jump to navigation

HOWTO: Sendmail SMTP Auth May 1, 2006

Posted by devhen in HOWTO, Linux, sendmail.
trackback

These notes are designed to help a Linux geek setup SMTP auth on a Linux + sendmail server. Without proper SMTP auth settings your server is liable to be used by spammers and spam bots to send out copious amounts of unwanted mail. This can get your server’s IP blacklisted and can really eat up your resources. Needless to say, we need to avoid this. Start by editing your sendmail.mc file (found in /etc/mail). I use the following commands, try replacing the corresponding lines in your mc file with these ones: (Note that lines beginning with ‘dnl’ are essentially considered comments and are ignored)

define(`confAUTH_OPTIONS’, `A’)
dnl
dnl Accept PLAIN and LOGIN authentications.dnl
TRUST_AUTH_MECH(`LOGIN PLAIN’)dnl
define(`confAUTH_MECHANISMS’, `LOGIN PLAIN’)dnl

Now you need to rebuild your sendmail.cf file from the .mc file you’ve just edited:

make sendmail.cf -C /etc/mail

Next we need to make sure saslauthd is running and configured correctly. Edit your saslauthd configuration file (/etc/sysconfig/saslauthd) and replace shadow with pam for the MECH variable like so:

# Mechanism to use when checking passwords. Run “saslauthd -v” to get a list
# of which mechanism your installation was compiled to use.
MECH=pam

Restart sendmail and saslauthd

/etc/rc.d/init.d/sendmail restart
/etc/rc.d/init.d/saslauthd restart

and don’t forget to configure your email clients to use authentication when sending outgoing mail.

For more information and some tips on installing a certificate for secure SMTP connections, try this article:

http://www.madboa.com/geek/sendmail-auth/

Read on for a full copy of my sendmail.mc file.

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4′)dnl
VERSIONID(`setup for Red Hat Linux’)dnl
OSTYPE(`linux’)dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL’, `9′)dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
undefine(`SMART_HOST’)
dnl #
define(`confDEF_USER_ID’,“8:12”)dnl
dnl define(`confAUTO_REBUILD’)dnl
define(`confTO_CONNECT’, `1m’)dnl
define(`confTRY_NULL_MX_LIST’,true)dnl
define(`confDONT_PROBE_INTERFACES’,true)dnl
define(`PROCMAIL_MAILER_PATH’,`/usr/bin/procmail’)dnl
define(`ALIAS_FILE’, `/etc/aliases’)dnl
define(`STATUS_FILE’, `/var/log/mail/statistics’)dnl
define(`UUCP_MAILER_MAX’, `2000000′)dnl
define(`confUSERDB_SPEC’, `/etc/mail/userdb.db’)dnl
define(`confPRIVACY_FLAGS’, `authwarnings,novrfy,noexpn,restrictqrun’)dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
define(`confAUTH_OPTIONS’,`A’)
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
dnl # TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)dnl
dnl # define(`confAUTH_MECHANISMS’, `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)dnl
dnl #
TRUST_AUTH_MECH(`LOGIN PLAIN’)dnl
define(`confAUTH_MECHANISMS’, `LOGIN PLAIN’)dnl
dnl #
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # make -C /usr/share/ssl/certs usage
dnl # or use the included makecert.sh script
dnl #
dnl define(`confCACERT_PATH’,`/usr/share/ssl/certs’)
dnl define(`confCACERT’,`/usr/share/ssl/certs/ca-bundle.crt’)
dnl define(`confSERVER_CERT’,`/usr/share/ssl/certs/sendmail.pem’)
dnl define(`confSERVER_KEY’,`/usr/share/ssl/certs/sendmail.pem’)
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP’s
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL’,`groupreadablekeyfile’)dnl
dnl #
dnl define(`confTO_QUEUEWARN’, `4h’)dnl
dnl define(`confTO_QUEUERETURN’, `5d’)dnl
dnl define(`confQUEUE_LA’, `12′)dnl
dnl define(`confREFUSE_LA’, `18′)dnl
define(`confTO_IDENT’, `0′)dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa’,`dnl’)dnl
FEATURE(`smrsh’,`/usr/sbin/smrsh’)dnl
FEATURE(`mailertable’,`hash -o /etc/mail/mailertable.db’)dnl
FEATURE(`virtusertable’,`hash -o /etc/mail/virtusertable.db’)dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`’,`procmail -t -Y -a $h -d $u’)dnl
FEATURE(`access_db’,`hash -T<TMPF> -o /etc/mail/access.db’)dnl
FEATURE(`blacklist_recipients’)dnl
EXPOSED_USER(`root’)dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA’)dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can’t reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea’)dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can’t
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn’t support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled– STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s’)dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6′)dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6′)
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24×7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains’)dnl
dnl #
dnl FEATURE(`relay_based_on_MX’)dnl
dnl #
dnl # Also accept email sent to “localhost.localdomain” as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain’)dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`sprinkler.com’)dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

About these ads

Comments»

1. VeRTiTo - December 27, 2006

nice.

2. Joan Garnet - May 10, 2007

Thank you, it’s been very useful ;)

3. Stacy Fabian - September 19, 2007

that’s why it will never wor. Stacy Fabian.

4. Eka Kolour - October 21, 2007

your way to beautiful gir. Eka Kolour.

5. Swaroop - Hosting.India.to - November 5, 2008

It helped , thanks

6. Liviu - March 31, 2009

thanks, very helpful and concise, exactly what i needed.

7. Kay - September 30, 2009

both howto’s helped me – thanks.

One remark:
RELAY entries in /etc/mail/access bypassing the auth.

Kay

8. Tsquare - March 5, 2010

Great Blog!……There’s always something here to make me laugh…Keep doing what ya do :)

9. Carlos - September 13, 2010

it’s very very nices, thanks, :-)

10. Techlook - September 16, 2010

Thanks. its nice

11. DJ - March 22, 2011

OMG. You my friend are a f%^&*( genius. I never bothered to do this because i thought it was a nightmare then i was required to by a client then i came across your post. Worked it in less than 10. A big thank you

12. HOWTO: Sendmail SMTP Auth | Auto responder - December 20, 2011

[…] devhen.wordpress.com © 2011 Auto responder SEO services Powered by CTR Theme […]

13. pagina - June 26, 2013

Excellent items from you, man. I’ve take note your stuff prior to and you are simply too great. I really like what you’ve acquired right here, certainly like
what you are saying and the way during which you assert it.
You are making it enjoyable and you continue to care for to keep it smart.

I cant wait to read much more from you. That is actually a tremendous website.

14. www.sylverblog.com - July 18, 2013

Fastidious response in return of this issue with
firm arguments and explaining the whole thing concerning that.

15. www.milan-taxis.com - July 26, 2013

Having read this I thought it was really informative.
I appreciate you spending some time and energy to put this content together.

I once again find myself spending a significant amount of time
both reading and commenting. But so what, it was still worthwhile!

16. cheap computer Processors - April 29, 2014

Can I simply just say what a relief to find a
person that actually understands what they are talking about on the internet.
You definitely realize how to bring an issue to light and
make it important. More people should read this and understand this side of
your story. I was surprised that you are not more popular since you certainly possess the gift.

17. vince delmonte fitness program free - September 5, 2014

Thanks for sharing your thoughts. I really appreciate your efforts
and I am waiting for your further post thanks once again.

18. jack lmui - September 6, 2014

Aw, this was a really good post. Spending some time and actual effort to make a superb article… but what can I say… I put things off a
whole lot and never seem to get nearly anything done.

19. linux reseller hosting Baripada Town - October 31, 2014

Any time you’re to create your individual website, you simply must be in speak to which includes
a internet hosting service that’sthrough which reseller web hosting service comes into perform.
It works, and thanks to that, many firms can host their individual websites.
This basically refers towards thee kind of situation where somebody or company buys space oon the server who’s then sells with other who need the host service.
Re-Tweet – Promoting other people’s work might bring about additional traffic and
attention in your tweets. If you want to initiate a
small business of reselling the reseller package, you are able to start reseller hosting at the minimum
possible investment. 9% Uptime Guarantee Widely popular
Parallels Plesk panel 30-Day Money-Back Guarantee RWI-1 Rs.
Hence, this article is exactly for people that have looking forward to
certainly be a reseller to be sure their future in website hosting industries.
Thee rate of the domains might be as low as one dollar.
Therefore, you could have to put extra effort to create sure that you just promote your company.
This flow of communication must be consistent to take care of productivity and accountability.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: