Category: Sendmail

Jul 30

Sendmail Mail Submission

I have struggled with this before and now I will make a note of it to save myself time when I encounter this again.

I have a setup on Solaris 11 where I am running a custom filter to accept mail on port 25 and then pass it on to sendmail for processing. My filter needs the sendmail daemon, and I am running the sendmail daemon on port 10026. In a normal sendmail setup you are not stealing port 25, so I doubt you will have local mail submission problems. And you might not need local mail submission with mail or mailx anyhow. If you do need local mail submission and the defaults are not working, as was the case for me, below is my fix.

Make sure you are running the sendmail client.

# svcs -a | grep sendmail
online         Jun_30   svc:/network/smtp:sendmail
online          6:43:35 svc:/network/sendmail-client:default

Generate /etc/mail/submit.cf. In my case I copied and edited custom_submit.mc. Note I had to use "MSA".

# pwd
/etc/mail/cf/cf
# diff submit.mc custom_submit.mc
[...]
< FEATURE(`msp', `[127.0.0.1]')dnl
---
> FEATURE(`msp', `[127.0.0.1]',`MSA')dnl

# /usr/ccs/bin/m4 ../m4/cf.m4 custom_submit.mc > /etc/mail/submit.cf

Restart client

# svcadm disable svc:/network/sendmail-client:default
# svcadm enable svc:/network/sendmail-client:default

Links:
http://docs.oracle.com/cd/E19253-01/816-4555/mailrefer-106/index.html

Configuring sendmail as an MSA


Dec 30

Sanitizing Email Recipient List

I wrote a couple articles on respectively using sendmail and postfix to block outbound email and only allow selective domains and selective email addresses.  I ran into problems with both sendmail and postfix doing exactly what I want.  Sendmail was fairly easy to satisfy the requirements for forwarding only to certain domains. Postfix got very close on doing domains plus a selective few email addresses.  I could not get the multi instance postfix method working 100% with my header checks though.

Below is another method to sanitize outbound email addresses using python smtplib and sendmail.

Sendmail answering on a non-standard port:

root@myhost:/etc/mail/cf/cf# more usla-utility.mc
divert(-1)
...
divert(0)dnl
VERSIONID(`sendmail.mc (Sun)')
OSTYPE(`solaris11')dnl
DOMAIN(`solaris-generic')dnl
DAEMON_OPTIONS(`Port=10026,Addr=127.0.0.1, Name=MTA')dnl
MASQUERADE_AS(`arbonne.com')
FEATURE(masquerade_envelope)
FEATURE(`mailertable')
MAILER(`local')dnl

root@myhost:/etc/mail/cf/cf# /usr/ccs/bin/m4 ../m4/cf.m4 myhost.mc > /etc/mail/sendmail.cf

I needed some specific transports so I have a mailertable:

root@myhost:/etc/mail# makemap hash mailertable < mailertable

Run a small python smtplib SMTP forwarder on port 25:

More information here: http://docs.python.org/2/library/smtplib.html#smtp-example

Run python in the background:

root@myhost:# nohup python sanitizer.py &

My code snippet to sanitize. Probably need to look at CC and BCC also.

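...
      # Policy: whole domains and individual addresses that may receive mail.
      allowedDomains = ['domain1.com','domain2.com','domain3.com','domain4.com']
      allowedRecipients = ['user@domain5.com']
      # Iterate over a copy so entries can be removed from rcpttos safely.
      for rcpt in rcpttos[:]:
        # An address without "@" gets an empty domain and is dropped.
        domain = rcpt.rsplit("@", 1)[-1] if "@" in rcpt else ""
        if not (rcpt.lower() in allowedRecipients or domain.lower() in allowedDomains):
          #log.debug("%s not allowed per our policy" % rcpt)
          rcpttos.remove(rcpt)
      log.debug("sanitized list %s" % rcpttos)
...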
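
Added example, not the author's sanitizer.py: it filters the envelope list (the RCPT TO addresses, which is also where Cc and Bcc recipients arrive) with exact, fail-closed matching, trims the To/Cc headers to match, and forwards to the daemon on port 10026. The function names and the sample message are constructed for illustration, and Python 3 is assumed.

```python
import smtplib
from email import message_from_string
from email.utils import formataddr, getaddresses

# Policy placeholders reused from the snippet above.
ALLOWED_DOMAINS = {"domain1.com", "domain2.com", "domain3.com", "domain4.com"}
ALLOWED_RECIPIENTS = {"user@domain5.com"}

def is_allowed(addr):
    """Exact-match policy check; malformed addresses are rejected (fail closed)."""
    local, at, domain = addr.strip().strip("<>").lower().rpartition("@")
    domain = domain.rstrip(".")
    if not (local and at and domain) or "@" in local:
        return False
    return local + "@" + domain in ALLOWED_RECIPIENTS or domain in ALLOWED_DOMAINS

def sanitize_envelope(rcpttos):
    """Split the RCPT TO list into (kept, dropped)."""
    kept = [r for r in rcpttos if is_allowed(r)]
    return kept, [r for r in rcpttos if r not in kept]

def sanitize_headers(raw):
    """Trim To/Cc to allowed addresses and remove any Bcc header."""
    msg = message_from_string(raw)
    for name in ("To", "Cc"):
        pairs = getaddresses(msg.get_all(name, []))
        del msg[name]                      # no error if the header is absent
        kept = [formataddr(p) for p in pairs if is_allowed(p[1])]
        if kept:
            msg[name] = ", ".join(kept)
    del msg["Bcc"]
    return msg.as_string()

def forward(mailfrom, rcpttos, raw, host="127.0.0.1", port=10026):
    """Relay to the sendmail daemon from this page; skip when nothing survives."""
    kept, dropped = sanitize_envelope(rcpttos)
    if kept:  # smtplib raises SMTPRecipientsRefused for an empty recipient list
        with smtplib.SMTP(host, port) as conn:
            conn.sendmail(mailfrom, kept, sanitize_headers(raw))
    return kept, dropped

# Constructed sample: the last two envelope entries never appear in a header.
SAMPLE = ("To: user1@domain1.com, Mallory <m@x-domain1.com>\n"
          "Cc: user@domain5.com, x@domain1.com.example.net\n"
          "Subject: test\n\nbody\n")
SAMPLE_RCPTS = ["user1@domain1.com", "m@x-domain1.com", "user@domain5.com",
                "x@domain1.com.example.net", "hidden@blocked.example", "nodomain"]
```

Look-alike domains such as `x-domain1.com` and `domain1.com.example.net` are dropped because the domain comparison is an exact match, not a substring or suffix test.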

Monitor the custom log:

root@myhost:~# tail -f sanitizer.log 
... DEBUG:__main__:Received message from: ('10.1.11.86', 32841). From: root@myclient | To: ['user1@domain1.com', 'user2@domain2.com', 'user3@domain3.com', 'user4@domain1.com']
DEBUG:__main__:sanitized list ['user3@domain3.com']

Inject a test from client:

root@myclient:/tmp# cat /tmp/test_all.eml
To: user1@domain1.com,user2@domain2.com,user3@domain3.com,user4@domain1.com 
Subject: MAILHOST TEST DL
From: luser@mydomain.com
body...

root@myclient:/tmp# sendmail -d7.99 -d38.99 -vt < /tmp/test_all.eml

Monitor the real maillog of sendmail to see what happened:


Dec 29

Sendmail Filter Outbound Email

In some projects I need to block outbound email but still allow email to a select few domains (or even select few addresses).

As Sendmail comes standard on a lot of Unix operating systems, I show here how to set this up. Sendmail handles some of these requirements pretty easily. Additional options like filtering through procmail or using Sendmail milters are also good options but not very easy to configure. I did not check, but I suspect Linux comes with packages that would make installing python or perl Milter modules easy.

Since Milter packages are not readily available on Solaris and I am focusing on Solaris for this particular project I will use Postfix to meet all the requirements instead of Sendmail + procmail / Milters.  I will follow up with a Postfix specific article later since it does better at filtering and relaying than Sendmail.

My use case:

  1. First block ALL outbound email
  2. Allow ALL outbound email to two specific domains
  3. Allow email to very specific email addresses not included in above mentioned two domains

Sendmail handled #1 and #2 pretty easily but it gets overly complicated to allow #1, #2 and #3 at the same time.  Below is the configuration for #1 and #2 on Solaris 11.

# pwd
/etc/mail/cf/cf

# cp sendmail.mc myhost.mc

# cat myhost.mc
divert(-1)
... snip ...
divert(0)dnl
VERSIONID(`sendmail.mc (Sun)')
OSTYPE(`solaris11')dnl
DOMAIN(`solaris-generic')dnl
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=10.1.10.52, Name=MTA')dnl
MASQUERADE_AS(`mydomain.com')
FEATURE(masquerade_envelope)
FEATURE(`access_db')
FEATURE(`mailertable')
MAILER(`local')dnl
MAILER(`smtp')dnl

# /usr/ccs/bin/m4 ../m4/cf.m4 myhost.mc > /etc/mail/sendmail.cf

** You probably don't need the access feature and local mailer above for this specific configuration. But access might provide more granularity around permissions that might help you.

Set up mailertable. Remember to use tabs between the left and right columns.

# pwd
/etc/mail

# cat mailertable
domain1.com             relay:[mail.domain1.com]
domain2.com             esmtp:%0
.                       local:nobody

# makemap hash mailertable < mailertable

** Note above domain1 needed to be passed off to a specific relay on the internal network and domain2 needed to be passed on direct to the Internet.
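
Added example (not part of the original post and not sendmail code): a small Python model of the mailertable lookup order, full host name first, then partial-domain keys with a leading dot, then the `.` catch-all, used to audit which recipients escape the `local:nobody` sink. The function names are hypothetical and the table is a constructed copy of the one above.

```python
# Constructed copy of the mailertable shown above (tab-separated).
MAILERTABLE = (
    "domain1.com\trelay:[mail.domain1.com]\n"
    "domain2.com\tesmtp:%0\n"
    ".\tlocal:nobody\n"
)

def parse_mailertable(text):
    """Return {key: 'mailer:host'}; keys are lower-cased as makemap does by default."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2 or ":" not in fields[1]:
            raise ValueError("line %d: expected 'key<TAB>mailer:host'" % lineno)
        table[fields[0].lower()] = fields[1].strip()
    return table

def resolve(table, address):
    """Model the lookup order: full host, then .parent keys, then the '.' catch-all."""
    host = address.rpartition("@")[2].lower().rstrip(".")
    if host in table:
        return host, table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return key, table[key]
    if "." in table:
        return ".", table["."]
    return None, None

def audit(table, addresses, sink="local:nobody"):
    """List the addresses that would leave the host instead of hitting the sink."""
    return [a for a in addresses if resolve(table, a)[1] != sink]
```

With this table, `user@sub.domain1.com` resolves to the catch-all, because only the bare `domain1.com` key exists and there is no `.domain1.com` entry.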

On Solaris, set local_only to false and start the sendmail service.

# svccfg -s svc:/network/smtp:sendmail setprop config/local_only = false
# svcadm disable svc:/network/smtp:sendmail
# svcadm enable svc:/network/smtp:sendmail

From the client, set up a smarthost pointing to the new server we configured and then test as follows:

# cat /tmp/test.eml
To: user@domain1.com
Subject: MAILHOST TEST -> via domain1
From: luser@domain.com

body....

# sendmail -d7.99 -d38.99 -vt < /tmp/test.eml

Monitor /var/log/syslog:

Dec 27 14:44:34 myhost sendmail[6774]: [ID 801593 mail.info] rBRJiYFA006774: from=<root@myclient>, size=554,, nrcpts=1, msgid=<201312271946.rBRJkgq8001045@myclient>, proto=ESMTP, daemon=MTA, relay=myclient [10.1.11.62]
Dec 27 14:44:35 myhost sendmail[6776]: [ID 702911 mail.info] STARTTLS=client, relay=mail.arbonne.com., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128
Dec 27 14:44:36 myhost sendmail[6776]: [ID 801593 mail.info] rBRJiYFA006774: to=<user@domain1.com>, delay=00:00:02, xdelay=00:00:02, mailer=relay, pri=120554, relay=mail.domain1.com. [10.10.1.130], dsn=2.0.0, stat=Sent (<201312271946.rBRJkgq8001045@usla-psag-ag01.prd.asg.ad> [InternalId=15753532] Queued mail for delivery)
