
Warning: these guides are mostly obsolete, please have a look at the new documentation.


Setting up a Sendmail SMTP server with DNSBL / RBL, greylisting, ClamAV-milter, procmail and SASL on FreeBSD 8
Do not forget to register your SMTP host as an MX for the hosted domain in its DNS records, and also make sure it reverse-resolves.
Make sure HOSTNAME is set to the FQDN, otherwise you will have to deal with the "WHO AM I" FAQ in cf/README.
Configuring Sendmail
Enable and start the daemon already,
ps aux | grep sendmail
cd /etc/
echo sendmail_enable=YES >> rc.conf
rc.d/sendmail restart
ps aux | grep sendmail
Generate the default configuration based on the FreeBSD template,
cd /etc/mail/
sed '/^#/d; /^dnl/d; /^divert/d; /^$/d; /^VERSIONID/d;' | tee $ > $
vi $
Remove the mailertable and virtusertable features if you do not need them. You should end up with something like this,
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
define(`confCW_FILE', `-o /etc/mail/local-host-names')
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
Note. The maximum message size is set to 30MB; change accordingly, e.g. 10485760 for 10MB.
Configure the local host names and domains you need to receive messages for,
cd /etc/mail/
cat >> local-host-names <<EOF9
and apply,
make all install restart
Configure aliases (at least the 'root' and 'postmaster' accounts, and possibly 'webmaster' and 'contact' too),
cd /etc/mail/
cp aliases aliases.dist
vi aliases
and apply,
Create a mail user,
pw useradd MAILUSER -g mail -s /sbin/nologin -m
chmod 700 /home/MAILUSER/
At this point you should be able to receive messages from the public, check into,
less /usr/src/contrib/sendmail/cf/README
SMTP protocol: log of a telnet session:
Installing and Using procmail as the LDA for sendmail under FreeBSD:
Features ==> local_procmail
Saving in MAILDIR format with Sendmail:
Enabling procmail
Enable procmail via LMTP,
cp /usr/local/share/examples/procmail/local_procmail_lmtp.m4 /usr/share/sendmail/cf/feature/local_procmail_lmtp.m4
In the .mc file, replace "local_lmtp" with "local_procmail_lmtp",
dnl FEATURE(local_procmail)
Note. Keep the local mailer; MAILER(procmail) is not needed.
and apply,
make all install restart
Note. Alternatively, you could use the simple .forward trick for each mail user (this isn't needed as we hard-configured procmail as the LDA in Sendmail),
#vi ~/.forward
#"|IFS=' '&&p=/usr/local/bin/procmail&&test -f $p&&exec $p -f-||exit 75"
See for further procmail configuration.
Mail Filtering with Procmail:
Procmail FAQ:
Enabling DNSBL / RBL
Simply add these to your <hostname>.mc,
dnl and too aggressive
dnl apews may be too aggressive -
dnl FEATURE(`dnsbl',`')
dnl FEATURE(`dnsbl',`')
dnl FEATURE(`dnsbl',`')
dnl FEATURE(`dnsbl',`')
dnl FEATURE(`dnsbl',`')
dnl FEATURE(`dnsbl',`')
dnl FEATURE(`dnsbl',`')
dnl FEATURE(`dnsbl',`')
and apply,
make all install restart
Other available blacklists, (whitelist)
Blacklists Compared:
DNSBL: Configuring Sendmail for DNS-Based Blacklisting:
Using SORBS DNSBL with Sendmail.:
Enabling SASL authentication
Recompile Sendmail with the Cyrus SASL library,
pkg_add -r cyrus-sasl2
cd /usr/local/lib/sasl2/
[ ! -f Sendmail.conf ] && echo 'pwcheck_method: saslauthd' > Sendmail.conf
cat Sendmail.conf
pkg_add -r cyrus-sasl-saslauthd
echo 'saslauthd_enable="YES"' >> /etc/rc.conf
service saslauthd start
cat >> /etc/make.conf <<EOF9
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
EOF9
tail -3 /etc/make.conf
#uname -r
#cd /usr/src
cd /usr/src/lib/libsmutil
make cleandir && make obj && make
cd /usr/src/lib/libsm
make cleandir && make obj && make
cd /usr/src/usr.sbin/sendmail
make cleandir && make obj && make && make install
Check that SASL is now compiled in,
sendmail -d0.1 < /dev/null | grep SASL
Setup and restart Sendmail for SASL authentication to be enabled,
cd /etc/mail
vi `hostname`.mc
make install restart
You can now send outgoing emails with your mail account through your server, using port 587 (submission) only, without TLS or SSL for now.
Note. I also had to overcome the DNSBL blocking my client IP (internet access provider customers' IPs are blocked),
cd /etc/mail
vi access
# comment
localhost RELAY
resolv_of_your_IAP_IP RELAY
make install restart
27.9. SMTP Authentication:
Configuring a FreeBSD client & server to use SASL Auth for client to identify itself to server to send outgoing mail to proxy smart mailer.:
Enabling Greylisting
See for greylisting.
Enabling ClamAV-milter
See for that.
Combining input filters
Once you've placed your input filters in order (say greylist and clmilter), redefine them in order, for example,
define(`confINPUT_MAIL_FILTERS', `greylist, clmilter')
Further precautions
You can also tweak the system TCP wrapper so that host names that do not resolve get refused without being able to connect,
vi /etc/hosts.allow
# Block possibly spoofed requests to sendmail:
sendmail : PARANOID : deny
Limiting Access to TCP-wrapped Services with hosts.allow
And finally, on the firewall (I prefer ipfilter on NetBSD and FreeBSD), I just leave port 25 open, not the submission port 587.
Make sure the machine resolves from the public network,
make sure it is recorded as MX for the hosted domain,
host -t mx 
make sure it also reverse-resolves,
host X.X.X.X 
Check that the standard activity, namely receiving messages through non-blacklisted SMTP relays for actually works.
Connect to the host through telnet on port 25 from an IAP IP (DNSBL blocked),
helo lala
helo lala
should return,
550 5.7.1 Rejected: listed at
Disable DNSBL temporarily and check for open proxy from a remote IP that is not relayed in the access file (comment temporarily and remake the access.db if necessary),
helo lala
helo lala
should return,
550 5.7.1 Relaying denied. Proper authentication required.
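The two test sessions above can be checked mechanically once saved to a file. The script below is an added example, not part of the original guide; the "C: "/"S: " transcript convention, the function names, and every host, address and DNSBL zone in it are constructed for illustration. It assumes the test recipient is outside the hosted domain.

```shell
#!/bin/sh
# Added example: classify a saved SMTP test session. Assumed convention:
# "C: " = line typed by the client, "S: " = server reply. All names are constructed.

# Usage: smtp_verdict HOSTED_DOMAIN < transcript
smtp_verdict() {
    awk -v mydom="$1" '
        /^C: / { cmd = substr($0, 4); next }
        /^S: [0-9][0-9][0-9]-/ { next }   # non-final line of a multi-line reply
        /^S: [0-9][0-9][0-9]/ {
            code = substr($0, 4, 3)
            if (code == "550" && /listed at/)       { v = "dnsbl-rejected"; exit }
            if (code == "550" && /Relaying denied/) { v = "relay-denied"; exit }
            if (toupper(cmd) ~ /^RCPT TO:/ && code ~ /^2/) {
                # A 2xx reply to RCPT TO: compare the recipient domain with ours
                dom = tolower(cmd); sub(/^.*@/, "", dom); sub(/>.*$/, "", dom)
                v = (dom == tolower(mydom)) ? "local-accepted" : "open-relay"
                exit
            }
        }
        END { print (v == "" ? "inconclusive" : v) }'
}

session_listed_client() { cat <<'EOF'
S: 220 mx.example.org ESMTP Sendmail
C: HELO client.example.net
S: 250 mx.example.org Hello client.example.net, pleased to meet you
C: MAIL FROM:<test@example.net>
S: 550 5.7.1 Rejected: 192.0.2.10 listed at dnsbl.example.org
EOF
}

session_relay_attempt() {   # $1 = server reply to the RCPT TO command
    cat <<EOF
S: 220 mx.example.org ESMTP Sendmail
C: EHLO client.example.net
S: 250-mx.example.org Hello client.example.net, pleased to meet you
S: 250 HELP
C: MAIL FROM:<test@example.net>
S: 250 2.1.0 <test@example.net>... Sender ok
C: RCPT TO:<someone@example.com>
S: $1
EOF
}

session_listed_client | smtp_verdict example.org
session_relay_attempt '550 5.7.1 Relaying denied. Proper authentication required.' |
    smtp_verdict example.org
session_relay_attempt '250 2.1.5 <someone@example.com>... Recipient ok' |
    smtp_verdict example.org
```

A verdict of open-relay for a session run from an unauthenticated remote IP means the relay restriction is not in effect and the access file and SASL setup need rechecking.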
Find out which version of Sendmail you are running,
sendmail -d0.4 -bv root
telnet 25
Ref. Other often asked questions about sendmail:
Show the server (MTA) queue,
Note. 'mailq' is equivalent to 'sendmail -bp'
Note. '-v' for details on the mqueue filename
List the client (mail submission) mqueue,
mailq -Ac
To force the delivery of the server queue,
sendmail -q -v
