Sendmail tips

  1. Backup files:
  2. These changes go in the /etc/mail/ file:

    Security enhancements:

    • Require a HELO or EHLO greeting from the sending SMTP server.
    • Put limits on Sendmail forks and other settings to stop a DOS attack from overwhelming server.
    • Munge the Sendmail server identification.
    • Recipient throttle to identify when an envelope arrives with more than 4 invalid users, presuming that this is a dictionary attack.
    • Limit the number of recipients in a single message.

    dnl #
    dnl #start security mods
    define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl
    define(`confSMTP_LOGIN_MSG',$j Sendmail; $b)dnl
    define(`confMIN_FREE_BLOCKS', `4000')dnl
    define(`confMAX_HEADERS_LENGTH', `32000')dnl
    define(`confMAX_MIME_HEADER_LENGTH', `1024')dnl
    define(`confMAX_RCPTS_PER_MESSAGE', `10')
    dnl #end security mods
    dnl #

    Enable DNS BlockLists:

    dnl #
    dnl # Begin Spam Block Enhancement mod
    dnl # Start BlockList
    FEATURE(`dnsbl', `', `"554 Spam blocked - see"$&{client_addr}')dnl
    FEATURE(`dnsbl', `', `"554 Rejected - see"$&{client_addr}')dnl
    dnl # sorbs dynamic user list ( not dial up )
    FEATURE(`dnsbl', `', `"554 Rejected "$&{client_addr}" - see"')dnl
    dnl # End BlockList
    dnl # Start dont bounce errors back to me
    define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')dnl
    dnl # End dont bounce
    dnl # Start delay checks, so we see the intended recipient
    dnl # Added friend so we can exempt specified local user via access file
    dnl # End delay checks
    dnl # End Spam Block Enhancement mod
    dnl #

    All of the above should go before the line:



    The above Double Bounce Address throws the double bounces into the bit bucket.

    The delay_checks feature causes it to log the sender from address and other info, when it rejects spam.

  3. Create an alias in "/etc/aliases" called dev-null and point it to "/dev/null":

    dev-null: /dev/null

  4. In file "/etc/mail/access", enter: OK

    where is the server IP. This keeps you from blocking yourself, if you happen to get listed in one of the blocklists used!

  5. To apply the configurations, run:

    # newaliases
    # makemap hash /etc/mail/access.db < /etc/mail/access
    # m4 /etc/mail/ > /etc/mail/
    # /sbin/service sendmail restart