This document describes how to enable a Sendmail mailserver located within a private network to send mail to the public Internet.
Debian: 8.8 (Jessie)
sendmail: 8.14.4
The main advantage of having a mailserver within a private network is that it sits behind the firewall of the Internet router and is therefore less exposed to attacks from the Internet.
A mailserver within a private network can be used for many purposes:
When operating a mailserver within a private network you can get stuck sending mail to the Internet because your ISP has blocked outbound port 25 (smtp). Many ISPs block port 25 for residential accounts to prevent spamming, and the measure is very effective. One way around the block is to set up a VPN connection to an external network on the Internet.
Another approach is to relay all mail from the private mailserver to a mailserver on the Internet using the Submission protocol (port 587). The Submission protocol is normally used by mail clients (MUA) to send messages to their mailserver (MTA). In this howto we will modify the Sendmail "relay" mailer to use the Submission protocol instead of plain SMTP/ESMTP on port 25. Towards the relay host it then behaves like a mail client (MUA): it authenticates with a username and password and should protect the session with STARTTLS.
By default the Sendmail "relay" mailer sends messages using ESMTP or SMTP via port 25.
We change this to ESMTP via port 587 by setting the "RELAY_MAILER" and "RELAY_MAILER_ARGS" macros. "RELAY_MAILER_ARGS" ends up as the A= argument of the relay mailer (the Mrelay line) in the generated sendmail.cf, so only mail that is routed to that mailer leaves on port 587; keep this in mind when checking the routing with the address test mode at the end of this howto.
sendmail.mc:
```
define(`RELAY_MAILER',`esmtp')dnl
define(`RELAY_MAILER_ARGS',`TCP $h 587')dnl
```
The Submission protocol requires the client to authenticate before the server relays mail for it, so Sendmail has to present the credentials of an account at the relay host. This is what the "authinfo" feature does.
The following line in "sendmail.mc" configures Sendmail with the "authinfo" feature using "client-info.db" as authentication database map:
```
FEATURE(`authinfo',`hash /etc/mail/auth/client-info.db')dnl
```
Since the client database contains a plaintext password it is best kept in a directory accessible to root only. The files inside (the text source and the .db built from it) should be mode 600 as well; Sendmail reads the map as root, so nothing else needs access:
```
# cd /etc/mail
# mkdir auth
# chmod 700 auth
# cd auth
```
The database map is created from a text file which we will call "client-info". This file contains one "AuthInfo" line per remote mailserver. The key after "AuthInfo:" must be the FQDN (or the IP address) of the relay host Sendmail actually connects to, because that is what the lookup is keyed on. The quoted fields are "U:" the authorization id (the identity you ask to act as), "I:" the authentication id (the login name at the relay) and "P:" the password; an optional "M:" field (for example "M:PLAIN") restricts the SASL mechanisms the client may use. For most relay providers "U:" and "I:" are simply the same account name; only set them differently if the relay host explicitly allows you to authorize as another user:
```
AuthInfo:mailserver.somedom.com "U:root" "I:user_name" "P:password"
```
The Sendmail utility "makemap" creates the database from the text file "client-info":
```
# makemap hash client-info.db < client-info
```
If the PLAIN or LOGIN authentication mechanism is used, the password crosses the wire merely base64-encoded, so an encryption layer (STARTTLS) must be active before AUTH is sent to prevent sniffing. The sendmail.mc therefore includes a site-specific TLS configuration file; its contents are not shown on this page, but it has to carry the client-side TLS settings (at least the CA certificate location via confCACERT_PATH/confCACERT so that the relay host's certificate can be verified):
```
include(`/etc/mail/tls/starttls.m4')dnl
```
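The AuthInfo fields map directly onto the SASL exchange the relay mailer performs, and the following added example (Python, not part of this howto and not Sendmail code) shows why STARTTLS is non-negotiable with PLAIN or LOGIN. It parses a constructed client-info file in the format above, looks the credentials up by the relay host name or address the way the authinfo lookup is keyed, builds the AUTH PLAIN initial response as RFC 4616 specifies it (authorization id from "U:", authentication id from "I:", password from "P:", NUL-separated, base64) and the two AUTH LOGIN answers, and then recovers the password from those strings the way anyone sniffing an unencrypted port-587 session would. The host name, IP address, account name and password are made up, and the refusal to use PLAIN/LOGIN without TLS in `choose_mechanism` is this example's own check, not a Sendmail option.

```python
import base64
import shlex

# Constructed sample in the format of /etc/mail/auth/client-info.  The relay
# host, its address, the account name and the password are made up.
CLIENT_INFO = '''\
# key = host (or IP) the relay mailer connects to; U authz id, I authn id, P password, M mechanisms
AuthInfo:relayhost.somedom.com   "U:alice"  "I:alice"  "P:s3cret"  "M:PLAIN LOGIN"
AuthInfo:192.0.2.25              "U:alice"  "I:alice"  "P:s3cret"
'''


def parse_client_info(text):
    """Parse AuthInfo lines into {host_or_ip: {"U": ..., "I": ..., "P": ..., ...}}.

    Each line is 'AuthInfo:<host-or-ip>' followed by double-quoted
    "<letter>:<value>" fields.  The letters are those of cf/README:
    U authorization id, I authentication id, P password, R realm,
    M space-separated list of permitted mechanisms.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):      # makemap ignores comment lines too
            continue
        fields = shlex.split(line)                # honours the double quotes
        tag = fields[0]
        if not tag.startswith('AuthInfo:'):
            raise ValueError('not an AuthInfo line: ' + line)
        entry = {}
        for field in fields[1:]:
            key, sep, value = field.partition(':')
            if sep != ':' or key not in ('U', 'I', 'P', 'R', 'M'):
                raise ValueError('bad field %r in line %r' % (field, line))
            entry[key] = value
        entries[tag[len('AuthInfo:'):]] = entry
    return entries


def lookup_authinfo(entries, server_name, server_addr):
    """Credentials for the host the relay mailer is talking to.  The lookup is
    keyed on the server's name and its IP address, so the AuthInfo key has to
    be the relay host that is actually connected to, not an arbitrary label."""
    for key in (server_name, server_addr):
        if key in entries:
            return entries[key]
    return None


def sasl_plain_initial_response(entry):
    """AUTH PLAIN initial response (RFC 4616): base64(authzid NUL authcid NUL passwd)."""
    message = b'\0'.join(s.encode('utf-8') for s in (entry['U'], entry['I'], entry['P']))
    return base64.b64encode(message).decode('ascii')


def sasl_login_responses(entry):
    """AUTH LOGIN: the client answers the server's 'Username:' and 'Password:'
    prompts with the authentication id and the password, each base64-encoded."""
    return [base64.b64encode(entry['I'].encode('utf-8')).decode('ascii'),
            base64.b64encode(entry['P'].encode('utf-8')).decode('ascii')]


def recover_from_plain(response):
    """What a passive observer of an unencrypted session does with the PLAIN
    response: base64 is an encoding, not encryption, so one call returns the
    (authzid, authcid, password) triple in the clear."""
    authz, authc, password = base64.b64decode(response).split(b'\0')
    return authz.decode('utf-8'), authc.decode('utf-8'), password.decode('utf-8')


def choose_mechanism(entry, server_mechs, tls_active):
    """Pick a mechanism the server offered (its EHLO 'AUTH ...' line) that the
    entry's "M:" list permits; without "M:" any offered mechanism is allowed.
    Refusing PLAIN and LOGIN while the session is not protected by STARTTLS is
    this example's own safety check (an assumption), not a Sendmail option."""
    allowed = entry.get('M', ' '.join(server_mechs)).split()
    for mech in allowed:
        mech = mech.upper()
        if mech in server_mechs:
            if mech in ('PLAIN', 'LOGIN') and not tls_active:
                raise RuntimeError(mech + ' would send the password in the clear')
            return mech
    return None


if __name__ == '__main__':
    creds = lookup_authinfo(parse_client_info(CLIENT_INFO), 'relayhost.somedom.com', '192.0.2.25')
    response = sasl_plain_initial_response(creds)
    print('AUTH PLAIN', response)
    print('recovered from the wire:', recover_from_plain(response))
```

Before relying on the relay, confirm that it really offers STARTTLS and which mechanisms it advertises afterwards, for example with `openssl s_client -starttls smtp -connect relayhost.somedom.com:587` followed by `EHLO test`; if PLAIN or LOGIN is the only choice, the TLS include above is the only thing standing between the password and the network.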
If all non-local mail has to be relayed to a remote mailserver, a mail routing/forwarding mechanism has to be implemented in the Sendmail configuration.
Amongst the many routing/forwarding mechanisms in Sendmail two are appropriate in this case: the Smart host definition and the mailertable feature.
The Smart host definition is the simplest forwarding mechanism. It forwards all non-local mail to the defined mailer:mailhost pair.
sendmail.mc:
```
define(`SMART_HOST',`esmtp:mailhost.somedom.com')dnl
```
A more fine grained control can be achieved using the mailertable feature.
sendmail.mc:
```
FEATURE(`mailertable')dnl
```
Example /etc/mail/mailertable (key and value are separated by whitespace, usually a tab):
```
.darknet.lan    esmtp:[mailhost.private.lan]
.lan            esmtp:[%1.lan]
.               relay:[relayhost.somedom.com]
```
A key starting with a dot matches every host in that domain and the lone dot matches any domain not covered by another key; the most specific key wins, so mail for hosts under darknet.lan is handled by the first line and not by the second. In the value, %1 stands for the part of the recipient domain in front of the matched key (for user@pc1.lan it becomes pc1, so that mail goes straight to [pc1.lan]), and a host in square brackets is connected to directly, without an MX lookup.
After creating/updating the "mailertable" file a new Berkeley DB file must be generated:
```
# makemap hash /etc/mail/mailertable.db < /etc/mail/mailertable
```
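To see which entry a given recipient domain ends up at, the following added example (Python, not part of this howto and not Sendmail's own ruleset code) emulates the mailertable lookup order: the full domain first, then each dotted suffix from longest to shortest with %1 set to the labels in front of the match, and finally the "." key. It uses the three entries above plus one constructed exact-host line (gw.darknet.lan) to show that an exact key beats a dotted-domain key, and it reports whether the target was written in square brackets (direct connection, no MX lookup). Passing the whole domain as %1 for the "." key is this example's assumption; the page's "." entry does not use %1.

```python
# Constructed mailertable: the three entries from the page plus an exact-host
# line for gw.darknet.lan, added here to show that an exact key wins.
MAILERTABLE = """\
gw.darknet.lan  esmtp:gw.darknet.lan
.darknet.lan    esmtp:[mailhost.private.lan]
.lan            esmtp:[%1.lan]
.               relay:[relayhost.somedom.com]
"""


def parse_mailertable(text):
    """Return {key: (mailer, host)} from the whitespace-separated text file.
    Keys are folded to lower case, as makemap does by default."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, value = line.split(None, 1)
        mailer, sep, host = value.partition(':')
        if sep != ':':
            raise ValueError('value must be mailer:host, got %r' % value)
        table[key.lower()] = (mailer, host.strip())
    return table


def lookup_candidates(domain):
    """Keys tried for a recipient domain, most specific first, each paired with
    the value substituted for %1 (the labels in front of the matched key)."""
    labels = domain.split('.')
    candidates = [(domain, '')]                       # 1. exact host name
    for i in range(1, len(labels)):                   # 2. .suffix, longest first
        candidates.append(('.' + '.'.join(labels[i:]), '.'.join(labels[:i])))
    candidates.append(('.', domain))                  # 3. catch-all (assumed %1)
    return candidates


def route(table, domain):
    """Emulated routing decision for a recipient domain.

    Returns (mailer, host, skip_mx): skip_mx is True when the host was written
    in square brackets, which tells sendmail to connect to that host directly
    instead of looking up its MX records.  None means no entry matched and
    sendmail would fall through to its normal DNS-based delivery.
    """
    domain = domain.lower().rstrip('.')
    for key, prefix in lookup_candidates(domain):
        if key not in table:
            continue
        mailer, host = table[key]
        host = host.replace('%1', prefix)
        skip_mx = host.startswith('[') and host.endswith(']')
        if skip_mx:
            host = host[1:-1]
        return mailer, host, skip_mx
    return None


if __name__ == '__main__':
    table = parse_mailertable(MAILERTABLE)
    for domain in ('gw.darknet.lan', 'pc1.darknet.lan', 'box.lan', 'a.b.lan', 'somedom.com'):
        print('%-18s -> %s' % (domain, route(table, domain)))
```

The output line for somedom.com is the one to compare with the "/parse" result further down: the mailer named there decides which A= argument, and therefore which port, is used.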
The ".lan" domain is an unofficial DNS domain for private use only. Email addresses in such a domain cannot be used on the public Internet, and many relay hosts only accept envelope sender addresses that belong to the authenticated account's domain. Therefore the private mailserver has to masquerade as an official DNS domain: MASQUERADE_AS rewrites the sender addresses in the message headers, and the masquerade_envelope feature applies the same rewriting to the envelope sender that the relay host sees.
sendmail.mc:
```
MASQUERADE_AS(`somedom.com')dnl
FEATURE(`masquerade_envelope')dnl
```
Excerpt from "/etc/mail/sendmail.mc" (the SMART_HOST line is left commented out because the mailertable does the routing):
```
..
..
dnl #
include(`/etc/mail/tls/starttls.m4')dnl
dnl #
dnl # Modify the relay mailer to use port 587, esmtp
dnl # (Submission is based on esmtp)
define(`RELAY_MAILER',`esmtp')dnl
define(`RELAY_MAILER_ARGS',`TCP $h 587')dnl
dnl #
dnl # We use the mailertable feature here
dnl # define(`SMART_HOST',`esmtp:mailhost.somedom.com')dnl
dnl #
FEATURE(`mailertable')dnl
dnl #
dnl # Masquerade as the relay domain
MASQUERADE_AS(`somedom.com')dnl
FEATURE(`masquerade_envelope')dnl
dnl #
dnl # Client authentication
FEATURE(`authinfo',`hash /etc/mail/auth/client-info.db')dnl
dnl #
dnl # FEATURE() definitions must precede MAILER() definitions
dnl #
dnl # Default Mailer setup
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl
dnl #
```
Run the Makefile:
```
# cd /etc/mail
# make
Updating databases ...
Reading configuration from /etc/mail/sendmail.conf.
Validating configuration.
Creating /etc/mail/databases...
Updating Makefile ...
Reading configuration from /etc/mail/sendmail.conf.
Validating configuration.
Creating /etc/mail/Makefile...
Updating sendmail.cf ...
The following file(s) have changed:
  /etc/mail/sendmail.cf
 ** **
 ** You should issue `/etc/init.d/sendmail reload`
 ** **
```
Reload sendmail:
```
# /etc/init.d/sendmail reload
[ ok ] Reloading Mail Transport Agent (MTA): sendmail.
```
Test address routing/forwarding using Sendmail in address test mode:
```
$ /usr/sbin/sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
```
Use the "/parse" command to test an address. Sendmail will parse the given address into the triple mailer, host, user:
```
> /parse foo@somedom.com
Cracked address = $g
Parsing envelope recipient address
canonify           input: foo @ somedom . com
Canonify2          input: foo < @ somedom . com >
Canonify2        returns: foo < @ somedom . com >
canonify         returns: foo < @ somedom . com >
parse              input: foo < @ somedom . com >
Parse0             input: foo < @ somedom . com >
Parse0           returns: foo < @ somedom . com >
Parse1             input: foo < @ somedom . com >
MailerToTriple     input: < esmtp : relayhost . somedom . com > foo < @ somedom . com >
MailerToTriple   returns: $# esmtp $@ relayhost . somedom . com $: foo < @ somedom . com >
Parse1           returns: $# esmtp $@ relayhost . somedom . com $: foo < @ somedom . com >
parse            returns: $# esmtp $@ relayhost . somedom . com $: foo < @ somedom . com >
2                  input: foo < @ somedom . com >
2                returns: foo < @ somedom . com >
EnvToSMTP          input: foo < @ somedom . com >
PseudoToReal       input: foo < @ somedom . com >
PseudoToReal     returns: foo < @ somedom . com >
MasqSMTP           input: foo < @ somedom . com >
MasqSMTP         returns: foo < @ somedom . com >
EnvToSMTP        returns: foo < @ somedom . com >
final              input: foo < @ somedom . com >
final            returns: foo @ somedom . com
mailer esmtp, host relayhost.somedom.com, user foo@somedom.com
>
> ^d
$
```
The last line is the delivery decision. The port is decided by the A= argument of the mailer named there in the generated sendmail.cf, so check that this is the mailer whose A= line carries 587 (grep for A=TCP in /etc/mail/sendmail.cf); if it is not, the mail still leaves on port 25 and the ISP block will stop it.
Doc item | Resource
---|---
Message Submission Agent | Wikipedia
SMTP Authentication | Wikipedia
O'Reilly Sendmail "Bat" book | Sendmail, 4th edition, Nov. 2007, Bryan Costales, ISBN 978-0596510299
Sendmail Installation and Operation Guide | sendmail-doc: /usr/share/doc/sendmail-doc/op/op.ps.gz
cf/README | sendmail-doc: /usr/share/doc/sendmail-doc/cf.README.gz
cf/README 8.12 html | http://www.sendmail.org/~ca/email/doc8.12/cf/m4/readme.html
Sendmail Config David Bank | http://hiredavidbank.com/prac-send.html
etutorials.org Sendmail 8.12 | http://etutorials.org/Server+Administration/Sendmail/
Sendmail 3rd edition 8.12 | https://docstore.mik.ua/orelly/other/Sendmail_3rd/
Copyright © 2017 Tux4u.be - Author: Marjan Waldorp; sendmail-submission-relay.md.txt 2017-08-04