Nethence Newdoc Olddoc Lab Your IP BBDock  


Warning: those guides are mostly obsolete, please have a look at the new documentation.

UnixWindowsOracleObsoleteHardwareDIYMechanicsScriptsConfigs

Setting up a Sendmail SMTP server with DNSBL / RBL, greylisting, ClamAV-milter, procmail and SASL on FreeBSD 8
 
http://pbraun.nethence.com/unix/mail/sendmail.html
http://pbraun.nethence.com/unix/mail/procmail.html
http://pbraun.nethence.com/unix/mail/procmail-qsf.html
http://pbraun.nethence.com/unix/mail/milter-greylist.html
http://pbraun.nethence.com/unix/mail/milter_clamav-milter.html
http://pbraun.nethence.com/unix/mail/dovecotv1_maildir.html
 
Requirements
Do not forget to register your SMTP host as an MX for the hosted domain in its DNS records, and also make sure it reverse-resolves.
 
Make sure HOSTNAME points to FQDN otherwise you would have to deal with the "WHO AM I" FAQ into cf/README.
 
Configuring Sendmail
Enable and start the daemon already,
ps aux | grep sendmail
cd /etc/
echo sendmail_enable=YES >> rc.conf
rc.d/sendmail restart
ps aux | grep sendmail
 
Generate the default configuration based on the FreeBSD template,
cd /etc/mail/
echo $HOSTNAME
sed '/^#/d; /^dnl/d; /^divert/d; /^$/d; /^VERSIONID/d;' freebsd.mc | tee $HOSTNAME.mc.dist > $HOSTNAME.mc
vi $HOSTNAME.mc
remove the mailertable and virtusertable features if you do not need them, you should end up with something like this,
OSTYPE(freebsd6)
DOMAIN(generic)
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
define(`confCW_FILE', `-o /etc/mail/local-host-names')
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
define(`confMAX_MESSAGE_SIZE',`31457280')dnl
MAILER(local)
MAILER(smtp)
note. message maximum size is set to 30MB, change accordingly e.g. 10485760 for 10MB.
configure your local hostnames and domains you need to receive messages for,
cd /etc/mail/
cat >> local-host-names <<EOF9
example.net
bsd.example.net
EOF9
and apply,
make all install restart
 
Configure aliases (at least 'root' and 'postmaster' accounts -- 'webmaster' and 'contact' too eventually),
cd /etc/mail/
cp aliases aliases.dist
vi aliases
and apply,
newaliases
 
Create some mail user,
pw useradd MAILUSER -g mail -s /sbin/nologin -m
passwd MAILUSER
chmod 700 /home/MAILUSER/
 
At this point you should be able to receive messages from the public, check into,
/var/mail/MAILUSER
 
Refs.
less /usr/src/contrib/sendmail/cf/README
protocole smtp: log d'une session telnet: http://www.iprelax.fr/smtp/smtp_session.php
Installing and Using procmail as the LDA for sendmail under FreeBSD: http://www.puresimplicity.net/~hemi/freebsd/procmail.html
Features ==> local_procmail
Saving in MAILDIR format with Sendmail: http://lists.freebsd.org/pipermail/freebsd-questions/2006-April/117851.html
 
Enabling procmail
Enable procmail by lmtp,
cp /usr/local/share/examples/procmail/local_procmail_lmtp.m4 /usr/share/sendmail/cf/feature/local_procmail_lmtp.m4
in the .mc file, replace "local_lmtp" with "local_procmail_lmtp",
dnl FEATURE(local_procmail)
FEATURE(local_procmail_lmtp)
Note. keep mailer local, MAILER(procmail) is not needed.
and apply,
make all install restart
 
Note. you could also proceed otherwise with the simple .forward trick for each mail user (this isn't needed as we hard-configured procmail as LDA into Sendmail),
#vi ~/.forward
like,
#"|IFS=' '&&p=/usr/local/bin/procmail&&test -f $p&&exec $p -f-||exit 75"
 
See http://pbraun.nethence.com/unix/mail/procmail.html for further procmail configuration.
 
Refs.
Procmail: http://wiki.dreamhost.com/Procmail
Mail Filtering with Procmail: http://userpages.umbc.edu/~ian/procmail.html
Procmail FAQ: http://partmaps.org/era/procmail/mini-faq.html
Mail Filtering with Procmail: http://www.cs.columbia.edu/crf/howto/procmail-howto.html
 
Enabling DNSBL / RBL
Simply add those to your <hostname>.mc,
dnl hostkarma.junkemailfilter.com and spam.dnsbl.sorbs.net too agressive
dnl apews may be too agressive - http://www.anta.net/irt/apews.shtml
FEATURE(`dnsbl',`l2.apews.org')
FEATURE(`dnsbl',`b.barracudacentral.org')
FEATURE(`dnsbl',`public.sarbl.org')
FEATURE(`dnsbl',`dnsbl.sorbs.net')
FEATURE(`dnsbl',`bl.spamcop.net')
FEATURE(`dnsbl',`zen.spamhaus.org')
 
dnl FEATURE(`dnsbl',`cbl.abuseat.org')
dnl FEATURE(`dnsbl',`all.s5h.net')
dnl FEATURE(`dnsbl',`all.spamrats.com')
dnl FEATURE(`dnsbl',`bl.tiopan.com')
dnl FEATURE(`dnsbl',`dnsbl-1.uceprotect.net')
dnl FEATURE(`dnsbl',`dnsbl-2.uceprotect.net')
dnl FEATURE(`dnsbl',`ubl.unsubscore.com')
dnl FEATURE(`dnsbl',`free.v4bl.org')
and apply,
make all install restart
 
