As of Sendmail 8.12, sendmail is no longer installed set-user-id root by default. As a result of this, there are now two .cf files: sendmail.cf for the daemon, and submit.cf for the submission program. The source documentation is also somewhat convoluted -- you'll find multi-level references to documents that reference you to other documents that may or may not relate to the original reference. Certainly you could do e-mail a lot easier with other programs; but you won't come out of it with the breadth of experience sendmail will give you.
Drop on over to your favorite on-line bookseller and pick up this excellent book, which was just re-released in January 2002: Sendmail Theory & Practice - Second Edition by Paul Vixie and Fred Avolio (ISBN 1-55558-229-X). This is an excellent primer on not just the technical hows but also the theoretical whys. If you get a chance, you can also try to find the same book in the First Edition format just for historical curiosity - it was published in 1995 and a lot of it is amazingly different from today's Internet.
The second recommendation, and always the type that tends to sit atop one's bookshelf gathering dust is the O'Reilly book Sendmail - Second Edition (aka "The Bat Book") by Bryan Costales and Eric Allman (ISBN 1-56592-222-0). It's a bit dated, and somewhat overwhelming for the beginner. Yet in a pinch, the resources it provides are vast, and if you ever take a study weekend to recreate the old school days feeling, it's an excellent companion.
You might also find the Internet Mail Message Header Format webpage of use.
Once downloaded, you'll want to verify the MD5 checksum of the file against the one listed on sendmail's website:
$ md5sum sendmail.8.12.x.tar.gz
Sendmail gets blamed for a lot of problems that actually aren't its fault. This apparently happens frequently enough for the authors to mention this in their own README file for the package. So let's verify some permissions and so forth. If any of the directories below don't exist, you'll have to create them. Also, be sure to first create the user/group "smmsp" with a uid/gid of 25/25 (required!).
$ chmod go-w / /etc /etc/mail /usr /var /var/spool
$ chmod 700 /var/spool/mqueue
$ chmod 770 /var/spool/clientmqueue
$ chown root / /etc /usr /var /var/spool
$ chown root:wheel /var/spool/mqueue /etc/mail
$ chown smmsp:smmsp /var/spool/clientmqueue
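To confirm the result later (after an upgrade or a careless chmod), the commands above can be turned into an audit. This is an added example, not part of the sendmail distribution; the function names and the optional prefix/owner arguments are assumptions of this script, and it relies on GNU stat as found on Linux.

```shell
#!/bin/sh
# Added example: audit the owners and modes set by the commands above.
# Arguments to audit_sendmail_perms (all conveniences of this script):
#   $1 = path prefix to audit under (empty = the live system)
#   $2 = expected owner of the system dirs and mqueue (default root)
#   $3 = expected owner of clientmqueue (default smmsp)

# Report a directory that is missing, has the wrong owner, or carries any
# permission bit outside the allowed octal mask.
check_dir() {   # check_dir PATH OWNER ALLOWED_MASK
    if [ ! -d "$1" ]; then echo "MISSING  $1"; return 1; fi
    mode=$(stat -c '%a' "$1"); owner=$(stat -c '%U' "$1"); rc=0
    if [ "$owner" != "$2" ]; then
        echo "OWNER    $1 is $owner, want $2"; rc=1
    fi
    # Any of the low nine permission bits not in the mask is a finding.
    if [ $(( 0$mode & 0777 & ~0$3 )) -ne 0 ]; then
        echo "MODE     $1 is $mode, exceeds $3"; rc=1
    fi
    return $rc
}

audit_sendmail_perms() {
    root=${1:-}; sys=${2:-root}; msp=${3:-smmsp}; fail=0
    # chmod go-w means nothing beyond 755 on the path down to the queues.
    for d in / /etc /etc/mail /usr /var /var/spool; do
        check_dir "$root$d" "$sys" 755 || fail=1
    done
    check_dir "$root/var/spool/mqueue" "$sys" 700 || fail=1
    check_dir "$root/var/spool/clientmqueue" "$msp" 770 || fail=1
    return $fail
}

# Usage on the live system, as root:  audit_sendmail_perms
```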
You should verify that your /etc/hosts file has the following listed for your own machine. If your machine's fully qualified domain name is not listed before any of its aliases, you will run into trouble. E.g., "mail.fluffygerbils.com" should always be the first entry, not "mail". The first line below is correct, while the second line will instead generate the error message, "Unable to qualify my own domain name (mailhost) -- using short name" when running sendmail:
192.168.1.1 mailhost.fluffygerbils.com mailhost   <--- correct!
192.168.1.1 mailhost mailhost.fluffygerbils.com   <--- wrong!
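The ordering rule above can be checked before sendmail is ever started. This is an added example, not from the original page or the sendmail sources; the function name and its exit codes are assumptions of this script.

```shell
#!/bin/sh
# Added example: check that the hosts file lists the FQDN first.
# check_hosts_fqdn FILE SHORTNAME
#   exit 0: every line naming SHORTNAME has a dotted name as its first name
#   exit 1: some line lists an unqualified name first (lines are printed)
#   exit 2: SHORTNAME does not appear in FILE at all
check_hosts_fqdn() {
    awk -v short="$2" '
        { sub(/#.*/, "") }                 # strip trailing comments
        NF < 2 { next }                    # need an address and a name
        {
            mine = 0
            for (i = 2; i <= NF; i++) {
                name = $i
                sub(/\..*/, "", name)      # host part before the first dot
                if (tolower(name) == tolower(short)) mine = 1
            }
            if (!mine) next
            seen = 1
            if ($2 !~ /\./) {              # field 2 is the canonical name
                printf "line %d: \"%s\" listed before the FQDN\n", NR, $2
                bad = 1
            }
        }
        END { if (bad) exit 1; if (!seen) exit 2 }
    ' "$1"
}

# Usage:  check_hosts_fqdn /etc/hosts mailhost
```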
Edit the source code in sendmail/srvrsmtp.c to prevent
people from determining the version of Sendmail you are running (they can easily
do this by issuing a HELP command to the sendmail daemon, sigh). You might also
want to edit your final sendmail.cf section under "Format of Headers" to change
the Sendmail version string information too.
Change from: message("502 5.3.0 Sendmail %s -- HELP not implemented", Version);
Change to: message("502 5.3.0 Sendmail -- It's always darkest before the storm");
Create the user/group pair "smmsp" with the uid/gid 25, which is the number recommended in the docs.
Create cf/cf/sendmail.mc ( <-- Note the change in filename
for 8.12!). The full list of options is described in the file cf/README.
VERSIONID(`<SCCS or RCS version id>')
The VERSIONID string is entirely unnecessary. It is not the same thing as the version string that is given in the SMTP greeting message.
OSTYPE(linux)
You must specify an OSTYPE to properly configure things such as the pathname of the help and status files, the flags needed for the local mailer, and other important things. If you omit it, you will get an error when you try to build the configuration. Look at the ostype directory for the list of known operating system types.
DOMAIN(`generic')
The generic domain statement inserts the following definitions from cf/domains/generic.m4 into your sendmail.mc file:
define(`confFORWARD_PATH', `$z/.forward.$w+$h:$z/.forward+$h:$z/.forward.$w:$z/.forward')
define(`confMAX_HEADERS_LENGTH', `32768')
FEATURE(`redirect')dnl
Allows you to create addresses in your /etc/mail/aliases file to generate a "551 User has moved, please try <address>" message. The address to use is determined by creating a destination address of <address>.REDIRECT for him/her. Note that the average person does not read, nor comprehend even the most brief SMTP error messages, so this option may ultimately be more trouble for you than it's worth.
FEATURE(`use_cw_file')
This tells sendmail to use the file /etc/mail/local-host-names to get a list of alternate names for this host. You'll need to create this file and enter a list of domain names that your host is recognized as.
EXPOSED_USER(`root')
Ah, this would be a good idea.
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
FEATURE(local_procmail)dnl
Use Procmail for your local mail delivery. It's faster, more efficient, and allows you to generate custom filtering rules down the road if you ever so desire, without needing to recompile sendmail.
FEATURE(smrsh)
If you want to use the sendmail restricted shell (smrsh), which limits the shell commands that can be executed by sendmail, review the
smrsh/README file, create the directory /usr/adm/sm.bin and add the above declaration. Otherwise, the system default shell of /bin/sh will be used for mailing to programs. You can then either copy the necessary programs to the restricted directory, or create symbolic links. Again, you should review the smrsh/README file for full details and implications. If you have local users on your box that are allowed to log into valid shells, and you occasionally redirect e-mail to programs (e.g., "include" alias files) you definitely want to use smrsh! Here's an example to get you started with using a program running under a restricted shell environment:
$ mkdir /usr/adm/sm.bin
$ ln -s /usr/bin/myprogram /usr/adm/sm.bin/myprogram
FEATURE(use_ct_file)
This tells sendmail to use the file /etc/mail/trusted-users to get the names of users that can change the address of their envelope (not just the header) using the -f flag without generating a warning message. You'll have to create this file and populate it with user names that you trust implicitly.
FEATURE(nouucp,reject)
Don't route UUCP addresses; reject them instead. UUCP is old and for the most part dead, so this is probably a good option to use.
FEATURE(always_add_domain)
Include the local host domain even on locally delivered mail. Possibly unnecessary, but in the world of the Internet a fully qualified domain name is always a good thing to use.
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')
Use this to allow multiple e-mail domains to be hosted on your box. You'll need to create the file /etc/mail/virtusertable and refer to cf/README for the format of the file. Once you've created this file, you can activate it with the command: cd /etc/mail ; makemap hash virtusertable < virtusertable
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
Turn on the access database feature, which can be used to flat-out refuse incoming e-mail. This is helpful for filtering out spam from known-bad senders. You'll need to create the file /etc/mail/access and refer to cf/README for the format. Once you've created this file, you can activate it with the command: cd /etc/mail ; makemap hash access < access
FEATURE(relay_entire_domain)
Relay all hosts in your domain, not just those defined by class {m} in the *.cf file. I.e., you will accept mail either to or from any host in your domain.
FEATURE(no_default_msa)
Don't generate the default MSA daemon for SMTP port 587.
define(`confSMTP_LOGIN_MSG', `')dnl
define(`confPRIVACY_FLAGS',`authwarnings noexpn novrfy needmailhelo noetrn')dnl
If you're at all security conscious, these definitions are some good privacy flags to help deter evildoers.
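Once the .cf has been built, it is worth confirming that these settings actually made it into the file the daemon reads. This is an added example, not part of the sendmail distribution; it assumes the built file carries them as "O PrivacyOptions=" and "O SmtpGreetingMessage=" lines, and the function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a built .cf for the privacy settings defined above.
# audit_privacy CF_FILE: returns 0 when the file carries every privacy flag
# from the .mc above and a greeting without version macros, otherwise 1.
audit_privacy() {
    want="authwarnings noexpn novrfy needmailhelo noetrn"
    # Collect flags from uncommented option lines; accept commas or spaces.
    have=$(sed -n 's/^O[[:space:]]*PrivacyOptions=//p' "$1" | tr ', ' '\n\n')
    rc=0
    for flag in $want; do
        if ! printf '%s\n' "$have" | grep -qx "$flag"; then
            echo "missing PrivacyOptions flag: $flag"; rc=1
        fi
    done
    # $v is the sendmail version, $Z the configuration version.
    greet=$(sed -n 's/^O[[:space:]]*SmtpGreetingMessage=//p' "$1" | tail -n 1)
    case $greet in
        *'$v'*|*'$Z'*) echo "greeting exposes a version macro: $greet"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a .cf fragment with only two of the five flags set
# and a greeting that still announces the version.
write_weak_sample() {
    cat >"$1" <<'EOF'
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
O PrivacyOptions=authwarnings,novrfy
EOF
}

# Usage:  audit_privacy /etc/mail/sendmail.cf
```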
MAILER(smtp)dnl
You'll need this.
MAILER(procmail)dnl
Unless you relay all your mail to another site, you'll need to define a local mailer. Again, I strongly recommend using procmail even if you don't know how to use its mail filtering abilities.
$ cd sendmail-8.12.x
$ sh Build
$ cd cf/cf
$ sh Build sendmail.cf
$ sh Build install-cf
$ cd ../..
$ sh Build install
$ echo "$HOSTNAME" >/etc/mail/local-host-names
You'll need to initialize the aliases database at least once, which has the nifty side effect of generating any error messages that sendmail needs to let you know about first.
$ touch /etc/mail/aliases
$ /usr/sbin/sendmail -v -bi
For SMTP connections to port 25 and 587, using /var/spool/mqueue and relying on /etc/mail/sendmail.cf, you'll need to have this daemon running:
/usr/sbin/sendmail -L sm-mta -bd -q1h
It's best to run these from your startup files, and not from inetd. If you grep your logfile for specific activity like I do, you can modify your scripts to search for the regex string s(m-mta|endmail) instead. The -L flag indicates the logging name that should be used via syslogd, and doesn't appear to be strictly necessary. The .cf file used by sendmail during normal operation is chosen based on the operation mode. For -bm (default), -bs, and -t it is submit.cf (if it exists); for all others it is sendmail.cf.
Personally, I find this option extremely useful on paper, and it sucks in real life. I won't go into details here. If SMTP traffic security is a high concern for you, go ahead and send your e-mail via an SSH tunnel; however, keep in mind that this will not keep your e-mail private once it leaves your SMTP machine, destined for your recipient(s)!
The generated sendmail.cf file states: "DO NOT EDIT THIS FILE! Only edit
the source .mc file". On the other hand, this instruction is being read
by someone who uses pictures of squirrels on his webpage -- so let's begin editing!
;-)
Rejecting e-mail based on sender's IP address to a particular e-mail address or group. Credit for this solution goes to Michael Moore. Assuming that you have an e-mail address/group for "mylist", and your IP address for the "authorized" host to send e-mail is 192.168.1.1, you can add the following to sendmail.cf. For Sendmail 8.11, add to the SBasic_check_rcpt section; for Sendmail 8.12, add to the SRcpt_ok section. Either way, add it after the "strip relayable hosts" comment line.
# You must use tabs; don't just cut and paste
Rmylist $*	< $&{client_addr} > mylist $1
# If the IP address matches this, just send it on its way
R < 192.168.1.1 > $*	$1
# Otherwise, return an error message
R < $* > $*	$#error $@ 5.2.1 $: "550 Rejected: Go away"
There are lots of places on the web to search for this. So here's my basic bit of advice:
If you are making changes to your sendmail.cf file, they won't take effect until you send a HUP signal to the sendmail daemon.
If you are making changes to your sendmail.cf file and sending a HUP signal, and your changes appear to not be working, make sure you're using the relevant *.cf file to make changes in! (i.e., sendmail.cf and submit.cf are called depending on where the command originates).
This ruleset should be added to your sendmail.cf file right after the lines beginning with H. Make sure that if you cut and paste, you put at least one tab between $* and $# on each line, or it won't work.
HSubject: $>Check_Subject
D{MPat}FluffyGerbils
D{MMsg}This message may be spam.
SCheck_Subject
R$* ${MPat} $*	$#error $: 553 ${MMsg}
RRe: $* ${MPat} $*	$#error $: 553 ${MMsg}
$* match zero or more tokens
$+ match one or more tokens
$- match exactly one token
RULESETS (* means built in to sendmail)
0 * Parsing
1 * Sender rewriting
2 * Recipient rewriting
3 * Canonicalization
4 * Post cleanup
5 * Local address rewrite (after aliasing)
1x mailer rules (sender qualification)
2x mailer rules (recipient qualification)
3x mailer rules (sender header qualification)
4x mailer rules (recipient header qualification)
5x mailer subroutines (general)
6x mailer subroutines (general)
7x mailer subroutines (general)
8x reserved
90 Mailertable host stripping
96 Bottom half of Ruleset 3 (ruleset 6 in old sendmail)
97 Hook for recursive ruleset 0 call (ruleset 7 in old sendmail)
98 Local part of ruleset 0 (ruleset 8 in old sendmail)
CLASSES
B domains that are candidates for bestmx lookup
E addresses that should not seem to come from $M
F hosts this system forward for
G domains that should be looked up in genericstable
L addresses that should not be forwarded to $R
M domains that should be mapped to $M
N host/domains that should not be mapped to $M
O operators that indicate network operations (cannot be in local names)
P top level pseudo-domains: BITNET, DECNET, FAX, UUCP, etc.
R domains this system is willing to relay (pass anti-spam filters)
U locally connected UUCP hosts
. the class containing only a dot
[ the class containing only a left bracket
Important RFCs for electronic mail, available at http://www.ietf.org, are: