Modifying the sendmail.mc file for internal servers....
Listed below are the changes to a default RH 9 /etc/mail/sendmail.mc file required to operate a mail server behind a corectly configured Sendmail gateway server. These intranet servers can send mail to local users, users on the gateway server, and external Internet addresses. Why would you want to do this? There are many applications that utilize mail (sendmail) to send status information and data to you or other users. Some examples of such handy software include cron, apinger, and logwatch. However, you may not want to expose these internal machines to the outside world. The following details will allow you to use your gateway server as a relay.
Again, this is a specialized application of Sendmail. For a more general application, see our other page.
We will assume that your firewall will not let outsiders touch these internal servers on port 25. As such, several of the lock-down and anti-spam measures that were implemented on the gateway server will not be emplemented here.
You are NOT done once you change the .mc file. There are other changes that need to be done to the server.
Anything not listed for change/add/delete here should work fine with the default settings. I do NOT know if this will work for any other installation (e.g. Red Hat 7.2 or Mandrake). This worked with the default sendmail RPM shipped with RH 9 (and subsequent sendmail updates). I gleaned some parts of this from several sources but one of your best resources is the published Red Hat documentation.RTFM. Red Hat has excellent manuals and you will find most of this stuff there.
Some hearty souls may chose to edit the sendmail.cf file directly however I do not see the need for this. The whole idea of the sendmail.mc file is to make the configuration file manageable and to generate the .cf file. When I dove into this, I read as much as I could, including the vaunted O'Reilly Bat Book. Everything I read said to stick with the macros (m4 and mc) and let them generate the .cf. I've played with both files from time to time and find the .mc to be much more manageable for my pea-brain. The sendmail.mc file is 145 lines, the sendmail.cf file is 1800 lines. You figure it out....
You will need to run make -C /etc/mail as root to generate the sendmail.cf file from the sendmail.mc macro after you are finished making these changes. You will also need to do a /sbin/service sendmail restart as root once you have made the new sendmail.cf file. More on this below.
Please let me know if you see any errors or omissions in this document. Also, note that I am well aware I am not saving the world here.
Comment out: Place a dnl or a dnl # in front of the line in the macro file. This will cause the m4 compiler to ignore that line.
Uncomment: Remove the dnl or dnl # in front of the line in the macro file. There may also be changes after you uncomment.
Add: New lines that should be added just like they are shown.
Replace: Replace the existing line (which will be shown) with the new line.
Notes: These are listed in roughly the order they appear in the sendmail.mc file, not by importance. I suggest you read through them all and sort out the ones you need. Don't change the order of things too much as the compiler can get picky if too many things are defined out of order. Also, they insist on using forward-single-quotes (`) which are a pain if you don't notice them. It is best to copy existing lines and modify them so you don't mix up the forward and standard quotes.
Modify the actual sendmal.mc file
1. The most important change you need to make is this first step. You must comment out the following line:
This will allow sendmail to make connections with machines other than the localhost. Duh. The reason for having this line included (turned on) by default will be left as an exercise for the reader.
2. Comment out the following line:
You don't need this. Leave it if you like.
3. Comment out the following line:
FEATURE(`local_procmail,`', `procmail -t -Y -a $h -d $u')dnl
You don't need procmail for the simple stuff. Leave it or modify it if you like.
4. Comment out the following line:
Leave it or modify it if you like.
5. Comment out the following line:
If this line is NOT commented out, you will open yourself up to more spam as sendmail will not do one of its basic checks on the incoming MTA.
6. Another key change is to set up your gateway machine as your "null client". This is done by the following add:
FEATURE(`nullclient',`[192.168.100.1]')dnl (assuming your SMTP gateway machine is 192.168.100.1)
This will forward mail to your other machine which will interface to the outside world and local users. You will need to have your access file set up correctly on your gateway machine to allow relaying from this internal sendmail machine.
7. Replace the following line and modify it as required.
This causes all sent mail to appear to come from eexamplee.net.
8. Replace the following line and modify it as required.
Note this is identical to the previous line except without the single quotes. Don't know about this one.
9. Uncomment the following:
This is similar to the previous masquerade statement except in also masquerades the entire envelope.
10. Replace and modify the following:
This defines the domain name to masquerade.
11. Comment out the following line:
12. Comment out the following line:
Other changes beyond sendmail.mc
The next step is to modify the ancillary files to let sendmail do its thing.
Setting up the access file
The /etc/mail/access file allows you to block access to the mail server based on host names and IP addresses. You can use this to create blacklists and whitelists although they can be a bit hard to maintain as they are static. There are some lines you need to have in here even if you don't explicitly list anything else. The required lines are the localhost and the hostname.
hostname.eexamplee.net RELAY localhost RELAY 127.0.0.1 RELAY 192.168.5 RELAY 192.168.100 RELAY
Setting up the local-host-names file
The /etc/mail/local-host-names file defines the aliases for the local machine. You want to put all the names in here that will be used by sendmail to define the host.
# local-host-names - include all aliases for your machine here.
Pretty self explanatory.
Modifying the aliases file
The /etc/aliases file contains the mail aliases for the server. It is important that some of these be here to be compliant with RFCs. Usually you will only need to edit the last line.
# Person who should get root's mail
You may want to add some other lines for something like spamtrap: or any other aliases.
Now we will make sure everything is prepped and ready to use by sendmail. Execute the following commands as root:
/usr/bin/newalises This activates the changes you made to the /etc/aliases file. Note: if you change aliases in the future, you only need to execute this command, you do not need to restart sendmail for the changes to show through.
makemap hash /etc/mail/access < /etc/mail/access This creates a hashed version of your access database. This will keep your ISP username and password secure. A new /etc/mail/access.db file will be created.
makemap hash /etc/mail/local-host-names < /etc/mail/local-host-names Like above, this creates a one-way hash of the local-host-names file you modified.
make -C /etc/mail (That's an upper case "C") This creates the /etc/mail/sendmail.cf file from the /etc/mail/sendmail.mc file you modified earlier. Note: some of the above steps are covered here by the makefile but it won't hurt to make them again.
Now all you have to do is restart the server.
/sbin/service sendmail restart This will kill the sendmail job (if its running) and restart it using all your configuration changes.
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl # make -C /etc/mail
VERSIONID(`setup for Red Hat Linux')dnl
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # make -C /usr/share/ssl/certs usage
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl # For this to work your OpenSSL certificates must be configured.
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl # a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl # masquerade not just the headers, but the envelope as well
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well