Unix System Admin


Configuring Linux Mail Servers
• Objectives
– This chapter will show you how to install and use Mailservers
• Contents
– An Overview Of How Sendmail Works
– Sendmail configuration files
– Relaying
– Sendmail Masquerading
– Using Sendmail to Change the Sender's Email Address
• Practical
– Setting up mailserver
Introduction
• MTA Mail transport agents
– Transfer mail with the SMTP protocol to other MTAs, based on the DNS MX record
Popular agents:
Sendmail
Exim
Postfix
• MUA Mail user agents
– Access users' mailboxes for reading and writing
Popular agents:
Fetchmail (POP & IMAP)
IMAP
Qpopper
Courier IMAPD (POP & IMAP) – server
Cyrus IMAPD (POP & IMAP) – server
• Mailbox processing
– Various mechanisms to process users' mail when it arrives in their mailboxes
Procmail
SpamAssassin
Vacation
Amavisd
• SMTP trusts the user
– Everyone who is allowed to log in to a computer is trusted to send e-mail
• SMTP needs DNS
– An MX entry for the domain is needed unless mail is local only
• Sendmail lives in smrsh chroot-jail
How sendmail works, incoming mail
• How Sendmail Works
– As stated before, sendmail can handle both incoming and outgoing mail for
your domain. Take a closer look
• Incoming Mail
– Sendmail processes it and deposits it in the mailbox file of the user's Linux
account (/var/spool/mail)
– Mail isn't actually sent directly to the user's PC
– Users retrieve their mail from the mail server using client software that supports
IMAP and POP
– Linux users logged into the mail server can read their mail directly using a text-based client, such as mail, or a GUI client
• Sendmail belongs to what we call MTA
– The MTA is responsible for encapsulating the message with header and trailer.
– The MTA needs the DNS MX record to find the mail server that serves the receiving domain.
– The header contains the destination e-mail and source e-mail addresses
– The header also contains the path the e-mail traverses throughout the network
– The trailer contains an error correction code
How sendmail works, outgoing mail
• Outgoing Mail
– PC and Linux workstation users configure their e-mail software to make the mail
server their outbound SMTP mail server, i.e. the user's MTA.
• Local mail
If sendmail considers the e-mail local it places it directly in the destination user's
mailbox (/var/spool/mail) (it can also be an NFS store or a database)
– If the destination is the local domain (my-site.com).
– A virtual hosted domain on the same server.
– If the destination is a local user or virtual user at the same host.
• Mail to another domain
If sendmail considers the e-mail to have a destination outside the local domain it schedules
the mail for delivery within 15 minutes and temporarily places it in
/var/spool/mqueue
– Sendmail uses DNS to get the MX record for the other domain
– Attempts to relay the mail using SMTP
– Relaying must be allowed only for trusted domains that sendmail serves
– Localhost/localdomain must be allowed to relay.
How sendmail works, mail processing
• Sendmail main configuration /etc/sendmail.cf
– Uses a series of highly complicated regular expressions
– The mail header contains mail routing information; sendmail inspects this header and
then acts accordingly.
– Sendmail is highly configurable
• Simplified configuration /etc/sendmail.mc or /etc/mail/linux.mc
– Contains more understandable instructions for systems administrators to use
– Interpreted by a number of macro routines to create the sendmail.cf file
– You must always run the macros and restart sendmail for the changes to take effect
• Available macros sit in /usr/share/sendmail
• Sendmail files are in /etc/mail
– SuSE and RedHat also use /etc/sysconfig/mail
– SuSE and RedHat also use /etc/sysconfig/sendmail
• Mail is parsed with sendmail.cf
– Header parsing
– Header processing & shaping
– Header rewrite engine rules
– Calls to external processors like anti-spam and anti-virus applications
• Sendmail logfiles /var/log/mail* and /var/log/messages
How sendmail works, sendmail macros
• Macrofiles
– Macros are found in /usr/share/sendmail/
– There are several macrofiles; they have the suffix .mc or .m4
• Macrofiles have keywords to call submacros/directives
– They can begin with DOMAIN, FEATURE or OSTYPE, and end with dnl
– A keyword is usually followed by an argument
• Macro example with keyword and hashfile command
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
– the macro name is /usr/share/sendmail/feature/virtusertable.m4,
– the instruction `hash -o /etc/mail/virtusertable.db' is being passed to it.
– hash makes the simple database format db
– hash -o means output the generated database to the db file that follows
• Example with only macro FEATURE(`masquerade_envelope')dnl
• Use the m4 command to generate /etc/sendmail.cf
# m4 /etc/mail/linux.mc > /etc/sendmail.cf
Getting SENDMAIL from rpm
• Sendmail you can get as
– Open Source
– Commercial
http://www.sendmail.org
http://www.sendmail.com
• Installing Sendmail from RPM (SuSE)
– You will need to make sure that the sendmail and m4 software RPMs are installed.
– You will need to remove/uninstall other mailers like exim and postfix before installing
# rpm -ivh sendmail-8.13.3-5.i386.rpm (The client/server)
# rpm -ivh sendmail-devel-8.13.3-5.i386.rpm (Optional)
# rpm -ivh sendmail-debug-8.13.3-5.i386.rpm (Optional)
# rpm -ivh m4-1.4.2-4.i586.rpm (macro compiler)
# rpm -ivh db-devel-4.3.27-3.1.i586.rpm (Needed if compiling)
• Starting/Stopping Sendmail
– You can use the chkconfig or insserv command to get Sendmail configured to start at boot:
# insserv sendmail
– To start/stop/restart sendmail after booting
# rcsendmail start
# rcsendmail stop
# rcsendmail restart
– You need to restart sendmail after changing sendmail.cf and reload sendmail if the other files have
been changed
SENDMAIL from sources
• Get sendmail tar-ball, here 8.13.5
# cd /usr/local/src
# wget ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.5.tar.gz
• Unpack the tar-ball and add one group that sendmail needs
# tar xvfz sendmail.8.13.5.tar.gz
# cd sendmail.8.13.5
# groupadd smmsp
• Read the tar-ball INSTALL and README files
– If you need extras like TLS or other you might need compile options
– Sendmail is very advanced and flexible
• The default build should do in most cases
# cd sendmail ; sh ./Build
• Copy the current sendmail.mc or linux.mc to sendmail.mc in the cf/cf
directory and make a new one with all the new and updated macros.
– You can also copy generic-linux.mc if you do not have any sendmail.mc
# cd cf/cf ; cp /etc/mail/linux.mc sendmail.mc
# sh ./Build sendmail.cf
SENDMAIL from sources, continued
• Backup old sendmail configuration and binaries
# tar cvfz /root/sm-config.tar.gz /etc/mail /etc/sendmail*
# tar cvfz /root/sm-bin.tar.gz /usr/sbin/sendmail /usr/lib/sendmail
• Install the new configuration
# sh ./Build install-cf
• Create a new user for sendmail called smmsp and make a softlink for manuals
# useradd -m -g smmsp -G mail smmsp; ln -s /usr/share/man /usr/man
• Install the new sendmail binaries and change owner on clientmqueue
# cd ../../sendmail
# sh ./Build install ; cd ..
# chown smmsp:smmsp /var/spool/clientmqueue
• Sendmail utility directories contain the Build command
– They contain extra functionality like support for antispam, antivirus, databases etc.
# find * -type f -maxdepth 1 -name Build
• Make and install example for mailstats
# cd mailstats ; sh ./Build ; sh ./Build install
• You will also have one output directory for all your makes
# ls obj.Linux*
The directories contain the compiled binaries and extras, ready for mass
deployment
Standard sendmail.mc comment & DNS
• If sendmail uses /etc/mail/linux.mc we make some links
– Needed in SuSE and some other RPM distributions
# ln -s /etc/sendmail.cf /etc/mail/sendmail.cf
# ln -s /etc/mail/linux.mc /etc/mail/sendmail.mc
• How to Put Comments in sendmail.mc
– The sendmail.mc file doesn't use the "#" for commenting, but instead uses the
string "dnl":
dnl Disabled statements due to "dnl" commenting
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl Incorrectly disabled statement
# DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl Active statement, here sendmail client daemon is enabled
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
• Configuring the DNS for sendmail
– Make Your Mail Server The Mail Server For Your Domain in DNS
my-site.com. IN MX 10 mail.my-site.com.
# host my-site.com
my-site.com mail is handled by 10 mail.my-site.com.
Sendmail & name resolution
• All hosts that are not the nameserver should have an
/etc/resolv.conf file like this:
Server:
domain my-site.com
nameserver 127.0.0.1
Client:
domain my-site.com
nameserver 192.168.0.1
• An incorrectly configured resolv.conf
– file can lead to errors like this when running m4:
WARNING: local host name (smallfry) is not qualified;
fix $j in config file
• The /etc/hosts File must have the loopback address
– For a sample mailserver:
127.0.0.1 mail.my-site.com localhost.localdomain localhost mail
– For a sample client:
127.0.0.1 client.my-site.com localhost.localdomain localhost client
How To Configure Linux Sendmail Client
• All Linux mail clients in your home or company need to know which
server is the mail server, in /etc/mail/sendmail.mc
define(`SMART_HOST',`mail.my-site.com')
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
• If you run SuSE sendmail from RPM, take full control again
– In /etc/sysconfig/mail change:
MAIL_CREATE_CONFIG="no"
SMTPD_LISTEN_REMOTE="yes"
• Smarthost (the mailserver) must accept mail from your host/domain
– In /etc/mail/access:
my-site.com RELAY
• Converting From a Mail Client to a Mail Server
– Determine Which NICs Sendmail Is Running On
– We can verify that sendmail is running by first using the pgrep command
# pgrep sendmail
22131
# netstat -an | grep :25 | grep tcp
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
– Here sendmail listens on the loopback interface; this is normal because a client does not
normally receive email directly
Convert the sendmail client to server
• Edit sendmail.mc To Make Sendmail Listen On All Interfaces
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
-> dnl DAEMON_OPTIONS(`Port=smtp,Addr=mail.my-site.com, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
-> dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
Convert the sendmail client to server
• If you run SuSE sendmail from RPM, take full control again
– In /etc/sysconfig/mail change:
MAIL_CREATE_CONFIG="no"
SMTPD_LISTEN_REMOTE="yes"
– SuSEconfig will write over your /etc/sendmail.cf
• Comment out the "SMART_HOST" Entry In sendmail.mc
dnl define(`SMART_HOST',`mail.my-site.com')
• Regenerate The sendmail.cf File & Restart sendmail
– This step can be accomplished by running the script we created at the beginning
of the chapter.
# ./smmake
• Now Make Sure Sendmail Is Listening On All Interfaces
# netstat -an | grep :25 | grep tcp
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
A General Guide To Using The sendmail.mc File
• Primary rule, nice and clean sendmail.mc with comments
– Masquerade rewrites all mail from hosts to appear to come from the
domain
– FEATURE adds functionality to sendmail
dnl ***** Customized section 1 start *****
dnl
dnl
FEATURE(delay_checks)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(allmasquerade)dnl
FEATURE(masquerade_entire_domain)dnl
dnl
dnl
dnl ***** Customized section 1 end *****
• After adding some features make a new sendmail.cf, but
first make a backup of the old working:
# cp sendmail.cf sendmail-v1.cf
# m4 sendmail.mc > sendmail.cf
Sendmail feature files
• The /etc/mail/relay-domains File
– Relay those domains directly
my-other-site.com
my-site.com
• The /etc/mail/access File
– Keywords include:
RELAY # Allow access + Relay
REJECT # Refuse connection
OK # Allow access
DISCARD # Silently drop email after it is received
550 You are not welcome here # Bounceback messages
– Sample access file:
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
192.168.1.16 RELAY
192.168.1.17 RELAY
192.168.2 RELAY
my-site.com RELAY
• The /etc/mail/local-host-names File
– Also receive mail for my other site
my-site.com
my-other-site.com
– In DNS we need to enter:
my-other-site.com. MX 10 mail.my-site.com.
• After changing any sendmail files except the .mc do a
# cd /etc/mail ; newaliases ; make
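The relay decision the access file makes is the single most important thing on this slide, so here is an added example (not from the slides, and not sendmail's own code) that models the lookup: a constructed access table, the most-specific-first matching sendmail applies to addresses (192.168.2 covers 192.168.2.x but not 192.168.20.x) and to host names (sales.my-site.com falls back to my-site.com), and a check for entries that would turn the host into an open relay. Key names, the 10.1 and spam.example entries and the function names are assumptions for the example.

```python
# Added example, not from the slides: a model of how sendmail consults the
# /etc/mail/access table for a connecting client. The table below is a
# constructed sample; on a real server it is compiled with makemap/make.
import ipaddress

ACCESS_TEXT = """\
# constructed sample of /etc/mail/access
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168.1.16            RELAY
192.168.1.17            RELAY
192.168.2               RELAY
my-site.com             RELAY
10.1                    DISCARD
spam.example            550 You are not welcome here
"""


def parse_access(text):
    """Return {key: action}; keys are lower-cased, actions keep their text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table


def ip_candidates(addr):
    """192.168.2.55 -> 192.168.2.55, 192.168.2, 192.168, 192 (most specific first)."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def name_candidates(name):
    """host.sales.my-site.com -> itself, sales.my-site.com, my-site.com, com."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def access_action(table, client_addr=None, client_name=None):
    """First matching entry wins: address keys before name keys, most specific
    first. None means the client is not in the table (accepted, no relaying)."""
    keys = []
    if client_addr:
        keys += ip_candidates(client_addr)
    if client_name:
        keys += name_candidates(client_name)
    for key in keys:
        if key in table:
            return table[key]
    return None


def relay_allowed(table, client_addr=None, client_name=None):
    return access_action(table, client_addr, client_name) == "RELAY"


def overly_broad_relay_keys(table):
    """RELAY keys that cover a whole top-level domain or a whole first octet,
    which is effectively an open relay (localhost is the legitimate exception)."""
    return sorted(k for k, v in table.items()
                  if v == "RELAY" and "." not in k and k != "localhost")


if __name__ == "__main__":
    table = parse_access(ACCESS_TEXT)
    for addr, name in [("192.168.2.55", None), ("192.168.20.5", None),
                       ("172.16.0.9", "client.my-site.com"), ("10.1.2.3", None)]:
        print(addr, name, "->", access_action(table, addr, name))
```

Matching on the client name only helps if the name is trustworthy: sendmail uses the reverse-DNS name only when a forward lookup confirms it (otherwise the name is marked "may be forged"), so for relay control prefer address keys, and run the broad-key check after every edit of the access file.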
Which User Should Really Receive The Mail?
• The /etc/mail/virtusertable file
[email protected] webmasters
@my-other-site.com marc
[email protected] [email protected]
[email protected] paul
[email protected] paul
@my-site.com error:nouser User unknown
– The entry @my-site.com rejects all remaining (non-local) e-mail addresses with an error message
• The /etc/aliases File
. . .
manager: root
abuse: root
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
root: marc,kalle,[email protected]
# My mailing list file
admin-list: ":include:/home/mailings/admin-list"
• Always run the command newaliases after working with
aliases
# cd /etc/mail ; newaliases ; make
Mail-aliases "/etc/aliases" explanations
• Mail to "[email protected]" goes to users "peter",
"paul" and "mary".
# Directors of my SOHO company
directors: peter,paul,mary
• Mail sent to "[email protected]" goes to users "grandma",
"brother" and "sister"
# My family
family: grandma,brother,sister
• Mail sent to "[email protected]" gets sent to all the
users listed in the file /home/mailings/admin-list.
# My mailing list file
admin-list: ":include:/home/mailings/admin-list"
• Mail sent to [email protected] goes to peter
# [email protected] becomes same as [email protected]
peter.steen: peter
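The virtusertable and aliases slides describe a two-stage lookup (virtusertable first, then /etc/aliases with :include: files), and the @domain catch-all with error:nouser is easy to get wrong. The following added example, not from the slides and not sendmail's code, models that resolution on constructed copies of both tables; the addresses, user names, the partner.example target and the contents of the :include: file are all assumptions made for the example.

```python
# Added example, not from the slides: models how sendmail resolves a recipient
# through virtusertable first and then /etc/aliases. Both tables and the
# :include: file are constructed samples; e-mail addresses are placeholders.

VIRTUSERTABLE = """\
# constructed sample /etc/mail/virtusertable (key, then target)
webmaster@my-site.com       webmasters
admin-list@my-site.com      admin-list
peter.steen@my-site.com     peter.steen
sales@my-site.com           sales@partner.example
paul@my-site.com            paul
@my-other-site.com          marc
@my-site.com                error:nouser User unknown
"""

ALIASES = """\
# constructed sample /etc/aliases
webmasters: marc,kalle,admin@another-site.com
manager: root
root: marc,kalle,mary@another-site.com
admin-list: ":include:/home/mailings/admin-list"
peter.steen: peter
"""

# Stand-in for files read through :include: (constructed)
INCLUDE_FILES = {"/home/mailings/admin-list": "anton\npeter\n"}


class DeliveryError(Exception):
    """Raised for an error:... entry, which sendmail turns into a bounce."""


def parse_virtusertable(text):
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, target = line.split(None, 1)
            table[key.lower()] = target.strip()
    return table


def parse_aliases(text):
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, targets = line.partition(":")
            table[name.strip().lower()] = [
                t.strip().strip('"') for t in targets.split(",") if t.strip()]
    return table


def virtuser_lookup(table, address):
    """Exact address first, then the @domain catch-all, else None."""
    domain = address.lower().partition("@")[2]
    for key in (address.lower(), "@" + domain):
        if key in table:
            return table[key]
    return None


def expand_alias(aliases, target, seen=None):
    """Expand a local name through /etc/aliases, recursively, with loop protection."""
    seen = set() if seen is None else seen
    if "@" in target:
        return [target]            # remote address: queued for SMTP delivery
    if target.startswith(":include:"):
        members = INCLUDE_FILES.get(target[len(":include:"):], "").split()
        return [r for m in members for r in expand_alias(aliases, m, seen)]
    if target in seen:
        return []                  # alias loop: stop here
    seen.add(target)
    if target in aliases:
        return [r for t in aliases[target] for r in expand_alias(aliases, t, seen)]
    return [target]                # plain local mailbox


def final_recipients(address, virtusers, aliases):
    """Mailboxes/remote addresses the mail ends up at, or DeliveryError."""
    target = virtuser_lookup(virtusers, address)
    if target is None:
        target = address.partition("@")[0]   # local domain, no virtual entry
    if target.startswith("error:"):
        code_and_text = target.split(":", 1)[1]       # "nouser User unknown"
        raise DeliveryError(code_and_text.partition(" ")[2])
    return list(dict.fromkeys(expand_alias(aliases, target)))


def rejection_message(address, virtusers, aliases):
    """Return the bounce text for a rejected address, or None if it delivers."""
    try:
        final_recipients(address, virtusers, aliases)
        return None
    except DeliveryError as e:
        return str(e)
```

Note what the catch-all does to manager@my-site.com: the alias exists, but virtusertable is consulted first and the @my-site.com line rejects every address not listed above it, so aliases that should be reachable from outside need their own virtusertable entry.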
Sendmail ".mc" Masquerading Explained
• The MASQUERADE_AS directive makes all mail originating on mail appear to
come from a server within the domain my-site.com by rewriting the email header.
• The MASQUERADE_DOMAIN directive makes mail relayed via mail from all
machines in the another-site.com and localdomain domains appear to come from
the MASQUERADE_AS domain of my-site.com. Using DNS, sendmail checks the
domain name associated with the IP address of the mail relay client sending the
mail to help it determine whether it should do masquerading or not.
• FEATURE masquerade_entire_domain makes sendmail masquerade
servers named *my-site.com, and *another-site.com as my-site.com. In other
words, mail from sales.my-site.com would be masqueraded as my-site.com. If
this wasn't selected, then only servers named my-site.com and my-othersite.com
would be masqueraded. Use this with caution, and only when you are sure you have the
necessary authority to do this.
• FEATURE allmasquerade makes sendmail rewrite both recipient addresses
and sender addresses relative to the local machine. If you cc: yourself on an
outgoing mail, the other recipient sees a cc: to an address he knows instead of one
on localhost.localdomain.
• FEATURE always_add_domain always masquerades email addresses, even
if the mail is sent from a user on the mail server to another user on the same mail
server.
• FEATURE masquerade_envelope rewrites the email envelope just as
MASQUERADE_AS rewrote the header.
Sendmail Masquerading example
• If you want your mail to appear to come from
– [email protected] and not [email protected] or [email protected]
You can in that case:
a) Configure your email client, such as Outlook Express, to set your email address
to [email protected]
b) Set up masquerading to modify the domain name of all traffic originating from
and passing through your mail server
• Configuring masquerading
– This can be solved by editing your sendmail.mc configuration file and adding
some masquerading commands:
FEATURE(`always_add_domain')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`allmasquerade')dnl
MASQUERADE_AS(`my-site.com')dnl
MASQUERADE_DOMAIN(`my-site.com.')dnl
MASQUERADE_DOMAIN(`localhost')dnl
MASQUERADE_DOMAIN(`localhost.localdomain')dnl
Testing Sendmail Masquerading
• Testing Masquerading
– You should also tail the /var/log/mail* file to verify that the masquerading is
operating
# mail -v username
– Verify receiver of email
# sendmail -bv username@domain
• Logfiles
/var/log/mail
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/messages
• Other Masquerading Notes
– By default, user "root" will not be masqueraded. This is achieved with the
following in /etc/mail/sendmail.mc:
EXPOSED_USER(`root')dnl
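To make the interaction of MASQUERADE_AS, MASQUERADE_DOMAIN, the three masquerade features and EXPOSED_USER from the masquerading slides concrete, here is an added example (not from the slides; it imitates sendmail's decisions rather than running its rewrite rules) that parses a constructed sendmail.mc fragment and answers, for a given address and position (header sender, envelope sender, header recipient), what the address becomes. The mail server name mail.my-site.com, the extra MASQUERADE_DOMAIN for another-site.com and the function names are assumptions for the example.

```python
# Added example, not from the slides: a model of the masquerading rules,
# driven by a constructed sendmail.mc fragment. It imitates the decisions
# sendmail makes; it is not sendmail's rewrite engine.
import re

SENDMAIL_MC = """\
FEATURE(`always_add_domain')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`allmasquerade')dnl
MASQUERADE_AS(`my-site.com')dnl
MASQUERADE_DOMAIN(`my-site.com.')dnl
MASQUERADE_DOMAIN(`another-site.com')dnl
MASQUERADE_DOMAIN(`localhost')dnl
MASQUERADE_DOMAIN(`localhost.localdomain')dnl
EXPOSED_USER(`root')dnl
"""

LOCAL_HOST = "mail.my-site.com"   # assumed FQDN of the mail server ($j)

# DIRECTIVE(`argument') at the start of a line; the closing dnl is ignored
MC_DIRECTIVE = re.compile(r"^(\w+)\(`([^']*)'", re.MULTILINE)


def parse_mc(text):
    cfg = {"features": set(), "masquerade_as": None, "domains": set(), "exposed": set()}
    for name, arg in MC_DIRECTIVE.findall(text):
        if name == "FEATURE":
            cfg["features"].add(arg)
        elif name == "MASQUERADE_AS":
            cfg["masquerade_as"] = arg.rstrip(".")
        elif name == "MASQUERADE_DOMAIN":
            cfg["domains"].add(arg.rstrip(".").lower())
        elif name == "EXPOSED_USER":
            cfg["exposed"].add(arg)
    return cfg


def domain_is_masqueraded(cfg, domain):
    domain = domain.lower().rstrip(".")
    if domain == LOCAL_HOST or domain in cfg["domains"]:
        return True
    # masquerade_entire_domain extends each MASQUERADE_DOMAIN to its subdomains
    if "masquerade_entire_domain" in cfg["features"]:
        return any(domain.endswith("." + d) for d in cfg["domains"])
    return False


def masquerade(cfg, address, where):
    """where: 'header_sender', 'envelope_sender' or 'header_recipient'.
    Returns the address as it would leave the server."""
    if where == "envelope_sender" and "masquerade_envelope" not in cfg["features"]:
        return address
    if where == "header_recipient" and "allmasquerade" not in cfg["features"]:
        return address
    user, _, domain = address.partition("@")
    if not domain:
        if "always_add_domain" not in cfg["features"]:
            return address      # local-to-local mail keeps the bare user name
        domain = LOCAL_HOST     # otherwise the local host name is added first
    if user in cfg["exposed"] or not cfg["masquerade_as"]:
        return f"{user}@{domain}"
    if domain_is_masqueraded(cfg, domain):
        return f"{user}@{cfg['masquerade_as']}"
    return f"{user}@{domain}"


if __name__ == "__main__":
    cfg = parse_mc(SENDMAIL_MC)
    for addr in ("peter@sales.my-site.com", "root@mail.my-site.com", "anton", "peter@other.example"):
        print(addr, "->", masquerade(cfg, addr, "header_sender"))
```

The test cases also show the two directions of failure: without masquerade_entire_domain, mail from sales.my-site.com leaves with its real host name, and without masquerade_envelope the envelope sender (which is where bounces go) is not rewritten even though the header is.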
Using Sendmail to Change the Sender's Email Address
• Add these statements to your /etc/mail/sendmail.mc
– In order to rewrite the e-mail's origin address, you need some features:
FEATURE(`genericstable',`hash -o /etc/mail/genericstable.db')dnl
GENERICS_DOMAIN_FILE(`/etc/mail/generics-domains')dnl
• Create a /etc/mail/generics-domains
my-site.com
my-other-site.com
mail.my-site.com
– Same file as local-host-names
– Make sure the file includes your server's
canonical domain name, which you can
obtain using the command:
sendmail -bt -d0.1 </dev/null
– Remember to do the make after changing your sendmail files
• Create your /etc/mail/genericstable
– Mail sent from alert, peter, anton will have a new source address
#linux-username   new source address: user@domain
alert [email protected]
peter [email protected]
anton [email protected]
Sendmail and virtualusers
• At slide 17 we created your /etc/mail/virtusertable
– /etc/aliases can also be used, although virtusertable is more flexible
• We need to add virtual domains last in the file /etc/sendmail.cf
– For receiving email for virtual domains
CGmy-site.com
CGmy-other-site.com
• Every time you run the m4 command you will have to put
back your virtual domains
• sendmail.cf is a long complicated file; sometimes you will
need to add and change things inside this file.
Troubleshooting Sendmail 1
• Testing TCP connectivity
– sendmail uses SMTP TCP port 25
Server: # netstat -an | grep :25 | grep tcp
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
The server can listen on all interfaces 0.0.0.0
or a delegated interface like 192.168.1.1
Client: # netstat -an | grep :25 | grep tcp
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
Always listens on loopback only (127.0.0.1)
• Telnet to the mail server on port 25. You should get a
response with a 220 status code:
– Communication with sendmail reminds one of radio communication
# telnet mail.my-site.com 25
Trying mail.my-site.com...
Connected to mail.my-site.com.
Escape character is '^]'.
220 mail.my-site.com ESMTP server ready
Troubleshooting Sendmail 2
• Use the HELO command to tell the mail server the domain
you belong to:
HELO my-other-site.com
250 mail.my-site.com Hello mail.my-site.com [192.168.3.5], pleased to meet you
• You should receive a message with a successful status
250 code at the beginning of the response.
• Inform the mail server from which the test message is
coming with the MAIL FROM: statement:
MAIL FROM:[email protected]
250 2.1.0 [email protected]... Sender ok
• Tell the mail server to whom the test message is going
with the "RCPT TO:" statement:
RCPT TO:[email protected]
250 2.1.5 [email protected]... Recipient ok
Troubleshooting Sendmail 3
• Prepare the mail server to receive data with the DATA
statement:
DATA
354 Enter mail, end with "." on a line by itself
• Type the string "Subject:" then type a subject. Type in your
text message, ending it with a single period on the last
line. For example:
Subject: Test Message
Testing sendmail interactively
.
250 2.0.0 iA75r9si017840 Message accepted for delivery
• Use the QUIT command to end the session:
QUIT
221 2.0.0 mail.my-site.com closing connection
Connection closed by foreign host.
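The three troubleshooting slides walk through one SMTP session by hand. The added example below, which is not from the slides and does not talk to sendmail, scripts the same HELO/MAIL/RCPT/DATA/QUIT exchange against a small stand-in server that replies with the status codes the slides show, including the one the slides do not show: the 550 "Relaying denied" a correctly configured server returns for a recipient in a foreign domain when the client is not in the access table. The server name, the local domain list, the relay policy flag and the reply texts are constructed for this example.

```python
# Added example, not from the slides: the HELO/MAIL/RCPT/DATA/QUIT dialogue
# scripted against a small stand-in SMTP server that answers with the status
# codes shown on the slides. The server, its host name and its relay policy
# are constructed for this example; it is not sendmail.
import socket
import threading

LOCAL_DOMAINS = {"my-site.com", "my-other-site.com"}   # stand-in for local-host-names
SERVER_NAME = "mail.my-site.com"


def serve_one_session(listener, relay_allowed):
    """Accept one client and play the server side of one SMTP session."""
    conn, _ = listener.accept()
    listener.close()
    rfile = conn.makefile("rb")

    def reply(text):
        conn.sendall((text + "\r\n").encode())

    reply(f"220 {SERVER_NAME} ESMTP server ready")
    in_data = False
    for raw in rfile:
        line = raw.decode(errors="replace").rstrip("\r\n")
        if in_data:                       # message body until a lone "."
            if line == ".":
                in_data = False
                reply("250 2.0.0 Message accepted for delivery")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply(f"250 {SERVER_NAME} Hello {arg}, pleased to meet you")
        elif verb == "MAIL":
            reply("250 2.1.0 Sender ok")
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip(" <>")
            domain = addr.rpartition("@")[2].lower()
            # The relay decision: local domains are always accepted, anything
            # else only for clients the access table marks RELAY.
            if domain in LOCAL_DOMAINS or relay_allowed:
                reply("250 2.1.5 Recipient ok")
            else:
                reply(f"550 5.7.1 {addr}... Relaying denied")
        elif verb == "DATA":
            in_data = True
            reply('354 Enter mail, end with "." on a line by itself')
        elif verb == "QUIT":
            reply(f"221 2.0.0 {SERVER_NAME} closing connection")
            break
        else:
            reply("500 5.5.1 Command unrecognized")
    conn.close()


def start_server(relay_allowed=False):
    """Listen on an ephemeral loopback port; return (port, thread)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    worker = threading.Thread(target=serve_one_session,
                              args=(listener, relay_allowed), daemon=True)
    worker.start()
    return listener.getsockname()[1], worker


def smtp_session(host, port, sender, recipient, body="test text"):
    """Client side of the dialogue. Returns [(what we sent, server reply)]."""
    transcript = []
    with socket.create_connection((host, port), timeout=5) as sock:
        rfile = sock.makefile("rb")

        def read():
            return rfile.readline().decode().rstrip("\r\n")

        def send(cmd):
            sock.sendall((cmd + "\r\n").encode())
            transcript.append((cmd, read()))

        transcript.append(("<connect>", read()))      # expect the 220 banner
        send("HELO client.my-site.com")
        send(f"MAIL FROM:<{sender}>")
        send(f"RCPT TO:<{recipient}>")
        if transcript[-1][1].startswith("250"):       # only send DATA if accepted
            send("DATA")
            sock.sendall(f"Subject: Test Message\r\n\r\n{body}\r\n.\r\n".encode())
            transcript.append((".", read()))
        send("QUIT")
    return transcript


def reply_codes(recipient, relay_allowed=False):
    """Run one complete test delivery and return the status codes seen."""
    port, worker = start_server(relay_allowed)
    transcript = smtp_session("127.0.0.1", port, "peter@my-other-site.com", recipient)
    worker.join(5)
    return [int(reply[:3]) for _, reply in transcript]


if __name__ == "__main__":
    port, _ = start_server()
    for cmd, reply in smtp_session("127.0.0.1", port, "peter@my-other-site.com", "paul@my-site.com"):
        print(f"{cmd:<40} {reply}")
```

Run against a real server, the same sequence with a foreign recipient is the quickest open-relay check there is: a 250 on the RCPT line from an untrusted client means the access or relay-domains configuration is wrong.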
Common Errors Due To Incomplete Installation
• Sample errors when running newaliases:
# newaliases
Warning: .cf file is out of date: sendmail 8.13.3 supports version 10, .cf file is version 0
No local mailer defined
QueueDirectory (Q) option must be set
• Sample errors when processing the sendmail.mc file:
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
/etc/mail/sendmail.mc:8: m4: Cannot open /usr/share/sendmail-cf/m4/cf.m4: No such file or directory
• Sample errors when restarting sendmail:
# rcsendmail restart
Shutting down sendmail: [ OK ]
Shutting down sm-client: [FAILED]
Starting sendmail: 554 5.0.0 No local mailer defined
554 5.0.0 QueueDirectory (Q) option must be set
[FAILED]
Starting sm-client: [ OK ]
Incorrectly Configured /etc/hosts Files
• By default, Linux inserts the hostname of the server between the
127.0.0.1 and the localhost entries in /etc/hosts like this:
127.0.0.1 mail localhost.localdomain localhost
– Sendmail will think that the server's FQDN is mail
– It will then default to sending e-mails in which the domain is
localhost.localdomain.
• The /etc/hosts file is also important for configuring mail
relay:
127.0.0.1 my-site.com localhost.localdomain localhost
– Here sendmail thinks that the server's FQDN was my-site and that the domain
was all of .com.
– The server would therefore be open to relay all mail from any .com domain
and would ignore the security features of the access and relay-domains files
• The correct loopback entry should look like:
127.0.0.1 mail.my-site.com localhost.localdomain localhost mail
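Because the two wrong /etc/hosts lines on this slide have very different consequences (an unqualified name versus a domain that collapses to all of .com), a check that reproduces what the slides say sendmail derives from the loopback line is worth having. This is an added example, not from the slides: the three hosts files are constructed, and the derivation (first name on the 127.0.0.1 line is the host name, everything after its first dot is the domain) follows the slide's description rather than sendmail's source.

```python
# Added example, not from the slides: a check of the 127.0.0.1 line in
# /etc/hosts that mirrors how the slides describe sendmail deriving its own
# host and domain name ($j and $m) from it. The three files are constructed.

HOSTS_OK = "127.0.0.1 mail.my-site.com localhost.localdomain localhost mail\n"
HOSTS_UNQUALIFIED = "127.0.0.1 mail localhost.localdomain localhost\n"
HOSTS_BARE_DOMAIN = "127.0.0.1 my-site.com localhost.localdomain localhost\n"


def loopback_names(hosts_text):
    """Names on the 127.0.0.1 line, in order, with comments stripped."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "127.0.0.1":
            return fields[1:]
    return []


def derived_identity(hosts_text):
    """(canonical host name, domain part) as taken from the first name on the
    loopback line: the domain is everything after the first dot."""
    names = loopback_names(hosts_text)
    fqdn = names[0] if names else ""
    return fqdn, fqdn.partition(".")[2]


def hosts_findings(hosts_text):
    """Return a list of problem codes; an empty list means the line is fine."""
    fqdn, domain = derived_identity(hosts_text)
    findings = []
    if not fqdn:
        findings.append("no-loopback-entry")
    elif "." not in fqdn:
        findings.append("unqualified-hostname")   # "local host name is not qualified"
    elif "." not in domain:
        findings.append("domain-is-a-tld")        # the whole TLD would count as local
    return findings


if __name__ == "__main__":
    for label, text in [("ok", HOSTS_OK), ("unqualified", HOSTS_UNQUALIFIED),
                        ("bare domain", HOSTS_BARE_DOMAIN)]:
        print(label, derived_identity(text), hosts_findings(text))
```

The same two conditions are what the m4 warning on the name-resolution slide ("local host name ... is not qualified; fix $j") and the open-relay case on this slide correspond to, so running the check before regenerating sendmail.cf catches both early.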
Incorrect name resolution hosts file ?
• Use the sendmail program to send a sample e-mail to
someone in verbose mode:
# sendmail -v [email protected]
– Look in /var/log/mail
– Also look in /var/log/mail.err
– Of course /var/log/messages
test text
test text
.
[email protected]... Connecting to mail.another-site.com. via esmtp...
220 ltmail.another-site.com LiteMail v3.02(BFLITEMAIL4A); Sat, 21 Feb 2006 20:18:44 +0100
>>> EHLO localhost.localdomain
250-mx.another-site.com Hello [67.120.221.106], pleased to meet you
250 HELP
>>> MAIL From:<[email protected]>
250 <[email protected]>... Sender Ok
>>> RCPT To:<[email protected]>
250 <[email protected]>... Recipient Ok
>>> DATA
354 Enter mail, end with "." on a line by itself
>>> .
250 Message accepted for delivery
[email protected]... Sent (Message accepted for delivery)
Closing connection to mail.another-site.com.
>>> QUIT
Fighting SPAM, add features to sendmail.mc
• RFC-Ignorant valid IP address checker.
FEATURE(`dnsbl', `ipwhois.rfc-ignorant.org',`"550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/"')
• Easynet open proxy list.
FEATURE(`dnsbl', `proxies.blackholes.easynet.nl', `"550 5.7.1 ACCESS DENIED to OPEN PROXY SERVER "$&{client_name}" by easynet.nl DNSBL (http://proxies.blackholes.easynet.nl/errors.html)"', `')dnl
• The Open Relay Database open mail relay list.
FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected due to sending server misconfiguration - see http://www.ordb.org/faq/\#why_rejected"')dnl
• Spamcop spammer blacklist.
FEATURE(`dnsbl', `bl.spamcop.net', `"450 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')
• Spamhaus spammer blacklist.
FEATURE(`dnsbl',`sbl.spamhaus.org',`Rejected - see http://spamhaus.org/')dnl
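What each FEATURE(`dnsbl', ...) line above actually does at connection time is a DNS lookup of the reversed client address under the list zone, with a 127.0.0.x answer meaning "listed" and the $&{client_addr} macro filled into the rejection text. The added example below (not from the slides) shows that lookup against a constructed stand-in resolver, and adds the RFC 5782 sanity check a practitioner wants before enabling any list: 127.0.0.2 must be listed and 127.0.0.1 must not be. The zone names sbl.dnsbl.example and dead.dnsbl.example and the answers in FAKE_DNS are constructed, not real DNSBL data.

```python
# Added example, not from the slides: how a FEATURE(`dnsbl', ...) check is
# answered: the client address is reversed, the list zone appended, and an A
# record in 127.0.0.0/8 means "listed". The zone names and the DNS answers
# below are constructed stand-ins, not real DNSBL data.
import ipaddress

FAKE_DNS = {
    "5.3.168.192.sbl.dnsbl.example": ["127.0.0.2"],    # a listed client
    "2.0.0.127.sbl.dnsbl.example": ["127.0.0.2"],      # test entry: must be listed
    # 1.0.0.127.sbl.dnsbl.example deliberately absent: must NOT be listed
}

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(client_addr, zone):
    """192.168.3.5 + zone -> 5.3.168.192.zone"""
    octets = str(ipaddress.IPv4Address(client_addr)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(client_addr, zone, resolve=FAKE_DNS.get):
    """resolve(name) returns the A records for name, or None if there are none."""
    answers = resolve(dnsbl_query_name(client_addr, zone)) or []
    return any(ipaddress.IPv4Address(a) in LISTED_RANGE for a in answers)


def dnsbl_reject(client_addr, zone, template, resolve=FAKE_DNS.get):
    """The SMTP reply the server would send, with $&{client_addr} filled in,
    or None when the client is not listed."""
    if not is_listed(client_addr, zone, resolve):
        return None
    return template.replace("$&{client_addr}", client_addr)


def zone_is_sane(zone, resolve=FAKE_DNS.get):
    """RFC 5782 check: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A zone that lists both, or neither, should not be used for rejection."""
    return (is_listed("127.0.0.2", zone, resolve)
            and not is_listed("127.0.0.1", zone, resolve))


if __name__ == "__main__":
    template = '550 Mail from $&{client_addr} refused - see the list operator'
    for client in ("192.168.3.5", "192.168.3.6"):
        print(client, "->", dnsbl_reject(client, "sbl.dnsbl.example", template))
    print("zone sane:", zone_is_sane("sbl.dnsbl.example"))
```

The sanity check matters in practice: several of the lists named on this slide have since ceased operation, and a list that shuts down may start answering every query, which turns a 550 rule into a rejection of all inbound mail. Check the zone before enabling a rule, and re-check it periodically.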