Postfix and Sendmail

Posted on 2004-03-28
Last Modified: 2007-12-19
Thank you in advance!

I have installed Sendmail and Openwebmail on RedHat 9. I am also using IMAPS to log on and download my mail. I am using SSL on the web to use Openwebmail. I have a registered domain. I am currently hosting it at my business. I have DNS installed. I have an MX record pointing to my mailserver. When I use "DIG" or "NSLOOKUP" I get an appropriate response. I have configured my hosts file. I have configured sendmail using and NOT I have run m4 after making changes. I believe my problem is with "relay". I also have a side question when editing the file. If you comment out by removing the " # " character, should you also leave the dnl at the beginning and the end as not to create a line space? Example:
dnl # DaemonPortOptions=Port=smtp, Name=MTA dnl ( I assume this is comment out and not parsed)
dnl DaemonPortOptions=Port=smtp, Name=MTA dnl (This is uncommented out and parsed?)
or is this correct?
DaemonPortOptions=Port=smtp, Name=MTA dnl (dnl at the end only)
or this?
DaemonPortOptions=Port=smtp, Name=MTA     (No dnl at end or beginning)

The major PROBLEM:

I can send mail from Outlook or Webmail using https: both on my network and remotely to users only on my domain. I can't send e-mail via sendmail to anyone who is not part of my domain. I receive the following error almost exclusively:

The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was ''. Subject 'Again', Account: '', Server: '', Protocol: SMTP, Server Response: '550 5.7.1 <>... Relaying denied', Port: 25, Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC79

I have open on my firewall the following: 25 53 80 443 and 993. I have tried providing a username and password to outgoing mail to authenticate. I am pretty sure it is in "relaying" the mail, and I have tried several suggestions from postings here. I can telnet to port 25 as the instructions explain. I have read that relaying is turned off or tweaked to prevent others from using you as SPAM in a can.

I will copy my file (I have taken out some of the comments because of the size of the posting here). Should I drop sendmail and try Postfix? Can I do that after configuring sendmail? Any help you can give will be surely appreciated. Again, thank you. Christy Jo

dnl #     make -C /etc/mail
VERSIONID(`setup for Red Hat Linux')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readable by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=, Name=MTA')dnl
DaemonPortOptions=Port=smtp, Name=MTA dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl #       a kernel patch
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl #
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from
dnl #
dnl MASQUERADE_AS(`')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just, but @* as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
dnl FEATURE(`masquerade_envelop')dnl

Question by:christyjo

Accepted Solution

jlevie earned 500 total points
ID: 10701630
First let me say that anything beginning with dnl is commented out. It is normal and proper to end each line with dnl.

Looking at your I see that:

DaemonPortOptions=Port=smtp, Name=MTA dnl

should be simply removed. You've commented out the localhost only restriction and don't need or want that line.

You have:


and that's redundant. You should delete the last two lines.

Now on to the real problem. The default with recent versions of Sendmail is to deny relaying for anything not explicitly permitted. That explains why your client can send mail to an account on the server but not anywhere else.

Sendmail will relay mail for any of the following cases:

1) The mail is sent from the mail server itself.

2) The includes FEATURE(`relay_entire_domain')dnl and the IP of the client can be resolved via DNS to a hostname within the domain of the mail server.

3) The network that the client is in or the IP of the client is listed in the access map as RELAY, e.g.:

192.168      RELAY        RELAY

4) Sendmail is configured for SMTP AUTH and the client successfully authenticates.

There are some other less commonly used methods of allowing clients relay privs, but those cover the common cases.

In general, one configures Sendmail to operate according to either (2) or (3) for clients on the local LAN. Access from the Internet is best handled by (4) since in most cases the client won't have a fixed IP.


Author Comment

ID: 10705040
Hi jlevie!

You are indeed talented! I had worked on this for hours, but not wasted. I continually learn more and more when things don't go well. I had stated so many points because of how critical this issue was, and to me it was very complicated. I thank you so much. I can now forward mail from Openwebmail. I can send mail out on my local domain. Your instructions are very well written. Can I ask two questions from above before I close this ticket out?

1. The access map I changed to          RELAY (This of course must have worked)
The example listed, would that be an example if I was another office and wanted to use Outlook? The remote network would say example.... Would I substitute that? But what would really be difficult, what if you are on various networks? How could you list them all? Or because of security, would that be dangerous? Also does the access file under /etc/mail/ write to the access.db auto-magically or is there a command to do this? Or are access.db and access unrelated?

2. I also want to ask the user remotely to choose under Outlook account options, "Under Servers", "My outgoing mail requires authentication". I can choose it now either way and it sends mail. My ultimate goal is to require users in Outlook to choose the option "Log on using secure password authentication". If this is possible I will open up another ticket.
Thanks again:

Expert Comment

ID: 10745555
(1) Yes, replacing with, say, would allow any machine on the network to relay mail through your server.

(2) I presume that you mean that the Outlook client is on the network. Since the access map is checked first, a client on that network would be allowed to relay whether the client authenticates or not. And if Sendmail isn't configured to offer SMTP AUTH the client won't even try it even if authentication is configured.

It is possible to restrict relaying to only authenticated users. This means that you first must configure sendmail to offer authentication and then remove any network relay privs from the access map.
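The following is an added example, not code from this thread or from Sendmail. It models the four relay cases jlevie lists in the accepted answer and the ordering he describes here (the access map is consulted before SMTP AUTH, and AUTH only counts if the server offers it), and it adds a small audit of the /etc/mail/access source file, the text that `make -C /etc/mail` (as in the posted sendmail.mc) compiles into access.db, flagging RELAY entries broad enough to be risky, which bears on the "various networks" question above. The access entries, hostnames and client addresses are constructed; the matching rules are a simplification of Sendmail's check_relay ruleset (hostname keys match the name or a parent domain, numeric keys match on octet boundaries, longest prefix wins).

```python
"""Model of Sendmail's relay decision plus an audit of the access map.

Added example, not from this thread or from Sendmail. Encodes the four
relay cases from the accepted answer and the "access map before AUTH"
ordering from the follow-up. Sample data below is constructed.
"""
import ipaddress

# Constructed sample of an /etc/mail/access source file (untagged,
# pre-"Connect:" style, as on Red Hat 9). Compiled to access.db by
# `make -C /etc/mail`.
SAMPLE_ACCESS = """\
# relay from localhost and the office LAN
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168                 RELAY
10                      RELAY
203.0.113               RELAY
spammer.example         REJECT
"""

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_access(text):
    """Return (key, value) pairs from an access map source, skipping blank
    lines and '#' comments. Values are upper-cased (RELAY, REJECT, ...)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0], parts[1].strip().upper()))
    return entries


def _is_numeric_key(key):
    return key[0].isdigit()


def access_lookup(entries, client_ip, client_host=None):
    """Access-map verdict for a client, or None if nothing matches.

    Hostname keys match the name itself or any parent domain; numeric keys
    such as '192.168' match on octet boundaries, longest prefix wins."""
    if client_host:
        for key, value in entries:
            if _is_numeric_key(key):
                continue
            if client_host == key or client_host.endswith("." + key):
                return value
    best = None
    for key, value in entries:
        if not _is_numeric_key(key):
            continue
        if client_ip == key or client_ip.startswith(key + "."):
            if best is None or len(key) > len(best[0]):
                best = (key, value)
    return best[1] if best else None


def may_relay(entries, client_ip, client_host=None, on_server=False,
              relay_entire_domain=False, local_domain="example.com",
              auth_offered=False, authenticated=False):
    """Apply the relay cases in the order Sendmail checks them.
    Returns (allowed, reason)."""
    if on_server:                                               # case 1
        return True, "mail originates on the server itself"
    if access_lookup(entries, client_ip, client_host) == "RELAY":  # case 3
        return True, "client listed as RELAY in access map"
    if (relay_entire_domain and client_host
            and client_host.endswith("." + local_domain)):      # case 2
        return True, "relay_entire_domain: client resolves into local domain"
    # Case 4: a client only attempts AUTH when the server advertises it.
    if auth_offered and authenticated:
        return True, "client authenticated with SMTP AUTH"
    return False, "550 5.7.1 Relaying denied"


def audit_access(entries):
    """Flag RELAY entries that are risky: any whole /8, or any address
    range outside RFC 1918 space (i.e. public addresses)."""
    findings = []
    for key, value in entries:
        if value != "RELAY" or not _is_numeric_key(key):
            continue
        octets = key.split(".")
        if len(octets) > 4 or not all(o.isdigit() for o in octets):
            findings.append((key, "unparseable address prefix"))
            continue
        bits = 8 * len(octets)
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        net = ipaddress.ip_network("%s/%d" % (padded, bits))
        if net.is_loopback:
            continue
        if bits <= 8:
            findings.append((key, "RELAY for an entire /8: %s" % net))
        elif not any(net.subnet_of(private) for private in RFC1918):
            findings.append((key, "RELAY for public range %s" % net))
    return findings


if __name__ == "__main__":
    entries = parse_access(SAMPLE_ACCESS)
    print(may_relay(entries, "192.168.1.20"))
    print(may_relay(entries, "198.51.100.7"))
    print(may_relay(entries, "198.51.100.7", auth_offered=True, authenticated=True))
    for key, why in audit_access(entries):
        print("WARNING: %-12s %s" % (key, why))
```

Running it shows the thread's situation from both sides: a LAN client under a RELAY prefix relays regardless of authentication, an Internet client with no entry gets the same "550 5.7.1 Relaying denied" the poster saw unless AUTH is both offered and completed, and the audit warns about the `10` and `203.0.113` entries, the kind of broad or public RELAY lines the expert suggests removing once authentication is in place.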

Author Comment

ID: 10746054
Thanks again!