Other available blacklists,
psbl.surriel.com
list.dnswl.org (whitelist)
 
Refs.
Blacklists Compared: http://www.sdsc.edu/~jeff/spam/cbc.html
DNSBL: Configuring Sendmail for DNS-Based Blacklisting: http://weldon.whipple.org/sendmail/dnsbl.html
Using SORBS DNSBL with Sendmail.: http://www.sorbs.net/mailsystems/sendmail.shtml
 
Enabling SASL authentication
Recompile Sendmail with with the Cyrus SASL library,
echo $PACKAGESITE
#http://ftp.nerim.net/FreeBSD/releases/amd64/8.4-RELEASE/packages/Latest/
pkg_add -r cyrus-sasl2
cd /usr/local/lib/sasl2/
[[ ! -f Sendmail.conf ]] && echo 'pwcheck_method: saslauthd' > Sendmail.conf
cat Sendmail.conf
pkg_add -r cyrus-sasl-saslauthd
echo 'saslauthd_enable="YES"' >> /etc/rc.conf
service saslauthd start
cat >> /etc/make.conf <<EOF9
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
EOF9
tail -3 /etc/make.conf
#uname -r
#cd /usr/src
#grep RELEASE UPDATING
cd /usr/src/lib/libsmutil
make cleandir && make obj && make
cd /usr/src/lib/libsm
make cleandir && make obj && make
cd /usr/src/usr.sbin/sendmail
make cleandir && make obj && make && make install
check that SASL is now compiled in,
sendmail -d0.1 < /dev/null | grep SASL
 
Setup and restart Sendmail for SASL authentication to be enabled,
cd /etc
vi `hostname`.mc
make install restart
 
You can now send outgoing emails with your mail account through your server using port 587 (submission) only without TLS nor SSL for now.
 
Note. I had also to overcome the DNSBL blocking my client IP (internet access provider customers' IP are blocked),
cd /etc/mail
vi access
# comment
localhost RELAY
resolv_of_your_IAP_IP RELAY
make install restart
 
Refs.
27.9. SMTP Authentication: http://www.freebsd.org/doc/handbook/SMTP-Auth.html
Configuring a FreeBSD client & server to use SASL Auth for client to identify itself to server to send outgoing mail to proxy smart mailer.: http://www.berklix.com/~jhs/txt/sasl.html
 
Enabling Greylisting
See http://pbraun.nethence.com/unix/mail/milter-greylist.html for greylisting.
 
Enabling ClamAV-milter
See http://pbraun.nethence.com/unix/mail/milter_clamav-milter.html for that.
 
Culumating input filters
Once you've placed your input filters in order (say greylist and clmilter), redefine them in order, for example,
define(`confINPUT_MAIL_FILTERS', `greylist, clmilter')
 
Further precautions
You can also tweak the system tcp wrapper so host names that do not resolv get refused without being able to connect,
vi /etc/hosts.allow
# Block possibly spoofed requests to sendmail:
sendmail : PARANOID : deny
Refs.
Limiting Access to TCP-wrapped Services with hosts.allow
http://static.closedsrc.org/articles/dn-articles/hosts_allow.html
 
And finally on the firewall (I prefer ipfilter on netbsd and freebsd) I just let the port 25 open, not the submission port 587.
 
Testing
Make sure the machine resolves from the public network,
ping mx.example.net 
make sure it is recorded as MX for the hosted domain,
host -t mx example.net 
make sure it also reverse-resolves,
host X.X.X.X 
 
Check that the standard activty, namely receiving messages through non-blacklisted SMTP relays for example.net actually works.
 
Connect to the host through telnet on port 25 from an IAP IP (DNSBL blocked),
helo lala
helo lala
mail from:email@example.net
should return,
550 5.7.1 Rejected: 87.88.90.231 listed at zen.spamhaus.org
 
Disable DNSBL temporarily and check for open proxy from a remote IP that is not relayed in the access file (comment temporarily and remake the access.db if necessary),
helo lala
helo lala
mail from:email@example.net
rcpt to:email@another-domain-non-hosted.net
should return,
550 5.7.1 email@another-domain-non-hosted.net... Relaying denied. Proper authentication required.
 
Usage
Find out which version of Sendmail you are running,
sendmail -d0.4 -bv root
telnet 127.0.0.1 25
Ref. Other often asked questions about sendmail: http://www.sendmail.org/~ca/email/lfaq.html
 
Show the server (MTA) queue,
mailq
Note. 'mailq' is equivalent fot 'sendmail -bp'
Note. '-v' for details on the mqueue filename
 
List the client (mail submission) mqueue,
mailq -Ac
 
To force the delivery of the server queue,
sendmail -q -v
 

(obsolete, see the new doc)