
Postfix and Sendmail

Posted on 2004-03-28
Last Modified: 2007-12-19
Thank you in advance!

Hi,
I have installed Sendmail and Openwebmail on RedHat 9. I am also using IMAPS to log on and download my mail. I am using SSL on the web to use Openwebmail. I have a registered domain. I am currently hosting it at my business. I have DNS installed. I have an MX record pointing to my mailserver. When I use "DIG" or "NSLOOKUP" I get an appropriate response. I have configured my hosts file. I have configured sendmail using sendmail.mc and NOT sendmail.cf. I have run m4 after making changes. I believe my problem is with "relay". I also have a side question when editing the sendmail.mc file. If you comment out by removing the " # " character, should you also leave the dnl at the beginning and the end as not to create a line space? Example:
dnl # DaemonPortOptions=Port=smtp, Name=MTA dnl ( I assume this is comment out and not parsed)
dnl DaemonPortOptions=Port=smtp, Name=MTA dnl (This is uncommented out and parsed?)
or is this correct?
DaemonPortOptions=Port=smtp, Name=MTA dnl (dnl at the end only)
or this?
DaemonPortOptions=Port=smtp, Name=MTA     (No dnl at end or beginning)

The major PROBLEM:

I can send mail from Outlook or Webmail using https: both on my network and remotely to users only on my domain. I can't send e-mail via sendmail to anyone who is not part of my domain. I receive the following error almost exclusively:

The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was 'randol.larson@emcmail.maricopa.edu'. Subject 'Again', Account: 'mail.larsonlinux.org', Server: 'mail.larsonlinux.org', Protocol: SMTP, Server Response: '550 5.7.1 <randol.larson@emcmail.maricopa.edu>... Relaying denied', Port: 25, Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC79

I have opened on my firewall the following: 25 53 80 443 and 993. I have tried providing a username and password to outgoing mail to authenticate. I am pretty sure it is in "relaying" the mail, and I have tried several suggestions from postings here. I can telnet to port 25 as the instructions explain. I have read that relaying is turned off or tweaked to prevent others from using you as SPAM in a can.

I will copy my sendmail.mc file (I have taken out some of the comments because of the size of the posting here). Should I drop sendmail and try Postfix? Can I do that after configuring sendmail? Any help you can give will be surely appreciated. Again, thank you. Christy Jo

divert(-1)dnl
dnl #     make -C /etc/mail
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
define(`SMART_HOST',`smtp.mail.larsonlinux.org')
define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readable by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DaemonPortOptions=Port=smtp, Name=MTA dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl #       a kernel patch
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(larsonlinux.org)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
FEATURE(always_add_domain)dnl
FEATURE(`masquerade_entire_domain')dnl
dnl FEATURE(`masquerade_envelop')dnl
MASQUERADE_AS(`larsonlinux.org')dnl
MASQUERADE_DOMAIN(`larsonlinux.org')dnl
MASQUERADE_AS(larsonlinux.org)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl


Question by:christyjo

Accepted Solution

by:
jlevie earned 500 total points
ID: 10701630
First let me say that anything beginning with dnl is commented out. It is normal and proper to end each line with dnl.

Looking at your sendmail.mc I see that:

DaemonPortOptions=Port=smtp, Name=MTA dnl

should be simply removed. You've commented out the localhost only restriction and don't need or want that line.

You have:

MASQUERADE_AS(`larsonlinux.org')dnl
MASQUERADE_DOMAIN(`larsonlinux.org')dnl
MASQUERADE_AS(larsonlinux.org)dnl

and that's redundant. You should delete the last two lines.

Now on to the real problem. The default with recent versions of Sendmail is to deny relaying for anything not explicitly permitted. That explains why your client can send mail to an account on the server but not anywhere else.

Sendmail will relay mail for any of the following cases:

1) The mail is sent from the mail server itself.

2) The sendmail.mc includes FEATURE(`relay_entire_domain')dnl and the IP of the client can be resolved via DNS to a hostname within the domain of the mail server.

3) The network that the client is in or the IP of the client is listed in the access map as RELAY, e.g.:

192.168      RELAY
1.2.3.4        RELAY

4) Sendmail is configured for SMTP AUTH and the client successfully authenticates

There are some other less commonly used methods of allowing clients relay privs, but those cover the common cases.

In general, one configures Sendmail to operate according to either (2) or (3) for clients on the local LAN. Access from the Internet is best handled by (4) since in most cases the client won't have a fixed IP.


Author Comment

by:christyjo
ID: 10705040
Hi jlevie!

You are indeed talented! I had worked on this for hours, but not wasted. I continually learn more and more when things don't go well. I had stated so many points because of how critical this issue was, and to me it was very complicated. I thank you so much. I can now forward mail from Openwebmail. I can send mail out on my local domain. Your instructions are very well written. Can I ask two questions from above before I close this ticket out?

1. The access map I changed to 192.168.1.0          RELAY (This of course must have worked)
The example 1.2.3.4 listed, would that be an example if I was at another office and wanted to use Outlook? The remote network would say, for example, 140.180.1.0? Would I substitute that for 1.2.3.4? But what would really be difficult, what if you are on various networks? How could you list them all? Or because of security, would that be dangerous? Also, does the access file under /etc/mail/ write to the access.db auto-magically, or is there a command to do this? Or are access.db and access unrelated?

2. I also want to ask the user remotely to choose under Outlook account options, "Under Servers": "My outgoing mail requires authentication". I can choose it now either way and it sends mail. My ultimate goal is to require users in Outlook to choose the option "Log on using secure password authentication". If this is possible I will open up another ticket.
Thanks again:
Christyjo

Expert Comment

by:jlevie
ID: 10745555
(1) Yes, replacing 1.2.3.4 with, say 140.180.1.0, would allow any machine on the 140.180.1.0/24 network to relay mail through your server.

(2) I presume that you mean that the Outlook client is on the 192.168.1.0/24 network. Since the access map is checked first, a client on that network would be allowed to relay whether the client authenticates or not. And if Sendmail isn't configured to offer SMTP AUTH the client won't even try it even if authentication is configured.

It is possible to restrict relaying to only authenticated users. This means that you first must configure sendmail to offer authentication and then remove any network relay privs from the access map.
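The relay cases in jlevie's accepted solution, and the follow-up point that dropping the network grant from the access map leaves SMTP AUTH as the only way in, can be seen side by side in a small simulation. The block below is an added example written for this page; it is not sendmail's ruleset and not anything the poster or jlevie supplied. It models a subset of the check_rcpt decision: local recipients are always accepted, an access-map RELAY entry for the client address grants relaying (IP keys match on leading octets, so `192.168.1` covers all of 192.168.1.0/24, the way sendmail's access map works), relay_entire_domain grants relaying when the client's reverse-DNS name lies in a local domain (the name is passed in here instead of doing a lookup), and an authenticated client is granted relaying only when the server actually offers AUTH. The access-file contents, domain names and client addresses are constructed sample values.

```python
"""Simplified model of sendmail's relay decision (added example, not sendmail's code)."""
from dataclasses import dataclass

# Constructed sample in /etc/mail/access format ("key<whitespace>value").
# An IP key of "192.168.1" matches any host in 192.168.1.0/24; "192.168" would
# match all of 192.168.0.0/16. This is the LAN-relay setup from the answer.
ACCESS_FILE_LAN = """\
# constructed sample, not the poster's real file
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168.1               RELAY
"""

# Same table with the network grant removed, as in the follow-up comment where
# relaying is meant to depend on SMTP AUTH alone.
ACCESS_FILE_AUTH_ONLY = """\
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
"""

OK = "250 2.1.5 Recipient ok"


def parse_access(text):
    """Return {key: VALUE} from access-file text; blank lines and '#' comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line; sendmail's makemap would complain here
        table[parts[0]] = parts[1].strip().upper()
    return table


def lookup_ip(table, ip):
    """Look up the full address, then drop trailing octets one at a time (sendmail's IP matching)."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        value = table.get(".".join(octets[:n]))
        if value is not None:
            return value
    return None


@dataclass
class Server:
    local_domains: set          # domains this host delivers locally (cw file)
    access: dict                # parsed access map
    offers_auth: bool = False   # confAUTH_MECHANISMS configured and advertised
    relay_entire_domain: bool = False


def check_rcpt(server, client_ip, recipient, authenticated=False, client_hostname=None):
    """Return the SMTP reply the modelled server gives to RCPT TO:<recipient>."""
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    # Local delivery never needs relay permission; this is why mail to the
    # poster's own domain always worked.
    if rcpt_domain in server.local_domains:
        return OK
    # Cases 1 and 3: the server itself (127.0.0.1) or a RELAY entry for the
    # client address. The access map is consulted before AUTH is considered.
    verdict = lookup_ip(server.access, client_ip)
    if verdict == "REJECT":
        return "550 5.7.1 Access denied"
    if verdict == "RELAY":
        return OK
    # Case 2: relay_entire_domain, based on the name the client IP resolves to.
    if server.relay_entire_domain and client_hostname:
        host = client_hostname.lower()
        if any(host == d or host.endswith("." + d) for d in server.local_domains):
            return OK
    # Case 4: SMTP AUTH. A client only authenticates if the server offers it.
    if server.offers_auth and authenticated:
        return OK
    return "550 5.7.1 <%s>... Relaying denied" % recipient


if __name__ == "__main__":
    lan = Server({"larsonlinux.org"}, parse_access(ACCESS_FILE_LAN))
    auth_only = Server({"larsonlinux.org"}, parse_access(ACCESS_FILE_AUTH_ONLY), offers_auth=True)
    print("LAN client, outside recipient:", check_rcpt(lan, "192.168.1.20", "user@example.net"))
    print("Internet client, no AUTH:     ", check_rcpt(lan, "203.0.113.9", "user@example.net"))
    print("AUTH-only server, no AUTH:    ", check_rcpt(auth_only, "192.168.1.20", "user@example.net"))
    print("AUTH-only server, with AUTH:  ", check_rcpt(auth_only, "192.168.1.20", "user@example.net", authenticated=True))
```

On a real sendmail host the text file is not read directly: after editing /etc/mail/access it is compiled into access.db with `makemap hash /etc/mail/access < /etc/mail/access` (the Red Hat `make -C /etc/mail` mentioned in the poster's sendmail.mc comment does the same for all maps), which is the step that makes a new RELAY or REJECT entry take effect.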

Author Comment

by:christyjo
ID: 10746054
Thanks again!
R
