Sendmail 2020
Jump to navigation
Jump to search
Mailer installation 2020 at Telehouse, this will replace the inhouse mailer (10.0.3.5), FQDN is test.anydomain.com.
The Mailer supports the typical MTA (Port 25) and IMAP (143) protocols. Optional encryption is available for IMAP (993/SSL/Normal password)
and SMTP (587/STARTTLS/Normal password).
APT Packages
apt-get install libmail-sendmail-perl sendmail sendmail-base sendmail-bin sendmail-cf sendmail-doc dnsutils mailutils libyaml-dev
Imap
apt-get install dovecot-imapd php-imap
SASL
apt-get install libauthen-sasl-perl libsasl2-2:amd64 libsasl2-modules:amd64 libsasl2-modules-db:amd64 sasl2-bin
SA
apt-get install spamass-milter spamassassin spamc
DKIM
apt-get install libdkim1d libmail-dkim-perl libopendkim11 opendkim opendkim-tools
DMARC
apt-get install libopendmarc2 opendmarc
Apache2
apt-get install apache2 libapache2-mod-php
Roundcube
apt-get install roundcube roundcube-core roundcube-mysql
MTA Configuration
Sendmail
- /etc/mail/sendmail.mc
- Authentication for MTA,IMAP, allow PLAIN, LOGIN DIGEST-MD5 and CRAM-MD5
define(`confAUTH_MECHANISMS', `PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
- /etc/mail/sendmail.mc
- STARTTLS
include(`/etc/mail/tls/starttls.m4')dnl
- /etc/mail/sendmail.mc
- Spamassassin
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass/spamass.sock,T=S:4m;R:4m;E:10m')dnl define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, {auth_type}')dnl define(`confMILTER_MACROS_ENVFROM',`{auth_type}, i')dnl
- /etc/mail/sendmail.mc
- Dkim
INPUT_MAIL_FILTER(`dkim-milter', `S=local:/var/run/opendkim/opendkim.sock,F=,T=C:10m;S:10m;R:20m;E:20m')dnl define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl
- /etc/mail/sendmail.mc
- Dmarc
INPUT_MAIL_FILTER(`milter-opendkim',`S=unix:/var/run/opendmarc/opendmarc.sock, F=, T=R:2m')
- /etc/mail/tls/starttls.m4
- TLS (see also the Letsencrypt configuration further down)
define(`confCACERT', `/etc/mail/tls/fullchain.pem')dnl # <= EDIT
- Full configuration /etc/mail/sendmail.mc
divert(-1)dnl #----------------------------------------------------------------------------- # $Sendmail: debproto.mc,v 8.15.2 2016-12-08 18:43:49 cowboy Exp $ # # Copyright (c) 1998-2010 Richard Nelson. All Rights Reserved. # # cf/debian/sendmail.mc. Generated from sendmail.mc.in by configure. # # sendmail.mc prototype config file for building Sendmail 8.15.2 # # Note: the .in file supports 8.7.6 - 9.0.0, but the generated # file is customized to the version noted above. # # This file is used to configure Sendmail for use with Debian systems. # # If you modify this file, you will have to regenerate /etc/mail/sendmail.cf # by running this file through the m4 preprocessor via one of the following: # * make (or make -C /etc/mail) # * sendmailconfig # * m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf # The first two options are preferred as they will also update other files # that depend upon the contents of this file. # # The best documentation for this .mc file is: # /usr/share/doc/sendmail-doc/cf.README.gz # #----------------------------------------------------------------------------- divert(0)dnl # # Copyright (c) 1998-2005 Richard Nelson. All Rights Reserved. # # This file is used to configure Sendmail for use with Debian systems. # define(`_USE_ETC_MAIL_')dnl include(`/usr/share/sendmail/cf/m4/cf.m4')dnl VERSIONID(`$Id: sendmail.mc, v 8.15.2-8 2016-12-08 18:43:49 cowboy Exp $') OSTYPE(`debian')dnl DOMAIN(`debian-mta')dnl dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS= dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE dnl # dnl # General defines dnl # dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot() dnl # into this directory before writing files. dnl # If *all* your user accounts are under /home then use that dnl # instead - it will prevent any writes outside of /home ! dnl # define(`confSAFE_FILE_ENV', `')dnl dnl # dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!! dnl # Remove `, Addr=' clauses to receive from any interface dnl # If you want to support IPv6, switch the commented/uncommentd lines dnl # FEATURE(`no_default_msa')dnl FEATURE(virtusertable)dnl dnl Allow IPv4 DAEMON_OPTIONS(`Port=submission, M=Ea, Name=MSA, Family=inet')dnl DAEMON_OPTIONS(`Port=smtp,Name=MTA, Family=inet')dnl dnl Set Masq and Domain FEATURE(`masquerade_envelope')dnl FEATURE(`limited_masquerade')dnl define(`confDOMAIN_NAME',`anydomain.com')dnl dnl # dnl # Be somewhat anal in what we allow define(`confPRIVACY_FLAGS',dnl `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl dnl # dnl # Define connection throttling and window length define(`confCONNECTION_RATE_THROTTLE', `15')dnl define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl dnl # dnl # Features dnl # dnl # use /etc/mail/local-host-names FEATURE(`use_cw_file')dnl dnl # dnl # The access db is the basis for most of sendmail's checking FEATURE(`access_db', , `skip')dnl dnl # dnl # The greet_pause feature stops some automail bots - but check the dnl # provided access db for details on excluding localhosts... FEATURE(`greet_pause', `1000')dnl 1 seconds dnl # dnl # Delay_checks allows sender<->recipient checking FEATURE(`delay_checks', `friend', `n')dnl dnl # dnl # If we get too many bad recipients, slow things down... define(`confBAD_RCPT_THROTTLE',`3')dnl dnl # dnl # Stop connections that overflow our concurrent and time connection rates FEATURE(`conncontrol', `nodelay', `terminate')dnl FEATURE(`ratecontrol', `nodelay', `terminate')dnl dnl ------------------------------------------- dnl MK Authentication used for IMAP and Dovecot dnl ------------------------------------------- define(`confAUTH_MECHANISMS', `PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl dnl MK Fix for error messages in debug log define(`confCRL', `/etc/ssl/revoke/revoke.crl') dnl --------------------------- dnl MK Add optional TLS Support dnl --------------------------- include(`/etc/mail/tls/starttls.m4')dnl dnl --------------------------------------------------------- dnl MK Tweaks dnl #http://heretic.net-ronin.org/~ramune/sysadmin/sendmail/ dnl --------------------------------------------------------- define(`confSUPER_SAFE',`true')dnl define(`confMAX_MESSAGES_SIZE',`1000000')dnl define(`confMIN_FREE_BLOCKS',`3000')dnl dnl #define(`confTIME_ZONE',`PST8PDT')dnl dnl MK Procmail support FEATURE(`local_procmail')dnl dnl ******************* dnl MK Spamassassin dnl Tipp: run sa-update dnl ******************* INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass/spamass.sock,T=S:4m;R:4m;E:10m')dnl dnl **** dnl DKIM dnl **** INPUT_MAIL_FILTER(`dkim-milter', `S=local:/var/run/opendkim/opendkim.sock,F=,T=C:10m;S:10m;R:20m;E:20m')dnl define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl dnl ***** dnl DMARC dnl ***** INPUT_MAIL_FILTER(`milter-opendkim',`S=unix:/var/run/opendmarc/opendmarc.sock, F=, T=R:2m') dnl the below eliminates the mesage: dnl Could not retrieve sendmail macro "b"!. Please add it to confMILTER_MACROS_ENVRCPT for better spamassassin results define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, {auth_type}')dnl define(`confMILTER_MACROS_ENVFROM',`{auth_type}, i')dnl MAILER_DEFINITIONS MAILER(`local')dnl MAILER(`smtp')dnl dnl ********************************* dnl Debug logging on demand only dnl define(`confLOG_LEVEL', `98')dnl dnl ********************************* dnl ***************** dnl Supported Domains dnl ***************** Cwanydomain.com dnl Add because of poodle attack https://disablessl3.com/ - 28Okt2014 LOCAL_CONFIG O CipherList=HIGH O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 O PrivacyOptions=goaway
Sasl
- /etc/default/saslauthd
START=yes MECHANISMS="pam"
Spamd
- Add systemuser spamd
useradd -M spamd usermod -L spamd
- Modify defaults
- /etc/default/spamassassin
OPTIONS="-q -x --max-children 10 -u spamd"
Roundcube
Fix to allow mailsent from roundcube
- /etc/roundcube/config.inc.php
$config['smtp_user'] = ''
Dovecot (Imap)
