Sendmail

As root you can redeliver all mail in the mail server queue via:

If you put multiple addresses in a .forward file, a copy will be sent to each.

If you want to keep a copy of each message in the original account without causing a .forward infinite loop, put a backslash in front of the account name.

The below is specific to CentOS-5.4 and may work similarly with other distros.

• Additional packages required if not installed already:
  

  sendmail-cf
  m4
  make
  cyrus-sasl-plain

• Edit ”/etc/mail/sendmail.mc”:
  
  define(`SMART_HOST', `{smtprelay.domain.tld}')dnl
FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl

• Create file ”/etc/mail/authinfo” with below contents and chmod 640:
  
  AuthInfo:smtprelay.domain.tld "U:{username}" "P:{password}" "M:PLAIN"

• Update the sendmail conf and db hashes:
  
  cd /etc/mail
make

• Restart sendmail for the new configs to pick up.
  
• Now mails sent to localhost is relayed via your SMTP provider.

1. Edit /etc/mail/sendmail.mc and add the below lines replacing domain.tld with the actual domain name:
   dnl # BEGIN: Rewriting Sender addresses for Entire Domain
dnl #
dnl # Process login names through the genericstable
FEATURE(`genericstable', `hash -o /etc/mail/genericstable.db')dnl
dnl # Interpret the value in G as a domain name
FEATURE(generics_entire_domain)dnl
dnl # masquerade not just the headers, but the envelope as well
FEATURE(masquerade_envelope)dnl
dnl # Load domain.tld into G
GENERICS_DOMAIN(domain.tld)dnl
dnl #
dnl # END: Rewriting Sender addresses for Entire Domain

2. Create /etc/mail/genericstable, which is very similar to an /etc/aliases, two columns separated by whitespace:
   web1_user1    user1@domain.tld
web1_user2    user2@domain.tld
web1_user3    user3@domain.tld

3. Create the db:
   # makemap -hash /etc/mail/genericstable < /etc/mail/genericstable

4. Restart sendmail.

Feature "genericstable" tells sendmail to use the generics table.

Feature "generics_entire_domain" allows to add hosts to genericstable without having to rebuild sendmail.cf.

Feature "masquerade_envelope" applies the rewriting process to the mail envelope as well as to the mail header.

"GENERICS_DOMAIN" defines the domains to which you wish to apply the generics table.

When submitting mail by using sendmail as a mail submission program, sendmail copies all messages to "/var/spool/clientmqueue" first. Sendmail is a setgid smmsp program and thus gives any user the permission to do so (/var/spool/clientmqueue belongs to user and group smmsp). Later, another sendmail process, the sendmail mail transfer agent (MTA) copies the messages from /var/spool/clientmqueue to /var/spool/mqueue and sends them to their destination.

/var/spool/clientmqueue is thus the holding area used by the MSP (Mail Submission Protocol) sendmail instance before it injects the messages into the main MTA (Mail Transport Agent) sendmail instance.

Sendmail will save the message in /var/spool/clientmqueue for safe keeping before trying to connect to the MTA to get the message delivered. Normally there would be a 'queue runner' MSP sendmail instance which every half hour would retry sending any message that couldn't be sent immediately. Each message will generate a 'df' (message routing info) and 'qf' (message headers and body) file. You can list out all of the messages and their status by:

When files accumulate in /var/spool/clientmqueue, this is probably due to sendmail localhost MTA not running, and thus the mails don't get send.

1. Backup files:
   
      /etc/mail/sendmail.mc
   /etc/mail/sendmail.cf
   /etc/mail/access
   /etc/mail/access.db
   /etc/aliases

2. These changes go in the /etc/mail/sendmail.mc file:

   Security enhancements:

   • Require a HELO or EHLO greeting from the sending SMTP server.
     
   • Put limits on Sendmail forks and other settings to stop a DOS attack from overwhelming server.
     
   • Munge the Sendmail server identification.
     
   • Recipient throttle to identify when an envelope arrives with more than 4 invalid users, presuming that this is a dictionary attack.
     
