1) /usr/lib/sendmail -d0.4 -bt < /dev/null
which shows you how sendmail thinks about your host.
2) sendmail supports several map types. The main types are:
hash/btree
    requires the compile flag -DNEWDB. This is the new Berkeley DB package.
    If your system does not have this pre-installed, or the version installed
    is not version 2.0 or greater (e.g., is Berkeley DB 1.85 or 1.86), get the
    current version from http://www.sleepycat.com/.
dbm
    requires the compile flag -DNDBM. This is the older NDBM implementation.
3) Which sendmail version do I run?
To find out which version of sendmail is installed on your system, you can try
the following commands:
sendmail -d0.5 -bv root
should tell you its version and some basic settings.
telnet localhost 25
sendmail should greet you with its welcome message and tell you the version of
its binary and config file. Enter QUIT to leave this mode.
4) I can't send mail to users whose accounts have upper case letters?
First: Don't use uppercase letters...: man 5 passwd:
    username is the user's login name. This field contains no uppercase
    characters, and must not be more than eight characters in length.
If you really need it, set the flag 'u' in
Mlocal,..F=..u..
             ^
in sendmail.cf
    u   Upper case should be preserved in user names for this mailer.
If you use procmail as local mailer, make sure you define
NO_USER_TO_LOWERCASE_HACK (in config.h ?).
5) Cannot alias non-local names
If you get the error "name: cannot alias non-local names" when running
newaliases (or sendmail -bi), there are several possibilities to check:
1. Does
   sendmail -bt
   > 3,0 name
   resolve to the local mailer?
2. Make sure you have the flag F=A for Mlocal in your sendmail.cf. (This
   applies to sendmail 8.8.)
6) Config error: mail loops back to myself
You are still getting this message:
553 relay.domain.net config error: mail loops back to myself
554 <user@domain.net>... Local configuration error
How can I solve this problem? There are two possibilities:
1. You have asked mail to the domain (e.g., dom.ain) to be forwarded to a
   specific host (in this case, relay.dom.ain) by using an MX record, but the
   relay machine doesn't recognize itself as dom.ain. Add dom.ain to
   /etc/sendmail.cw (if you are using FEATURE(use_cw_file)) or add
   Cwdom.ain
   to your configuration file.
2. Another possibility is that relay.dom.ain should send this to another host
   mail.dom.ain which really handles the mail for dom.ain. If this host is
   reachable by SMTP you should create an MX record with the best (lowest)
   priority pointing to mail.dom.ain. Make sure that relay.dom.ain really
   knows it is relay.dom.ain! If you set up the MX records, you must use the
   correct name for relay.dom.ain. If mail.dom.ain is reachable by some other
   mail transport protocol (UUCP) or it is not directly reachable from the
   outside, you may have a look at the feature mailertable. E.g., use in your
   .mc configuration file something like
   FEATURE(mailertable,`dbm -o /etc/mailertable')
   (or another database type, see makemap(8)) and add a line like the
   following to the mailertable:
   dom.ain    smtp:[mail.dom.ain]
   The square brackets ([ ]) tell sendmail to ignore MX records for
   mail.dom.ain.
Two more hints: An MX record shouldn't point to a CNAME; it will most probably
cause you a lot of trouble. (And currently it violates RFC 974.)
And from src/READ_ME:
WILDCARD MX RECORDS ARE A BAD IDEA! The only situation in which they work
reliably is if you have two versions of DNS, one in the real world which has a
wildcard pointing to your firewall, and a completely different version of the
database internally that does not include wildcard MX records that match your
domain. ANYTHING ELSE WILL GIVE YOU HEADACHES!
IMPORTANT: Be sure you kill and restart the sendmail daemon after you change
the configuration file (for ANY change in the configuration, not just this
one):
kill `head -1 /etc/sendmail.pid`
sh -c "`tail -1 /etc/sendmail.pid`"
NOTA BENE: kill -1 does not work!
And both hints didn't solve your problem? Here is another hint about what
might be wrong: Do you use a LOCAL_RULE_0 in your sendmail.mc (which is S98 in
sendmail.cf)? This rule is evaluated before the local recognition of S0
happens. So if you use some rule here which (by accident) also matches your
local host but doesn't resolve to local, you have a problem. Try to debug that
address and see where it fails (where it gets resolved to another mailer than
local).
7) How to route all mail to a single user?
Sometimes you want to route all mail for a domain to a single user. You can do
this by a rule like this:
R$+ < @ the.domain. >	$#local $: the-user	all to one user
This usually goes into ruleset 0.
8) How to route mail to unknown users to one account?
sendmail 8 has a feature to route all mail which ends up as local on the
system but isn't a valid account (or alias) to another system (the so-called
LUSER_RELAY), see cf/README (from 8.8). However, this feature is
disrecommended, since it can break ``working'' addresses if you introduce new
local users.
If you want to route all mail to unknown users to one account (instead of
giving the standard error reply), you can put in your .mc file the following:
define(`LUSER_RELAY',`local:someuser@your.domain')
or look in your sendmail.cf for these lines and remove the hash in front of
them:
Kuser user -m -a<>
DLlocal:someuser@your.domain
R< > $+			$: < $L . > $( user $1 $)	look up user
R< $* > $+ <> $*	$: < > $2 $3			found; strip $L
R< $* . > $+		$: < $1 > $2			strip extra dot
Something similar can be accomplished for virtual domains.
9) How do I queue mail for another domain?
Your system mailserver.my.domain should act as a backup mailserver for
mailserver.client.domain. The client wants to receive mail for the address
user@client.domain. This requires:
1. MX Records:
   client.domain.              IN MX 10 mailserver.client.domain.
   client.domain.              IN MX 10 mailserver.my.domain.
   mailserver.client.domain.   IN MX 10 mailserver.client.domain.
   mailserver.client.domain.   IN MX 10 mailserver.my.domain.
   The last two records are there "just in case". Make sure you use the real
   names of all systems. mailserver.my.domain must know its own name,
   otherwise you'll get the famous "mail loops back to myself" error.
2. On your system: do nothing unless you have anti-relay rules installed
   (which you really should have!). In this case, add client.domain to the
   required files. Don't add client.domain or mailserver.client.domain to
   class w on your system!
3. sendmail on your system will try to deliver mail during queue runs;
   however, the client may trigger delivery by using the ETRN command.
10) Class w contains all local addresses
sendmail 8.8 includes all local addresses into class w to avoid the well-known
config error "mail loops back to myself". If this is not intended, there's an
undocumented compile-time option, -D_FFR_DONT_PROBE_INTERFACES_OPTION, which
enables the option O DontProbeInterfaces in your sendmail.cf. Set it to True
to keep sendmail from adding all local addresses to class w.
11) How do I refuse e-mail from unwanted domains (users)?
Using rules with sendmail 8.8 or 8.9
sendmail 8.8 has some new rulesets to check who can use your machine as a mail
gateway. "Using check_* in sendmail 8.8" gives an overview of how to use these
rulesets; 8.9 has standard FEATUREs to this effect.
Using rules with sendmail 8.x
If you have sendmail 8.x (with x < 8), you can do the following to refuse
mails from unwanted domains/hosts: Put into ruleset 98 something like this
(this is LOCAL_RULE_0 in your .mc file):
R$* < @$*$=K . > $*	$#error $@ 5.7.1 $: "This domain is banned."
R$* < @$*$=K > $*	$#error $@ 5.7.1 $: "This domain is banned."
And define a class K by:
FK/etc/banned.domains
In this file, you should put the names of the banned domains, e.g.,
cyberpromo.com
quantcom.com
savetrees.com
If you want to specify the user(s) too, you have to replace the first $* with
the name or a match for a class.
Using tcp_wrappers
Another possibility is to use tcp_wrappers. There is a patch available for
sendmail 8.7.x which incorporates the functionality directly into sendmail.
Using this approach, you can define the access to your sendmail daemon based
on the rules available for tcp_wrappers.
sendmail 8.8 supports this without a patch; just use -DTCPWRAPPERS=1 for
compilation and add the appropriate library -lwrap. There is a patch for a
problem with sendmail 8.8.8, which passes incorrect data to the library
routines; it can be found in ftp://ftp.win.tue.nl/pub/security/. Thanks to
Lou Rinaldi for pointing this out.
Using checkcompat()
A third possibility is to use the checkcompat() routine. Kyle Jones proposed
the following patch. It is intended to disallow all non-local e-mail traffic
through your host. Use at your own risk.
12) Unsafe map file /etc/mail/aliases
With the latest sendmail release many people get an error message like:
unsafe map file /etc/mail/aliases
(or another map). There may be several reasons for this; the most common is
that the permissions of the directories leading to the alias file are
incorrect. It must be:
drwxr-xr-x  12 root     staff        3072 Nov 20 10:47 /etc/
drwxr-xr-x   4 root     staff        1024 Dec 21 16:40 /etc/mail/
i.e., the directory must be owned by root and not writable by the group or
the rest of the world. The alias file itself must have similar permissions.
Moreover, if you have a db map, you may try to touch the resulting map
(file.db) and call makemap or newaliases thereafter. See the release notes for
further details.
/usr/lib/sendmail -bi -d44.4
gives some debug output for the alias map.
13) Allowing controlled SMTP relaying in Sendmail 8.9
As of sendmail version 8.9, forwarding of SMTP messages is not permitted by
default. For example, if you are on site A.COM, you will not accept mail from
B.NET destined for C.ORG without special arrangements. These instructions
assume that you are using the M4 technique for creating your sendmail.cf
files; if you are not, you are on your own.
The simplest approach is to list the domains you are willing to relay in the
file /etc/mail/relay-domains. Anything listed in this file will be accepted
for relaying. N.B.: Sendmail must be restarted after this file is modified.
For more precise tuning, several FEATUREs have been added to control relaying:
FEATURE(relay_hosts_only). Normally domains are listed in
    /etc/mail/relay-domains; any hosts in those domains match. With this
    feature, each host in a domain must be listed.
FEATURE(relay_entire_domain). Setting this feature allows relaying of all
    hosts within your domain. For example, on the host gateway.A.COM, this
    feature allows mail to or from any host in the A.COM domain. More
    precisely, this relays any host listed in the $=m class. This is
    equivalent to listing the name of the domain in /etc/mail/relay-domains.
FEATURE(access_db). This enables the hash database /etc/mail/access to
    enable or disable access from individual domains (or hosts, if
    FEATURE(relay_hosts_only) is set). The database format is described
    below.
FEATURE(blacklist_recipients). If set, this feature looks up recipients as
    well as senders in the access database.
FEATURE(rbl). Enables rejection of mail based on the Realtime Blackhole List
    maintained at maps.vix.com.
FEATURE(accept_unqualified_senders). Normally, sendmail will not accept mail
    from a sender without a domain attached -- for example, user instead of
    user@B.NET. This feature allows such users.
FEATURE(accept_unresolvable_domains). Normally, sendmail will refuse to
    accept mail that has a return address with a domain that cannot be
    resolved using the regular host lookups (a technique commonly used by
    spammers). This feature permits acceptance of such addresses.
    Unresolvable domains can be selectively accepted using the access
    database.
FEATURE(relay_based_on_MX). Setting this feature permits relaying for any
    domain that is directed to your host.
Several other features are probably a bad idea, unless you are inside a
firewall, because they make your system vulnerable to abuse by spammers:
FEATURE(relay_local_from). This feature allows relaying if the message
    claims to originate at your domain. Since forging this address is
    trivial, this is probably a bad idea.
FEATURE(loose_relay_check). This turns off checking for explicit routing
    through your host, such as target%C.ORG@A.COM.
FEATURE(promiscuous_relay). If you really want to forward all the spam on
    the net, this will turn off all checking for relaying.
The Access Database
The access database (normally in /etc/mail/access) allows a mail
administrator to administratively allow access to the mail server by
individual domains. Each database entry consists of a domain name or network
number as the key and an action as the value.
Keys can be a fully or partly qualified host or domain name such as
host.subdomain.domain.com, subdomain.domain.com, or domain.com. The last two
forms match any host or subdomain under the specified domain. (If
FEATURE(relay_hosts_only) is set, only the first form works.) Keys can also
be a network address or subnetwork, e.g., 205.199.2.250, 205.199.2, or
205.199. The latter two forms match any host in the indicated subnetwork.
Lastly, keys can be user@host.domain to reject mail from a specific user.
Values can be REJECT to refuse connections from this host, DISCARD to accept
the message but silently discard it (the sender will think it has been
accepted), OK to allow access (overriding other built-in checks), RELAY to
allow access including relaying SMTP through your machine, or an arbitrary
message to reject the mail with the customized message.
For example, a database might contain:
cyberpromo.com          REJECT
sendmail.org            RELAY
spam@buyme.com          550 Spammers shan't see sunlight here
to reject all mail from any host in the cyberpromo.com domain, allow any
relaying to or from any host in the sendmail.org domain, and reject mail from
spam@buyme.com with a specific message.
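The key-matching rules just described can be traced on sample input with the following model. It is an added example, not sendmail's own code: it parses an access database in the text form that makemap reads (the FAQ's three example entries plus two constructed network entries) and returns the action for a sender address, host name or IP, trying the most specific key first. Where the page lists the key forms but not the order in which sendmail tries them, the order below (full sender, then "user@", then host, then each parent domain; for addresses, the full address, then each shorter prefix) is this example's assumption.

```python
from typing import Dict, List, Optional

# Constructed access database, in the text form that makemap(8) reads.  The
# first three entries are the FAQ's own example; the two network entries show
# that a more specific key (the single address) wins over its network block.
ACCESS_TEXT = """\
# key                 action
cyberpromo.com        REJECT
sendmail.org          RELAY
spam@buyme.com        550 Spammers shan't see sunlight here
205.199.2             550 Your netblock is not allowed
205.199.2.250         OK
"""


def parse_access(text: str) -> Dict[str, str]:
    """Parse 'key<whitespace>action' lines; '#' starts a comment."""
    db: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue                       # a key with no action is ignored
        db[fields[0].lower().rstrip(".")] = fields[1].strip()
    return db


def _candidates(address: str, relay_hosts_only: bool) -> List[str]:
    """Keys to try, most specific first (the order is this model's assumption)."""
    address = address.lower().rstrip(".")
    keys: List[str] = []
    host = address
    if "@" in address:
        user, host = address.rsplit("@", 1)
        keys.append(f"{user}@{host}")      # exact sender
        keys.append(f"{user}@")            # 'user@' form: that user at any domain
    if host.replace(".", "").isdigit():
        parts = host.split(".")            # 205.199.2.250 -> 205.199.2 -> 205.199 -> 205
        while parts:
            keys.append(".".join(parts))
            parts.pop()
    elif relay_hosts_only:
        keys.append(host)                  # only a fully qualified host key matches
    else:
        labels = host.split(".")           # host.sub.dom.com -> sub.dom.com -> dom.com -> com
        while labels:
            keys.append(".".join(labels))
            labels.pop(0)
    return keys


def lookup(db: Dict[str, str], address: str, relay_hosts_only: bool = False) -> Optional[str]:
    """Return the action for a sender, host name or IP address, or None
    when no key matches (sendmail then applies its normal checks)."""
    for key in _candidates(address, relay_hosts_only):
        if key in db:
            return db[key]
    return None


if __name__ == "__main__":
    db = parse_access(ACCESS_TEXT)
    for probe in ("spam@buyme.com", "joe@mail.cyberpromo.com", "205.199.2.7",
                  "205.199.2.250", "someone@example.net"):
        print(f"{probe:30s} -> {lookup(db, probe)}")
```

Note that a RELAY or OK value attached to a domain key applies to every host beneath it unless FEATURE(relay_hosts_only) is set, which is why the test below expects the cyberpromo.com entry to stop matching a sub-host under that feature.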
14) Don't Blame Sendmail and Enhanced File Security
Beginning with version 8.9.0, sendmail has tightened the rules used for
opening files. Sendmail now checks the modes and ownership of the files and
the directory path leading up to that file to prevent users from taking
advantage of overly permissive modes on directories and files.
During your migration to sendmail 8.9, you will need to fix up any
permissions which would be considered unsafe, such as non-root owned
directories containing maps or group writable directories and files. In
general, directories which sendmail reads from should be owned by root unless
the RunAsUser option is set. There are exceptions to this rule such as user
.forward files.
You may have to tweak your environment to make it safer for sendmail to run.
If you find that some of the safeties in sendmail are too restrictive for
your environment, they can be turned off by setting the option
DontBlameSendmail. The option is appropriately named, as sendmail is not to
be blamed for problems resulting from unsafe permissions on directories and
files.
Checking your system for these unsafe files is simply a matter of performing
a few commands to see if they report any problems. For example, if
rebuilding the aliases file with:
# newaliases -v
gives messages such as:
WARNING: writable directory /etc
WARNING: writable directory /usr/spool/mqueue
then the directories listed have inappropriate write permissions and should
be secured to avoid various possible security attacks. Although somewhat
verbose, a good test to make sure sendmail is satisfied with the permissions
on your database maps, class files, and aliases file is the command:
# sendmail -v -d44.4 -bv postmaster
This will output the file safety checks as they are done and the results of
each one.
The biggest surprise is likely to come from .forward and :include: files in
unsafe directory paths (directory paths which are group or world writable).
This is no longer allowed. This would mean that if user joe's home directory
was writable by group staff, sendmail would not use his .forward file. This
behavior can be altered, at the possible expense of system security, by
setting the DontBlameSendmail option. For example, to allow forward files in
group writable directories:
O DontBlameSendmail=forwardfileingroupwritabledirpath
Or to allow them in both group and world writable directories:
O DontBlameSendmail=forwardfileinunsafedirpath
Items from these unsafe .forward and :include: files will be marked as unsafe
addresses -- the items can not be deliveries to files or programs. This
behavior can also be altered via DontBlameSendmail:
O DontBlameSendmail=forwardfileinunsafedirpath,forwardfileinunsafedirpathsafe
The first flag allows the forward file to be read, the second allows the
items in the file to be marked as safe for file and program delivery.
Other files affected by this strengthened security include class files (i.e.
Fw /etc/sendmail.cw), persistent host status files, and the files specified
by the ErrorHeader and HelpFile options. Similar DontBlameSendmail flags are
available for these files.
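The "unsafe map file" error of section 12 and the "WARNING: writable directory" messages above come from the same path check, so the following added example (not sendmail's safefile() code) serves both: it walks every directory from the filesystem root down to a file and reports what sendmail 8.9 would object to. It models the rules the text states, namely that no directory on the path may be world-writable, that group-writable directories are unsafe unless GroupWritableDirPathSafe is set, that the file itself must not be group- or world-writable, that links are suspect, and that non-root ownership is worth a warning. The fixture builder creates a throw-away tree under a temporary directory so the check can be exercised without touching /etc/mail. The behaviour for sticky-bit directories such as /tmp is deliberately conservative (they are reported), which is an assumption of this example.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def unsafe_components(path: str, group_writable_dir_safe: bool = False) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for each directory on the way to `path`,
    and for the file itself, that sendmail's path check would complain about.
    An empty list means the path would be accepted."""
    problems: List[Tuple[str, str]] = []
    full = os.path.abspath(path)

    # Collect the directories from the root down to the file's directory.
    dirs: List[str] = []
    d = os.path.dirname(full)
    while True:
        dirs.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent

    for d in reversed(dirs):
        try:
            st = os.stat(d)
        except FileNotFoundError:
            problems.append((d, "missing directory"))
            continue
        if st.st_mode & stat.S_IWOTH:
            problems.append((d, "world-writable directory"))
        elif st.st_mode & stat.S_IWGRP and not group_writable_dir_safe:
            problems.append((d, "group-writable directory"))
        if st.st_uid != 0:
            problems.append((d, "not owned by root"))

    if os.path.islink(full):
        problems.append((full, "file is a symbolic link"))
    try:
        st = os.stat(full)
    except FileNotFoundError:
        problems.append((full, "missing file"))
        return problems
    if st.st_mode & stat.S_IWOTH:
        problems.append((full, "world-writable file"))
    elif st.st_mode & stat.S_IWGRP:
        problems.append((full, "group-writable file"))
    if st.st_nlink > 1:
        problems.append((full, "file is a hard link"))
    return problems


def build_demo_tree(dir_mode: int, file_mode: int) -> Tuple[str, str, str]:
    """Constructed fixture: <tmp>/mail/aliases with the requested modes.
    Returns (base, directory, file)."""
    base = tempfile.mkdtemp(prefix="dbs-demo-")
    directory = os.path.join(base, "mail")
    os.mkdir(directory)
    os.chmod(directory, dir_mode)          # explicit chmod: mkdir honours umask
    path = os.path.join(directory, "aliases")
    with open(path, "w") as fh:
        fh.write("postmaster: root\n")
    os.chmod(path, file_mode)
    return base, directory, path


if __name__ == "__main__":
    _, _, aliases = build_demo_tree(0o775, 0o644)
    for where, why in unsafe_components(aliases):
        print(f"WARNING: {why}: {where}")
```

Run against /etc/mail/aliases on a real system it prints the same kind of list that "sendmail -v -d44.4 -bv postmaster" produces, and with group_writable_dir_safe=True it shows what the GroupWritableDirPathSafe flag would silence.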
The DontBlameSendmail option takes one or more names that disable checks. In
the descriptions that follow, "unsafe directory" means a directory that is
writable by anyone other than the owner. The values are:
Safe
No special handling.
AssumeSafeChown
Assume that the chown system call is restricted to root.
Since some versions of UNIX permit regular users to give
away their files to other users on some filesystems,
sendmail often cannot assume that a given file was
created by the owner, particularly when it is in a writable
directory. You can set this flag if you know that file
giveaway is restricted on your system.
ClassFileInUnsafeDirPath
When reading class files (using the F line in the
configuration file), allow files that are in unsafe directories.
ErrorHeaderInUnsafeDirPath
Allow the file named in the ErrorHeader option to be in
an unsafe directory.
GroupWritableDirPathSafe
Change the definition of "unsafe directory" to consider
group-writable directories to be safe. World-writable
directories are always unsafe.
GroupWritableForwardFileSafe
Accept group-writable .forward files.
GroupWritableIncludeFileSafe
Accept group-writable :include: files.
GroupWritableAliasFile
Allow group-writable alias files.
HelpFileInUnsafeDirPath
Allow the file named in the HelpFile option to be in an
unsafe directory.
WorldWritableAliasFile
Accept world-writable alias files.
ForwardFileInGroupWritableDirPath
Allow .forward files in group writable directories.
IncludeFileInGroupWritableDirPath
Allow :include: files in group writable directories.
ForwardFileInUnsafeDirPath
Allow .forward files in unsafe directories.
IncludeFileInUnsafeDirPath
Allow :include: files in unsafe directories.
ForwardFileInUnsafeDirPathSafe
Allow a .forward file that is in an unsafe directory to
include references to programs and files.
IncludeFileInUnsafeDirPathSafe
Allow a :include: file that is in an unsafe directory to
include references to programs and files.
MapInUnsafeDirPath
Allow maps (e.g., hash, btree, and dbm files) in unsafe
directories.
LinkedAliasFileInWritableDir
Allow an alias file that is a link in a writable directory.
LinkedClassFileInWritableDir
Allow class files that are links in writable directories.
LinkedForwardFileInWritableDir
Allow .forward files that are links in writable directories.
LinkedIncludeFileInWritableDir
Allow :include: files that are links in writable
directories.
LinkedMapInWritableDir
Allow map files that are links in writable directories.
LinkedServiceSwitchFileInWritableDir
Allow the service switch file to be a link even if the
directory is writable.
FileDeliveryToHardLink
Allow delivery to files that are hard links.
FileDeliveryToSymLink
Allow delivery to files that are symbolic links.
RunProgramInUnsafeDirPath
Go ahead and run programs that are in writable
directories.
RunWritableProgram
Go ahead and run programs that are group- or
world-writable.
WriteMapToHardLink
Allow writes to maps that are hard links.
WriteMapToSymLink
Allow writes to maps that are symbolic links.
WriteStatsToHardLink
Allow the status file to be a hard link.
WriteStatsToSymLink
Allow the status file to be a symbolic link.
15) FR-o /etc/mail/relay-domains
Class R (relay-domains) doesn't act on MAIL FROM, but on the address of the
connecting system.
16) Is there an already written FEATURE or HACK which allows me to ban a spam
domain like hostmail.com yet allow certain users who have accounts on
hostmail.com access?
Use
FEATURE(access_db)
and create an access map with entries like:
hostmail.com            REJECT
friend1@hostmail.com    OK
another@hostmail.com    OK
However, it doesn't really work :-( You have to disable check_relay. If you
want to make use of this trick and you don't need check_relay (see the docs
for info about this ruleset), you can disable it:
SLocal_check_relay
R$*	$@ $# OK
17) Anti Spam Again
Sendmail 8.8.x
For now I'll just link the spam rule I install on the linux boxes here at
Infinex. It works great to the best of my knowledge (not much up there ;) ).
Basically you list which network blocks are allowed to send mail through
you, i.e.
127.0.0.1
207.113.220
10.2
207.201.8.22
and for domain names
localhost
infinex.com
subdomain.infinex.com
Here's a tiny modified version of the link above that is actually used at
Infinex.
# please use the .m4 file, this file is not maintained!
LOCAL_CONFIG
F{LocalIP} /etc/spam/OkIPs
F{RelayTo} /etc/spam/OkDomains
LOCAL_RULESETS
Scheck_rcpt
# make sure you have TABs here, not BLANKs! sendmail will complain otherwise...
# first: get client addr
R$+			$: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*		$@ ok				no client addr: directly invoked
R$={LocalIP}$* $| $*	$@ ok				from here
# not local, check rcpt
R$* $| $*		$: $>3 $2
# remove local part, maybe repeatedly
R$+			$:$>remove_local $1
# still something left?
R$*<@$+>$*		$#error $@ 5.7.1 $: 550 Sorry.. we do not allow relaying
Sremove_local
# remove RelayTo part (maybe repeatedly)
R$*<@$*$={RelayTo}.>$*	$>3 $1 $4
R$*<@$=w.>$*		$: $>remove_local $>3 $1 $3
R$*<@$*>$*		$@ $1<@$2>$3
# dequote local part
R$-			$: $>3 $(dequote $1 $)
R$*<@$*>$*		$: $>remove_local $1<@$2>$3
If anyone knows if the above sendmail rule can still be relayed through, email me!! please!! ;)..
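To see what the check_rcpt and remove_local rulesets above actually decide, here is an added Python model of them (it is not Infinex's code and not part of the FAQ). It uses the two constructed class files shown above for {LocalIP} and {RelayTo}; the local host names in $=w are an assumption, since the post does not list them. The ruleset-3 behaviour it needs, splitting "user@domain" and treating "user%domain" with no "@" as user<@domain>, is simplified to just those two cases, and the "directly invoked" rule is modelled as an empty client address.

```python
from typing import Optional, Tuple

LOCAL_IP = ["127.0.0.1", "207.113.220", "10.2", "207.201.8.22"]   # /etc/spam/OkIPs (from the post)
RELAY_TO = ["localhost", "infinex.com", "subdomain.infinex.com"]  # /etc/spam/OkDomains (from the post)
LOCAL_HOSTS = ["mail.infinex.com"]                                # class w: assumed for this example


def client_is_local(client_addr: str) -> bool:
    """R$={LocalIP}$* : the client address begins with a class member, compared
    dotted-component-wise as sendmail tokenizes it, so 10.2 matches 10.2.7.7
    but not 10.25.1.1."""
    parts = client_addr.split(".")
    for member in LOCAL_IP:
        m = member.split(".")
        if parts[:len(m)] == m:
            return True
    return False


def canonify(addr: str) -> Tuple[str, Optional[str]]:
    """Simplified ruleset 3: return (local part, domain or None).  An address
    with '%' and no '@' becomes local<@domain>, which is what makes the
    percent-hack relay attempt visible to the check."""
    addr = addr.strip().strip("<>")
    if "@" in addr:
        local, domain = addr.rsplit("@", 1)
    elif "%" in addr:
        local, domain = addr.rsplit("%", 1)
    else:
        return addr, None
    return local, domain.lower().rstrip(".")


def remove_local(local: str, domain: Optional[str]) -> Tuple[str, Optional[str]]:
    """Sremove_local: strip a {RelayTo} domain or a local host name and
    re-canonify what is left, repeating until nothing local remains."""
    while domain is not None:
        in_relay_to = any(domain == d or domain.endswith("." + d) for d in RELAY_TO)
        if in_relay_to or domain in LOCAL_HOSTS:
            local, domain = canonify(local)
        else:
            break
    return local, domain


def check_rcpt(client_addr: str, rcpt: str) -> str:
    """Return 'ok' or the 550 text the ruleset produces for this RCPT TO."""
    if client_addr == "":            # R0 $| $* : no client address, directly invoked
        return "ok"
    if client_is_local(client_addr):  # R$={LocalIP}$* $| $* : our own network
        return "ok"
    local, domain = remove_local(*canonify(rcpt))
    if domain is not None:            # R$*<@$+>$* : a foreign domain is still left
        return "550 Sorry.. we do not allow relaying"
    return "ok"


if __name__ == "__main__":
    for client, rcpt in [("207.113.220.5", "anyone@elsewhere.example"),
                         ("192.0.2.9", "joe@infinex.com"),
                         ("192.0.2.9", "joe%elsewhere.example@infinex.com"),
                         ("192.0.2.9", "joe@elsewhere.example")]:
        print(f"{client:15s} RCPT {rcpt:40s} -> {check_rcpt(client, rcpt)}")
```

The third probe is the interesting one: the recipient's domain is one of ours, so the first pass strips it, but re-canonifying the remaining "joe%elsewhere.example" exposes a foreign domain and the relay is refused, which is exactly why remove_local recurses.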
Compile/Config Sendmail 8.9.0
The following should work for most Slackware boxes... other distribs may
vary.. The compile part should work for any linux box. The cf part is made to
support virtual domains and spam control.. SENDMAIL 8.9.0 DOES NOT SUPPORT
DBM ANYMORE. Use "hash" instead of "dbm".. hash is the default db type for
everything now.. So far the "spam control" [FEATURE(access_db)] checks From:,
To:, some part of Received: fields.
download ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.0.tar.gz
# tar -zxf sendmail.8.9.0.tar.gz
# cd sendmail-8.9.0
# pico -w BuildTools/OS/Linux    # add the following lines.
define(`confLDOPTS', `-s')
define(`confOPTIMIZE', `-m486 -O2')
# cd src
# Build
# cd ../cf/cf
# pico -w linux.mc
divert(-1)
#
# Copyright (c) 1998 Sendmail, Inc.  All rights reserved.
# Copyright (c) 1983 Eric P. Allman.  All rights reserved.
# Copyright (c) 1988, 1993
#	The Regents of the University of California.  All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#
#
#  This is the prototype file for a configuration that supports nothing
#  but basic SMTP connections via TCP.
#
#  You MUST change the `OSTYPE' macro to specify the operating system
#  on which this will run; this will set the location of various
#  support files for your operating system environment.  You MAY
#  create a domain file in ../domain and reference it by adding a
#  `DOMAIN' macro after the `OSTYPE' macro.  I recommend that you
#  first copy this to another file name so that new sendmail releases
#  will not trash your changes.
#
divert(0)dnl
VERSIONID(`@(#)tcpproto.mc	8.10 (Berkeley) 5/19/98')
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')
OSTYPE(linux)dnl
DOMAIN(linuxrox.com)dnl
FEATURE(nouucp)dnl
FEATURE(local_procmail)dnl
FEATURE(virtusertable, hash -o /etc/mail/virtusertable)dnl
FEATURE(access_db)dnl
MAILER(local)dnl
MAILER(smtp)dnl
# pico -w ../domain/linuxrox.com.m4    # replace linuxrox.com with your own domain name.
divert(-1)dnl
#
# This file contains the global definitions for yourdomain.com
#
divert(0)dnl
VERSIONID(`@(#)linuxrox.com.m4	1.0 (linuxrox.com) 06/01/98')
FEATURE(use_cw_file)dnl
# m4 ../m4/cf.m4 linux.mc > /tmp/sendmail-8.9.0.cf
# cd ../..
# make install    # this installs all the new sendmail programs
# cd /etc
# mv sendmail.cf sendmail-original.cf    # just in case the new cf won't work we save the old, which will..
# cp /tmp/sendmail-8.9.0.cf sendmail-8.9.0.cf
# ln -s sendmail-8.9.0.cf sendmail.cf
# pico -w /etc/sendmail.cw    # list all the domains hosted on your box
linuxrox.com
gman.infinex.com
evilpeople.com
Any mail to a specific host on your box that is not listed will be REJECTED.
The only exception is if the host is a CNAME to the domain name.
# kill -TERM `head -1 /var/run/sendmail.pid`
# /usr/sbin/sendmail -bd -q15m
All done with sendmail.. just "spam control" and virtual domains need to be
modified/configured..
# pico -w /etc/mail/virtusertable    # Example of /etc/mail/virtusertable
mp3@evilpeople.com          error:nouser Unknown user
suggest@evilpeople.com      evilppl
@evilpeople.com             evilppl
@mp3.evilpeople.com         error:nouser Unknown user
# makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable
mp3@evilpeople.com is an email address I don't want people to email, so
people get a "550 Unknown user" when they do try to email mp3@evilpeople.com.
suggest@evilpeople.com really goes to the local user called 'evilppl'. You can
also redirect to a remote email address (i.e. username@hotmail.com).
To offer "unlimited aliases" just direct everything to a user on your system.
For example:
@domain.com     username_on_system
Example of /etc/mail/access
Friend@                         550 Sorry FROM field invalid
evilusername@evilplace.com      550 Spammer, Go away!!
test.com                        REJECT
domain.com                      550 Sorry, domain.com is not a valid domain.
10.0.2.10                       OK
10.0.2                          550 Your Netblock not allowed..
Pretty simple
1. Friend@ - rejects email addresses with Friend@
2. evilusername@evilplace.com - rejects msg with "550 Spammer, Go away!!" err msg
3. test.com - gets rejected with REJECT msg
4. domain.com - sends a "550 Sorry, domain.com is not a valid domain." REJECT msg..
5. 10.0.2.10 - gets no error msg. Mail always accepted.
6. 10.0.2 - sends a "550 Your Netblock not allowed.." REJECT msg for any host
   with IP 10.0.2 except 10.0.2.10
18) I need the m4 definition to relay all unmatched virtual users to another
machine:
LUSER_RELAY. This option will cause all local mail for which there is no
corresponding user account to be sent to the machine of your choice. For
example, in M4 you would add this line:
define(`LUSER_RELAY', `other-smtphost.my.domain')dnl
19) How can I feed sendmail a subject field when using CGI in mail forms? In
Perl, I can simply invoke sendmail with
"system('/usr/local/sendmail $email < $somefile')"
Is there a way to feed a variable like $subject to sendmail on the command
line? Pardon my ignorance!!!!
Use -s. For example...
system("/usr/lib/sendmail -s '$subject' $email <$somefile");
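Whatever flags one uses, a CGI form hands sendmail two values that an anonymous web visitor chose, and the system() call above passes both through a shell. The added example below (mine, not the poster's, and not Perl) shows the approach a practitioner would want instead: the subject goes into the message header on standard input, the recipient is validated against a strict address pattern, CR and LF are refused in header values so a second header cannot be smuggled in, and sendmail is started with an argument list rather than a shell command line. The sendmail path is the one the answer uses; -i and -t are standard sendmail flags; the validation pattern is this example's own.

```python
import re
import subprocess
from email.message import EmailMessage
from typing import List, Tuple

SENDMAIL = "/usr/lib/sendmail"                 # path used in the answer above
# Deliberately strict: one plain mailbox, no spaces, no leading '-', no shell characters.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def build_message(recipient: str, subject: str, body: str, sender: str) -> Tuple[List[str], bytes]:
    """Validate the form fields and return (argv, message bytes) for sendmail.

    Raises ValueError for a malformed recipient or for a CR/LF in a header
    value, the two things a header-injection attempt relies on."""
    if not ADDRESS_RE.match(recipient):
        raise ValueError("recipient is not a plain mailbox address")
    for value in (subject, sender):
        if "\r" in value or "\n" in value:
            raise ValueError("CR or LF in a header value")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)                       # body is MIME content, never headers
    # -i: a line holding a single '.' does not end the input;
    # -t: read the recipient from the To: header we just built.
    argv = [SENDMAIL, "-i", "-t"]
    return argv, msg.as_bytes()


def is_acceptable(recipient: str, subject: str, sender: str) -> bool:
    """True if the form values pass validation."""
    try:
        build_message(recipient, subject, "", sender)
        return True
    except ValueError:
        return False


def send_message(recipient: str, subject: str, body: str, sender: str) -> None:
    """Run sendmail with an argv list and the message on stdin: no shell is
    involved, so nothing in the fields can be interpreted as shell syntax."""
    argv, data = build_message(recipient, subject, body, sender)
    subprocess.run(argv, input=data, check=True)


if __name__ == "__main__":
    argv, data = build_message("user@example.com", "Feedback from the form",
                               "Hello from the web form.", "www@example.com")
    print(argv)
    print(data.decode())
```

With this layout the subject never appears on the command line at all, which also sidesteps the question of whether the installed sendmail understands a subject flag.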
20) SMTP connections from 127.0.0.1 only - How?
1. Compile sendmail with the TCP wrappers library and use it to control from
   where sendmail will accept connections.
2. Install a local packet filter to control what IP addresses may connect to
   which ports on the computer (on some OSes, such capability is included if
   you remake a kernel with that option enabled; on some other OSes,
   something like ip-filter may be usable).
3. Set "DaemonPortOptions=Addr=127.0.0.1" in sendmail.cf (or the necessary
   incantation in your .mc).
21) There are two reasons why sendmail is setuid root.
1. It reacts to system load by unbinding port 25 when the load is too high,
   and rebinding it when the load goes down again.
2. It changes uid to a specific user when executing programs for that user,
   in the case of programs executed from a .forward file.
3. And, less important than these, sendmail needs to be root to be able to
   read each user's .forward file.
22) Why do only some hosts reject my email with the following response?
> Any advice on how to correct it will be greatly appreciated.
>
> ----- Transcript of session follows -----
> ... while talking to pop.uunet.ca.:
> >>> HELO fres.GLFC.Forestry.CA.
> <<< 501 5.5.4 Invalid HELO parameter: "fres.GLFC.Forestry.CA."
The HELO string identifies the calling system. sendmail can check the name in
a number of ways:
* Does the IP address of the client reverse map into the same name?
* Does it conform to the rules in RFC 1123? That is, is it a canonical name,
  is it a fully qualified name, and it must not end in a trailing dot (see
  section 5.2.5 of RFC 1123).
Since the above clearly has a trailing dot, that's why it's invalid.
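The syntactic half of that check can be reproduced offline, which is useful when a remote server's 501 gives no more detail than the one above. The following is an added example (not sendmail's own HELO code): it returns the reason a HELO parameter would be refused, or None if it is acceptable. It covers the trailing dot, the fully-qualified requirement, the RFC 1123 label syntax, and the address-literal form "[192.0.2.1]" that SMTP also allows; the reverse-DNS comparison is left out because it needs a live resolver. The exact reason strings are this example's own.

```python
import ipaddress
import re
from typing import Optional

# A host name label: letters, digits and hyphens, not starting or ending with a
# hyphen, at most 63 characters (RFC 1123 relaxed the old letter-first rule).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def helo_problem(name: str) -> Optional[str]:
    """Return None if the HELO parameter is syntactically acceptable,
    otherwise a short reason it would be refused."""
    if not name:
        return "empty parameter"
    if name.startswith("[") and name.endswith("]"):
        try:                                   # address literal, e.g. [192.0.2.1]
            ipaddress.ip_address(name[1:-1])
            return None
        except ValueError:
            return "malformed address literal"
    if name.endswith("."):
        return "trailing dot (RFC 1123 section 5.2.5)"
    if "." not in name:
        return "not a fully qualified domain name"
    if len(name) > 253:
        return "name too long"
    for label in name.split("."):
        if not LABEL_RE.match(label):
            return f"invalid label {label!r}"
    return None


if __name__ == "__main__":
    for candidate in ("fres.GLFC.Forestry.CA.", "fres.GLFC.Forestry.CA",
                      "localhost", "[192.0.2.1]", "my_host.example.com"):
        print(f"{candidate:28s} -> {helo_problem(candidate) or 'ok'}")
```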
23)Try the MaxMessageSize option, e.g. in your m4 file:
define(`confMAX_MESSAGE_SIZE', `5000000')dnl
will set the limit to 5000000 bytes. See the KNOWNBUGS file that comes
with the source for some additional subtleties.
24) You can find all your in & out mail archives in the Exchange server
directories:
driveletter:\exchsrvr\imcdata\in\archive
driveletter:\exchsrvr\imcdata\out\archive
It is all in text file format.
25) >sh: vacation not available for sendmail programs
>554 "|/usr/bin/vacation user"... Service unavailable
Sendmail may only execute certain programs (depends on the path of the
program) if "smrsh" is used as shell for those.
From "man smrsh":
    Briefly, smrsh limits programs to be in the directory /usr/adm/sm.bin,
    allowing the system administrator to choose the set of acceptable
    commands. It also rejects any command line containing `,' (comma), `<',
    `>', `|', `;', `&', `$', `(', `)', a carriage return or a newline, to
    prevent ``end run'' attacks.
    Initial pathnames on programs are stripped, so forwarding to
    ``/usr/ucb/vacation'', ``/usr/bin/vacation'',
    ``/home/server/mydir/bin/vacation'', and ``vacation'' all actually
    forward to ``/usr/adm/sm.bin/vacation''.
    System administrators should be conservative about populating
    /usr/adm/sm.bin. Reasonable additions are vacation(1), procmail(1), and
    the like. No matter how brow-beaten you may be, never include any shell
    or shell-like program (such as perl(1)) in the sm.bin directory. Note
    that this does not restrict the use of shell or perl scripts in the
    sm.bin directory (using the ``#!'' syntax); it simply disallows
    execution of arbitrary programs.
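The restrictions the man page describes are small enough to model, and doing so shows exactly why the "vacation not available" error appears and what the fix (installing vacation into sm.bin) changes. The following added example is not smrsh's source: it maps a .forward "|command" line to the command that would run, or to the reason it is refused. The contents of /usr/adm/sm.bin are a constructed set passed in as a parameter rather than read from disk.

```python
import os
from typing import Set, Tuple

SM_BIN = "/usr/adm/sm.bin"
# Constructed: the programs an administrator chose to install in sm.bin.
SM_BIN_CONTENTS: Set[str] = {"vacation", "procmail"}
# Characters smrsh refuses anywhere on the command line ("end run" prevention).
FORBIDDEN = set(",<>|;&$()\r\n")


def smrsh_resolve(command_line: str, installed: Set[str] = SM_BIN_CONTENTS) -> Tuple[bool, str]:
    """Return (allowed, resolved command) or (refused, reason)."""
    bad = sorted(ch for ch in FORBIDDEN if ch in command_line)
    if bad:
        return False, f"forbidden character(s) on command line: {bad!r}"
    words = command_line.split()
    if not words:
        return False, "empty command"
    program = os.path.basename(words[0])     # the initial pathname is stripped
    if program != words[0] and not os.path.isabs(words[0]):
        return False, "relative path with a directory component"
    if program not in installed:
        return False, f"{program} is not in {SM_BIN}"
    return True, " ".join([os.path.join(SM_BIN, program)] + words[1:])


if __name__ == "__main__":
    for line in ("/usr/ucb/vacation user", "vacation user",
                 "/home/server/mydir/bin/vacation -a alias",
                 "vacation user; ls", "perl -e 1"):
        ok, detail = smrsh_resolve(line)
        print(f"{'run ' if ok else 'deny'} {line!r:45s} -> {detail}")
```

The rule that matters for the error in the question is the membership test: "|/usr/bin/vacation user" fails not because of its path but because vacation has not been placed (or linked) into /usr/adm/sm.bin.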
26) Another aliasing problem
> : I'm having a strange problem with setting up aliases to send to
> : multiple addresses. My aliases file works fine if I only list one
> : recipient that it should go to, but if I have, say:
> : allusers: user1, user2
> : for some reason the mail only gets sent to user2. It is always the
> : last person in the list that receives it. Has anyone else had this
>
> Have you tried leaving out the space after the comma, so:
> allusers: user1,user2
Unless something major is wrong this shouldn't change anything. Sendmail
strips out spaces...
Does it do this for *any* values of user1 and user2? Does it do this if user1
and user2 are foreign addresses? Test it...
The reason I ask: If user1 and user2 end up equating to the same address
string (the same character string for final delivery), only one copy will be
sent. To give an example, if user1 has this in his .forward
"|procmail"
and user2 has the same in her .forward, only user1 will get mail sent to this
list. That's why you're instructed to put a comment or command argument or
something to differentiate such things, for example
"|procmail #user1"
and
"|procmail #user2"
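The de-duplication the last reply describes can be reproduced with a small model of alias and .forward expansion. This is an added example, not part of the thread and not sendmail's code: it expands an alias through the aliases table and each user's .forward, keeps the first occurrence of every final delivery string, and so shows why two identical "|procmail" lines collapse to one delivery while "|procmail #user1" and "|procmail #user2" stay distinct. The alias and .forward contents are constructed; loops between aliases are guarded against, since a real aliases file can contain them.

```python
from typing import Dict, List, Set

# Constructed data for the example.
ALIASES: Dict[str, List[str]] = {"allusers": ["user1", "user2"]}
FORWARD_SAME: Dict[str, List[str]] = {"user1": ['"|procmail"'], "user2": ['"|procmail"']}
FORWARD_DISTINCT: Dict[str, List[str]] = {"user1": ['"|procmail #user1"'],
                                          "user2": ['"|procmail #user2"']}


def expand(alias: str, aliases: Dict[str, List[str]], forwards: Dict[str, List[str]]) -> List[str]:
    """Return the final delivery strings for `alias`, in first-seen order,
    with exact duplicates removed: one delivery per distinct string."""
    deliveries: List[str] = []
    seen: Set[str] = set()
    in_progress: Set[str] = set()           # guards against alias loops

    def walk(addr: str) -> None:
        if addr in in_progress:
            return                          # a: b / b: a would otherwise recurse forever
        if addr in aliases:
            in_progress.add(addr)
            for member in aliases[addr]:
                walk(member.strip())        # sendmail strips the spaces after commas
            in_progress.discard(addr)
        elif addr in forwards:
            in_progress.add(addr)
            for target in forwards[addr]:
                walk(target.strip())
            in_progress.discard(addr)
        elif addr not in seen:
            seen.add(addr)
            deliveries.append(addr)

    walk(alias)
    return deliveries


if __name__ == "__main__":
    print("identical .forward lines:", expand("allusers", ALIASES, FORWARD_SAME))
    print("distinct .forward lines: ", expand("allusers", ALIASES, FORWARD_DISTINCT))
```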
27) > Can anyone tell me how to stop sendmail adding a "content-type" header
> entry to messages that it receives without one?
This is controlled using the "EightBitMode" option (or "8", for old cf
files.) From the manual:
    EightBitMode=action
        [8] Set handling of eight-bit data. There are two kinds of eight-bit
        data: that declared as such using the BODY=8BITMIME ESMTP declaration
        or the -B8BITMIME command line flag, and undeclared 8-bit data, that
        is, input that just happens to be eight bits. There are three basic
        operations that can happen: undeclared 8-bit data can be
        automatically converted to 8BITMIME, undeclared 8-bit data can be
        passed as-is without conversion to MIME (``just send 8''), and
        declared 8-bit data can be converted to 7-bits for transmission to a
        non-8BITMIME mailer. The possible actions are:
            s   Reject undeclared 8-bit data (``strict'')
            m   Convert undeclared 8-bit data to MIME (``mime'')
            p   Pass undeclared 8-bit data (``pass'')
        In all cases properly declared 8BITMIME data will be converted to
        7BIT as needed.
28) > Some of my users have complained that their email msg gets chopped up
> into separate lines, each line terminating with a '=' character. I don't
> believe it's a problem with sendmail.
It may be a configuration problem. If you use the esmtp mailer (the
default), and you try to send mail to a version of sendmail without ESMTP or
one configured not to accept 8BITMIME (an ESMTP extension), your sendmail
will convert all mail into Quoted Printable.
That means -- among other things -- that lines longer than 74 characters
(from memory) are truncated and '=\n' put at the end to mark an
incomplete line.
If you want to disable QP encoding use the following in your .mc file:
define(`confSMTP_MAILER', `smtp8')dnl
before including
MAILER(smtp)
--
29) > Is there a better program to generate mail statistics than "mailstats"
> for solaris 2.5.1 or 2.6 on a sun?!
There's a program written by Bryan Beecher called "smtpstats" which
analyzes syslog information. See
ftp://ftp.his.com/pub/brad/sendmail/smtpstats. It has a companion
called "popstats" (also from Bryan Beecher) at
ftp://ftp.his.com/pub/brad/sendmail/popstats.
30)> >If you just want to block access from a particular IP address, you could use
> >the "route" command to route anything destined for that IP address to an
> >unassigned IP address. This is sort of a "trick" being used in an antispam
> >script I found called "spamshield" by Kai Schlichting (kai@abest.com).
> >You end up doing something like:
> >    route add -host <spammer-IP> -gateway <unassigned-IP> -reject
31)> Is there a way to check if a host has reverse DNS and, if not, block
> that host from sending e-mail using the check_relay rule?
Yes.
> I'm using sendmail 8.8.7?
See my HACKs for an example, it's the option:
    _DNSRELAY_
        check whether client_name resolved to a host name or an IP
        address, temporarily refuse the mail if it is an IP address.
        used by: check_mail3.m4
        not recommended, may cause problems with some relay hosts
http://www.informatik.uni-kiel.de/%7Eca/email/check.html
('%7E' is the required encoding for '~')
You can put those rules also in check_relay.
32)If you set the RunAsUser option in sendmail.cf, the /var/spool/mqueue
directory needs to be owned by the RunAsUser user. Otherwise, the
Sendmail docs say that it needs to be owned by root. FWIW, CERT
recommends that the permissions on /var/spool/mqueue be 0700. The
Sendmail book by Costales (with Allman) also recommends this and says
that /var should be 0755 and /var/spool should also be 0755, both owned
by root.
33)> Using sendmail 8.9.1 is it possible to masquerade an entire domain
> except for a few specific hosts? I know you can use the EXPOSED_USERS
> feature to expose certain users from the masquerade. But I have not been
> able to find something similar for hostnames.
> Here is the relevant section of my .mc file:
> --
> MASQUERADE_AS(domain.com)
> FEATURE(masquerade_entire_domain)
> MASQUERADE_DOMAIN(domain.com)
> MASQUERADE_DOMAIN(domain2.com)
> MASQUERADE_DOMAIN(domain3.com)
> --
> I thought about using the limited_masquerade feature, but that would be
> a nightmare to maintain.
>
> I did find a post that someone came up with to hack around this problem:
> http://x11.dejanews.com/getdoc.xp?AN=292419838&CONTEXT=901236509.1935737000&hitnum=0
>
> However, I'd like to have something that can be kept in an m4 file for
> future changes.
>
> Thanks!
I came up with the following local feature some time ago, which may
be close to what you want. It will "collapse" the specified domains,
removing any host and sub-domain information from _all_ addresses (note
that I do this in Ruleset 3). This is different than MASQUERADE_AS
and friends, because it preserves the domain (ie, davburns@foo.cat.pdx.edu
becomes davburns@cat.pdx.edu, while davburns@bar.ee.pdx.edu becomes
davburns@ee.pdx.edu) instead of using $M.
-- feature/collapse.m4
define(`EXPOSE_HOSTS',`
C{exposed_hosts}$*')
define(`COLLAPSE_DOMAINS',`
C{collapsed_domains}$*
Cw$*')
LOCAL_RULE_3
R$*<$*>$*	$: $>collapse $1<$2>$3	Try to collapse domains
LOCAL_RULESETS
Scollapse
R$=E<@$*>$*	$@ $1<@$2>$3	Exposed user
R$*<@$={exposed_hosts}>$*	$@ $1<@$2>$3	Exposed host
R$*<@$*.$={collapsed_domains}>$*	$@ $1<@$3>$4	Collapse domain
---
I reference this from a domain file, but you could do a .mc like this:
---
DOMAIN(seas)dnl
MASQUERADE_AS(ee.pdx.edu)dnl
FEATURE(collapse)dnl
COLLAPSE_DOMAINS(ee.pdx.edu)dnl
COLLAPSE_DOMAINS(cat.pdx.edu)dnl
COLLAPSE_DOMAINS(seas.pdx.edu)dnl
EXPOSE_HOSTS(pager.cat.pdx.edu)dnl
EXPOSE_HOSTS(speak.cat.pdx.edu)dnl
EXPOSE_HOSTS(spew.ee.pdx.edu)dnl
EXPOSE_HOSTS(figaro.ee.pdx.edu)dnl
EXPOSED_USER(root)dnl
EXPOSED_USER(daemon)dnl
----
(The MASQUERADE_AS is used only for unqualified names like <davburns>.)
34)You may turn on aliasing for ANY mailer.
Just make sure that F=A flag is set for every
"official address" domain delivery agent.
after that it is simple :-)
/etc/aliases:
robert.reitenbach@tto.de: robert
Don't forget:
1) restart sendmail after making any changes to /etc/sendmail.cf
2) run newaliases after making changes in /etc/aliases.
35)Restricting Mail sizes
If you need only a few sizes try the following:
Duplicate your smtp mailer definition (/etc/sendmail.cf) and name the
copies smtp1, smtp2, smtp3 ... .
Set a max message size limit for every new mailer (M=XXX).
Use mailertable to specify the mailer for domains, e.g.
/etc/mailertable:
.		smtp:%1%0
domain1.dom	smtp1:domain1.dom
domain2.dom	smtp2:domain2.dom
single dot is for default
36) How can I make non-local users alias
Set the F=A flag for the appropriate delivery agent
/etc/aliases
usr@x.y.z: me
If the mailer for x.y.z has the F=A flag set you have what you want
37)> I would like to allow only authorized people to use my mail
> server as relay. The best solution would be if I have not an account
> or a valid alias on the mail server the mail to outside will be
> rejected.
You may try my hacks, at least they should give you an impression how
to accomplish this task. It's the option:
    _CHECK_LOCALUSER_
        activate the check whether the local address of the sender
        appears in passwd or aliases, i.e., if a mail is sent with the
        local domain attached (@$=w), then the local part of it must
        appear in passwd or aliases. This denies at least sending with
        non-existing usernames etc. Of course it does not disable
        sending mails with other names or faked addresses.
        Warning: if you have multiple alias files, you have to specify
        all but the first again. For example: you have
            define(`ALIAS_FILE',`/etc/aliases,/etc/maj-aliases,/etc/list-aliases')dnl
        then you have to add this:
            define(`ALIAS_FILE1',`/etc/maj-aliases')dnl
            define(`ALIAS_FILE2',`/etc/list-aliases')dnl
        (this has been changed on 1997-12-23).
        Multiple alias files may cause a warning with some m4 versions:
            ../hack/check_mail3.m4:47: m4: Warning: Excess arguments to built-in `define' ignored
        Geoff Gibbs pointed out that nisplus in Solaris 2.x (5 and 6 at
        least) requires a line like this:
            Kchkalias1 nisplus -m -a@LOCALUSER mail_aliases.org_dir
        This can be now defined in the normal version.
        used by: check_mail3.m4
        recommended
38)> Most of these "roaming" users come in from a small number of small
> (size) domains. So, I thought that an interim solution would be to
> create an access db and just list the domains/ip addresses in there,
....
> And my access db file (at this point) looks like this:
>     stephen@ourdomain.net    RELAY
>     ourdomain.net            RELAY
> At this point, I think I must be missing some fundamental thing about
> using the access db. But I don't know what? Can anyone help??
The access map entries for RELAY work only for the connection
information, not for MAIL FROM (the envelope sender). So
    stephen@ourdomain.net    RELAY
won't help anything for relaying. However, if stephen@ourdomain.net
connects from a system within ourdomain.net then relaying should be
allowed. Does this work? If it doesn't, see:
http://www.informatik.uni-kiel.de/%7Eca/email/chk-dbg.html
If you want to turn on relaying based on the envelope sender,
you need to add a small hack, e.g., from
http://www.informatik.uni-kiel.de/%7Eca/email/chk-89.html
39)> I have diald installed on my linux box that does ip masquerading. diald
> dials when a user wants to use the internet, but how can I have outgoing
> messages not trigger diald, but instead go somewhere and wait until
> diald connects for other reasons. (I'm trying to minimize unnecessary
Mark the SMTP mailer as "expensive" in your sendmail configuration. If you
use mc, just add
define(`SMTP_MAILER_FLAGS', `e')dnl
define(`confCON_EXPENSIVE', `True')dnl the `e' flag is only honoured when HoldExpensive (option c) is on
You will also have to start the sendmail daemon without a -q (queue)
parameter, just "daemon sendmail -bd" in the /etc/rc.d/init.d/sendmail
script. Then you can invoke sendmail (sendmail -q) from diald's ip-up
script every time the PPP link goes up.
40)How can I add subject to an e-mail
Put the subject in the "Email" file, followed by a blank line, like:
------------------------
Subject: An example of a subject line.
Blah blah, grommish grommish, rhubarb rhubarb. Text text text...etc.
-----------------------------------
The blank line is important. Sendmail will put that line in the headers as
the "subject."
41) > can someone please tell me what the xdelay= means coming out of syslog.
According to my reading of the source code (for v8.8.8), it's the
elapsed time between when Sendmail started delivery attempts for
the message and when it successfully delivered the message to the
recipient listed in the to= field.
The delay= field shows the time elapsed from receipt of the message,
which can be longer than the xdelay if the message sat in the queue
for a while. You'll often see differences in delay and xdelay when
the message has multiple recipients, or if the message was received
when the load average was high enough to make Sendmail queue the
message for later delivery.
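The delay=/xdelay= distinction above is easiest to see on real log lines. The following is an added example, not code from this page: it pulls the to= records out of sendmail 8.8/8.9 style syslog lines, converts both fields to seconds (including the D+HH:MM:SS form used once a message has waited more than a day) and reports their difference as the time the message spent waiting rather than being transmitted. The log lines embedded below are constructed for the example, not captured traffic.

```python
import re

# Constructed sample lines in the sendmail 8.8/8.9 syslog format (not real traffic).
SAMPLE_LOG = """\
Aug  4 12:05:13 mailhost sendmail[1234]: MAA01234: from=<bob@mailhost.example.com>, size=1024, class=0, pri=31024, nrcpts=2, msgid=<1@mailhost>, proto=ESMTP, relay=bob@localhost
Aug  4 12:05:13 mailhost sendmail[1235]: MAA01234: to=<alice@example.com>, ctladdr=<bob> (1001/100), delay=00:05:12, xdelay=00:00:03, mailer=esmtp, relay=mx.example.com. [192.0.2.10], stat=Sent (Ok)
Aug  4 12:05:14 mailhost sendmail[1235]: MAA01234: to=<carol@example.net>, ctladdr=<bob> (1001/100), delay=1+02:00:00, xdelay=00:00:01, mailer=esmtp, relay=mx.example.net. [192.0.2.20], stat=Deferred: Connection timed out with mx.example.net.
"""

# Only to= records carry delay/xdelay; from= records are skipped.
RECORD_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<body>to=.*)$")
# key=<angle-bracketed value> or key=value-up-to-the-next-comma
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")


def hms_to_seconds(text):
    """delay/xdelay are HH:MM:SS, or D+HH:MM:SS once a message has waited over a day."""
    days = 0
    if "+" in text:
        d, text = text.split("+", 1)
        days = int(d)
    h, m, s = (int(x) for x in text.split(":"))
    return days * 86400 + h * 3600 + m * 60 + s


def delivery_records(log_text):
    """One dict per to= record. queue_wait is delay minus xdelay: per the
    explanation above, the part of the total delay spent before the delivery
    attempt that produced this record, not in it."""
    records = []
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip("<>") for k, v in FIELD_RE.findall(m.group("body"))}
        delay = hms_to_seconds(fields["delay"])
        xdelay = hms_to_seconds(fields["xdelay"])
        records.append({
            "qid": m.group("qid"),
            "to": fields["to"],
            "relay": fields["relay"],
            "delay": delay,
            "xdelay": xdelay,
            "queue_wait": delay - xdelay,
            "stat": fields["stat"].strip(),
        })
    return records


def long_waits(records, min_seconds):
    """Recipients whose message sat at least min_seconds before this delivery attempt."""
    return [r for r in records if r["queue_wait"] >= min_seconds]
```

Running long_waits(delivery_records(SAMPLE_LOG), 3600) over the sample returns only the carol@example.net record, whose delay is a day and two hours while its xdelay is one second: the time went into waiting for retries, not into the transaction itself.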
42)Is there a way to keep outsiders from using the aliases I have
created?
I implemented the following hack exactly for that purpose when our
internal distribution lists got hit by spam. I'm sure it could be
easily adapted to meet your needs.
Add the following to your m4 master configuration file:
#
LOCAL_CONFIG
Kprivate hash -o /etc/private.db
Kprivateok hash -o /etc/privateok.db
#
LOCAL_RULE_0
#
Scheck_rcpt
# check recipient. Let it through unless it's a private address
# (possibly with host or local domain attached to it)
R$*	$: $>3 $1
R$-	$: $(private $1 $: OK $)
ROK	$@ OK	non-private @ local
R$* < @ $* $=m . > $*	$: $(private $1 $: OK $)
R$* < @ $* > $*	$@ OK	someone @ somewhere
ROK	$@ OK	non-private @ here
# if private, check the sender (f macro). If the sender is local, let it
# through. The <@> and << >> hack is ugly, but I couldn't come up with a
# better way to treat user.something as a single token (any suggestions?)
RPRIVATE	$: $>3 $(dequote "" $&f $)
R$*	$: $1 <@>
R$* < @ $+ > $* < @ >	$: $1 << @ $2 >> $3
R$+ < @ >	$@ OK	sender @ here
R$* << @ $* >> $*	$: $1 < @ $2 > $3
R$* < @ $* $=m . > $*	$@ OK	address @ domain
# not a local sender. Get the relay (client_name)...
R$* < @ $+ . > $*	$: $1@$2 $| $>3 @ $(dequote "" $&{client_name} $)
# a particular sender through a valid relay is ok
R$+ $| $* < @ $+ . > $*	$: $(privateok $3:$1 $: $1 $) $| $3
ROK $| $*	$@ OK	relay: user@host
# anyone from a given host/domain from a valid relay is also ok
R$-@$+ $| $+	$: $2 $| $3
R$+ $| $+	$: $(privateok $2:@$1 $: notOK $)
ROK $*	$@ OK	relay: @host
# the rest can go to hell
R$*	$#error $@ 5.7.1 $: "571 private address."
The private map's keys are the list of private addresses with value PRIVATE:
list1	PRIVATE
list2	PRIVATE
The privateok keys are of the form relay:sender or relay:@host with values
OK:
relay.at.some.where:someone@some.where.else	OK
relay.at.some.where:@its.ok.too	OK
You can test the rules by invoking the test mode and predefining the
client_name and f macros with different combinations and then calling
the check_rcpt rule with the recipient's address.
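Before loading the maps on a live server it helps to have the policy written out in plain code, so that the combinations of recipient, sender and relay you would feed to test mode can be checked against an expected outcome. The following is an added example, not part of the original post: a Python model of the decision the check_rcpt ruleset above makes (it models the policy, not sendmail's token rewriting). The map contents are the ones from the text; the local domain here.example stands in for $=m and is an assumption of the example.

```python
# Constructed maps standing in for /etc/private.db and /etc/privateok.db from
# the text; the local domain is assumed (it plays the part of $=m in the rules).
PRIVATE = {"list1": "PRIVATE", "list2": "PRIVATE"}
PRIVATE_OK = {
    "relay.at.some.where:someone@some.where.else": "OK",
    "relay.at.some.where:@its.ok.too": "OK",
}
LOCAL_DOMAINS = ("here.example",)


def split_addr(addr):
    """'<User@Host.>' -> ('user', 'host'); a bare local part gives ('user', None)."""
    addr = addr.strip("<>").lower()
    if "@" not in addr:
        return addr, None
    user, domain = addr.rsplit("@", 1)
    return user, domain.rstrip(".")


def is_local(domain, local=LOCAL_DOMAINS):
    """True for no domain, a local domain, or any host under one (the '$* $=m .' pattern)."""
    return domain is None or any(domain == d or domain.endswith("." + d) for d in local)


def check_rcpt(rcpt, sender, client_name, private=PRIVATE, private_ok=PRIVATE_OK,
               local=LOCAL_DOMAINS):
    """Model of the check_rcpt ruleset above; returns (accepted, reason)."""
    r_user, r_domain = split_addr(rcpt)
    if not is_local(r_domain, local):
        return True, "someone @ somewhere"          # not one of our lists
    if private.get(r_user) != "PRIVATE":
        return True, "non-private recipient"
    # A private list: the envelope sender ($&f) decides.
    s_user, s_domain = split_addr(sender)
    if is_local(s_domain, local):
        return True, "sender @ here"
    # Otherwise the sender must arrive through a relay listed for it,
    # either as relay:user@host or as relay:@host.
    relay = client_name.lower().rstrip(".")
    if private_ok.get("%s:%s@%s" % (relay, s_user, s_domain)) == "OK":
        return True, "relay: user@host"
    if private_ok.get("%s:@%s" % (relay, s_domain)) == "OK":
        return True, "relay: @host"
    return False, "571 private address."
```

The same relay.at.some.where host is trusted for someone@some.where.else but not for a different user at that domain, and anyone at its.ok.too is admitted only through that relay; a sender who forges a local From: address but connects from elsewhere is still caught, because the check is on the envelope sender and the connecting client, neither of which the message body controls.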
43)What is the best way to keep a logfile of all emails that went
through a mail relay machine (header and body)?
sendmail -bd -X /var/log/sendmail.trace
(-X takes the name of the trace file; it records every byte of every
SMTP session in both directions, message bodies included, so protect
the file and use the option sparingly.)
44)> How can I disable the DNS lookup on the sender's email address in
> sendmail in sendmail.cf (I don't use m4)?
You should use m4.
Anyway, find the lines in the rewriting rules that say $[...$] and delete
them.
dnl _NO_CANONIFY_ is what FEATURE(nocanonify) defines in an m4 configuration
ifdef(`_NO_CANONIFY_', `dnl', `dnl
# try UUCP traffic as a local address
R$* < @ $+ . UUCP > $*	$: $1 < @ $[ $2 $] . UUCP . > $3
R$* < @ $+ . . UUCP . > $*	$@ $1 < @ $2 . > $3')
')')
ifdef(`_NO_CANONIFY_', `dnl', `dnl
# pass to name server to make hostname canonical
R$* < @ $* $~P > $*	$: $1 < @ $[ $2 $3 $] > $4')
45)> Is there a way (There always is but an easy one) to get sendmail to
> reject a message that's over say.. 30mb big?
If you have a fairly recent sendmail with an m4 configuration file you
can add the following to your sendmail.mc file and then regenerate the
sendmail.cf file:
For mail coming in via SMTP (limit to 10,000,000):
define(`confMAX_MESSAGE_SIZE', `10000000')dnl
For mail coming in via UUCP (you don't need this if you have only an SMTP
connection):
define(`UUCP_MAX_SIZE', `10000000')dnl
If you don't use an mc file you can edit the sendmail.cf file directly; the
relevant lines are:
# maximum message size
O MaxMessageSize=10000000
and for UUCP add M=10000000 to the mailer definitions.
46)...newaliases was run automatically by sendmail whenever needed.
Is it possible to configure 8.9.1 as to restore this behavior?
Add the following line to your sendmail.mc file and regenerate sendmail.cf
define(`confAUTO_REBUILD', `True')dnl cf/README notes a potential denial-of-service attack when this is set
You may want to read the file cf/README in the sendmail distribution for
information about this and other options you can define in sendmail.mc.
47)> Is it possible to redefine - presumably by some extra parameter in a
> mailer definition - the port to which sendmail connects when performing
> delivery, i.e. make it different from port 25.
Yes, you can do this via the A= declaration - see e.g.
http://www.dejanews.com/getdoc.xp?AN=352619898
48)HTML mails with sendmail
Add 'MIME-Version: 1.0' in your sendmail.cf file.
49)> Many users at our site use PC based mail programs to read and send
> mail. Some of them manage to enter incorrect From addresses into their
> configuration. I want to catch them already in the MAIL FROM command.
This is integrated in my HACKs for 8.8: it's the _CHECK_LOCALUSER_ option
(described in full under 37 above), used by check_mail3.m4, recommended.
http://www.informatik.uni-kiel.de/%7Eca/email/check.html
('%7E' is the required encoding for '~')
50)> Yesterday I noticed that our server stopped receiving SMTP requests on port 25
> when the load on the machine reached 32. I was viewing the load through the
> perfmeter utility on Solaris. As soon as the load dropped below 32 it started
> receiving requests again.?
This is normal behaviour. Check the sendmail.cf, it has something similar to:
# load average at which we just queue messages (QueueLA in new-style cf)
Ox8
# load average at which we refuse connections (RefuseLA in new-style cf)
OX12
51)} Took a while to notice it, since the other rulesets I swiped from Wolfgang's
} web page have been catching most of the spam (thanks Wolfgang!). But it turns
} out that sendmail is making no use of the access map. I ran sendmail -bt to
} see what it thought it was doing:
}
} > /map access.db friend@public.com
} Map named "access.db" not found
}
} Yes, I did makemap hash /etc/mail/access.db </etc/mail/access. The
} line in the .mc file is FEATURE(access_db, `hash -o /etc/mail/access.db').
} Running 8.9.1 on RedHat 5.1. It's all very annoying because I know after
} spending the last week searching the bat book and the expert web pages, one of
} you brains is going to say "Oh, you just need to do this," and it will work.
Actually, you've done everything correctly, except that the map is referred to
as just "access" internal to sendmail, not "access.db".
52) > Does ETRN use MX records?
ETRN in sendmail simply starts a queue run for the domain that is given
as parameter, so the answer is: yes.
See the RELEASE_NOTES:
    Implement ESMTP ETRN command to flush the queue for a specific host.
    The command takes a host name; data for that host is immediately (and
    asynchronously) flushed. Because this shares the -qR implementation,
    other hosts may be attempted, but there should be no security
    implications. Implementation from John Beck of InReference, Inc.
or read RFC 1985.
53) > Can anyone comment on the protocol legality of MAIL FROM: <>, and
> what might break if it was not allowed? Please CC: me in any responses.
http://www.faqs.org/rfcs/rfc821.html (section 3.6)
54) > I've been looking for some time for information on the ETRN command,
> and how to set it up within sendmail 8.9.x.
>
> I've looked on www.sendmail.org and can't seem to find any
> information. Can anyone direct me to a site that has either a FAQ or
> further info on how to set it up?
http://www.sendmail.org/faq/section3.html#3.23
http://www.sendmail.org/faq/section4.html#4.12
http://www.swinc.com/resource/exch_smtp.htm
55) > Does anyone know where I can get a program that will strip email addresses
> from an html file.
Try visiting
http://www.senate.gov/~murkowski/commercialemail/EmailBillText.html
and reading very carefully.
56) > I want to run sendmail in a mode where it will only take messages, place
> them into the queue, and send them out, without attempting
> local delivery. This is for a box that will only do relaying from
> a Lotus cc:Mail or Notes system.
I just did this for an Exchange server. (it just came up today as a
matter of fact!)
I used the following MC file (based on tcpproto.mc)
divert(0)dnl
VERSIONID(`@(#)odc-tcpproto.mc 8.10 (Ohio Dominican) 8/4/98')dnl
OSTYPE(linux)dnl
FEATURE(local_procmail,`/usr/bin/procmail')dnl
define(`LUSER_RELAY', `exchange.odc.edu')dnl
dnl MASQUERADE_AS is an m4 macro call, not a variable: define(MASQUERADE_AS, ...)
dnl would redefine the macro itself and never set $M, so it is called directly.
MASQUERADE_AS(`odc.edu')dnl
FEATURE(relay_entire_domain)dnl
FEATURE(access_db)dnl
FEATURE(use_cw_file)dnl
MAILER(smtp)dnl
The LUSER_RELAY sent any mail that wasn't for a local user to my
Exchange server. The access_db feature allowed me to choose what
hosts to allow relay (for outgoing mail from my exchange server). The
use_cw_file feature allowed me to tell sendmail that mail for the
following domains (odc.edu, exchange.odc.edu) were local domains in
addition to the localhost domain (name of the sendmail box).
This probably isn't optimal; but it's working...
Good Luck!
Arron
57) > I would like to set a limit in the number of recipients that a message can
> reach (for anti-spamming considerations), but I haven't found any variable
> in sendmail.cf suitable for that.
>
> I see in /var/log/syslog that the number of recipients (nrcpts) appear.
It's in sendmail 8.9.1, ftp://ftp.sendmail.org/pub/sendmail.
O MaxRecipientsPerMessage or something like that. By the way, you should
use m4 and not edit sendmail.cf.
58)
> Is there any directory program for Linux so I can have the same
> functionality as in NT Exchange server with the address book?
>
Yes.
You can load and compile the LDAP 3.3 server distribution, and create an
LDAP database.
If you use a mail client like Outlook 98, and check the "check mail
addresses with this directory server" then it will query the LDAP server
and rewrite the e-mail address to the correct address, or give you a choice
of correct addresses.
If anyone wants detailed instructions on how to set this up, mail me at
tedm@toybox.placo.com
Ted
59)> I've got a question with Sendmail 8.9.1 and mail relaying.
>
> I'm trying to set up relay protection based on the relay_local_from
> feature. We provide e-mail services for a wide variety of customers;
> unfortunately most of them relay mail off our server from a variety of
> other Internet providers. I wanted to verify that the "mail from"
> address matched either a list of domains that would be approved "mail
> from" domains (not the domain their connection is coming from, but just
> the domain specified in the mail from header).
>
> I added the following two lines to the .mc file and created the .cf file
> for sendmail...
>
> FEATURE(relay_local_from)
> FEATURE(relay_entire_domain)
>
> I also have the following specified in the sendmail.cf file;
>
> # Hosts that will permit relaying ($=R)
> FR-o /etc/mail/relay-domains
>
> and /etc/mail/relay-domains exists and lists all available mail domains.
>
> However, I still cannot relay mail from an authorized source email
> "domain"..
>
> Can anyone catch anything I'm doing incorrectly?
>
> Thanks in advance.
60)> in a quite complex environment I need to do some port redirection
> based on recipient domains. That means: if a mail is received on port
> 25, that is intended to go to firm.mx, it needs to be relayed through
> and sent to port xyz of a screening router, a mail heading to firm.es
> however should be sent out to the same router but with a different
> destination port.
>
> Any ideas ?
>
You could do this with a custom mailer and the mailertable.
Here is the mailer (in M4 format)
MAILER_DEFINITIONS
##################################################################
### SMTP to a specific port on a host mailer specification
###
##################################################################
Mportredirect,	P=[IPC], F=mDFMuXa, S=11/31, R=21/31, E=\r\n, L=990,
		T=DNS/RFC822/SMTP,
		A=IPC firewall.gadget.com $h
		      ^^^^^^^^^^^^^^^^^^^
It is simply the esmtp mailer definition with a new name, portredirect, and
a modified A= line. I have added a specific host between IPC and $h. This
means that $h will be a port number rather than a host to connect to.
You would then add entries in the mailer table of the form:
gadget.com	portredirect:26
This would cause mail for user@gadget.com to be delivered to port 26 on host
firewall.gadget.com
If you want to connect to the local host remember to add the "k" mailer flag
to the F= field to disable the local loopback test. If you do not do
this you will get the error message:
554 MX list for gadget.com points back to gadget.gadget.com
554 harker@gadget.com... Local configuration error
Hope this helps
RLH
Paul,
I also am a small ISP and we have many domains that we allow people
to relay to and from. In our case, we have this in our .cf file:
#
# This will deny relay spamming by checking entries in /etc/relayto
# and /etc/localip
#
F{LocalIP} /etc/localip
F{RelayTo} /etc/relayto
Scheck_rcpt
R$+	$: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*	$@ ok	no client addr: directly invoked
R$={LocalIP}$* $| $*	$@ ok	from here
R$* $| $*	$: $>3 $2
R$*<@$*$={RelayTo}.>$*	$>3 $1 $4
R$*<@$+>$*	$#error $@ 5.7.1 $: 571 WebCC does not relay, see http://www.webcc.net/aup.htm#
This checks two files on our system. The first is a list of domains we
will accept mail for. This is /etc/relayto and has one domain listed
on each line. (ex: webcc.net)
The other file is a list of IP blocks we will allow to relay to
domains outside of our network. For example, all of our dial-up IP
addresses are listed in this file in addition to some offsite servers
and clients that use other providers but send mail through us.
Hope this helps you out.
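Both the access_db answer in 38 (RELAY entries act on the connecting client, never on MAIL FROM) and the LocalIP/RelayTo ruleset just above make the same relay decision from the same three inputs: client address, client name and recipient domain. The following is an added example, not code from either post or from sendmail: a Python model of that decision, using the untagged map keys of sendmail 8.9 and the lookup order sendmail applies (a host name, then each parent domain; an address, then each shorter prefix). The map contents and the list of accepted domains are constructed for the example; treating a REJECT on the client as winning over everything else is this model's choice.

```python
# Constructed access map in the untagged form sendmail 8.9 uses (assumed content).
ACCESS = {
    "stephen@ourdomain.net": "RELAY",   # sender entry: present, but never consulted below
    "ourdomain.net": "RELAY",           # connecting hosts under this domain may relay
    "192.0.2": "RELAY",                 # address prefix: clients in 192.0.2.0/24 may relay
    "spammer.example": "REJECT",
}
# Domains this host accepts mail for, like $=R or the /etc/relayto file above (assumed).
RELAY_TO = {"ourdomain.net": "RELAY", "customer.example": "RELAY"}


def lookup_host(name, table):
    """Look up a host name, then each parent domain: a.b.example -> b.example -> example."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return key, table[key]
    return None, None


def lookup_addr(addr, table):
    """Look up an IPv4 address, then ever shorter prefixes: 192.0.2.5 -> 192.0.2 -> 192.0 -> 192."""
    octets = addr.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return key, table[key]
    return None, None


def relay_decision(client_addr, client_name, sender, rcpt, access=ACCESS, relay_to=RELAY_TO):
    """Return (allowed, reason) for one RCPT TO.

    `sender` (MAIL FROM) is accepted only to make the point of answer 38:
    it takes no part in the decision.
    """
    client_hits = [lookup_addr(client_addr, access), lookup_host(client_name, access)]
    # An explicit REJECT on the connecting client wins over everything else (model's choice).
    for key, value in client_hits:
        if value == "REJECT":
            return False, "client matched REJECT entry %s" % key
    # Mail for a domain we accept is not relaying, whoever the client is.
    rcpt_domain = rcpt.rsplit("@", 1)[-1]
    key, value = lookup_host(rcpt_domain, relay_to)
    if value == "RELAY":
        return True, "recipient domain under %s" % key
    # Relaying elsewhere needs a RELAY match on the connection, not on MAIL FROM.
    for key, value in client_hits:
        if value == "RELAY":
            return True, "client matched RELAY entry %s" % key
    return False, "relaying from %s to %s denied" % (sender, rcpt)
```

The first two test cases are the situation from 38: stephen@ourdomain.net as MAIL FROM gets nothing from a dial-up at another provider, but the same sender relays as soon as the connection itself comes from a host under ourdomain.net. Anyone can forge MAIL FROM, which is why the map is consulted on the connection and not on the envelope sender.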
61) > Is there a way to make virtusertable lookups faster? We are already using
> sendmail 8.9.x and DB2 with a hash map but our virtusertable has grown
> very large. We are already using dedicated MX mail servers in a dual
> round-robin DNS configuration.
>
> Would it be worth splitting up virtusertable into domain-specific maps and
> telling sendmail to look up a virtusertable map depending on the domain?
>
> I'd say we're already at 100,000 entries in virtusertable.
>
How do you know that the virtusertable is your bottleneck? My guess is
that it is not. From a posting I made today on a related subject:
    As a note, there is very little performance impact of large databases.
    Sendmail does not sequentially search the database, but instead uses
    the database's hash algorithm to find an index address. It then checks
    that index address in the data file and returns the result. If a null
    string is returned then sendmail knows that a match will not be found.
    If a string is returned, then sendmail uses this as the matching
    value. If there is contention for the index address, then other stuff
    happens. But this does not happen for a significant number of the
    index addresses. The bottom line here is that most database (ndbm or
    db hash) queries take a single disk operation regardless of
    database size.
So the size of the database should not be a major issue. Building a large
database does take longer, but the lookup time should remain the same.
Breaking the virtusertable up into multiple smaller tables would not
improve performance in my opinion. I would expect that if anything, it
would decrease performance because of the extra database file opens and
closes.
If you are concerned about performance there are other areas that I would
look at:
Does each area of disk activity have its own private disk drive?
Disk heads are the first point of contention on a sendmail system.
    mqueue
    /var/log
    The OS itself, root, /usr, and swap
    /var/spool/mail
    poptemp if it is a pop server
    .hoststat if persistent host status is used
    /etc/mail for database lookups
Do you have enough physical memory?
    Being short of memory impacts disk I/O as you page and swap
If you are using narrow SCSI use either:
    2 disks per controller
    Upgrade to ultra wide SCSI with 4/8 disks per controller
Are you using RAID?
    Stripe mqueue across all of the disks using the outer most cylinders.
All of the above is what I call "heuristic performance tuning" in that
I am simply using common sense and a knowledge of what sendmail does
to define some potential bottlenecks. Disks, controllers, and memory
are relatively cheap these days. A little bit of reconfiguration can
go a long way in improving performance.
If you want to get more esoteric here are some more things to think
about:
    More RAID, more spindles, more controllers, more cache, faster bus
    connection to the CPU backplane
    What is the bus architecture of the server?
        If it is a PC you should be looking at 100 MHz PCI (and BX chip
        sets on the mother board, I think?)
        If it is Sun, Ultra 1, 2, and 450 have better busses
        than Ultra 5, 10, 30, and SS 5, 10, and 20
    If you are trying to speed up the database lookups you could move
    them to a RAM disk and touch and rebuild the database(s) every time
    the system reboots.
    Put the mqueue directory on a battery backed up SCSI RAM disk
    (expensive, but doable)
    Put a prestoserv NFS accelerator before the mqueue, mail, poptemp,
    and hoststat partitions to speed up disk writes.
On the software side, one of the biggest improvements is to keep the number
of messages waiting to be delivered in the mqueue directory small.
Either:
    Paul Pomes' re-mqueue.pl script in the contrib directory of the
    sendmail release
    Or my reque mailer that I cover in my class "Managing Internet Mail"
Another thing I have thought about is storing the "xf" temporary files
in a different location from the "qf" and "df" files. This would allow
the "xf" file to be kept on a tempfs RAM disk partition (more memory).
The "xf" file is the most active set of files on a sendmail server.
One is created for each delivery attempt for each recipient host. They
also are totally temporary. If the server is rebooted or sendmail
restarted, the old "xf" files are never used again so the fact that the
tempfs goes away on a reboot is not a problem.
I am also posting this to comp.mail.sendmail to get more feedback.
Hey guys and gals, anything I missed, anything out to lunch?
Hope this helps
RLH
62)> Got a slight problem here with makemap and spam
> rules in /etc/mail/access.
>
> My setup is a Sparc 20 running Solaris 2.5.1 with
> sendmail 8.9.1a.
>
> After adding
>     FEATURE(relay_entire_domain)
>     FEATURE(access_db)
> all hell broke loose.
>
> When I try to fire up sendmail I get
>     readcf: map access: class hash not available
>
I had this too: the reason is 1) a missing NEWDB package and 2) after
installing it, I had to add -L/usr/local/lib and -I/usr/local/include.
Now 'Build' could find libdb.a and the *.h files and everything was fine.
63)> I've always wondered about this topic, and all I can find at newsgroups is
> just the same questions, without a good solution. Sorry if this question
> has already been discussed, but I couldn't find any answers so far...
>
> here it goes:
>
> I need to restrict users' mailboxes, ie: 10 Mb per user, I heard quotas are not a
> good way to do this.
>
> Another thing I'd like to do is to restrict the maximum message size for smtp.
> at the sendmail.cf I've found the option to do this, but it applies for all
> local connections & connections coming from the internet, I'd like to set
> different values for each.. and if possible, restrict maximum message size per
> USER account. is this possible at all?
1) remove the F=m flag from the local delivery agent specification
2) replace the local mailer program in sendmail.cf by your wrapper script
   When the mailbox size is ok it calls the original delivery agent.
   When it's too big it exits with the appropriate exit code chosen from
   <sysexits.h>
Sample delivery agent script:
The Bat Book 2nd ed. chapter 24.3
64)Re: dbm map "alias0": unsafe map file /etc/aliases
] What does this error mean.
See the README file:
    +-----------------------+
    | DIRECTORY PERMISSIONS |
    +-----------------------+
    Sendmail often gets blamed for many problems that are actually the
    result of other problems, such as overly permissive modes on directories.
    For this reason, sendmail checks the modes on system directories and
    files to determine if they can be trusted. For sendmail to run
    without complaining, you MUST execute the following command:
        chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
        chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
Run sendmail -bi -d44.4 for more info.
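The README rule quoted above and the mqueue advice in 32 (root-owned, no group or world write, and 0700 for /var/spool/mqueue) are easy to audit before sendmail complains. The following is an added example, not code from this page or from sendmail: it stats each directory on the README's list, reports the reasons sendmail would distrust it, and emits the README's two commands narrowed to the paths that failed. The self-contained demo builds a scratch tree and audits it against the current uid rather than root so it runs unprivileged; on a live system call audit() with its defaults.

```python
import os
import stat
import tempfile

# The directories the README tells you to fix: owned by root, not group/world writable.
README_DIRS = ["/", "/etc", "/etc/mail", "/usr", "/var", "/var/spool", "/var/spool/mqueue"]


def unsafe_reasons(path, required_owner=0, max_mode=0o755):
    """List why sendmail would distrust `path` (an empty list means it is fine).

    max_mode=0o755 is the README's go-w rule; item 32 above passes on CERT's
    advice that /var/spool/mqueue should be 0700, so audit() uses that there.
    """
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat: %s" % exc.strerror]
    mode = stat.S_IMODE(st.st_mode)
    reasons = []
    if st.st_uid != required_owner:
        reasons.append("owned by uid %d, expected %d" % (st.st_uid, required_owner))
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if mode & ~max_mode:
        reasons.append("mode %04o exceeds %04o" % (mode, max_mode))
    return reasons


def audit(dirs=README_DIRS, required_owner=0, mqueue_mode=0o700):
    """Map each directory to its list of problems; the queue directory gets the stricter mode."""
    return {d: unsafe_reasons(d, required_owner, mqueue_mode if d.endswith("mqueue") else 0o755)
            for d in dirs}


def fix_commands(report):
    """The README's two commands, narrowed to the paths that actually failed."""
    bad = [p for p, why in report.items() if why]
    if not bad:
        return []
    return ["chmod go-w " + " ".join(bad), "chown root " + " ".join(bad)]


def demo_on_tempdirs():
    """Self-contained run: a scratch tree with one good and one bad directory,
    audited against the current uid instead of root so it works unprivileged."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "spool")
    bad = os.path.join(root, "mqueue")
    os.mkdir(good)
    os.chmod(good, 0o755)
    os.mkdir(bad)
    os.chmod(bad, 0o777)
    return audit([good, bad], required_owner=os.getuid())
```

A 0755 mqueue passes the README's check but is still reported here because of the 0700 recommendation; drop the stricter mode by calling audit(mqueue_mode=0o755) if you only want what sendmail itself enforces.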
65)
****************************************************************************************************