27.3. Mail Transport Agents
Red Hat Enterprise Linux includes two primary MTAs, Sendmail and Postfix. Sendmail is configured as the default MTA, although it is easy to switch the default MTA to Postfix.
Sendmail's core purpose, like other MTAs, is to safely transfer email among hosts, usually using the SMTP protocol. However, Sendmail is highly configurable, allowing control over almost every aspect of how email is handled, including the protocol used. Many system administrators elect to use Sendmail as their MTA due to its power and scalability.
18.104.22.168. Purpose and Limitations
It is important to be aware of what Sendmail is and what it can do, as opposed to what it is not. In these days of monolithic applications that fulfill multiple roles, Sendmail may seem like the only application needed to run an email server within an organization. Technically, this is true, as Sendmail can spool mail to each users' directory and deliver outbound mail for users. However, most users actually require much more than simple email delivery. Users usually want to interact with their email using an MUA, that uses POP or IMAP, to download their messages to their local machine. Or, they may prefer a Web interface to gain access to their mailbox. These other applications can work in conjunction with Sendmail, but they actually exist for different reasons and can operate separately from one another.
It is beyond the scope of this section to go into all that Sendmail should or could be configured to do. With literally hundreds of different options and rule sets, entire volumes have been dedicated to helping explain everything that can be done and how to fix things that go wrong. Refer to the Section 27.7, “Additional Resources” for a list of Sendmail resources.
This section reviews the files installed with Sendmail by default and reviews basic configuration changes, including how to stop unwanted email (spam) and how to extend Sendmail with the Lightweight Directory Access Protocol (LDAP).
22.214.171.124. The Default Sendmail Installation
The Sendmail executable is
Sendmail's lengthy and detailed configuration file is
/etc/mail/sendmail.cf. Avoid editing the
sendmail.cffile directly. To make configuration changes to Sendmail, edit the
/etc/mail/sendmail.mcfile, back up the original
/etc/mail/sendmail.cf, and use the following alternatives to generate a new configuration file:
More information on configuring Sendmail can be found in Section 126.96.36.199, “Common Sendmail Configuration Changes”.
- Use the included makefile in
make all -C /etc/mail) to create a new
/etc/mail/sendmail.cfconfiguration file. All other generated files in
/etc/mail(db files) will be regenerated if needed. The old makemap commands are still usable. The make command will automatically be used by
service sendmail start | restart | reloadif the
makepackage is installed.
- Alternatively you may use the included
m4macro processor to create a new
Various Sendmail configuration files are installed in the
access— Specifies which systems can use Sendmail for outbound email.
domaintable— Specifies domain name mapping.
local-host-names— Specifies aliases for the host.
mailertable— Specifies instructions that override routing for particular domains.
virtusertable— Specifies a domain-specific form of aliasing, allowing multiple virtual domains to be hosted on one machine.
Several of the configuration files in
/etc/mail/, such as
virtusertable, must actually store their information in database files before Sendmail can use any configuration changes. To include any changes made to these configurations in their database files, run the following command:
makemap hash /etc/mail/<name> < /etc/mail/<name>
where <name> is replaced with the name of the configuration file to convert.
For example, to have all emails addressed to the
example.comdomain delivered to
email@example.com, add the following line to the
To finalize the change, the
virtusertable.dbfile must be updated using the following command as root:
makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable
This creates an updated
virtusertable.dbfile containing the new configuration.
188.8.131.52. Common Sendmail Configuration Changes
When altering the Sendmail configuration file, it is best not to edit an existing file, but to generate an entirely new
Before changing the
sendmail.cffile, it is a good idea to create a backup copy.
To add the desired functionality to Sendmail, edit the
/etc/mail/sendmail.mcfile as the root user. When finished, use the
m4macro processor to generate a new
sendmail.cfby executing the following command:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
By default, the
m4macro processor is installed with Sendmail but is part of the
After creating a new
/etc/mail/sendmail.cffile, restart Sendmail for the changes to take effect. The easiest way to do this is to type the following command:
service sendmail restart
sendmail.cffile does not allow Sendmail to accept network connections from any host other than the local computer. To configure Sendmail as a server for other clients, edit the
/etc/mail/sendmail.mcfile, and either change the address specified in the
Addr=option of the
127.0.0.1to the IP address of an active network device or comment out the
DAEMON_OPTIONSdirective all together by placing
dnlat the beginning of the line. When finished, regenerate
/etc/mail/sendmail.cfby executing the following command:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
The default configuration which ships with Red Hat Enterprise Linux works for most SMTP-only sites. However, it does not work for UUCP (UNIX to UNIX Copy) sites. If using UUCP mail transfers, the
/etc/mail/sendmail.mcfile must be reconfigured and a new
/etc/mail/sendmail.cfmust be generated.