   • Limit the number of recipients in a single message.
   dnl #
dnl #start security mods
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl
define(`confMAX_DAEMON_CHILDREN',20)dnl
define(`confSMTP_LOGIN_MSG',$j Sendmail; $b)dnl
define(`confMIN_FREE_BLOCKS', `4000')dnl
define(`confMAX_HEADERS_LENGTH', `32000')dnl
define(`confMAX_MIME_HEADER_LENGTH', `1024')dnl
define(`confBAD_RCPT_THROTTLE',`4')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `10')
dnl #end security mods
dnl #

   Enable DNS BlockLists:

   dnl #
dnl # Begin Spam Block Enhancement mod
dnl # Start BlockList
FEATURE(`dnsbl', `bl.spamcop.net', `"554 Spam blocked - see http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`dnsbl', `zen.spamhaus.org', `"554 Rejected - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
dnl # sorbs dynamic user list ( not dial up )
FEATURE(`dnsbl', `dul.dnsbl.sorbs.net', `"554 Rejected "$&{client_addr}" - see http://dnsbl.sorbs.net"')dnl
dnl # End BlockList
dnl # Start dont bounce errors back to me
define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')dnl
dnl # End dont bounce
dnl # Start delay checks, so we see the intended recipient
dnl # Added friend so we can exempt specified local user via access file
FEATURE(`delay_checks',`friend')dnl
dnl # End delay checks
dnl # End Spam Block Enhancement mod
dnl #

   All of the above should go before the line:

   FEATURE(`blacklist_recipients')dnl

   Notes:

   The above Double Bounce Address throws the double bounces into the bit bucket.

   The delay_checks feature causes it to log the sender from address and other info, when it rejects spam.

3. Create an alias in "/etc/aliases" called dev-null and point it to "/dev/null":
   dev-null: /dev/null

4. In file "/etc/mail/access", enter:
   Connect:xxx.xxx.xxx.xxx OK

   where xxx.xxx.xxx.xxx is the server IP. This keeps you from blocking yourself, if you happen to get listed in one of the blocklists used!

5. To apply the configurations, run:
   # newaliases
# makemap hash /etc/mail/access.db < /etc/mail/access
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /sbin/service sendmail restart

The -b switch instructs sendmail to "Become"/operate in a mode.
The -d0 switch, instructs sendmail to produce debugging information.
The level .11 prints more information than the default level of .1 .
The -bp switch instructs sendmail to print the contents of the queue.

You can verify aliases with the -bv switch:

To run sendmail verbosely, use the -v switch:

The sendmail access database file can be created to accept or reject mail from selected domains.

Since "/etc/mail/access" is a database, after creating the text file, use makemap to create the database map.

Below is what my access file currently looks like and can be used as a starting point. All internal addresses have been changed except for spammers!!

# by default we allow relaying from localhost...
localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY

# Allow Connect from local server IPs
Connect:207.44.206.144   OK

# Accept Mail
# accept mail from PayPal
paypal.com      OK

# Reject Mail
posterclub@e.allposters.com     REJECT
posterclub@email.allposters.com REJECT
plastmarket.com                 REJECT
jr@jrtr.org                     REJECT
7b2.606@fe01.atl2.webusenet.com REJECT
mysoldpad.com                   REJECT

# Discard Mail
1and1-private-registration.com  DISCARD
# forum admin mails:
fictionaluser@gmail.com         DISCARD

# Reject full mailbox
fictionaluser@linuxweblog.com ERROR:4.2.2:450 mailbox full
fictionaluser@linuxweblog.net REJECT

# Blacklist recipients
linuxweblog.net ERROR:550 That host does not accept mail

# Spam friend domains: exempt domains from dnsbl list checking
Spam:linuxweblog.org      FRIEND

# Spam friend users: exempt email users from dnsbl list checking
# example:
# Spam:user@domain.tld         FRIEND
# clients
Spam:fictionalclient@hotmail.com  FRIEND

# Auto REJECT via hourly cron added below

When starting sendmail, I would get the below messgage:

Although, sendmail would still run without the CRL File and just complain about it missing. A quick way to include it in the sendmail configuration is to download revoke.crl from cacert.org, add the below option in sendmail.mc and rebuild the sendmail conf file as below.

Download revoke.crl:

Add the below line to "/etc/mail/sendmail.mc" just below the "confSERVER_KEY":

Rebuild sendmail conf by running make:

Check sendmail.cf with the revoke.crl listed as below:

Now restarting sendmail should not complain about the missing Certificate Revocation List (CRL) File.

Regenerate sendmail config:

Regenerate access file:

Generate new aliases: