How to setup sendmail to actually send mails (!)


For novices sendmail has quite a steep learning curve; the recommended MTA is Postfix.

To determine what sendmail currently supports, telnet to the SMTP port and issue the help command; sendmail will display its capabilities:

 ]$ telnet localhost 25
 220 example.com ESMTP Sendmail 8; Mon, 4 Nov 2013 17:27:20 +0100
 help
 214-2.0.0 This is sendmail
 214-2.0.0 Topics:
 214-2.0.0       HELO    EHLO    MAIL    RCPT    DATA
 214-2.0.0       RSET    NOOP    QUIT    HELP    VRFY
 214-2.0.0       EXPN    VERB    ETRN    DSN     AUTH
 214-2.0.0       STARTTLS

AUTH means that this sendmail server supports SMTP authentication.

STARTTLS means that SSL/STARTTLS is supported.

To enable both you'll need to modify your sendmail configuration. The sendmail configuration file is, well, let's say as clear as mud. The easier way is to edit sendmail.mc, a macro file that can be used to generate a functional sendmail.cf configuration. Lines starting with # are comments, as are lines starting with dnl.

Uncommenting the following three lines will enable SMTP authentication:

 # /etc/mail/sendmail.mc
 <snip>
 define(`confAUTH_OPTIONS', `A p')dnl
 TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl 
 define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
 <snip>

To enable TLS/SSL uncomment the following lines and make sure that your certificates (self-signed or public) are present:

 define(`confCACERT_PATH', `/etc/mail/certs')dnl
 define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
 define(`confSERVER_CERT', `/etc/mail/certs/MYcert.pem')dnl
 define(`confSERVER_KEY', `/etc/mail/certs/MYkey.pem')dnl

Most clients will use STARTTLS over SMTP port 25, but you can have an SSL-only SMTP listener on port 465 by uncommenting:

 DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

Make sure the sendmail-cf and cyrus-sasl RPM packages are installed:

 ]#  yum -y install cyrus-sasl sendmail-cf

Generate the new sendmail.cf from your modified sendmail.mc and restart sendmail:

 ]#  cd /etc/mail ; ./make
 ]#  service sendmail restart

Configure the SASL authentication server (saslauthd) with your preferred authentication method for mail users and make sure it is running (the default is set to pam in /etc/sysconfig/saslauthd):

 ]#  chkconfig saslauthd on
 ]#  service saslauthd start

Now to test SMTP AUTH we'll use the PLAIN method. First we'll check whether the earlier telnet test now shows support for AUTH.

If it does we'll try PLAIN auth. This requires a base64-encoded string containing a NUL-separated username and password:

 ]$  perl -MMIME::Base64 -e 'print encode_base64("\000USERNAME\000PASSWORD");'
 AFVTRVJOQU1FAFBBU1NXT1JE

Now we can kill two birds with one stone and check both the SSL setup and PLAIN auth (PLAIN and LOGIN are only allowed over SSL-encrypted connections):

 ]$ openssl s_client -starttls smtp -connect example.com:25
 <snip more SSL stuff>
 ---
 SSL handshake has read 17078 bytes and written 357 bytes
 ---
 New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
 
 EHLO example2.com
 250-mail.example.com Hello example2.com [1x.2x.3x.4x], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH LOGIN PLAIN
 250-DELIVERBY
 250 HELP
 AUTH PLAIN AFVTRVJOQU1FAFBBU1NXT1JE

Now clients that use valid SMTP authentication can use your sendmail server to send email.

Author: Mike

Updated on September 18, 2022
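The checks the answer above does by hand with telnet and openssl s_client, as an added example that is not part of the original answer: a Python script that parses EHLO replies, builds the SASL PLAIN string the same way the perl one-liner does, and flags the two misconfigurations that matter here (STARTTLS not offered at all, or PLAIN/LOGIN offered before STARTTLS, which is what the `p` in confAUTH_OPTIONS is meant to prevent). The EHLO replies it ships with are constructed from the session shown above, not captured from a real host; check_smtp_auth() talks to a live server and verifies the server certificate against the CA file you point it at, and its host name, EHLO client name, credentials and CA path are placeholders.

```python
"""Added example, not part of the original answer: a checker for the steps
the answer performs by hand with telnet and openssl s_client.

Offline parts (SASL PLAIN encoding, EHLO parsing, policy audit) run on
constructed EHLO replies modelled on the session in the answer.
check_smtp_auth() needs a reachable server; its host name, client name,
credentials and CA path are placeholders you supply."""
import base64
import smtplib
import ssl

# Mechanisms that hand the password to a passive listener.  sendmail's
# confAUTH_OPTIONS `p' flag withholds them until a TLS layer is active.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def sasl_plain(username, password, authzid=""):
    """Base64 SASL PLAIN initial response: authzid NUL authcid NUL password.
    Same bytes the answer produces with perl -MMIME::Base64."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_ehlo(reply):
    """Map EHLO keywords to their parameters from a raw multi-line 250 reply,
    e.g. {'STARTTLS': [], 'AUTH': ['LOGIN', 'PLAIN'], ...}."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip().startswith("250")]
    exts = {}
    for line in lines[1:]:                # lines[0] is the "pleased to meet you" greeting
        parts = line[4:].split()          # drop the "250-" / "250 " prefix
        if parts:
            exts[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return exts


def audit_auth_policy(before, after):
    """Compare the extension maps seen before and after STARTTLS.

    Returns (ok, problems).  ok means STARTTLS was offered in the clear, no
    plaintext mechanism was offered before it, and AUTH is offered after it."""
    problems = []
    if "STARTTLS" not in before:
        problems.append("STARTTLS not advertised: TLS lines not active in sendmail.mc")
    leaked = PLAINTEXT_MECHS & set(before.get("AUTH", []))
    if leaked:
        problems.append("offered before STARTTLS: " + " ".join(sorted(leaked))
                        + " (add `p' to confAUTH_OPTIONS)")
    if not after.get("AUTH"):
        problems.append("no AUTH mechanisms after STARTTLS: check cyrus-sasl/saslauthd")
    return (not problems, problems)


def check_smtp_auth(host, username, password, port=25, cafile=None, timeout=10):
    """Live check: EHLO, STARTTLS with certificate verification, EHLO again,
    then AUTH PLAIN exactly as typed in the answer.  Returns (authenticated,
    problems).  A certificate that does not verify raises instead of being
    silently accepted, so pass cafile=<your CAcert.pem> for self-signed setups."""
    ctx = ssl.create_default_context(cafile=cafile)   # hostname checking stays on
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("client.example.com")               # placeholder EHLO name
        before = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        if "STARTTLS" not in before:                  # never send the password in the clear
            return (False, audit_auth_policy(before, {})[1])
        smtp.starttls(context=ctx)                    # raises if the cert does not verify
        smtp.ehlo("client.example.com")               # extensions must be re-read after TLS
        after = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        ok, problems = audit_auth_policy(before, after)
        code, msg = smtp.docmd("AUTH", "PLAIN " + sasl_plain(username, password))
        if code != 235:                               # 235 = authentication succeeded
            problems.append(f"AUTH PLAIN rejected: {code} {msg.decode(errors='replace')}")
        return (code == 235, problems)


# Constructed EHLO replies (not captured from a real host), modelled on the
# openssl s_client session in the answer; TEST-NET address instead of 1x.2x.3x.4x.
_GREETING = "250-mail.example.com Hello example2.com [192.0.2.10], pleased to meet you\n"
_COMMON = "250-ENHANCEDSTATUSCODES\n250-PIPELINING\n250-8BITMIME\n250-SIZE\n250-DSN\n250-ETRN\n"
EHLO_CLEARTEXT = _GREETING + _COMMON + "250-STARTTLS\n250-DELIVERBY\n250 HELP"
EHLO_AFTER_STARTTLS = _GREETING + _COMMON + "250-AUTH LOGIN PLAIN\n250-DELIVERBY\n250 HELP"
# The same words seen on the unencrypted connection: no STARTTLS, and
# PLAIN/LOGIN already on offer, i.e. the TLS lines and `p' are both missing.
EHLO_WEAK = EHLO_AFTER_STARTTLS


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 4:                            # host username password [cafile]
        cafile = sys.argv[4] if len(sys.argv) > 4 else None
        print(check_smtp_auth(sys.argv[1], sys.argv[2], sys.argv[3], cafile=cafile))
    else:
        print(audit_auth_policy(parse_ehlo(EHLO_CLEARTEXT), parse_ehlo(EHLO_AFTER_STARTTLS)))
        print(audit_auth_policy(parse_ehlo(EHLO_WEAK), parse_ehlo(EHLO_WEAK)))
```

Run it with no arguments to exercise the offline checks on the constructed replies, or as `python3 smtp_auth_check.py mail.example.com USERNAME PASSWORD /etc/mail/certs/CAcert.pem` to probe a live server on port 25. The script refuses to send AUTH PLAIN when STARTTLS is not on offer, and starttls() is left to fail on an unverifiable certificate rather than fall back to an unverified session, so a self-signed server needs its CA file passed in.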

Comments

  • Mike (almost 2 years ago)

    I'm configuring a mail server but sendmail doesn't let me send mail from remote devices and/or software. My config: CentOS 6.4, Sendmail 8.14.4.

    Here's the message I get when trying to send emails from outside the server:

    sendmail[25390]: rA4Fp855025390: [213.x.x.x] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    sendmail[25391]: rA4Fp86s025391: ruleset=check_rcpt, arg1=<[email protected]>, relay=[213.x.x.x], reject=550 5.7.1 <[email protected]>... Relaying denied. IP name lookup failed [213.x.x.x]
    sendmail[25391]: rA4Fp86s025391: from=<[email protected]>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[213.x.x.x]
    

    I know there's something with the relay host, but what if you don't know the relay host!? I mean... Anyway, here's the sendmail.mc file:

    divert(-1)dnl
    include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
    VERSIONID(`setup for linux')dnl
    OSTYPE(`linux')dnl
    dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
    dnl define(`confLOG_LEVEL', `9')dnl
    dnl define(`SMART_HOST', `smtp.your.provider')dnl
    define(`confDEF_USER_ID', ``8:12'')dnl
    dnl define(`confAUTO_REBUILD')dnl
    define(`confTO_CONNECT', `1m')dnl
    define(`confTRY_NULL_MX_LIST', `True')dnl
    define(`confDONT_PROBE_INTERFACES', `True')dnl
    define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
    define(`ALIAS_FILE', `/etc/aliases')dnl
    define(`STATUS_FILE', `/var/log/mail/statistics')dnl
    define(`UUCP_MAILER_MAX', `2000000')dnl
    define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
    define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
    define(`confAUTH_OPTIONS', `A')dnl
    MASQUERADE_AS(mydomain.com)dnl
    MASQUERADE_DOMAIN(mydomain.com)dnl
    dnl define(`confAUTH_OPTIONS', `A p')dnl
    dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    dnl define(`confCACERT_PATH', `/etc/mail/certs')dnl
    dnl define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
    dnl define(`confSERVER_CERT', `/etc/mail/certs/MYcert.pem')dnl
    dnl define(`confSERVER_KEY', `/etc/mail/certs/MYkey.pem')dnl
    dnl define(`confCLIENT_CERT', `/etc/mail/certs/MYcert.pem')dnl
    dnl define(`confCLIENT_KEY', `/etc/mail/certs/MYkey.pem')dnl
    dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
    dnl define(`confTO_QUEUEWARN', `4h')dnl
    dnl define(`confTO_QUEUERETURN', `5d')dnl
    dnl define(`confQUEUE_LA', `12')dnl
    dnl define(`confREFUSE_LA', `18')dnl
    define(`confTO_IDENT', `0')dnl
    dnl FEATURE(delay_checks)dnl
    FEATURE(`no_default_msa', `dnl')dnl
    FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
    FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
    FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
    FEATURE(redirect)dnl
    FEATURE(always_add_domain)dnl
    FEATURE(use_cw_file)dnl
    FEATURE(use_ct_file)dnl
    dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
    dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
    FEATURE(`relay_hosts_only')dnl
    FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
    FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
    FEATURE(`blacklist_recipients')dnl
    EXPOSED_USER(`root')dnl
    dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
    dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
    dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
    dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
    dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
    dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
    FEATURE(`accept_unresolvable_domains')dnl
    FEATURE(masquerade_envelope)dnl
    FEATURE(masquerade_entire_domain)dnl
    dnl FEATURE(`relay_based_on_MX')dnl
    LOCAL_DOMAIN(`mydomain.com')dnl
    dnl MASQUERADE_AS(`mydomain.com')dnl
    dnl FEATURE(masquerade_envelope)dnl
    dnl FEATURE(masquerade_entire_domain)dnl
    dnl MASQUERADE_DOMAIN(localhost)dnl
    dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
    dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
    dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
    MAILER(smtp)dnl
    MAILER(procmail)dnl
    dnl MAILER(cyrusv2)dnl
    

    What should I do? How do I know if SMTP-AUTH works? TLS?

    Thank you very much for your help -.-

    • MadHatter (over 10 years ago)
      For sendmail to take email from random devices, for delivery to random third parties, it would have to run as an open relay, and it won't do that by default. You would do well to look into SMTP AUTH; setting it up and configuring it is painful, but if you just configure your system to be an open relay, you'll end up blacklisted and unable to send to anyone.
    • Mike (over 10 years ago)
      I know :( So what can I do? It shouldn't be so hard to just allow authenticated users to send mail from their devices...
    • MadHatter (over 10 years ago)
      It isn't - but you really, really shouldn't.
  • Mike (over 10 years ago)
    I know, I usually install Postfix but the boss needs the PHP mail thing and asked me to move to sendmail... Anyway, from this output (help), both should be supported by sendmail. But when I 'telnet localhost 25' the STARTTLS option doesn't show, rrr...
  • HBruijn (over 10 years ago)
    I'll add some additional instructions to my earlier response.