Sendmail: Difference between revisions

From MediaWiki
Jump to navigationJump to search
No edit summary
No edit summary
 
Line 19: Line 19:
All '''queued''' email messages with a recipient address that matches: "'''securecomputing.com'''" will be flushed out. You can also use "'''-qS'''" to match on the "'''sender'''" and "'''-qI'''" to match on the "'''queue ID'''".
All '''queued''' email messages with a recipient address that matches: "'''securecomputing.com'''" will be flushed out. You can also use "'''-qS'''" to match on the "'''sender'''" and "'''-qI'''" to match on the "'''queue ID'''".


== How To Configure SSL Relay for verizon.net ==
== Accept/Reject Mail from Selected Domains/Hosts ==
 
Edit the ''/etc/mail/access'' file and add networks and/or hosts you want to permit access to your sendmail server.
 
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# If you want to use AuthInfo with "M:PLAIN LOGIN", make sure to have the
# cyrus-sasl-plain package installed.
#
# By default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
# Permit all machines in range of 10.8.68.0 - 10.8.68.255 to relay mail through this server
Connect:10.8.68 RELAY
 
Next, compile:
 
makemap hash /etc/mail/access.db < /etc/mail/access
 
Then restart the '''sendmail''' service.
 
systemctl restart sendmail.service
 
== How To Enable TLS ==
 
The instructions below are based on the [https://cromwell-intl.com/open-source/sendmail-ssl.html SMTP over TLS/SSL] article which is an excellent step by step guide for enabling TLS in sendmail.
 
Create a mail certificate directory and enter the new directory:
 
mkdir /etc/mail/cert
cd /etc/mail/cert
 
Create a key for the sendmail server, you will need to provide a new pass phrase when prompted. The next step will create a non-pass-phrase version.
 
openssl genrsa -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.open
 
Create a pass phrase free version of the key (so it is not pass-phrase-protected). Just hit the enter key when prompted and answer any X.509v3 certificate questions appropriately.
 
openssl req -new -x509 -days 3650 -key server.key.open -out server.crt
 
Make the files so only ''root'' can read/write them.
 
chmod 600 server.*
 
Add the following lines to your ''/etc/mail/sendmail.mc'' file (near the end of the file, but before the ''MAILER'' lines).
 
dnl #                                                                                                                                                                                   
dnl # For SSL/TLS                                                                                                                                                                       
dnl #                                                                                                                                                                                   
define(`confCACERT_PATH', `/etc/mail/cert')dnl
define(`confCACERT', `/etc/mail/cert/server.crt')dnl
define(`confSERVER_CERT', `/etc/mail/cert/server.crt')dnl
define(`confSERVER_KEY', `/etc/mail/cert/server.key.open')dnl
define(`confCLIENT_KEY', `/etc/mail/cert/server.crt')dnl
dnl#
 
Recompile your sendmail rules and restart the '''sendmail''' service.
           
cd "/etc/mail";
m4 sendmail.mc > /etc/mail/sendmail.cf;
systemctl restart sendmail.service
 
== How To Configure for verizon.net ==


This following shows the procedure and config entries to facilitate using sendmail on an NST system for relay and authentication.
This following shows the procedure and config entries to facilitate using sendmail on an NST system for relay and authentication.
Line 64: Line 131:
You can use the following examples to test the sendmail configuration:
You can use the following examples to test the sendmail configuration:


  echo "Test from $(hostname) on $(date)" | mailx -v -s "Test from $(hostname)" -r "FROM_EMAIL_ADDR" "TO_EMAIL_ADDR"
FROM="USER@DOMAIN"
TO="USER@DOMAIN"
  echo "Test sent from ${FROM} to ${TO} from host $(hostname) on $(date)" | mailx -v -s "Test from $(hostname)" -r "${FROM}" "${TO}"
  mail;
  mail;
  mailq;
  mailq;
Line 71: Line 140:




== How To Configure SSL Relay for att.net ==
== How To Configure for att.net with SSL/TLS ==


This following shows the procedure and config entries to facilitate using sendmail on an NST system for relay and authentication on a residential AT&T Fiber connection circa 2018. It is similar to the Verizon configuration.
This following shows the procedure and config entries to facilitate using sendmail on an NST system for relay and authentication on a residential AT&T Fiber connection circa 2018. It is similar to the Verizon configuration, but requires TLS for communications to the server.


