Sendmail Notes

There are a number of neat features in sendmail that I have used in various places. Although there is documentation for this in The Sendmail FAQ and Scripts and Patches for ISP's, there always seems to be some missing details that I have to grub through the .cf source for.

Virtual Domains

This is the ability to accept mail for arbitrary mail addresses. The basics are explained in the virtual hosting page. Here's the real rules you need and why:

FEATURE(use_cw_file)

Not really necessary, but for each virtual domain, an entry is required in class w to allow sentmail to do something other than try to forward the mail. The /etc/sendmail.cw file is easier than constantly editing the sendmail.cf file.

FEATURE(virtusertable)

This allows you to map user@virt.dom.ain to someone@another.domain, or, to map whole domains. The key is the user address or domain, and the data is the destination.

The flip side is that you probably want the outgoing mail for these users to have their virtual domains added on if not there already.

FEATURE(genericstable)

This allows you to set up a table which provides the reverse mapping of the virtusertable

GENERICS_DOMAIN_FILE(`/etc/sendmail.cG')

You need to set this and populate the file with the domains of any mapping in the gernerics table which is not from a local user. For example, if one of the entries is for

joe@foo.com	fred@bar.com
	

foo.com must be in /etc/sendmail.cG.

FEATURE(masquerade_envelope)

You have to have this on to get any addressed passed to the genreicstable rules. This is probably a bug in the m4 macros, but it's required in 8.8.7

Security and Relaying

OutLook

When Outlook is setup to use SSL, it just does a normal SSL wrapped conversation for encryption, and does authentication the normal way. In other words, it does not use STARTTLS like Netscape does. On the server end, you can just use stunnel to wrap both these services on the new ports.

Some of these instructions are only applicable if you are useing self-signed certificates.

1. Make sure that you have the latest version installed. Go the the windows update page, on the left hand side you will find a link to Microsoft Office Updates. Click on that and download and install:
   • Outlook 2000 SR-1 Extended E-mail Security Update
   • Outlook 2000 SR-1 View Control Security Update
   • and maybe Office 2000 SP2
   Without these patches, Outlook will complain about the security certificate every time it checks for new mail. Even with them, some people have reported that it still does. If it does this for you, let me know and I'll open up relaying for whatever domain you are connecting from.

   Also, I have seen mail retrieval stop working for no apparent reason. Restarting outlook seems to fix it.

2. Assuming that you've already setup an account to use mail.your.domain for incoming and outgoing mail: Go to Tools->Accounts->mail.your.domain->Properties->Advanced, check the boxes that turn on SSL for both incoming and outgoing mail. Set the SMTP port to 587 and the pop3 port to 995.
3. go to Tools->Accounts->mail.your.domain->Properties->Servers and click the box at the bottom that says "My server requires authentication", then goto Settings and click either "Use same settings as incoming mail server", or "Log on using" and enter your mail id and password (NOT the domain login and password).

   When you first start outlook, it will complain that it can't verify the certificate because the root certificate is not trusted. Just click ok.

Authentication

Sendmail will relay (bypassing all IP or other relay checks) if a client authenticates using an AUTH method, or by presenting a valid client certificate.

Turing on AUTH, requires sendmail be compiled with SASL (already done in RedHat 7.x).

For sendmail to use SSL requires that it be compiled with sfio and openssl, plus the generation of certificates.

To make certificate authority:

mkdir CA
cd CA
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
cp /usr/local/openssl/openssl.cnf.sample openssl.cnf
vi openssl.cnf   (set values)
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

To make a new certificate:

cd CA        (same directory created above)
openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.cnf

(certificate and private key in file newreq.pem) To sign new certificate with certificate authority:

cd CA        (same directory created above)
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
rm -f tmp.pem

(newcert.pem contains signed certificate, newreq.pem still contains
unsigned certificate and private key) 

Also check

• http://www.sendmail.org/~ca/email/starttls.html
• http://www.sendmail.org/~ca/email/other/cagreg.html

How do I tell sendmail to use a smaller key size?

Compile with -D_FFR_TLS_1 and set CipherList to deal with the shortcomings of that MUA.

Can I put more than one name in CN, so that I can cover DNS aliases?

No. But you can use "*.ev.co.yu", and that might do what you want.

According to http://home.netscape.com/products/security/ssl/certformat.html CN="(Uprava|SMTP).ev.co.yu" should work with Netscape. No idea if OE understands it. Of course your CA should allow you to request such a certificate.

Procmail

Infinite Ink's Processing Mail with Procmail

Alcor On-Line Help: catching spam with procmail

check_local rulesets and patches for sendmail 8.9

Spam

Spamassassin

Available as Mail::Spamassassin from CPAN. Does a ton of checks to classify mail as spam or not. Uses Razor, Pyzor, and DCC, if installed. Reqires:

Digest::SHA1 - RH8 package

DB_File - RH8 package

Net::DNS - RH8 package

Razor

Vipul's Razor colaborative system. Requires

Net::Ping - RH8/perl 5.8 builtin

Net::DNS - RH8 package

Time::HiRes - RH8 package

Digest::SHA1 - RH8 package

Getopt::Long - RH8/perl 5.8 builtin

File::Copy - RH8/perl 5.8 builtin

Digest::Nilsimsa

URI::Escape - RH8 package

DCC

Distributed Checksum Clearinghouse

Pyzor

Python Razor. Requires pythin >= 2.2.1

Spamass-milter

A Milter to feed mail through spamassassin. Some people like to run spamassassin from Mime-Defang, but that milter won't let spamassassin re-write the message, and I find the information usefull in tuning spamassassin.

Mime-Defang

The swiss army knife of milters. It can 'defang' attachments by making them un-executable, or quarentine them. It can also run virus scanners and other stuff like spamassassin.