rcinformatica
asked on
Sendmail
Hi Experts,
I had to rebuild a Linux server after hacking so is FC4, the problem is that I would like remote users being able to send mail through my server after being authenticated. They are able to send mail through webMail, but I would like to enable to send mail through Outlook express but the keep receving a Relay Denied message if they try to send mail with outlook. This is my sendmail.cf
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
include(`/usr/share/sendma il-cf/m4/c f.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp. your.provi der')
dnl #
define(`confDEF_USER_ID',` `8:12'')dn l
define(`confTRUSTED_USER', `smmsp')dnl
dnl define(`confAUTO_REBUILD') dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LI ST',true)d nl
define(`confDONT_PROBE_INT ERFACES',t rue)dnl
define(`PROCMAIL_MAILER_PA TH',`/usr/ bin/procma il')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS' , `authwarnings,novrfy,noexp n,restrict qrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISM S', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',` /usr/share /ssl/certs ')
dnl define(`confCACERT',`/usr/ share/ssl/ certs/ca-b undle.crt' )
dnl define(`confSERVER_CERT',` /usr/share /ssl/certs /sendmail. pem')
dnl define(`confSERVER_KEY',`/ usr/share/ ssl/certs/ sendmail.p em')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SEN DMAIL',`gr oupreadabl ekeyfile') dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN ', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',` dnl')dnl
FEATURE(`smrsh',`/usr/sbin /smrsh')dn l
FEATURE(`mailertable',`has h -o /etc/mail/mailertable.db') dnl
FEATURE(`virtusertable',`h ash -o /etc/mail/virtusertable.db ')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain) dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipie nts')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp, Addr=127.0 .0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submi ssion, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps , Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl # a kernel patch
dnl #
dnl DAEMON_OPTIONS(`port=smtp, Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvab le_domains ')dnl
dnl #
dnl FEATURE(`relay_based_on_MX ')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.lo caldomain' )dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.co m')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelop e)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_ domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhos t)dnl
dnl MASQUERADE_DOMAIN(localhos t.localdom ain)dnl
dnl MASQUERADE_DOMAIN(mydomain alias.com) dnl
dnl MASQUERADE_DOMAIN(mydomain .lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
is there anything I shold chenge on this configuration?
Thanks for help
I had to rebuild a Linux server after hacking so is FC4, the problem is that I would like remote users being able to send mail through my server after being authenticated. They are able to send mail through webMail, but I would like to enable to send mail through Outlook express but the keep receving a Relay Denied message if they try to send mail with outlook. This is my sendmail.cf
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
include(`/usr/share/sendma
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.
dnl #
define(`confDEF_USER_ID',`
define(`confTRUSTED_USER',
dnl define(`confAUTO_REBUILD')
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LI
define(`confDONT_PROBE_INT
define(`PROCMAIL_MAILER_PA
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS'
define(`confAUTH_OPTIONS',
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS',
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISM
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`
dnl define(`confCACERT',`/usr/
dnl define(`confSERVER_CERT',`
dnl define(`confSERVER_KEY',`/
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SEN
dnl #
dnl define(`confTO_QUEUEWARN',
dnl define(`confTO_QUEUERETURN
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`
FEATURE(`smrsh',`/usr/sbin
FEATURE(`mailertable',`has
FEATURE(`virtusertable',`h
FEATURE(redirect)dnl
FEATURE(always_add_domain)
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipie
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submi
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl # a kernel patch
dnl #
dnl DAEMON_OPTIONS(`port=smtp,
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvab
dnl #
dnl FEATURE(`relay_based_on_MX
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.lo
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.co
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelop
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_
dnl #
dnl MASQUERADE_DOMAIN(localhos
dnl MASQUERADE_DOMAIN(localhos
dnl MASQUERADE_DOMAIN(mydomain
dnl MASQUERADE_DOMAIN(mydomain
MAILER(smtp)dnl
MAILER(procmail)dnl
is there anything I shold chenge on this configuration?
Thanks for help
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi
after accomplish http://www.debian-administration.org/articles/275 and installing poprelay rebuilding senmail.mc when I try to send mail within outlook it keeps asking me for the user name and password, no problems in receiving mails with outlook
after accomplish http://www.debian-administration.org/articles/275 and installing poprelay rebuilding senmail.mc when I try to send mail within outlook it keeps asking me for the user name and password, no problems in receiving mails with outlook
Hi,
The username/password is recived from the /etc/passwd and /etc/shadow file. The user must have an account on the system
and he will use the information to login.
The username/password is recived from the /etc/passwd and /etc/shadow file. The user must have an account on the system
and he will use the information to login.
