webcp.hostinghacks.net/slackware | sendmail
This is a plain vanilla configuration of Sendmail. You can use it in this configuration alone or as a building block for the Spamassassin install @ webcp.hostinghacks.net/slackware/spamassassin/
PREREQUISITES: sendmail binary
ALTERNATES: a qmail writeup is under construction @ webcp.hostinghacks.net/slackware/qmail/
start with /usr/share/sendmail/cf/cf/sendmail-slackware.mc and make edits:
cat > /etc/mail/sendmail.mc << "EOF"
include(`/usr/share/sendmail/cf/m4/cf.m4')
VERSIONID(`Slackware Linux')dnl
OSTYPE(`linux')dnl
dnl# protect against people verifying email addresses
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl# Uncomment the line below to send outgoing mail through an external server:
dnl define(`SMART_HOST',`mailserver.example.com')
dnl# No timeout for ident:
define(`confTO_IDENT', `0')dnl
dnl FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl# EXPOSED_USER(`nobody')dnl
dnl# MASQUERADE_AS(`fatpenguinhosting.com')dnl
dnl# Also accept mail for localhost.localdomain:
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
EOF
cd /etc/mail
/usr/bin/m4 /usr/share/sendmail/cf/m4/cf.m4 sendmail.mc > sendmail.cf
more sendmail config files:
touch /etc/mail/trusted-users
touch /etc/mail/domaintable
touch /etc/mail/mailertable
# note that these files will be overwritten by the hosting control panel
# and are just a demonstration of configuration possibilities
# allows mail to fatpenguinhosting.com to be relayed:
cat > /etc/mail/access << "EOF"
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
fatpenguinhosting.com RELAY
EOF
# tells sendmail to deliver mail @fatpenguinhosting.com to the local system:
cat > /etc/mail/local-host-names << "EOF"
localhost
localhost.localdomain
fatpenguinhosting.com
EOF
# this setting will create a catchall to deliver all mail @fatpenguinhosting.com
# to the local user 'servadmin'
cat > /etc/mail/virtusertable << "EOF"
@fatpenguinhosting.com servadmin
EOF
cat > /etc/mail/aliases << "EOF"
mailer-daemon: postmaster
postmaster: root
abuse: root
root: servadmin
webmaster: servadmin
hosting: servadmin
support: servadmin
EOF
# /etc/mail/aliases is the file sendmail reads; point /etc/aliases at it
# (a symlink in the other direction fails once /etc/mail/aliases exists)
ln -sf /etc/mail/aliases /etc/aliases
newaliases
# build the .db maps from the text files; sendmail does not read the plain files
# ln -s /usr/sbin/makemap /usr/bin/makemap
makemap hash /etc/mail/access < /etc/mail/access
makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable
chmod 644 /etc/mail/access
chmod 644 /etc/mail/local-host-names
chmod 644 /etc/mail/virtusertable
chmod 644 /etc/mail/aliases
procmail logging:
cat > /etc/procmailrc << "EOF"
#DROPPRIVS=yes
#Uncomment the following lines to allow for logging
#
LOGFILE=/var/log/procmail
VERBOSE=ON
EOF
touch /var/log/procmail
/etc/rc.d/rc.sendmail restart
cat > /etc/cron.daily/watch.procmail << "EOF"
#! /bin/sh
tail -100 /var/log/procmail | mail -s "procmail log" servadmin@localhost
EOF
touch /var/log/procmail
chmod +x /etc/cron.daily/watch.procmail
/etc/cron.daily/watch.procmail
rotate log files:
cat > /etc/logrotate.d/procmail << "EOF"
/var/log/procmail {
    missingok
    create 0644
    postrotate
        /etc/rc.d/rc.sendmail restart 2> /dev/null || true
    endscript
}
EOF
cat > /home/webcp/headers/aliases << "EOF"
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
mailer-daemon: postmaster
postmaster: root
abuse: root
root: servadmin
webmaster: servadmin
support: servadmin
EOF
cat > /home/webcp/headers/access << "EOF"
# must add a new domain in the cp to commit changes
localhost RELAY
127.0.0.1 RELAY
fatpenguinhosting.com RELAY
EOF
cat > /home/webcp/headers/localhosts << "EOF"
localhost
localhost.localdomain
fatpenguinhosting.com
EOF
# send one test message to each alias configured above, then check
# /var/log/maillog and servadmin's mailbox; the blank echo separates
# headers from body so sendmail -t parses the recipient correctly
n=0
for rcpt in servadmin@localhost \
            servadmin@fatpenguinhosting.com \
            webmaster@fatpenguinhosting.com \
            support@fatpenguinhosting.com \
            postmaster@fatpenguinhosting.com \
            abuse@fatpenguinhosting.com \
            mailer-daemon@fatpenguinhosting.com; do
  n=$((n + 1))
  ( echo "From: mailer-daemon@localhost"
    echo "To: $rcpt"
    echo "Subject: test $n"
    echo
    echo "test $n" ) | sendmail -t
done
As of version 8.12, you must also create a user smmsp and change the permissions of various files as described in the file sendmail/SECURITY.
# (Optional) Edit /etc/passwd and change smmsp's uid to 25. This may mean changing some other user (such as "at") to something else. Obviously, there's nothing magical about 25. It can be any number other than 0 (root) as long as it's unique. But 25 seems to be the traditional number.
# (Optional) Edit /etc/group and change smmsp's gid to 25 (or whatever number you picked in the previous step).
Don't make a mistake at these two steps, or it will be hard to undo, because the installation makes extensive use of the uid and gid. The lines in /etc/passwd and /etc/group should look like this:
smmsp:x:25:25:Sendmail:/home/smmsp:/bin/false
smmsp:x:25:smmsp
mkdir /var/spool/clientmqueue
chown smmsp:smmsp /var/spool/clientmqueue
chmod 770 /var/spool/clientmqueue
chmod 700 /var/spool/mqueue
chown root.root /var/spool/mqueue
chmod 777 /var/spool/mail
chown root.root /var/spool/mail
chmod 2555 /usr/sbin/sendmail
chown root.smmsp /usr/sbin/sendmail
Note: /var/spool/mail must be world read/write, otherwise clients can't open their inbox.
Check to make sure of the following:
-r-xr-sr-x root smmsp /usr/sbin/sendmail
drwxrwx--- smmsp smmsp /var/spool/clientmqueue
drwx------ root root /var/spool/mqueue
-r--r--r-- root root /etc/mail/sendmail.cf
-r--r--r-- root root /etc/mail/submit.cf
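An added audit script (not from the original page) that checks the ownership and modes listed above, so the check can be repeated after upgrades or control-panel runs. It assumes GNU coreutils `stat -c` (Linux); the expected values are exactly the ones in the list.

```shell
#!/bin/sh
# Added example: verify the sendmail ownership/mode list above.
# Requires GNU coreutils 'stat -c' (Linux).

# check_mode PATH MODE OWNER GROUP
# Prints one status line; returns 0 on match, 1 on mismatch or missing file.
check_mode() {
  path=$1 want_mode=$2 want_owner=$3 want_group=$4
  if [ ! -e "$path" ]; then
    echo "MISSING  $path"
    return 1
  fi
  # %a = octal mode including setuid/setgid bits, %U/%G = owner/group names
  have=$(stat -c '%a %U %G' "$path")
  if [ "$have" = "$want_mode $want_owner $want_group" ]; then
    echo "OK       $path ($have)"
    return 0
  fi
  echo "MISMATCH $path: have '$have', want '$want_mode $want_owner $want_group'"
  return 1
}

# Walk the list from the page; returns the number of entries that failed.
audit_sendmail_perms() {
  bad=0
  check_mode /usr/sbin/sendmail        2555 root  smmsp || bad=$((bad + 1))
  check_mode /var/spool/clientmqueue   770  smmsp smmsp || bad=$((bad + 1))
  check_mode /var/spool/mqueue         700  root  root  || bad=$((bad + 1))
  check_mode /etc/mail/sendmail.cf     444  root  root  || bad=$((bad + 1))
  check_mode /etc/mail/submit.cf       444  root  root  || bad=$((bad + 1))
  return "$bad"
}

# Run the audit only when invoked as: sh audit.sh --run
case "${1:-}" in
  --run) audit_sendmail_perms ;;
esac
```

Run it as root; a non-zero exit status is the number of entries that do not match.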
OSTYPE(`linux')
You must specify an OSTYPE to properly configure the pathname of the help and status files,
the flags needed for the local mailer, and other important
things.
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
confPRIVACY_FLAGS PrivacyOptions [authwarnings] Privacy flags.
define(`confMAX_MESSAGE_SIZE',`100')dnl
confMAX_MESSAGE_SIZE MaxMessageSize [infinite] The maximum size of
messages that will be accepted (in bytes).
define(`confTO_IDENT', `0')dnl
confTO_IDENT Timeout.ident [5s] The timeout waiting for a
response to an IDENT query.
dnl FEATURE(delay_checks)dnl
delay_checks The rulesets check_mail and check_relay will not be called
when a client connects or issues a MAIL command, respectively.
Instead, those rulesets will be called by the check_rcpt
ruleset; they will be skipped under certain circumstances.
See "Delay all checks" in the anti-spam configuration control
section. Note: this feature is incompatible to the versions
in 8.10 and 8.11.
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
smrsh Use the SendMail Restricted SHell (smrsh) provided
with the distribution instead of /bin/sh for mailing
to programs. This improves the ability of the local
system administrator to control what gets run via
e-mail. If an argument is provided it is used as the
pathname to smrsh; otherwise, the path defined by
confEBINDIR is used for the smrsh binary -- by default,
/usr/libexec/smrsh is assumed.
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
mailertable Include a "mailer table" which can be used to override
routing for particular domains (which are not in class {w},
i.e. local host names). The argument of the FEATURE may be
the key definition. If none is specified, the definition
used is:
hash /etc/mail/mailertable
Keys in this database are fully qualified domain names
or partial domains preceded by a dot -- for example,
"vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU". As a
special case of the latter, "." matches any domain not
covered by other keys. Values must be of the form:
mailer:domain
where "mailer" is the internal mailer name, and "domain"
is where to send the message. These maps are not
reflected into the message header. As a special case,
the forms:
local:user
will forward to the indicated user using the local mailer,
local:
will forward to the original user in the e-mail address
using the local mailer, and
error:code message
error:D.S.N:code message
will give an error message with the indicated SMTP reply
code and message, where D.S.N is an RFC 1893 compliant
error code.
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
virtusertable A domain-specific form of aliasing, allowing multiple
virtual domains to be hosted on one machine. For example,
if the virtuser table contained:
info@foo.com foo-info
info@bar.com bar-info
joe@bar.com error:nouser 550 No such user here
jax@bar.com error:5.7.0:550 Address invalid
@baz.org jane@example.net
then mail addressed to info@foo.com will be sent to the
address foo-info, mail addressed to info@bar.com will be
delivered to bar-info, and mail addressed to anyone at baz.org
will be sent to jane@example.net, mail to joe@bar.com will
be rejected with the specified error message, and mail to
jax@bar.com will also have a RFC 1893 compliant error code
5.7.0.
The username from the original address is passed
as %1 allowing:
@foo.org %1@example.com
meaning someone@foo.org will be sent to someone@example.com.
Additionally, if the local part consists of "user+detail"
then "detail" is passed as %2 and "+detail" is passed as %3
when a match against user+* is attempted, so entries like
old+*@foo.org new+%2@example.com
gen+*@foo.org %2@example.com
+*@foo.org %1%3@example.com
X++@foo.org Z%3@example.com
@bar.org %1%3
and other forms are possible. Note: to preserve "+detail"
for a default case (@domain) %1%3 must be used as RHS.
There are two wildcards after "+": "+" matches only a non-empty
detail, "*" matches also empty details, e.g., user+@foo.org
matches +*@foo.org but not ++@foo.org. This can be used
to ensure that the parameters %2 and %3 are not empty.
All the host names on the left hand side (foo.com, bar.com,
and baz.org) must be in class {w} or class {VirtHost}. The
latter can be defined by the macros VIRTUSER_DOMAIN or
VIRTUSER_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and
MASQUERADE_DOMAIN_FILE, see below). If VIRTUSER_DOMAIN or
VIRTUSER_DOMAIN_FILE is used, then the entries of class
{VirtHost} are added to class {R}, i.e., relaying is allowed
to (and from) those domains. The default map definition is:
hash /etc/mail/virtusertable
A new definition can be specified as the second argument of
the FEATURE macro, such as
FEATURE(`virtusertable', `dbm /etc/mail/virtusers')
FEATURE(redirect)dnl
redirect Reject all mail addressed to "address.REDIRECT" with
a ''551 User has moved; please try <address>'' message.
If this is set, you can alias people who have left
to their new address with ".REDIRECT" appended.
FEATURE(always_add_domain)dnl
always_add_domain
Include the local host domain even on locally delivered
mail. Normally it is not added on unqualified names.
However, if you use a shared message store but do not use
the same user name space everywhere, you may need the host
name on local names. An optional argument specifies
another domain to be added than the local.
FEATURE(use_cw_file)dnl
FEATURE(`use_cw_file') tells sendmail that you want to have it read
an /etc/mail/local-host-names file to get values for class {w}.
FEATURE(use_ct_file)dnl
use_ct_file Read the file /etc/mail/trusted-users to get the
names of users that will be ''trusted'', that is, able to
set their envelope from address using -f without generating
a warning message. The actual filename can be overridden
by redefining confCT_FILE.
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
dnl The '-t' option will retry delivery if e.g. the user runs over his quota.
local_procmail Use procmail or another delivery agent as the local mailer.
The argument to this feature is the pathname of the
delivery agent, which defaults to PROCMAIL_MAILER_PATH.
Note that this does NOT use PROCMAIL_MAILER_FLAGS or
PROCMAIL_MAILER_ARGS for the local mailer; tweak
LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS instead, or
specify the appropriate parameters. When procmail is used,
the local mailer can make use of the
"user+indicator@local.host" syntax; normally the +indicator
is just tossed, but by default it is passed as the -a
argument to procmail.
This feature can take up to three arguments:
1. Path to the mailer program
[default: /usr/local/bin/procmail]
2. Argument vector including name of the program
[default: procmail -Y -a $h -d $u]
3. Flags for the mailer [default: SPfhn9]
Empty arguments cause the defaults to be taken.
For example, this allows it to use the maildrop
(http://www.flounder.net/~mrsam/maildrop/) mailer instead
by specifying:
FEATURE(`local_procmail', `/usr/local/bin/maildrop',
`maildrop -d $u')
or scanmails using:
FEATURE(`local_procmail', `/usr/local/bin/scanmails')
WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally,
i.e., without respecting any definitions in an OSTYPE setting.
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
access_db Turns on the access database feature. The access db gives
you the ability to allow or refuse to accept mail from
specified domains for administrative reasons. Moreover,
it can control the behavior of sendmail in various situations.
By default, the access database specification is:
hash -T<TMPF> /etc/mail/access
See the anti-spam configuration control section for further
important information about this feature. Notice:
"-T<TMPF>" is meant literal, do not replace it by anything.
FEATURE(`blacklist_recipients')dnl
blacklist_recipients
Turns on the ability to block incoming mail for certain
recipient usernames, hostnames, or addresses. For
example, you can block incoming mail to user nobody,
host foo.mydomain.com, or guest@bar.mydomain.com.
These specifications are put in the access db as
described in the anti-spam configuration control section
later in this document.
EXPOSED_USER(`root')dnl
EXPOSED_USER(`usernames')
This adds users to class {E}; you could also use
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
FEATURE(`accept_unresolvable_domains')dnl
dnl We strongly recommend commenting this one out if you want to protect
dnl yourself from spam. However, laptops and users on computers that do
dnl not have 24x7 DNS do need this.
accept_unresolvable_domains
Normally, MAIL FROM: commands in the SMTP session will be
refused if the host part of the argument to MAIL FROM:
cannot be located in the host name service (e.g., an A or
MX record in DNS). If you are inside a firewall that has
only a limited view of the Internet host name space, this
could cause problems. In this case you probably want to
use this feature to accept all domains on input, even if
they are unresolvable.
dnl FEATURE(`relay_based_on_MX')dnl
relay_based_on_MX
Turns on the ability to allow relaying based on the MX
records of the host portion of an incoming recipient; that
is, if an MX record for host foo.com points to your site,
you will accept and relay mail addressed to foo.com. See
description below for more information before using this
feature. Also, see the KNOWNBUGS entry regarding bestmx
map lookups.
FEATURE(`relay_based_on_MX') does not necessarily allow
routing of these messages which you expect to be allowed,
if route address syntax (or %-hack syntax) is used. If
this is a problem, add entries to the access-table or use
FEATURE(`loose_relay_check').
MAILER(smtp)dnl
MAILER(procmail)dnl
These describe the mailers used at the default CS site. The local
mailer is always included automatically. Beware: MAILER declarations
should always be at the end of the configuration file. The general
rules are that the order should be:
local The local and prog mailers. You will almost always
need these; the only exception is if you relay ALL
your mail to another site. This mailer is included
automatically.
smtp The Simple Mail Transport Protocol mailer. This does
not hide hosts behind a gateway or any other
such hack; it assumes a world where everyone is
running the name server. This file actually defines
five mailers: "smtp" for regular (old-style) SMTP to
other servers, "esmtp" for extended SMTP to other
servers, "smtp8" to do SMTP to other servers without
converting 8-bit data to MIME (essentially, this is
your statement that you know the other end is 8-bit
clean even if it doesn't say so), "dsmtp" to do on
demand delivery, and "relay" for transmission to the
RELAY_HOST, LUSER_RELAY, or MAIL_HUB.
The configuration is set to not allow SMTP relaying except from the localhost; anybody attempting to relay off of your hosting server should get the following error message:
Relaying denied', Port: 25, Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC79
Due to the possibilities for spam abuse it is commonplace for hosting providers not to provide SMTP relay service these days. Clients should be able to use their ISP providers to send out email. If you have a particular need to allow your server to accept and forward emails from your clients then your choices are:
1. specialize the configuration to utilize SMTP authentication
2. allow by IP address
3. allow by domain
I don't have much experience with these setups but I would like to add these as optional configurations. If you have some notes regarding any of these post them and I'll add them to the writeups.
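Before allowing relay "by IP address" or "by domain", it helps to see what an untagged access-table entry actually covers: sendmail looks up the full key and then successively shorter forms (dotted prefixes for IP addresses, parent domains for host names), so one short entry can open relaying for far more than intended. The script below is an added example, not part of the original page; it emulates that lookup order over a constructed table built from the /etc/mail/access entries above plus one subnet and one REJECT line.

```shell
#!/bin/sh
# Added example: emulate how sendmail's access_db resolves untagged entries.
# Lookup order (longest match first):
#   IP addresses  192.168.1.10 -> 192.168.1 -> 192.168 -> 192
#   host names    mail.sub.example.com -> sub.example.com -> example.com -> ...
# Constructed sample table: the page's entries plus a subnet and a REJECT line.
ACCESS_TABLE='localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
fatpenguinhosting.com RELAY
192.168.1 RELAY
spammer.example REJECT'

# access_lookup KEY: print the value for an exact key, nothing if absent.
access_lookup() {
  printf '%s\n' "$ACCESS_TABLE" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# ip_verdict ADDR: value of the longest matching dotted prefix, else "default".
ip_verdict() {
  key=$1
  while [ -n "$key" ]; do
    v=$(access_lookup "$key")
    if [ -n "$v" ]; then
      echo "$v"
      return 0
    fi
    case $key in
      *.*) key=${key%.*} ;;   # drop the last octet
      *)   key='' ;;
    esac
  done
  echo default
}

# host_verdict NAME: value of the longest matching domain suffix, else "default".
host_verdict() {
  key=$1
  while [ -n "$key" ]; do
    v=$(access_lookup "$key")
    if [ -n "$v" ]; then
      echo "$v"
      return 0
    fi
    case $key in
      *.*) key=${key#*.} ;;   # drop the leading label
      *)   key='' ;;
    esac
  done
  echo default
}

# "default" means the table is silent and sendmail's normal policy applies:
# relaying denied, the 550 shown above. Note that the single "192.168.1"
# line makes every host in 192.168.1.0/24 a relay client.
```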
to add an email account from the command line, assign a false shell so that it can't be used to log into the system as a shell user:
groupadd subzero
mkdir -p /home/subzero
useradd -s /bin/false -d /home/subzero -g subzero -c "email user" -M subzero
chown -R subzero /home/subzero
passwd subzero
using dig to test the mx records:
dig @serv1.fatpenguinhosting.com mx fatpenguinhosting.com
Important RFCs for electronic mail are:
RFC821 SMTP protocol
RFC822 Mail header format
RFC974 MX routing
RFC976 UUCP mail format
RFC1123 Host requirements (modifies 821, 822, and 974)
RFC1344 Implications of MIME for Internet Mail Gateways
RFC1413 Identification server
RFC1428 Transition of Internet Mail from Just-Send-8 to 8-bit SMTP/MIME
RFC1652 SMTP Service Extension for 8bit-MIMEtransport
RFC1869 SMTP Service Extensions (ESMTP spec)
RFC1870 SMTP Service Extension for Message Size Declaration
RFC1891 SMTP Service Extension for Delivery Status Notifications
RFC1892 Multipart/Report Content Type for the Reporting of Mail System Administrative Messages
RFC1893 Enhanced Mail System Status Codes
RFC1894 An Extensible Message Format for Delivery Status Notifications
RFC1985 SMTP Service Extension for Remote Message Queue Starting
RFC2033 Local Mail Transfer Protocol (LMTP)
RFC2034 SMTP Service Extension for Returning Enhanced Error Codes
RFC2045 Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies
RFC2476 Message Submission
RFC2487 SMTP Service Extension for Secure SMTP over TLS
RFC2554 SMTP Service Extension for Authentication
RFC2821 Simple Mail Transfer Protocol
RFC2822 Internet Message Format
RFC2852 Deliver By SMTP Service Extension
RFC2920 SMTP Service Extension for Command Pipelining