This is an obsolete doc -- see instead

Setting up a Sendmail SMTP server with DNSBL / RBL, greylisting, ClamAV-milter, procmail and SASL on FreeBSD 8 



Do not forget to register your SMTP host as an MX for the hosted domain in its DNS records, and also make sure it reverse-resolves. 


Make sure the hostname is set to the FQDN; otherwise you will have to deal with the "WHO AM I" FAQ in cf/README. 


Configuring Sendmail 

Enable and start the daemon already, 

ps aux | grep sendmail 

cd /etc/ 

echo sendmail_enable=YES >> rc.conf 

rc.d/sendmail restart 

ps aux | grep sendmail 


Generate the default configuration based on the FreeBSD template, 

cd /etc/mail/ 


sed '/^#/d; /^dnl/d; /^divert/d; /^$/d; /^VERSIONID/d;' | tee $ > $ 

vi $ 

Remove the mailertable and virtusertable features if you do not need them; you should end up with something like this, 



FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access') 



define(`confCW_FILE', `-o /etc/mail/local-host-names') 

DAEMON_OPTIONS(`Name=IPv4, Family=inet') 

DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O') 

define(`confBIND_OPTS', `WorkAroundBrokenAAAA') 

define(`confNO_RCPT_ACTION', `add-to-undisclosed') 

define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy') 




Note. the message maximum size is set to 30MB; change it accordingly, e.g. 10485760 for 10MB. 

Configure the local hostnames and domains you need to receive messages for, 

cd /etc/mail/ 

cat >> local-host-names <<EOF9 


and apply, 

  make all install restart 


Configure aliases (at least the 'root' and 'postmaster' accounts; possibly 'webmaster' and 'contact' too), 

  cd /etc/mail/ 

  cp aliases aliases.dist 

  vi aliases 

and apply, 



Create a mail user, 

  pw useradd MAILUSER -g mail -s /sbin/nologin -m 

  passwd MAILUSER 

  chmod 700 /home/MAILUSER/ 


At this point you should be able to receive messages from the public; check in, 




less /usr/src/contrib/sendmail/cf/README 

SMTP protocol: log of a telnet session: 

Installing and Using procmail as the LDA for sendmail under FreeBSD: 

Features ==> local_procmail 

Saving in MAILDIR format with Sendmail: 


Enabling procmail 

Enable procmail through LMTP, 

  cp /usr/local/share/examples/procmail/local_procmail_lmtp.m4 /usr/share/sendmail/cf/feature/local_procmail_lmtp.m4 

in the .mc file, replace "local_lmtp" with "local_procmail_lmtp", 

dnl FEATURE(local_procmail) 


Note. keep the local mailer; MAILER(procmail) is not needed. 

and apply, 

  make all install restart 


Note. you could also do it the other way, with the simple .forward trick for each mail user (not needed here since we hard-configured procmail as the LDA in Sendmail), 

  #vi ~/.forward 


#"|IFS=' '&&p=/usr/local/bin/procmail&&test -f $p&&exec $p -f-||exit 75" 


See for further procmail configuration. 




Mail Filtering with Procmail: 

Procmail FAQ: 

Mail Filtering with Procmail: 


Enabling DNSBL / RBL 

Simply add those to your <hostname>.mc, 

dnl and too aggressive 

dnl apews may be too aggressive - 








dnl FEATURE(`dnsbl',`') 

dnl FEATURE(`dnsbl',`') 

dnl FEATURE(`dnsbl',`') 

dnl FEATURE(`dnsbl',`') 

dnl FEATURE(`dnsbl',`') 

dnl FEATURE(`dnsbl',`') 

dnl FEATURE(`dnsbl',`') 

dnl FEATURE(`dnsbl',`') 

and apply, 

  make all install restart 
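The DNSBL zone names in the FEATURE lines above did not survive in this copy of the page, so here is an added example (not part of the original page and not Sendmail's own code) of what FEATURE(`dnsbl') does for every connecting client: reverse the address octets, append the list's zone, query that name, and treat an A answer inside 127.0.0.0/8 (the range RFC 5782 reserves for list answers) as a listing. It goes slightly beyond the page's IPv4 lists by also building the nibble-reversed IPv6 form. The zone `dnsbl.example.invalid`, the constructed addresses and the stub resolver used offline are assumptions; substitute the zones you actually configure.

```python
import ipaddress
import socket

# Placeholder zone (assumption): the page's real DNSBL zone names are not
# available in this copy, so substitute the list you actually configure.
EXAMPLE_ZONE = "dnsbl.example.invalid"

# Answers that mean "listed" live in 127.0.0.0/8 (RFC 5782); anything else
# is a broken or decommissioned zone and must not count as a hit.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Name a DNSBL client queries for `ip` in `zone`.

    IPv4: octets reversed, e.g. 192.0.2.10 -> 10.2.0.192.<zone>
    IPv6: all 32 hex nibbles reversed and dot separated (RFC 5782 form).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def system_resolve_a(name):
    """A-record lookup through the system resolver; [] on NXDOMAIN/failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def dnsbl_lookup(ip, zone, resolve=system_resolve_a):
    """Return (listed, answers) for `ip` against `zone`.

    `resolve(name)` returns the A records as strings, [] when absent.
    Pass a stub resolver (as the offline check does) to avoid network use.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    hits = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
    return bool(hits), answers


def check_client(ip, zones, resolve=system_resolve_a):
    """Check one client address against several zones, as Sendmail does when
    several FEATURE(`dnsbl') lines are stacked. Returns the zones listing it."""
    return [zone for zone in zones if dnsbl_lookup(ip, zone, resolve)[0]]


if __name__ == "__main__":
    import sys
    client_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(client_ip, "listed in:", check_client(client_ip, [EXAMPLE_ZONE]))
```

The 127.0.0.0/8 filter is deliberate: a list that has been shut down and parked on a wildcard record answers with some unrelated address, and a check that accepts any A record would then reject every client. Sendmail's plain dnsbl feature does accept any answer, which is one more reason to periodically verify each zone you keep in the `.mc` file.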


Other available blacklists, (whitelist) 



Blacklists Compared: 

DNSBL: Configuring Sendmail for DNS-Based Blacklisting: 

Using SORBS DNSBL with Sendmail: 


Enabling SASL authentication 

Recompile Sendmail with the Cyrus SASL library, 



pkg_add -r cyrus-sasl2 

cd /usr/local/lib/sasl2/ 

[ ! -f Sendmail.conf ] && echo 'pwcheck_method: saslauthd' > Sendmail.conf 

cat Sendmail.conf 

pkg_add -r cyrus-sasl-saslauthd 

echo 'saslauthd_enable="YES"' >> /etc/rc.conf 

service saslauthd start 

cat >> /etc/make.conf <<EOF9 

SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL 




tail -3 /etc/make.conf 

#uname -r 

#cd /usr/src 


cd /usr/src/lib/libsmutil 

make cleandir && make obj && make 

cd /usr/src/lib/libsm 

make cleandir && make obj && make 

cd /usr/src/usr.sbin/sendmail 

make cleandir && make obj && make && make install 

check that SASL is now compiled in, 

  sendmail -d0.1 < /dev/null | grep SASL 


Setup and restart Sendmail for SASL authentication to be enabled, 

cd /etc/mail 

vi `hostname`.mc 

make install restart 


You can now send outgoing mail with your mail account through your server, on port 587 (submission) only, and without TLS or SSL for now. 


Note. I also had to overcome the DNSBL blocking my client IP (Internet access provider customers' IPs are blocked), 

cd /etc/mail 

vi access 

# comment 

localhost RELAY 

resolv_of_your_IAP_IP RELAY 

make install restart 



27.9. SMTP Authentication: 

Configuring a FreeBSD client & server to use SASL Auth for client to identify itself to server to send outgoing mail to proxy smart mailer: 


Enabling Greylisting 

See for greylisting. 


Enabling ClamAV-milter 

See for that. 


Cumulating input filters 

Once you have chosen the order of your input filters (say greylist then clmilter), declare them in that order, for example, 

define(`confINPUT_MAIL_FILTERS', `greylist, clmilter') 


Further precautions 

You can also tweak the system TCP wrapper so that hosts whose name does not resolve back to their address (the PARANOID match) are refused before they can even talk to Sendmail, 

vi /etc/hosts.allow 

# Block possibly spoofed requests to sendmail: 

sendmail : PARANOID : deny 
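To make the PARANOID rule above concrete, here is an added example (not from the original page and not tcp wrappers' own code) of the classification libwrap performs before it matches the client list in hosts.allow: the connecting address is looked up in reverse, the resulting name is resolved forward again, and the client counts as PARANOID only when a name exists but does not map back to the connecting address. The resolver callbacks, the constructed lookup tables and the example hostnames are assumptions made for offline use.

```python
import socket


def classify_client(client_ip, reverse_lookup, forward_lookup):
    """Classify a connecting address the way tcp wrappers does before it
    matches the client list in hosts.allow.

    "UNKNOWN"  - the address has no reverse (PTR) name
    "PARANOID" - a PTR name exists but does not resolve back to client_ip
    "KNOWN"    - name and address agree; rules may match on the name
    """
    name = reverse_lookup(client_ip)
    if not name:
        return "UNKNOWN"
    if client_ip not in forward_lookup(name):
        return "PARANOID"
    return "KNOWN"


def hosts_allow_decision(client_ip, reverse_lookup, forward_lookup,
                         deny_classes=("PARANOID",)):
    """Decision for the page's rule `sendmail : PARANOID : deny` (the default
    deny_classes); pass ("PARANOID", "UNKNOWN") for the stricter variant."""
    cls = classify_client(client_ip, reverse_lookup, forward_lookup)
    return "deny" if cls in deny_classes else "allow"


# Live lookups through the system resolver, for use on a real host.
def system_reverse_lookup(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward_lookup(name):
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


# Constructed lookup tables standing in for DNS so the check runs offline.
CONSTRUCTED_PTR = {
    "192.0.2.10": "mx.example.invalid",    # forward and reverse agree
    "192.0.2.20": "mail.example.invalid",  # PTR names a host that resolves elsewhere
}
CONSTRUCTED_A = {
    "mx.example.invalid": ["192.0.2.10"],
    "mail.example.invalid": ["198.51.100.5"],
}


def table_reverse_lookup(ip):
    return CONSTRUCTED_PTR.get(ip)


def table_forward_lookup(name):
    return CONSTRUCTED_A.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "203.0.113.7"):
        print(ip, classify_client(ip, table_reverse_lookup, table_forward_lookup),
              hosts_allow_decision(ip, table_reverse_lookup, table_forward_lookup))
```

Note that a client with no PTR record at all is UNKNOWN rather than PARANOID, so the rule on the page lets it through; list both wildcards (`sendmail : PARANOID, UNKNOWN : deny`) if you also want to refuse those. Legitimate mail servers with sloppy reverse DNS do exist, so keep an eye on the wrapper's rejections in the logs before tightening further.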


Limiting Access to TCP-wrapped Services with hosts.allow 


And finally, on the firewall (I prefer ipfilter on NetBSD and FreeBSD) I just leave port 25 open, not the submission port 587. 



Make sure the machine resolves from the public network, 


make sure it is recorded as MX for the hosted domain, 

  host -t mx 

make sure it also reverse-resolves, 

  host X.X.X.X 


Check that the standard activity, namely receiving messages for the hosted domain through non-blacklisted SMTP relays, actually works. 


Connect to the host through telnet on port 25 from an IAP IP (DNSBL blocked), 

helo lala 

helo lala 


should return, 

550 5.7.1 Rejected: listed at 


Disable DNSBL temporarily and check for an open relay from a remote IP that is not allowed to relay in the access file (comment out the entry temporarily and rebuild access.db if necessary), 

helo lala 

helo lala 



should return, 

550 5.7.1 Relaying denied. Proper authentication required. 
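Both checks above (the DNSBL rejection and the relaying test) are the same short SMTP dialog read by hand over telnet. Here is an added example, not from the original page, that drives that dialog from a script and classifies the answer so the two checks can be repeated against your own server after each `make install restart`: a 4xx/5xx before RCPT is recorded as `rejected` together with the stage it happened at (which is how a DNSBL hit shows up), a 5xx on RCPT TO for a foreign domain is `relay-denied` (the expected answer), a 4xx there is `tempfail` (greylisting), and a 2xx there is `open-relay`. The probe never sends DATA, so nothing is ever queued. `fake_mta` is a constructed stand-in for Sendmail so the probe can be exercised offline; the hostnames and addresses are constructed as well.

```python
import socket
import threading


def _read_reply(rfile):
    """Read one SMTP reply, multi-line aware; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        if len(text) < 4 or text[3] != "-":  # "250-x" continues, "250 x" ends
            break
    return int(lines[-1][:3]), lines


def _send(wfile, line):
    wfile.write((line + "\r\n").encode("ascii"))
    wfile.flush()


def probe_relay(sock, helo_name, sender, external_rcpt):
    """Run HELO / MAIL FROM / RCPT TO on a connected socket and classify the
    server. DATA is never sent, so no message is ever queued.

    verdict "rejected"     : 4xx/5xx before RCPT ("stage" says where; a DNSBL
                             hit answered at HELO lands here, as in the page)
            "relay-denied" : 5xx on RCPT TO a foreign domain (expected answer)
            "tempfail"     : 4xx on RCPT TO, e.g. greylisting; rerun later
            "open-relay"   : 2xx on RCPT TO a foreign domain
    """
    rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
    steps = [("banner", None), ("helo", "HELO " + helo_name),
             ("mail", "MAIL FROM:<%s>" % sender),
             ("rcpt", "RCPT TO:<%s>" % external_rcpt)]
    try:
        for stage, command in steps:
            if command is not None:
                _send(wfile, command)
            code, reply = _read_reply(rfile)
            result = {"stage": stage, "code": code, "reply": reply}
            if stage == "rcpt":
                result["verdict"] = ("open-relay" if 200 <= code < 300 else
                                     "tempfail" if code < 500 else "relay-denied")
                return result
            if code >= 400:
                result["verdict"] = "rejected"
                return result
    finally:
        try:
            _send(wfile, "QUIT")  # always leave the session cleanly
        except OSError:
            pass
        rfile.close()
        wfile.close()


def fake_mta(sock, replies):
    """Constructed stand-in for Sendmail, for offline checks only: sends a
    banner, answers each command with the next string in `replies`, then
    refuses anything further until QUIT."""
    rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
    pending = list(replies)

    def say(line):
        try:
            _send(wfile, line)
        except OSError:
            pass

    say("220 mx.example.invalid ESMTP (constructed fake, not a real MTA)")
    while True:
        command = rfile.readline()
        if not command:
            break
        if command.upper().startswith(b"QUIT"):
            say("221 2.0.0 mx.example.invalid closing connection")
            break
        say(pending.pop(0) if pending else "503 5.5.1 Command out of sequence")
    sock.close()


def probe_fake_mta(replies, external_rcpt="someone@elsewhere.invalid"):
    """Drive probe_relay against fake_mta over a socketpair (no network)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_mta, args=(server, replies), daemon=True)
    worker.start()
    try:
        return probe_relay(client, "probe.example.invalid",
                           "probe@example.invalid", external_rcpt)
    finally:
        client.close()
        worker.join(timeout=5)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: probe.py <your own MX host>
        with socket.create_connection((sys.argv[1], 25), timeout=30) as live:
            print(probe_relay(live, socket.getfqdn(), "probe@example.invalid",
                              "someone@elsewhere.invalid"))
    else:
        print(probe_fake_mta(["250 mx.example.invalid Hello", "250 2.1.0 Sender ok",
                              "550 5.7.1 Relaying denied. Proper authentication required."]))
```

Run it from the two vantage points the page uses (a DNSBL-listed access-provider address, then an unlisted one with DNSBL disabled) and expect `rejected` and `relay-denied` respectively; anything that comes back `open-relay` means the access map or the relay configuration needs fixing before the host is left on port 25.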



Find out which version of Sendmail you are running, 

  sendmail -d0.4 -bv root 

  telnet 25 

Ref. Other often asked questions about sendmail: 


Show the server (MTA) queue, 


Note. 'mailq' is equivalent to 'sendmail -bp' 

Note. '-v' for details on the mqueue filename 


List the client (mail submission) mqueue, 

  mailq -Ac 


To force the delivery of the server queue, 

  sendmail -q -v