Sendmail tips...

sendmail access.db by example

The sendmail access database file can be created to accept or reject mail from selected domains.

Since "/etc/mail/access" is a database, after creating the text file, use makemap to create the database map.

# makemap hash /etc/mail/access.db < /etc/mail/access

Below is what my access file currently looks like and can be used as a starting point. All internal addresses have been changed except for spammers!!

# by default we allow relaying from localhost...
localhost.localdomain           RELAY
localhost                       RELAY                       RELAY

# Allow Connect from local server IPs
Connect:   OK

# Accept Mail
# accept mail from PayPal      OK

# Reject Mail     REJECT REJECT                 REJECT                     REJECT REJECT                   REJECT

# Discard Mail  DISCARD
# forum admin mails:         DISCARD

# Reject full mailbox ERROR:4.2.2:450 mailbox full REJECT

# Blacklist recipients ERROR:550 That host does not accept mail

# Spam friend domains: exempt domains from dnsbl list checking      FRIEND

# Spam friend users: exempt email users from dnsbl list checking
# example:
# Spam:user@domain.tld         FRIEND
# clients  FRIEND

# Auto REJECT via hourly cron added below


When starting sendmail, I would get the below messgage:

Oct 18 23:59:01 srv02 sendmail[20857]: alias database /etc/aliases rebuilt by root
Oct 18 23:59:01 srv02 sendmail[20857]: /etc/aliases: 79 aliases, longest 22 bytes, 860 bytes total
Oct 18 23:59:01 srv02 sendmail[20862]: starting daemon (8.13.1): SMTP+queueing@01:00:00
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS: CRLFile missing
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, init=1
Oct 18 23:59:01 srv02 sendmail[20862]: started as: /usr/sbin/sendmail -bd -q1h
Oct 18 23:59:01 srv02 sm-msp-queue[20872]: starting daemon (8.13.1): queueing@01:00:00

Although, sendmail would still run without the CRL File and just complain about it missing. A quick way to include it in the sendmail configuration is to download revoke.crl from, add the below option in and rebuild the sendmail conf file as below.

Download revoke.crl:

# cd /usr/share/ssl/certs
# wget

Add the below line to "/etc/mail/" just below the "confSERVER_KEY":

define(`confCRL', `/usr/share/ssl/certs/revoke.crl')

Rebuild sendmail conf by running make:

# cd /etc/mail
# make

Check with the revoke.crl listed as below:

O CRLFile=/usr/share/ssl/certs/revoke.crl

Now restarting sendmail should not complain about the missing Certificate Revocation List (CRL) File.

Sendmail config regeneration

Regenerate sendmail config:

# m4 /etc/mail/ > /etc/mail/

Regenerate access file:

# makemap hash /etc/mail/access.db < /etc/mail/access

Generate new aliases:

# newaliases

Reducing Spam with milter-greylist

milter-greylist is a sendmail milter which implements the greylist filtering method, as proposed by Evan Harris.

Greylisting works by assuming that, unlike legitimate MTA, spam engines will not retry sending their junk mail on a temporary error. The filter will always reject mail temporarily on a first attempt, then accept it after some time has elapsed.

So this method of greylisting works very well if used with a combination of DNS-Based Blacklisting as the spammer would have gotten blacklisted in several real-time distributed black lists before the second attempt and effectively reducing spam emails.

Below is an outline of quickly building and installing the greylist milter and configuring sendmail to use the milter. This was done on a RHEL3 box.

Check mail server for open relay

If you are new to setting up a mail server be cautious that you do not open your server accidently and relay mail...

One very simple way of testing it is to run:

$ telnet

This will attempt to connect back to your machine and run a series of mail relaying tests against it. The success or failure will be printed at the end.

You may need to turn off firewall temporarily during the test or allow for outgoing connection through the firewall.

Syndicate content