Sendmail relay via Submission howto

This document describes how to enable a Sendmail mailserver located within a private network to send mail to the public Internet. 1)

Debian: 8.8 (Jessie)
sendmail: 8.14.4

1. Introduction

1.1 Reasons for having a mailserver within a private network

The main advantage of having a mailserver within a private network is that it will be protected by the firewall of the Internet router. Therefore it will be less vulnerable to Internet attacks.

A mailserver within a private network can be used for many purposes:

  • Long-term mail storage (IMAP server)
  • Private mailing lists
  • Mail processing
  • Application support
  • System monitoring

1.2 Help! My ISP has locked down port 25 (smtp)

When operating a mailserver within a private network you can get stuck while sending mail to the Internet, because your ISP has locked down port 25 (smtp). Many ISPs lock down port 25 for residential accounts to prevent spamming, and this measure is very effective. One way to circumvent the port 25 block is to set up a VPN connection to an external network on the Internet.

Another approach is to relay all mail from the private mailserver to a mailserver on the Internet using the Submission protocol (port 587). The Submission protocol is normally used by mail clients (MUA) to send messages to their mailserver (MTA). In this howto we modify the Sendmail “relay” mailer 2) to use the Submission protocol instead of plain SMTP/ESMTP, so that Sendmail acts as a mail client, like a MUA.

2. Configuring the private mailserver for relaying using the Submission protocol

2.1 Modifying the "relay" mailer to use port 587, esmtp

By default the Sendmail “relay” mailer sends messages using ESMTP or SMTP via port 25.
We modify this to ESMTP 3) via port 587 by setting the “RELAY_MAILER” and “RELAY_MAILER_ARGS” macros to their appropriate values.

sendmail.mc:

define(`RELAY_MAILER',`esmtp')dnl
define(`RELAY_MAILER_ARGS',`TCP $h 587')dnl

2.2 SMTP client authentication

2.2.1 Sendmail feature authinfo

The Submission protocol demands authentication. In order for this to work properly we have to configure Sendmail with the “authinfo” feature.
The following line in the “sendmail.mc” configures Sendmail with the “authinfo” feature using “client-info.db” as authentication database map:

FEATURE(`authinfo',`hash /etc/mail/auth/client-info.db')dnl

2.2.2 Authinfo database creation

Since the client database contains sensitive information, it is best located in a directory accessible to root only:

# cd /etc/mail

# mkdir auth

# chmod 700 auth

# cd auth

The database map is created from a text file which we will call “client-info”. This file contains one “AuthInfo” line per remote mailserver stating its FQDN 4) and authentication information:

AuthInfo:mailserver.somedom.com "U:root" "I:user_name" "P:password"
  • Legend: see note 5)

The Sendmail utility “makemap” creates the database from the text file “client-info”:

# makemap hash client-info.db < client-info
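As an added example (not part of the original howto), the following Python script parses a “client-info” text file using the field tags from the legend in note 5 and reports entries that deserve attention before makemap turns the file into “client-info.db”: the hypothetical check assumes an entry needs a P: field plus at least one of U:/I:, flags hosts that allow the cleartext PLAIN/LOGIN mechanisms (which require STARTTLS, see 2.2.3), and verifies the mode of the auth directory. The sample file is constructed; the credentials are placeholders.

```python
import shlex

# Constructed sample of /etc/mail/auth/client-info (placeholder credentials).
CLIENT_INFO = """
# one AuthInfo line per remote mailserver
AuthInfo:mailserver.somedom.com "U:root" "I:user_name" "P:password"
AuthInfo:relayhost.somedom.com "U:root" "I:relayuser" "P:placeholder" "M:PLAIN LOGIN"
"""

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}   # only acceptable under STARTTLS (section 2.2.3)


def parse_client_info(text):
    """Return {fqdn: {tag: value}} for every AuthInfo line in the file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        prefix, _, fqdn = key.partition(":")
        if prefix != "AuthInfo" or not fqdn:
            raise ValueError(f"not an AuthInfo line: {line!r}")
        fields = {}
        for token in shlex.split(rest):          # shlex honours the double quotes
            tag, sep, value = token.partition(":")
            if not sep:
                raise ValueError(f"{fqdn}: field without tag: {token!r}")
            fields[tag] = value
        entries[fqdn] = fields
    return entries


def check_client_info(entries, dir_mode=0o700):
    """Return a list of findings; an empty list means nothing to fix.

    Assumptions of this check (not stated by the howto): an entry needs a
    password and at least one of U:/I:; dir_mode is the mode of /etc/mail/auth.
    """
    findings = []
    if dir_mode & 0o077:
        findings.append("auth directory is readable by group/others; use chmod 700")
    for fqdn, f in entries.items():
        if "P" not in f or not any(tag in f for tag in ("U", "I")):
            findings.append(f"{fqdn}: needs P: and at least one of U:/I:")
        cleartext = set(f.get("M", "").split()) & CLEARTEXT_MECHS
        if cleartext:
            findings.append(f"{fqdn}: allows {sorted(cleartext)}; STARTTLS must be active")
    return findings
```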

2.2.3 STARTTLS/SSL

If the PLAIN or LOGIN authentication mechanisms are used, a strong encryption layer (STARTTLS/SSL) should be active to prevent sniffing of the credentials.

sendmail.mc:

include(`/etc/mail/tls/starttls.m4')dnl

2.3 Mail routing

If all non-local mail has to be relayed to a remote mailserver, a mail routing/forwarding mechanism has to be implemented in the Sendmail configuration.
Amongst the many routing/forwarding mechanisms in Sendmail two of them are appropriate in this case:

  • Smart host definition
  • Mailertable feature

2.3.1 Smart host

The Smart host definition is the simplest forwarding mechanism. It forwards all non-local mail to the defined mailer:mailhost.

sendmail.mc:

define(`SMART_HOST',`esmtp:mailhost.somedom.com')dnl

2.3.2 Mailertable feature

Finer-grained control can be achieved using the mailertable feature.

sendmail.mc:

FEATURE(`mailertable')dnl

Example /etc/mail/mailertable:

.darknet.lan             esmtp:[mailhost.private.lan]
.lan                     esmtp:[%1.lan]
.                        relay:[relayhost.somedom.com]
  • The pattern on the left hand side (LHS) of the mailertable will be matched with the host/domain part of the mail destination.
    LHS entries beginning with a dot match anything ending with that domain name. Note: host/domain “darknet.lan” does not match entry “.darknet.lan”!
    Matching is done in order of most-to-least qualified. So “foo.darknet.lan” matches entry “.darknet.lan” not “.lan”.
    LHS entry “.” matches any host/domain destination.
  • The right hand side (RHS) is a “mailer:mailhost” pair.
    The host part will be passed as an argument to the specified mailer.
    The [square brackets] turn off the DNS MX record lookup for the mailhost. The use of [square brackets] is advised to prevent MX loops.
    Symbol “%1” may be used to interpolate the LHS wildcarded part of the host name. E.g. hosta.private.lan → esmtp:[hosta.private.lan]

After creating/updating the “mailertable” file a new Berkeley DB file must be generated: 6)

# makemap hash /etc/mail/mailertable.db < /etc/mail/mailertable
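As an added example (not part of the original howto), the following Python script models the mailertable lookup order described above (keys tried most-to-least qualified, leading-dot suffix match, “.” as catch-all, “%1” interpolation) so a routing table can be sanity-checked before it is compiled with makemap. It is a model of the rules as this howto states them; Sendmail's own cf rulesets remain the authority for the real behaviour.

```python
# The example /etc/mail/mailertable from this howto.
MAILERTABLE = """
.darknet.lan             esmtp:[mailhost.private.lan]
.lan                     esmtp:[%1.lan]
.                        relay:[relayhost.somedom.com]
"""


def parse_mailertable(text):
    """Return {lhs: (mailer, host)}, skipping blank and '#' comment lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lhs, rhs = line.split(None, 1)
        mailer, host = rhs.split(":", 1)
        table[lhs.lower()] = (mailer, host)
    return table


def lookup(domain, table):
    """Resolve the host/domain part of a destination to (mailer, host), or None."""
    labels = domain.lower().rstrip(".").split(".")
    # Keys tried for "host.sub.domain": "host.sub.domain", ".sub.domain", ".domain", "."
    # Note that "darknet.lan" therefore never tries ".darknet.lan".
    keys = [".".join(labels)]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(".")
    for key in keys:
        if key in table:
            mailer, host = table[key]
            # "%1" stands for the part of the name in front of the matched suffix.
            suffix = key.strip(".").split(".") if key.strip(".") else []
            wildcard = ".".join(labels[:len(labels) - len(suffix)])
            return mailer, host.replace("%1", wildcard)
    return None


if __name__ == "__main__":
    tbl = parse_mailertable(MAILERTABLE)
    for dest in ("foo.darknet.lan", "darknet.lan", "hosta.private.lan", "somedom.com"):
        print(dest, "->", lookup(dest, tbl))
```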

2.4 Masquerading as the relay server

The “.lan” domain is an unofficial DNS domain for private use only. Email addresses containing an unofficial DNS domain cannot be used on the public Internet. Therefore the private mailserver has to masquerade as an official DNS domain.

sendmail.mc:

MASQUERADE_AS(`somedom.com')dnl
FEATURE(`masquerade_envelope')dnl

3. Putting it all together

3.1 sendmail.mc

Excerpt from “/etc/mail/sendmail.mc”:

..
..
dnl #
include(`/etc/mail/tls/starttls.m4')dnl
dnl #
dnl # Modify the relay mailer to use port 587, esmtp
dnl # (Submission is based on esmtp)
define(`RELAY_MAILER',`esmtp')dnl
define(`RELAY_MAILER_ARGS',`TCP $h 587')dnl
dnl #
dnl # We use the mailertable feature here
dnl # define(`SMART_HOST',`esmtp:mailhost.somedom.com')dnl
dnl #
FEATURE(`mailertable')dnl
dnl #
dnl # Masquerade as the relay domain
MASQUERADE_AS(`somedom.com')dnl
FEATURE(`masquerade_envelope')dnl
dnl #
dnl # Client authentication
FEATURE(`authinfo',`hash /etc/mail/auth/client-info.db')dnl
dnl #
dnl # FEATURE() definitions must precede MAILER() definitions
dnl #
dnl # Default Mailer setup
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl
dnl #

Notes: 7)

3.2 Activate new configuration

Run the Makefile:

# cd /etc/mail

# make
Updating databases ...
Reading configuration from /etc/mail/sendmail.conf.
Validating configuration.
Creating /etc/mail/databases...
Updating Makefile ...
Reading configuration from /etc/mail/sendmail.conf.
Validating configuration.
Creating /etc/mail/Makefile...
Updating sendmail.cf ...
The following file(s) have changed:
  /etc/mail/sendmail.cf
** ** You should issue `/etc/init.d/sendmail reload` ** **

Reload sendmail:

# /etc/init.d/sendmail reload
[ ok ] Reloading Mail Transport Agent (MTA): sendmail.

4. Troubleshooting

4.1 Mail routing/forwarding

Test address routing/forwarding using Sendmail in address test mode:

$ /usr/sbin/sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>

Use the “/parse” command to test an address.
Sendmail will parse the given address into the triple: mailer, host, user

> /parse foo@somedom.com
Cracked address = $g
Parsing envelope recipient address
canonify           input: foo @ somedom . com
Canonify2          input: foo < @ somedom . com >
Canonify2        returns: foo < @ somedom . com >
canonify         returns: foo < @ somedom . com >
parse              input: foo < @ somedom . com >
Parse0             input: foo < @ somedom . com >
Parse0           returns: foo < @ somedom . com >
Parse1             input: foo < @ somedom . com >
MailerToTriple     input: < esmtp : relayhost . somedom . com > foo < @ somedom . com >
MailerToTriple   returns: $# esmtp $@ relayhost . somedom . com $: foo < @ somedom . com >
Parse1           returns: $# esmtp $@ relayhost . somedom . com $: foo < @ somedom . com >
parse            returns: $# esmtp $@ relayhost . somedom . com $: foo < @ somedom . com >
2                  input: foo < @ somedom . com >
2                returns: foo < @ somedom . com >
EnvToSMTP          input: foo < @ somedom . com >
PseudoToReal       input: foo < @ somedom . com >
PseudoToReal     returns: foo < @ somedom . com >
MasqSMTP           input: foo < @ somedom . com >
MasqSMTP         returns: foo < @ somedom . com >
EnvToSMTP        returns: foo < @ somedom . com >
final              input: foo < @ somedom . com >
final            returns: foo @ somedom . com
mailer esmtp, host relayhost.somedom.com, user foo@somedom.com
>
> ^d
$
  • Close address test mode with ctrl-d

5. Documentation

Doc item                                    Resource
Message Submission Agent                    Wikipedia
SMTP Authentication                         Wikipedia
O'Reilly Sendmail “Bat” book                Sendmail, 4th edition, Nov. 2007, Bryan Costales, ISBN 978-0596510299
Sendmail Installation and Operation Guide   sendmail-doc: /usr/share/doc/sendmail-doc/op/op.ps.gz
cf/README                                   sendmail-doc: /usr/share/doc/sendmail-doc/cf.README.gz
cf/README 8.12 html                         http://www.sendmail.org/~ca/email/doc8.12/cf/m4/readme.html
Sendmail Config                             David Bank, http://hiredavidbank.com/prac-send.html
etutorials.org Sendmail 8.12                http://etutorials.org/Server+Administration/Sendmail/
Sendmail 3rd edition 8.12                   https://docstore.mik.ua/orelly/other/Sendmail_3rd/

Copyright © 2017 Tux4u.be - Author: Marjan Waldorp; sendmail-submission-relay.md.txt 2017-08-04

1)
For remote-mail retrieval use the fetchmail program.
2)
Sendmail delivery agents are called mailers.
Sendmail mailers are defined in the “/etc/mail/sendmail.mc” (e.g. define local delivery agent: MAILER(`local')dnl).
3)
The Submission protocol is based on the ESMTP command set.
4)
Fully Qualified Domain Name
5)
Legend for the client authentication file:
  • Authinfo: must exactly match the FQDN of the server!
  • U: user (authorization) id
  • I: authentication id
  • P: password
  • R: realm
  • M: list of mechanisms delimited by spaces
6)
This action is included in the Debian “/etc/mail/Makefile”.
7)
M4 syntax:
  • dnl: m4 macro Delete through New Line. Use “dnl” for comment lines in m4 files, not “#”!
  • FEATURE() definitions must precede MAILER() definitions