Hints about sendmail/e-mail

Last Update 2003-02-22


Introduction

If you need some basic information about SMTP, sendmail, or e-mail in general, you should read the UnixWorld Online Tutorial Article No. 008. It describes sendmail 8.7.
Probably the best book about sendmail so far is Costales, Allman, and Rickert: "Sendmail"; O'Reilly + Associates. It describes sendmail versions up to 8.8. Another book about sendmail is Sendmail: Theory and Practice, but it does not cover sendmail V8.

sendmail: configuration/sources

The Sendmail Installation and Operation Guide (HTML) is part of the documentation from the sendmail package. It provides an in-depth explanation of sendmail. The cf/README file from the sendmail distribution explains how to build a configuration file for your specific needs from a simple m4 description file.

Other questions should be answered in the FAQ for sendmail.

The most frequently asked questions on comp.mail.sendmail

config error: mail loops back to myself

From the FAQ of sendmail V8:

* I'm getting "Local configuration error" messages, such as:

        553 MX list for domain.net points back to relay.domain.net
        554 <user@domain.net>... Local configuration error

How can I solve this problem? 

You have asked mail to the domain (e.g., domain.net) to be forwarded to a specific
host (in this case, relay.domain.net) by using an MX record, but the relay machine
doesn't recognize itself as domain.net. Add domain.net to /etc/sendmail.cw (if you
are using FEATURE(use_cw_file)) or add "Cw domain.net" to your configuration file. 

IMPORTANT: When making changes to your configuration file, be sure you kill and
restart the sendmail daemon (for ANY change in the configuration, not just this one):

        kill `head -1 /etc/sendmail.pid`
        sh -c "`tail -1 /etc/sendmail.pid`"

NOTA BENE: kill -1 does not work with versions prior to 8.7.y! 

How can I solve this problem? There are two possibilities:

  1. You have asked mail to the domain (e.g., dom.ain) to be forwarded to a specific host (in this case, relay.dom.ain) by using an MX record, but the relay machine doesn't recognize itself as dom.ain. Add dom.ain to /etc/sendmail.cw (if you are using FEATURE(use_cw_file)) or add

        Cwdom.ain

    to your configuration file.
  2. Another possibility is that relay.dom.ain should send this to another host, mail.dom.ain, which really handles the mail for dom.ain. If this host is reachable by SMTP, you should create an MX record with the best (lowest) priority pointing to mail.dom.ain. Make sure that relay.dom.ain really knows it is relay.dom.ain! If you set up the MX records, you must use the correct name for relay.dom.ain.
    If mail.dom.ain is reachable by some other mail transport protocol (UUCP), or it is not directly reachable from the outside, you may have a look at the feature mailertable. E.g., use in your .mc configuration file something like

        FEATURE(mailertable,`dbm -o /etc/mailertable')

    (or another database type, see makemap(8)) and add a line like the following to the mailertable:

        dom.ain	smtp:[mail.dom.ain]

    The square brackets ([ ]) tell sendmail to ignore MX records for mail.dom.ain.

Two more hints: An MX record shouldn't point to a CNAME; it will most probably cause you a lot of trouble (and it currently violates RFC 974).
And from src/READ_ME:
WILDCARD MX RECORDS ARE A BAD IDEA! The only situation in which they work reliably is if you have two versions of DNS, one in the real world which has a wildcard pointing to your firewall, and a completely different version of the database internally that does not include wildcard MX records that match your domain. ANYTHING ELSE WILL GIVE YOU HEADACHES!
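
The two DNS hints above (no MX record pointing at a CNAME, no wildcard MX) can be checked mechanically before a zone goes live. The following lint is an added example, not part of the sendmail distribution; it assumes a simplified listing with one fully qualified record per line, and the names lint_mx and sample_zone as well as all records are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the sendmail distribution): lint MX records.
# Assumed input: one record per line, "owner TYPE [preference] target",
# fully qualified names, no $ORIGIN/$TTL directives, ';' starts a comment.

# Constructed sample records using the page's placeholder domain.
sample_zone() {
    cat <<'EOF'
; constructed sample data
dom.ain.        MX    10 mail.dom.ain.
dom.ain.        MX    20 relay.dom.ain.
mail.dom.ain.   CNAME host1.dom.ain.
host1.dom.ain.  A     192.0.2.10
relay.dom.ain.  A     192.0.2.20
*.dom.ain.      MX    10 relay.dom.ain.
EOF
}

# lint_mx [FILE...]: reads stdin when no file is given, one finding per line.
lint_mx() {
    awk '
        NF == 0 || $1 ~ /^;/ { next }
        { owner = tolower($1); type = toupper($2) }
        # Remember every name that is an alias, and every MX record.
        type == "CNAME" { alias[owner] = tolower($3) }
        type == "MX"    { n++; mx_owner[n] = owner; mx_target[n] = tolower($4) }
        END {
            for (i = 1; i <= n; i++) {
                if (mx_target[i] in alias)
                    print "mx-to-cname " mx_owner[i] " -> " mx_target[i]
                if (substr(mx_owner[i], 1, 2) == "*.")
                    print "wildcard-mx " mx_owner[i]
            }
        }' "$@"
}

sample_zone | lint_mx
```

The lint only sees CNAMEs present in the listing it is given, so an MX target that is an alias in another zone is not reported.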

IMPORTANT: Be sure you kill and restart the sendmail daemon after you change the configuration file (for ANY change in the configuration, not just this one):

		kill `head -1 /etc/sendmail.pid`
		sh -c "`tail -1 /etc/sendmail.pid`"

NOTA BENE: kill -1 does not work!

See also next paragraph for a related question!

If it still doesn't work, take a look at some more explanations.

How do I change user@host.my.dom.ain to user@my.dom.ain?

sendmail V8

Again from the FAQ of sendmail V8:

* How do I make all my addresses appear to be from a single host?

Using the V8 configuration macros, use:

		MASQUERADE_AS(my.dom.ain)

This will cause all addresses to be sent out as being from the indicated domain.
If you're using version 8.7 sendmail, and you want to hide this information in the envelope as well as the headers, use:

	FEATURE(masquerade_envelope)

If you also want to masquerade the recipients, use:

	FEATURE(allmasquerade)

But be careful and read cf/README about possible problems!

Another section in cf/README explains how to masquerade for other hosts too. Usually, masquerading applies only to the elements of class w, which contains all names local to that host. But you can also add more hosts to class M, which will then be masqueraded too.

sendmail 8.8 offers even more flexibility with respect to masquerading.

You may also have a look at the genericstable FEATURE.

How do I refuse e-mail from unwanted domains (users)?

Using rules with sendmail 8.8, 8.9, or later

sendmail 8.8 has some new rulesets to check who can use your machine as a mail gateway. "Using check_* in sendmail 8.8" gives an overview of how to use these rulesets; 8.9 has standard FEATUREs to this effect.

Using rules with sendmail 8.x

If you have sendmail 8.x (with x < 8), then you should upgrade.

Using tcp_wrappers

Another possibility is to use tcp_wrappers, so you can define the access to your sendmail daemon based on the rules available for tcp_wrappers.

sendmail 8.8 and later support this directly, just use -DTCPWRAPPERS=1 for compilation and add the appropriate library -lwrap. There is a patch for a problem with sendmail 8.8.8 which passes incorrect data to the library routines. A patch can be found in ftp://ftp.win.tue.nl/pub/security/. Thanks to Lou Rinaldi for pointing this out.

Using checkcompat()

A third possibility is to use the checkcompat() routine. Kyle Jones proposed the following patch. It is intended to disallow all non-local e-mail traffic through your host. Use at your own risk.

unsafe map file /etc/mail/aliases

With the latest sendmail release many people get an error message like:

	unsafe map file /etc/mail/aliases

(or another map). There may be several reasons for this; the most common is that the permissions of the directories leading to the alias file are incorrect. They must be:

	drwxr-xr-x 12 root     staff        3072 Nov 20 10:47 /etc/
	drwxr-xr-x  4 root     staff        1024 Dec 21 16:40 /etc/mail/

i.e., each directory must be owned by root and not writable by the group or the rest of the world. The alias file itself must have similar permissions. Moreover, if you have a db map, you may try to touch the resulting map (file.db) and call makemap or newaliases thereafter.

See the release notes for further details. /usr/lib/sendmail -bi -d44.4 gives some debug output for the alias map.
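
The ownership and mode rule above can be checked for every component of the path in one pass. The following script is an added example, not part of the sendmail distribution; the function name check_map_path and its optional TRUSTED_UID and STOP_DIR arguments are assumptions made so that it can be tried on a scratch tree without root.

```sh
#!/bin/sh
# Added example (not from the sendmail distribution).
# check_map_path FILE [TRUSTED_UID] [STOP_DIR]
#   Walks from FILE up to STOP_DIR (default /) and reports every component
#   that is not owned by TRUSTED_UID (default 0 = root) or that is group- or
#   world-writable. Returns 0 if clean, 1 on findings, 2 if a component
#   cannot be examined. TRUSTED_UID and STOP_DIR are hypothetical parameters.

check_map_path() {
    cur=$1; want=${2:-0}; stop=${3:-/}; bad=0
    while :; do
        # ls -ldn: field 1 is the mode string, field 3 the numeric owner
        info=$(ls -ldn "$cur" 2>/dev/null) || { echo "$cur: cannot stat"; return 2; }
        mode=${info%% *}
        owner=$(printf '%s\n' "$info" | awk '{ print $3; exit }')
        if [ "$owner" != "$want" ]; then
            echo "$cur: owned by uid $owner, expected $want"; bad=1
        fi
        # character 6 of the mode string = group write, character 9 = world write
        case $mode in
            l*) ;;  # symlink mode bits carry no meaning; owner was checked
            ?????w*|????????w*)
                echo "$cur: group- or world-writable ($mode)"; bad=1 ;;
        esac
        if [ "$cur" = "$stop" ]; then break; fi
        parent=$(dirname "$cur")
        if [ "$parent" = "$cur" ]; then break; fi   # reached / or .
        cur=$parent
    done
    return $bad
}

# Demo on a constructed scratch tree standing in for /etc/mail/aliases;
# the alias file is deliberately left group-writable.
demo=$(mktemp -d) && mkdir "$demo/mail" && : > "$demo/mail/aliases"
chmod 755 "$demo" "$demo/mail"; chmod 664 "$demo/mail/aliases"
check_map_path "$demo/mail/aliases" "$(id -u)" "$demo" || echo "result: unsafe"
rm -rf "$demo"
```

On a real system, run it as `check_map_path /etc/mail/aliases` with no further arguments so that root ownership is required all the way up to /.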


Copyright © Claus Aßmann Please send comments to: <ca at sendmail.org>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.