnl
define(`confSERVER_KEY', `/etc/ssl/private/smmsp.mtakey.pem.unsecure')dnl
define(`confCLIENT_CERT', `/etc/ssl/certs/mtacert.pem')dnl
define(`confCLIENT_KEY', `/etc/ssl/private/smmsp.mtakey.pem.unsecure')dnl

Let us now finalize and generate sendmail.cf, then copy sendmail.mc and sendmail.cf to /etc/mail. Do the same with submit.mc and submit.cf:

# cd /usr/local/sendmail*/cf/cf
# m4 ../m4/cf.m4 sendmail.mc > sendmail.cf
# cp sendmail.mc /etc/mail
# cp sendmail.cf /etc/mail
# vi submit.mc
# m4 ../m4/cf.m4 submit.mc > submit.cf
# cp submit.mc /etc/mail
# cp submit.cf /etc/mail

Configuring Sendmail SASL

For SMTP authentication, we use SASL against the OpenLDAP directory installed previously. As the only mechanism we use PLAIN, ensuring security later by forcing SSL encryption over port 465 (SMTPS); in practice, DIGEST-MD5 and CRAM-MD5 are not widely used, and Microsoft Outlook uses only the non-standard LOGIN mechanism. Here is the content of the file /usr/local/lib/sasl2/Sendmail.conf:

ldapdb_uri: ldaps://localhost
ldapdb_id: proxyUser
ldapdb_pw: proxyUserPassword
ldapdb_mech: DIGEST-MD5
log_level: 0
auxprop_plugin: ldapdb
pwcheck_method: auxprop
mech_list: PLAIN

As it contains sensitive information (the LDAP proxy user's password), the owner and permissions of this file should be set so that it is owned by smmsp:root and readable only by that user.

Running sendmail

Build installs sendmail in /usr/sbin rather than /usr/local/sbin. Make sure that the right path is used in /etc/rc.d/rc.sendmail, then make the file executable and start the software:

# cd /etc/rc.d
# vi rc.sendmail
# chmod u+x rc.sendmail
# ./rc.sendmail start

Checking sendmail run-time options

Correct configuration of the STARTTLS option can be tested using the command below, in which -bs requests sendmail to speak SMTP on its standard input and -Am requests sendmail to use the server (MTA) configuration file even when invoked in local message submission mode:

# sendmail -bs -Am
220 inner.studioware.com ESMTP service
ehlo studioware.com
250-inner.studioware.com Hello root@localhost, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 inner.studioware.com closing connection

In this example the STARTTLS keyword appears, showing that this site supports TLS. If the STARTTLS keyword does not appear, check the file /var/log/maillog for error messages, or run the sendmail command again with the debug option -O LogLevel=14 added; errors will then be displayed on the console.

If the STARTTLS keyword appears, the last step is to test for real by examining the mail headers, or maillog lines like those below, of messages exchanged with other STARTTLS-supporting sites. If these lines include verify=OK, TLS has been used; if they include verify=NO, TLS has not been used; and if they include verify=FAIL, TLS has been used but the certificate authentication step has failed. Notice that this failure does not prevent the software from using encryption; it only means that the parties are not authenticated.

inner sm-mta[]: STARTTLS=server, relay=IDENT:25@localhost [127.0.0.1], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
inner sendmail[]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
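As an added example (not part of the original page), the Python script below automates the two checks just described: it parses an EHLO transcript like the one above and flags a missing STARTTLS keyword (and PLAIN/LOGIN offered without it), and it classifies the STARTTLS= lines from /var/log/maillog by their verify= result and negotiated key length. The transcript and log lines are constructed samples in the formats shown on this page; the 128-bit threshold is an assumption.

```python
import re

# Constructed EHLO transcript in the format shown above (not a real capture).
SAMPLE_EHLO = """\
250-inner.studioware.com Hello root@localhost, pleased to meet you
250-PIPELINING
250-AUTH PLAIN
250-STARTTLS
250 HELP
"""
# Constructed maillog lines in the STARTTLS= format shown above (not real data).
SAMPLE_MAILLOG = """\
inner sm-mta[101]: STARTTLS=server, relay=IDENT:25@localhost [127.0.0.1], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
inner sm-mta[102]: STARTTLS=server, relay=mx.example.test [203.0.113.10], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
inner sendmail[103]: STARTTLS=client, relay=relay.example.test, version=TLSv1/SSLv3, verify=NO, cipher=EXP-RC4-MD5, bits=40/128
"""
STARTTLS_RE = re.compile(r"STARTTLS=(?P<role>server|client), relay=(?P<relay>.+?), version=(?P<version>[^,]+), "
                         r"verify=(?P<verify>\w+), cipher=(?P<cipher>[^,]+), bits=(?P<bits>\d+)/(?P<maxbits>\d+)")

def parse_ehlo(transcript):
    """Map each ESMTP keyword of the 250 multi-line reply to its parameters (greeting line skipped)."""
    replies = [l[4:] for l in transcript.splitlines() if re.match(r"250[- ]", l)]
    ext = {}
    for line in replies[1:]:
        keyword, _, params = line.partition(" ")
        ext[keyword.upper()] = params.split()
    return ext

def check_ehlo(transcript):
    """Findings a reviewer would raise about the advertised extensions."""
    ext, issues = parse_ehlo(transcript), []
    if "STARTTLS" not in ext:
        issues.append("STARTTLS not advertised: check maillog or rerun with -O LogLevel=14")
        clear = sorted(m for m in ext.get("AUTH", []) if m in ("PLAIN", "LOGIN"))
        if clear:  # plaintext mechanisms only belong on an encrypted session
            issues.append("AUTH %s offered without STARTTLS: credentials would cross in clear" % "/".join(clear))
    return issues

def audit_starttls_log(log, min_bits=128):
    """Classify each STARTTLS= line by its verify= result and flag short keys (min_bits is an assumption)."""
    status = {"OK": "encrypted, peer certificate verified",
              "FAIL": "encrypted, peer certificate rejected (not authenticated)"}
    findings = []
    for m in STARTTLS_RE.finditer(log):
        f = m.groupdict()
        f["bits"] = int(f["bits"])
        f["status"] = status.get(f["verify"], "verify=%s, peer not authenticated" % f["verify"])
        f["weak"] = f["bits"] < min_bits  # e.g. the export-grade 40-bit RC4 session in the sample
        findings.append(f)
    return findings
```

Feed the real transcript from sendmail -bs -Am and the real /var/log/maillog into these functions; a verify=FAIL against a site whose CA you have installed (see below) points at a certificate or hash-link problem rather than at a missing TLS setup.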

To check an external certificate

For OpenSSL to check an external certificate, you need to place in your /etc/ssl/certs directory a copy of its Certification Authority certificate and a symbolic link to this copy. The name of this link must be based on the certificate's hash (see http://www.sendmail.org/~ca/email/starttls.html). This can be done as follows:

# C=CertificateFileName
# ln -s $C `openssl x509 -noout -hash < $C`.0

