Thursday, October 1, 2015

How to setup an E-Mail Relay Host with Sendmail ?

Very old but still informative ..

How to setup an E-Mail Relay Host with Sendmail ? 
In a high security internet environment it may be necessary to put all user mailboxes behind the corporate firewall into the HSZ (High Security Zone). The mailbox server cannot be directly accessed from the internet, a mail relay host in the DMZ (Demilitarized Zone) is needed. This mail relay host provides the following tasks:
  • All incoming SMTP-Mail will be processed by the relay host. Mail to internal recipients will be forwarded to the mailbox host.
  • Mail from the internet to other internet recipients will not be forwarded, except for certain clearly defined domains.
  • Mail from all hosts in the HSZ or DMZ will be sent to the relay host, which will deliver the email directly to the recipients in the internet using MX-records from the DNS Server.

In this example, we show the configuration for the well known MTA (Message Transfer Agent)sendmail
on RedHat Linux 7.0.
DNS Configuration on DNS-Server
The relay host, the mailbox host and all hosts in DMZ must be inserted in the DNS for the domain ARKUM.CH. Besides this, it's very important to insert the Firewall (NAT Address) in the DNS, or Sendmail will complain about relay problems. As a rule of thumb, all Hosts or IP-Adresses which will use the Relay-Host must be inserted in Sendmail's DNS or you may encounter relaying problems. The configuration files for DNS can be found in /var/named for RedHat Linux.
;---------------------------------------------------------
; arkum-ch.zone -- Name-to-Address Mapping
;---------------------------------------------------------
;
; Start Of Authority marker, indicates that this server is
; the master for the following addresses.
;

@   IN  SOA rabbit.arkum.ch. postmaster.arkum.ch. (
    2000091001    ; Serial (YYYYMMDDnn)
    10800         ; Refresh after 3 hours
    3600          ; Retry after 1 hour
    604800        ; Expire after one week
    86400         ; Minimum Time to Live of 1 day
    )
;
; --------------------------------------------
; Descriptions of Name Servers for this domain
; --------------------------------------------
;

            IN  NS  rabbit.arkum.ch.
            IN  NS  opal.arkum.ch.
;
; Descriptions of Primary and Secondary Mail Servers
; (This tells sendmail where to send mail that is addressed to
; someone@arkum.ch, namely too rabbit.arkum.ch first, then
; to the secondary mail handler opal.arkum.ch)
;

            IN  MX  10  ux-mail1.arkum.ch.
;
; --------------------------------------------
; Arkum's Hosts
; --------------------------------------------
;

