sendmail

In the past, EITS provided pre-built sendmail packages for the Unix OSes we supported. This was because SMTP was not the standard for mail, and configuring sendmail was a complex task.

Now, the sendmail binaries and config files that ship with OSes work "out of the box" with little or no setup needed.

You only need the sendmail daemon running on your machine if you need it to accept inbound mail. Otherwise, it suffices to have the software on your disk, but not running all the time.

Your most important task will be to make sure you're not an "open relay" (see below).

Here are some configuration notes:

If your machine will accept mail for your entire domain, or for other machines in your department, you must edit /etc/mail/local-host-names (/etc/sendmail.cw or /etc/mail/sendmail.cw for old sendmail versions). Add a line for each host or domain name. For example, if your machine is called mail.dept.uga.edu and it will accept also mail for dept.uga.edu and oldmail.dept.uga.edu, add these lines to the sendmail.cw file:
```
      dept.uga.edu
      oldmail.dept.uga.edu
```
Use a "null" cf file on machines that NFS mount their mail spool from another machine or on machines that do not need to accept mail from the outside world. All mail sent via a machine using a null cf file is forwarded to another machine for delivery.
You must edit the null cf file to specify the machine to which mail will be forwarded. You'll need a line that reads
```
DHsome.box.uga.edu
```
where "some.box.uga.edu" is the machine that you want mail forwarded to.
To control what host name appears in outbound mail from your machine, you can put a line like this in the sendmail.cf file:
```
DMsome.box.uga.edu
```
Sendmail will complain, or not even start, if various directory permissions aren't set to its liking. If it does complain, try these commands: chmod go-w / /etc /etc/mail /var /var/spool /var/spool/mqueue chown root / /etc /etc/mail Your box may already have the proper permissions.
For Solaris, there's a script you can run ( ftp://ftp.uga.edu/pub/unix/packages/sendmail.uga/check-permissions.sh) which will check whether sendmail will honour any forward and .procmailrc files your users may have in their home directories. Run the script check-permissions.sh ALL as root.
If for some reason you use a sendmail other than the one that comes with the OS, take note of this: Since Solaris has a group writable /etc by default, any Solaris patch which writes in /etc will probably reset /etc to be group writable. Also, any Solaris patch designed to replace /usr/lib/sendmail or /etc/mail/sendmail.cf will do so. If /usr/lib/sendmail is replaced by a patch, then sendmail will probably not start at all, or else give errors during most delivery attempts. Therefore, WSG recommends that you install a startup script which corrects the directory permissions and copies the correct sendmail binary and config file into place. Your sendmail will then be immune to Solaris patching. Such a script is available at ftp://ftp.uga.edu/pub/unix/sun/scripts/S87prep.sendmail.

For more possibly useful info on potential startup problems on Solaris, see http://www.sendmail.org/sun-specific/.

Important notes

Read root's mail

Somebody should check root's mail regularly. If nobody logs into the root account, forward root's mail to by adding an entry to /etc/aliases and running sendmail -bi to rebuild the aliases database.

`/etc/shells`

If you or any of your users are using a .forward file to forward mail into other programs (like


/usr/local/bin/procmail

), then you need to add the names of these programs to the file /etc/shells for sendmail work properly. If this file does not exist, create it. If you have to create it, you also need to add the names of the other standard shells on your system. For example:

    /bin/csh
    /bin/sh
    /bin/tcsh
    /usr/local/bin/procmail

Do not add program names to /etc/shells unless you know that they are secure and you wish to allow your users to be able to forward their mail through them. NEVER add an entry to /etc/shells if it is a shell script.

"Group writable directory" warnings

Sendmail is becoming more and more picky about the permissions of directories that it uses. Do not be surprised if you see messages like "Warning: group writable directory /var/spool/mqueue". If you want to be as secure as possible, and you understand the consequences, you can remove the group-write bits for the directories sendmail complains about.

Access Database

Access Database The access database is used to control which sites can use your machine as a relay. It can also deny all mail services to certain sites. If you are getting a lot of spam from a site, this is a good way to take care of it.

The access database is a table that maps email addresses, domain names, and/or IP addresses to actions. For example, the following line allows all machines in the uga.edu domain to relay:

uga.edu          RELAY

Here is a list of all possible actions (mostly stolen from the sendmail docs):

OK: Accept mail even if other rules in the running ruleset would reject it. This won't let your host relay mail from the given domain. You need to use "relay" for that.
RELAY: Allow domain to relay through your SMTP server. RELAY also serves an implicit OK for the other checks. This is the action you want to specify for your users who use POP/IMAP clients through their ISPs and who need to relay through your machine.
REJECT: Reject the sender/recipient with a general purpose message.
DISCARD: Discard the message completely using the $#discard mailer. That is, send the messages to /dev/null.
### any text: Where ### is an RFC 821 compliant error code and "any text" is a message to return for the command. Note that in most cases 550 will be returned no matter what you substitute for "###".

Here's an example access database.

        cyberspammer.com        550 We don't accept mail from spammers
        okay.cyberspammer.com   OK
        sendmail.org            OK
        128.32                  RELAY
        dorkslayers.com         DISCARD

This table would accept mail from okay.cyberspammer.com, but would reject mail from all other hosts at cyberspammer.com with the indicated message. It would allow accept mail from any hosts in the sendmail.org domain, and allow relaying for the 128.32.*.* network. It would also discard all mail from the dorkslayers.com domain.

If you want to use this feature, put your table in /etc/sendmail.access (or /etc/mail/sendmail.access) and run the appropriate makemap command. The command depends a bit on which OS you are running but in general it looks like this:

cd /etc  # or /etc/mail
/usr/local/bin/makemap dbm sendmail.access < sendmail.access

If you are running RedHat, replace dbm with


hash

You do not need to restart sendmail after updating the access database. Your changes take effect immediately. But note: If you have updated your access database because of in in-progress spam attack you should kill all sendmail processes and restart sendmail. This will take care of any existing connections the spammer may have to your machine. The processes associated with existing connections do not re-read the access database every time it gets updated :)

Click here to test your host to see if it's vulnerable to mail relay.

Learning more about sendmail

You can learn more about Sendmail on its website.

Last modified: Friday, 07-Mar-2003 12:56:35 EST
URL: http://www.uga.edu /~ucns/wsg/sendmail/home.html