SENDMAIL Q/A

1) /usr/lib/sendmail -d0.4 -bt < /dev/null

2)sendmail supports several map types. The main types are:

hash/btree
requires the compile flag -DNEWDB. This is the new Berkeley DB package.
If your system does not have this pre-installed, or the version
installed is not version 2.0 or greater (e.g., is Berkeley DB 1.85 or
1.86), get the current version from http://www.sleepycat.com/.
dbm
requires the compile flag -DNDBM. This is the older NDBM
implementation.

3)Which sendmail version do I run?

To find out which version of sendmail is installed on your system, you can try the following
commands:

sendmail -d0.5 -bv root
should tell you its version and some basic settings.

telnet localhost 25
sendmail should greet you with its welcome message and tell you the version of its binary and config
file. Enter QUIT to leave this mode.

4)I can't send mail to users whose accounts have upper case letters?

First: Don't use uppercase letters...: man 5 passwd:

tains  no  uppercase characters, and must not
be more than eight characters in length.

If you really need it, set the flag 'u' in

Mlocal,..F=..u..
^

in sendmail.cf

u   Upper case should be preserved in user  names  for
this mailer.

If you use procmail as local mailer, make sure you define NO_USER_TO_LOWERCASE_HACK (in
config.h ?).

5)Cannot alias non-local names

If you get the error: name: cannot alias non-local names when running newaliases (or
sendmail -bi ), there are several possibilities to check:

1.Does

sendmail -bt
> 3,0 name

resolve to the local mailer?
2.Make sure you have the flag F=A for Mlocal in your sendmail.cf . (This applies to
sendmail 8.8 ).

6)Config error: mail loops back to myself

You are still getting this message:

553 relay.domain.net config error: mail loops back to myself
554 <user@domain.net>... Local configuration error
How can I solve this problem? There are two possibilities:

1.You have asked mail to the domain (e.g., dom.ain) to be forwarded to a specific host (in this
case, relay.dom.ain) by using an MX record, but the relay machine doesn't recognize itself
as dom.ain. Add dom.ain to /etc/sendmail.cw (if you are using

Cwdom.ain

2.Another possibility is that relay.dom.ain should send this to another host mail.dom.ain
which really handles the mail for dom.ain. If this host is reachable by SMTP you should
create an MX record with the best (lowest) priority pointing to mail.dom.ain. Make sure
that relay.dom.ain really knows it is relay.dom.ain! If you setup the MX records, you
must use the correct name for relay.dom.ain.
If mail.dom.ain is reachable by some other mail transport protocol (UUCP) or it is not
directly reachable from the outside, you may have a look at the feature mailertable. E.g., use
in your .mc configuration file something like

FEATURE(mailertable, `dbm -o /etc/mailertable')

(or another database type, see makemap(8)) and add a line like the following to the
mailertable:

dom.ain smtp:[mail.dom.ain]

The square brackets ([ ]) tell sendmail to ignore MX records for mail.dom.ain.

Two more hints: An MX record shouldn't point to a CNAME, it will most probably cause you a lot
of trouble. (And currently it violates RFC 974 ).
WILDCARD MX RECORDS ARE A BAD IDEA! The only situation in which they work reliably
is if you have two versions of DNS, one in the real world which has a wildcard pointing to your
firewall, and a completely different version of the database internally that does not include wildcard
MX records that match your domain. ANYTHING ELSE WILL GIVE YOU HEADACHES!

IMPORTANT: Be sure you kill and restart the sendmail daemon after you change the configuration
file (for ANY change in the configuration, not just this one):

kill `head -1 /etc/sendmail.pid`
sh -c "`tail -1 /etc/sendmail.pid`"

NOTA BENE: kill -1 does not work!

and both hints didn't solve your problem?

So here is another hint what might be wrong: You use a

LOCAL_RULE_0

in your sendmail.mc (which is S98 in sendmail.cf)? This rule is evaluated before the local recognition
of S0 happens. So if you use some rule here, which (by accident) also matches your local host but
doesn't resolve to local, you have a problem. Try to debug that address and see where it fails (where
it gets resolved to another mailer than local).

7)How to route all mail to a single user?

Sometimes you want to route all mail for a domain to a single user. You can do this by a rule like
this:

R$+ < @ the.domain. >      $#local $: the-user       all to one user

This usually goes into ruleset 0.

8)How to route mail to unknown users to one account?

sendmail 8 has a feature to route all mail which ends up as local on the system but isn't a valid
account (or alias) to another system (the so-called LUSER_RELAY), see cf/README (from 8.8).
However, this feature is disrecommended, since it can break ``working'' addresses if you introduce
new local users.

If you want to route all mail to unknown users to one account (instead of giving the standard error
reply), you can put in your .mc file the following:

define(`LUSER_RELAY', `local:someuser@your.domain')

or look in your sendmail.cf for these lines and remove the hash in front of them:

Kuser user -m -a<>
DLlocal:someuser@your.domain
R< > $+                 $: < $L . > $( user $1 $)      look up user
R< $* > $+ <> $*        $: < > $2 $3                   found; strip $L
R< $* . > $+            $: < $1 > $2                   strip extra dot

Something similar can be accomplished for virtual domains.

9)How do I queue mail for another domain?

Your system mailserver.my.domain should act as a backup mailserver for mailserver.client.domain.
The client wants to receive mail for the address user@client.domain. This requires:

1.MX Records:

client.domain.              IN MX 10 mailserver.client.domain.
client.domain.              IN MX 10 mailserver.my.domain.
mailserver.client.domain.   IN MX 10 mailserver.client.domain.
mailserver.client.domain.   IN MX 10 mailserver.my.domain.

The last two records are there "just in case". Make sure you use the real names of all systems.
mailserver.my.domain must know its own name, otherwise you'll get the famous mail loops back to
myself error.

2.On your system: do nothing unless you have anti-relay rules installed (which you really should
have!). In this case, add client.domain to the required files. Don't add client.domain or
mailserver.client.domain to class w on your system!

3.sendmail on your system will try to deliver mail during queue runs; however, the client may
trigger delivery by using the ETRN command.

10)Class w contains all local addresses

sendmail 8.8 includes all local addresses into class w to avoid the well-known config error: mail
loops back to myself. If this is not intended, there's an undocumented compile-time option,
-D_FFR_DONT_PROBE_INTERFACES_OPTION, which enables the option O DontProbeInterfaces in your
sendmail.cf. Set it to True to keep sendmail from adding all local addresses to class w.

11)How do I refuse e-mail from unwanted domains (users)?

Using rules with sendmail 8.8 or 8.9

sendmail 8.8 has some new rulesets to check who can use your machine as a mail gateway. Using
check_* in sendmail 8.8 gives an overview how to use these rulesets; 8.9 has standard FEATUREs to
this effect.
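The following is an added Python model, not sendmail code and not part of the original FAQ, of the
kind of relay decision these check_* rulesets make. It follows the shape of the check_rcpt ruleset
given in item 17 of this page: a connecting client is allowed if its address matches a network prefix
in class {LocalIP}; otherwise the recipient's domain is stripped repeatedly while it is in class
{RelayTo} (or a subdomain of it) or in class w, the local part is re-parsed, and any foreign domain
that is left over means the message would be relayed. The class contents, the sample addresses and
the function names are constructed for the demo.

```python
# Added example (not sendmail code): a model of a check_rcpt-style anti-relay
# decision. Class contents below are constructed for the demo; the FAQ loads
# them from /etc/spam/OkIPs and /etc/spam/OkDomains with F{LocalIP}/F{RelayTo}.

LOCAL_IP = ["127.0.0.1", "207.113.220", "10.2"]       # $={LocalIP}: octet prefixes
RELAY_TO = ["infinex.com", "subdomain.infinex.com"]   # $={RelayTo}: domains we accept for
CLASS_W = ["localhost", "gman.infinex.com"]           # $=w: names of this host


def client_is_local(client_addr, local_ip=LOCAL_IP):
    """'R$={LocalIP}$* $| $*   $@ ok': the client address starts with a class
    entry, compared octet by octet, so '10.2' covers 10.2.0.0/16 but not
    10.20.x.x. No client address at all means sendmail was invoked directly."""
    if not client_addr:
        return True
    octets = client_addr.split(".")
    return any(octets[:len(p.split("."))] == p.split(".") for p in local_ip)


def remove_local(addr, relay_to=RELAY_TO, class_w=CLASS_W):
    """Ruleset 'remove_local': while the address ends in one of our domains
    (class w, or class {RelayTo} and its subdomains), drop that domain and
    re-parse the local part, so 'user%spam.net@infinex.com' unwraps to
    'user@spam.net'. Stops at the first domain that is not ours."""
    while "@" in addr:
        local, _, domain = addr.rpartition("@")
        domain = domain.rstrip(".").lower()
        ours = domain in class_w or any(
            domain == d or domain.endswith("." + d) for d in relay_to)
        if not ours:
            return addr
        # ruleset 3 on the dequoted local part: a %-hack becomes an @-address
        addr = local.strip('"').replace("%", "@")
    return addr


def check_rcpt(client_addr, rcpt):
    """Return 'ok' or the 550 reply that the ruleset's $#error would produce."""
    if client_is_local(client_addr):
        return "ok"
    if "@" in remove_local(rcpt):
        return "550 Sorry.. we do not allow relaying"
    return "ok"


if __name__ == "__main__":
    for client, rcpt in [("10.2.3.4", "anyone@spam.net"),
                         ("198.51.100.7", "user@infinex.com"),
                         ("198.51.100.7", "user%spam.net@infinex.com")]:
        print(client, rcpt, "->", check_rcpt(client, rcpt))
```

The %-hack case is the one that makes the repeated stripping necessary: a recipient of the form
user%spam.net@infinex.com looks local on the first pass and only reveals the foreign domain after
the local part has been re-parsed.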
Using rules with sendmail 8.x

If you have sendmail 8.x (with x < 8), you can do the following to refuse mails from unwanted
domains/hosts. Put into ruleset 98 something like this (this is LOCAL_RULE_0 in your .mc file):

R$* < @ $* $=K . > $*      $#error $@ 5.7.1 $: "This domain is banned."
R$* < @ $* $=K > $*        $#error $@ 5.7.1 $: "This domain is banned."

And define a class K by:

FK/etc/banned.domains

In this file, you should put the names of the banned domains, e.g.,

cyberpromo.com
quantcom.com
savetrees.com

If you want to specify the user(s) too, you have to replace the first $* with the name or a match for a
class.

Using tcp_wrappers

Another possibility is to use tcp_wrappers. There is a patch available for sendmail 8.7.x, which
incorporates the functionality directly into sendmail. Using this approach, you can define the access
to your sendmail daemon based on the rules available for tcp_wrappers .

sendmail 8.8 supports this without a patch, just use -DTCPWRAPPERS=1 for compilation and add the
appropriate library -lwrap . There is a patch for a problem with sendmail 8.8.8 which passes
incorrect data to the library routines. A patch can be found in ftp://ftp.win.tue.nl/pub/security/.
Thanks to Lou Rinaldi for pointing this out.

Using checkcompat()

A third possibility is to use the checkcompat() routine. Kyle Jones proposed the following patch.
It is intended to disallow all non-local e-mail traffic through your host. Use at your own risk.

12)Unsafe map file /etc/mail/aliases

With the latest sendmail release many people get an error message like:

unsafe map file /etc/mail/aliases

(or another map). There may be several reasons for this, the most common is that the permissions of
the directories leading to the alias file are incorrect. It must be:

drwxr-xr-x 12 root     staff        3072 Nov 20 10:47 /etc/
drwxr-xr-x  4 root     staff        1024 Dec 21 16:40 /etc/mail/

i.e., the directory must be owned by root and not writable by the group or the rest of the world.
The alias file itself must have similar permissions. Moreover, if you have a db map, you may try to
touch the resulting map (file.db) and call makemap or newaliases thereafter.

See the release notes for further details. /usr/lib/sendmail -bi -d44.4 gives some debug
output for the alias map.

13)Allowing controlled SMTP relaying in Sendmail 8.9

As of sendmail version 8.9, forwarding of SMTP messages is not permitted by default. For example,
if you are on site A.COM, you will not accept mail from B.NET destined for C.ORG without special
arrangements. These instructions assume that you are using the M4 technique for creating your
sendmail.cf files; if you are not, you are on your own.

The simplest approach is to list the domains you are willing to relay in the file
/etc/mail/relay-domains. Anything listed in this file will be accepted for relaying. N.B.:
Sendmail must be restarted after this file is modified.

For more precise tuning, several FEATUREs have been added to control relaying:

FEATURE(relay_hosts_only). Normally domains are listed in /etc/mail/relay-domains; any hosts in
those domains match. With this feature, each host in a domain must be listed.

FEATURE(relay_entire_domain). Setting this feature allows relaying of all hosts within your
domain. For example, on the host gateway.A.COM, this feature allows mail to or from any host in the
A.COM domain. More precisely, this relays any host listed in the $=m class. This is equivalent to
listing the name of the domain in /etc/mail/relay-domains.

FEATURE(access_db). This enables the hash database /etc/mail/access to enable or disable access
from individual domains (or hosts, if FEATURE(relay_hosts_only) is set). The database format is
described below.

FEATURE(blacklist_recipients). If set, this feature looks up recipients as well as senders in the
access database.

FEATURE(rbl). Enables rejection of mail based on the Realtime Blackhole List maintained at
maps.vix.com.

FEATURE(accept_unqualified_senders). Normally, sendmail will not accept mail from a sender without
a domain attached -- for example, user instead of user@B.NET. This feature allows such users.

FEATURE(accept_unresolvable_domains). Normally, sendmail will refuse to accept mail that has a
return address with a domain that cannot be resolved using the regular host lookups (a technique
commonly used by spammers). This feature permits acceptance of such addresses. Unresolvable
domains can be selectively accepted using the access database.

FEATURE(relay_based_on_MX). Setting this feature permits relaying for any domain that is directed
to your host.

Several other features are probably a bad idea, unless you are inside a firewall, because they make
your system vulnerable to abuse by spammers:

FEATURE(relay_local_from). This feature allows relaying if the message claims to originate at your
domain. Since forging this address is trivial, this is probably a bad idea.

FEATURE(loose_relay_check). This turns off checking for explicit routing through your host, such as
target%C.ORG@A.COM.

FEATURE(promiscuous_relay). If you really want to forward all the spam on the net, this will turn
off all checking for relaying.

The Access Database

The access database (normally in /etc/mail/access) allows a mail administrator to administratively
allow access to the mail server by individual domains. Each database entry consists of a domain
name or network number as the key and an action as the value.

Keys can be a fully or partly qualified host or domain name such as host.subdomain.domain.com,
subdomain.domain.com, or domain.com. The last two forms match any host or subdomain under the
specified domain. (If FEATURE(relay_hosts_only) is set, only the first form works.) Keys can also be
a network address or subnetwork, e.g., 205.199.2.250, 205.199.2, or 205.199. The latter two forms
match any host in the indicated subnetwork. Lastly, keys can be user@host.domain to reject mail
from a specific user.

Values can be REJECT to refuse connections from this host, DISCARD to accept the message but
silently discard it (the sender will think it has been accepted), OK to allow access (overriding
other built-in checks), RELAY to allow access including relaying SMTP through your machine, or an
arbitrary message to reject the mail with the customized message.

For example, a database might contain:

cyberpromo.com          REJECT
sendmail.org            RELAY
spam@buyme.com          550 Spammers shan't see sunlight here

to reject all mail from any host in the cyberpromo.com domain, allow any relaying to or from any
host in the sendmail.org domain, and reject mail from spam@buyme.com with a specific message.

14)Dont Blame Sendmail and Enhanced File Security

Beginning with version 8.9.0, sendmail has tightened the rules used for opening files. Sendmail now
checks the modes and ownership of the files and the directory path leading up to that file to
prevent users from taking advantage of overly permissive modes on directories and files.

During your migration to sendmail 8.9, you will need to fix up any permissions which would be
considered unsafe, such as non-root owned directories containing maps or group writable directories
and files. In general, directories which sendmail reads from should be owned by root unless the
RunAsUser option is set. There are exceptions to this rule such as user .forward files.

You may have to tweak your environment to make it safer for sendmail to run. If you find that some
of the safeties in sendmail are too restrictive for your environment, they can be turned off by
setting the option DontBlameSendmail. The option is appropriately named, as sendmail is not to be
blamed for problems resulting from unsafe permissions on directories and files.

Checking your system for these unsafe files is simply a matter of performing a few commands to see
if they report any problems. For example, if rebuilding the aliases file with:

# newaliases -v

gives messages such as:

WARNING: writable directory /etc
WARNING: writable directory /usr/spool/mqueue

then the directories listed have inappropriate write permissions and should be secured to avoid
various possible security attacks.

Although somewhat verbose, a good test to make sure sendmail is satisfied with the permissions on
your database maps, class files, and aliases file is the command:

# sendmail -v -d44.4 -bv postmaster

This will output the file safety checks as they are done and the results of each one.

The biggest surprise is likely to come from .forward and :include: files in unsafe directory paths
(directory paths which are group or world writable). This is no longer allowed. This would mean
that if user joe's home directory was writable by group staff, sendmail would not use his .forward
file. This behavior can be altered, at the possible expense of system security, by setting the
DontBlameSendmail option. For example, to allow forward files in group writable directories:

O DontBlameSendmail=forwardfileingroupwritabledirpath

Or to allow them in both group and world writable directories:

O DontBlameSendmail=forwardfileinunsafedirpath

Items from these unsafe .forward and :include: files will be marked as unsafe addresses -- the
items can not be deliveries to files or programs. This behavior can also be altered via
DontBlameSendmail:

O DontBlameSendmail=forwardfileinunsafedirpath,forwardfileinunsafedirpathsafe

The first flag allows the forward file to be read, the second allows the items in the file to be
marked as safe for file and program delivery.

Other files affected by this strengthened security include class files (i.e. Fw /etc/sendmail.cw),
persistent host status files, and the files specified by the ErrorHeader and HelpFile options.
Similar DontBlameSendmail flags are available for these files.

The DontBlameSendmail option takes one or more names that disable checks. In the descriptions that
follow, "unsafe directory" means a directory that is writable by anyone other than the owner. The
values are:

Safe
No special handling.
AssumeSafeChown
Assume that the chown system call is restricted to root. Since some versions of UNIX permit
regular users to give away their files to other users on some filesystems, sendmail often cannot
assume that a given file was created by the owner, particularly when it is in a writable
directory. You can set this flag if you know that file giveaway is restricted on your system.
ClassFileInUnsafeDirPath
When reading class files (using the F line in the configuration file), allow files that are in
unsafe directories.
ErrorHeaderInUnsafeDirPath
Allow the file named in the ErrorHeader option to be in an unsafe directory.
GroupWritableDirPathSafe
Change the definition of "unsafe directory" to consider group-writable directories to be safe.
World-writable directories are always unsafe.
GroupWritableForwardFileSafe
Accept group-writable .forward files.
GroupWritableIncludeFileSafe
Accept group-writable :include: files.
GroupWritableAliasFile
Allow group-writable alias files.
HelpFileInUnsafeDirPath
Allow the file named in the HelpFile option to be in an unsafe directory.
WorldWritableAliasFile
Accept world-writable alias files.
ForwardFileInGroupWritableDirPath
Allow .forward files in group writable directories.
IncludeFileInGroupWritableDirPath
Allow :include: files in group writable directories.
ForwardFileInUnsafeDirPath
Allow .forward files in unsafe directories.
IncludeFileInUnsafeDirPath
Allow :include: files in unsafe directories.
ForwardFileInUnsafeDirPathSafe
Allow a .forward file that is in an unsafe directory to include references to programs and files.
IncludeFileInUnsafeDirPathSafe
Allow a :include: file that is in an unsafe directory to include references to programs and files.
MapInUnsafeDirPath
Allow maps (e.g., hash, btree, and dbm files) in unsafe directories.
LinkedAliasFileInWritableDir
Allow an alias file that is a link in a writable directory.
LinkedClassFileInWritableDir
Allow class files that are links in writable directories.
LinkedForwardFileInWritableDir
Allow .forward files that are links in writable directories.
LinkedIncludeFileInWritableDir
Allow :include: files that are links in writable directories.
LinkedMapInWritableDir
Allow map files that are links in writable directories.
LinkedServiceSwitchFileInWritableDir
Allow the service switch file to be a link even if the directory is writable.
FileDeliveryToHardLink
Allow delivery to files that are hard links.
FileDeliveryToSymLink
Allow delivery to files that are symbolic links.
RunProgramInUnsafeDirPath
Go ahead and run programs that are in writable directories.
RunWritableProgram
Go ahead and run programs that are group- or world-writable.
WriteMapToHardLink
Allow writes to maps that are hard links.
WriteMapToSymLink
Allow writes to maps that are symbolic links.
WriteStatsToHardLink
Allow the status file to be a hard link.
WriteStatsToSymLink
Allow the status file to be a symbolic link.
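As an added illustration (this is not sendmail's own safefile() code and not part of the FAQ), here
is a Python checker that walks a directory path the way the checks behind "unsafe map file" (item
12) and the DontBlameSendmail rules (item 14) do: every directory on the way must be owned by a
trusted uid and must not be group- or world-writable, a symbolic link sitting in a writable
directory is flagged, and the file itself must not be writable by anyone but its owner. The
GroupWritableDirPathSafe and Linked*InWritableDir flags are modelled as keyword arguments. The
function name, the base parameter (sendmail always walks from the root) and the reason strings are
this example's own.

```python
# Added example (not sendmail's safefile() code): model of the directory-path
# safety check behind "unsafe map file" and the DontBlameSendmail rules.
import os
import stat


def unsafe_components(path, base="/", owner_uids=(0,),
                      group_writable_ok=False, allow_links=False):
    """Return [(component, reason), ...] for everything on the way from
    `base` down to `path` that the rules would consider unsafe.

    owner_uids        uids allowed to own directories on the path (root only
                      unless RunAsUser is set; the tests pass their own uid)
    group_writable_ok models DontBlameSendmail=GroupWritableDirPathSafe
    allow_links       models the Linked*InWritableDir flags
    `base` is this example's own shortcut; sendmail always starts at "/".
    World-writable directories are always unsafe.
    """
    path, base = os.path.abspath(path), os.path.abspath(base)
    if path != base and not path.startswith(base.rstrip("/") + "/"):
        raise ValueError("path is not below base")
    rel = os.path.relpath(path, base)
    chain = [base]
    for part in ([] if rel == "." else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))

    problems = []
    for comp in chain:
        st = os.lstat(comp)
        if stat.S_ISLNK(st.st_mode):
            # A link is only a problem when someone else could replace it,
            # i.e. when the directory holding it is writable.
            parent = os.lstat(os.path.dirname(comp)).st_mode
            if not allow_links and parent & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append((comp, "symlink in writable directory"))
            st = os.stat(comp)  # go on with the link target's modes
        if stat.S_ISDIR(st.st_mode):
            if st.st_uid not in owner_uids:
                problems.append((comp, "directory not owned by a trusted uid"))
            if st.st_mode & stat.S_IWOTH:
                problems.append((comp, "world-writable directory"))
            elif st.st_mode & stat.S_IWGRP and not group_writable_ok:
                problems.append((comp, "group-writable directory"))
        elif comp == path:
            # The file itself gets the same treatment as its directories.
            if st.st_mode & stat.S_IWOTH:
                problems.append((comp, "world-writable file"))
            elif st.st_mode & stat.S_IWGRP and not group_writable_ok:
                problems.append((comp, "group-writable file"))
    return problems


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    for comp, why in unsafe_components(target):
        print("%s: %s" % (comp, why))
```

Run it against an alias or map file (for instance /etc/mail/aliases) to get the same kind of list
that `sendmail -v -d44.4 -bv postmaster` prints, one reason per offending path component.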
15) FR-o /etc/mail/relay-domains

Class R (relay-domains) doesn't act on MAIL FROM, but on the address of the connecting system.

16)Is there an already written FEATURE or HACK which allows me to ban a spam domain like
hostmail.com yet allow certain users who have accounts on hostmail.com access?

Use FEATURE(access_db) and create an access map with entries like:

hostmail.com            REJECT
friend1@hostmail.com    OK
another@hostmail.com    OK

However, it doesn't really work :-( You have to disable check_relay. If you want to make use of this
trick and you don't need check_relay (see the docs for info about this ruleset), you can disable it:

SLocal_check_relay
R$*        $@ $#OK
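To make the key-matching rules of the access database concrete, here is an added Python model
(not sendmail code, not part of the FAQ) that looks up a sender address or a client IP against
the entries quoted in items 13, 16 and 17 of this page. The most specific key wins, so
friend1@hostmail.com is found before hostmail.com and 10.0.2.10 before 10.0.2, and a sender
key of the form user@ matches that user at any host. The lookup order and the case folding are a
simplification of what check_mail and check_relay do with the map; the function names are this
example's own.

```python
# Added example (not sendmail code): how FEATURE(access_db) keys are matched.
# The entries are the ones quoted in items 13, 16 and 17 of this page, as they
# would appear in /etc/mail/access before 'makemap hash'.
ACCESS = {
    "cyberpromo.com":        "REJECT",
    "sendmail.org":          "RELAY",
    "spam@buyme.com":        "550 Spammers shan't see sunlight here",
    "hostmail.com":          "REJECT",
    "friend1@hostmail.com":  "OK",
    "Friend@":               "550 Sorry FROM field invalid",
    "10.0.2.10":             "OK",
    "10.0.2":                "550 Your Netblock not allowed..",
}


def candidate_keys(sender=None, client_ip=None, hosts_only=False):
    """Yield lookup keys, most specific first.

    sender user@host.sub.dom -> user@host.sub.dom, host.sub.dom, sub.dom, dom
                                (host.sub.dom only, with relay_hosts_only), user@
    client_ip a.b.c.d        -> a.b.c.d, a.b.c, a.b, a
    """
    if sender:
        user, _, host = sender.lower().rpartition("@")
        yield sender.lower()
        labels = host.split(".")
        for i in range(1 if hosts_only else len(labels)):
            yield ".".join(labels[i:])
        yield user + "@"
    if client_ip:
        octets = client_ip.split(".")
        for n in range(len(octets), 0, -1):
            yield ".".join(octets[:n])


def access_lookup(access, sender=None, client_ip=None, hosts_only=False):
    """First matching action (REJECT, OK, RELAY, DISCARD or a 5xx text),
    or None when no entry applies. Keys are compared case-insensitively,
    which is an assumption about the map's default flags."""
    folded = {k.lower(): v for k, v in access.items()}
    for key in candidate_keys(sender, client_ip, hosts_only):
        if key in folded:
            return folded[key]
    return None


if __name__ == "__main__":
    for who in ["friend1@hostmail.com", "other@hostmail.com", "Friend@anywhere.example"]:
        print(who, "->", access_lookup(ACCESS, sender=who))
    for ip in ["10.0.2.10", "10.0.2.77", "10.0.3.1"]:
        print(ip, "->", access_lookup(ACCESS, client_ip=ip))
```

With FEATURE(relay_hosts_only) the parent-domain candidates are not generated, which is why the
model's hosts_only flag makes a mail.cyberpromo.com sender miss the cyberpromo.com entry.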

17)Anti Spam Again

Sendmail 8.8.x

For now I'll just link the spam rule I install on the linux boxes here at Infinex. It works great to the
best of my knowledge ( not much up there ;) ). Basicly you list which Network blocks are allowed
to send mail through you.. ie

127.0.0.1
207.113.220
10.2
207.201.8.22

and for domain names

localhost
infinex.com
subdomain.infinex.com

Here's a tiny modified version of the link above that is actually used at Infinex.

# please use the .m4 file, this file is not maintained!
LOCAL_CONFIG
F{LocalIP} /etc/spam/OkIPs
F{RelayTo} /etc/spam/OkDomains
LOCAL_RULESETS
Scheck_rcpt
# make sure you have TABs here, not BLANKs! sendmail will complain otherwise...
R$+                     $: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*                $@ ok                   no client addr: directly invoked
R$={LocalIP}$* $| $*    $@ ok                   from here
# not local, check rcpt
R$* $| $*               $: $>3 $2
# remove local part, maybe repeatedly
R$+                     $: $>remove_local $1
# still something left?
R$*<@$+>$*              $#error $@ 5.7.1 $: 550 Sorry.. we do not allow relaying

Sremove_local
# remove RelayTo part (maybe repeatedly)
R$*<@$*$={RelayTo}.>$*  $>3 $1$4
R$*<@$=w.>$*            $: $>remove_local $>3 $1$3
R$*<@$*>$*              $@ $1<@$2>$3
# dequote local part
R$-                     $: $>3 $(dequote $1 $)
R$*<@$*>$*              $: $>remove_local $1<@$2>$3

If anyone knows if the above sendmail rule can still be relayed through, email me!! please!! ;)..

Compile/Config Sendmail 8.9.0

The following should work for most Slackware boxes... other Distribs may vary.. The compile part
should work for any linux box. The cf part is made to support virtual domains and spam control..

SENDMAIL 8.9.0 DOES NOT SUPPORT DBM ANYMORE. Use "hash" instead of "dbm".. hash is the default db
type for everything now.. So far the "spam control" [FEATURE(access_db)] checks From:, To:, some
part of Received: fields.

download ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.0.tar.gz

# tar -zxf sendmail.8.9.0.tar.gz
# cd sendmail-8.9.0
# pico -w BuildTools/OS/Linux
#add the following lines.

define(`confLDOPTS', `-s')
define(`confOPTIMIZE', `-m486 -O2')

# cd src
# Build
# cd ../cf/cf
# pico -w linux.mc

divert(-1)
#
# Copyright (c) 1998 Sendmail, Inc.  All rights reserved.
# Copyright (c) 1983 Eric P. Allman.  All rights reserved.
# Copyright (c) 1988, 1993
#	The Regents of the University of California.  All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

#
#  This is the prototype file for a configuration that supports nothing
#  but basic SMTP connections via TCP.
#
#  You MUST change the `OSTYPE' macro to specify the operating system
#  on which this will run; this will set the location of various
#  support files for your operating system environment.  You MAY
#  create a domain file in ../domain and reference it by adding a
#  `DOMAIN' macro after the `OSTYPE' macro.  I recommend that you
#  first copy this to another file name so that new sendmail releases
#  will not trash your changes.
#

divert(0)dnl
VERSIONID(`@(#)tcpproto.mc	8.10 (Berkeley) 5/19/98')
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')
OSTYPE(linux)dnl
DOMAIN(linuxrox.com)dnl
FEATURE(nouucp)dnl
FEATURE(local_procmail)dnl
FEATURE(virtusertable, hash -o /etc/mail/virtusertable)dnl
FEATURE(access_db)dnl
MAILER(local)dnl
MAILER(smtp)dnl

# pico -w ../domain/linuxrox.com.m4
# replace linuxrox.com with your own domain name.

divert(-1)dnl
#
# This file contains the global definitions for yourdomain.com
#
divert(0)dnl
VERSIONID(`@(#)linuxrox.com.m4	1.0 (linuxrox.com) 06/01/98')
FEATURE(use_cw_file)dnl

# m4 ../m4/cf.m4 linux.mc > /tmp/sendmail-8.9.0.cf
# cd ../..
# make install
#this installs all the new sendmail programs
# cd /etc
# mv sendmail.cf sendmail-original.cf
#just in case the new cf won't work we save the old one, which will..
# cp /tmp/sendmail-8.9.0.cf sendmail-8.9.0.cf
# ln -s sendmail-8.9.0.cf sendmail.cf
# pico -w /etc/sendmail.cw
#list all the domains hosted on your box

linuxrox.com
gman.infinex.com
evilpeople.com

Any mail to a specific host on your box that is not listed will be REJECTED. The only exception is if
the host is a CNAME to the domain name.

# kill -TERM `head -1 /var/run/sendmail.pid`
# /usr/sbin/sendmail -bd -q15m

All done with sendmail.. just "spam control" and virtual domains need to be modified/configured..

# pico -w /etc/mail/virtusertable
#Example of /etc/mail/virtusertable

mp3@evilpeople.com        error:nouser Unknown user
suggest@evilpeople.com    evilppl
@evilpeople.com           evilppl
@mp3.evilpeople.com       error:nouser Unknown user

# makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable

mp3@evilpeople.com is an email address I don't want people to email, so people get a "550 Unknown
user" when they do try to email mp3@evilpeople.com. suggest@evilpeople.com really goes to the
local user called 'evilppl'. You can also redirect to a remote email address (ie.
username@hotmail.com). To offer "unlimited aliases" just direct everything to a user on your
system. For example:

@domain.com               username_on_system

Example of /etc/mail/access

Friend@                       550 Sorry FROM field invalid
evilusername@evilplace.com    550 Spammer, Go away!!
test.com                      REJECT
domain.com                    550 Sorry, domain.com is not a valid domain.
10.0.2.10                     OK
10.0.2                        550 Your Netblock not allowed..

Pretty simple
1.Friend@ - reject email address with Friend@
2.evilusername@evilplace.com - rejects msg with "550 Spammer, Go away!!" err msg
3.test.com - gets rejected with REJECT msg
4.domain.com - sends a "550 Sorry, domain.com is not a valid domain." REJECT msg..
5.10.0.2.10 - gets no error msg. Mail always accepted.
6.10.0.2 - sends a "550 Your Netblock not allowed.." REJECT msg for any host with IP 10.0.2 except
10.0.2.10

18)I need the m4 definition to relay all unmatched virtualusers to another machine:

LUSER_RELAY. This option will cause all local mail for which there is no corresponding user account
to be sent to the machine of your choice. For example in M4 you would add this line:

define(`LUSER_RELAY', `other-smtphost.my.domain')dnl

19)How I can feed sendmail a subject field when using CGI in mail forms. In Perl, I can simply
invoke sendmail with "system('/usr/local/sendmail $email < $somefile')". Is there a way to feed a
variable like $subject to sendmail on the command line? Pardon my
ignorance!!!!

Use -s.  For example...

system("/usr/lib/sendmail -s '$subject' $email < $somefile");

20)SMTP connections from 127.0.0.1 only - How?

1. Compile sendmail with the TCP wrappers library and use it to control from where sendmail will
accept connections.
2. Install a local packet filter to control what IP addresses may connect to which ports on the
computer (on some OSes, such capability is included if you remake a kernel with that option
enabled; on some other OSes, something like ip-filter may be usable).
3. Set "DaemonPortOptions=Addr=127.0.0.1" in sendmail.cf (or the necessary incantation in your .mc).

21)There are two reasons why sendmail is setuid root.

1. It reacts to system load by unbinding port 25 when the load is too high, and rebinding it when
the load goes down again.
2. It changes uid to a specific user when executing programs for that user, in the case of program
executing from a .forward file.
3. And, less important than these, sendmail needs to be root to be able to read each user's
.forward file.

22)Why do only some hosts reject my email with the following response?

> Any advice on how to correct it will be greatly appreciated.
>
>    ----- Transcript of session follows -----
> ... while talking to pop.uunet.ca.:
> >>> HELO fres.GLFC.Forestry.CA.
> <<< 501 5.5.4 Invalid HELO parameter: "fres.GLFC.Forestry.CA."

The HELO string identifies the calling system. sendmail can check the name in a number of ways:

* Does the IP address of the client reverse map into the same name?
* Does it conform to the rules in RFC 1123? That is, is it a canonical name, is it a fully qualified
name, and it must not end in a trailing dot (see section 5.2.5 of RFC 1123).

Since the above clearly has a trailing dot, that's why it's invalid.

23)Try the MaxMessageSize option, e.g. in your m4 file:

define(`confMAX_MESSAGE_SIZE', `5000000')dnl

will set the limit to 5000000 bytes. See the KNOWNBUGS file that comes with the source for some
additional subtleties.
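The HELO checks listed in item 22, as an added Python model that is not sendmail code and not part
of the FAQ: it rejects a trailing dot, an unqualified (single-label) name, a syntactically invalid
host name, and a name that does not agree with the client's reverse mapping, and it accepts an
address literal only when it names the connecting client. The reverse-DNS data is a constructed
table so the check runs offline; the function name and the message texts are this example's own.

```python
# Added example (not sendmail code): the HELO parameter checks from item 22.
import re

# RFC 1123 host name label: letters, digits and hyphens, no hyphen at either
# end, 1 to 63 characters (RFC 1123 lets a label start with a digit).
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed reverse-DNS data (client address -> canonical name) so the
# check runs offline; a real check would do a PTR lookup here.
PTR = {
    "192.0.2.15": "fres.glfc.forestry.ca",
    "192.0.2.16": "mail.example.org",
}


def helo_problems(helo, client_ip=None, ptr=PTR):
    """Return the reasons a HELO/EHLO parameter would be rejected ([] = OK)."""
    if helo.startswith("[") and helo.endswith("]"):
        # An address literal is acceptable when it names the connecting client.
        literal = helo[1:-1]
        return [] if client_ip in (None, literal) else [
            "address literal %s is not the client address" % literal]
    problems = []
    if helo.endswith("."):
        problems.append("trailing dot is not allowed (RFC 1123 section 5.2.5)")
        helo = helo[:-1]
    labels = helo.split(".")
    if len(labels) < 2:
        problems.append("not a fully qualified name")
    if len(helo) > 255 or not all(LABEL.match(label) for label in labels):
        problems.append("not a syntactically valid host name")
    if client_ip is not None:
        canonical = ptr.get(client_ip)
        if canonical is None:
            problems.append("client address has no reverse mapping")
        elif canonical.lower() != helo.lower():
            problems.append("reverse mapping %s does not match" % canonical)
    return problems


if __name__ == "__main__":
    for name in ["fres.GLFC.Forestry.CA.", "fres.GLFC.Forestry.CA", "fres"]:
        print(name, "->", helo_problems(name, "192.0.2.15") or "ok")
```

The transcript in the question is the first case: the name itself is fine and matches the reverse
mapping, and the only complaint is the trailing dot.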
24)You can find all your in & out mail archives in the Exchange server directories:

driveletter:\exchsrvr\imcdata\in\archive
driveletter:\exchsrvr\imcdata\out\archive

It is all in text file format.

25)>sh: vacation not available for sendmail programs
>554 "|/usr/bin/vacation user"... Service unavailable

Sendmail may only execute certain programs (depending on the path of the program) if "smrsh" is
used as the shell for those. From "man smrsh":

Briefly, smrsh limits programs to be in the directory /usr/adm/sm.bin, allowing the system
administrator to choose the set of acceptable commands. It also rejects any commands with the
characters `,', `<', `>', `|', `;', `&', `$', `(', `)', `\r' (carriage return), or `\n'
(newline) on the command line to prevent ``end run'' attacks.

Initial pathnames on programs are stripped, so forwarding to ``/usr/ucb/vacation'',
``/usr/bin/vacation'', ``/home/server/mydir/bin/vacation'', and ``vacation'' all actually forward
to ``/usr/adm/sm.bin/vacation''.

procmail(1), and the like. No matter how brow-beaten you may be, never include any shell or
shell-like program (such as perl(1)) in the sm.bin directory. Note that this does not restrict the
use of shell or perl scripts in the sm.bin directory (using the ``#!'' syntax); it simply disallows
execution of arbitrary programs.

26)Another aliasing problem

> : I'm having a strange problem with setting up aliases to send to
> : multiple addresses.  My aliases file works fine if I only list one
> : recipient that it should go to, but if I have, say:
> : allusers: user1, user2
> : for some reason the mail only gets sent to user2.  It is always the
> : last person in the list that receives it.  Has anyone else had this
>
> Have you tried leaving out the space after the comma, so :
> allusers: user1,user2

Unless something major is wrong this shouldn't change anything.
Sendmail strips out spaces...

Does it do this for *any* values of user1 and user2?  Does it do this
if user1 and user2 are foreign addresses?  Test it...

The reason I ask: If user1 and user2 end up equating to the same
address string (the same character string for final delivery), only
one copy will be sent.  To give an example, if user1 has this in his
.forward

"|procmail"

and user2 has the same in her .forward, only user1 will get mail sent
to this list. That's why you're instructed to put a comment or command
argument or something to differentiate such things, for example

"|procmail #user1"

and

"|procmail #user2"

27)> Can anyone tell me how to stop sendmail adding a "content-type" header
> entry to messages that it receives without one ?

This is controlled using the "EightBitMode" option (or "8", for old cf
files.)  From the manual:

EightBitMode=action
[8]  Set  handling of eight-bit data.  There
are  two  kinds  of  eight-bit  data:   that
declared  as  such  using  the BODY=8BITMIME
ESMTP declaration or the -B8BITMIME  command
line  flag,  and undeclared 8-bit data, that
is, input that  just  happens  to  be  eight
bits.  There are three basic operations that
can happen: undeclared 8-bit data can be
automatically converted to 8BITMIME, undeclared
8-bit data can be passed as-is without
conversion to MIME ("just send 8"), and
declared 8-bit data can be converted to
7-bits for transmission to a non-8BITMIME
mailer.  The possible actions are:

s Reject undeclared 8-bit data ("strict")
m Convert undeclared 8-bit data to MIME ("mime")
p Pass undeclared 8-bit data ("pass")

In all cases properly declared 8BITMIME data
will be converted to 7BIT as needed.

28) > Some of my users have complained that their email msg gets chopped up
> into separate lines, each line terminating with a '=' character. I don't
> believe it's a problem with sendmail.

It may be a configuration problem. If you use the esmtp mailer (the
default) and you try to send mail to a version of sendmail without ESMTP or
one configured not to accept 8BITMIME (an ESMTP extension), your sendmail
will convert all mails into Quoted Printable.

That means -- among other things -- that lines longer than 74 characters
(from memory) are truncated and '=\n' put at the end of the line to mark an
incomplete line.

If you want to disable QP encoding use the following in your .mc file:

define(`confSMTP_MAILER', `smtp8')dnl

before including

MAILER(smtp)
--
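What that conversion does to a message can be reproduced offline. The following is an added example, not part of the original answer: Python's quopri module implements the same Quoted-Printable rules (RFC 2045), so the soft line breaks that a non-MIME client shows as lines ending in '=' can be produced, inspected and undone. The message body is a constructed sample.

```python
import quopri

# Constructed sample body: one line well beyond the 76-character limit that
# also contains undeclared 8-bit data (a Latin-1 "ä"), then a short line.
SAMPLE_BODY = (
    b"Dies ist eine lange Zeile mit einem Umlaut: \xe4 und sie ist deutlich "
    b"laenger als die 76 Zeichen, die Quoted-Printable pro Zeile erlaubt.\n"
    b"Kurze Zeile.\n"
)


def to_quoted_printable(body: bytes) -> bytes:
    """Encode a body the way an 8-to-7-bit conversion does: 8-bit bytes become
    =XX escapes and long lines are folded with a trailing '=' soft break."""
    return quopri.encodestring(body)


def soft_break_lines(encoded: bytes) -> list:
    """The lines a non-MIME reader shows as 'chopped up': those ending in '='."""
    return [line for line in encoded.split(b"\n") if line.endswith(b"=")]


def max_line_length(encoded: bytes) -> int:
    """Longest encoded line; RFC 2045 caps this at 76 characters."""
    return max(len(line) for line in encoded.split(b"\n"))


def decode(encoded: bytes) -> bytes:
    """What a MIME-aware client does: remove soft breaks and =XX escapes."""
    return quopri.decodestring(encoded)


if __name__ == "__main__":
    encoded = to_quoted_printable(SAMPLE_BODY)
    print(encoded.decode("ascii"))
    print("soft breaks:", len(soft_break_lines(encoded)),
          "longest line:", max_line_length(encoded),
          "round trip ok:", decode(encoded) == SAMPLE_BODY)
```

The round trip shows that nothing is lost: the content is intact and only the reader lacks MIME support, which is why the answer above changes the mailer to smtp8 instead of touching message bodies.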

29)  is there a better program to generate mail statistics than "mailstats"
> for solaris 2.5.1 or 2.6 on a sun?!

There's a program written by Bryan Beecher called "smtpstats" which
called "popstats" (also from Bryan Beecher) at

30)> >If you just want to block access from a particular IP address, you could use
> >the "route" command to route anything destined for that IP address to an
> >unassigned IP address.  This is sort of a "trick" being used in an antispam script I
> >found called  "spamshield" by Kai Schlichting (kai@abest.com).  You end up doing something
> >like:
> >route add -host <spammer-IP> -gateway <unassigned-IP> -reject

31)> Is there a way to check if a host has a reverse DNS and if
>not block that host from sending e-mail using the check_relay rule?

Yes.

> I'm using sendmail 8.8.7?

See my HACKs for an example, it's the option:

_DNSRELAY_
check whether client_name resolved to a host name or an IP address,
temporarily refuse the mail if it is an IP address.
used by: check_mail3.m4
not recommended, may cause problems with some relay hosts

http://www.informatik.uni-kiel.de/%7Eca/email/check.html
('%7E' is the required encoding for '~')

You can put those rules also in check_relay.

32)If you set the RunAsUser option in sendmail.cf, the /var/spool/mqueue
directory needs to be owned by the RunAsUser user. Otherwise, the
Sendmail docs say that it needs to be owned by root. FWIW, CERT
recommends that the permissions on /var/spool/mqueue be 0700. The
Sendmail book by Costales (with Allman) also recommends this and says
that /var should be 0755 and /var/spool should also be 0755, both owned
by root.

33)Using sendmail 8.9.1 is it possible to masquerade an entire domain
except for a few specific hosts? I know you can use the EXPOSED_USERS
feature to expose certain users from the masquerade. But I have not been
able to find something similar for hostnames.

>Here is the relevant section of my .mc file:
>--
>--
>a nightmare to maintain.
>
>I did find a post that some came up with to hack around this problem:
>http://x11.dejanews.com/getdoc.xp?AN=292419838&CONTEXT=901236509.1935737000&hitnum=0
>
>However, I'd like to have something that can be kept in an m4 file for
>future changes.
>
>Thanks!

I came up with the following local feature some time ago, which may
be close to what you want.  It will "collapse" the specified domains,
removing any host and sub-domain information from _all_ addresses (Note
that I do this in Ruleset 3).  This is different than MASQUERADE_AS
and friends, because it preserves the domain (ie, davburns@foo.cat.pdx.edu
becomes davburns@cat.pdx.edu, while davburns@bar.ee.pdx.edu becomes
davburns@ee.pdx.edu) instead of using $M.

--- feature/collapse.m4
define(`EXPOSE_HOSTS', `C{exposed_hosts}$*')
define(`COLLAPSE_DOMAINS',
`C{collapsed_domains}$* Cw$*')

LOCAL_RULE_3
R$*<$*>$*		$: $>collapse$1<$2>$3		Try to collapse domains

LOCAL_RULESETS
Scollapse
R$=E<@$*>$*				$@ $1<@$2>$3	Exposed user
R$*<@$={exposed_hosts}>$*		$@ $1<@$2>$3	Exposed host
R$*<@$*.$={collapsed_domains}>$*	$@ $1<@$3>$4	Collapse domain
---

I reference this from a domain file, but you could do a .mc like this:

---
DOMAIN(seas)dnl
FEATURE(collapse)dnl
COLLAPSE_DOMAINS(ee.pdx.edu)dnl
COLLAPSE_DOMAINS(cat.pdx.edu)dnl
COLLAPSE_DOMAINS(seas.pdx.edu)dnl
EXPOSE_HOSTS(pager.cat.pdx.edu)dnl
EXPOSE_HOSTS(speak.cat.pdx.edu)dnl
EXPOSE_HOSTS(spew.ee.pdx.edu)dnl
EXPOSE_HOSTS(figaro.ee.pdx.edu)dnl
EXPOSED_USER(root)dnl
EXPOSED_USER(daemon)dnl
----

(The MASQUERADE_AS is used only for unqualified names like <davburns>.)

34)You may turn on aliasing for ANY mailer.

Just make sure that F=A flag is set for every

after that it is simple :-)
/etc/aliases:
robert.reitenbach@tto.de: robert

Don't forget:
1) restart sendmail after making any changes to /etc/sendmail.cf
2) run newaliases after making changes in /etc/aliases.

35)Restricting Mail sizes
If you need only a few sizes try the following:

Duplicate your smtp mailer definition (/etc/sendmail.cf),
name them smtp1, smtp2, smtp3 ... .
Set max message size limit for every new mailer (M=XXX).
Use mailertable to specify mailer for domains e.g.

/etc/mailertable:
.  smtp:%1%0
domain1.dom smtp1:domain1.dom
domain2.dom smtp2:domain2.dom

single dot is for default

36) How can I make non local users alias
Set F=A flag for the appropriate delivery agent
/etc/aliases
usr@x.y.z: me

If mailer for x.y.z has F=A flag set you have what you want

37)I would like to allow only authorized people to use my mail
>server as relay. The best solution would be: if I do not have an account
>or a valid alias on the mail server, mail to the outside will be
>rejected.

You may try my hacks, at least they should give you an
impression how to accomplish this task.
It's the option:

_CHECK_LOCALUSER_
activate the check whether the local address of the sender appears in
passwd or aliases, i.e., if a mail is sent with the local domain
attached (@$=w), then the local part of it must appear in passwd or
aliases. This denies at least sending with non-existing usernames etc.
Of course it does not prevent sending mails with other names or faked
addresses.
Warning: if you have multiple alias files, you have to specify all but
the first again. For example: you have

define(`ALIAS_FILE',`/etc/aliases,/etc/maj-aliases,/etc/list-aliases')dnl

then you have to add this:

define(`ALIAS_FILE1',`/etc/maj-aliases')dnl
define(`ALIAS_FILE2',`/etc/list-aliases')dnl

(this has been changed on 1997-12-23).
Multiple alias files may cause a warning with some m4 versions:
../hack/check_mail3.m4:47: m4: Warning: Excess arguments to built-in
`define' ignored
Geoff Gibbs pointed out that nisplus in Solaris 2.x (5 and 6 at least)
requires a line like this:

Kchkalias1 nisplus -m -a@LOCALUSER mail_aliases.org_dir

This can be now defined in the normal version.
used by: check_mail3.m4
recommended

38)>Most of these "roaming" users come in from a small number of small
>(size) domains. So, I thought that an interim solution would be to
>create an access db and just list the domains/ip addresses in there, ....
>And my access db file (at this point) looks like this:
>stephen@ourdomain.net RELAY
>ourdomain.net RELAY
>At this point, I think I must be missing some fundamental thing about
>using the access db. But I don't know what? Can anyone help??

The access map entries for RELAY work only for the connection information,
not for MAIL FROM (the envelope sender). So

>stephen@ourdomain.net RELAY

won't help anything for relaying. However, if stephen@ourdomain.net connects
from a system within ourdomain.net then relaying should be allowed.
Does this work?
If it doesn't, see: http://www.informatik.uni-kiel.de/%7Eca/email/chk-dbg.html
If you want to turn on relaying based on the envelope sender, you need to
add a small hack, e.g., from
http://www.informatik.uni-kiel.de/%7Eca/email/chk-89.html

39) have diald installed on my linux box that does ip masquerading. diald
> dials when a user wants to use the internet, but how can I have outgoing
> messages not trigger diald, but instead go somewhere and wait until
> diald connects for other reasons. (I'm trying to minimize unnecessary

Mark SMTP mailer as "Expensive" in your sendmail configuration. If you
use mc, just add

define(`SMTP_MAILER_FLAGS', `e')

You will also have to start sendmail daemon without a -q (queue)
parameter, just "daemon sendmail -bd" in /etc/rc.d/init.d/sendmail
script. Then you can invoke sendmail (sendmail -q) from diald's ip-up
script every time the PPP link goes up.

40)How can I add subject to an e-mail

Put the subject in the "Email" file, followed by a blank line, like:

------------------------
Subject: An example of a subject line.

Blah blah, grommish grommish, rhubarb rhubarb.
Text text text...etc.
-----------------------------------

The blank line is important. Sendmail will put that line in the headers
as the "subject."

41) can someone please tell me what the xdelay= means coming out of syslog.

According to my reading of the source code (for v8.8.8), it's the elapsed
time between when Sendmail started delivery attempts for the message and
when it successfully delivered the message to the recipient listed in the
to= field. The delay= field shows the time elapsed from receipt of the
message, which can be longer than the xdelay if the message sat in the
queue for a while. You'll often see differences in delay and xdelay when
the message has multiple recipients, or if the message was received when
the load average was high enough to make Sendmail queue the message for
later delivery.
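To turn the two fields into numbers, here is an added example that is not part of the original answer: it parses constructed lines in the shape of sendmail's per-recipient "to=" log entries and reports deliveries whose delay exceeded xdelay by more than a threshold, i.e. messages that spent their time in the queue rather than in the delivery transaction itself. The interval form D+HH:MM:SS, used once an interval reaches a day, is what sendmail's pintvl() prints; the hosts, addresses and queue ids in the sample are constructed.

```python
import re

# Constructed sample lines in the shape of sendmail's per-recipient "to=" log
# entries (delay= is the time since the message arrived, xdelay= the time the
# final delivery transaction itself took).
SAMPLE_LOG = """\
Aug  4 10:15:02 relay sendmail[1201]: KAA01201: to=<alice@example.org>, ctladdr=<bob@relay.example> (1001/1001), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.example.org. [192.0.2.10], stat=Sent (OK)
Aug  4 11:40:17 relay sendmail[1388]: LAA01388: to=<carol@example.net>, ctladdr=<bob@relay.example> (1001/1001), delay=01:25:13, xdelay=00:00:04, mailer=esmtp, relay=mx.example.net. [192.0.2.20], stat=Sent (OK)
Aug  5 09:00:00 relay sendmail[2010]: MAA01999: to=<dave@example.com>, ctladdr=<bob@relay.example> (1001/1001), delay=1+02:03:04, xdelay=00:00:02, mailer=esmtp, relay=mx.example.com. [192.0.2.30], stat=Sent (OK)
"""

# sendmail prints intervals as HH:MM:SS, or D+HH:MM:SS once a day or more has passed.
FIELD_RE = re.compile(r"\b(?P<key>delay|xdelay)=(?P<val>(?:\d+\+)?\d\d:\d\d:\d\d)")
QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): ")


def parse_interval(text):
    """'HH:MM:SS' or 'D+HH:MM:SS' -> seconds."""
    days = 0
    if "+" in text:
        day_part, text = text.split("+", 1)
        days = int(day_part)
    hours, minutes, seconds = (int(x) for x in text.split(":"))
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def queue_wait(line):
    """(queue id, seconds the message waited before its successful delivery),
    i.e. delay minus xdelay. Returns None for lines without both fields."""
    fields = {m.group("key"): parse_interval(m.group("val"))
              for m in FIELD_RE.finditer(line)}
    if "delay" not in fields or "xdelay" not in fields:
        return None
    qid = QID_RE.search(line)
    return (qid.group("qid") if qid else None, fields["delay"] - fields["xdelay"])


def queued_messages(log, threshold=60):
    """(queue id, wait) for every delivery that waited at least `threshold` seconds."""
    result = []
    for line in log.splitlines():
        parsed = queue_wait(line)
        if parsed is not None and parsed[1] >= threshold:
            result.append(parsed)
    return result


if __name__ == "__main__":
    for qid, wait in queued_messages(SAMPLE_LOG):
        print("%s waited %d s in the queue" % (qid, wait))
```

A large gap between delay and xdelay on many messages at once is the signature of the load-average queueing described in question 50, or of a remote host that was down; a large xdelay alone points at the delivery itself being slow.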
42)Is there a way to keep outsiders from using the aliases I have created?

I implemented the following hack exactly for that purpose when our
internal distribution lists got hit by spam. I'm sure it could be easily
adapted to meet your needs. Add the following to your m4 master
configuration file:

#
LOCAL_CONFIG
Kprivate hash -o /etc/private.db
Kprivateok hash -o /etc/privateok.db
#
LOCAL_RULE_0
#
Scheck_rcpt
# check recipient. Let it through unless it's a private address
# (possibly with host or local domain attached to it)
R$*			$:$>3 $1
R$-			$:$(private $1$: OK $)
ROK			$@ OK non-private @ local
R$* < @$* $=m . >$*	$:$(private $1$: OK $)
R$* < @ $* >$*		$@ OK someone @ somewhere
ROK			$@ OK non-private @ here
# if private, check the sender (f macro). If the sender is local, let it
# through. The <@> and << >> hack is ugly, but I couldn't come up with a
# better way to treat user.something as a single token (any suggestions?)
RPRIVATE		$:$>3 $(dequote ""$&f $)
R$*			$:$1 <@>
R$* < @$+ > $* < @ >	$: $1 << @$2 >> $3
R$+ < @ >		$@ OK sender @ here
R$* << @ $* >>$*	$:$1 < @ $2 >$3
R$* < @$* $=m . >$*	$@ OK address @ domain
# not a local sender. Get the relay (client_name)...
R$* < @ $+ . >$*	$:$1@$2$| $>3 @$(dequote "" $&{client_name}$)
# a particular sender through a valid relay is ok
R$+$| $* < @$+ . > $*	$: $(privateok$3:$1$: $1$) $|$3
ROK $|$*		$@ OK relay: user@host
# anyone from a given host/domain from a valid relay is also ok
R$-@$+$| $+		$: $2$| $3
R$+ $|$+		$:$(privateok $2:@$1 $: notOK$)
ROK $*			$@ OK relay: @host
# the rest can go to hell
R$*			$#error $@ 5.7.1$: "571 private address."

The private map's keys are the list of private addresses with value PRIVATE:

list1 PRIVATE
list2 PRIVATE

The privateok keys are of the form relay:sender or relay:@host with values
OK:

relay.at.some.where:someone@some.where.else OK
relay.at.some.where:@its.ok.too   OK

You can test the rules by invoking the test mode and predefining the
client_name and f macros with different combinations and then calling
the check_rcpt rule with the recipient's address.
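A way to reason about those rules before running them through test mode, as an added example that is neither the poster's nor sendmail's code: a Python model of the decision the check_rcpt ruleset above reaches, with the two hash maps and class $=m replaced by constructed dictionaries. The rule order is followed as written, and the strings returned are the comments on the $@ lines.

```python
# Constructed stand-ins for class $=m and the two hash maps the rules consult.
LOCAL_DOMAINS = {"some.where"}                      # $=m
PRIVATE = {"list1": "PRIVATE", "list2": "PRIVATE"}  # /etc/private.db
PRIVATEOK = {                                       # /etc/privateok.db
    "relay.at.some.where:someone@some.where.else": "OK",
    "relay.at.some.where:@its.ok.too": "OK",
}


def split_address(addr):
    """'user@domain' -> (user, domain); domain is None for a bare local part.
    A trailing dot (sendmail's canonical form) is dropped."""
    if "@" in addr:
        user, domain = addr.rsplit("@", 1)
        return user, domain.rstrip(".").lower()
    return addr, None


def is_local_domain(domain):
    """Model of 'R$* < @$* $=m . >': the domain or any host below it."""
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)


def check_rcpt(recipient, sender, client_name):
    """The outcome the check_rcpt ruleset above reaches for one RCPT TO,
    given the envelope sender ($&f) and the connecting host (${client_name})."""
    rcpt_user, rcpt_domain = split_address(recipient)
    # A recipient somewhere else is never one of our private lists.
    if rcpt_domain is not None and not is_local_domain(rcpt_domain):
        return "OK someone @ somewhere"
    if PRIVATE.get(rcpt_user, "OK") != "PRIVATE":
        return "OK non-private @ here" if rcpt_domain else "OK non-private @ local"
    # Private list: a local sender (no domain, or one of ours) may post.
    snd_user, snd_domain = split_address(sender)
    if snd_domain is None:
        return "OK sender @ here"
    if is_local_domain(snd_domain):
        return "OK address @ domain"
    # Outside sender: only if the (relay, sender) or (relay, sender domain)
    # pair was explicitly listed in privateok.
    relay = client_name.rstrip(".").lower()
    if PRIVATEOK.get("%s:%s@%s" % (relay, snd_user, snd_domain)) == "OK":
        return "OK relay: user@host"
    if PRIVATEOK.get("%s:@%s" % (relay, snd_domain)) == "OK":
        return "OK relay: @host"
    return "571 private address."


if __name__ == "__main__":
    print(check_rcpt("list1", "outsider@evil.example", "mail.evil.example"))
    print(check_rcpt("list2", "anyone@its.ok.too", "relay.at.some.where."))
```

The model is useful for writing down the expected outcome of each (recipient, sender, client_name) combination before feeding the same combinations through -bt as the answer suggests. One thing it makes explicit: a sender with no domain part, which in this model includes the null sender <>, is taken as local and may post to a private list; what the real ruleset does with <> depends on what your ruleset 3 returns for it, so include that case in the test-mode run.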

43)What is the best way to keep a logfile of all emails that went through a mail relay machine

sendmail -bd -X <logfile>

44)How can I disable the DNS lookup on the sender's email address in
> sendmail in sendmail.cf (I don't use m4)?

You should use m4.

Anyway, find the lines in the rewriting rules that say $[...$] and delete
them.

ifdef(`_NO_CANONIFY_', `dnl', `dnl
# try UUCP traffic as a local address
R$* < @$+ . UUCP > $*		$: $1 < @$[ $2$] . UUCP . > $3
R$* < @ $+ . . UUCP . >$*	$@$1 < @ $2 . >$3')
')')
ifdef(`_NO_CANONIFY_', `dnl', `dnl
# pass to name server to make hostname canonical
R$* < @$* $~P >$*		$:$1 < @ $[$2 $3$] > $4')

45)Is there a way (There always is but an easy one) to get sendmail to
reject a message that's over say.. 30mb big?

If you have a fairly recent sendmail with an m4 configuration file you can
add the following to your sendmail.mc file and then regenerate the
sendmail.cf file:

For mail coming in via SMTP (limit to 10,000,000)

define(`confMAX_MESSAGE_SIZE', `10000000')dnl

For mail coming in via UUCP (you don't need this if you have only an SMTP
connection):

define(`UUCP_MAX_SIZE', `10000000')dnl

If you don't use an mc file you can edit the sendmail.cf file directly,
the relevant lines are:

# maximum message size
O MaxMessageSize=10000000

and for UUCP add M=10000000 to the mailer definitions.

46)...newaliases was run automatically by sendmail whenever needed. Is it
possible to configure 8.9.1 as to restore this behavior?

Add the following line to your sendmail.mc file and regenerate sendmail.cf

define(`confAUTO_REBUILD', `True')dnl

You may want to read the file cf/README in the sendmail distribution for
information about this and other options you can define in sendmail.mc.

47)Is it possible to redefine - presumably by some extra parameter in a
>mailer definition - the port to which sendmail connects when performing
>delivery, i.e. make it different from port 25.

Yes, you can do this via the A= declaration - see e.g.
http://www.dejanews.com/getdoc.xp?AN=352619898

48)HTML mails with sendmail

Add 'MIME-Version: 1.0' in your sendmail.cf file.

49)Many users at our site use PC based mail programs to read and send
>mail. Some of them manage to enter incorrect From addresses into their
>configuration. I want to catch them already in the MAIL FROM command.

This is integrated in my HACKs for 8.8:

_CHECK_LOCALUSER_
activate the check whether the local address of the sender appears in
passwd or aliases, i.e., if a mail is sent with the local domain
attached (@$=w), then the local part of it must appear in passwd or
aliases. This denies at least sending with non-existing usernames etc.
Of course it does not prevent sending mails with other names or faked
addresses.
Warning: if you have multiple alias files, you have to specify all but
the first again. For example: you have

define(`ALIAS_FILE',`/etc/aliases,/etc/maj-aliases,/etc/list-aliases')dnl

then you have to add this:

define(`ALIAS_FILE1',`/etc/maj-aliases')dnl
define(`ALIAS_FILE2',`/etc/list-aliases')dnl

(this has been changed on 1997-12-23).
Multiple alias files may cause a warning with some m4 versions:
../hack/check_mail3.m4:47: m4: Warning: Excess arguments to built-in
`define' ignored
Geoff Gibbs pointed out that nisplus in Solaris 2.x (5 and 6 at least)
requires a line like this:

Kchkalias1 nisplus -m -a@LOCALUSER mail_aliases.org_dir

This can be now defined in the normal version.
used by: check_mail3.m4
recommended

http://www.informatik.uni-kiel.de/%7Eca/email/check.html
('%7E' is the required encoding for '~')

50)Yesterday I noticed that our server stopped receiving SMTP requests on port 25
>when the load on the machine reached 32. I was viewing the load through the
>perfmeter utility on Solaris. As soon as the load dropped below 32 it started
>receiving requests again?

This is normal behaviour. Check the sendmail.cf, it has something similar
to:

# load average at which we just queue messages
Ox8

# load average at which we refuse connections
OX12

51)Took a while to notice it, since the other rulesets I swiped from Wolfgang's
} web page have been catching most of the spam (thanks Wolfgang!).  But it turns
} out that sendmail is making no use of the access map.  I ran sendmail -bt to
} see what it thought it was doing:
}
} > /map access.db friend@public.com
}
}Yes, I did makemap hash /etc/mail/access.db </etc/mail/access.  The
} line in the .mc file is FEATURE(access_db, hash -o /etc/mail/access.db').
} Running 8.9.1 on RedHat 5.1.  It's all very annoying because I know after
} spending the last week searching the bat book and the expert web pages, one of
} you brains is going to say "Oh, you just need to do this," and it will work.

Actually, you've done everything correctly, except that the map is referred to
as just "access" internal to sendmail, not "access.db".

52) >Does ETRN use MX records?

ETRN in sendmail simply starts queueing for the domain
that is given as parameter, so the answer is: yes.

See the RELEASE_NOTES:
Implement ESMTP ETRN command to flush the queue for a specific host.
The command takes a host name; data for that host is
immediately (and asynchronously) flushed.  Because this shares
the -qR implementation, other hosts may be attempted, but
there should be no security implications.  Implementation
from John Beck of InReference, Inc.

53)       Can anyone comment on the protocol
legality of MAIL FROM: <>, and what might break if
it was not allowed?  Please CC: me in any
responses.

http://www.faqs.org/rfcs/rfc821.html (section 3.6)

54)  I've been looking for some time for information on the ETRN command,
> and how to set it up within sendmail 8.9.x.
>
> I've looked on www.sendmail.org and can't seem to find any
> information. Can anyone direct me to a site that has either a FAQ or
> further info on how to set it up?

http://www.sendmail.org/faq/section3.html#3.23
http://www.sendmail.org/faq/section4.html#4.12
http://www.swinc.com/resource/exch_smtp.htm

55) Does anyone know where I can get a program that will strip email addresses
>from an html file.

Try visiting
http://www.senate.gov/~murkowski/commercialemail/EmailBillText.html and

56) want to run sendmail in a mode where it will only take messages, place
>them into the queue, and send them out, without attempting
>local delivery.  This is for a box that will only do relaying from
>a Lotus cc:Mail or Notes system.

I just did this for an Exchange server. (it just came up today as a
matter of fact!)

I used the following MC file (based on tcpproto.mc)

divert(0)dnl
VERSIONID(`@(#)odc-tcpproto.mc  8.10 (Ohio Dominican) 8/4/98')dnl
OSTYPE(linux)dnl
FEATURE(local_procmail,`/usr/bin/procmail')dnl
define(LUSER_RELAY,`exchange.odc.edu')dnl
FEATURE(relay_entire_domain)dnl
FEATURE(access_db)dnl
FEATURE(use_cw_file)dnl
MAILER(smtp)dnl

The LUSER_RELAY sent any mail that wasn't for a local user to my
Exchange server.  The access_db feature allowed me to choose what
hosts to allow relay (for outgoing mail from my exchange server).  The
use_cw_file feature allowed me to tell sendmail that mail for the
following domains (odc.edu, exchange.odc.edu) were local domains in
addition to the localhost domain (name of the sendmail box).

This probably isn't optimal; but it's working...

Good Luck!

Arron

57) >I would like to set a limit in the number of recipients that a message can
>reach (for anti-spamming considerations), but I haven't found any variable
>in sendmail.cf suitable for that.
>
>    I see in /var/log/syslog that the number of recipients (nrcpts) appear.

It's in sendmail 8.9.1, ftp://ftp.sendmail.org/pub/sendmail.

O MexRecipientsPerMessage or something like that. By the way, you should
use m4 and not edit sendmail.cf.

58)
> Is there any directory program for Linux so I can have the same
> functionality as in NT Exchange server with the address book?
>
>
Yes.

You can load and compile the LDAP 3.3 server distribution, and create an
LDAP database.

If you use a mail client like Outlook 98, and check the "check mail
addresses with this directory server" then it will query the LDAP server
and rewrite the e-mail address to the correct address, or give you a choice

If anyone wants detailed instructions on how to set this up, mail me at
tedm@toybox.placo.com

Ted

59)>*>I've got a question with Sendmail 8.9.1 and mail relaying.
>*>
>*>I'm trying to set up relay protection based on the relay_local_from
>*>feature.  We provide e-mail services for a wide variety of customers
>*>unfortunately most of them relay mail off our server from a variety of
>*>other Internet providers.  I wanted to verify that the "mail from"
>*>address matched either a list of domains that would be approved "mail
>*>from" domains (not the domain their connection is coming from, but just
>*>the domain specified in the mail from header).
>*>
>*>I added the following two lines to the .mc file and created the .cf file
>*>
>*>for sendmail...
>*>
>*>FEATURE(relay_local_from)
>*>FEATURE(relay_entire_domain)
>*>
>*>I also have the following specified in the sendmail.cf file;
>*>
>*># Hosts that will permit relaying ($=R)
>*>FR-o /etc/mail/relay-domains
>*>
>*>and /etc/mail/relay-domains exists and lists all available mail domains.
>*>
>*>However, I still cannot relay mail from an authorized source email
>*>"domain"..
>*>
>*>Can anyone catch anything I'm doing incorrectly?
>*>
>*>Thanks in advance.
>*>
>*>

60) in a quite complex environment I need to do some port redirection
> based on recipient domains. That means : if a mail is received on port
> 25, that is intended to go to firm.mx, it needs to be relayed through
> and sent to port xyz of a screening router, a mail heading to firm.es
> however should be sent out to the same router but with a different
> destination port.
>
> Any ideas ?
>

You could do this with a custom mailer and the mailertable.

Here is the mailer (in M4 format)

MAILER_DEFINITIONS
##################################################################
###   SMTP to a specific port on a host mailer specification  ###
##################################################################

Mportredirect,	P=[IPC], F=mDFMuXa, S=11/31, R=21/31, E=\r\n, L=990,
		T=DNS/RFC822/SMTP,
		A=IPC firewall.gadget.com $h
		      ^^^^^^^^^^^^^^^^^^^

It is simply the esmtp mailer definition with a new name, portredirect, and
a modified A= line.  I have added a specific host between IPC and $h. This
means that $h will be a port number rather than a host to connect to.

You would then add entries in the mailer table of the form:

This would cause mail for user@gadget.com to be delivered to port 26 on host

If you want to connect to the local host remember to add the "k" mailer flag
to the F= field to disable the local loopback test.  If you do not do
this you will get the error message:

Hope this helps

RLH

Paul,

I also am a small ISP and we have many domains that we allow people
to relay to and from. In our case, we have this in our .cf file:

#
# This will deny relay spamming by checking entries in /etc/relayto
# and /etc/localip
#
F{LocalIP}      /etc/localip
F{RelayTo}      /etc/relayto
Scheck_rcpt
R$+			$: $(dequote ""$&{client_addr} $)$| $1
R0$| $*			$@ ok			no client addr: directly invoked
R$={LocalIP}$* $|$*	$@ ok			from here
R$* $|$*		$:$>3 $2
R$*<@$*$={RelayTo}.>$*	$>3 $1$4
R$*<@$+>$*		$#error $@ 5.7.1$: 571 WebCC does not relay, see http://www.webcc.net/aup.htm#

This checks two files on our system. The first is a list of domains we
will accept mail for. This is /etc/relayto and has one domain listed
on each line. (ex: webcc.net)

The other file is a list of IP blocks we will allow to relay to
domains outside of our network. For example, all of our dial-up IP
addresses are listed in this file in addition to some offsite servers
and clients that use other providers but send mail through us.

Hope this helps you out.

61) Is there a way to make virtusertable lookups faster?  We are already using
> sendmail 8.9.x and DB2 with a hash map but our virtusertable has grown
> very large.  We are already using dedicated MX mail servers in a dual
> round-robin DNS configuration.
>
> Would it be worth splitting up virtusertable into domain-specific maps and
> telling sendmail to look up a virtusertable map depending on the domain?
>
> I'd say we're already at 100,000 entries in virtusertable.
>

How do you know that the virtusertable is your bottleneck?  My guess is
that it is not.  From a posting I made today on a related subject:

As a note, there is very little performance impact of large databases.
Sendmail does not sequentially search the database, but instead uses
the database's hash algorithm to find an index address.  It then checks
that index address in the data file and returns the result.  If a null
string is returned then sendmail knows that a match will not be found.
If a string is returned, then sendmail uses this as the matching
value.  If there is contention for the index address, then other stuff
happens.  But this does not happen for a significant number of the
index addresses.  The bottom line here is that most database (ndbm or
db hash) queries take a single disk operation regardless of
database size.

So size of the database should not be a major issue.  Building a large
database does take longer, but the lookup time should remain the same.
Breaking the virtusertable up into multiple smaller tables would not
improve performance in my opinion.  I would expect that if anything, it
would decrease performance because of the extra database file opens and
closes.

If you are concerned about performance there are other areas that I would
look at:

Does each area of disk activity have its own private disk drive?
Disk heads are the first point of contention on a sendmail system.
mqueue
/var/log
The OS itself, root, /usr, and swap
/var/spool/mail
poptemp   if it is a pop server
.hoststat  if persistent host status is used
/etc/mail  for database lookups

Do you have enough physical memory?
Being short of memory impacts disk I/O as you page and swap

If you are using narrow SCSI use either:
2 disks per controller
Upgrade to ultra wide SCSI with 4/8 disks per controller

Are you using RAID?
Stripe mqueue across all of the disks using the outer most cylinders.

All of the above is what I call "heuristic performance tuning" in that
I am simply using common sense and a knowledge of what sendmail does
to define some potential bottlenecks.  Disks, controllers, and memory
are relatively cheap these days.  A little bit of reconfiguration can
go a long way in improving performance.

If you want to get more esoteric here are some more things to think about:
More RAID, more spindles, more controllers, more cache, faster bus
connection to the CPU backplane

What is the bus architecture of the server?
If it is a PC you should be looking at 100 MHz PCI (and BX chipsets
on the motherboard, I think?)
If it is a Sun, Ultra 1, 2, and 450 have better busses
than Ultra 5, 10, 30, and ss 5, 10, and 20

If you are trying to speed up the database lookups you could move
them to a RAM disk and touch and rebuild the database(s) every time
the system reboots.

Put the mqueue directory on a battery backed up SCSI RAM disk
(expensive, but doable)

Put a prestoserv NFS accelerator before the mqueue, mail, poptemp,
and hoststat partitions to speed up disk writes.

On the software side, one of the biggest improvements is to keep the number
of messages waiting to be delivered in the mqueue directory small.  Either:
Paul Pomes' re-mqueue.pl script in the contrib directory of the
sendmail release
Or my reque mailer that I cover in my class "Managing Internet Mail"

Another thing I have thought about is storing the "xf" temporary files
in a different location from the "qf" and "df" files.  This would allow
the "xf" file to be kept on a tempfs RAM disk partition (more memory).
The "xf" file is the most active set of files on a sendmail server.
One is created for each delivery attempt for each recipient host.  They
also are totally temporary.  If the server is rebooted or sendmail
restarted, the old "xf" files are never used again so the fact that the
tempfs goes away on a reboot is not a problem.

I am also posting this to comp.mail.sendmail to get more feedback.
Hey guys and gals, anything I missed, anything out to lunch?

Hope this helps

RLH

62)>Got a slight problem here with makemap and spam
>rules in /etc/mail/access.
>
>My setup is a Sparc 20 running Solaris 2.5.1 with
>sendmail 8.9.1a.
>
>        FEATURE(relay_entire_domain)
>        FEATURE(access_db)
>all hell broke loose.
>
>When I try to fire up sendmail I get
>        readcf: map access: class hash not available
>

I had this too: reason is 1) a missing NEWDB package and 2) after installing
find the libdb.a and the *.h files and everything was fine

63)> just the same questions, without a good solution. Sorry if this question
> has already been discussed, but I couldn't find any answers so far...
>
> here it goes:
>
> I need to restrict users' mailboxes, i.e.: 10 Mb per user. I heard quotas are not a
> good way to do this.
>
> Another thing I'd like to do is to restrict the maximum message size for smtp.
> In sendmail.cf I've found the option to do this, but it applies to all
> local connections & connections coming from the internet. I'd like to set
> different values for each, and if possible, restrict maximum message size per
> USER account. Is this possible at all?

1) remove F=m flag from local delivery agent specification

2) replace local mailer program in sendmail.cf by your wrapper script
When mailbox size is ok it calls the original delivery agent.
When it's too big it exits with the appropriate exit code chosen from
<sysexits.h>

Sample delivery agent script:
The Bat Book 2nd ed. chapter 24.3
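A sketch of such a wrapper, added as an example (it is not the Bat Book's script and not the poster's): it sizes the recipient's mbox, defers with EX_TEMPFAIL from <sysexits.h> when the mailbox is over the limit, and otherwise runs the original delivery agent with the same arguments and returns its status. The spool directory, the real mailer's path and the mail.local-style argument convention ("-d user") are assumptions; the sample spool it builds for testing is constructed.

```python
import os
import sys
import subprocess
import tempfile

# Exit statuses from <sysexits.h>: EX_OK delivers, EX_TEMPFAIL makes sendmail
# keep the message in the queue and retry later instead of bouncing it.
EX_OK = 0
EX_TEMPFAIL = 75
EX_USAGE = 64

SPOOL_DIR = "/var/spool/mail"       # assumption: mbox spool directory
LIMIT_BYTES = 10 * 1024 * 1024      # 10 MB per user, the figure from the question
REAL_MAILER = "/bin/mail.local"     # assumption: path of the original local agent


def mailbox_size(user, spool_dir=SPOOL_DIR):
    """Current size of the user's mbox file; no mailbox yet counts as empty."""
    try:
        return os.path.getsize(os.path.join(spool_dir, user))
    except FileNotFoundError:
        return 0


def decide(user, spool_dir=SPOOL_DIR, limit=LIMIT_BYTES):
    """Exit status the wrapper returns for one recipient: deliver or defer."""
    return EX_OK if mailbox_size(user, spool_dir) < limit else EX_TEMPFAIL


def main(argv):
    # With F=m removed sendmail invokes the mailer once per recipient, so the
    # non-option arguments name that one user (mail.local style: -d user).
    users = [a for a in argv[1:] if not a.startswith("-")]
    for user in users:
        status = decide(user)
        if status != EX_OK:
            sys.stderr.write("%s: mailbox over quota, deferring delivery\n" % user)
            return status
    # Room left: hand the message (still unread on stdin) to the real agent
    # with the original arguments, and pass its exit status back to sendmail.
    return subprocess.call([REAL_MAILER] + argv[1:], stdin=sys.stdin)


def make_sample_spool(limit=1024):
    """Constructed fixture for testing: a temporary spool with one mailbox
    under the limit and one over it. Returns (spool_dir, limit)."""
    spool = tempfile.mkdtemp(prefix="spool-")
    with open(os.path.join(spool, "small"), "wb") as f:
        f.write(b"From alice Mon Aug  3 10:00:00 1998\nshort message\n")
    with open(os.path.join(spool, "big"), "wb") as f:
        f.write(b"x" * (limit + 1))
    return spool, limit


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.stderr.write("usage: quota-wrapper [mailer options] user\n")
        sys.exit(EX_USAGE)
    sys.exit(main(sys.argv))
```

EX_TEMPFAIL keeps the message queued so it is retried after the user makes room, where a permanent code such as EX_CANTCREAT would bounce it; which of the two you want is a policy choice, and the exit code is the only thing sendmail sees.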

64)Re: dbm map "alias0": unsafe map file /etc/aliases
]What does this error mean.

+-----------------------+
| DIRECTORY PERMISSIONS |
+-----------------------+

Sendmail often gets blamed for many problems that are actually the
result of other problems, such as overly permissive modes on directories.
For this reason, sendmail checks the modes on system directories and
files to determine if they can be trusted.  For sendmail to run
without complaining, you MUST execute the following command:

chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
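Those checks can be scripted so the audit is repeatable after every change. The following is an added example, not from the sendmail README: it applies the same criteria (no group/other write bits, root ownership, and for mqueue the 0700 mode that question 32 mentions) to the directories listed above and reports what would trigger the "unsafe" complaint. The temporary tree it builds for testing is a constructed fixture; run audit() against the real paths as root, or pass the RunAsUser's uid as expect_uid for mqueue.

```python
import os
import stat
import tempfile

# Directories the README above tells you to chown root and chmod go-w;
# CERT and the Bat Book (question 32) additionally want mqueue at 0700.
SYSTEM_DIRS = ["/", "/etc", "/etc/mail", "/usr", "/var",
               "/var/spool", "/var/spool/mqueue"]
MQUEUE = "/var/spool/mqueue"


def check_dir(path, expect_uid=0, max_mode=None):
    """Problems with one directory: group/other write bits, wrong owner, or
    (if max_mode is given) any permission bit outside max_mode."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("%s: writable by group/other (mode %04o)" % (path, mode))
    if st.st_uid != expect_uid:
        problems.append("%s: owned by uid %d, expected %d"
                        % (path, st.st_uid, expect_uid))
    if max_mode is not None and mode & ~max_mode:
        problems.append("%s: mode %04o is looser than %04o" % (path, mode, max_mode))
    return problems


def audit(dirs=SYSTEM_DIRS, mqueue=MQUEUE, expect_uid=0):
    """Run check_dir over every listed directory that exists; the queue
    directory is additionally held to 0700."""
    problems = []
    for d in dirs:
        if os.path.isdir(d):
            problems.extend(check_dir(d, expect_uid, 0o700 if d == mqueue else None))
    return problems


def make_sample_tree():
    """Constructed fixture: a temp tree with one correct directory (0755) and
    one that is world-writable (0777), both owned by the current user."""
    root = tempfile.mkdtemp(prefix="smcheck-")
    good = os.path.join(root, "spool")
    bad = os.path.join(root, "mqueue")
    os.mkdir(good)
    os.chmod(good, 0o755)
    os.mkdir(bad)
    os.chmod(bad, 0o777)
    return {"root": root, "good": good, "bad": bad, "uid": os.getuid()}


if __name__ == "__main__":
    for problem in audit() or ["no problems found"]:
        print(problem)
```

Each reported line corresponds to one of the two commands above: a "writable by group/other" or "looser than" finding is fixed by the chmod, an ownership finding by the chown.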