LinuxWebLog.com

Logjam broke Sendmail?

Generate new DH keys file:

Edit sendmail.mc:

Update sendmail.cf and restart:

Refer to https://weakdh.org/sysadmin.html for other service fixes.

Below one liner, pipes mailq command to sed, which prints out every 3rd line starting from line 5 capturing only the email addresses and producing report of the top 10 email addresses in sendmail mail queue.

Below is how I have migrated mail server with minimum downtime and routing mail to the new server via mailertable, if IP is still pointing to the old server and has not resolved for some ISPs.

• 48 hours prior to migration, set the TTL value for the mail server DNS A record to a short time like 15 minutes.
  
• Prepare for the migration, rsycing the mail spool folder and the user home mail folders.
  
  rsync --progress -a -e "ssh -i /root/.ssh/key -p 22" old.mailserver:/var/spool/mail/ /var/spool/mail/
rsync --progress -a -e "ssh -i /root/.ssh/key -p 22" old.mailserver:/var/www/web1/mail/ /var/www/web1/mail/
rsync --progress -a -e "ssh -i /root/.ssh/key -p 22" --exclude='*/bak' --exclude='*/web' old.mailserver:/var/www/web1/user/ /var/www/web1/user/
• At the time of migration, firewall incoming port 25 on the old mail server and update the DNS A record to point to the new server.
  
• Run rsync the final time.
  
• Setup Sendmail with mailertable to relay mail coming in to the old server over to the new mail server. This is a similar setup for secondary mail servers.
  
• Add "FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl" to "/etc/mail/sendmail.mc" if it does not already exist.
  
• Create "/etc/mail/mailertable" file with contents of the routing table:
  
  domain.tld esmtp:[xxx.xxx.xxx.xxx]
  
  The square brackets skips checking MX records, so IP can be used instead.
• Remove domain name from "/etc/mail/local-host-names" so mails do not get delivered locally.
  
• Edit "/etc/mail/access" to relay mail for the domain.
  
  TO:domain.tld RELAY
• Rebuild the access and mailertable databases.
  
  cd /etc/mail
makemap hash access.db < access
makemap hash mailertable.db < mailertable
• Restart sendmail and open up the firewall.
  
• Test by telneting to port 25 on the old servers' IP and sending email. This should get relayed over to the new server.
  
• Use a new subdomain and redirect existing webmail url to the new server.

As root you can redeliver all mail in the mail server queue via:

If you put multiple addresses in a .forward file, a copy will be sent to each.

If you want to keep a copy of each message in the original account without causing a .forward infinite loop, put a backslash in front of the account name.

The below is specific to CentOS-5.4 and may work similarly with other distros.

• Additional packages required if not installed already:
  

  sendmail-cf
  m4
  make
  cyrus-sasl-plain

• Edit ”/etc/mail/sendmail.mc”:
  
  define(`SMART_HOST', `{smtprelay.domain.tld}')dnl
FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
• Create file ”/etc/mail/authinfo” with below contents and chmod 640:
  
  AuthInfo:smtprelay.domain.tld "U:{username}" "P:{password}" "M:PLAIN"
• Update the sendmail conf and db hashes:
  
  cd /etc/mail
make
• Restart sendmail for the new configs to pick up.
  
• Now mails sent to localhost is relayed via your SMTP provider.

1. Edit /etc/mail/sendmail.mc and add the below lines replacing domain.tld with the actual domain name:
   dnl # BEGIN: Rewriting Sender addresses for Entire Domain
dnl #
dnl # Process login names through the genericstable
FEATURE(`genericstable', `hash -o /etc/mail/genericstable.db9;)dnl
dnl # Interpret the value in G as a domain name
FEATURE(generics_entire_domain)dnl
dnl # masquerade not just the headers, but the envelope as well
FEATURE(masquerade_envelope)dnl
dnl # Load domain.tld into G
GENERICS_DOMAIN(domain.tld)dnl
dnl #
dnl # END: Rewriting Sender addresses for Entire Domain

2. Create /etc/mail/genericstable, which is very similar to an /etc/aliases, two columns separated by whitespace:
   web1_user1    user1@domain.tld
web1_user2    user2@domain.tld
web1_user3    user3@domain.tld

3. Create the db:
   # makemap -hash /etc/mail/genericstable < /etc/mail/genericstable

4. Restart sendmail.

Feature "genericstable" tells sendmail to use the generics table.

Feature "generics_entire_domain" allows to add hosts to genericstable without having to rebuild sendmail.cf.

