===========================================
In This Chapter
Chapter 21 Configuring Linux Mail Servers
Configuring Sendmail
Configuring Your POP Mail Server
Peter Harrison, www.linuxhomenetworking.com
===========================================
This chapter will help to show you how to set up a mail server for your home network. It covers Sendmail, which is responsible for relaying your mail to a remote user's mailbox, and also POP mail, which is used to retrieve the mail from the mailbox to your local PC via a mail client such as Outlook Express.
Configuring Sendmail
An Overview Of How Sendmail Works
Sendmail is the most popular Linux program for processing mail. Once the mail arrives on the mail server it can be read in a number of ways:
o Linux users logged into the mail server can read their mail directly using a text based client such as "mail" or a GUI client such as Evolution.
o Windows users can use an email client such as "Outlook" or "Outlook Express" to download the mail to their local PC via POP. Windows users also have the option of either keeping or deleting the mail on the mail server after it has been downloaded.
If the mail is destined for a local user then sendmail will place the message in that person's mailbox so that they can retrieve it using one of the methods above.
The process is different when sending mail via the mail server:
o If the mail isn't destined for the mailbox of a local user, then sendmail will attempt to relay it to the appropriate destination mail server via the Simple Mail Transfer Protocol or SMTP. One of the main advantages of mail relaying is that when a PC user "A" sends mail to another user "B" on the Internet, the PC of user "A" can delegate the SMTP processing to the mail server.
Note: If mail relaying is not configured properly then your mail server could end up relaying SPAM. Simple sendmail security is outlined on this page.
Configuring DNS
Remember that you will never receive mail unless you have configured DNS for your domain to make your new Linux box mail server the target of the DNS domain's MX record. See either the Static DNS or Dynamic DNS pages on how to do this.
You'll need to run the script each time you change any of the sendmail configuration files described in the sections to follow. The line in the script that restarts sendmail is only needed if you have made changes to the /etc/mail/sendmail.mc file, but it has been included so that you don't forget. This may not be a good idea in a production system. Delete the appropriate "m4" line depending on your version of RedHat. Both the newaliases and m4 commands depend on the sendmail-cf RPM package. This must be installed, if not, you'll get errors like this when running the script:
[root@bigboy tmp]# pgrep sendmail
22131
[root@bigboy tmp]#
We can also see the interfaces on which Sendmail is listening with the "netstat" command. Sendmail listens on TCP port 25, so we use "netstat" and "grep" for "25" to see a default configuration listening only on IP address 127.0.0.1 (loopback).
[root@bigboy tmp]# netstat -an | grep :25 | grep tcp
tcp        0      0 127.0.0.1:25      0.0.0.0:*      LISTEN
[root@bigboy tmp]#
Note: When sendmail starts, it reads the file sendmail.cf for its configuration. sendmail.mc is a more user friendly configuration file and really is much easier to fool around with without getting burned. The sendmail.cf file is located in different directories dependent on the version of RedHat you use: /etc/sendmail.cf for versions up to 7.3, and /etc/mail/sendmail.cf for versions 8.0 and higher.
Redhat versions up to 7.3
[root@bigboy tmp]# m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
Redhat versions 8.0+
[root@bigboy tmp]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
---
Here the IP address is followed by the hostname.domain (bigboy.my-site.com) followed by the hostname and all the DNS CNAMEs assigned to the server's IP address. Sendmail uses this file to determine:
o The system name
o The domains it is responsible for relaying
Sendmail looks for the IP address of your NIC in /etc/hosts and then assumes the first name after it is the fully qualified domain name of the server such as bigboy.my-site.com. If bigboy had an entry like this:
192.168.1.100    my-site.com    (Wrong!!!)
Sendmail would assume the server's name was my-site and that the domain was all of ".com". The server would therefore be open to relay all mail from any ".com" domain and would ignore the security features of the access and relay-domains files we'll describe below. If you fail to put the IP address of your NIC in the /etc/hosts file altogether, then you run the risk of having all your mail appear to come from localhost.localdomain and not bigboy.my-site.com.
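A check for the /etc/hosts mistake described above, added here as an example and not part of the original chapter: the shell function below reports the host name and domain that follow from the first name after the NIC's IP address. The function names, the status words and the sample files (including the mail and www aliases) are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the original chapter): report the host name and
# domain Sendmail would derive from a hosts file, per the rule above.

# sendmail_identity HOSTS_FILE NIC_IP  ->  prints "status host domain"
#   ok           first name after the IP has a host part and a real domain
#   tld-only     first name has two labels, so the domain is a bare TLD
#   unqualified  first name has no domain part
#   missing      no entry for NIC_IP (mail shows localhost.localdomain)
sendmail_identity() {
    awk -v ip="$2" '
        { sub(/#.*/, "") }                       # strip comments
        $1 == ip && NF >= 2 {
            n = split($2, label, /[.]/)          # $2 = first name after IP
            host = label[1]
            domain = substr($2, length(host) + 2)
            status = (n >= 3) ? "ok" : ((n == 2) ? "tld-only" : "unqualified")
            print status, host, (domain == "" ? "-" : domain)
            found = 1
            exit
        }
        END { if (!found) print "missing - -" }
    ' "$1"
}

# Constructed sample files using the chapter's names and addresses.
write_samples() {
    printf '%s\n' '127.0.0.1 localhost.localdomain localhost' \
        '192.168.1.100 bigboy.my-site.com bigboy mail www' > "$1/hosts.good"
    printf '%s\n' '127.0.0.1 localhost.localdomain localhost' \
        '192.168.1.100 my-site.com   # wrong: domain becomes "com"' > "$1/hosts.bad"
    printf '%s\n' '127.0.0.1 localhost.localdomain localhost' > "$1/hosts.none"
}

# Run with the argument "demo" to print one result per sample file.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d) && write_samples "$dir"
    for f in good bad none; do
        printf '%-10s %s\n' "hosts.$f" \
            "$(sendmail_identity "$dir/hosts.$f" 192.168.1.100)"
    done
    rm -rf "$dir"
fi
```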
250 HELP
>>> MAIL From:<root@localhost.localdomain>
250 <root@localhost.localdomain>... Sender ok
>>> RCPT To:<example@another-site.com>
250 <example@another-site.com>... Recipient ok
>>> DATA
354 Enter mail, end with "." on a line by itself
>>> .
250 Message accepted for delivery
example@another-site.com... Sent (Message accepted for delivery)
Closing connection to mail.another-site.com.
>>> QUIT
[root@bigboy tmp]#
Localhost.localdomain is the domain that all computers use to refer to themselves; it is therefore an illegal internet domain. If mail sent from computer PC1 to PC2 appears to come from a user at localhost.localdomain on PC1 and is rejected, the rejected email will be returned to localhost.localdomain. PC2 will see that the mail originated from localhost.localdomain and will think that the rejected email should be sent to a user on PC2 that may not exist. You will probably get an error like this in /var/log/maillog if this happens:
Oct 16 10:20:04 bigboy sendmail[2500]: g9GHK3iQ002500: SYSERR(root): savemail: cannot save rejected email anywhere
Oct 16 10:20:04 bigboy sendmail[2500]: g9GHK3iQ002500: Losing ./qfg9GHK3iQ002500: savemail panic
Note: You may also get this error if you are using a SPAM prevention program, for example a script based on the PERL module Mail::Audit. An error in the script could cause this type of message too.
Another set of tell tale errors caused by the same problem can be generated when trying to send mail to a user, in this example "root", or creating a new alias database file. (The newaliases command will be explained later):
[root@bigboy tmp]# sendmail -v root
WARNING: local host name (bigboy) is not qualified; fix $j in config file
[root@bigboy tmp]# newaliases
WARNING: local host name (bigboy) is not qualified; fix $j in config file
[root@bigboy tmp]#
With the accompanying error in the /var/log/maillog log file that looks like this:
Oct 16 10:23:58 bigboy sendmail[2582]: My unqualified host name (bigboy) unknown; sleeping for retry
The /etc/mail/relay-domains file is used to determine domains from which it will relay mail. The contents of the relay-domains file should be limited to those domains that can be trusted not to originate spam. By default, this file does not exist in a standard RedHat install. In this case, all mail sent from my-super-duper-site.com and not destined for this mail server will be forwarded.
my-super-duper-site.com
One disadvantage of this file is that it can only control mail based on the source domain, which can be spoofed by SPAM email servers. The /etc/mail/access file has more capabilities, such as restricting relaying by IP address or network range, and is more commonly used. If you delete /etc/mail/relay-domains, then relay access is fully determined by the /etc/mail/access file. Sendmail has to be restarted after editing this file for the changes to take effect.
Access File
You can make sure that only trusted PCs on your network have the ability to relay mail via your mail server by using the /etc/mail/access file. That is to say, the mail server will only relay mail for those PCs on your network that have their email clients configured to use the mail server as their "outgoing SMTP mail server". (In Outlook Express you set this using: Tools Menu -> Accounts -> Properties -> Servers)
If you don't take the precaution of using this feature, you may find your server being used to relay mail for SPAM email sites. Configuring the /etc/mail/access file will not stop SPAM coming to you, only SPAM flowing through you.
The /etc/mail/access file has two columns. The first lists IP addresses and domains from which the mail is coming or going. The second lists the type of action to be taken when mail from these sources / destinations is received. Keywords include RELAY, REJECT, OK (not ACCEPT) and DISCARD. There is no third column to state whether the IP address or domain is the source or destination of the mail, Sendmail assumes it could be either and tries to match both. Sendmail will REJECT all other attempted relayed mail that doesn't match any of the entries in the /etc/mail/access file. Despite this, my experience has been that control on a per email address basis is much more intuitive via the /etc/mail/virtusertable file.
In the sample file below, we allow relaying for only the server itself (127.0.0.1, localhost), two client PCs on your home 192.168.1.X network, everyone on your 192.168.2.X network and everyone passing email through the mail server from servers belonging to my-site.com. Remember that a server will only be considered a part of my-site.com if its IP address can be found in a DNS reverse zone file:
localhost.localdomain    RELAY
localhost                RELAY
127.0.0.1                RELAY
192.168.1.16             RELAY
192.168.1.17             RELAY
192.168.2                RELAY
my-site.com              RELAY
You'll then have to convert this text file into a Sendmail readable database file named /etc/mail/access.db. Here are the commands to do that:
[root@bigboy tmp]# cd /etc/mail
[root@bigboy mail]# make
Remember that the relay security features of this file may not work if you don't have a correctly configured /etc/hosts file.
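The relay rule described above, as an added example that is not from the original chapter or from Sendmail itself: the function looks a connecting client up in the sample table by name, parent domain, IP address and network prefix, and rejects when nothing matches. The function names, the lookup order and the test addresses 10.1.1.1 and 203.0.113.9 are assumptions.

```sh
#!/bin/sh
# Added example (not from the original chapter): evaluate relay permission
# against an access table the way the text above describes it.

# relay_decision ACCESS_FILE CLIENT_IP [CLIENT_NAME]
# CLIENT_NAME stands for the name found by reverse DNS, if any.
# Prints "ACTION matched-key", or "REJECT (no-match)" when nothing matches.
# Lookup order is this example's assumption: the name and each parent
# domain, then the IP address and each shorter octet-boundary prefix.
relay_decision() {
    awk -v ip="$2" -v name="${3:-}" '
        { sub(/#.*/, "") }                          # strip comments
        NF >= 2 { action[tolower($1)] = $2 }        # column 1 -> column 2
        END {
            key = tolower(name)
            while (key != "") {
                if (key in action) { print action[key], key; exit }
                dot = index(key, ".")
                key = dot ? substr(key, dot + 1) : ""   # drop leftmost label
            }
            key = ip
            while (key != "") {
                if (key in action) { print action[key], key; exit }
                key = match(key, /\.[^.]*$/) ? substr(key, 1, RSTART - 1) : ""
            }
            print "REJECT", "(no-match)"
        }
    ' "$1"
}

# The chapter's sample table, written to FILE for the demonstration.
write_access() {
    cat > "$1" <<'EOF'
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168.1.16            RELAY
192.168.1.17            RELAY
192.168.2               RELAY
my-site.com             RELAY
EOF
}

# Run with the argument "demo"; the client addresses are constructed.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp) && write_access "$f"
    relay_decision "$f" 192.168.1.16                    # listed client PC
    relay_decision "$f" 192.168.1.18                    # unlisted neighbour
    relay_decision "$f" 192.168.2.44                    # inside 192.168.2
    relay_decision "$f" 10.1.1.1 mail.my-site.com       # domain suffix match
    relay_decision "$f" 203.0.113.9 my-site.com.example.net   # look-alike
    rm -f "$f"
fi
```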
The true destination in the eyes of the mail server could be a local Linux user, a mailing list entry in the /etc/aliases file or the email address of someone on some other mail server to which the mail should be automatically forwarded.
The /etc/aliases file
This file has two columns too. It could be viewed as a mailing list file. The first column has the mailing list name (sometimes called a virtual mailbox) and the second column has the members of the mailing list separated by commas.
o If the mailing list member doesn't have an "@" in the name, then sendmail assumes the recipient is on the local box.
o It will then search the first column of the aliases file to see if the recipient isn't on yet another mailing list.
o If it doesn't find a duplicate, it assumes the recipient is a local user.
o If the recipient is a mailing list, then it goes through the process all over again to determine each individual in the mailing list and when it is all finished, they will all get a copy of the email message.
After editing this file you'll have to convert it into a sendmail readable database file named /etc/mail/virtusertable.db. Here are the commands to do that:
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
lp: root
shutdown: root
mail: root
apache: root
named: root
system: root
manager: root
abuse: root
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
root: marc,webmaster@my-site.com
Notice that there are no spaces between the mailing list entries for "root". This is important as you will get errors if you add spaces.
After editing this file you'll have to convert it into a sendmail readable database file named /etc/aliases.db. Here is the command to do that:
[root@bigboy tmp]# newaliases
grandma,brother,sister
Mail sent to admin-list gets sent to all the users listed in the file /usr/home/admin/admin-list. The advantage of using mailing list files is that the admin-list file can be a file that trusted users can edit; user "root" is only needed to update the aliases file. Despite this, there are some problems with mail reflectors. One is that bounce messages from failed attempts to broadcast go to all users. Another is that all subscriptions and unsubscriptions have to be done manually by the mailing list administrator. If either of these is a problem for you, then consider using a mailing list manager like majordomo.
# My mailing list file
admin-list: ":include:/home/mailings/admin-list"
After editing this file, you'll have to convert it into a sendmail readable database file named /etc/aliases.db. Here is the command to do that:
[root@bigboy tmp]# newaliases
Configuring masquerading
In the DNS configuration, we made bigboy the mailserver for the domain my-site.com. You now have to tell bigboy in the sendmail configuration file sendmail.mc that all outgoing mail originating on bigboy should appear to be coming from my-site.com; if not, based on our settings in the /etc/hosts file, it will appear to come from mail.my-site.com. This isn't terrible, but you may not want your website to be remembered with the word "mail" in front of it. In other words you may want your mail server to handle all email by assigning a consistent return address to all outgoing mail, no matter which server originated the email. This can be solved by editing your sendmail.mc configuration file and adding some masquerading commands and directives. These are explained below:
FEATURE(always_add_domain)dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`allmasquerade')dnl
MASQUERADE_AS(`my-site.com.')dnl
MASQUERADE_DOMAIN(`my-site.com.')dnl
MASQUERADE_AS(my-site.com)dnl
The MASQUERADE_AS directive will make all mail originating on bigboy appear to come from a server within the domain my-site.com by rewriting the email header.
The MASQUERADE_DOMAIN directive will make mail relayed via bigboy from all machines in the my-other-site.com domain appear to come from the MASQUERADE_AS domain of my-site.com.
Feature "masquerade_entire_domain" makes sendmail masquerade servers named *my-site.com, and *my-other-site.com as my-site.com. In other words, mail from sales.my-site.com would be masqueraded too. If this wasn't selected, then only servers named my-site.com and my-other-site.com would be masqueraded. Use this with caution, only when you are sure you have the authority to do this.
Feature "allmasquerade" will make sendmail rewrite both recipient addresses and sender addresses relative to the local machine. If you cc: yourself on an outgoing mail, the other recipient will see a cc: to an address he knows instead of one on localhost.localdomain.
Feature "always_add_domain" will always masquerade email addresses, even if the mail is sent from a user on the mail server to another user on the same mail server.
Feature "masquerade_envelope" will rewrite the email envelope just as "MASQUERADE_AS" rewrote the header.
The email header is what email clients, such as Outlook Express, say the "to:" and "from:" should be. The "to:" and "from:" in the header is what is used when you use Outlook Express to do a "reply" or "reply all". It is easy to fake the header, as spammers often do; it is detrimental to email delivery to fake the envelope. The email envelope contains the "to:" and "from:" used by mailservers for protocol negotiation.
It is the envelope's "from:" which is used when email rejection messages are sent between mail servers.
Testing Masquerading
The best way of testing masquerading from the Linux command line is to use the "mail -v username" command. I have noticed that "sendmail -v username" ignores masquerading altogether. You should also tail the /var/log/maillog file to verify that the masquerading is operating correctly and check the envelope and header of test email received by test email accounts.
By default, user "root" will not be masqueraded. This is achieved with the:
EXPOSED_USER(`root')dnl
command in /etc/mail/sendmail.mc. You can comment this out if you like with a "dnl" at the beginning of the line and recompiling / restarting sendmail.
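One way to do the envelope and header check on a received test message, added here as an example and not part of the original chapter. It assumes the receiving server records the envelope sender in a Return-Path: line; the function names, verdict words and sample messages are constructed for the illustration.

```sh
#!/bin/sh
# Added example (not from the original chapter): compare the envelope
# sender and the header sender of a received test message.

# masq_check MESSAGE_FILE DOMAIN
# Return-Path: is the envelope "from:" recorded at final delivery; From: is
# the header address. Prints "envelope=DOM header=DOM verdict".
masq_check() {
    awk -v want="$2" '
        function dom(s) {                 # domain part of the first address
            if (s !~ /@/) return "-"
            sub(/^[^@]*@/, "", s)
            sub(/[> \t].*$/, "", s)
            return tolower(s)
        }
        /^$/ { exit }                     # headers end at the first blank line
        tolower($0) ~ /^return-path:/ { env = dom($0) }
        tolower($0) ~ /^from:/        { hdr = dom($0) }
        END {
            if (hdr != want)      verdict = "header-not-masqueraded"
            else if (env != want) verdict = "envelope-not-masqueraded"
            else                  verdict = "ok"
            print "envelope=" env, "header=" hdr, verdict
        }
    ' "$1"
}

# Constructed test messages; marc is used because root is exempt by default.
write_messages() {
    printf '%s\n' 'Return-Path: <marc@my-site.com>' \
        'From: Marc <marc@my-site.com>' 'Subject: test' '' 'body' \
        > "$1/both.eml"
    printf '%s\n' 'Return-Path: <marc@bigboy.my-site.com>' \
        'From: marc@my-site.com' 'Subject: test' '' 'body' \
        > "$1/header-only.eml"
    printf '%s\n' 'Return-Path: <marc@localhost.localdomain>' \
        'From: marc@localhost.localdomain' 'Subject: test' '' \
        'From: not-a-header@my-site.com' > "$1/none.eml"
}

# Run with the argument "demo" to check all three sample messages.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d) && write_messages "$dir"
    for m in both header-only none; do
        masq_check "$dir/$m.eml" my-site.com
    done
    rm -rf "$dir"
fi
```

The header-only sample is what a server shows when the header is rewritten but masquerade_envelope is not in effect.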
I have written a script called mail-filter.pl that effectively filters out SPAM email for my home system. There are a few steps required to make the script work:
o Install PERL and the PERL modules listed above.
o Place an executable version of the script in your home directory and modify the script's $FILEPATH variable to point to your home directory.
o Update the two configuration files:
  o mail-filter.accept, which specifies the subjects and email addresses to accept,
  o mail-filter.reject, which specifies those that you should reject.
Mail-filter will first reject all email based on the "reject" file and will then accept all mail found in the "accept" file. It will then deny everything else. I have included a simple script with instructions on how to install the PERL modules in the Appendix.
Sendmail will just handle mail sent to your "my-site.com" domain. Each user on your Linux box will get mail sent to their account's mail folder. If you want to retrieve this mail from your Linux box's user account, using a mail client such as Microsoft Outlook or Outlook Express, then you have a few more steps. You'll also have to make your Linux box a POP mail server.
socket_type = stream
wait = no
user = root
server = /usr/sbin/ipop3d
log_on_success += HOST DURATION
log_on_failure += HOST
disable = no
You will then have to restart xinetd for these changes to take effect using the startup script in the /etc/init.d directory. Naturally, to disable POP Mail once again, you'll have to edit the /etc/xinetd.d/ipop3 file, set "disable" to "yes" and restart xinetd.