localhost   IN  A       127.0.0.1
;
rabbit      IN  A       193.247.121.196
            IN  MX  10  ux-mail1.arkum.ch.
dns         IN  CNAME   rabbit.arkum.ch.
            IN  TXT     "DNS Server"
;
ux-mail1    IN  A       193.247.121.205
smtp        IN  CNAME   ux-mail1.arkum.ch.
mail        IN  CNAME   ux-mail1.arkum.ch.
            IN  TXT     "Mail Relay Host"
;
paragon     IN  A       192.168.138.20
            IN  MX  10  paragon.arkum.ch.
            IN  TXT     "Mailbox Server"
Please note, that the MX record for the mailbox host paragon points to itself.
DNS Configuration on Relay Host
The sendmail MTA on the relay host needs access to the DNS Server. This must be setup in the file/etc/resolv.conf
search arkum.com arkum.ch
nameserver 193.247.121.196
Firewall Configuration
Port 25 (SMTP) must be opened between the Relay Host on the DMZ and the Mailbox Host in the HSZ. Ask your firewall administrator to accomplish this task.
Enable Relaying for all hosts in ARKUM.CH
Relaying (transmission of messages from a site outside your domain to another site outside your domain) is denied by default. Note that this changed in sendmail 8.9; previous versions allowed relaying by default. Relaying is a feature (not a bug) to prevent E-Mail spamming. You have to configure relaying or you will get the error message: 550 Requested action not taken: relaying denied.
Configure Relaying
Using /etc/mail/relay-domains
You need to add the fully-qualified host name and/or IP address of each client to class R, the set of relay-allowed domains. For version for 8.9.X, it is typically /etc/mail/relay-domains Note: if your DNS is problematic, you should list the IP address (e.g., 1.2.3.4); in general, however, this should not be necessary. Here is the content of the file relay-domains:
akadia.com
akadia.ch
arkum.ch
Using /etc/mail/access
An "access'' database can be created to accept or reject mail from selected domains. For example, you may choose to reject all mail originating from known spammers. To enable such a database, use the file /etc/mail/access. Remember, since /etc/mail/access is a database, after creating the text file as described below, you must use makemap to create the database map. 
For example:
makemap hash /etc/mail/access < /etc/mail/access
The table itself uses e-mail addresses, domain names, and network numbers as keys.
For example:
spammer@aol.com     REJECT
cyberspammer.com    REJECT
192.168.212         REJECT
would refuse mail from spammer@aol.com, any user from cyberspammer.com
(or any host within the cyberspammer.com domain), and any host on the
192.168.212.* network.
The value part of the map can contain:
OKAccept mail even if other rules in the running ruleset would reject it, for example, if the domain name is unresolvable
RELAYAccept mail addressed to the indicated domain or received from the indicated domain for relaying
through your SMTP server. RELAY also serves as an implicit OK for the other checks
REJECT Reject the sender or recipient with a general purpose message
DISCARD Discard the message completely using the $#discard mailer. This only works for sender addresses (i.e., it indicates that you should discard anything received from the indicated domain).
Error TextAny text where ### is an RFC 821 compliant error code and "any text" is a message to return for the command.
For example:
cyberspammer.com        550 We don't accept mail from spammers
okay.cyberspammer.com   OK
sendmail.org            OK
128.32                  RELAY
Would accept mail from okay.cyberspammer.com, but would reject mail from all other hosts at cyberspammer.com with the indicated message.It would allow accept mail from any hosts in the sendmail.org domain, and allow relaying for the 128.32.*.* network.
We use the following entries in /etc/mail/access, so all hosts within the domain ARKUM.CH or within the HSZ 192.168.138.x can use the Relay Host without "550 Requested action not taken: relaying denied."
localhost     RELAY
127.0.0.1     RELAY
arkum.com     RELAY
arkum.ch      RELAY
192.168.138   RELAY
Compile the entries with:
makemap hash /etc/mail/access < /etc/mail/access
More information can be found in the README.cf file of sendmail.
How to deliver local mails if DNS- and Mail-Server is the same machine ?
If your DNS-Server and E-Mail Relay Host is the same machine you may encounter the following error message:
554 MX list for akadia.ch points back to rabbit.akadia.ch
554 <root@akadia.ch> ... Local configuration error
The Mail Exchanger (MX Records) in the DNS configuration is just an ordered list of destinations that tells mailers where to send messages if they want to reach a given domain. The preference value tells them how desirable it is to use that destination. That's the basic idea behind MX records and mail exchangers, but there are a few more wrinkles you should know about. Here is the output of a typical MX entry in the DNS configuration for ARKUM.CH
What happens if a mailer finds itself at the highest preference, and has to discard the whole MX list as shown below ?
IN MX 10 rabbit.arkum.ch.
IN MX 20 opal.arkum.ch.
Some mailers attempt delivery directly to the destination host's IP address, as a last-ditch effort. In most mailers however , it's an error. It may indicate that DNS thinks the mailer should be processing (not just forwarding) mail for the destination, but the mailer hasn't been configured to know that. Or it may indicate that the administrator has ordered the MX records incorrectly by using the wrong preference values. Then it will bounce the mail with the familiar error
Many versions of sendmail use class w or file class w as the list of local destinations. The sendmail configuration on RedHat Linux offers the file /etc/sendmail.cw. Enter the local domains in this file and the local delivery together with MX records will work.
arkum.ch
arkum.com
Note again, that this task must not be done, if the DNS Server and Mail Server are two different machines.
Enable local Mail Forwarding from the DMZ to the HSZ
Local Mail must be forwarded from the Relay Host on the DMZ to the Mailbox Host on the HSZ. Sendmail offers this feature using the Macros DR and DM in /etc/sendmail.cf. Enter the Mailbox Host for both Macros, besides this the domain name ARKUM.CH must be masqueraded with the macro DM. 
Here are the necessary entries in /etc/sendmail.cf
# Who I send unqualified names to (null means deliver locally)
DRparagon.arkum.ch

# Who gets all local email traffic
# ($R has precedence for unqualified names)
DHparagon.arkum.ch# Class M: domains that should be converted to $M
CMarkum.com# Who I masquerade as (null for no masquerading) (see also $=M)
DMarkum.ch
Test the Configuration
Stop and Start Sendmail Daemon
/etc/rc.d/init.d/sendmail stop
/etc/rc.d/init.d/sendmail start
Test the internet delivery
Create a testfile to_internet for internet delivery with the following content:
To: martin.zahn@plenaxx.ch
From: martin.zahn@arkum.ch
Subject: Ein Test

Dies ist ein Header Test
(empty line)
Test the internet delivery
cat to_internet | /usr/lib/sendmail -bm -t -v
martin.zahn@plenaxx.ch. Connecting to nt-mail1.plenaxx.ch. esmtp...
220 nt-portal2.plenaxx.ch ESMTP Service (Lotus Domino Release 5.0.2c
(Intl)) ready at Sat, 4 Nov 2000 10:25:28 +0100
>>> EHLO rabbit.akadia.com
250-nt-portal2.plenaxx.ch Hello rabbit.akadia.com ([193.247.121.196]), pleased to
meet you
250-HELP
250-SIZE
250 PIPELINING
>>> MAIL From:<root@rabbit.akadia.com> SIZE=100
250 root@rabbit.akadia.com... Sender OK
>>> RCPT To:<martin.zahn@plenaxx.ch>
250 martin.zahn@plenaxx.ch... Recipient OK
>>> DATA
354 Enter message, end with "." on a line by itself
>>> .
250 Message accepted for delivery
martin.zahn@plenaxx.ch... Sent (Message accepted for delivery)
Closing connection to nt-mail1.plenaxx.ch.
>>> QUIT
221 nt-portal2.plenaxx.ch SMTP Service closing transmission channel
If you get an output similar to the above, your internet delivery is working perfectly !
Test the Mail Forwarding
Create a testfile to_arkum for local delivery with the following content:
To: martin.zahn@arkum.ch
From: root@plenaxx.ch
Subject: Ein Test

