This document is obsolete; see http://doc.nethence.com/ instead.

Setting up a Sendmail SMTP server with DNSBL / RBL, greylisting, ClamAV-milter, procmail and SASL on FreeBSD 8 

 

http://pbraun.nethence.com/unix/mail/sendmail.html 

http://pbraun.nethence.com/unix/mail/procmail.html 

http://pbraun.nethence.com/unix/mail/procmail-qsf.html 

http://pbraun.nethence.com/unix/mail/milter-greylist.html 

http://pbraun.nethence.com/unix/mail/milter_clamav-milter.html 

http://pbraun.nethence.com/unix/mail/dovecotv1_maildir.html 

 

Requirements 

Do not forget to register your SMTP host as an MX for the hosted domain in its DNS records, and also make sure it reverse-resolves. 

 

Make sure the hostname is a fully qualified domain name (hostname="mx.example.net" in /etc/rc.conf), otherwise you will have to deal with the "WHO AM I?" FAQ in cf/README. 

 

Configuring Sendmail 

Enable and start the daemon, 

ps aux | grep sendmail 

cd /etc/ 

echo sendmail_enable=YES >> rc.conf 

rc.d/sendmail restart 

ps aux | grep sendmail 

 

Generate the default configuration based on the FreeBSD template, 

cd /etc/mail/ 

echo $HOSTNAME 

sed '/^#/d; /^dnl/d; /^divert/d; /^$/d; /^VERSIONID/d;' freebsd.mc | tee $HOSTNAME.mc.dist > $HOSTNAME.mc 

vi $HOSTNAME.mc 

Remove the mailertable and virtusertable features if you do not need them. You should end up with something like this, 

OSTYPE(freebsd6) 

DOMAIN(generic) 

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access') 

FEATURE(blacklist_recipients) 

FEATURE(local_lmtp) 

define(`confCW_FILE', `-o /etc/mail/local-host-names') 

DAEMON_OPTIONS(`Name=IPv4, Family=inet') 

DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O') 

define(`confBIND_OPTS', `WorkAroundBrokenAAAA') 

define(`confNO_RCPT_ACTION', `add-to-undisclosed') 

define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy') 

define(`confMAX_MESSAGE_SIZE',`31457280')dnl 

MAILER(local) 

MAILER(smtp) 

Note. the maximum message size (http://hiredavidbank.com/prac-send.html) is set to 30MB here; change accordingly, e.g. 10485760 for 10MB. 

Configure the local host names and domains you need to receive messages for, 

cd /etc/mail/ 

cat >> local-host-names <<EOF9 

example.net 

bsd.example.net 

EOF9 

and apply, 

  make all install restart 

 

Configure aliases (at least for the 'root' and 'postmaster' accounts, possibly 'webmaster' and 'contact' too), 

  cd /etc/mail/ 

  cp aliases aliases.dist 

  vi aliases 

and apply, 

  newaliases 

 

Create some mail user, 

  pw useradd MAILUSER -g mail -s /sbin/nologin -m 

  passwd MAILUSER 

  chmod 700 /home/MAILUSER/ 

 

At this point you should be able to receive messages from the public; check in, 

  /var/mail/MAILUSER 

 

Refs. 

less /usr/src/contrib/sendmail/cf/README 

SMTP protocol: log of a telnet session: http://www.iprelax.fr/smtp/smtp_session.php 

Installing and Using procmail as the LDA for sendmail under FreeBSD: http://www.puresimplicity.net/~hemi/freebsd/procmail.html 

Sendmail m4 features (see local_procmail): http://www.sendmail.com/sm/open_source/docs/m4/features.html 

Saving in MAILDIR format with Sendmail: http://lists.freebsd.org/pipermail/freebsd-questions/2006-April/117851.html 

 

Enabling procmail 

Enable procmail by lmtp, 

  cp /usr/local/share/examples/procmail/local_procmail_lmtp.m4 /usr/share/sendmail/cf/feature/local_procmail_lmtp.m4 

In the .mc file, replace "local_lmtp" with "local_procmail_lmtp", 

dnl FEATURE(local_procmail) 

FEATURE(local_procmail_lmtp) 

Note. keep MAILER(local) as it is; MAILER(procmail) is not needed. 

and apply, 

  make all install restart 

 

Note. the alternative is the classic .forward trick for each mail user (not needed here, since procmail is wired in as the LDA in the Sendmail configuration itself), 

  #vi ~/.forward 

like, 

#"|IFS=' '&&p=/usr/local/bin/procmail&&test -f $p&&exec $p -f-||exit 75" 

 

See http://pbraun.nethence.com/unix/mail/procmail.html for further procmail configuration. 

 

Refs. 

Procmail: http://wiki.dreamhost.com/Procmail 

Mail Filtering with Procmail: http://userpages.umbc.edu/~ian/procmail.html 

Procmail FAQ: http://partmaps.org/era/procmail/mini-faq.html 

Mail Filtering with Procmail: http://www.cs.columbia.edu/crf/howto/procmail-howto.html 

 

Enabling DNSBL / RBL 

Simply add those to your <hostname>.mc, 

dnl hostkarma.junkemailfilter.com and spam.dnsbl.sorbs.net are too aggressive 

dnl apews may be too aggressive - http://www.anta.net/irt/apews.shtml 

FEATURE(`dnsbl',`l2.apews.org') 

FEATURE(`dnsbl',`b.barracudacentral.org') 

FEATURE(`dnsbl',`public.sarbl.org') 

FEATURE(`dnsbl',`dnsbl.sorbs.net') 

FEATURE(`dnsbl',`bl.spamcop.net') 

FEATURE(`dnsbl',`zen.spamhaus.org') 

 

dnl FEATURE(`dnsbl',`cbl.abuseat.org') 

dnl FEATURE(`dnsbl',`all.s5h.net') 

dnl FEATURE(`dnsbl',`all.spamrats.com') 

dnl FEATURE(`dnsbl',`bl.tiopan.com') 

dnl FEATURE(`dnsbl',`dnsbl-1.uceprotect.net') 

dnl FEATURE(`dnsbl',`dnsbl-2.uceprotect.net') 

dnl FEATURE(`dnsbl',`ubl.unsubscore.com') 

dnl FEATURE(`dnsbl',`free.v4bl.org') 

and apply, 

  make all install restart 

 

Other available blacklists, 

  psbl.surriel.com 

  list.dnswl.org (whitelist) 
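As an added example (not from the original page), here is the lookup that each FEATURE(`dnsbl') line makes Sendmail perform at connection time, done by hand from the shell, so you can see why a given client was rejected or try a zone before enabling it. It assumes host(1) and a working resolver for the live lookup; the zone names are the ones listed above and the address is the one from the Testing section.

```shell
#!/bin/sh
# Added example (not from the original page): do by hand what
# FEATURE(`dnsbl') does for each connection, i.e. reverse the IPv4
# octets and query <reversed>.<zone> for an A record.
# host(1) and a working resolver are only needed for the live lookups.

# Build the DNSBL query name for an IPv4 address in a given zone,
# e.g. 87.88.90.231 + zen.spamhaus.org -> 231.90.88.87.zen.spamhaus.org
dnsbl_query_name() {
    _ip=$1
    _zone=$2
    # split the four octets into $1..$4 and print them reversed
    set -- $(printf '%s' "$_ip" | tr '.' ' ')
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$_zone"
}

# Query one zone: print the answer and exit 0 if listed, exit 1 if not.
# The A record returned (127.0.0.x) tells which sub-list matched; the
# meaning of each value is documented by the zone operator.
dnsbl_lookup() {
    _name=$(dnsbl_query_name "$1" "$2")
    host -t a "$_name" 2>/dev/null | grep 'has address'
}

# Check an address against every zone given, the way Sendmail consults
# each FEATURE(`dnsbl') line in turn. Exit 0 when the address is clean.
dnsbl_check_all() {
    _ip=$1
    shift
    _hits=0
    for _zone in "$@"; do
        if _ans=$(dnsbl_lookup "$_ip" "$_zone"); then
            echo "$_ip listed at $_zone: $_ans"
            _hits=$((_hits + 1))
        fi
    done
    echo "$_hits hit(s) for $_ip"
    [ "$_hits" -eq 0 ]
}

# Example calls. RFC 5782 requires every DNSBL to list 127.0.0.2, which
# makes it a safe positive test address:
# dnsbl_check_all 127.0.0.2 zen.spamhaus.org bl.spamcop.net
# dnsbl_check_all 87.88.90.231 zen.spamhaus.org
```

Run it from the MTA itself: zen.spamhaus.org answers in the 127.255.255.x range when the query comes through a public resolver or over quota, and that is a refusal, not a listing. Also keep in mind that by default a DNS timeout lets the mail through (the lookup simply returns nothing); pass `t' as the third argument of FEATURE(`dnsbl') if you want a temporary failure in that case instead.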

 

Refs. 

Blacklists Compared: http://www.sdsc.edu/~jeff/spam/cbc.html 

DNSBL: Configuring Sendmail for DNS-Based Blacklisting: http://weldon.whipple.org/sendmail/dnsbl.html 

Using SORBS DNSBL with Sendmail.: http://www.sorbs.net/mailsystems/sendmail.shtml 

 

Enabling SASL authentication 

Recompile Sendmail with the Cyrus SASL library, 

echo $PACKAGESITE 

#http://ftp.nerim.net/FreeBSD/releases/amd64/8.4-RELEASE/packages/Latest/ 

pkg_add -r cyrus-sasl2 

cd /usr/local/lib/sasl2/ 

[ ! -f Sendmail.conf ] && echo 'pwcheck_method: saslauthd' > Sendmail.conf 

cat Sendmail.conf 

pkg_add -r cyrus-sasl-saslauthd 

echo 'saslauthd_enable="YES"' >> /etc/rc.conf 

service saslauthd start 

cat >> /etc/make.conf <<EOF9 

SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL 

SENDMAIL_LDFLAGS=-L/usr/local/lib 

SENDMAIL_LDADD=-lsasl2 

EOF9 

tail -3 /etc/make.conf 

#uname -r 

#cd /usr/src 

#grep RELEASE UPDATING 

cd /usr/src/lib/libsmutil 

make cleandir && make obj && make 

cd /usr/src/lib/libsm 

make cleandir && make obj && make 

cd /usr/src/usr.sbin/sendmail 

make cleandir && make obj && make && make install 

check that SASL is now compiled in, 

  sendmail -d0.1 < /dev/null | grep SASL 

 

Add the SASL options to the Sendmail configuration (see the SMTP AUTHENTICATION section of cf/README for the macros) and restart, 

cd /etc/mail 

vi `hostname`.mc 

make install restart 
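As an added example, not the page's own configuration, here are the .mc lines that turn AUTH on, following the macros described in the SMTP AUTHENTICATION section of cf/README. saslauthd only verifies clear-text passwords, so PLAIN and LOGIN are the mechanisms that work with the pwcheck_method configured above; mechanism lists, option letters and the TLS remark are stated as they apply to that setup.

```m4
dnl Added example (not from the original page): SASL/AUTH options.
dnl saslauthd (pwcheck_method: saslauthd) only checks clear-text
dnl passwords, so PLAIN and LOGIN are the usable mechanisms.
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
dnl Clients authenticated with these mechanisms are allowed to relay.
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
dnl A: honour the AUTH= parameter only when authentication succeeded.
define(`confAUTH_OPTIONS', `A')dnl
dnl Once STARTTLS is configured, use the line below instead, so that
dnl PLAIN/LOGIN are only offered inside an encrypted session:
dnl define(`confAUTH_OPTIONS', `A p')dnl
```

After `make install restart`, an EHLO on port 587 should show "250-AUTH PLAIN LOGIN" in the reply.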

 

You can now send outgoing mail with your mail account through the server on port 587 (submission), for now without TLS. Keep in mind that without TLS the SASL credentials cross the network in clear text, which is why the submission port is kept closed on the firewall further below. 

 

Note. I also had to get around the DNSBL blocking my own client IP (ISP customers' address ranges are listed), by exempting it in the access map, 

cd /etc/mail 

vi access 

# comment 

localhost RELAY 

resolv_of_your_IAP_IP RELAY 

make install restart 

Note. an entry with OK is enough to skip the DNSBL check for that client, whereas RELAY additionally lets it relay to any destination without authenticating; prefer OK unless you really need the relaying, and prefix the entry with the Connect: tag so it only matches the connecting client and never a sender address. 

 

Refs. 

27.9. SMTP Authentication: http://www.freebsd.org/doc/handbook/SMTP-Auth.html 

Configuring a FreeBSD client & server to use SASL Auth for client to identify itself to server to send outgoing mail to proxy smart mailer.: http://www.berklix.com/~jhs/txt/sasl.html 

 

Enabling Greylisting 

See http://pbraun.nethence.com/unix/mail/milter-greylist.html for greylisting. 

 

Enabling ClamAV-milter 

See http://pbraun.nethence.com/unix/mail/milter_clamav-milter.html for that. 

 

Cumulating input filters 

Once you have more than one input filter (say greylist and clmilter), set the order in which Sendmail calls them explicitly, for example, 

define(`confINPUT_MAIL_FILTERS', `greylist, clmilter') 
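As an added example, not code from the original page, the .mc block behind that ordering. The socket paths are assumptions (use the ones your milter-greylist and clamav-milter actually listen on). The F= flag decides what happens when a milter is down: with neither F=R nor F=T, Sendmail silently skips the filter and accepts the mail, which is fail-open for the anti-virus check; F=T returns a temporary failure instead, so the sender retries later.

```m4
dnl Added example (not from the original page): declare each milter,
dnl then fix the order in which Sendmail calls them.
dnl Socket paths are assumptions; use the ones your milters listen on.
dnl T= timeouts: S=send, R=receive, E=end-of-message acknowledgement.
dnl No F= flag on the greylister: if it is down, mail is simply not
dnl greylisted (fail open), which is acceptable for that filter.
INPUT_MAIL_FILTER(`greylist', `S=local:/var/milter-greylist/milter-greylist.sock, T=S:4m;R:4m;E:10m')dnl
dnl F=T on the virus scanner: if it is unreachable, tempfail the mail
dnl (fail closed) rather than deliver unscanned mail.
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav/clmilter.sock, F=T, T=S:4m;R:4m;E:10m')dnl
dnl Order of invocation: greylisting first, so that connections it
dnl turns away never reach the scanner.
define(`confINPUT_MAIL_FILTERS', `greylist, clmilter')dnl
```

After `make all install restart`, the resulting sendmail.cf should contain an `O InputMailFilters=greylist, clmilter` line; `grep InputMailFilters /etc/mail/sendmail.cf` confirms the order took effect.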

 

Further precautions 

You can also use the system TCP wrapper so that clients whose reverse DNS does not match their forward DNS (PARANOID in hosts_access(5)) are refused at connect time, before they can even talk SMTP. Note that hosts.allow is evaluated on a first-match basis and FreeBSD's default file starts with an "ALL : ALL : allow" line, so the deny line below must be placed above it (or that line removed) to have any effect; also expect to lose mail from legitimate but badly configured senders, 

vi /etc/hosts.allow 

# Block possibly spoofed requests to sendmail: 

sendmail : PARANOID : deny 

Refs. 

Limiting Access to TCP-wrapped Services with hosts.allow 

http://static.closedsrc.org/articles/dn-articles/hosts_allow.html 

 

And finally, on the firewall (I prefer ipfilter on NetBSD and FreeBSD) I only open port 25, not the submission port 587. 

 

Testing 

Make sure the machine resolves from the public network, 

  ping mx.example.net 

make sure it is recorded as MX for the hosted domain, 

  host -t mx example.net 

make sure it also reverse-resolves, 

  host X.X.X.X 

 

Check that the normal activity, namely receiving messages for example.net through non-blacklisted SMTP relays, actually works. 

 

Connect to the host with telnet on port 25 from an ISP customer IP (one that the DNSBLs list), 

telnet mx.example.net 25 

helo lala 

mail from:email@example.net 

should return, 

550 5.7.1 Rejected: 87.88.90.231 listed at zen.spamhaus.org 

 

Disable the DNSBL temporarily and check for open relaying from a remote IP that is not allowed to relay in the access file (comment the entry out temporarily and rebuild access.db if necessary), 

telnet mx.example.net 25 

helo lala 

mail from:email@example.net 

rcpt to:email@another-domain-non-hosted.net 

should return, 

550 5.7.1 email@another-domain-non-hosted.net... Relaying denied. Proper authentication required. 
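As an added example (not from the original page), the same relay test run from a script instead of a telnet session, with the verdict taken from the reply to RCPT TO so it can be repeated from cron after every configuration change. The live probe assumes nc(1) and network access; the transcripts embedded below are constructed, not captured from a real server, and the host and addresses are the ones used in the tests above.

```shell
#!/bin/sh
# Added example (not from the original page): run the relay test from a
# script and judge it from the reply to RCPT TO. smtp_relay_probe needs
# nc(1) and network access; smtp_reply and relay_verdict only parse a
# transcript, so they also work on a saved session.

# Drive the dialogue: $1 host, $2 port, $3 MAIL FROM, $4 RCPT TO.
# A pause before each command lets a non-pipelining server answer in turn.
smtp_relay_probe() {
    {
        sleep 2; printf 'HELO lala\r\n'
        sleep 2; printf 'MAIL FROM:<%s>\r\n' "$3"
        sleep 2; printf 'RCPT TO:<%s>\r\n' "$4"
        sleep 2; printf 'QUIT\r\n'
    } | nc -w 10 "$1" "$2"
}

# Print the Nth reply ($1) found in a transcript ($2): reply 1 is the
# greeting, then one reply per command sent. Only final "nnn " lines
# count; "nnn-" continuation lines of multi-line replies are skipped.
smtp_reply() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[0-9][0-9][0-9] / { if (++n == want) { sub(/\r$/, ""); print; exit } }
    '
}

# Verdict for the open-relay test: after HELO, MAIL FROM and RCPT TO the
# RCPT reply is the 4th one. 5xx means relaying was refused; 2xx means
# the server would relay for an unauthenticated client (open relay).
relay_verdict() {
    case "$(smtp_reply 4 "$1")" in
        5*) echo closed ;;
        2*) echo open ;;
        *)  echo unknown ;;
    esac
}

# Constructed transcripts (not captured from a real server) showing the
# two outcomes; the denial line is the one quoted in the text above.
SAMPLE_DENIED='220 mx.example.net ESMTP Sendmail
250 mx.example.net Hello lala [192.0.2.10], pleased to meet you
250 2.1.0 <email@example.net>... Sender ok
550 5.7.1 <email@another-domain-non-hosted.net>... Relaying denied. Proper authentication required.
221 2.0.0 mx.example.net closing connection'

SAMPLE_OPEN='220 mx.example.net ESMTP Sendmail
250 mx.example.net Hello lala [192.0.2.10], pleased to meet you
250 2.1.0 <email@example.net>... Sender ok
250 2.1.5 <email@another-domain-non-hosted.net>... Recipient ok
221 2.0.0 mx.example.net closing connection'

# Live run against your own MX (adjust host and addresses):
# relay_verdict "$(smtp_relay_probe mx.example.net 25 email@example.net email@another-domain-non-hosted.net)"
```

For the DNSBL test above, look at reply 3 instead (the one to MAIL FROM): `smtp_reply 3 "$transcript"` should start with "550 5.7.1 Rejected:" when the probing address is listed.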

 

Usage 

Find out which version of Sendmail you are running, 

  sendmail -d0.4 -bv root 

  telnet 127.0.0.1 25 

Ref. Other often asked questions about sendmail: http://www.sendmail.org/~ca/email/lfaq.html 

 

Show the server (MTA) queue, 

  mailq 

Note. 'mailq' is equivalent to 'sendmail -bp' 

Note. '-v' for details on the mqueue filename 

 

List the client (mail submission) mqueue, 

  mailq -Ac 

 

To force the delivery of the server queue, 

  sendmail -q -v