====== Sendmail relay via Submission howto ======

This document describes how to enable a Sendmail mailserver located within a private network to send mail to the public Internet.((For remote-mail //retrieval// use the [[http://www.fetchmail.info|//fetchmail//]] program. ))

Debian: 8.8 (Jessie)

sendmail: 8.14.4

===== 1. Introduction =====

==== 1.1 Reasons for having a mailserver within a private network ====

The main advantage of having a mailserver within a private network is that it is protected by the firewall of the Internet router and is therefore less exposed to attacks from the Internet. A mailserver within a private network can be used for many purposes:

  * Long-term mail storage (IMAP server)
  * Private mailing lists
  * Mail processing
  * Application support
  * System monitoring

==== 1.2 Help! My ISP has locked down port 25 (smtp) ====

When operating a mailserver within a private network you can get stuck while sending mail to the Internet, because your ISP has locked down port 25 (smtp). Many ISPs block outbound port 25 for residential accounts to prevent spamming, and this measure is very effective. One way around the block is to set up a VPN connection to an external network on the Internet. Another approach is to relay all mail from the private mailserver to a mailserver on the Internet using the Submission protocol (port 587). The Submission protocol is normally used by mail clients (MUA) to send messages to their mailserver (MTA).

In this howto we will modify the Sendmail "relay" mailer((Sendmail delivery agents are called //mailers//. Sendmail //mailers// are defined in "/etc/mail/sendmail.mc" (e.g. the local delivery agent is defined with: MAILER(`local')dnl). )) to use the Submission protocol instead of plain SMTP/ESMTP. The private mailserver will then act as a mail client, just like a MUA.

===== 2. Configuring the private mailserver for relaying using the Submission protocol =====

==== 2.1 Modifying the "relay" mailer to use port 587, esmtp ====

By default the Sendmail "relay" mailer sends messages using ESMTP or SMTP via port 25. We modify this to ESMTP((The Submission protocol is based on the ESMTP command set. )) via port 587 by setting the "RELAY_MAILER" and "RELAY_MAILER_ARGS" macros to their appropriate values.

sendmail.mc:
<code>
define(`RELAY_MAILER',`esmtp')dnl
define(`RELAY_MAILER_ARGS',`TCP $h 587')dnl
</code>

==== 2.2 SMTP client authentication ====

=== 2.2.1 Sendmail feature authinfo ===

The Submission protocol demands authentication. In order for this to work properly we have to configure Sendmail with the "authinfo" feature. The following line in "sendmail.mc" configures Sendmail with the "authinfo" feature, using "client-info.db" as the authentication database map:

<code>
FEATURE(`authinfo',`hash /etc/mail/auth/client-info.db')dnl
</code>

=== 2.2.2 Authinfo database creation ===

Since the client database contains sensitive information it is best located in a directory accessible to root only:

<code>
# cd /etc/mail
# mkdir auth
# chmod 700 auth
# cd auth
</code>

The database map is created from a text file which we will call "client-info". This file contains one "AuthInfo" line per remote mailserver, stating its FQDN((Fully Qualified Domain Name )) and authentication information:

<code>
AuthInfo:mailserver.somedom.com "U:root" "I:user_name" "P:password"
</code>

  * Legend of the client authentication file:
    * "U:" the authorization identity (user id)
    * "I:" the authentication identity (the login name at the remote mailserver)
    * "P:" the password

The Sendmail utility "makemap" creates the database from the text file "client-info":

<code>
# makemap hash client-info.db < client-info
</code>

Both "client-info" and the generated "client-info.db" hold the password in clear text, so they should be readable by root only as well.

=== 2.2.3 STARTTLS/SSL ===

If the PLAIN or LOGIN authentication mechanisms are used, a strong encryption layer (STARTTLS/SSL) should be active to prevent sniffing, because these mechanisms send the password unprotected over the connection.

sendmail.mc:
<code>
include(`/etc/mail/tls/starttls.m4')dnl
</code>

==== 2.3 Mail routing ====

If all non-local mail has to be relayed to a remote mailserver, a mail routing/forwarding mechanism has to be implemented in the Sendmail configuration.
Amongst the many routing/forwarding mechanisms in Sendmail, two are appropriate in this case:

  * Smart host definition
  * Mailertable feature

=== 2.3.1 Smart host ===

The //Smart host// definition is the simplest forwarding mechanism. It forwards all non-local mail to the defined //mailer:mailhost//.

sendmail.mc:
<code>
define(`SMART_HOST',`esmtp:mailhost.somedom.com')dnl
</code>

=== 2.3.2 Mailertable feature ===

More fine-grained control can be achieved using the mailertable feature.

sendmail.mc:
<code>
FEATURE(`mailertable')dnl
</code>

Example /etc/mail/mailertable:
<code>
.darknet.lan    esmtp:[mailhost.private.lan]
.lan            esmtp:[%1.lan]
.               relay:[relayhost.somedom.com]
</code>

  * The pattern on the left hand side (LHS) of the mailertable is matched against the host/domain part of the mail destination.
    * LHS entries beginning with a dot match anything ending with that domain name. Note: host/domain "darknet.lan" does //not// match entry ".darknet.lan"!
    * Matching is done in order of most-to-least qualified. So "foo.darknet.lan" matches entry ".darknet.lan", not ".lan".
    * LHS entry "." matches any host/domain destination.
  * The right hand side (RHS) is a "mailer:mailhost" pair.
    * The //host// part is passed as an argument to the specified mailer.
    * The [square brackets] turn off the DNS MX record lookup for the mailhost. The use of [square brackets] is advised to prevent MX loops.
    * The symbol "%1" may be used to interpolate the LHS wildcarded part of the host name. E.g. hosta.private.lan -> esmtp:hosta.private.lan

After creating/updating the "mailertable" file a new Berkeley DB file must be generated:((This action is included in the Debian "/etc/mail/Makefile". ))

<code>
# makemap hash /etc/mail/mailertable.db < /etc/mail/mailertable
</code>

==== 2.4 Masquerading as the relay server ====

The ".lan" domain is an unofficial DNS domain for private use only. Email addresses containing an unofficial DNS domain cannot be used on the public Internet. Therefore the private mailserver has to masquerade as an official DNS domain.

sendmail.mc:
<code>
MASQUERADE_AS(`somedom.com')dnl
FEATURE(`masquerade_envelope')dnl
</code>

===== 3. Putting it all together =====

==== 3.1 sendmail.mc ====

Excerpt from "/etc/mail/sendmail.mc":
<code>
..
..
dnl #
include(`/etc/mail/tls/starttls.m4')dnl
dnl #
dnl # Modify the relay mailer to use port 587, esmtp
dnl # (Submission is based on esmtp)
define(`RELAY_MAILER',`esmtp')dnl
define(`RELAY_MAILER_ARGS',`TCP $h 587')dnl
dnl #
dnl # We use the mailertable feature here
dnl # define(`SMART_HOST',`esmtp:mailhost.somedom.com')dnl
dnl #
FEATURE(`mailertable')dnl
dnl #
dnl # Masquerade as the relay domain
MASQUERADE_AS(`somedom.com')dnl
FEATURE(`masquerade_envelope')dnl
dnl #
dnl # Client authentication
FEATURE(`authinfo',`hash /etc/mail/auth/client-info.db')dnl
dnl #
dnl # FEATURE() definitions must precede MAILER() definitions
dnl #
dnl # Default Mailer setup
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl
dnl #
</code>

Notes:((M4 syntax: "dnl" discards the rest of the line, so "dnl # ..." lines are comments and a trailing "dnl" suppresses the empty output line; macro arguments are quoted with a leading backtick and a trailing apostrophe. ))

==== 3.2 Activate new configuration ====

Run the Makefile:
<code>
# cd /etc/mail
# make
Updating databases ...
Reading configuration from /etc/mail/sendmail.conf.
Validating configuration.
Creating /etc/mail/databases...
Updating Makefile ...
Reading configuration from /etc/mail/sendmail.conf.
Validating configuration.
Creating /etc/mail/Makefile...
Updating sendmail.cf ...
The following file(s) have changed:
  /etc/mail/sendmail.cf
** ** You should issue `/etc/init.d/sendmail reload` ** **
</code>

Reload sendmail:
<code>
# /etc/init.d/sendmail reload
[ ok ] Reloading Mail Transport Agent (MTA): sendmail.
</code>

===== 4. Troubleshooting =====

==== 4.1 Mail routing/forwarding ====

Test address routing/forwarding using Sendmail in address test mode:
<code>
$ /usr/sbin/sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
</code>

Use the "/parse" command to test an address.
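Before going into address test mode, the mailertable rules of section 2.3.2 can be checked offline with the following Python model. This is an added example, not part of the original howto or of Sendmail itself; it assumes the example mailertable above and RELAY_MAILER set to esmtp, and models only the lookup rules (most-to-least qualified keys, the leading-dot rule, the "." catch-all, %1 interpolation, [brackets]) plus the symbolic "relay" mailer, not Sendmail's full rulesets.

```python
# Added example (not from the howto): a Python model of the mailertable
# lookup rules of section 2.3.2, to check a table before using sendmail -bt.
# It models only the lookup itself, not Sendmail's rulesets.

# Constructed copy of the example /etc/mail/mailertable from the howto.
MAILERTABLE = """
.darknet.lan    esmtp:[mailhost.private.lan]
.lan            esmtp:[%1.lan]
.               relay:[relayhost.somedom.com]
"""
RELAY_MAILER = "esmtp"   # define(`RELAY_MAILER',`esmtp') in sendmail.mc

def parse_mailertable(text):
    """Return {LHS: RHS} from mailertable text, one pair per line."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            lhs, rhs = line.split(None, 1)
            table[lhs.lower()] = rhs.strip()
    return table

def lookup(table, host):
    """Most-to-least qualified: for a.b.c try "a.b.c", ".b.c", ".c", ".".
    Returns (RHS, %1); a bare "b.c" never matches the entry ".b.c"."""
    host = host.lower()
    labels = host.split(".")
    if host in table:                       # exact host entry
        return table[host], host
    for i in range(1, len(labels)):         # ".b.c", then ".c", ...
        key = "." + ".".join(labels[i:])
        if key in table:                    # %1 = the labels stripped off
            return table[key], ".".join(labels[:i])
    if "." in table:                        # catch-all entry
        return table["."], host
    return None, None

def route(table, address):
    """Return (mailer, host, mx_lookup) like the /parse triple, or None."""
    rhs, wildcard = lookup(table, address.rpartition("@")[2])
    if rhs is None:
        return None
    mailer, _, mailhost = rhs.partition(":")
    mailhost = mailhost.replace("%1", wildcard)
    mx_lookup = not (mailhost.startswith("[") and mailhost.endswith("]"))
    if not mx_lookup:
        mailhost = mailhost[1:-1]           # [brackets]: no MX record lookup
    if mailer == "relay":                   # symbolic relay mailer
        mailer = RELAY_MAILER
    return mailer, mailhost, mx_lookup
```

For foo@somedom.com the model returns mailer esmtp and host relayhost.somedom.com, the same triple that /parse reports for this configuration.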
Sendmail will parse the given address into the triple //mailer//, //host//, //user//:
<code>
> /parse foo@somedom.com
Cracked address = $g
Parsing envelope recipient address
canonify           input: foo @ somedom . com
Canonify2          input: foo < @ somedom . com >
Canonify2        returns: foo < @ somedom . com >
canonify         returns: foo < @ somedom . com >
parse              input: foo < @ somedom . com >
Parse0             input: foo < @ somedom . com >
Parse0           returns: foo < @ somedom . com >
Parse1             input: foo < @ somedom . com >
MailerToTriple     input: < esmtp : relayhost . somedom . com > foo < @ somedom . com >
MailerToTriple   returns: $# esmtp $@ relayhost . somedom . com $: foo < @ somedom . com >
Parse1           returns: $# esmtp $@ relayhost . somedom . com $: foo < @ somedom . com >
parse            returns: $# esmtp $@ relayhost . somedom . com $: foo < @ somedom . com >
2                  input: foo < @ somedom . com >
2                returns: foo < @ somedom . com >
EnvToSMTP          input: foo < @ somedom . com >
PseudoToReal       input: foo < @ somedom . com >
PseudoToReal     returns: foo < @ somedom . com >
MasqSMTP           input: foo < @ somedom . com >
MasqSMTP         returns: foo < @ somedom . com >
EnvToSMTP        returns: foo < @ somedom . com >
final              input: foo < @ somedom . com >
final            returns: foo @ somedom . com
mailer esmtp, host relayhost.somedom.com, user foo@somedom.com
>
> ^d
$
</code>

  * Close address test mode with //ctrl-d//

===== 5. Documentation =====

^ Doc item ^ Resource ^
| Message Submission Agent | [[https://en.wikipedia.org/wiki/Message_submission_agent|Wikipedia]] |
| SMTP Authentication | [[https://en.wikipedia.org/wiki/SMTP_Authentication|Wikipedia]] |
| O'Reilly Sendmail "Bat" book | Sendmail 4th edition, Nov. 2007, Bryan Costales, ISBN 978-0596510299 |
| Sendmail Installation and Operation Guide | sendmail-doc: /usr/share/doc/sendmail-doc/op/op.ps.gz |
| cf/README | sendmail-doc: /usr/share/doc/sendmail-doc/cf.README.gz |
| cf/README 8.12 html | http://www.sendmail.org/~ca/email/doc8.12/cf/m4/readme.html |
| Sendmail Config David Bank | http://hiredavidbank.com/prac-send.html |
| etutorials.org Sendmail 8.12 | http://etutorials.org/Server+Administration/Sendmail/ |
| Sendmail 3rd edition 8.12 | https://docstore.mik.ua/orelly/other/Sendmail_3rd/ |

----
Copyright (c) 2017 Tux4u.be - Author: Marjan Waldorp; sendmail-submission-relay.md.txt 2017-08-04