ASKER
yes tue user has an account in /etc/oasswd and /etc/shadow, actually the user can log to hte system with out look and receive the mail normally but cannot send mail using the server SMTP
Hi,
Ahh ok, I aint used sendmail much but have a read of this:
http://www.brennan.id.au/12-Sendmail_Server.html
Ahh ok, I aint used sendmail much but have a read of this:
http://www.brennan.id.au/12-Sendmail_Server.html
please check /var/log/mail (or whatever logfile is used by sendmail) and post the relevant messages when authentication fails
ASKER
I get htis errore message:
Apr 29 13:24:28 myserver sendmail[20798]: k3TBORjJ020798: host160-247.pool871.interb usiness.it [87.1.247.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 29 13:24:30 myserver sendmail[20800]: k3TBOTnl020800: host160-247.pool871.interb usiness.it [87.1.247.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 29 13:24:31 myserver sendmail[20801]: k3TBOUPM020801: host160-247.pool871.interb usiness.it [87.1.247.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 29 13:24:28 myserver sendmail[20798]: k3TBORjJ020798: host160-247.pool871.interb
Apr 29 13:24:30 myserver sendmail[20800]: k3TBOTnl020800: host160-247.pool871.interb
Apr 29 13:24:31 myserver sendmail[20801]: k3TBOUPM020801: host160-247.pool871.interb
you have configured that sending a mail through your MTA requires a valid MAIL command, but the client does not provide one
ASKER
how can I fix this?
thanks
thanks
There are several way to authenticate user an enable relay (pop before smtp, sasl,GSSAPI, DIGEST-MD5, NTLM, LOGIN...)
with Outlook Express you need to enable LOGIN PLAIN or NTLM (http://www.sendmail.org/~ca/email/mel/SASL_ClientRef.html)
if you think to authenticate with LOGIN PLAIN you "MUST" use TLS, OExpress password encryption is VERY WEAK ...
IF you want simply send mail without authentication from your mail client (OE, virus, troian :) modify your access file or relay-domains
(http://www.sendmail.org/tips/relaying.html)
line to add or modify in your sendmail.mc after certificate creation:
dnl #turns off the request for a client certificate during the TLS handshake
define(`confTLS_SRV_OPTION
dnl # OPTIONAL message displayed by the smtp daemon
define(`confSMTP_LOGIN_MSG
dnl # from your sendmail.mc define(`confAUTH_OPTIONS',
dnl # offer authentication only after a secure channel is active
dnl # Options `A' and `P' suppress SMTP AUTH and PIPELINING, respectively.
dnl # `c' is the equivalent to AuthOptions=p, i.e.,
dnl # it doesn't permit mechanisms susceptible to simple
dnl # passive attack (e.g., PLAIN, LOGIN), unless a security layer is active.
define(`confAUTH_OPTIONS',
dnl Type of encryption offered and offered
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISM
dnl # OPTIONAL The timeout waiting for a response to an SMTP STARTTLS command
define(`confTO_STARTTLS',`
dnl # certificates for STARTTLS
define(`confCACERT_PATH',`
define(`confCACERT',`/etc/
define(`confSERVER_CERT',`
define(`confSERVER_KEY',`/
define(`confCLIENT_CERT',`
define(`confCLIENT_KEY',`/
dnl # OPTIONAL Log level debug
define(`confLOG_LEVEL',`14
for reference
http://www.sendmail.org/~ca/email/roaming.html
http://www.joreybump.com/code/howto/smtpauth.html
http://www.sendmail.org/~ca/email/starttls.html
If you already have the users set up, then you need to edit the /etc/mail/access file and add their IP address as a source that can relay, such as:
<ip address> relay
Then you hash it with:
makemap hash /etc/mail/access < access
Then restart sendmail
/etc/init.d/sendmail restart
<ip address> relay
Then you hash it with:
makemap hash /etc/mail/access < access
Then restart sendmail
/etc/init.d/sendmail restart
ASKER
thanks for the answer but since most people do not have static IP i need to enable them through pop server once they are authenticated
I'm using starttls and Plain login with several client : outlook express, outlook 2000/2003, thunderbird.. without problem..
At home whith my ISP and my dynamyc ip can send mail after the smtp authentication.
Ciao Gastone
PS questa soluzione la uso da anni e' perfetta
At home whith my ISP and my dynamyc ip can send mail after the smtp authentication.
Ciao Gastone
PS questa soluzione la uso da anni e' perfetta
well ,
If u dont have fix ip address u can use.
network pool with big subnet mask and do it ..
like suppose u know u r getting ip in 202.131.128.5 with netmask 255.255.255.0
than
u can addfollowing line in
202.131.128.0/255.255.0.0 REPLAY
regards
www.linux-directory.net :: it's all about Open Source & Linux
If u dont have fix ip address u can use.
network pool with big subnet mask and do it ..
like suppose u know u r getting ip in 202.131.128.5 with netmask 255.255.255.0
than
u can addfollowing line in
202.131.128.0/255.255.0.0 REPLAY
regards
www.linux-directory.net :: it's all about Open Source & Linux
To accommplish this you will need dovecot have a look at
http://www.debian-administration.org/articles/275
even tho that is for debian version it will work the same for Fedora :)