Feature "masquerade_envelope" applies the rewriting process to the mail envelope as well as to the mail header.

"GENERICS_DOMAIN" defines the domains to which you wish to apply the generics table.

When submitting mail by using sendmail as a mail submission program, sendmail copies all messages to "/var/spool/clientmqueue" first. Sendmail is a setgid smmsp program and thus gives any user the permission to do so (/var/spool/clientmqueue belongs to user and group smmsp). Later, another sendmail process, the sendmail mail transfer agent (MTA) copies the messages from /var/spool/clientmqueue to /var/spool/mqueue and sends them to their destination.

/var/spool/clientmqueue is thus the holding area used by the MSP (Mail Submission Protocol) sendmail instance before it injects the messages into the main MTA (Mail Transport Agent) sendmail instance.

Sendmail will save the message in /var/spool/clientmqueue for safe keeping before trying to connect to the MTA to get the message delivered. Normally there would be a 'queue runner' MSP sendmail instance which every half hour would retry sending any message that couldn't be sent immediately. Each message will generate a 'df' (message routing info) and 'qf' (message headers and body) file. You can list out all of the messages and their status by:

When files accumulate in /var/spool/clientmqueue, this is probably due to sendmail localhost MTA not running, and thus the mails don't get send.

1. Backup files:
   
      /etc/mail/sendmail.mc
   /etc/mail/sendmail.cf
   /etc/mail/access
   /etc/mail/access.db
   /etc/aliases
2. These changes go in the /etc/mail/sendmail.mc file:

   Security enhancements:

   • Require a HELO or EHLO greeting from the sending SMTP server.
     
   • Put limits on Sendmail forks and other settings to stop a DOS attack from overwhelming server.
     
   • Munge the Sendmail server identification.
     
   • Recipient throttle to identify when an envelope arrives with more than 4 invalid users, presuming that this is a dictionary attack.
     
   • Limit the number of recipients in a single message.
   dnl #
dnl #start security mods
define(`confPRIVACY_FLAGS�39;, `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl
define(`confMAX_DAEMON_CHILDREN',20)dnl
define(`confSMTP_LOGIN_MSG',$j Sendmail; $b)dnl
define(`confMIN_FREE_BLOCKS', `4000')dnl
define(`confMAX_HEADERS_LENGTH', `32000')dnl
define(`confMAX_MIME_HEADER_LENGTH', `1024')dnl
define(`confBAD_RCPT_THROTTLE',`4')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `10')
dnl #end security mods
dnl #

   Enable DNS BlockLists:

   dnl #
dnl # Begin Spam Block Enhancement mod
dnl # Start BlockList
FEATURE(`dnsbl', `bl.spamcop.net', `"554 Spam blocked - see http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`dnsbl', `zen.spamhaus.org', `"554 Rejected - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
dnl # sorbs dynamic user list ( not dial up )
FEATURE(`dnsbl', `dul.dnsbl.sorbs.net', `"554 Rejected "$&{client_addr}"; - see http://dnsbl.sorbs.net"')dnl
dnl # End BlockList
dnl # Start dont bounce errors back to me
define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')dnl
dnl # End dont bounce
dnl # Start delay checks, so we see the intended recipient
dnl # Added friend so we can exempt specified local user via access file
FEATURE(`delay_checks',`friend')dnl
dnl # End delay checks
dnl # End Spam Block Enhancement mod
dnl #

   All of the above should go before the line:

   FEATURE(`blacklist_recipients')dnl

   Notes:

   The above Double Bounce Address throws the double bounces into the bit bucket.

   The delay_checks feature causes it to log the sender from address and other info, when it rejects spam.

3. Create an alias in "/etc/aliases" called dev-null and point it to "/dev/null":
   dev-null: /dev/null

4. In file "/etc/mail/access", enter:
   Connect:xxx.xxx.xxx.xxx OK

   where xxx.xxx.xxx.xxx is the server IP. This keeps you from blocking yourself, if you happen to get listed in one of the blocklists used!

5. To apply the configurations, run:
   # newaliases
# makemap hash /etc/mail/access.db < /etc/mail/access
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /sbin/service sendmail restart

The -b switch instructs sendmail to "Become"/operate in a mode.
The -d0 switch, instructs sendmail to produce debugging information.
The level .11 prints more information than the default level of .1 .
The -bp switch instructs sendmail to print the contents of the queue.

You can verify aliases with the -bv switch:

To run sendmail verbosely, use the -v switch: