Configuring Linux Mail Servers

• Objectives
• This chapter will show you how to install and use mail servers
• Contents
• An overview of how sendmail works
• Sendmail configuration files
• Relaying
• Sendmail masquerading
• Using sendmail to change the sender's email address
• Practical: setting up a mail server
Introduction

• MTA, mail transport agents: transfer mail to other MTAs with the SMTP protocol, choosing the next hop from the DNS MX record of the recipient domain. Popular agents: Sendmail, Exim, Postfix.
• MUA, mail user agents: the programs users read and write mail with (mail, mutt, Outlook Express and the like). They reach the mailbox through a POP3 or IMAP server, or read it directly when the user is logged in on the mail server.
• POP3/IMAP servers give MUAs access to the mailboxes: Qpopper (POP3), Courier IMAPD (POP3 and IMAP), Cyrus IMAPD (POP3 and IMAP). Fetchmail is a retrieval agent that pulls mail from a POP3/IMAP server into a local mailbox; it is not a server.
• Mailbox processing: various mechanisms process a user's mail when it arrives in the mailbox: Procmail (filtering and sorting), SpamAssassin (spam scoring), Vacation (auto-reply), Amavisd (virus and spam scanning hooked into the MTA).
• SMTP trusts the user: the protocol itself has no sender authentication. Anyone who can reach the SMTP port can claim any MAIL FROM address, and anyone who can log in to the machine can submit mail locally, so access control has to come from the MTA's relay rules, not from SMTP.
• SMTP needs DNS: an MX record for your domain is needed as soon as you exchange anything but local mail.
• smrsh, the sendmail restricted shell, is the program mailer sendmail uses for commands run from aliases and .forward files. It only executes programs linked into its own directory (/etc/smrsh on Red Hat; the path is distribution-specific), which limits what a mail-triggered command can run. It is a restricted shell, not a chroot jail.
How sendmail works, incoming mail

• As stated before, sendmail can handle both incoming and outgoing mail for your domain. Take a closer look.
• Incoming mail: sendmail accepts the message and deposits it in the mailbox file of the user's Linux account (/var/spool/mail/<user>).
• Mail is not sent directly to the user's PC.
• Users retrieve their mail from the mail server with client software that speaks IMAP or POP3.
• Linux users logged in on the mail server can read their mail directly with a text-based client such as mail, or with a GUI client.
• Sendmail belongs to the class of programs called MTAs.
• The MTA finds the mail server for the recipient's domain through the domain's DNS MX record.
• The message header carries the visible destination and source addresses (To:, From:); the SMTP envelope (RCPT TO, MAIL FROM) carries the addresses actually used for delivery, and the two need not agree.
• Each MTA the message passes through prepends a Received: header, so the header also records the path the mail took through the network.
• There is no trailer and no error-correction code at this layer; SMTP relies on TCP for transport integrity.
How sendmail works, outgoing mail

• PC and Linux workstation users configure their e-mail software to use the mail server as their outbound SMTP server (the smart host of their MUA).
• Local mail: if sendmail considers the mail local, it places it directly in the destination user's mailbox (/var/spool/mail by default; the mailbox can also sit on an NFS store or in a database). Mail is local when:
• the destination domain is the local domain (my-site.com),
• the destination is a virtual-hosted domain on the same server, or
• the destination is a local user or a virtual user on the same host.
• Mail to another domain: if the destination is outside the local domain, sendmail writes the message to /var/spool/mqueue and attempts delivery at once; failed attempts are retried from the queue at every queue run (typically every 15 minutes, sendmail -q15m).
• Sendmail uses DNS to get the MX record for the other domain.
• It then attempts to deliver the mail with SMTP to the MX host.
• Relaying must be allowed only for the hosts and domains sendmail serves. A server that relays for anybody is an open relay and will be found and abused by spammers within hours.
• Localhost and the local domain must be allowed to relay, otherwise local users cannot send outbound mail through the server.
How sendmail works, mail processing

• Sendmail's main configuration file is /etc/sendmail.cf (/etc/mail/sendmail.cf on Red Hat).
• It is written as a series of highly complicated rewriting rules in a pattern language that resembles regular expressions.
• The mail header contains mail routing information; sendmail inspects the header and the envelope and acts accordingly.
• Sendmail is highly configurable, but sendmail.cf is not meant to be edited by hand.
• Simplified configuration: /etc/sendmail.mc or /etc/mail/linux.mc.
• The .mc file contains instructions that a system administrator can understand.
• It is expanded by a set of m4 macros into the sendmail.cf file.
• You must always re-run the macros and restart sendmail for changes to take effect.
• The macro files live in /usr/share/sendmail (SuSE) or /usr/share/sendmail-cf (Red Hat).
• The other sendmail files (access, aliases, virtusertable, local-host-names, ...) live in /etc/mail.
• SuSE also uses /etc/sysconfig/mail and /etc/sysconfig/sendmail; Red Hat uses /etc/sysconfig/sendmail.
• Mail is parsed according to sendmail.cf:
• header parsing,
• header processing and shaping,
• header rewriting rules,
• calls to external processors such as anti-spam and anti-virus software (through the milter interface or procmail).
• Sendmail logs through syslog to /var/log/mail* and /var/log/messages.
How sendmail works, sendmail macros

• Macro files: the macros are found under /usr/share/sendmail/ (/usr/share/sendmail-cf/ on Red Hat).
• There are several macro files; they carry the suffix .mc or .m4.
• A macro file consists of directives that call sub-macros. The common ones are OSTYPE, DOMAIN, FEATURE, define and MASQUERADE_AS; dnl (delete to newline) discards the rest of the line and doubles as the comment marker.
• A directive is usually followed by one or more arguments, each written between a backquote and a single quote: `argument'.
• Macro example with a feature and a map definition:
• FEATURE(`virt
usertable', ...) calls the macro /usr/share/sendmail/feature/virtusertable.m4,
• and the argument `hash -o /etc/mail/virtusertable.db' is passed to it as the map definition.
• hash is the Berkeley DB hash map type; the .db file is generated from the text file /etc/mail/virtusertable with makemap (make in /etc/mail).
• -o marks the map as optional: sendmail starts even if the .db file does not exist yet. It does not mean "output".
• Example with only a feature name: masquerade_envelope needs no argument.
• Use the m4 command to generate /etc/sendmail.cf from the .mc file:

    FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
    FEATURE(`masquerade_envelope')dnl
    # m4 /etc/mail/linux.mc > /etc/sendmail.cf
Getting sendmail from RPM

• You can get sendmail as
• open source: http://www.sendmail.org
• commercial: http://www.sendmail.com
• Installing sendmail from RPM (SuSE):
• make sure the sendmail and m4 RPMs are installed;
• remove other mailers such as exim and postfix before installing; they conflict on port 25 and on /usr/sbin/sendmail.
• Starting and stopping sendmail:
• use chkconfig (Red Hat) or insserv (SuSE) to make sendmail start at boot;
• start, stop and restart sendmail after booting with the rc script.
• After changing sendmail.cf (or regenerating it from the .mc file) you must restart sendmail. After changing the map files in /etc/mail (access, virtusertable, ...) it is enough to rebuild the .db files with make, and after changing /etc/aliases to run newaliases; new connections pick up the rebuilt maps without a restart.

    # rpm -ivh sendmail-8.13.3-5.i386.rpm          (the client/server)
    # rpm -ivh sendmail-devel-8.13.3-5.i386.rpm    (optional)
    # rpm -ivh sendmail-debug-8.13.3-5.i386.rpm    (optional)
    # rpm -ivh m4-1.4.2-4.i586.rpm                 (macro compiler)
    # rpm -ivh db-devel-4.3.27-3.1.i586.rpm        (needed if you compile)
    # insserv sendmail
    # rcsendmail start
    # rcsendmail stop
    # rcsendmail restart
Sendmail from sources

• Get the sendmail tarball, here 8.13.5.
• Verify the PGP signature (the .sig file published next to the tarball) against the sendmail signing key before you build; you are about to run this code as root.
• Unpack the tarball and add the group smmsp that sendmail needs.
• Read the INSTALL and README files in the tarball.
• If you need extras such as STARTTLS or SASL authentication, you must enable the compile options in devtools/Site/site.config.m4 before building.
• Sendmail is very advanced and flexible, but the default build should do in most cases.
• Copy your current sendmail.mc or linux.mc to sendmail.mc in the cf/cf directory and build a new sendmail.cf from it with the new and updated macros.
• If you have no sendmail.mc, start from generic-linux.mc instead.

    # cd /usr/local/src
    # wget ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.5.tar.gz
    # tar xvfz sendmail.8.13.5.tar.gz
    # cd sendmail.8.13.5
    # groupadd smmsp
    # cd sendmail ; sh ./Build
    # cd ../cf/cf ; cp /etc/mail/linux.mc sendmail.mc
    # sh ./Build sendmail.cf
Sendmail from sources, continued

• Back up the old sendmail configuration and binaries.
• Install the new configuration.
• Create the user smmsp for sendmail (the group was added before the build) and make a symlink for the manuals.
• Install the new sendmail binaries and set the owner of clientmqueue.
• The sendmail utility directories each contain a Build command.
• They contain extra functionality such as support for anti-spam, anti-virus, databases and so on.
• Make and install example for mailstats.
• You will also have one output directory per build: the obj.Linux* directories contain the compiled binaries and extras, ready for mass deployment.

    # tar cvfz /root/sm-config.tar.gz /etc/mail /etc/sendmail*
    # tar cvfz /root/sm-bin.tar.gz /usr/sbin/sendmail /usr/lib/sendmail
    # sh ./Build install-cf
    # useradd -m -g smmsp -G mail smmsp ; ln -s /usr/share/man /usr/man
    # cd ../../sendmail
    # sh ./Build install ; cd ..
    # chown smmsp:smmsp /var/spool/clientmqueue
    # find . -maxdepth 2 -type f -name Build
    # cd mailstats ; sh ./Build ; sh ./Build install
    # ls obj.Linux*
Standard sendmail.mc comments and DNS

• If sendmail uses /etc/mail/linux.mc, we make some links so that the tools find the files where they expect them. This is needed on SuSE and some other RPM distributions.
• How to put comments in sendmail.mc: the file does not use "#" for comments but the m4 word "dnl" (delete to newline), which discards everything up to and including the end of the line.
• A line starting with "#" is not removed by m4: it is copied, "#" included, into sendmail.cf instead of being dropped, so it is not the same as a dnl comment and misleads the next reader. Use dnl.
• Configuring DNS for sendmail: make your mail server the mail server for your domain with an MX record, and verify the record with host.

    # ln -s /etc/sendmail.cf /etc/mail/sendmail.cf
    # ln -s /etc/mail/linux.mc /etc/mail/sendmail.mc

    dnl Disabled statement, thanks to the "dnl" comment marker
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

    dnl Incorrectly disabled statement: "#" is not a comment in .mc files
    # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

    dnl Active statement: the sendmail daemon listens on the loopback address only
    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

    my-site.com.   IN  MX  10  mail.my-site.com.

    # host my-site.com
    my-site.com mail is handled by 10 mail.my-site.com.
Sendmail and name resolution

• All hosts that are not the name server should have an /etc/resolv.conf like the client one below; the server that runs its own name server points at itself.
• An incorrectly configured resolv.conf or /etc/hosts leads to warnings like the one below whenever sendmail runs (including newaliases and the restart after m4).
• The /etc/hosts loopback entry must give the host its fully qualified name first, then the aliases.

    Server /etc/resolv.conf:
    domain my-site.com
    nameserver 127.0.0.1

    Client /etc/resolv.conf:
    domain my-site.com
    nameserver 192.168.0.1

    Warning from an unqualified host name:
    WARNING: local host name (smallfry) is not qualified; fix $j in config file

    /etc/hosts on a sample mail server:
    127.0.0.1  mail.my-site.com  localhost.localdomain  localhost  mail

    /etc/hosts on a sample client:
    127.0.0.1  client.my-site.com  localhost.localdomain  localhost  client
How to configure a Linux sendmail client

• All Linux mail clients in your home or company need to know which server is the mail server. In /etc/mail/sendmail.mc set the smart host and keep the daemon bound to the loopback address.
• If you run SuSE sendmail from RPM, take full control again: in /etc/sysconfig/mail set MAIL_CREATE_CONFIG="no" so that SuSEconfig stops generating sendmail.cf. SMTPD_LISTEN_REMOTE only matters while SuSEconfig still generates it; for a client "no" is the right value.
• The smart host (the mail server) must accept mail from your host or domain: on the mail server, /etc/mail/access needs a RELAY entry for it.
• Converting from a mail client to a mail server: first determine which interfaces sendmail is listening on.
• Verify that sendmail is running with pgrep, then look at the listening sockets with netstat.
• Here sendmail listens on the loopback interface only. This is normal for a client, which does not receive email directly.

    define(`SMART_HOST',`mail.my-site.com')
    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

    MAIL_CREATE_CONFIG="no"
    SMTPD_LISTEN_REMOTE="no"

    my-site.com     RELAY

    # pgrep sendmail
    22131
    # netstat -an | grep :25 | grep tcp
    tcp   0   0 127.0.0.1:25   0.0.0.0:*   LISTEN
Convert the sendmail client to a server

• Edit sendmail.mc to make sendmail listen on all interfaces. The lines marked -> are the ones changed:
• the DAEMON_OPTIONS line that binds the daemon to one address is disabled with dnl, so the daemon binds to every interface;
• accept_unresolvable_domains is disabled, so mail whose sender domain does not resolve in DNS is rejected instead of accepted;
• relay_based_on_MX stays disabled: it would relay for any domain whose MX record points at your server, and anybody can point an MX record at you.

    dnl This changes sendmail to only listen on the loopback device 127.0.0.1
    dnl and not on any other network devices. Comment this out if you want
    dnl to accept email over the network.
    -> dnl DAEMON_OPTIONS(`Port=smtp,Addr=mail.my-site.com, Name=MTA')dnl
    dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
    dnl a kernel patch
    dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
    dnl We strongly recommend to comment this one out if you want to protect
    dnl yourself from spam. However, the laptop and users on computers that do
    dnl not have 24x7 DNS do need this.
    -> dnl FEATURE(`accept_unresolvable_domains')dnl
    dnl FEATURE(`relay_based_on_MX')dnl
Convert the sendmail client to a server, continued

• If you run SuSE sendmail from RPM, take full control again: in /etc/sysconfig/mail change the two settings below, otherwise SuSEconfig will overwrite your /etc/sendmail.cf.
• Comment out the SMART_HOST entry in sendmail.mc with dnl; a server delivers directly to the MX hosts.
• Regenerate the sendmail.cf file and restart sendmail. This step can be done with the script created at the beginning of the chapter (smmake, not shown here), which runs m4 over sendmail.mc, writes sendmail.cf and restarts sendmail.
• Now make sure sendmail is listening on all interfaces (0.0.0.0:25):

    MAIL_CREATE_CONFIG="no"
    SMTPD_LISTEN_REMOTE="yes"

    dnl define(`SMART_HOST',`mail.my-site.com')

    # ./smmake
    # netstat -an | grep :25 | grep tcp
    tcp   0   0 0.0.0.0:25   0.0.0.0:*   LISTEN
A general guide to using the sendmail.mc file

• Primary rule: keep sendmail.mc nice and clean, with comments, and group your own changes in a clearly marked section.
• dnl is case-sensitive: "Dnl" is not a comment. m4 copies the word into sendmail.cf and still expands the FEATURE that follows it.
• Masquerading rewrites the sender addresses of mail from your hosts so that it appears to come from your domain.
• FEATURE adds functionality to sendmail.
• After adding features, generate a new sendmail.cf, but first back up the old working one:

    dnl ***** Customized section 1 start *****
    dnl
    dnl FEATURE(`delay_checks')dnl
    FEATURE(`masquerade_envelope')dnl
    FEATURE(`allmasquerade')dnl
    FEATURE(`masquerade_entire_domain')dnl
    dnl
    dnl
    dnl ***** Customized section 1 end *****

    # cp sendmail.cf sendmail-v1.cf
    # m4 sendmail.mc > sendmail.cf
Sendmail feature files

• The /etc/mail/relay-domains file: one domain per line; mail addressed to those domains is relayed without further checks.
• The /etc/mail/access file: keys are host names, domains, IP addresses or network prefixes; the value is one of:
• RELAY    accept mail from the host or domain and relay for it, and relay mail addressed to the domain;
• OK       accept mail from the host even if other rules (such as the unresolvable-domain check) would reject it; does not grant relaying;
• REJECT   refuse the connection or recipient with a generic error;
• DISCARD  silently drop the message after accepting it;
• a custom reply such as "550 You are not welcome here", which must start with a 4xx or 5xx SMTP code.
• 192.168.2 RELAY trusts the whole 192.168.2.0/24 network: anyone with a foothold on that network can use the server as a relay, so keep such prefixes as narrow as possible.
• The /etc/mail/local-host-names file lists every domain this server accepts mail for as local (here also my other site).
• For the other site's mail to reach us, DNS needs an MX record pointing at this server.
• After changing any sendmail file except the .mc, rebuild the maps and aliases:

    /etc/mail/relay-domains:
    my-other-site.com
    my-site.com

    /etc/mail/access:
    localhost.localdomain   RELAY
    localhost               RELAY
    127.0.0.1               RELAY
    192.168.1.16            RELAY
    192.168.1.17            RELAY
    192.168.2               RELAY
    my-site.com             RELAY

    /etc/mail/local-host-names:
    my-site.com
    my-other-site.com

    DNS:
    my-other-site.com.   MX 10   mail.my-site.com.

    # cd /etc/mail ; newaliases ; make
Which user should really receive the mail?

• The /etc/mail/virtusertable file maps addresses at the domains in local-host-names (and VIRTUSER_DOMAIN) to local users or to other addresses.
• Lookup order: the exact user@domain entry first, then the @domain catch-all.
• The @my-other-site.com catch-all sends every otherwise unlisted address at that domain to marc.
• The @my-site.com error:nouser entry rejects every address at my-site.com that is not listed above it with "550 User unknown". That includes local users and aliases you forgot to list; paul has his own line for exactly that reason.
• The /etc/aliases file maps local names to users, lists of users, include files or programs.
• Always run newaliases after working with /etc/aliases; sendmail only reads the aliases.db it builds.

    /etc/mail/virtusertable:
    webmaster@my-other-site.com   webmasters
    @my-other-site.com            marc
    sales@my-site.com             sales@my-other-site.com
    paul@my-site.com              paul
    finance@my-site.com           paul
    @my-site.com                  error:nouser User unknown

    /etc/aliases:
    . . .
    manager: root
    abuse: root
    # trap decode to catch security attacks
    decode: root
    # Person who should get root's mail
    root: marc,kalle,webmaster@my-site.com
    # My mailing list file
    admin-list: ":include:/home/mailings/admin-list"

    # cd /etc/mail ; newaliases ; make
Mail aliases, /etc/aliases explained

• Mail to "directors@my-site.com" goes to users "peter", "paul" and "mary".
• Mail sent to "family@my-site.com" goes to users "grandma", "brother" and "sister".
• Mail sent to "admin-list@my-site.com" is sent to all the users listed in the file /home/mailings/admin-list.
• Mail sent to peter.steen@ing-steen.se goes to peter.
• Alias targets are expanded recursively: an alias may point at another alias, and every result is parsed again, so a virtusertable catch-all also applies to addresses an alias produces.
• Protect :include: files: whoever can write /home/mailings/admin-list decides where that mail goes, and with "|program" aliases what smrsh executes.

    # Directors of my SOHO company
    directors: peter,paul,mary
    # My family
    family: grandma,brother,sister
    # My mailing list file
    admin-list: ":include:/home/mailings/admin-list"
    # peter.steen@ing-steen.se becomes the same as peter@ing-steen.se
    peter.steen: peter
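The two slides above describe a lookup order (virtusertable exact entry, then the @domain catch-all, then alias expansion with every result parsed again) that is easy to get wrong. The following added example is written for these notes and is not sendmail's own code: it models that order over the tables exactly as the slides show them, so you can ask "who actually receives mail for this address?" before running newaliases on a live server. The contents of the :include: file are constructed here instead of being read from /home/mailings/admin-list.

```python
"""Trace where mail for an address ends up, in the order sendmail applies the tables
on these slides: the virtusertable lookup first (exact user@domain, then the @domain
catch-all), then /etc/aliases expansion, re-parsing every result. This is an added
illustration written for these notes, not sendmail's own code. The two tables are the
ones shown on the slides; the :include: file content is constructed here instead of
being read from /home/mailings/admin-list."""

# /etc/mail/virtusertable as on the slide: key -> value
VIRTUSERTABLE = {
    "webmaster@my-other-site.com": "webmasters",
    "@my-other-site.com": "marc",
    "sales@my-site.com": "sales@my-other-site.com",
    "paul@my-site.com": "paul",
    "finance@my-site.com": "paul",
    "@my-site.com": "error:nouser User unknown",
}

# /etc/aliases as on the slide: name -> comma separated targets
ALIASES = {
    "manager": "root",
    "abuse": "root",
    "decode": "root",  # trap decode to catch security attacks
    "root": "marc,kalle,webmaster@my-site.com",
    "admin-list": ":include:/home/mailings/admin-list",
}

# Constructed stand-in for the :include: file, one address per line.
INCLUDE_FILES = {"/home/mailings/admin-list": "marc\nkalle\n"}

# Domains in /etc/mail/local-host-names (class w): virtusertable is consulted for these.
LOCAL_DOMAINS = {"my-site.com", "my-other-site.com"}


def virtuser_lookup(addr):
    """Return the virtusertable rewrite for addr, or None when no entry applies."""
    user, _, domain = addr.partition("@")
    if domain.lower() not in LOCAL_DOMAINS:
        return None  # not one of our domains: no virtual user lookup
    for key in (f"{user}@{domain.lower()}", f"@{domain.lower()}"):
        if key in VIRTUSERTABLE:
            return VIRTUSERTABLE[key]
    return None


def resolve(addr, _seen=frozenset()):
    """Return the set of final delivery targets for addr.

    Targets are 'local:<user>', 'remote:<address>' or 'error:<code> <text>'.
    Alias expansion results are re-parsed, so an alias can lead back into
    virtusertable and vice versa; _seen stops alias loops.
    """
    if addr in _seen:
        return set()  # alias loop: sendmail logs "aliasing/forwarding loop broken"
    _seen = _seen | {addr}

    rewritten = virtuser_lookup(addr)
    if rewritten is not None:
        if rewritten.startswith("error:"):
            return {rewritten}  # handed to the error mailer: the message bounces
        return resolve(rewritten, _seen)

    user, _, domain = addr.partition("@")
    if domain and domain.lower() not in LOCAL_DOMAINS:
        return {f"remote:{addr}"}  # handed to the MX of that domain

    if user not in ALIASES:
        return {f"local:{user}"}  # plain local mailbox
    targets = set()
    for item in ALIASES[user].split(","):
        item = item.strip().strip('"')
        if item.startswith(":include:"):
            for line in INCLUDE_FILES[item[len(":include:"):]].splitlines():
                if line.strip():
                    targets |= resolve(line.strip(), _seen)
        else:
            targets |= resolve(item, _seen)
    return targets
```

Run against the slide's own tables, resolve("manager") shows that root's third recipient, webmaster@my-site.com, has no exact virtusertable entry and therefore falls into the @my-site.com error:nouser catch-all: that copy of root's mail bounces. Either add an explicit webmaster@my-site.com line above the catch-all or, if unknown users at my-site.com should simply be local users, replace the catch-all value with %1, which sendmail substitutes with the user part.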
Sendmail .mc masquerading explained

• The MASQUERADE_AS directive makes all mail originating on the mail server appear to come from the domain my-site.com by rewriting the sender address in the email header.
• The MASQUERADE_DOMAIN directive makes mail relayed through the server from machines in the another-site.com and localdomain domains appear to come from the MASQUERADE_AS domain my-site.com as well. The decision is made on the domain part of the address being rewritten, not on the IP address or DNS name of the client that delivered the mail.
• FEATURE masquerade_entire_domain makes sendmail masquerade every host under the masqueraded domains, *.my-site.com and *.another-site.com, as my-site.com. In other words, mail from sales.my-site.com is masqueraded as my-site.com. Without it, only addresses at exactly my-site.com and another-site.com are masqueraded. Use this with caution and only when you have authority over those domains.
• FEATURE allmasquerade makes sendmail rewrite recipient header addresses as well as sender addresses. If you cc: yourself on an outgoing mail, the other recipient sees a cc: to an address they know instead of one at localhost.localdomain.
• FEATURE always_add_domain adds the domain even to mail that stays on the server, so a mail from one local user to another also carries user@my-site.com addresses rather than bare user names.
• FEATURE masquerade_envelope rewrites the envelope sender (the SMTP MAIL FROM address, where bounces go) just as MASQUERADE_AS rewrites the header.
• Hosts listed in local-host-names are masqueraded too by default. FEATURE(`limited_masquerade') restricts masquerading to the MASQUERADE_DOMAIN list, which is what you want when several unrelated domains are hosted on one server.
Sendmail masquerading example

• If you want your mail to appear to come from user@my-site.com and not from user@mail.my-site.com or user@client.my-site.com, you can either:
• configure your email client, such as Outlook Express, to set your email address to user@my-site.com, or
• set up masquerading to rewrite the domain name of all traffic originating from and passing through your mail server.
• Configuring masquerading: edit your sendmail.mc and add the masquerading directives below.

    FEATURE(`always_add_domain')dnl
    FEATURE(`masquerade_entire_domain')dnl
    FEATURE(`masquerade_envelope')dnl
    FEATURE(`allmasquerade')dnl
    MASQUERADE_AS(`my-site.com')dnl
    MASQUERADE_DOMAIN(`my-site.com')dnl
    MASQUERADE_DOMAIN(`localhost')dnl
    MASQUERADE_DOMAIN(`localhost.localdomain')dnl
Testing sendmail masquerading

• Send a mail in verbose mode and read the sender address sendmail presents in MAIL FROM and in the headers.
• Also tail the /var/log/mail* files to verify that masquerading is operating.
• Verify how sendmail resolves a recipient address with sendmail -bv.
• Log files: /var/log/mail, /var/log/mail.info, /var/log/mail.warn, /var/log/mail.err, /var/log/messages.
• Other masquerading notes: by default, user root is not masqueraded. This is achieved with the EXPOSED_USER line in /etc/mail/sendmail.mc.

    # mail -v username
    # sendmail -bv username@domain

    EXPOSED_USER(`root')dnl
Using sendmail to change the sender's email address

• Add these statements to your /etc/mail/sendmail.mc; to rewrite the origin address of outgoing mail you need the genericstable feature and a list of the domains it applies to.
• Create /etc/mail/generics-domains. It has the same format as local-host-names (one domain per line) and lists the domains whose senders are rewritten.
• Make sure the file includes your server's canonical name ($j), which you can obtain with the command below (look at the "canonical domain name" line).
• Remember to run make in /etc/mail after changing your sendmail files.
• Create your /etc/mail/genericstable: mail sent by the Linux users alert, peter and anton gets the new source address.

    FEATURE(`genericstable',`hash -o /etc/mail/genericstable.db')dnl
    GENERICS_DOMAIN_FILE(`/etc/mail/generics-domains')dnl

    /etc/mail/generics-domains:
    my-site.com
    my-other-site.com
    mail.my-site.com

    # sendmail -bt -d0.1 </dev/null

    /etc/mail/genericstable:
    # linux-username   new source address: user@domain
    alert              security-alert@my-site.com
    peter              urgent-message@my-site.com
    anton              anton@my-other-site.com
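The masquerading slides and the genericstable slide above both rewrite sender addresses, and the result depends on which features are switched on and in which order they apply (genericstable first, then masquerading). The following added example is written for these notes and is not sendmail's rulesets: it models those semantics so you can see, per feature flag, what the next hop will see for a given address. The tables are the ones on the slides; mail.my-site.com is assumed to be the server's canonical name ($j).

```python
"""Model of how sendmail rewrites an address on the way out: the genericstable lookup
first, then masquerading. This is an added illustration written for these notes, not
sendmail's rulesets; it implements the semantics the masquerading and genericstable
slides describe (MASQUERADE_AS, MASQUERADE_DOMAIN, masquerade_entire_domain,
allmasquerade, always_add_domain, masquerade_envelope, EXPOSED_USER, limited_masquerade,
GENERICS_DOMAIN_FILE). The default tables are the ones on the slides; mail.my-site.com
is assumed to be the server's canonical name ($j)."""

from dataclasses import dataclass, field


@dataclass
class Config:
    masquerade_as: str = "my-site.com"
    masquerade_domains: tuple = ("my-site.com", "localhost", "localhost.localdomain")
    local_host_names: tuple = ("mail.my-site.com", "my-site.com", "my-other-site.com")
    exposed_users: tuple = ("root",)          # EXPOSED_USER(`root')
    masquerade_entire_domain: bool = True
    allmasquerade: bool = True
    always_add_domain: bool = True
    masquerade_envelope: bool = True
    limited_masquerade: bool = False          # only the MASQUERADE_DOMAIN list, not local-host-names
    local_host: str = "mail.my-site.com"     # $j, assumed
    generics_domains: tuple = ("my-site.com", "my-other-site.com", "mail.my-site.com")
    genericstable: dict = field(default_factory=lambda: {
        "alert": "security-alert@my-site.com",
        "peter": "urgent-message@my-site.com",
        "anton": "anton@my-other-site.com",
    })


def masqueraded_host(host, cfg):
    """True when host is a masqueraded domain, or lies under one with masquerade_entire_domain."""
    host = host.lower()
    domains = cfg.masquerade_domains if cfg.limited_masquerade \
        else cfg.masquerade_domains + cfg.local_host_names
    domains = tuple(d.lower() for d in domains)
    if host in domains:
        return True
    return cfg.masquerade_entire_domain and any(host.endswith("." + d) for d in domains)


def masquerade(addr, kind, cfg):
    """kind: 'header_sender', 'header_recipient' or 'envelope_sender'."""
    user, _, host = addr.partition("@")
    if not host:
        if not cfg.always_add_domain:
            return addr                     # bare local name stays bare
        host = cfg.local_host               # always_add_domain: qualify with $j
    applies = (kind == "header_sender"
               or (kind == "header_recipient" and cfg.allmasquerade)
               or (kind == "envelope_sender" and cfg.masquerade_envelope))
    if not applies or user.lower() in cfg.exposed_users or not masqueraded_host(host, cfg):
        return f"{user}@{host}"
    return f"{user}@{cfg.masquerade_as}"


def generics(addr, cfg):
    """genericstable: rewrite a sender whose domain is in generics-domains.
    The fully qualified key user@domain wins over the bare user key."""
    user, _, host = addr.partition("@")
    host = (host or cfg.local_host).lower()
    if host not in tuple(d.lower() for d in cfg.generics_domains):
        return addr
    for key in (f"{user}@{host}", user):
        if key in cfg.genericstable:
            return cfg.genericstable[key]
    return addr


def rewrite(addr, kind, cfg=None):
    """Address as the next hop sees it: generics (senders only), then masquerading."""
    cfg = cfg or Config()
    if kind != "header_recipient":
        addr = generics(addr, cfg)
    return masquerade(addr, kind, cfg)
```

Two results are worth noticing. With the slide's configuration, anton's mail is first rewritten by genericstable to anton@my-other-site.com and then masqueraded to anton@my-site.com, because my-other-site.com is in local-host-names and such hosts are masqueraded by default; limited_masquerade=True keeps the my-other-site.com address. And root stays root@mail.my-site.com everywhere, which is what EXPOSED_USER(`root') is for: bounce and cron mail from root should show which machine it came from.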
Sendmail and virtual users

• Earlier we created /etc/mail/virtusertable.
• /etc/aliases can also be used, although virtusertable is more flexible because it works per domain.
• To receive mail for virtual domains, sendmail must know which domains to look up in virtusertable. Every domain in /etc/mail/local-host-names (class w) is looked up automatically; a domain that exists only virtually is declared with VIRTUSER_DOMAIN(`domain') or VIRTUSER_DOMAIN_FILE(`/etc/mail/virtual-domains') in sendmail.mc, which puts it in class {VirtHost} of the generated sendmail.cf.
• The original deck added the two lines below at the end of /etc/sendmail.cf instead. That has two problems: every time you run m4 the hand edits are lost and you have to put them back, and a CG line adds the domain to class G (the genericstable domains), not to the virtual-host class.
• sendmail.cf is a long, complicated file; sometimes you will need to read it to understand a problem, but make your changes in the .mc and regenerate, so that they survive the next m4 run.

    CGmy-site.com
    CGmy-other-site.com
Troubleshooting sendmail 1

• Testing TCP connectivity: sendmail uses SMTP on TCP port 25.
• Server: the daemon can listen on all interfaces (0.0.0.0) or on one designated interface such as 192.168.1.1.
• Client: the daemon listens on 127.0.0.1 only.
• Telnet to the mail server on port 25. You should get a greeting with a 220 status code.
• The SMTP dialogue resembles radio communication: you send one command, wait for the numbered reply, then send the next.

    Server:
    # netstat -an | grep :25 | grep tcp
    tcp   0   0 0.0.0.0:25     0.0.0.0:*   LISTEN

    Client:
    # netstat -an | grep :25 | grep tcp
    tcp   0   0 127.0.0.1:25   0.0.0.0:*   LISTEN

    # telnet mail.my-site.com 25
    Trying mail.my-site.com...
    Connected to mail.my-site.com.
    Escape character is '^]'.
    220 mail.my-site.com ESMTP server ready
Troubleshooting sendmail 2

• Use the HELO command to tell the mail server which domain you belong to. You should receive a reply that starts with the status code 250.
• Inform the mail server where the test message comes from with MAIL FROM:.
• Tell the mail server to whom the test message is going with RCPT TO: (one colon, address in angle brackets). The reply code for an accepted recipient is 2.1.5 "Recipient ok", not "Sender ok".
• Relay check: repeat RCPT TO: with an address outside the domains this server serves, from a host that is not allowed to relay. The correct reply is "550 5.7.1 ... Relaying denied"; a 250 here means you are running an open relay.

    HELO my-other-site.com
    250 mail.my-site.com Hello mail.my-site.com [192.168.3.5], pleased to meet you
    MAIL FROM:<sender@my-other-site.com>
    250 2.1.0 sender@my-other-site.com... Sender ok
    RCPT TO:<sender@my-other-site.com>
    250 2.1.5 sender@my-other-site.com... Recipient ok
Troubleshooting sendmail 3

• Prepare the mail server to receive data with the DATA command; the reply is 354.
• Type "Subject:" followed by a subject, an empty line (it separates the headers from the body), then the text of the message, and end with a single period on a line by itself.
• Use the QUIT command to end the session.

    DATA
    354 Enter mail, end with "." on a line by itself
    Subject: Test Message

    Testing sendmail interactively
    .
    250 2.0.0 iA75r9si017840 Message accepted for delivery
    QUIT
    221 2.0.0 mail.my-site.com closing connection
    Connection closed by foreign host.
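The troubleshooting transcript above shows one side of the SMTP dialogue; what decides the 250 or 550 on RCPT TO is the relay logic fed by the access, relay-domains and local-host-names files from the "Sendmail feature files" slide. The following added example is written for these notes and is not sendmail: it is a small model of the server side of that dialogue with the relay decision bolted onto RCPT TO, so you can step through the transcript and the open-relay check offline. The access and local-host-names entries are the slide's; the relay-domains content, the spammer.example and bulk.example entries and the client addresses are constructed.

```python
"""A small model of the server side of the SMTP dialogue from the troubleshooting
slides, with sendmail's relay decision from /etc/mail/access, relay-domains and
local-host-names bolted onto RCPT TO. Added illustration written for these notes,
not sendmail; feed it the commands of a session and it returns the reply lines.
The access and local-host-names entries are the ones on the slides; relay-domains,
the spammer.example and bulk.example entries and the client addresses are constructed."""

import re

LOCAL_HOST_NAMES = {"mail.my-site.com", "my-site.com", "my-other-site.com",
                    "localhost", "localhost.localdomain"}
RELAY_DOMAINS = {"partner.example"}                       # constructed
ACCESS = {                                                # /etc/mail/access
    "localhost.localdomain": "RELAY", "localhost": "RELAY", "127.0.0.1": "RELAY",
    "192.168.1.16": "RELAY", "192.168.1.17": "RELAY",
    "192.168.2": "RELAY",                                 # the whole 192.168.2.0/24
    "my-site.com": "RELAY",
    "spammer.example": "550 You are not welcome here",    # constructed custom reply
    "bulk.example": "DISCARD",                            # constructed
}


def access_lookup(key):
    """Look a host name or IPv4 address up the way sendmail does: the full key first,
    then shorter ones (a.b.c -> b.c -> c; 192.168.2.7 -> 192.168.2 -> 192.168 -> 192)."""
    parts = key.lower().rstrip(".").split(".")
    if all(p.isdigit() for p in parts):
        candidates = [".".join(parts[:n]) for n in range(len(parts), 0, -1)]
    else:
        candidates = [".".join(parts[i:]) for i in range(len(parts))]
    return next((ACCESS[c] for c in candidates if c in ACCESS), None)


def _addr(arg):
    """'FROM:<a@b>' or 'TO: a@b' -> 'a@b'."""
    return re.sub(r"^(?:FROM|TO):\s*<?([^>]*)>?\s*$", r"\1", arg.strip(), flags=re.I)


class Session:
    """One SMTP connection. client_name is the reverse DNS name of client_ip."""

    def __init__(self, client_ip, client_name):
        self.ip, self.name = client_ip, client_name
        # sendmail applies this at connection time (or at RCPT with delay_checks)
        self.client = access_lookup(client_ip) or access_lookup(client_name)
        self.helo = self.sender = None
        self.rcpts, self.in_data = [], False

    def rcpt_reply(self, rcpt):
        """The relay decision for one recipient."""
        domain = rcpt.rpartition("@")[2].lower()
        if self.client and self.client[0] in "45":
            return self.client                              # custom 4xx/5xx reply
        if self.client == "REJECT":
            return "550 5.7.1 Access denied"
        if domain in LOCAL_HOST_NAMES:
            return f"250 2.1.5 {rcpt}... Recipient ok"     # local delivery, never a relay
        if (self.client in ("RELAY", "DISCARD") or domain in RELAY_DOMAINS
                or access_lookup(domain) == "RELAY"):
            return f"250 2.1.5 {rcpt}... Recipient ok"     # relay permitted (DISCARD: accepted, then dropped)
        return f"550 5.7.1 {rcpt}... Relaying denied"

    def feed(self, line):
        """Reply to one line; None for body lines inside DATA."""
        if self.in_data:
            if line != ".":
                return None
            self.in_data, self.sender, self.rcpts = False, None, []
            return "250 2.0.0 Message accepted for delivery"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 mail.my-site.com Hello {self.name} [{self.ip}], pleased to meet you"
        if verb == "MAIL":
            if self.helo is None:
                return "503 5.0.0 Polite people say HELO first"
            self.sender, self.rcpts = _addr(arg), []
            return f"250 2.1.0 {self.sender}... Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.0.0 Need MAIL before RCPT"
            rcpt = _addr(arg)
            reply = self.rcpt_reply(rcpt)
            if reply.startswith("250"):
                self.rcpts.append(rcpt)
            return reply
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.0.0 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return "221 2.0.0 mail.my-site.com closing connection"
        return f'500 5.5.1 Command unrecognized: "{line}"'


def relays_for(client_ip, client_name, rcpt="someone@example.org"):
    """Open-relay probe: would this client be allowed to relay to an outside address?"""
    s = Session(client_ip, client_name)
    s.feed(f"HELO {client_name}")
    s.feed("MAIL FROM:<sender@my-other-site.com>")
    return s.feed(f"RCPT TO:<{rcpt}>").startswith("250")
```

The model makes the two halves of the relay decision explicit: a recipient at one of our own domains is always accepted because that is delivery, not relaying, while a recipient elsewhere is accepted only if the client matched a RELAY entry (by address, by network prefix such as 192.168.2, or by reverse DNS name) or the destination domain is one we agreed to relay for. Anything else gets the "Relaying denied" reply that the manual telnet test on the previous slides should produce from an untrusted host.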
Common errors due to incomplete installation

• Sample errors when running newaliases. The .cf "version 0" warning means sendmail.cf was never generated, so sendmail is reading an empty or stale file:
• Sample errors when processing sendmail.mc. The sendmail-cf macro package is not installed:
• Sample errors when restarting sendmail with the same broken sendmail.cf:

    # newaliases
    Warning: .cf file is out of date: sendmail 8.13.3 supports version 10, .cf file is version 0
    No local mailer defined
    QueueDirectory (Q) option must be set

    # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
    /etc/mail/sendmail.mc:8: m4: Cannot open /usr/share/sendmail-cf/m4/cf.m4: No such file or directory

    # rcsendmail restart
    Shutting down sendmail:                      [  OK  ]
    Shutting down sm-client:                     [FAILED]
    Starting sendmail: 554 5.0.0 No local mailer defined
    554 5.0.0 QueueDirectory (Q) option must be set
                                                 [FAILED]
    Starting sm-client:                          [  OK  ]
Incorrectly configured /etc/hosts files

• By default, Linux inserts the host name of the server between 127.0.0.1 and the localhost entries in /etc/hosts, as in the first line below.
• Sendmail then thinks that the server's FQDN is "mail".
• It will default to sending e-mails in which the domain is localhost.localdomain.
• The /etc/hosts file is also important for mail relay. With the second line, sendmail takes the server's FQDN to be my-site.com, with host name "my-site" and the local domain ($m) all of ".com".
• Every rule that trusts the local domain would then apply to every .com host (with FEATURE(relay_entire_domain) the server relays for all of .com), which defeats the restrictions you intended in access and relay-domains.
• The correct loopback entry looks like the third line: the fully qualified name first, then the aliases.

    127.0.0.1  mail  localhost.localdomain  localhost
    127.0.0.1  my-site.com  localhost.localdomain  localhost
    127.0.0.1  mail.my-site.com  localhost.localdomain  localhost  mail
Incorrect name resolution in the hosts file?

• Use the sendmail program to send a sample e-mail in verbose mode and read the dialogue. Here the server introduces itself as localhost.localdomain in EHLO and uses root@localhost.localdomain as the sender, the symptom of the /etc/hosts problem on the previous slide. Many receiving servers reject mail with such an EHLO name or sender domain.
• Look in /var/log/mail.
• Also look in /var/log/mail.err.
• And of course in /var/log/messages.

    # sendmail -v example@another-site.com
    test text test text
    .
    example@another-site.com... Connecting to mail.another-site.com. via esmtp...
    220 ltmail.another-site.com LiteMail v3.02(BFLITEMAIL4A); Sat, 21 Feb 2006 20:18:44 +0100
    >>> EHLO localhost.localdomain
    250-mx.another-site.com Hello [67.120.221.106], pleased to meet you
    250 HELP
    >>> MAIL From:<root@localhost.localdomain>
    250 <root@localhost.localdomain>... Sender Ok
    >>> RCPT To:<example@another-site.com>
    250 <example@another-site.com>... Recipient Ok
    >>> DATA
    354 Enter mail, end with "." on a line by itself
    >>> .
    250 Message accepted for delivery
    example@another-site.com... Sent (Message accepted for delivery)
    Closing connection to mail.another-site.com.
    >>> QUIT
Fighting spam: add DNSBL features to sendmail.mc

• FEATURE(`dnsbl', `zone', `reply') looks the connecting client's reversed IP address up under the zone; if an A record comes back, the connection is rejected with the reply text, in which $&{client_addr} and $&{client_name} are filled in.
• The deck's list, as published:
• RFC-Ignorant valid IP address checker;
• Easynet open proxy list;
• The Open Relay Database (ORDB) open mail relay list;
• SpamCop spammer blacklist;
• Spamhaus spammer blacklist (SBL).
• Caveat: several of these lists have since been shut down (relays.ordb.org, proxies.blackholes.easynet.nl and ipwhois.rfc-ignorant.org are no longer operated). A dead list either silently stops protecting you or, as ORDB did after its shutdown, answers positively for every query and makes your server reject all inbound mail. Check that a list is alive and that its terms allow your use before enabling it, and prefer a 4xx reply for lists you trust less: a 450 makes the sender retry later, a 550 bounces the mail.

    FEATURE(`dnsbl', `ipwhois.rfc-ignorant.org',`"550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/"')dnl
    FEATURE(`dnsbl', `proxies.blackholes.easynet.nl', `"550 5.7.1 ACCESS DENIED to OPEN PROXY SERVER "$&{client_name}" by easynet.nl DNSBL (http://proxies.blackholes.easynet.nl/errors.html)"', `')dnl
    FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected due to sending server misconfiguration - see http://www.ordb.org/faq/\#why_rejected"')dnl
    FEATURE(`dnsbl', `bl.spamcop.net', `"450 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')dnl
    FEATURE(`dnsbl',`sbl.spamhaus.org',`Rejected - see http://spamhaus.org/')dnl
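The dnsbl lines above hide a DNS lookup, and the caveat about shut-down lists only matters if you can check a list before trusting it. The following added example is written for these notes and is not sendmail code: it builds the query name the way the dnsbl feature does, interprets the answer, fills in $&{client_addr} in the reply template, and runs the RFC 5782 liveness test (127.0.0.2 must be listed, 127.0.0.1 must not). The resolver is a parameter so the block runs offline against constructed answers; the default uses socket.gethostbyname, which performs the same A lookup sendmail does.

```python
"""How a FEATURE(`dnsbl', zone, reply) line turns into a DNS query, what a positive
answer looks like, and a liveness check to run before trusting a list. Added
illustration written for these notes, not sendmail code. The resolver is a parameter
so the block runs offline against constructed answers; the default uses
socket.gethostbyname, which performs the same A lookup sendmail does."""

import socket


def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.5 in bl.example -> 5.2.0.192.bl.example"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def default_resolve(name):
    """A lookup; None when the name does not exist (NXDOMAIN means not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve=default_resolve):
    """A DNSBL answers 127.0.0.x for listed addresses; anything else counts as not listed."""
    answer = resolve(dnsbl_name(ip, zone))
    return answer is not None and answer.startswith("127.")


def reject_line(ip, zone, reply, resolve=default_resolve):
    """The SMTP reply sendmail would send for a listed client, with $&{client_addr}
    (or its m4-quoted form $`'&{client_addr}) substituted; None when not listed."""
    if not is_listed(ip, zone, resolve):
        return None
    return reply.replace("$&{client_addr}", ip).replace("$`'&{client_addr}", ip)


def zone_health(zone, resolve=default_resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not be.
    'dead': the zone no longer answers; 'lists-everything': the zone answers
    positively for every query, as relays.ordb.org did after it was shut down,
    which would make sendmail reject every inbound connection."""
    listed_2 = is_listed("127.0.0.2", zone, resolve)
    listed_1 = is_listed("127.0.0.1", zone, resolve)
    if listed_2 and not listed_1:
        return "ok"
    if listed_2 and listed_1:
        return "lists-everything"
    return "dead"


if __name__ == "__main__":
    # Live check of the zones on the slide (needs DNS); expect "dead" for the defunct ones.
    for zone in ("sbl.spamhaus.org", "bl.spamcop.net", "relays.ordb.org"):
        print(zone, zone_health(zone))
```

Run zone_health against every zone in your sendmail.mc from cron and alert on anything but "ok": "lists-everything" is the case that takes a mail server offline, and "dead" means that FEATURE line has been doing nothing for some time.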