Sendmail - from the source

This document describes installing Sendmail to make use of some of its neater features, to be a little more secure (we will run Sendmail under a non-root id, and with TLS), to support SMTP AUTH, and so we have a better understanding of Sendmail itself. Please note that we assume you have already installed Procmail, SASL and OpenSSL.

Since early in the 8.11.x series, Sendmail's milter interface has been greatly improved and enhanced. We are going to build Sendmail with its libmilter feature turned on, because the milter interface is the preferred method of enhancing and extending Sendmail: it can be used to "hook" anti-spam, anti-virus and many other features into the Sendmail daemon without patching it. If you're interested, please see www.milter.org for the latest developments in milter features.

Please note that on some distros, you will need to replace every 'sh ./Build' with 'sh ./Build -c' below.

  1. Download the latest source archive from www.sendmail.org and extract it
  2. Create Sendmail's needed directories, and ensure their proper permissions/ownerships
  3. Add our new user and group for Sendmail to run as
  4. Ensure ownership of needed directories
  5. Configure Sendmail to use the libmilter interface and TLS
  6. Build and install libmilter
  7. Build the sendmail daemon
  8. (If following the Sendmail Anti-SPAM instructions, stop here)
  9. Now we need to configure and build the dreaded CF files
  10. Build and install the supporting tools (from the top of the source tree)
    • cd ../..
    • sh Build && sh Build install
  11. Final configuration
    • cd /etc
    • ln -sf mail/aliases
    • ln -sf mail/sendmail.cf
    • Configure local-host-names file
      • hostname -f > /etc/mail/local-host-names
    • Configure access file
      • echo -e "127.0.0.1\tOK" > /etc/mail/access
      • echo -e "ClientRate:127.0.0.1\t0\nClientRate:\t10" >> /etc/mail/access
      • echo -e "ClientConn:127.0.0.1\t0\nClientConn:\t10" >> /etc/mail/access
      • echo -e "GreetPause:localhost\t0" >> /etc/mail/access
      • makemap -v hash /etc/mail/access < /etc/mail/access
    • Configure virtuser file
      • touch /etc/mail/virtusertable
      • makemap -v hash /etc/mail/virtusertable < /etc/mail/virtusertable
    • Configure mailertable
      • echo "aol.com your.isp.mail.server" > /etc/mail/mailertable
      • makemap -v hash /etc/mail/mailertable < /etc/mail/mailertable
      • (replace your.isp.mail.server with whatever mail server your ISP told you to use for outbound mail)
      • this is needed to get around AOL blocking mail from us 'home' users
    • create /etc/mail/aliases
      • touch /etc/mail/aliases
    • Rebuild your aliases file
      • newaliases
    • Setup smrsh
      • mkdir /etc/smrsh
      • mkdir /var/adm /usr/adm
      • ln -sf /etc/smrsh /var/adm/sm.bin
      • ln -sf /etc/smrsh /usr/adm/sm.bin
    • Configure SASL for Sendmail
      • mkdir /etc/sasl2
      • echo "pwcheck_method: saslauthd" > /etc/sasl2/Sendmail.conf
      • echo "mech_list: login plain" >> /etc/sasl2/Sendmail.conf
      • (LOGIN and PLAIN send the password in the clear; include 'p' in confAUTH_OPTIONS in your .mc so Sendmail only offers them once STARTTLS is active)
    • Create your certificates for TLS
      • mkdir /etc/mail/certs
      • cd /etc/mail/certs
      • (the openssl commands write into the current directory; without this cd the files land in /etc, where sendmail.cf will not find them)
      • openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365
      • (a private CA; you are prompted for a passphrase that protects cakey.pem)
      • openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 365
      • (a self-signed server certificate; key and cert go into the same file, unencrypted, so the daemon can read it at startup without a passphrase)
      • openssl x509 -noout -text -in sendmail.pem
      • chmod 600 cakey.pem sendmail.pem
      • (both files hold private keys; nothing but root needs to read them)
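The final-configuration steps above are easy to get subtly wrong (files written to the wrong directory, a world-readable key, an access entry that turns the box into an open relay). The script below is an added example, not part of the original page: it stages the access file and the TLS material under a base directory of your choosing and checks both before they go live. Assumptions that are not in the page: the server certificate is signed by the local CA instead of being a second self-signed cert, the certificate CN is taken from `hostname -f` unless a host is passed, the CA key is left unencrypted so the script can run unattended, and nothing is written outside the base directory.

```shell
#!/bin/sh
# Added example (not from the original page): stage the access map source and
# the TLS key/cert material under ROOT (default /etc/mail) and check them.
# Assumptions not in the page: CA-signed server cert, CN from `hostname -f`
# unless a host is given, unencrypted CA key, nothing written outside ROOT.
set -e

# Write the access file with the same entries as the page.
write_access() {
    root="$1"
    printf '127.0.0.1\tOK\n' > "$root/access"
    printf 'ClientRate:127.0.0.1\t0\nClientRate:\t10\n' >> "$root/access"
    printf 'ClientConn:127.0.0.1\t0\nClientConn:\t10\n' >> "$root/access"
    printf 'GreetPause:localhost\t0\n' >> "$root/access"
}

# Refuse an access file that is malformed or would make the host an open
# relay: OK/RELAY on an empty key (bare "To:"/"Connect:") or a one-octet net.
lint_access() {
    awk -F'\t' '
        /^[[:space:]]*$/ || /^#/ { next }
        NF != 2 { printf "malformed: %s\n", $0; bad = 1; next }
        $2 ~ /^(OK|RELAY)$/ {
            key = $1; sub(/^(Connect|To|From):/, "", key)
            if (key == "" || key ~ /^[0-9]+\.?$/) {
                printf "open relay risk: %s\n", $0; bad = 1
            }
        }
        END { exit bad }' "$1"
}

# Private CA plus a CA-signed server key+cert. sendmail.pem carries key and
# cert together, as on the page, so confSERVER_CERT and confSERVER_KEY can
# both point at it; private files are created under umask 077.
make_tls_certs() {
    certdir="$1/certs"; host="${2:-$(hostname -f)}"
    mkdir -p "$certdir"
    ( cd "$certdir" && umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -keyout cakey.pem -out cacert.pem -subj "/CN=$host mail CA" 2>/dev/null
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout sendmail.key -out sendmail.csr -subj "/CN=$host" 2>/dev/null
      openssl x509 -req -in sendmail.csr -CA cacert.pem -CAkey cakey.pem \
          -CAcreateserial -days 365 -out sendmail.crt 2>/dev/null
      cat sendmail.key sendmail.crt > sendmail.pem
      rm -f sendmail.key sendmail.csr
      chmod 644 cacert.pem sendmail.crt )
}

# Exit 0 only if the server cert chains to the CA, its key matches, and the
# private files are not group/world readable.
check_tls_certs() {
    certdir="$1/certs"
    openssl verify -CAfile "$certdir/cacert.pem" "$certdir/sendmail.crt" >/dev/null 2>&1 || return 1
    c=$(openssl x509 -noout -modulus -in "$certdir/sendmail.pem")
    k=$(openssl rsa -noout -modulus -in "$certdir/sendmail.pem" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ] || return 1
    for f in cakey.pem sendmail.pem; do
        [ "$(ls -l "$certdir/$f" | cut -c5-10)" = "------" ] || return 1
    done
}

# setup_all ROOT [host]: stage, lint and verify; run makemap afterwards as
# the page shows.
setup_all() {
    write_access "$1"
    lint_access "$1/access"
    make_tls_certs "$1" "$2"
    check_tls_certs "$1"
}

if [ $# -gt 0 ]; then setup_all "$@"; fi
```

Rehearse it against a scratch directory first (`sh stage.sh /tmp/mailtest mail.example.org`), inspect the files, and only then run it with /etc/mail. The lint is deliberately narrow: it catches the two classic mistakes (a key with no address and a single-octet network) rather than trying to understand every access map feature.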

Ensure that saslauthd is started with '-a shadow' if you're going to make use of the SMTP AUTH feature.

Decide whether your machine is going to accept incoming mail from other systems, or whether it is only going to send outbound mail. If you need incoming mail on this machine, edit your sendmail startup script (usually somewhere under /etc/rc.d) and change it to something like:

  • #!/bin/sh
    
    # -bd: listen on port 25 as the MTA; -q5m: run the main queue every 5 minutes
    SENDMAIL_ARGS="-bd -q5m"
    
    case "$1" in
        start)
    	# discard queue files that have sat for more than 7 days
    	find /var/spool/mqueue/ /var/spool/clientmqueue/ -maxdepth 1 -type f -mtime +7 -exec rm {} \;
    
    	echo "Starting Sendmail `grep ^DZ /etc/sendmail.cf|cut -c3-`"
    	/usr/sbin/sendmail $SENDMAIL_ARGS
    
    	# persistent queue runner for the client (MSP) queue; submit.cf sets the user it runs as
    	echo "Starting Sendmail Queue Runner"
    	/usr/sbin/sendmail -Ac -qp1m
    
    	# /bin/sh has no '&>' redirection, so send both streams to /dev/null explicitly
    	/bin/chmod 640 /var/run/sendmail.pid >/dev/null 2>&1
    
    	;;
        stop)
    	echo "Shutting down Sendmail"
    	# killproc is the helper from the distribution's init-script functions;
    	# use 'killall -TERM sendmail' if your distribution does not provide it
    	killproc -TERM /usr/sbin/sendmail
    
    	;;
        reload)
    	$0 stop
    	$0 start
    	;;
        *)
    	echo "Usage: $0 {start|stop|reload}"
    	exit 1
    esac
    
    exit 0
          
If you don't need incoming mail, edit your sendmail startup script to something like this:
  • #!/bin/sh
    
    # no -bd: nothing listens on port 25; the queue is still run every 5 minutes
    SENDMAIL_ARGS="-q5m"
    
    case "$1" in
        start)
    
    	# discard queue files that have sat for more than 7 days
    	find /var/spool/mqueue/ /var/spool/clientmqueue/ -maxdepth 1 -type f -mtime +7 -exec rm {} \;
    
    	echo "Starting Sendmail `grep ^DZ /etc/sendmail.cf|cut -c3-`"
    	/usr/sbin/sendmail $SENDMAIL_ARGS
    
    	# /bin/sh has no '&>' redirection, so send both streams to /dev/null explicitly
    	/bin/chmod 640 /var/run/sendmail.pid >/dev/null 2>&1
    
    	;;
        stop)
    	echo "Shutting down Sendmail"
    	# killproc is the helper from the distribution's init-script functions;
    	# use 'killall -TERM sendmail' if your distribution does not provide it
    	killproc -TERM /usr/sbin/sendmail
    
    	;;
        reload)
    	$0 stop
    	$0 start
    	;;
        *)
    	echo "Usage: $0 {start|stop|reload}"
    	exit 1
    esac
    
    exit 0
          

This will prevent sendmail from starting up as a listening daemon; it still runs the queue, so mail generated locally is delivered.

Once Sendmail is up and running, check your system logs for something like:

  • sendmail[7333]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
You may see 'verify=FAIL' (or anything other than 'OK'). This is normal for mail from other systems: 'verify=NO' means the peer presented no certificate at all, and 'verify=FAIL' means it presented one that Sendmail could not chain back to a CA it trusts. Neither affects encryption. As long as the cipher and bits fields carry values like the above, TLS is being used.
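Reading those STARTTLS lines by eye does not scale once the daemon has been up for a while. The function below is an added example, not part of the original page: it pulls the version, verify, cipher and bits fields out of each STARTTLS log record and flags sessions that negotiated a legacy protocol, fewer than 128 bits, or an export/NULL/RC4/single-DES/MD5 cipher. The log lines it is fed are constructed for the example; the host names, PIDs and addresses in them are made up.

```shell
#!/bin/sh
# Added example (not from the original page): audit sendmail STARTTLS log
# records for weak negotiated parameters. Reads log lines on stdin, prints
# one OK/WEAK line per TLS session plus a summary, exits 1 if any were weak.
tls_audit() {
    awk '
    /STARTTLS=(server|client)/ {
        # split on spaces and commas: "key=value" tokens fall out directly
        n = split($0, f, /[ ,]+/)
        ver = ""; cipher = ""; verify = ""; relay = ""; bits = 0
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^version=/) ver = substr(f[i], 9)
            if (f[i] ~ /^cipher=/)  cipher = substr(f[i], 8)
            if (f[i] ~ /^verify=/)  verify = substr(f[i], 8)
            if (f[i] ~ /^relay=/)   relay = substr(f[i], 7)
            # bits=40/128 means 40 effective bits from a 128-bit cipher
            if (f[i] ~ /^bits=/) { split(substr(f[i], 6), b, "/"); bits = b[1] + 0 }
        }
        reason = ""
        # "TLSv1/SSLv3" is how older builds label TLSv1; only bare SSLv2/SSLv3 is legacy
        if (ver == "SSLv2" || ver == "SSLv3") reason = reason "legacy-version "
        if (bits < 128) reason = reason "weak-bits "
        if (cipher == "" || cipher ~ /NULL|EXP|RC4|DES-CBC-SHA|MD5/) reason = reason "weak-cipher "
        total++
        if (reason != "") {
            weak++
            printf "WEAK relay=%s version=%s cipher=%s bits=%d verify=%s [%s]\n", relay, ver, cipher, bits, verify, reason
        } else {
            printf "OK   relay=%s version=%s cipher=%s bits=%d verify=%s\n", relay, ver, cipher, bits, verify
        }
    }
    END { printf "%d of %d TLS sessions weak\n", weak + 0, total + 0; exit (weak > 0) }'
}

# Constructed sample log (not real traffic): two acceptable sessions, two
# weak ones, and one non-TLS line that must be ignored.
sample_log() {
    cat <<'EOF'
Jan 10 12:00:01 mail sendmail[7333]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jan 10 12:00:02 mail sendmail[7340]: STARTTLS=client, relay=mx.example.net., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Jan 10 12:00:03 mail sendmail[7345]: STARTTLS=server, relay=[203.0.113.9], version=TLSv1/SSLv3, verify=NO, cipher=EXP-RC4-MD5, bits=40/128
Jan 10 12:00:04 mail sendmail[7348]: STARTTLS=server, relay=[198.51.100.7], version=SSLv3, verify=FAIL, cipher=DES-CBC-SHA, bits=56/56
Jan 10 12:00:05 mail sendmail[7350]: k0AH05x7007350: from=<user@example.org>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.5]
EOF
}

# Usage against a live system: tls_audit < /var/log/maillog
if [ "${1:-}" = "demo" ]; then sample_log | tls_audit; fi
```

Run `sh tls_audit.sh demo` to see the report for the constructed sample; in daily use pipe the real log in and alert on a non-zero exit. The check keys on the negotiated values rather than on the verify field because, as the text above explains, verify=NO or FAIL is routine for peer MTAs and says nothing about the strength of the session.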

Enjoy!

© Douglas Hunley (doug at linux-sxs.org)
