How to set up sendmail to actually send mails (!)
For novices, sendmail has quite a steep learning curve; the recommended MTA is postfix.
To determine what sendmail currently supports, telnet to the SMTP port and issue the help command; sendmail will display its capabilities:
]$ telnet localhost 25
220 example.com ESMTP Sendmail 8; Mon, 4 Nov 2013 17:27:20 +0100
help
214-2.0.0 This is sendmail
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
AUTH means that this sendmail server supports SMTP authentication.
STARTTLS means that SSL/startTLS is supported.
To enable both you'll need to modify your sendmail configuration. The sendmail configuration file is, well, let's say as clear as mud. The easier way is to edit the sendmail.mc, a macro file that can be used to generate a functional sendmail.cf configuration. Lines starting with # are comments, as are lines starting with dnl.
Uncommenting the following three lines will enable SMTP authentication:
# /etc/mail/sendmail.mc
<snip>
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
<snip>
To enable TLS/SSL, uncomment the following lines and make sure that your certificates (self-signed or public) are present.
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/MYcert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/MYkey.pem')dnl
Most clients will use STARTTLS over SMTP port 25, but you can have an SSL-only SMTP sendmail listening on port 465 by uncommenting:
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
Make sure the sendmail-cf and cyrus-sasl rpm packages are installed:
]# yum -y install cyrus-sasl sendmail-cf
Generate the new sendmail.cf from your modified sendmail.mc and restart sendmail
]# cd /etc/mail ; ./make
]# service sendmail restart
Configure sasl authentication server with your preferred authentication method for mail users and make sure it will be running. (default is set to pam in /etc/sysconfig/saslauthd)
]# chkconfig saslauthd on
]# service saslauthd start
Now to test SMTPAUTH we'll use the PLAIN method. We'll check if the earlier telnet test now shows support for the AUTH method.
If it does, we'll try plain auth. This requires a base64 encoded string containing a NULL-separated username+password:
]$ perl -MMIME::Base64 -e 'print encode_base64("\000USERNAME\000PASSWORD");'
AFVTRVJOQU1FAFBBU1NXT1JE
Now we can catch two birds with one stone, check the SSL setup and PLAIN auth (PLAIN and LOGIN are only allowed over SSL encrypted connections):
]$ openssl s_client -starttls smtp -connect example.com:25
. <snip more SSL stuff>
. ---
. SSL handshake has read 17078 bytes and written 357 bytes
. ---
. New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
.
EHLO example2.com
.
. 250-mail.example.com Hello example2.com [1x.2x.3x.4x], pleased to meet you
. 250-ENHANCEDSTATUSCODES
. 250-PIPELINING
. 250-8BITMIME
. 250-SIZE
. 250-DSN
. 250-ETRN
. 250-AUTH LOGIN PLAIN
. 250-DELIVERBY
. 250 HELP
.
AUTH PLAIN AFVTRVJOQU1FAFBBU1NXT1JE
Now clients that use valid SMTP authentication can use your sendmail server to send email.
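The manual test above, as an added example that is not part of the original answer: it rebuilds and decodes the AUTH PLAIN token (base64 is an encoding, which is why PLAIN and LOGIN belong behind TLS) and audits the EHLO replies seen before and after STARTTLS. The function names and the sample replies are constructed for illustration.

```python
import base64

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # send the password itself, base64 only

# Constructed sample EHLO replies (not captured from a real server).
PRE_TLS_OK = """250-mail.example.com Hello example2.com, pleased to meet you
250-STARTTLS
250 HELP"""
PRE_TLS_BAD = """250-mail.example.com Hello example2.com, pleased to meet you
250-AUTH LOGIN PLAIN
250 HELP"""
POST_TLS = """250-mail.example.com Hello example2.com, pleased to meet you
250-AUTH LOGIN PLAIN
250 HELP"""

def auth_plain_token(user, password, authzid=""):
    """AUTH PLAIN argument: base64(authzid NUL user NUL password), RFC 4616."""
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_auth_plain(token):
    """Recover the fields; base64 hides nothing from anyone who sees the token."""
    fields = base64.b64decode(token, validate=True).split(b"\0")
    if len(fields) != 3:
        raise ValueError("expected authzid NUL user NUL password")
    return tuple(f.decode("utf-8") for f in fields)

def parse_ehlo(reply):
    """Map EHLO keywords to parameter lists, skipping the greeting line."""
    caps = {}
    for line in map(str.strip, reply.splitlines()[1:]):
        if line.startswith("250") and len(line) > 4:
            key, *params = line[4:].split()
            caps[key.upper()] = [p.upper() for p in params]
    return caps

def audit(pre_tls_reply, post_tls_reply):
    """Findings for the EHLO replies seen before and after STARTTLS."""
    pre, post = parse_ehlo(pre_tls_reply), parse_ehlo(post_tls_reply)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not advertised")
    leaked = PLAINTEXT_MECHS & set(pre.get("AUTH", []))
    if leaked:
        findings.append("cleartext AUTH offers " + ",".join(sorted(leaked)))
    if "AUTH" not in post:
        findings.append("no AUTH after STARTTLS")
    return findings
```

Feed audit() the EHLO reply from a plain telnet session and the one seen inside openssl s_client; an empty list means PLAIN and LOGIN are only reachable once the connection is encrypted.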
Mike
Updated on September 18, 2022
Comments
-
Mike almost 2 years
I'm configuring a mail server but sendmail doesn't let me send mails from remote devices and/or software. My config: CentOS 6.4, Sendmail 8.14.4.
Here's the message I get when trying to send emails from outside the server:
sendmail[25390]: rA4Fp855025390: [213.x.x.x] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
sendmail[25391]: rA4Fp86s025391: ruleset=check_rcpt, arg1=<[email protected]>, relay=[213.x.x.x], reject=550 5.7.1 <[email protected]>... Relaying denied. IP name lookup failed [213.x.x.x]
sendmail[25391]: rA4Fp86s025391: from=<[email protected]>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[213.x.x.x]
I know there's something with the relay host but what if you don't know the relay host!? I mean... Anyway, here's the sendmail.mc file:
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
dnl define(`confLOG_LEVEL', `9')dnl
dnl define(`SMART_HOST', `smtp.your.provider')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
MASQUERADE_AS(mydomain.com)dnl
MASQUERADE_DOMAIN(mydomain.com)dnl
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confCACERT_PATH', `/etc/mail/certs')dnl
dnl define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
dnl define(`confSERVER_CERT', `/etc/mail/certs/MYcert.pem')dnl
dnl define(`confSERVER_KEY', `/etc/mail/certs/MYkey.pem')dnl
dnl define(`confCLIENT_CERT', `/etc/mail/certs/MYcert.pem')dnl
dnl define(`confCLIENT_KEY', `/etc/mail/certs/MYkey.pem')dnl
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
FEATURE(`relay_hosts_only')dnl
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
FEATURE(`accept_unresolvable_domains')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
dnl FEATURE(`relay_based_on_MX')dnl
LOCAL_DOMAIN(`mydomain.com')dnl
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl FEATURE(masquerade_envelope)dnl
dnl FEATURE(masquerade_entire_domain)dnl
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
What should I do? How do I know if SMTP-AUTH works? TLS?
Thank you very much for your help -.-
-
MadHatter over 10 years
For sendmail to take email from random devices, for delivery to random third-parties, would be to run as an open relay, and it won't do that by default. You would do well to look into SMTP AUTH; setting it up and configuring it is painful, but if you just configure your system to be an open relay, you'll end up blacklisted and unable to send to no one.
-
Mike over 10 years
I know :( So what can I do? It shouldn't be so hard to just allow authenticated users to send mails from their devices...
-
MadHatter over 10 years
It isn't - but you really, really shouldn't.
-
-
Mike over 10 years
I know, I usually install postfix but the boss needs the php mail thing and asked me to move to sendmail... Anyway, from this output (help), both should be supported by sendmail. But when I 'telnet localhost 25' the STARTTLS option doesn't show rrr...
-
HBruijn over 10 years
I'll add some additional instructions to my earlier response.