Sendmail 2020

From Coolscript

Mailer installation 2020 at Telehouse. This server replaces the in-house mailer (10.0.3.5); its FQDN is test.anydomain.com.
The mailer supports the usual MTA (port 25) and IMAP (port 143) protocols. Optional encryption is available for IMAP (993/SSL/Normal password)
and SMTP submission (587/STARTTLS/Normal password).

APT Packages

Mail

apt-get install libmail-sendmail-perl sendmail sendmail-base sendmail-bin sendmail-cf sendmail-doc dnsutils mailutils libyaml-dev

Imap

apt-get install dovecot-imapd php-imap

SASL

apt-get install libauthen-sasl-perl libsasl2-2:amd64 libsasl2-modules:amd64 libsasl2-modules-db:amd64 sasl2-bin

SA

apt-get install spamass-milter spamassassin spamc

DKIM

apt-get install libdkim1d libmail-dkim-perl libopendkim11 opendkim opendkim-tools

DMARC

apt-get install libopendmarc2 opendmarc

Apache2

apt-get install apache2 libapache2-mod-php

Roundcube

apt-get install roundcube roundcube-core roundcube-mysql

MTA Configuration

Sendmail

  • /etc/mail/sendmail.mc
  • Authentication for MTA and IMAP: allow PLAIN, LOGIN, DIGEST-MD5 and CRAM-MD5
define(`confAUTH_MECHANISMS', `PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
  • /etc/mail/sendmail.mc
  • STARTTLS
include(`/etc/mail/tls/starttls.m4')dnl
  • /etc/mail/sendmail.mc
  • Spamassassin
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass/spamass.sock,T=S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, {auth_type}')dnl
define(`confMILTER_MACROS_ENVFROM',`{auth_type}, i')dnl
  • /etc/mail/sendmail.mc
  • Dkim
INPUT_MAIL_FILTER(`dkim-milter', `S=local:/var/run/opendkim/opendkim.sock,F=,T=C:10m;S:10m;R:20m;E:20m')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl
  • /etc/mail/sendmail.mc
  • Dmarc
INPUT_MAIL_FILTER(`milter-opendkim',`S=unix:/var/run/opendmarc/opendmarc.sock, F=, T=R:2m')dnl
  • /etc/mail/tls/starttls.m4
  • TLS (see also the Letsencrypt configuration further down)
define(`confCACERT',           `/etc/mail/tls/fullchain.pem')dnl   # <= EDIT
  • Full configuration /etc/mail/sendmail.mc
divert(-1)dnl
#-----------------------------------------------------------------------------
# $Sendmail: debproto.mc,v 8.15.2 2016-12-08 18:43:49 cowboy Exp $
#
# Copyright (c) 1998-2010 Richard Nelson.  All Rights Reserved.
#
# cf/debian/sendmail.mc.  Generated from sendmail.mc.in by configure.
#
# sendmail.mc prototype config file for building Sendmail 8.15.2
#
# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
#       file is customized to the version noted above.
#
# This file is used to configure Sendmail for use with Debian systems.
#
# If you modify this file, you will have to regenerate /etc/mail/sendmail.cf
# by running this file through the m4 preprocessor via one of the following:
#       * make   (or make -C /etc/mail)
#       * sendmailconfig
#       * m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# The first two options are preferred as they will also update other files
# that depend upon the contents of this file.
#
# The best documentation for this .mc file is:
# /usr/share/doc/sendmail-doc/cf.README.gz
#
#-----------------------------------------------------------------------------
divert(0)dnl
#
#   Copyright (c) 1998-2005 Richard Nelson.  All Rights Reserved.
#
#  This file is used to configure Sendmail for use with Debian systems.
#
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.15.2-8 2016-12-08 18:43:49 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
dnl #
dnl # General defines
dnl #
dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
dnl #   into this directory before writing files.
dnl #   If *all* your user accounts are under /home then use that
dnl #   instead - it will prevent any writes outside of /home !
dnl #   define(`confSAFE_FILE_ENV',             `')dnl
dnl #
dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
dnl # Remove `, Addr=' clauses to receive from any interface
dnl # If you want to support IPv6, switch the commented/uncommented lines
dnl #
FEATURE(`no_default_msa')dnl
FEATURE(virtusertable)dnl
dnl Allow IPv4
DAEMON_OPTIONS(`Port=submission, M=Ea, Name=MSA, Family=inet')dnl
DAEMON_OPTIONS(`Port=smtp,Name=MTA, Family=inet')dnl

dnl Set Masq and Domain
FEATURE(`masquerade_envelope')dnl
FEATURE(`limited_masquerade')dnl
define(`confDOMAIN_NAME',`anydomain.com')dnl



dnl #
dnl # Be somewhat anal in what we allow
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
dnl #
dnl # Define connection throttling and window length
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
dnl #
dnl # Features
dnl #
dnl # use /etc/mail/local-host-names
FEATURE(`use_cw_file')dnl
dnl #
dnl # The access db is the basis for most of sendmail's checking
FEATURE(`access_db', , `skip')dnl
dnl #
dnl # The greet_pause feature stops some automail bots - but check the
dnl # provided access db for details on excluding localhosts...
FEATURE(`greet_pause', `1000')dnl 1 second
dnl #
dnl # Delay_checks allows sender<->recipient checking
FEATURE(`delay_checks', `friend', `n')dnl
dnl #
dnl # If we get too many bad recipients, slow things down...
define(`confBAD_RCPT_THROTTLE',`3')dnl
dnl #
dnl # Stop connections that overflow our concurrent and time connection rates
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
 
dnl -------------------------------------------
dnl MK Authentication used for IMAP and Dovecot
dnl -------------------------------------------
define(`confAUTH_MECHANISMS', `PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
 
dnl MK Fix for error messages in debug log
define(`confCRL', `/etc/ssl/revoke/revoke.crl')dnl

dnl ---------------------------
dnl MK Add optional TLS Support
dnl ---------------------------
include(`/etc/mail/tls/starttls.m4')dnl
 
dnl ---------------------------------------------------------
dnl MK Tweaks
dnl #http://heretic.net-ronin.org/~ramune/sysadmin/sendmail/
dnl ---------------------------------------------------------
define(`confSUPER_SAFE',`true')dnl
define(`confMAX_MESSAGE_SIZE',`1000000')dnl MaxMessageSize in bytes; the option name has no plural "S"
define(`confMIN_FREE_BLOCKS',`3000')dnl
dnl #define(`confTIME_ZONE',`PST8PDT')dnl


dnl MK Procmail support
FEATURE(`local_procmail')dnl

dnl *******************
dnl MK Spamassassin
dnl Tip: run sa-update
dnl *******************
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass/spamass.sock,T=S:4m;R:4m;E:10m')dnl

dnl ****
dnl DKIM
dnl ****
INPUT_MAIL_FILTER(`dkim-milter', `S=local:/var/run/opendkim/opendkim.sock,F=,T=C:10m;S:10m;R:20m;E:20m')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl

dnl *****
dnl DMARC
dnl *****
INPUT_MAIL_FILTER(`milter-opendkim',`S=unix:/var/run/opendmarc/opendmarc.sock, F=, T=R:2m')dnl
 
dnl the below eliminates the message:
dnl Could not retrieve sendmail macro "b"!.  Please add it to confMILTER_MACROS_ENVRCPT for better spamassassin results
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, {auth_type}')dnl
define(`confMILTER_MACROS_ENVFROM',`{auth_type}, i')dnl
 
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl
 
dnl *********************************
dnl Debug logging on demand only
dnl define(`confLOG_LEVEL', `98')dnl
dnl *********************************
 
dnl *****************
dnl Supported Domains
dnl *****************
Cwanydomain.com

dnl Added because of the POODLE attack https://disablessl3.com/ - 28 Oct 2014
LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
O PrivacyOptions=goaway

Sasl

  • /etc/default/saslauthd
START=yes
MECHANISMS="pam"

Spamd

  • Add system user spamd
useradd -M spamd
usermod -L spamd
  • Modify defaults
  • /etc/default/spamassassin
OPTIONS="-q -x --max-children 10 -u spamd"

Roundcube

Fix to allow mail to be sent from Roundcube

  • /etc/roundcube/config.inc.php
$config['smtp_user'] = '';

Dovecot (Imap)

  • Needed for Jira or other clients that use unencrypted IMAP on port 143
  • /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no


DNS Configuration

  • /etc/hosts, the very first record
127.0.0.1       vm-mail01.anydomain.com vm-mail01
  • Check
# hostname -f
vm-mail01.anydomain.com

On the DNS Server

  • A Record
# host anydomain.com
anydomain.com has address x.y.z.x
  • PTR Record
# nslookup x.y.z.z
x.y.z.z.in-addr.arpa       name = anydomain.com.
  • MX Record
# host -t mx anydomain.com
anydomain.com mail is handled by 10 vm-mail01.anydomain.com.
  • TXT Record for DKIM
host -t txt mail._domainkey.anydomain.com
mail._domainkey.anydomain.com descriptive text "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlQCpa4N7LELD6fBhX5BLxUoIqlxkasJ52mMyJR7ZXVXe603mZQ4oUeVDXLPGUPfUxLmG5VPsCO8o5hrj18pwe+F3W9Y5wH8U9HzHNzLmj8HM9oYBKfMIryeUmzuC/uKVrtLGMih9zz67t7iis590U3eYfuLZFdAS6U9wbV1PeTwIDAQAB"
  • TXT Record for DMARC
host -t txt _dmarc.anydomain.com
_dmarc.anydomain.com descriptive text "v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400 ;rua=mailto:mailauth-reports@anydomain.com"
  • TXT Record for SPF
host -t txt anydomain.com
anydomain.com descriptive text "v=spf1 ip4:x.x.x.x/27 ip4:x.x.x.x/27 include:spf.nl2go.com -all"
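The three TXT records above are what a receiver evaluates before trusting mail from this host. The following script is an added example (not part of this wiki page) that parses the DKIM, DMARC and SPF records exactly as shown above, derives the RSA key size from the DKIM p= value with a minimal DER walk, and reports what an admin would want to fix before moving the DMARC policy beyond p=none. The sample records are copied from this page; the x.x.x.x placeholders are kept as written.

```python
import base64

# Sample records copied from the DNS section of this page (placeholders kept as written)
DKIM_TXT = ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlQCpa4N7LELD6fBhX5BLxUoIqlxkasJ52"
            "mMyJR7ZXVXe603mZQ4oUeVDXLPGUPfUxLmG5VPsCO8o5hrj18pwe+F3W9Y5wH8U9HzHNzLmj8HM9oYBKfMIr"
            "yeUmzuC/uKVrtLGMih9zz67t7iis590U3eYfuLZFdAS6U9wbV1PeTwIDAQAB")
DMARC_TXT = "v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400 ;rua=mailto:mailauth-reports@anydomain.com"
SPF_TXT = "v=spf1 ip4:x.x.x.x/27 ip4:x.x.x.x/27 include:spf.nl2go.com -all"


def parse_tags(txt):
    """Split a tag=value record (DKIM/DMARC syntax) into a dict, tolerating stray spaces."""
    out = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def _tlv(buf, i):
    """Minimal DER reader: return (tag, content, next_index) for the element at buf[i]."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n


def dkim_key_bits(dkim_txt):
    """Return the RSA modulus size of the SubjectPublicKeyInfo carried in the p= tag."""
    spki = base64.b64decode(parse_tags(dkim_txt)["p"])
    _, body, _ = _tlv(spki, 0)                     # SubjectPublicKeyInfo SEQUENCE
    _, _, i = _tlv(body, 0)                        # AlgorithmIdentifier (skipped)
    _, bits, _ = _tlv(body, i)                     # BIT STRING; first byte is the unused-bit count
    _, rsa, _ = _tlv(bits[1:], 0)                  # RSAPublicKey SEQUENCE
    _, modulus, _ = _tlv(rsa, 0)                   # modulus INTEGER (leading 0x00 pad is harmless)
    return int.from_bytes(modulus, "big").bit_length()


def audit(dkim_txt, dmarc_txt, spf_txt):
    """Return findings a mail admin would act on before tightening the DMARC policy."""
    findings = []
    bits = dkim_key_bits(dkim_txt)
    if bits < 2048:
        findings.append(f"DKIM key is {bits} bits; RFC 8301 recommends at least 2048")
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("p") == "none":
        findings.append("DMARC p=none is monitoring only; failing mail is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address, so no aggregate reports arrive")
    all_terms = [t for t in spf_txt.split() if t.endswith("all")]
    if not all_terms or all_terms[-1] not in ("-all", "~all"):
        findings.append("SPF does not end with -all or ~all; unlisted senders pass")
    return findings
```

Run `audit(DKIM_TXT, DMARC_TXT, SPF_TXT)` to get the list of findings; for the records on this page it flags the 1024-bit DKIM key and the p=none policy, while the SPF record already ends in a hard fail.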

DKIM

Configuration

  • /etc/opendkim.conf
Syslog           yes
SyslogSuccess    Yes
Mode             sv
SubDomains       yes
Socket           local:/var/run/opendkim/opendkim.sock
PidFile          /run/opendkim/opendkim.pid
OversignHeaders  From
TrustAnchorFile  /usr/share/dns/root.key
UserID           opendkim
LogWhy           yes
Nameservers      x.x.x.x
KeyTable         /etc/opendkim/KeyTable
SigningTable     /etc/opendkim/SigningTable
InternalHosts    /etc/opendkim/TrustedHosts
  • /etc/opendkim/KeyTable
mail._domainkey.anydomain.com anydomain.com:mail:/etc/opendkim/keys/anydomain.com/mail.private
  • /etc/opendkim/SigningTable
anydomain.com mail._domainkey.anydomain.com
  • /etc/opendkim/TrustedHosts
127.0.0.1
localhost
192.168.100.0/255.255.255.0

Letsencrypt

Two certificates are installed.
vm-mail01.anydomain.com is used for the MTA encryption for sendmail.
test.anydomain.com is used for Imap and Roundcube.

Renew:

/root/certbot-auto certonly --webroot --webroot-path /var/www/html --renew-by-default --text --agree-tos -d test.anydomain.com
/root/certbot-auto certonly --webroot --webroot-path /var/www/html --renew-by-default --text --agree-tos -d vm-mail01.anydomain.com

Copy certs for sendmail:

FQDN=vm-mail01.anydomain.com
cp /etc/letsencrypt/live/$FQDN/privkey.pem  /etc/mail/tls/sendmail-common.key
cp /etc/letsencrypt/live/$FQDN/cert.pem  /etc/mail/tls/sendmail-client.crt
cp /etc/letsencrypt/live/$FQDN/cert.pem  /etc/mail/tls/sendmail-server.crt
cp /etc/letsencrypt/live/$FQDN/fullchain.pem  /etc/mail/tls/fullchain.pem

Afterwards run sendmailconfig and restart Dovecot:

sendmailconfig
/etc/init.d/dovecot restart

Dovecot

  • /etc/dovecot/conf.d/10-auth.conf
ssl_cert = </etc/letsencrypt/live/mail.anydomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.anydomain.com/privkey.pem

Testing

  • Test cert for IMAP (port 993, implicit SSL)
openssl s_client -crlf -connect test.anydomain.com:993
  • Test cert for SMTP submission (port 587, STARTTLS)
openssl s_client -starttls smtp -connect test.anydomain.com:587
  • Test TLS
https://www.checktls.com/TestReceiver

Client Configuration Example

Thunderbird

IMAP

Jira

IMAP