/usr/share/sendmail-cf/READMEfile before editing any files in the directories under the
/usr/share/sendmail-cfdirectory, as they can affect the future configuration of
One common Sendmail configuration is to have a single machine act as a mail gateway for all machines on the network. For instance, a company may want to have a machine called
mail.example.comthat handles all of their email and assigns a consistent return address to all outgoing mail.
In this situation, the Sendmail server must masquerade the machine names on the company network so that their return address is
To do this, add the following lines to
FEATURE(always_add_domain)dnl FEATURE(`masquerade_entire_domain')dnl FEATURE(`masquerade_envelope')dnl FEATURE(`allmasquerade')dnl MASQUERADE_AS(`bigcorp.com.')dnl MASQUERADE_DOMAIN(`bigcorp.com.')dnl MASQUERADE_AS(bigcorp.com)dnl
After generating a new
m4, this configuration makes all mail from inside the network appear as if it were sent from
184.108.40.206. Stopping Spam
Email spam can be defined as unnecessary and unwanted email received by a user who never requested the communication. It is a disruptive, costly, and widespread abuse of Internet communication standards.
Sendmail makes it relatively easy to block new spamming techniques being employed to send junk email. It even blocks many of the more usual spamming methods by default. Main anti-spam features available in sendmail are header checks, relaying denial (default from version 8.9), access database and sender information checks.
For example, forwarding of SMTP messages, also called relaying, has been disabled by default since Sendmail version 8.9. Before this change occurred, Sendmail directed the mail host (
x.edu) to accept messages from one party (
y.com) and sent them to a different party (
z.net). Now, however, Sendmail must be configured to permit any domain to relay mail through the server. To configure relay domains, edit the
/etc/mail/relay-domainsfile and restart Sendmail.
However, many times users are bombarded with spam from other servers throughout the Internet. In these instances, Sendmail's access control features available through the
/etc/mail/accessfile can be used to prevent connections from unwanted hosts. The following example illustrates how this file can be used to both block and specifically allow access to the Sendmail server:
badspammer.com ERROR:550 "Go away and do not spam us anymore" tux.badspammer.com OK 10.0 RELAY
This example shows that any email sent from
badspammer.comis blocked with a 550 RFC-821 compliant error code, with a message sent back to the spammer. Email sent from the
tux.badspammer.comsub-domain, is accepted. The last line shows that any email sent from the 10.0.*.* network can be relayed through the mail server.
/etc/mail/access.dbis a database, use
makemapto activate any changes. Do this using the following command as root:
makemap hash /etc/mail/access < /etc/mail/access
Message header analysis allows you to reject mail based on header contents. SMTP servers store information about an emails journey in the message header. As the message travels from one MTA to another, each puts in a "Received" header above all the other Received headers. It is however important to note that this information may be altered by spammers.
The above examples only represent a small part of what Sendmail can do in terms of allowing or blocking access. Refer to the
/usr/share/sendmail-cf/READMEfor more information and examples.
Since Sendmail calls the Procmail MDA when delivering mail, it is also possible to use a spam filtering program, such as SpamAssassin, to identify and file spam for users. Refer to Section 220.127.116.11, “Spam Filters” for more about using SpamAssassin.
18.104.22.168. Using Sendmail with LDAP
Using the Lightweight Directory Access Protocol (LDAP) is a very quick and powerful way to find specific information about a particular user from a much larger group. For example, an LDAP server can be used to look up a particular email address from a common corporate directory by the user's last name. In this kind of implementation, LDAP is largely separate from Sendmail, with LDAP storing the hierarchical user information and Sendmail only being given the result of LDAP queries in pre-addressed email messages.
However, Sendmail supports a much greater integration with LDAP, where it uses LDAP to replace separately maintained files, such as
virtusertables, on different mail servers that work together to support a medium- to enterprise-level organization. In short, LDAP abstracts the mail routing level from Sendmail and its separate configuration files to a powerful LDAP cluster that can be leveraged by many different applications.
The current version of Sendmail contains support for LDAP. To extend the Sendmail server using LDAP, first get an LDAP server, such as OpenLDAP, running and properly configured. Then edit the
/etc/mail/sendmail.mcto include the following:
This is only for a very basic configuration of Sendmail with LDAP. The configuration can differ greatly from this depending on the implementation of LDAP, especially when configuring several Sendmail machines to use a common LDAP server.
/usr/share/sendmail-cf/READMEfor detailed LDAP routing configuration instructions and examples.
Next, recreate the
/etc/mail/sendmail.cffile by running
m4and restarting Sendmail. Refer to Section 22.214.171.124, “Common Sendmail Configuration Changes” for instructions.
For more information on LDAP, refer to Chapter 28, Lightweight Directory Access Protocol (LDAP).