Sendmail

Sendmail tips...

sendmail dh key too small

Logjam broke Sendmail?

Generate new DH keys file:

cd /etc/pki/tls/certs
openssl dhparam -out dhparams.pem 2048

Edit sendmail.mc:

define(`confDH_PARAMETERS', `/etc/pki/tls/certs/dhparams.pem')dnl

Update sendmail.cf and restart:

cd /etc/mail
make
service sendmail restart

Refer to https://weakdh.org/sysadmin.html for other service fixes.
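The rotation above, as an added shell example that is not from the original page: it generates the parameters to a scratch file, verifies the modulus size from the `openssl dhparam -text` output before installing, and adds or updates the confDH_PARAMETERS line in sendmail.mc without duplicating it. The function names and the `.tmp.$$` scratch file are assumptions of mine; the mc rebuild and restart are left to the `make` step shown above.

```shell
#!/bin/sh
# Added example (not from the page): safe DH parameter rotation for Sendmail.
# The new file only replaces the old one once it is at least MIN_BITS; the
# sendmail.mc edit is idempotent. Afterwards run `cd /etc/mail && make` and
# restart sendmail, as in the steps above.

dh_param_bits() {
    # Reads `openssl dhparam -in FILE -noout -text` on stdin and prints the
    # modulus size. The header reads "DH Parameters: (2048 bit)" on OpenSSL 3
    # and "PKCS#3 DH Parameters: (2048 bit)" on 1.x; both forms match.
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

check_dh_file() {
    # $1 PEM file, $2 minimum bits (default 2048). Returns 0 when acceptable.
    have=$(openssl dhparam -in "$1" -noout -text 2>/dev/null | dh_param_bits)
    [ -n "$have" ] && [ "$have" -ge "${2:-2048}" ]
}

set_dh_define() {
    # $1 sendmail.mc, $2 path to the params file. Replaces an existing active
    # define(`confDH_PARAMETERS'...) line or appends one; lines commented out
    # with dnl are ignored. A temp file is used instead of sed -i for portability.
    if grep -q "^define(.confDH_PARAMETERS'" "$1"; then
        tmp="$1.tmp.$$"
        sed "s|^define(.confDH_PARAMETERS'.*|define(\`confDH_PARAMETERS', \`$2')dnl|" "$1" >"$tmp" \
            && mv "$tmp" "$1"
    else
        printf "define(\`confDH_PARAMETERS', \`%s')dnl\n" "$2" >>"$1"
    fi
}

rotate_dh_params() {
    # $1 target PEM (e.g. /etc/pki/tls/certs/dhparams.pem), $2 bits, $3 sendmail.mc
    bits=${2:-2048}
    tmp=$(mktemp) || return 1
    openssl dhparam -out "$tmp" "$bits" 2>/dev/null || { rm -f "$tmp"; return 1; }
    check_dh_file "$tmp" "$bits" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv "$tmp" "$1" && set_dh_define "$3" "$1"
}
```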

Get a count of top 10 emails that are in mail queue

The one-liner below pipes the mailq output through sed, which prints every third line starting at line 5 (the address line of each queue entry), then counts and sorts the addresses and prints the top 10 in the sendmail mail queue.

mailq | sed -n '5~3p' | sort  | uniq -c | sort -nr | head
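A more robust version of that report, as an added shell example that is not from the original page: instead of assuming every queue entry is exactly three lines, it parses the structure of the mailq entries with awk, so entries with several recipients or without a status line are counted correctly, and it can count senders as well. The mailq output embedded below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page): count queued mail per address by parsing
# the structure of mailq output rather than taking every third line.
# Usage: mailq | mailq_top_addresses recipient 10
#        mailq | mailq_top_addresses sender

mailq_top_addresses() {
    # $1: "recipient" (default) or "sender"; $2: number of rows to show (default 10)
    awk -v mode="${1:-recipient}" '
        # Entry header: queue id (optionally flagged * X -), size, date, <sender>
        /^[0-9A-Za-z]+[*X-]?[ \t]+[0-9]+[ \t]/ {
            in_entry = 1
            if (mode == "sender") { a = $NF; gsub(/[<>]/, "", a); count[a]++ }
            next
        }
        # Parenthesised status/diagnostic lines carry no address
        /^[ \t]*\(/ { next }
        # Indented lines holding only an address are recipients of the current entry
        in_entry && mode == "recipient" && /^[ \t]+<?[^ \t<>]+@[^ \t<>]+>?[ \t]*$/ {
            a = $1; gsub(/[<>]/, "", a); count[a]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -k1,1nr -k2 | head -n "${2:-10}"
}

# Constructed sample of mailq output: three entries, one with two recipients,
# one without a status line, one locked (*) by a running queue runner.
SAMPLE_MAILQ='        /var/spool/mqueue (3 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
u1A0B1C2D30001      2048 Mon Jan  1 10:00 <alice@example.org>
                 (Deferred: Connection timed out with mx.example.net.)
                                         <bob@example.net>
                                         <carol@example.net>
u1A0B1C2D30002*     1024 Mon Jan  1 10:05 <alice@example.org>
                                         <bob@example.net>
u1A0B1C2D30003      4096 Mon Jan  1 10:07 <dave@example.com>
                 (host map: lookup (example.net): deferred)
                                         <bob@example.net>
        Total requests: 3'

demo_report() {
    # Runs the parser over the constructed sample and returns the top recipient line
    printf '%s\n' "$SAMPLE_MAILQ" | mailq_top_addresses recipient 1
}
```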

Migrating Sendmail Mail Server

Below is how I have migrated a mail server with minimum downtime, routing mail to the new server via mailertable if the IP is still pointing to the old server and has not resolved for some ISPs.

  • 48 hours prior to migration, set the TTL value for the mail server DNS A record to a short time like 15 minutes.
  • Prepare for the migration by rsyncing the mail spool folder and the user home mail folders.
    rsync --progress -a -e "ssh -i /root/.ssh/key -p 22" old.mailserver:/var/spool/mail/ /var/spool/mail/
    rsync --progress -a -e "ssh -i /root/.ssh/key -p 22" old.mailserver:/var/www/web1/mail/ /var/www/web1/mail/
    rsync --progress -a -e "ssh -i /root/.ssh/key -p 22" --exclude='*/bak' --exclude='*/web' old.mailserver:/var/www/web1/user/ /var/www/web1/user/
  • At the time of migration, firewall incoming port 25 on the old mail server and update the DNS A record to point to the new server.
  • Run rsync the final time.
  • Set up Sendmail with mailertable to relay mail coming in to the old server over to the new mail server. This is similar to the setup for secondary mail servers.
  • Add "FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl" to "/etc/mail/sendmail.mc" if it does not already exist.
  • Create "/etc/mail/mailertable" file with contents of the routing table:
    domain.tld esmtp:[xxx.xxx.xxx.xxx]

    The square brackets skip the MX record check, so an IP address can be used instead of a hostname.
  • Remove the domain name from "/etc/mail/local-host-names" so mail does not get delivered locally.
  • Edit "/etc/mail/access" to relay mail for the domain.
    TO:domain.tld RELAY
  • Rebuild the access and mailertable databases.
    cd /etc/mail
    makemap hash access.db < access
    makemap hash mailertable.db < mailertable
  • Restart sendmail and open up the firewall.
  • Test by telnetting to port 25 on the old server's IP and sending an email. This should get relayed over to the new server.
  • Use a new subdomain and redirect the existing webmail URL to the new server.
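A consistency check for the relay steps above, as an added shell example that is not from the original page: for a migrated domain it confirms the mailertable route exists and uses a bracketed literal host, that access permits To:domain RELAY, and that the domain is gone from local-host-names. The file paths are parameters so it can be run against staged copies before makemap; the sample files and the 192.0.2.10 address are constructed.

```shell
#!/bin/sh
# Added example (not from the page): sanity-check the relay configuration for a
# migrated domain before rebuilding the maps. A domain left in local-host-names
# is delivered locally on the old server instead of being forwarded, and an
# unbracketed route triggers an MX lookup that may point back at the old host.

relay_check() {
    # $1 domain, $2 mailertable, $3 access, $4 local-host-names
    # Prints one line per problem; the return value is the number of problems.
    domain=$1; problems=0
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')   # literal dots for grep
    route=$(awk -v d="$domain" '$1 == d { print $2 }' "$2")
    if [ -z "$route" ]; then
        echo "$domain: no mailertable entry"; problems=$((problems + 1))
    else
        case "$route" in
            esmtp:\[*\]|smtp:\[*\]|relay:\[*\]) ;;   # bracketed host: MX lookup skipped
            *) echo "$domain: route '$route' has no [brackets]; MX records will be looked up"
               problems=$((problems + 1)) ;;
        esac
    fi
    # makemap folds access keys to lower case, so match the tag case-insensitively
    if ! grep -iEq "^to:$esc[[:space:]]+relay[[:space:]]*$" "$3"; then
        echo "$domain: no 'To:$domain RELAY' line in access"; problems=$((problems + 1))
    fi
    if grep -ixq "$esc" "$4"; then
        echo "$domain: still listed in local-host-names (mail would be delivered locally)"
        problems=$((problems + 1))
    fi
    return $problems
}
```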

resend all mails in sendmail queue

As root you can redeliver all mail in the mail server queue via:

sendmail -v -q

Using a .forward to send mail to multiple accounts

If you put multiple addresses in a .forward file, a copy will be sent to each.

remoteuser1@domain.tld, remoteuser2@domain.tld, remoteuser3@domain.tld

If you want to keep a copy of each message in the original account without causing a .forward infinite loop, put a backslash in front of the account name.

\localuser, remoteuser1@domain.tld, remoteuser2@domain.tld, remoteuser3@domain.tld

Relay email via SMTP provider using sendmail

The below is specific to CentOS-5.4 and may work similarly with other distros.

  • Additional packages required if not installed already:

    sendmail-cf
    m4
    make
    cyrus-sasl-plain

  • Edit "/etc/mail/sendmail.mc":
    define(`SMART_HOST', `{smtprelay.domain.tld}')dnl
    FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
  • Create the file "/etc/mail/authinfo" with the contents below and chmod it to 640:
    AuthInfo:smtprelay.domain.tld "U:{username}" "P:{password}" "M:PLAIN"
  • Update the sendmail conf and db hashes:
    cd /etc/mail
    make
  • Restart sendmail to pick up the new configuration.
  • Mail sent to localhost is now relayed via your SMTP provider.

Rewriting Sender addresses for Entire Domain in Sendmail

  1. Edit /etc/mail/sendmail.mc and add the below lines replacing domain.tld with the actual domain name:

    dnl # BEGIN: Rewriting Sender addresses for Entire Domain
    dnl #
    dnl # Process login names through the genericstable
    FEATURE(`genericstable', `hash -o /etc/mail/genericstable.db')dnl
    dnl # Interpret the value in G as a domain name
    FEATURE(generics_entire_domain)dnl
    dnl # masquerade not just the headers, but the envelope as well
    FEATURE(masquerade_envelope)dnl
    dnl # Load domain.tld into G
    GENERICS_DOMAIN(domain.tld)dnl
    dnl #
    dnl # END: Rewriting Sender addresses for Entire Domain

  2. Create /etc/mail/genericstable, which is very similar to /etc/aliases: two columns separated by whitespace:

    web1_user1    user1@domain.tld
    web1_user2    user2@domain.tld
    web1_user3    user3@domain.tld

  3. Create the db:

    # makemap hash /etc/mail/genericstable.db < /etc/mail/genericstable

  4. Restart sendmail.

Feature "genericstable" tells sendmail to use the generics table.

Feature "generics_entire_domain" allows hosts to be added to the genericstable without having to rebuild sendmail.cf.

Feature "masquerade_envelope" applies the rewriting process to the mail envelope as well as to the mail header.

"GENERICS_DOMAIN" defines the domains to which you wish to apply the generics table.

sendmail use of clientmqueue and mqueue folders

When submitting mail by using sendmail as a mail submission program, sendmail copies all messages to "/var/spool/clientmqueue" first. Sendmail is a setgid smmsp program and thus gives any user the permission to do so (/var/spool/clientmqueue belongs to user and group smmsp). Later, another sendmail process, the sendmail mail transfer agent (MTA) copies the messages from /var/spool/clientmqueue to /var/spool/mqueue and sends them to their destination.

/var/spool/clientmqueue is thus the holding area used by the MSP (Mail Submission Protocol) sendmail instance before it injects the messages into the main MTA (Mail Transport Agent) sendmail instance.

Sendmail will save the message in /var/spool/clientmqueue for safe keeping before trying to connect to the MTA to get the message delivered. Normally there would be a 'queue runner' MSP sendmail instance which every half hour would retry sending any message that couldn't be sent immediately. Each message will generate a 'df' (message routing info) and 'qf' (message headers and body) file. You can list out all of the messages and their status by:

# mailq -v -Ac

When files accumulate in /var/spool/clientmqueue, this is probably because the local sendmail MTA is not running, so the mail does not get sent.
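A check for exactly that situation, as an added shell example that is not from the original page: it counts the qf files in a queue directory, how many have waited longer than a threshold, and whether the listening MTA process is present. It assumes find(1) with -mmin and -maxdepth (GNU and BSD both have them), pgrep(1), and that the MTA daemon titles itself "sendmail: accepting connections".

```shell
#!/bin/sh
# Added example (not from the page): detect a backlog in the MSP queue.
# A silent local MTA is the usual reason clientmqueue fills up, so the check
# reports the daemon's absence alongside the stuck message count.

queue_stats() {
    # $1 queue directory, $2 age threshold in minutes. Prints "TOTAL OLD".
    total=$(find "$1" -maxdepth 1 -type f -name 'qf*' | wc -l | tr -d ' ')
    old=$(find "$1" -maxdepth 1 -type f -name 'qf*' -mmin "+$2" | wc -l | tr -d ' ')
    echo "$total $old"
}

mta_running() {
    # The listening sendmail MTA sets its process title to this string.
    pgrep -f 'sendmail: accepting connections' >/dev/null 2>&1
}

clientmqueue_check() {
    # $1 queue dir (default /var/spool/clientmqueue), $2 age in minutes
    # (default 30, the MSP queue runner's retry interval described above).
    # Returns 1 when messages older than the threshold are waiting.
    dir=${1:-/var/spool/clientmqueue}; age=${2:-30}
    set -- $(queue_stats "$dir" "$age")
    if [ "$2" -gt 0 ]; then
        echo "WARNING: $2 of $1 messages in $dir have waited more than $age min"
        mta_running || echo "  no 'sendmail: accepting connections' process: start the MTA"
        echo "  inspect with: mailq -v -Ac"
        return 1
    fi
    echo "OK: $1 messages in $dir, none older than $age min"
}
```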

Sendmail tips

  1. Backup files:
       /etc/mail/sendmail.mc
       /etc/mail/sendmail.cf
       /etc/mail/access
       /etc/mail/access.db
       /etc/aliases
  2. These changes go in the /etc/mail/sendmail.mc file:

    Security enhancements:

    • Require a HELO or EHLO greeting from the sending SMTP server.
    • Put limits on Sendmail forks and other settings to stop a DoS attack from overwhelming the server.
    • Munge the Sendmail server identification.
    • Recipient throttle to identify when an envelope arrives with more than 4 invalid users, presuming that this is a dictionary attack.
    • Limit the number of recipients in a single message.

    dnl #
    dnl #start security mods
    define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl
    define(`confMAX_DAEMON_CHILDREN',20)dnl
    define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
    define(`confMIN_FREE_BLOCKS', `4000')dnl
    define(`confMAX_HEADERS_LENGTH', `32000')dnl
    define(`confMAX_MIME_HEADER_LENGTH', `1024')dnl
    define(`confBAD_RCPT_THROTTLE',`4')dnl
    define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
    dnl #end security mods
    dnl #

    Enable DNS BlockLists:

    dnl #
    dnl # Begin Spam Block Enhancement mod
    dnl # Start BlockList
    FEATURE(`dnsbl', `bl.spamcop.net', `"554 Spam blocked - see http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
    FEATURE(`dnsbl', `zen.spamhaus.org', `"554 Rejected - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
    dnl # sorbs dynamic user list ( not dial up )
    FEATURE(`dnsbl', `dul.dnsbl.sorbs.net', `"554 Rejected "$&{client_addr}"; - see http://dnsbl.sorbs.net"')dnl
    dnl # End BlockList
    dnl # Start dont bounce errors back to me
    define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')dnl
    dnl # End dont bounce
    dnl # Start delay checks, so we see the intended recipient
    dnl # Added friend so we can exempt specified local user via access file
    FEATURE(`delay_checks',`friend')dnl
    dnl # End delay checks
    dnl # End Spam Block Enhancement mod
    dnl #

    All of the above should go before the line:

    FEATURE(`blacklist_recipients')dnl

    Notes:

    The above Double Bounce Address throws the double bounces into the bit bucket.

    The delay_checks feature causes sendmail to log the sender's From address and other details when it rejects spam.

  3. Create an alias in "/etc/aliases" called dev-null and point it to "/dev/null":

    dev-null: /dev/null

  4. In file "/etc/mail/access", enter:

    Connect:xxx.xxx.xxx.xxx OK

    where xxx.xxx.xxx.xxx is the server's IP. This keeps you from blocking yourself if you happen to get listed in one of the blocklists used.

  5. To apply the configurations, run:

    # newaliases
    # makemap hash /etc/mail/access.db < /etc/mail/access
    # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
    # /sbin/service sendmail restart
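An audit of a sendmail.mc against the hardening settings listed above (and the confDH_PARAMETERS define from the Logjam section), as an added shell example that is not from the original page. It ignores lines commented out with dnl, and also flags FEATURE(promiscuous_relay), a real m4 feature that turns the host into an open relay and which this page does not mention; the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page): report hardening settings missing from a
# sendmail.mc. Each finding is printed and the return value is the count, so
# it drops into a config check before `make` in /etc/mail.

mc_active() { grep -v '^[[:space:]]*dnl' "$1"; }     # drop dnl comment lines
mc_has()    { mc_active "$1" | grep -Eq "$2"; }       # $2 is an extended regex

audit_mc() {
    # $1 sendmail.mc; prints one line per finding, returns the number of findings
    f=$1; n=0
    flags=$(mc_active "$f" | sed -n 's/.*confPRIVACY_FLAGS[^,]*,[^a-z]*\([a-z,]*\).*/\1/p')
    for flag in authwarnings novrfy noexpn restrictqrun needmailhelo; do
        case ",$flags," in
            *,"$flag",*) ;;
            *) echo "MISSING: confPRIVACY_FLAGS lacks $flag"; n=$((n + 1)) ;;
        esac
    done
    for opt in confMAX_DAEMON_CHILDREN confBAD_RCPT_THROTTLE confMAX_RCPTS_PER_MESSAGE \
               confMAX_HEADERS_LENGTH confDH_PARAMETERS; do
        mc_has "$f" "^define\(.$opt'" || { echo "MISSING: define of $opt"; n=$((n + 1)); }
    done
    for feat in dnsbl delay_checks; do
        mc_has "$f" "^FEATURE\(.$feat'" || { echo "MISSING: FEATURE($feat)"; n=$((n + 1)); }
    done
    if mc_has "$f" "^FEATURE\(.?promiscuous_relay"; then
        echo "DANGER: promiscuous_relay makes this host an open relay"; n=$((n + 1))
    fi
    return $n
}

# Constructed samples: the hardened fragment from above, and a weak one whose
# only DH define is commented out.
HARDENED_MC=$(cat <<'EOF'
dnl # start security mods
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl
define(`confMAX_DAEMON_CHILDREN',20)dnl
define(`confMAX_HEADERS_LENGTH', `32000')dnl
define(`confBAD_RCPT_THROTTLE',`4')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
define(`confDH_PARAMETERS', `/etc/pki/tls/certs/dhparams.pem')dnl
FEATURE(`dnsbl', `zen.spamhaus.org', `"554 Rejected "$&{client_addr}')dnl
FEATURE(`delay_checks',`friend')dnl
EOF
)
WEAK_MC=$(cat <<'EOF'
define(`confPRIVACY_FLAGS', `authwarnings')dnl
dnl define(`confDH_PARAMETERS', `/etc/pki/tls/certs/dhparams.pem')dnl
FEATURE(`promiscuous_relay')dnl
EOF
)
```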

Debugging sendmail

The -b switch selects the mode sendmail operates in ("become").
The -d0 switch instructs sendmail to produce debugging information.
The level .11 prints more information than the default level .1.
The -bp switch instructs sendmail to print the contents of the queue.

$ sendmail -d0.11 -bp

You can verify aliases with the -bv switch:

$ sendmail -bv root

To run sendmail verbosely, use the -v switch:

$ cat /dev/null | sendmail -v root
