Red Hat Linux 7.2 Sendmail configuration

Kurt Seifried, [email protected]


 

This has got to be one of the worst and best features about Red Hat Linux 7.2. My first major complaint would be the lack of Postfix. Not only did they fail to ship it on the CD, they failed to include it in anything like powertools online. To make matters worse the Postfix RPM from 7.1 does not work properly as it expects older libraries, although you should be able to get it working with some effort. But instead of doing all that I thought I would give Sendmail a chance, I haven't used it in approximately 2-3 years, and it has been audited (very few remote root hacks in the last few months, although there were some local root hacks). There are several significant problems with the default sendmail configuration and scripts that manage it.

 

Getting sendmail to listen to things other then itself (localhost)

This is a nice "secureity feature" but horribly documented (i.e. not at all) and non trivial to fix. By default Red Hat 7.2's sendmail installation only listens on 127.0.0.1. It can receive mail sent locally on the system (i.e. pine) and it can send out mail, but if you want to send mail through it or recieve mail from other systems it will not work by default. You can tell if it is doing this by issuing a netstat command:

[root@server mail]# netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      

After looking through several files I discovered how to fix it:

First you need to edit /etc/mail/sendmail.mc, find the following section:

dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

You will need to comment out the like with DAEMON_OPTIONS, using "dnl" at the begining of the line:

dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

You will then need to rebuild the file:

m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

Once you have done this sendmail will listen on all IP address on the system:

[root@server mail]# netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      

And you can recieve mail from others, and send mail from your clients.

 

Configuring sendmail and rebuilding the configuration database files

So you've got sendmail listening, and you've configured your access table, and restarted sendmail, but still cannot send mail. Do not worry, you've probably edited the access file correctly, the default script to handle sendmail is broken. Normally when you start sendmail with the script that is responsible, /etc/rc.d/init.d/sendmail, it will automatically rebuild the databases if they do not exist. This script does not work properly by default and I reccomend modifying it. Find the following section in /etc/rc.d/init.d/sendmail:

echo -n $"Starting $prog: "
/usr/bin/newaliases > /dev/null 2>&1
if test -x /usr/bin/make -a -f /etc/mail/Makefile ; then
  make -C /etc/mail -q
else
  for i in virtusertable access domaintable mailertable ; do
    if [ -f /etc/mail/$i ] ; then
makemap hash /etc/mail/$i < /etc/mail/$i
    fi
  done
fi

This section should rebuild the databases files if they do not exist, and if they do it leaves them alone if there is a Makefile present in /etc/mail. If this file is not present it builds the files and replaces the existing database files (so they are not preserved). I prefer to rebuild databases by default, if your site is large enough that this rebuild takes significant time do not do this and do it manually. Modifying the section so that it looks like this will force a rebuild of the configuraiton databases each time you start or restart sendmail:

        echo -n $"Starting $prog: "
        /usr/bin/newaliases > /dev/null 2>&1
        cd /etc/mail
        rm -f *.db
        make

You must remove the "-q" option on make or it will not work (the option should only suppress messages, but for some reasons with the "-q" option make does not work at all). I also reccomend removing the "else" clause that manually rebuilds the files, as it is no longer needed. The Makefile in /etc/mail should look like:

 These could be used by sendmail, but are not part of the default install.
# To use them you will have to generate your own sendmail.cf with
#  FEATURE('whatever')
#
POSSIBLE += $(shell test -f bitdomain     && echo     bitdomain.db)
POSSIBLE += $(shell test -f uudomain      && echo      uudomain.db)
POSSIBLE += $(shell test -f genericstable && echo genericstable.db)


all: ${POSSIBLE} virtusertable.db access.db domaintable.db mailertable.db

virtusertable.db : virtusertable
        @makemap -f hash $@ < $<

userdb.db : userdb
        @makemap -f hash $@ < $<

%.db : %
        @makemap hash $@ < $<

clean:
        @rm -f *.db *~

And sendmail should be working like it is supposed to.

 

Configuring the sendmail access file

This file is probably the most critical file for sendmail security after keeping sendmail up to date. Rules consist of an IP address or a network block, a domain name, or an email address. The main targets for the rules are "OK", "RELAY", "REJECT" and "DISCARD", and the secondary targets are any RFC821 compliant message, or RFC 1893 compliant. Chances are you will only use the primary targets and not the secondary. To quote the documentation:

OK              Accept mail even if other rules in the
                running ruleset would reject it, for example,
                if the domain name is unresolvable.
RELAY           Accept mail addressed to the indicated domain or
                received from the indicated domain for relaying
                through your SMTP server.  RELAY also serves as
                an implicit OK for the other checks.
REJECT          Reject the sender or recipient with a general
                purpose message.
DISCARD         Discard the message completely using the
                $#discard mailer.  If it is used in check_compat,
                it affects only the designated recipient, not
                the whole message as it does in all other cases.
                This should only be used if really necessary.
### any text    where ### is an RFC 821 compliant error code and
                "any text" is a message to return for the command.
                The string should be quoted to avoid surprises,
                e.g., sendmail may remove spaces otherwise.
ERROR:### any text
                as above, but useful to mark error messages as such.
ERROR:D.S.N:### any text
                where D.S.N is an RFC 1893 compliant error code
                and the rest as above.

The rules can be in the form:

127.0.0.1		OK
10.2.0			RELAY
spam.com		DISCARD
annoying.org		REJECT
[email protected]	OK
[email protected]	REJECT

I reccomend using DISCARD with known spammers, if you REJECT messages you will simply use up outgoing bandwidth. Spammers do not really care if the message gets through or not, and they do not bother to clean their lists to make sure names and domains are active.

 


Back

Last updated 31/10/2001

Copyright Kurt Seifried 2001