Sendmail

Jan 20, 2014
3 min read
May 31, 2023 18:15 EEST

Using RBL blacklists

Add to your /etc/mail/.mc the following lines:

FEATURE(blacklist_recipients)
FEATURE(delay_checks)
FEATURE(dnsbl, `sbl-xbl.spamhaus.org', `Rejected mail from $&{client_addr} - see http://www.spamhaus.org/')dnl
FEATURE(dnsbl, `relays.ordb.org', `Rejected mail from $&{client_addr} - see http://ordb.org/')dnl
FEATURE(dnsbl, `list.dsbl.org', `Rejected mail from $&{client_addr} - see http://dsbl.org/')dnl
FEATURE(dnsbl, `china.blackholes.us',`550 Mail from $&{client_addr} rejected - see http://china.blackholes.us/')
FEATURE(dnsbl, `cn-kr.blackholes.us',`550 Mail from $&{client_addr} rejected - see http://cn-kr.blackholes.us/')
FEATURE(dnsbl, `korea.blackholes.us',`550 Mail from $&{client_addr} rejected - see http://korea.blackholes.us/')
FEATURE(dnsbl, `comcast.blackholes.us',`550 Mail from $&{client_addr} rejected - see http://comcast.blackholes.us/')
FEATURE(dnsbl, `wanadoo-fr.blackholes.us',`550 Mail from $&{client_addr} rejected - see http://wanadoo-fr.blackholes.us/')

Install the config:

cd /etc/mail
make
make install
make restart

Installing spamassassin and clamav

Install the two ports with milter-support:

cd /usr/ports/mail/p5-Mail-SpamAssassin/
make install clean
cd /usr/ports/security/clamav
make install clean
cd /usr/ports/mail/spamass-milter
make install clean

Enable the deamons in /etc/rc.conf:

  -  enable spamd
spamd_enable="YES"
  - spamd_flags="-u spamd -a -c -d -r ${spamd_pidfile}"

  -  enable spamassmilter
spamass_milter_enable="YES"
spamass_milter_flags="-f -m -r 7 -p ${spamass_milter_socket} -- -u spamd"

  -  enable clamav (virus scanner)
clamav_freshclam_enable="YES"
clamav_clamd_enable="YES"
clamav_milter_enable="YES"

Configuration for spamassassin can be found under /usr/local/etc/mail/spamassassin/local.cf.

To Configure sendmail add the following lines to the /etc/mail/.mc file:

INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,F=, T=S:4m;R:4m')dnl

define(`confINPUT_MAIL_FILTERS', `clmilter,spamassassin')

Now start the deamons:

/usr/local/etc/rc.d/clamav-freshclam start
/usr/local/etc/rc.d/clamav-clamd start
chown clamav /var/log/clamav/clamd.log
/usr/local/etc/rc.d/clamav-milter start
/usr/local/etc/rc.d/sa-spamd start
/usr/local/etc/rc.d/spamass-milter.sh start

Compile the config files, install them and restart sendmail with:

cd /etc/mail
make
make install
make restart

Check the configfiles for errors.

Installing SPF

Check if sendmail has milter support:

sendmail -d0.8 < /dev/null

 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2
                SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG```

Search for the key MILTER.

At first install the milter:

/usr/ports/mail/sid-milter
make
make install
make clean

To enable the SPF milter edit /etc/rc.conf:

  -  enable SPF milter
miltersid_enable="YES"
miltersid_socket="local:/var/run/sid-filter"
miltersid_pid="/var/run/sid-filter.pid"
miltersid_flags="-r 0 -t -h"

Start the milter with:

/usr/local/etc/rc.d/milter-sid start

Installing Greylisting

Enable SPF support by editing /etc/make.conf:

  -  with SPF support
WITH_LIBSPF2="YES"

cd /usr/ports/mail/milter-greylist
make
make install
cd /usr/local/etc/mail
cp greylist.conf.sample greylist.conf

Edit the file greylist.conf to your needs, insert as last line:

acl greylist default
geoipdb "/usr/local/share/GeoIP/GeoIP.dat"

To start the milter insert into /etc/rc.conf:

miltergreylist_enable="YES"

Start it with:

/usr/local/etc/rc.d/milter-greylist.sh start

To check logging:

tail -f /var/log/maillog

Edit the sendmail .mc file:

INPUT_MAIL_FILTER(`greylist', `S=local:/var/milter-greylist/milter-greylist.sock')
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')
define(`confMILTER_MACROS_CONNECT', confMILTER_MACROS_CONNECT`, {daemon_port}')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
define(`confMILTER_MACROS_ENVRCPT', `{greylist}')

define(`confINPUT_MAIL_FILTERS', `greylist')

SSL Key

Create a CA:

- Edit /etc/ssl/openssl.cfn -> default_days    = 10950
- Edit /etc/ssl/openssl.cfn -> default_bits    = 4096
- Generate CAcertificate
-> /usr/src/crypto/openssl/apps/CA.pl -newca
cp demoCA/cacert.pem .
- Edit /etc/ssl/openssl.cfn -> default_days    = 365

Create a key:

/usr/src/crypto/openssl/apps/CA.pl -newreq

Remove passphrase from key:

openssl rsa -in newkey.pem -out key.pem

Sign key:

/usr/src/crypto/openssl/apps/CA.pl -sign

Set permissions:

chmod 0600 *

Sendmail:

define(`confCACERT_PATH',`/etc/mail/certs')
define(`confCACERT',`/etc/mail/certs/cacert.pem')
define(`confSERVER_CERT',`/etc/mail/certs/newcert.pem')
define(`confSERVER_KEY',`/etc/mail/certs/key.pem')
define(`confCLIENT_CERT',`/etc/mail/certs/newcert.pem')
define(`confCLIENT_KEY',`/etc/mail/certs/key.pem')

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl


> Add client CERTS to me
/etc/mail/certs
C=FileName_of_CA_Certificate
ln -s $C `openssl x509 -noout -hash < $C`.0

Renew Certificate

Make sure demoCA/index.txt.attr has the content:

unique_subject = no

Renew the certificate then with:

cd /etc/mail/certs/
/usr/src/crypto/openssl/apps/CA.pl -sign
cd /etc/mail
make restart

Backup MX

To configure a server as a backup MX we must create a second MX entry in the zone file which points to the backup mx with a higher number.

Then create an entry in mailertable on the backup machine:

domain  smtp:mail.domain

Now edit the access:

To:domain RELAY

Related Posts