Unix System Admin

Transcript Unix System Admin

Configuring Linux Mail Servers
• Objectives
– This chapter will show you how to install and use mail servers
• Contents
– An Overview Of How Sendmail Works
– Sendmail configuration files
– Relaying
– Sendmail Masquerading
– Using Sendmail to Change the Sender's Email Address
• Practical
– Setting up a mail server
Getting SENDMAIL
• Installing Sendmail
– You will need to make sure that the sendmail, sendmail-cf and m4 software RPMs are installed.
rpm -ivh sendmail-8.12.8-4.i386.rpm          (The client/server)
rpm -ivh sendmail-cf-8.12.8-4.i386.rpm       (Config files)
rpm -ivh sendmail-devel-8.12.8-4.i386.rpm    (Optional)
rpm -ivh sendmail-doc-8.12.8-4.i386.rpm      (Optional)
• Starting/Stopping Sendmail
– You can use the chkconfig command to get Sendmail configured to start at boot:
# chkconfig sendmail on
– To start/stop/restart sendmail after booting
# service sendmail start
# service sendmail stop
# service sendmail restart
– You need to restart sendmail after changing sendmail.cf
The /etc/mail/sendmail.mc File
• How to Put Comments in sendmail.mc
– The sendmail.mc file doesn't use "#" for commenting, but instead uses the string "dnl".
Disabled statements due to "dnl" commenting
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
Incorrectly disabled statement
# DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
Active statement
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
• Configuring the DNS for sendmail
– Make your mail server the mail server for your domain in DNS with an MX record:
IN MX 10 mail.my-site.com
– Verify that the MX host resolves:
# host mail.my-site.com
mail.my-site.com has address 192.168.0.1
Sendmail & name resolution
• All hosts that are not the nameserver should have an /etc/resolv.conf file like this:
domain my-site.com
nameserver 192.168.0.1
• An incorrectly configured resolv.conf file can lead to errors like this when running m4:
WARNING: local host name (smallfry) is not qualified; fix $j in config file
• The /etc/hosts file must have a loopback address entry:
127.0.0.1 bigboy.my-site.com localhost bigboy localhost.localdomain
How To Configure Linux Sendmail
• All Linux mail clients in your home or company need to know which server is the mail server.
– In /etc/mail/sendmail.mc file:
define(`SMART_HOST',`mail.my-site.com')
• Converting From a Mail Client to a Mail Server
– Determine Which NICs Sendmail Is Running On
– We can verify that sendmail is running by first using the pgrep command
# pgrep sendmail
22131
# netstat -an | grep :25 | grep tcp
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
Convert the sendmail client to server
• Edit sendmail.mc To Make Sendmail Listen On All Interfaces
– The lines marked "->" are the ones that have been disabled with dnl:
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
-> dnl DAEMON_OPTIONS(`Port=smtp,Addr=mail.my-site.com, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
-> dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
• Comment out the "SMART_HOST" Entry In sendmail.mc
dnl define(`SMART_HOST',`mail.my-site.com')
• Regenerate The sendmail.cf File & Restart sendmail
– This step can be accomplished by running the script we created at the beginning of the chapter.
# ./smmake
• Now Make Sure Sendmail Is Listening On All Interfaces
# netstat -an | grep :25 | grep tcp
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
A General Guide To Using The sendmail.mc File
• Primary rule: keep sendmail.mc clean and well commented
– MASQUERADE rewrites all mail from your hosts so that it appears to come from the domain
– FEATURE adds functionality to sendmail
dnl ***** Customised section 1 start *****
dnl
dnl
FEATURE(delay_checks)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(allmasquerade)dnl
FEATURE(masquerade_entire_domain)dnl
dnl
dnl
dnl ***** Customised section 1 end *****
Sendmail feature files
• The /etc/mail/relay-domains File
my-other-site.com
my-site.com
• The /etc/mail/access File
– Keywords include RELAY, REJECT, OK (not ACCEPT) and DISCARD
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168.1.16            RELAY
192.168.1.17            RELAY
192.168.2               RELAY
my-site.com             RELAY
• The /etc/mail/local-host-names File
– Also receive mail for my other site
my-site.com
my-other-site.com
– In DNS we need to enter:
my-other-site.com. MX 10 mail.my-site.com.
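The access file above decides who may relay, so it is worth checking how its keys match before the .db is rebuilt. The following is an added example, not code from the course, that models the lookup order sendmail uses on the access map (host name and parent domains, then IP and shorter octet prefixes) and flags misspelt actions such as ACCEPT; the table and client values are constructed.

```python
# Added example (not from the course slides): a simplified model of the lookup
# order Sendmail applies to the /etc/mail/access map when deciding whether to
# relay for a connecting client. The table and client values are constructed.
from typing import Dict, List, Optional, Tuple

ACCESS_KEYWORDS = {"RELAY", "REJECT", "OK", "DISCARD"}

# Constructed copy of the access file shown above (key, whitespace, action).
ACCESS_FILE = """\
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168.1.16            RELAY
192.168.1.17            RELAY
192.168.2               RELAY
my-site.com             RELAY
"""

def parse_access(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (table, errors); an unknown action such as ACCEPT is an error."""
    table, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            errors.append(f"line {lineno}: missing action")
            continue
        word = parts[1].split()[0]
        if word.upper() not in ACCESS_KEYWORDS:
            errors.append(f"line {lineno}: unknown action {word}")
            continue
        table[parts[0].lower()] = word.upper()
    return table, errors

def lookup(table: Dict[str, str], client_ip: str, client_name: str) -> Optional[str]:
    """Most specific entry wins: the client's host name and each parent domain
    are tried first, then the full IP and each shorter octet prefix (so the key
    192.168.2 covers every 192.168.2.x host). None means no entry matched."""
    labels = client_name.lower().split(".")
    for i in range(len(labels)):
        if hit := table.get(".".join(labels[i:])):
            return hit
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        if hit := table.get(".".join(octets[:n])):
            return hit
    return None

ACCESS_TABLE, ACCESS_ERRORS = parse_access(ACCESS_FILE)
```

Any host in 192.168.2.0/24 may relay through this table, while a host on 192.168.1.18 gets no entry and is treated as an outside client.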
Which User Should Really Receive The Mail?
• The /etc/mail/virtusertable File
– An exact address is matched first, then the @domain catch-all:
[email protected]                webmasters
@my-other-site.com               marc
[email protected]                [email protected]
[email protected]                paul
[email protected]                paul
@my-site.com                     error:nouser User unknown
• The /etc/aliases File
. . .
manager:        root
abuse:          root
# trap decode to catch security attacks
decode:         root
# Person who should get root's mail
root:           marc,[email protected]
# My mailing list file
admin-list:     ":include:/home/mailings/admin-list"
• Always run the command newaliases after working with aliases
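To see where a message actually lands once virtusertable and /etc/aliases are both in play, here is an added example (not from the course) that models the two lookups in the order sendmail applies them: virtusertable first (exact address, then @domain), then recursive alias expansion with :include: lists. All tables are constructed from the slides; the admin@example.net address in the root alias is a placeholder.

```python
# Added example (not from the course slides): a small model of where an inbound
# address ends up after the /etc/mail/virtusertable lookup and the /etc/aliases
# expansion described above. Every table below is constructed for illustration.
from typing import Dict, List, Set
LOCAL_DOMAINS = {"my-site.com", "my-other-site.com"}  # local-host-names
VIRTUSERTABLE: Dict[str, str] = {  # an exact address beats the @domain catch-all
    "webmaster@my-other-site.com": "webmasters",
    "@my-other-site.com": "marc",
    "sales@my-site.com": "sales@my-other-site.com",
    "paul@my-site.com": "paul",
    "finance@my-site.com": "paul",
    "@my-site.com": "error:nouser User unknown",
}
ALIASES: Dict[str, str] = {  # /etc/aliases; admin-list reads an :include: file
    "manager": "root", "abuse": "root", "decode": "root",
    "root": "marc,admin@example.net",
    "admin-list": ":include:/home/mailings/admin-list",
}
INCLUDE_FILES = {"/home/mailings/admin-list": ["marc", "paul"]}

def virtuser(address: str) -> str:
    """Exact user@domain first, then @domain; unchanged if no entry matches."""
    user, _, domain = address.lower().partition("@")
    for key in (f"{user}@{domain}", f"@{domain}"):
        if key in VIRTUSERTABLE:
            return VIRTUSERTABLE[key]
    return address

def expand(recipient: str, seen: Set[str]) -> List[str]:
    """Expand aliases recursively; a recipient already seen is dropped so loops
    end, and an address in a local domain is resubmitted to virtusertable."""
    if recipient in seen:
        return []
    seen.add(recipient)
    if "@" in recipient:
        if recipient.partition("@")[2].lower() not in LOCAL_DOMAINS:
            return [recipient]                     # remote: hand to SMTP
        return expand(virtuser(recipient), seen)   # local: sendmail re-parses
    if recipient.startswith("error:") or recipient not in ALIASES:
        return [recipient]                         # rejection marker or mailbox
    out: List[str] = []
    for item in (t.strip().strip('"') for t in ALIASES[recipient].split(",")):
        inc = item.startswith(":include:")         # ":include:" is 9 characters
        for member in INCLUDE_FILES.get(item[9:], []) if inc else [item]:
            out += expand(member, seen)
    return out

def deliver(address: str) -> List[str]:
    return sorted(set(expand(address, set())))
```

Note that with the @my-site.com catch-all in place, mail to manager@my-site.com is rejected before /etc/aliases is ever consulted, so alias names that must be reachable at that domain need their own virtusertable entries.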
Sendmail Masquerading Explained
• If you want your mail to appear to come from [email protected] and not [email protected], you can:
a) Configure your email client, such as Outlook Express, to set your email address to [email protected]
b) Set up masquerading to modify the domain name of all traffic originating from and passing through your mail server
• Configuring masquerading
– This can be done by editing your sendmail.mc configuration file and adding some masquerading commands:
FEATURE(always_add_domain)dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`allmasquerade')dnl
MASQUERADE_AS(`my-site.com')dnl
MASQUERADE_DOMAIN(`my-site.com.')dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
• Testing Masquerading
– Send a test message and tail the /var/log/maillog file to verify that the masquerading is operating:
mail -v username
• Other Masquerading Notes
– By default, user "root" will not be masqueraded. This is achieved with the following line in /etc/mail/sendmail.mc:
EXPOSED_USER(`root')dnl
Using Sendmail to Change the Sender's Email Address
• Add these statements to your /etc/mail/sendmail.mc
– In order to rewrite the origin address of emails, you need these features:
FEATURE(`genericstable',`hash -o /etc/mail/genericstable.db')dnl
GENERICS_DOMAIN_FILE(`/etc/mail/generics-domains')dnl
• Create /etc/mail/generics-domains, listing the domains whose senders are rewritten:
my-site.com
my-other-site.com
bigboy.my-site.com
• Create your /etc/mail/genericstable
#linux-username   [email protected]
alert             [email protected]
peter             [email protected]
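The masquerading and genericstable settings above both rewrite the sender, and it helps to see which one wins for a given address. The following is an added example, not code from the course, that models the two steps in the order sendmail applies them (genericstable, then masquerading with EXPOSED_USER and masquerade_entire_domain); the table entries are constructed and the example.org address is a placeholder.

```python
# Added example (not from the course slides): a model of how the sender address
# on outbound mail is rewritten by the MASQUERADE_* settings and the
# genericstable / generics-domains files discussed above. Data is constructed.
from typing import Dict

MASQUERADE_AS = "my-site.com"
MASQUERADE_DOMAINS = {"my-site.com", "localhost", "localhost.localdomain"}
EXPOSED_USERS = {"root"}                             # EXPOSED_USER(`root')
GENERICS_DOMAINS = {"my-site.com", "my-other-site.com", "bigboy.my-site.com"}
GENERICSTABLE: Dict[str, str] = {   # linux-username -> outgoing address
    "alert": "alert@my-site.com",
    "peter": "peter@my-site.com",
}

def genericize(address: str) -> str:
    """genericstable applies only to senders in a generics domain; the lookup
    tries user@host and then the bare username, as sendmail does."""
    user, _, host = address.lower().partition("@")
    if host not in GENERICS_DOMAINS:
        return address
    for key in (f"{user}@{host}", user):
        if key in GENERICSTABLE:
            return GENERICSTABLE[key]
    return address

def masquerade(address: str) -> str:
    """With masquerade_entire_domain, any host under a MASQUERADE_DOMAIN is
    rewritten to MASQUERADE_AS, except for exposed users such as root."""
    user, _, host = address.lower().partition("@")
    if not host or user in EXPOSED_USERS:
        return address
    if any(host == d or host.endswith("." + d) for d in MASQUERADE_DOMAINS):
        return f"{user}@{MASQUERADE_AS}"
    return address

def rewrite_sender(address: str) -> str:
    """Sender as the recipient sees it: genericstable first, then masquerading."""
    return masquerade(genericize(address))
```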
Fighting SPAM, add features
• RFC-Ignorant valid IP address checker.
FEATURE(`dnsbl', `ipwhois.rfc-ignorant.org',`"550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/"')
• Easynet open proxy list.
FEATURE(`dnsbl', `proxies.blackholes.easynet.nl', `"550 5.7.1 ACCESS DENIED to OPEN PROXY SERVER "$&{client_name}" by easynet.nl DNSBL (http://proxies.blackholes.easynet.nl/errors.html)"', `')dnl
• The Open Relay Database open mail relay list.
FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected due to sending server misconfiguration - see http://www.ordb.org/faq/\#why_rejected"')dnl
• Spamcop spammer blacklist.
FEATURE(`dnsbl', `bl.spamcop.net', `"450 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')
• Spamhaus spammer blacklist.
FEATURE(`dnsbl',`sbl.spamhaus.org',`Rejected - see http://spamhaus.org/')dnl
– Several of these zones have since been retired; a retired DNSBL can start answering every lookup, which would make sendmail reject all inbound mail, so check that each list is still maintained before enabling it.
Spamassassin
• Downloading & Installing Spamassassin
# rpm -ivh spamassassin-2.60-2.i386.rpm
• Starting Spamassassin at boot
# chkconfig --level 35 spamassassin on
• Configuring Procmail for Spamassassin
# cp /etc/mail/spamassassin/spamassassin-spamc.rc /etc/procmailrc
• Startup Spamassassin
# /etc/init.d/spamassassin start
– Combine SpamAssassin with the sendmail features above