Problem: AT&T blocks TCP port 25, therefore a relay setup to smtp.mail.att.net is used. Reference: https://www.linuxquestions.org/questions/slackware-14/sendmail-smtp-auth-howto-224543/
Problem: AT&T blocks TCP port 25, therefore a relay setup to smtp.mail.att.net is used. Reference: https://www.linuxquestions.org/questions/slackware-14/sendmail-smtp-auth-howto-224543/
=== Enable TLS ===
Follow the instructions in the [[#How To Enable TLS]] section to enable your '''sendmail''' service to use TLS when communicating with the AT&T mail server.


=== Stop the sendmail Service ===
=== Stop the sendmail Service ===
Line 125: Line 198:
You can use the following examples to test the sendmail configuration:
You can use the following examples to test the sendmail configuration:


  set FROM="USER@DOMAIN"
  FROM="USER@DOMAIN"
  set TO="USER@DOMAIN"
  TO="USER@DOMAIN"
  echo "Test from $(hostname) on $(date)" | mailx -v -s "Test from $(hostname)" -r "${FROM}" "${TO}"
  echo "Test sent from ${FROM} to ${TO} from host $(hostname) on $(date)" | mailx -v -s "Test from $(hostname)" -r "${FROM}" "${TO}"
  mail;
  mail;
  mailq;
  mailq;
  tail -6 /var/log/maillog;
  tail -6 /var/log/maillog;
sendmail -d0.1 -bv;

Latest revision as of 08:51, 7 June 2018

How To Flush Out All Email Messages From The Sendmail Queue

Sometimes email messages can be queued up with the Mail Transport Agent: "sendmail". The following command line can be used to manually try to immediately flush out All emails queued up by "sendmail". Even though a "sendmail" service may be running, this command is Ok to use, it will only run once and then terminate.

Try To Flush Out The Entire "sendmail" Queue:
[root@probe-222 root]# /usr/local/sbin/sendmail -q -v


How To Flush Out A Specific Email Message From The Sendmail Queue

"sendmail" can be told to only flush out certain emails from the "queue" with an additional argument to "-q". One can flush email messages that match a specific recipient's address:

Try To Flush Out A Specific "sendmail" Queued Email Message:
[root@probe-222 root]# /usr/local/sbin/sendmail -qR "securecomputing.com" -v

All queued email messages with a recipient address that matches: "securecomputing.com" will be flushed out. You can also use "-qS" to match on the "sender" and "-qI" to match on the "queue ID".

Accept/Reject Mail from Selected Domains/Hosts

Edit the /etc/mail/access file and add networks and/or hosts you want to permit access to your sendmail server. 

# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# If you want to use AuthInfo with "M:PLAIN LOGIN", make sure to have the 
# cyrus-sasl-plain package installed.
#
# By default we allow relaying from localhost...
Connect:localhost.localdomain	RELAY
Connect:localhost	RELAY
Connect:127.0.0.1	RELAY
# Permit all machines in range of 10.8.68.0 - 10.8.68.255 to relay mail through this server
Connect:10.8.68	RELAY

Next, compile: 

makemap hash /etc/mail/access.db < /etc/mail/access

Then restart the sendmail service. 

systemctl restart sendmail.service

How To Enable TLS

The instructions below are based on the SMTP over TLS/SSL article which is an excellent step by step guide for enabling TLS in sendmail.

Create a mail certificate directory and enter the new directory: 

mkdir /etc/mail/cert
cd /etc/mail/cert

Create a key for the sendmail server, you will need to provide a new pass phrase when prompted. The next step will create a non-pass-phrase version. 

openssl genrsa -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.open

Create a pass phrase free version of the key (so it is not pass-phrase-protected). Just hit the enter key when prompted and answer any X.509v3 certificate questions appropriately. 

openssl req -new -x509 -days 3650 -key server.key.open -out server.crt

Make the files so only root can read/write them. 

chmod 600 server.*

Add the following lines to your /etc/mail/sendmail.mc file (near the end of the file, but before the MAILER lines). 

dnl #                                                                                                                                                                                     
dnl # For SSL/TLS                                                                                                                                                                         
dnl #                                                                                                                                                                                     
define(`confCACERT_PATH', `/etc/mail/cert')dnl
define(`confCACERT', `/etc/mail/cert/server.crt')dnl
define(`confSERVER_CERT', `/etc/mail/cert/server.crt')dnl
define(`confSERVER_KEY', `/etc/mail/cert/server.key.open')dnl
define(`confCLIENT_KEY', `/etc/mail/cert/server.crt')dnl
dnl#

Recompile your sendmail rules and restart the sendmail service. 

cd "/etc/mail";
m4 sendmail.mc > /etc/mail/sendmail.cf;
systemctl restart sendmail.service

How To Configure for verizon.net

This following shows the procedure and config entries to facilitate using sendmail on an NST system for relay and authentication.