- Needed for Jira or Clients who wants to use unencrypted IMAP via port 143
- /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no
DNS Configuration
- /etc/hosts, the very first record
127.0.0.1 vm-mail01.anydomain.com vm-mail01
- Check
# hostname -f vm-mail01.anydomain.com
On the DNS Server
- A Record
# host anydomain.com anydomain.com has address x.y.z.x
- PTR Record
# nslookup x.y.z.z x.y.z.z.in-addr.arpa name = anydomain.com.
- MX Record
# host -t mx anydomain.com anydomain.com mail is handled by 10 vm-mail01.anydomain.com.
- TXT Record for DKIM
host -t txt mail._domainkey.anydomain.com mail._domainkey.anydomain.com descriptive text "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlQCpa4N7LELD6fBhX5BLxUoIqlxkasJ52mMyJR7ZXVXe603mZQ4oUeVDXLPGUPfUxLmG5VPsCO8o5hrj18pwe+F3W9Y5wH8U9HzHNzLmj8HM9oYBKfMIryeUmzuC/uKVrtLGMih9zz67t7iis590U3eYfuLZFdAS6U9wbV1PeTwIDAQAB"
- TXT Record for DMARC
host -t txt _dmarc.anydomain.com _anydomain.com descriptive text "v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400 ;rua=mailto:mailauth-reports@anydomain.com"
- TXT Record for SPF
host -t txt anydomain.com anydomain.com descriptive text "v=spf1 ip4:x.x.x.x/27 ip4:x.x.x.x/27 include:spf.nl2go.com -all"
DKIM
Configuration
- /etc/opendkim.conf
Syslog yes SyslogSuccess Yes Mode sv SubDomains yes Socket local:/var/run/opendkim/opendkim.sock PidFile /run/opendkim/opendkim.pid OversignHeaders From TrustAnchorFile /usr/share/dns/root.key UserID opendkim LogWhy yes Nameservers x.x.x.x KeyTable /etc/opendkim/KeyTable SigningTable /etc/opendkim/SigningTable InternalHosts /etc/opendkim/TrustedHosts
- /etc/opendkim/KeyTable
mail._domainkey.anydomain.com anydomain.com:mail:/etc/opendkim/keys/anydomain.com/mail.private
- /etc/opendkim/SigningTable
anydomain.com mail._domainkey.anydomain.com
- /etc/opendkim/TrustedHosts
127.0.0.1 localhost 192.168.100.0/255.255.255.0
Letsencrypt
Two sertficates are installed.
vm-mail01.anydomain.com is used for the MTA encryption for sendmail.
test.anydomain.com is used for Imap and Roundcube.
Renew:
/root/certbot-auto certonly --webroot --webroot-path /var/www/html --renew-by-default --text --agree-tos -d test.anydomain.com /root/certbot-auto certonly --webroot --webroot-path /var/www/html --renew-by-default --text --agree-tos -d vm-mail01.anydomain.com
Copy certs for sendmail:
FQDN=vm-mail01.anydomain.com cp /etc/letsencrypt/live/$FQDN/privkey.pem /etc/mail/tls/sendmail-common.key cp /etc/letsencrypt/live/$FQDN/cert.pem /etc/mail/tls/sendmail-client.crt cp /etc/letsencrypt/live/$FQDN/cert.pem /etc/mail/tls/sendmail-server.crt cp /etc/letsencrypt/live/$FQDN/fullchain.pem /etc/mail/tls/fullchain.pem
Run Sendmailconfig and dovecot after:
sendmailconfig /etc/init.d/dovecot restart
Dovecot
- /etc/dovecot/conf.d/10-auth.conf
ssl_cert = </etc/letsencrypt/live/mail.anydomain.com/fullchain.pem ssl_key = </etc/letsencrypt/live/mail.anydomain.com/privkey.pem
Testing
- Test cert for sasl
openssl s_client -crlf -connect test.anydomain.com:993
- Test cert for imap
openssl s_client -starttls smtp -connect test.anydomain.com:587
- Test TLS
https://www.checktls.com/TestReceiver
- Dkim
- http://dkimvalidator.com/
- Other web sites
- https://esmtp.email/tools/mta-sts/?#
- https://starttls-everywhere.org
- https://luxsci.com/smtp-tls-checker
- http://multirbl.valli.org/
- https://intodns.com/mailtower.de
- https://mxtoolbox.com/
- https://dmarcly.com/tools/