10.10. Configuring the Sendmail E-mail Daemon

I use the Sendmail package to provide e-mail services. Sendmail is the definitive mail handler; in fact it is so popular that it is estimated that over 80% of e-mail passing over the Internet will be handled at one or both ends by it. It does just about anything and I couldn't imagine running an Internet server without it (another e-mail server package called Qmail seems to be quite popular as well -- but I haven't had a reason yet to give it a try).

To keep up with new features and bug-fixes, and most importantly, for reasons of security, it is probably a good idea to upgrade Sendmail from time to time. In addition, the very latest versions of Sendmail include powerful anti-spam features which can help prevent your mail server being abused by unauthorized users.

This section will discuss some of the things you should do if you wish to use Sendmail as an incoming e-mail server. This would be the likely scenario for server systems. If, instead, you have no need to use it for incoming mail and wish to only use it as an outgoing mail queue, you should ((need some info here)).

For this section, it is assumed that you are using the very latest version of Sendmail (8.9.3 at the time of this writing), and have it installed and running.

As packaged with the Red Hat distribution, Sendmail usually contains appropriate configuration information to operate correctly in the majority of server setups. Nonetheless, you may find it necessary to edit the ``/etc/sendmail.cf'' file and customize some settings as required. This, however, is beyond the scope of this document.

One thing I find helpful, however, is to make a couple of changes to the configuration file to thwart spammers. These include:

O PrivacyOptions=authwarnings
change to:
O PrivacyOptions=authwarnings,noexpn,novrfy

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
change to:
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b  NO UCE  C=xx L=xx

The first change prevents spammers from using the ``EXPN'' and ``VRFY'' commands in sendmail. I find that these commands are too often abused by unethical individuals. The second change modifies the banner which Sendmail displays upon receiving a connection. You should replace the ``xx'' in the ``C=xx L=xx'' entries with your country and location codes. For example, in my case, I would use ``C=CA L=ON'' for Ontario, Canada. (The latter change doesn't actually affect anything, but was recommended by folks in the news.admin.net-abuse.email newsgroup as a legal precaution.)
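The first change can be applied without retyping the option line. The following is an added example, not part of the original text: a filter that appends ``noexpn'' and ``novrfy'' to the active PrivacyOptions line, keeps the flags already present, and leaves commented-out lines alone. The function name and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example: make sure the active PrivacyOptions line of a sendmail.cf
# carries noexpn and novrfy, keeping whatever flags are already there.
# Reads the configuration on stdin and writes the result to stdout.
harden_privacy_options() {
    awk '
        # Only an active option line counts; "#O PrivacyOptions=..." is a comment.
        /^O[ \t]+PrivacyOptions[ \t]*=/ {
            eq = index($0, "=")
            head = substr($0, 1, eq)
            flags = substr($0, eq + 1)
            gsub(/[ \t]/, "", flags)
            n = split(flags, f, ",")
            out = ""
            split("", have)                  # reset the flag set for this line
            for (i = 1; i <= n; i++) {
                if (f[i] == "" || (f[i] in have)) { continue }
                have[f[i]] = 1
                out = (out == "" ? "" : out ",") f[i]
            }
            if (!("noexpn" in have)) { out = (out == "" ? "" : out ",") "noexpn" }
            if (!("novrfy" in have)) { out = (out == "" ? "" : out ",") "novrfy" }
            print head out
            next
        }
        { print }                            # every other line passes through
    '
}

# Constructed sample: a commented-out hardened line, the stock option line
# and the stock greeting line quoted in the text.
SAMPLE_CF='#O PrivacyOptions=authwarnings,noexpn,novrfy
O PrivacyOptions=authwarnings
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b'

printf '%s\n' "$SAMPLE_CF" | harden_privacy_options
```

Running the filter a second time over its own output changes nothing, so it is safe to re-run after an upgrade replaces the configuration file.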

Next, if your mail server will have a different host name than the actual machine it is running on, you can add one or more aliases in the ``/etc/sendmail.cw'' file. For example, if you have a system called "kirk.mydomain.name" which is set up as the mail exchanger for mydomain.name, but want incoming mail addressed in the format ``user@mydomain.name'' to be delivered to your users on "kirk", simply add this alias as follows:

mydomain.name

Finally, if you need to restrict a domain (or subdomain) from connecting to your sendmail service, you can edit the ``/etc/mail/access'' file and add the domain information as well as the type of restriction. For example:

some.domain             REJECT
hax0r.another.domain    550 Contact site administrator at (555) 555-1234.

The above examples would reject all e-mail connections from the ``some.domain'' site, as well as reject the specific machine name ``hax0r.another.domain'' with a descriptive message.

After making changes to this file, you will need to update the ``access.db'' file, and then restart sendmail as follows:

/usr/sbin/makemap hash /etc/mail/access.db < /etc/mail/access
/etc/rc.d/init.d/sendmail restart

Tip: If you are concerned with e-mail abuse, you can get some very helpful information from the "Mail Abuse Prevention System" (MAPS) project on dealing with such abuse; see the web pages at http://www.mail-abuse.org/

If you're using Sendmail version 8.9 or above, RBL support is already built in, but not enabled by default. To enable this support, add the following to your sendmail.mc file:

        FEATURE(rbl)

Then, reconfigure and restart the Sendmail daemon.

For more detailed information, including configuration instructions for other mail transport agents, see http://www.mail-abuse.org/rbl/usage.html.

Sometimes, a domain with which you wish to continue communicating may end up in the RBL list. Perhaps it is vital for you to communicate with certain users at the black-listed domain. In this case, Sendmail allows you to override the listing for these domains so that their e-mail is received. Simply edit the ``/etc/mail/access'' file in the manner described above with the appropriate domain information. For example:

blacklisted.domain      OK

Don't forget to rebuild your access.db file (described above)!
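Both the restrictions and the RBL overrides described above live in the same ``/etc/mail/access'' file, so a mistyped action or a domain listed twice is easy to miss. The following is an added example, not part of the original text: a check to run over the file before makemap. The function name and sample entries are constructed, and accepting only 4xx/5xx codes is this example's own choice.

```sh
#!/bin/sh
# Added example: lint access-map text (stdin) before handing it to makemap.
# Prints one finding per line; prints nothing when the file is clean.
lint_access() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            key = tolower($1)                # makemap folds keys to lower case by default
            action = toupper($2)
            if (NF < 2) {
                printf "line %d: \"%s\" has no action\n", NR, $1
            } else if (action ~ /^[45][0-9][0-9]$/) {
                if (NF < 3) {
                    printf "line %d: code %s has no message text\n", NR, action
                }
            } else if (action !~ /^(OK|REJECT|RELAY|DISCARD)$/) {
                printf "line %d: unknown action \"%s\"\n", NR, $2
            }
            # Without -r, makemap does not replace a key it has already stored,
            # so a later override of the same domain never reaches access.db.
            if (key in seen) {
                printf "line %d: \"%s\" repeats line %d, first entry wins\n", NR, key, seen[key]
            } else {
                seen[key] = NR
            }
        }
    '
}

# Constructed sample: the entries from the text plus two deliberate mistakes
# (an override that repeats an earlier key, and a misspelled action).
SAMPLE_ACCESS='# /etc/mail/access (constructed sample)
some.domain             REJECT
hax0r.another.domain    550 Contact site administrator at (555) 555-1234.
blacklisted.domain      REJECT
Blacklisted.Domain      OK
typo.domain             REJCT'

printf '%s\n' "$SAMPLE_ACCESS" | lint_access
```

On a live system, run it as ``lint_access < /etc/mail/access'' and rebuild access.db only when it prints nothing.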

If you do decide to subscribe to the RBL, it is probably a wise idea to inform your mail users, if applicable, so they can make other service arrangements if they disagree with your decision.

For more information on Sendmail, see the FAQ document located at http://www.sendmail.org/faq/.