Problem: Verizon blocks TCP port 25, therefore a relay setup to smtp.aol.com (Verizon uses AOL email) is used. Reference: https://www.linuxquestions.org/questions/slackware-14/sendmail-smtp-auth-howto-224543/

Stop the sendmail Service

systemctl stop sendmail.service;

Create authinfo file: "/etc/mail/auth/authinfo"

Following shows contents of /etc/mail/auth/authinfo. NOTE: Change USERID and PASSWORD to the verizon.net account you will be using to send mail with. 

AuthInfo:smtp.aol.com "U:USERID@verizon.net" "P:PASSWORD" "M:PLAIN"
AuthInfo: "U:USERID@verizon.net" "P:PASSWORD" "M:PLAIN"

Compile

cd "/etc/mail/auth";
makemap hash authinfo < authinfo;

Create Relay Entries

Add the following entries to the file: "/etc/mail/sendmail.mc" 

define(`SMART_HOST',`smtp.aol.com')dnl
define(`RELAY_MAILER',`esmtp')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/authinfo')dnl

Compile

cd "/etc/mail";
m4 sendmail.mc > /etc/mail/sendmail.cf;

Start the sendmail Service

systemctl start sendmail.service;

Testing

You can use the following examples to test the sendmail configuration: 

FROM="USER@DOMAIN"
TO="USER@DOMAIN"
echo "Test sent from ${FROM} to ${TO} from host $(hostname) on $(date)" | mailx -v -s "Test from $(hostname)" -r "${FROM}" "${TO}"
mail;
mailq;
tail -6 /var/log/maillog;
sendmail -d0.1 -bv;


How To Configure for att.net with SSL/TLS

This following shows the procedure and config entries to facilitate using sendmail on an NST system for relay and authentication on a residential AT&T Fiber connection circa 2018. It is similar to the Verizon configuration, but requires TLS for communications to the server.

Problem: AT&T blocks TCP port 25, therefore a relay setup to smtp.mail.att.net is used. Reference: https://www.linuxquestions.org/questions/slackware-14/sendmail-smtp-auth-howto-224543/

Enable TLS

Follow the instructions in the #How To Enable TLS section to enable your sendmail service to use TLS when communicating with the AT&T mail server.

Stop the sendmail Service

systemctl stop sendmail.service;

Create authinfo file: "/etc/mail/auth/authinfo"

Create the auth sub-directory (if not present). 

install -d /etc/mail/auth

Following shows contents of /etc/mail/auth/authinfo. NOTE: Change USERID and PASSWORD to the att.net account you will be using to send mail with. 

AuthInfo:smtp.mail.att.net "U:USERID@att.net" "P:PASSWORD" "M:PLAIN"
AuthInfo: "U:USERID@att.net" "P:PASSWORD" "M:PLAIN"

Change permissions to 600 so password can only be viewed by the root user. 

chmod 600 /etc/mail/auth/authinfo

Compile

cd "/etc/mail/auth";
makemap hash authinfo < authinfo;

Create Relay Entries

Add the following entries to the file: "/etc/mail/sendmail.mc". This can go near the end of the file, but needs to be prior to the MAILER directives. 

define(`SMART_HOST',`smtp.mail.att.net')dnl
define(`RELAY_MAILER',`esmtp')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 465')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/authinfo')dnl

Compile

cd "/etc/mail";
m4 sendmail.mc > /etc/mail/sendmail.cf;

Start the sendmail Service

systemctl start sendmail.service;
systemctl enable sendmail.service;

Testing

You can use the following examples to test the sendmail configuration: 

FROM="USER@DOMAIN"
TO="USER@DOMAIN"
echo "Test sent from ${FROM} to ${TO} from host $(hostname) on $(date)" | mailx -v -s "Test from $(hostname)" -r "${FROM}" "${TO}"
mail;
mailq;
tail -6 /var/log/maillog;
Retrieved from "https://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=Sendmail&oldid=8887"