Dies ist ein Header Test
(empty line)
Test the local delivery
cat to_internet | /usr/lib/sendmail -bm -t -v
martin.zahn@arkum.ch... Connecting to paragon.arkum.ch. via relay...
220 SMTP service ready
>>> EHLO ux-mail1.arkum.ch
250-Requested mail action okay, completed
250-8BITMIME
250-SIZE
250-ETRN
250 HELP
>>> MAIL From:<root@ux-mail1.arkum.ch> SIZE=93
250 Requested mail action okay, completed
>>> RCPT To:<martin.zahn@paragon.arkum.ch>
250 Requested mail action okay, completed
>>> DATA
354 Start mail input; end with <CRLF>.<CRLF>
>>> .
250 Requested mail action okay, completed
martin.zahn@arkum.ch... Sent (Requested mail action okay, completed)
Closing connection to paragon.arkum.ch.
>>> QUIT
221 SMTP server closing transmission channel
If you get an output similar to the above, your local delivery is working perfectly !
Debug the Configuration
If you encounter troubles with the sendmail configuration, here are some tests to find out what happens.
Show Delivery Agent (Mailer)
/usr/lib/sendmail -d0.12 -bt < /dev/null
Version 8.9.3
Compiled with: LOG MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND NETINET
NETUNIX NEWDB NIS QUEUE SCANF SMTP USERDB
OS Defines: HASFLOCK HASGETDTABLESIZE HASINITGROUPS HASLSTAT
HASSETREUID HASSETRLIMIT HASSETSID HASSETVBUF HASSNPRINTF
HASUNAME HASUNSETENV HASWAITPID IDENTPROTO USE_SIGLONGJMP
Def Conf file: /etc/sendmail.cf
Pid file: /var/run/sendmail.pid
canonical name: ux-mail1.arkum.ch
a.k.a.: ux-mail1
UUCP nodename: ux-mail1.arkum.ch
a.k.a.: ux-mail1.arkum.ch
a.k.a.: [193.247.121.205]

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = ux-mail1
(canonical domain name) $j = ux-mail1.arkum.ch
(subdomain name) $m = arkum.ch
(node name) $k = ux-mail1.arkum.ch
========================================================
Show Macros without $u, $M which will be set when mail is already delivered
/usr/lib/sendmail -d35.9 -bt
define(* as $*)
define(+ as $+)
define(- as $-)
define(= as $=)
define(~ as $~)
define(# as $#)
define(@ as $@)
define(: as $:)
define(> as $>)
define(? as $?)
define(| as $|)
define(. as $.)
define([ as $[)
define(] as $])
define(( as $()
define() as $))
define(& as $&)
define(0 as $0)
define(1 as $1)
define(2 as $2)
define(3 as $3)
define(4 as $4)
define(5 as $5)
define(6 as $6)
define(7 as $7)
define(8 as $8)
define(9 as $9)
define(n as MAILER-DAEMON)
define(v as 8.9.3)
define(w as ux-mail1.arkum.ch)
define(j as ux-mail1.arkum.ch)
define(m as arkum.ch)
define(k as ux-mail1.arkum.ch)
define(b as Sat, 4 Nov 2000 13:44:49 +0100)
define(opMode as t)
redefine(w as ux-mail1)
define(S as )
define(R as paragon.arkum.ch)
define(H as paragon.arkum.ch)
define(M as arkum.ch)
redefine(n as MAILER-DAEMON)
define(Z as 8.9.3)
define(deliveryMode as b)
define(_ as root@localhost)
redefine(deliveryMode as i)
Show Sendmail Queue
/usr/lib/sendmail -bp
Mail Queue (2 requests)
--Q-ID-- --Size-- -----Q-Time----- ------------Sender/Recipient------------
RAA01002 27 Fri Nov 3 17:13 root
(martin.zahn@plenaxx.ch... reply: read error from nt-mail1.pl)
martin.zahn@plenaxx.ch
RAA01088 27 Fri Nov 3 17:18 root
(Deferred: Connection reset by nt-mail1.plenaxx.ch.)
martin.zahn@plenaxx.ch
Test the MX-Record readed by Sendmail from DNS
/usr/lib/sendmail -bt
> /mx arkum.ch
  getmxrr(arkum.ch) returns 1 value(s):
  ux-mail1.arkum.ch.
> /mx plenaxx.ch
  getmxrr(plenaxx.ch) returns 1 value(s):
  nt-mail1.plenaxx.ch.
> /mx glue.ch
 
 getmxrr(glue.ch) returns 2 value(s):
  ns.glue.ch.
  chsun.eunet.ch.
If you have still troubles consult our sendmail guide or visit http://www.sendmail.org


source: http://www.akadia.com/services/sendmail_relay.html

No comments:

Post a Comment