Difference between revisions of "Sendmail"

From ArchWiki
(Still unfinished! Ok, first version here. Sendmail documentation tends to be somehow hard, so I want to create a very KISS article here. Still missing stuff, like how to add mail-only accounts. Any (KISS) help is welcome)
 
(Now that the systemd unit files and the support for TLS is finally on the package, I have updated the article to reflect those changes)
(13 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 [[Category:Networking]]
+[[Category:Mail Server]]
-Sendmail is the classical SMTP server from the unix world. It was originally coded long time ago, when the internet was a safer place, and back then, security didn't matter as much as does today. Therefore it used to have several security bugs and it got some bad reputation for that. But those bugs are long fixed and a recent sendmail version is as safe as other SMTP servers. If your top priority is security, you should probably use netqmail, however.
+Sendmail is the classical SMTP server from the unix world. It was originally coded long time ago, when the internet was a safer place, and back then, security didn't matter as much as does today. Therefore it used to have several security bugs and it got some bad reputation for that. But those bugs are long fixed and a recent sendmail version is as safe as any other SMTP server. If your top priority is security, you should probably use netqmail, however.
-The goal of this article is to setup Sendmail for local users accounts, '''without using mysql or other database''', and allowing also the creation of ''mail-only accounts''. This article only explains the required steps configuring Sendmail; after that, you probably want to add IMAP and POP3 access, so you should install Dovecot.
+The goal of this article is to setup Sendmail for local users accounts, '''without using mysql or other database''', and allowing also the creation of ''mail-only accounts''.
+This article only explains the required steps configuring Sendmail; after that, you probably want to add IMAP and POP3 access, so you could follow the [[Dovecot]] article.
 ==Installation==
-Install the package {{AUR|sendmail}} from the [[AUR]].
+Install the package {{AUR|sendmail}} from the [[AUR]], and the packages {{Pkg|procmail}} and {{Pkg|m4}} from the [[Official Repositories|official repositories]].
 ==DNS Records==
 You should have a domain, and edit your MX records to point your server. Remember some servers have problems with MX records pointing to CNAMEs, so your MX should point to an A record instead.
+==Adding users==
+* By default, all the local users can have an email address like username@your-domain.com. But if you want to add ''mail-only accounts'', that is, users who can get email, but can't have shell access or login on X, you can add them like this:
+{{bc|useradd -m -s /sbin/nologin joenobody}}
+* Assign a password:
+{{bc|passwd joenobody}}
 ==Configuration==
+=== Create SSL certs ===
+* Generate a key and sign it. Read [[OpenSSL#Generating_keys|OpenSSL]] for more information.
 ===sendmail.cf===
-* Create the file {{ic|/etc/mail/sendmail.mc}} with the following content:
-<pre>
+* Create the file {{ic|/etc/mail/sendmail.mc}}.
+You can read all the options for configuring sendmail on the file {{ic|/usr/share/sendmail-cf/README}}.
+{{Warning|If you create your own sendmail.mc file, remember that plaintext auth over '''non-TLS''' is very risky. Using the following example forces TLS and is therefore more safe unless you know what are you doing}}
+Here is an example using auth over [[Wikipedia:Transport_Layer_Security|TLS]]. The example has comments explaing how it works. The comments start with {{ic|dnl }}.
+{{hc|/etc/mail/sendmail.mc|<nowiki>
 include(`/usr/share/sendmail-cf/m4/cf.m4')
+define(`confDOMAIN_NAME', `your-domain.com')dnl
 FEATURE(use_cw_file)
-dnl FEATURE(`relay_entire_domain')dnl
+dnl The following allows relaying if the user authenticates,
+dnl  and disallows plaintext authentication (PLAIN/LOGIN) on
+dnl  non-TLS links:
+define(`confAUTH_OPTIONS', `A p y')dnl
+dnl
+dnl  Accept PLAIN and LOGIN authentications:
+TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
+define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
+dnl
+dnl Make sure this paths correctly point to your SSL cert files:
+define(`confCACERT_PATH',`/etc/ssl/certs')
+define(`confCACERT',`/etc/ssl/certs/ca.pem')
+define(`confSERVER_CERT',`/etc/ssl/certs/server.crt')
+define(`confSERVER_KEY',`/etc/ssl/private/server.key')
+dnl
 FEATURE(`virtusertable', `hash /etc/mail/virtusertable.db')dnl
 OSTYPE(linux)dnl
 MAILER(local)dnl
 MAILER(smtp)dnl
-</pre>
+</nowiki>}}
 * Then process it with
-m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
+{{bc|# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf}}
 ===local-host-names===
-* Create the file {{ic|/etc/mail/local-host-names}} and put there your domains:
-<pre>
+* Put your domains on the {{ic|local-host-names}} file:
+{{hc|/etc/mail/local-host-names|
 localhost
 your-domain.com
 mail.your-domain.com
 localhost.localdomain
-</pre>
+}}
+* Make sure the domains are also resolved by your {{ic|/etc/hosts}} file.
 ===access.db===
-* Create the file {{ic|/etc/mail/access}}  and put there the base addresses where you want to be able to relay mail. Lets supose you have a vpn on 10.5.0.0/24, and you want to relay address from any ip from there:
-<pre>
+* Create the file {{ic|/etc/mail/access}}  and put there the base addresses where you want to be able to relay mail. Lets suppose you have a vpn on {{ic|10.5.0.0/24}}, and you want to relay mails from any ip in that range:
+{{hc|/etc/mail/access|
 10.5.0 RELAY
 127.0.0 RELAY
-</pre>
+}}
 * Then process it with
-makemap hash /etc/mail/access.db < /etc/mail/access
+{{bc|# makemap hash /etc/mail/access.db < /etc/mail/access}}
 ===aliases.db===
 * Edit the file {{ic|/etc/mail/aliases}}  and  uncomment the line {{ic|#root:        human being here}} and change it to be like this:
-root:        your-username
+{{bc|root:        your-username}}
 * You can add aliases for your usernames there, like:
-coolguy:      your-username
-somedude:    your-username
+{{bc|coolguy:      your-username
+somedude:    your-username}}
 * Then process it with
-newaliases
+{{bc|# newaliases}}
 ===virtusertable.db===
-* Create the file {{ic|/etc/mail/virtusertable}} and put there aliases that includes domains (useful if your server is hosting several domains)
-<pre>
+* Create your {{ic|virtusertable}} file and put there aliases that includes domains (useful if your server is hosting several domains)
+{{hc|/etc/mail/virtusertable|
 your-username@your-domain.com        your-username
-dude@my-other.tk                     other-local-user
+joe@my-other.tk                       joenobody
-</pre>
+}}
 * Then process it with
-makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable
+{{bc|# makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable}}
-==Start the server==
-/etc/rc.d/sendmail start
+=== Start on boot ===
+Enable and start the following services. Read [[Daemons]] for more datails.
+* {{ic|saslauthd.service}}
+* {{ic|sendmail.service}}
+* {{ic|sm-client.service}}
+== Tips and tricks ==
+=== Forward all the mail of one domain to certain user ===
+To forward all mail addressed to any user in the '''my-other.tk''' domain to '''your-username@your-domain.com''', add to the {{ic|/etc/mail/virtusertable}} file:
+{{bc|@my-other.tk        your-username@your-domain.com}}
+Do not forget to process it again with
+{{bc|# makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable}}

Revision as of 22:15, 5 January 2013

Sendmail is the classical SMTP server of the Unix world. It was originally written a long time ago, when the internet was a safer place and security did not matter as much as it does today. It therefore had several security bugs and got a bad reputation for them. Those bugs have long been fixed, and a recent Sendmail version is as safe as any other SMTP server. If security is your top priority, however, you should probably use netqmail.

The goal of this article is to set up Sendmail for local user accounts, without using MySQL or any other database, while also allowing the creation of mail-only accounts.

This article only covers the steps required to configure Sendmail; after that you will probably want IMAP and POP3 access, for which you can follow the Dovecot article.

Installation

Install the package sendmail from the AUR, and the packages procmail and m4 from the official repositories.

DNS Records

You need a domain, and its MX record should point at your server. Some mail servers have trouble with MX records that point to a CNAME, so point your MX at an A record instead.

Adding users

  • By default, every local user can receive email at an address like username@your-domain.com. If you want to add mail-only accounts, that is, users who can receive email but cannot log in to a shell or to X, create them like this:
useradd -m -s /sbin/nologin joenobody
  • Assign a password:
passwd joenobody

Configuration

Create SSL certs

  • Generate a key and sign it. Read OpenSSL for more information.

sendmail.cf

  • Create the file /etc/mail/sendmail.mc.

You can read about all the options for configuring Sendmail in the file /usr/share/sendmail-cf/README.

Warning: If you write your own sendmail.mc file, remember that plaintext authentication over a non-TLS connection is very risky. The following example only allows authentication over TLS and is therefore safer; stick to it unless you know what you are doing.

Here is an example using authentication over TLS. The example has comments explaining how it works; comment lines start with dnl.

/etc/mail/sendmail.mc
include(`/usr/share/sendmail-cf/m4/cf.m4')
define(`confDOMAIN_NAME', `your-domain.com')dnl
FEATURE(use_cw_file)
dnl  The following allows relaying if the user authenticates,
dnl  and disallows plaintext authentication (PLAIN/LOGIN) on
dnl  non-TLS links:
define(`confAUTH_OPTIONS', `A p y')dnl
dnl
dnl  Accept PLAIN and LOGIN authentications:
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl
dnl Make sure these paths correctly point to your SSL cert files:
define(`confCACERT_PATH',`/etc/ssl/certs')
define(`confCACERT',`/etc/ssl/certs/ca.pem')
define(`confSERVER_CERT',`/etc/ssl/certs/server.crt')
define(`confSERVER_KEY',`/etc/ssl/private/server.key')
dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable.db')dnl
OSTYPE(linux)dnl
MAILER(local)dnl
MAILER(smtp)dnl
  • Then process it with
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
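The following pre-flight check is an added example and is not part of the article or of the sendmail package. Run it against sendmail.mc before processing the file with m4: it verifies that confAUTH_OPTIONS carries the p flag (so PLAIN and LOGIN are refused on links without TLS), that every certificate and key path named in the file exists, and that no uncommented promiscuous_relay or relay_entire_domain FEATURE is present. The write_sample_mc function builds a constructed copy of the article's example under a temporary directory, with placeholder certificate files, so the script can be run without Sendmail installed; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the ArchWiki article: lint a sendmail.mc file before
# running "m4 sendmail.mc > sendmail.cf".

# Print the value of define(`NAME', `VALUE') from an .mc file (empty if unset).
mc_define() {
    grep "^define(\`$2'" "$1" 2>/dev/null | sed "s/.*, *\`//; s/').*//"
}

# Exit 0 if confAUTH_OPTIONS contains the lowercase "p" flag, i.e. plaintext
# mechanisms (PLAIN/LOGIN) are only offered once TLS is active.
mc_refuses_plaintext_auth() {
    case "$(mc_define "$1" confAUTH_OPTIONS)" in
        *p*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print "NAME=PATH" for each configured TLS file that is missing on disk.  A
# missing file leaves STARTTLS unavailable, and with "p" set nobody can log in.
mc_missing_tls_files() {
    for name in confCACERT confSERVER_CERT confSERVER_KEY; do
        path=$(mc_define "$1" "$name")
        [ -n "$path" ] && [ ! -f "$path" ] && echo "$name=$path"
    done
    return 0
}

# Print uncommented FEATURE lines that relay for everyone (should be none).
mc_open_relay_features() {
    grep -E "^FEATURE\(\`?(promiscuous_relay|relay_entire_domain)" "$1" 2>/dev/null
    return 0
}

# Run all checks; returns 0 only when the file passes every one.
check_sendmail_mc() {
    rc=0
    if ! mc_refuses_plaintext_auth "$1"; then
        echo "FAIL: confAUTH_OPTIONS lacks the p flag; plaintext auth allowed without TLS" >&2
        rc=1
    fi
    missing=$(mc_missing_tls_files "$1")
    if [ -n "$missing" ]; then
        echo "FAIL: TLS files not found:" >&2; echo "$missing" >&2
        rc=1
    fi
    relay=$(mc_open_relay_features "$1")
    if [ -n "$relay" ]; then
        echo "FAIL: unrestricted relaying enabled:" >&2; echo "$relay" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample: the article's sendmail.mc with the cert paths pointing
# into DIR, plus empty placeholder cert files.  Prints the path of the .mc file.
write_sample_mc() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/private"
    : > "$dir/certs/ca.pem"; : > "$dir/certs/server.crt"; : > "$dir/private/server.key"
    cat > "$dir/sendmail.mc" <<EOF
include(\`/usr/share/sendmail-cf/m4/cf.m4')
define(\`confDOMAIN_NAME', \`your-domain.com')dnl
FEATURE(use_cw_file)
dnl FEATURE(\`relay_entire_domain')dnl
define(\`confAUTH_OPTIONS', \`A p y')dnl
TRUST_AUTH_MECH(\`LOGIN PLAIN')dnl
define(\`confAUTH_MECHANISMS', \`LOGIN PLAIN')dnl
define(\`confCACERT_PATH',\`$dir/certs')
define(\`confCACERT',\`$dir/certs/ca.pem')
define(\`confSERVER_CERT',\`$dir/certs/server.crt')
define(\`confSERVER_KEY',\`$dir/private/server.key')
FEATURE(\`virtusertable', \`hash /etc/mail/virtusertable.db')dnl
OSTYPE(linux)dnl
MAILER(local)dnl
MAILER(smtp)dnl
EOF
    echo "$dir/sendmail.mc"
}

# Usage on a real system: check_sendmail_mc /etc/mail/sendmail.mc && m4 ...
```

The checks are deliberately textual: they read the .mc source rather than the generated .cf, so they catch a weakened AUTH_OPTIONS line or a typo in a certificate path before the map is rebuilt and the service restarted.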

local-host-names

  • Put your domains in the /etc/mail/local-host-names file:
/etc/mail/local-host-names
localhost
your-domain.com
mail.your-domain.com
localhost.localdomain
  • Make sure the domains are also resolved by your /etc/hosts file.

access.db

  • Create the file /etc/mail/access and list the address prefixes from which you want to allow relaying. Suppose you have a VPN on 10.5.0.0/24 and want to relay mail from any IP in that range:
/etc/mail/access
10.5.0 RELAY
127.0.0 RELAY
  • Then process it with
# makemap hash /etc/mail/access.db < /etc/mail/access
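The two helpers below are an added example, not part of the article or of Sendmail. access_lookup emulates the order in which Sendmail tries keys for a connecting IPv4 address (the full address, then the prefix shortened one octet at a time), which is why the entry 10.5.0 covers 10.5.0.0/24 but an entry of just 10 would cover all of 10.0.0.0/8. access_wide_relays lists RELAY entries whose prefix is shorter than three octets, the usual way an access file accidentally turns a server into an open relay. The sample files are constructed here (the article's two lines, and a variant with a too-wide entry); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the ArchWiki article: check /etc/mail/access before
# rebuilding it with makemap.

# Print "KEY ACTION" for the first access entry matching IP; exit 1 if none.
access_lookup() {
    file="$1"; key="$2"
    while [ -n "$key" ]; do
        hit=$(awk -v k="$key" '
            !/^[[:space:]]*(#|$)/ && ($1 == k || $1 == ("Connect:" k)) { print $1, $2; exit }
        ' "$file")
        if [ -n "$hit" ]; then
            echo "$hit"
            return 0
        fi
        # drop the last octet and try again: 10.5.0.7 -> 10.5.0 -> 10.5 -> 10
        case "$key" in
            *.*) key="${key%.*}" ;;
            *)   key="" ;;
        esac
    done
    return 1
}

# Print one line per RELAY entry whose IPv4 prefix is wider than a /24
# (fewer than three octets).  Hostname keys are not IP prefixes and are skipped.
access_wide_relays() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        toupper($2) == "RELAY" {
            key = $1
            sub(/^Connect:/, "", key)            # tolerate the optional Connect: tag
            if (key ~ /^[0-9]+(\.[0-9]+)*$/ && split(key, o, ".") < 3)
                print "wide RELAY prefix: " $1
        }' "$1"
    return 0
}

# The article's access file (VPN on 10.5.0.0/24 plus loopback); prints its path.
write_sample_access() {
    printf '%s\n' '10.5.0 RELAY' '127.0.0 RELAY' > "$1/access"
    echo "$1/access"
}

# Constructed variant with a too-wide entry added by mistake; prints its path.
write_wide_access() {
    printf '%s\n' '# relay for the VPN' '10.5.0 RELAY' '127.0.0 RELAY' '10 RELAY' > "$1/access-wide"
    echo "$1/access-wide"
}

# Usage on a real system: access_wide_relays /etc/mail/access
#                         access_lookup /etc/mail/access 10.5.0.7
```

Run access_wide_relays on the file every time you edit it; an empty result is what you want before running makemap.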

aliases.db

  • Edit the file /etc/mail/aliases, uncomment the line #root: human being here and change it to:
root:         your-username
  • You can add aliases for your usernames there, like:
coolguy:      your-username
somedude:     your-username
  • Then process it with
# newaliases

virtusertable.db

  • Create the file /etc/mail/virtusertable and put there aliases that include the domain part (useful if your server hosts several domains):
/etc/mail/virtusertable
your-username@your-domain.com         your-username
joe@my-other.tk                       joenobody
  • Then process it with
# makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable

Start on boot

Enable and start the following services. Read Daemons for more details.

  • saslauthd.service
  • sendmail.service
  • sm-client.service

Tips and tricks

Forward all the mail of one domain to a certain user

To forward all mail addressed to any user in the my-other.tk domain to your-username@your-domain.com, add to the /etc/mail/virtusertable file:

@my-other.tk        your-username@your-domain.com

Do not forget to process it again with

# makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable
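The resolver below is an added example and is not part of the article or of Sendmail. It emulates the virtusertable lookup order for a single recipient, covering both the per-user entries in the virtusertable.db section and the @domain catch-all from this section: the exact user@domain key wins, and only if no such key exists does the catch-all apply. A %1 on the right-hand side of a catch-all is replaced by the original local part, which is how Sendmail rewrites one domain onto another user by user. The sample table is constructed here from the article's entries, the catch-all above, and one extra %1 line for example.net; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the ArchWiki article: show what an address resolves
# to under a virtusertable before rebuilding the map with makemap.

# Print the target for ADDR from the virtusertable FILE; exit 1 if no entry applies.
virtuser_resolve() {
    file="$1"; addr="$2"
    user="${addr%@*}"; domain="${addr#*@}"
    awk -v exact="$addr" -v catchall="@$domain" -v u="$user" '
        /^[[:space:]]*(#|$)/ { next }
        $1 == exact    { found = $2; exit }                 # exact key: stop here
        $1 == catchall { if (found == "") found = $2 }     # remember the catch-all, keep scanning
        END {
            if (found == "") exit 1
            gsub(/%1/, u, found)                            # %1 = original local part
            print found
        }' "$file"
}

# Constructed sample: the article's two entries, the catch-all from this
# section, and a %1 rewrite for a third domain.  Prints the file path.
write_sample_virtusertable() {
    cat > "$1/virtusertable" <<'EOF'
your-username@your-domain.com        your-username
joe@my-other.tk                      joenobody
@my-other.tk        your-username@your-domain.com
@example.net        %1@your-domain.com
EOF
    echo "$1/virtusertable"
}

# Usage on a real system: virtuser_resolve /etc/mail/virtusertable joe@my-other.tk
```

Because the exact entry for joe@my-other.tk is checked first, adding the catch-all does not change where joe's mail goes; every other address in that domain falls through to your-username@your-domain.com.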