Sendmail installation

From test.coolscript.org

Mailer installation 2020 at Telehouse. This replaces the in-house mailer (10.0.3.5); the FQDN is mail.hitchhiker.com.
The mailer supports the usual MTA (port 25) and IMAP (143) protocols. Optional encryption is available for IMAP (993/SSL/normal password)
and SMTP (587/STARTTLS/normal password).

APT Packages

Mail

apt-get install libmail-sendmail-perl sendmail sendmail-base sendmail-bin sendmail-cf sendmail-doc dnsutils mailutils libyaml-dev

Imap

apt-get install dovecot-imapd php-imap

SASL

apt-get install libauthen-sasl-perl libsasl2-2:amd64 libsasl2-modules:amd64 libsasl2-modules-db:amd64 sasl2-bin

SA

apt-get install spamass-milter spamassassin spamc

DKIM

apt-get install libdkim1d libmail-dkim-perl libopendkim11 opendkim opendkim-tools

DMARC

apt-get install libopendmarc2 opendmarc

Apache2

apt-get install apache2 libapache2-mod-php

Roundcube

apt-get install roundcube roundcube-core roundcube-mysql

MTA Configuration

Sendmail

  • /etc/mail/sendmail.mc
  • Authentication for MTA and IMAP: allow PLAIN, LOGIN, DIGEST-MD5 and CRAM-MD5
define(`confAUTH_MECHANISMS', `PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
  • /etc/mail/sendmail.mc
  • STARTTLS
include(`/etc/mail/tls/starttls.m4')dnl
  • /etc/mail/sendmail.mc
  • Spamassassin
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass/spamass.sock,T=S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, {auth_type}')dnl
define(`confMILTER_MACROS_ENVFROM',`{auth_type}, i')dnl
  • /etc/mail/sendmail.mc
  • Dkim
INPUT_MAIL_FILTER(`dkim-milter', `S=local:/var/run/opendkim/opendkim.sock,F=,T=C:10m;S:10m;R:20m;E:20m')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl
  • /etc/mail/sendmail.mc
  • Dmarc
INPUT_MAIL_FILTER(`milter-opendkim',`S=unix:/var/run/opendmarc/opendmarc.sock, F=, T=R:2m')
  • /etc/mail/tls/starttls.m4
  • TLS (see also the Letsencrypt configuration further down)
define(`confCACERT',           `/etc/mail/tls/fullchain.pem')dnl   # <= EDIT
  • Full configuration /etc/mail/sendmail.mc
divert(-1)dnl
#-----------------------------------------------------------------------------
# $Sendmail: debproto.mc,v 8.15.2 2016-12-08 18:43:49 cowboy Exp $
#
# Copyright (c) 1998-2010 Richard Nelson.  All Rights Reserved.
#
# cf/debian/sendmail.mc.  Generated from sendmail.mc.in by configure.
#
# sendmail.mc prototype config file for building Sendmail 8.15.2
#
# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
#       file is customized to the version noted above.
#
# This file is used to configure Sendmail for use with Debian systems.
#
# If you modify this file, you will have to regenerate /etc/mail/sendmail.cf
# by running this file through the m4 preprocessor via one of the following:
#       * make   (or make -C /etc/mail)
#       * sendmailconfig
#       * m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# The first two options are preferred as they will also update other files
# that depend upon the contents of this file.
#
# The best documentation for this .mc file is:
# /usr/share/doc/sendmail-doc/cf.README.gz
#
#-----------------------------------------------------------------------------
divert(0)dnl
#
#   Copyright (c) 1998-2005 Richard Nelson.  All Rights Reserved.
#
#  This file is used to configure Sendmail for use with Debian systems.
#
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.15.2-8 2016-12-08 18:43:49 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
dnl #
dnl # General defines
dnl #
dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
dnl #   into this directory before writing files.
dnl #   If *all* your user accounts are under /home then use that
dnl #   instead - it will prevent any writes outside of /home !
dnl #   define(`confSAFE_FILE_ENV',             `')dnl
dnl #
dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
dnl # Remove `, Addr=' clauses to receive from any interface
dnl # If you want to support IPv6, switch the commented/uncommented lines
dnl #
FEATURE(`no_default_msa')dnl
FEATURE(virtusertable)dnl
dnl Allow IPv4
DAEMON_OPTIONS(`Port=submission, M=Ea, Name=MSA, Family=inet')dnl
DAEMON_OPTIONS(`Port=smtp,Name=MTA, Family=inet')dnl

dnl Set Masq and Domain
FEATURE(`masquerade_envelope')dnl
FEATURE(`limited_masquerade')dnl
define(`confDOMAIN_NAME',`hitchhiker.com')dnl



dnl #
dnl # Be somewhat anal in what we allow
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
dnl #
dnl # Define connection throttling and window length
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
dnl #
dnl # Features
dnl #
dnl # use /etc/mail/local-host-names
FEATURE(`use_cw_file')dnl
dnl #
dnl # The access db is the basis for most of sendmail's checking
FEATURE(`access_db', , `skip')dnl
dnl #
dnl # The greet_pause feature stops some automail bots - but check the
dnl # provided access db for details on excluding localhosts...
FEATURE(`greet_pause', `1000')dnl 1 second
dnl #
dnl # Delay_checks allows sender<->recipient checking
FEATURE(`delay_checks', `friend', `n')dnl
dnl #
dnl # If we get too many bad recipients, slow things down...
define(`confBAD_RCPT_THROTTLE',`3')dnl
dnl #
dnl # Stop connections that overflow our concurrent and time connection rates
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
 
dnl -------------------------------------------
dnl MK Authentication used for IMAP and Dovecot
dnl -------------------------------------------
define(`confAUTH_MECHANISMS', `PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
 
dnl MK Fix for error messages in debug log
define(`confCRL', `/etc/ssl/revoke/revoke.crl')

dnl ---------------------------
dnl MK Add optional TLS Support
dnl ---------------------------
include(`/etc/mail/tls/starttls.m4')dnl
 
dnl ---------------------------------------------------------
dnl MK Tweaks
dnl #http://heretic.net-ronin.org/~ramune/sysadmin/sendmail/
dnl ---------------------------------------------------------
define(`confSUPER_SAFE',`true')dnl
define(`confMAX_MESSAGES_SIZE',`1000000')dnl
define(`confMIN_FREE_BLOCKS',`3000')dnl
dnl #define(`confTIME_ZONE',`PST8PDT')dnl


dnl MK Procmail support
FEATURE(`local_procmail')dnl

dnl *******************
dnl MK Spamassassin
dnl Tip: run sa-update
dnl *******************
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass/spamass.sock,T=S:4m;R:4m;E:10m')dnl

dnl ****
dnl DKIM
dnl ****
INPUT_MAIL_FILTER(`dkim-milter', `S=local:/var/run/opendkim/opendkim.sock,F=,T=C:10m;S:10m;R:20m;E:20m')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl

dnl *****
dnl DMARC
dnl *****
INPUT_MAIL_FILTER(`milter-opendkim',`S=unix:/var/run/opendmarc/opendmarc.sock, F=, T=R:2m')
 
dnl the below eliminates the message:
dnl Could not retrieve sendmail macro "b"!.  Please add it to confMILTER_MACROS_ENVRCPT for better spamassassin results
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, {auth_type}')dnl
define(`confMILTER_MACROS_ENVFROM',`{auth_type}, i')dnl
 
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl
 
dnl *********************************
dnl Debug logging on demand only
dnl define(`confLOG_LEVEL', `98')dnl
dnl *********************************
 
dnl *****************
dnl Supported Domains
dnl *****************
Cwflighthaus.net
Cwhitchhiker.com
Cwhitchhiker.de
Cwhitchhiker.travel
Cwhitchhiker.net
Cwhitchhiker.tel
Cwhitchhiker.eu
Cwmail.intern
Cwproduction.local
Cwtemyra.net
Cwflighthaus.net
Cwagentplus.io
Cwflightapi.net
Cwmeingrundrecht.de
Cwflighthaus.com


dnl Added because of the POODLE attack, see https://disablessl3.com/ - 28 Oct 2014
LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
O PrivacyOptions=goaway

Sasl

  • /etc/default/saslauthd
START=yes
MECHANISMS="pam"

Spamd

  • Add system user spamd
useradd -M spamd
usermod -L spamd
  • Modify defaults
  • /etc/default/spamassassin
OPTIONS="-q -x --max-children 10 -u spamd"

Roundcube

Fix to allow mail to be sent from Roundcube

  • /etc/roundcube/config.inc.php
$config['smtp_user'] = '';

Dovecot (Imap)

  • Needed for Jira or clients that want to use unencrypted IMAP via port 143
  • /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no


DNS Configuration

  • /etc/hosts, the very first record
127.0.0.1       vm-fra01-mail01.hitchhiker.com vm-fra01-mail01
  • Check
# hostname -f
vm-fra01-mail01.hitchhiker.com

On the DNS Server

  • A Record
#  host vm-fra01-mail01.hitchhiker.com
vm-fra01-mail01.hitchhiker.com has address 146.0.228.30
  • PTR Record
# nslookup 146.0.228.30
30.228.0.146.in-addr.arpa       name = vm-fra01-mail01.hitchhiker.com.
  • MX Record
# host -t mx hitchhiker.com
hitchhiker.com mail is handled by 10 vm-fra01-mail01.hitchhiker.com.
  • TXT Record for DKIM
host -t txt mail._domainkey.hitchhiker.com
mail._domainkey.hitchhiker.com descriptive text "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlQCpa4N7LELD6fBhX5BLxUoIqlxkasJ52mMyJR7ZXVXe603mZQ4oUeVDXLPGUPfUxLmG5VPsCO8o5hrj18pwe+F3W9Y5wH8U9HzHNzLmj8HM9oYBKfMIryeUmzuC/uKVrtLGMih9zz67t7iis590U3eYfuLZFdAS6U9wbV1PeTwIDAQAB"
  • TXT Record for DMARC
host -t txt    _dmarc.hitchhiker.com.
_dmarc.hitchhiker.com descriptive text "v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400 ;rua=mailto:mailauth-reports@hitchhiker.com"
  • TXT Record for SPF
host -t txt hitchhiker.com.
hitchhiker.com descriptive text "v=spf1 ip4:212.19.51.160/27 ip4:146.0.228.0/27 include:spf.nl2go.com -all"
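To check the published SPF and DMARC records above without relying on a live resolver, here is an added example (not part of the original page) that parses them offline: it tests whether the mail host's address is covered by an ip4 mechanism, collects the include terms that would need DNS, and flags a DMARC p=none policy. The record strings are copied from the host output above; the mail host IP is the A record shown there.

```python
import ipaddress

# Records copied from the host(1) output above.
SPF_RECORD = "v=spf1 ip4:212.19.51.160/27 ip4:146.0.228.0/27 include:spf.nl2go.com -all"
DMARC_RECORD = ("v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400 ;"
                "rua=mailto:mailauth-reports@hitchhiker.com")
MAIL_HOST_IP = "146.0.228.30"  # A record of vm-fra01-mail01 above

def parse_tags(record):
    """Split a 'k=v; k=v' DKIM/DMARC record into a dict, tolerating stray whitespace."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags

def spf_authorizes(record, ip):
    """Evaluate ip4/ip6/all offline; include/a/mx terms are collected, not resolved."""
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    unresolved = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return qualifier == "+", unresolved
        if mech in ("include", "a", "mx"):
            unresolved.append(term)
        elif mech == "all":
            return qualifier == "+", unresolved
    return False, unresolved

def audit(spf, dmarc, ip):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    authorized, unresolved = spf_authorizes(spf, ip)
    if not authorized:
        findings.append(f"SPF does not authorize {ip}; unresolved terms: {unresolved}")
    d = parse_tags(dmarc)
    if d.get("v") != "DMARC1" or "p" not in d:
        findings.append("DMARC record lacks v=DMARC1 or the mandatory p= tag")
    elif d["p"] == "none":
        findings.append("DMARC p=none: failures are only reported, never rejected")
    return findings
```

Running audit(SPF_RECORD, DMARC_RECORD, MAIL_HOST_IP) on the records above reports only the p=none policy; the old in-house mailer 10.0.3.5 is not covered by any ip4 mechanism, so mail it still sends would fail SPF.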

DKIM

Configuration

  • /etc/opendkim.conf
Syslog           yes
SyslogSuccess    Yes
Mode             sv
SubDomains       yes
Socket           local:/var/run/opendkim/opendkim.sock
PidFile          /run/opendkim/opendkim.pid
OversignHeaders  From
TrustAnchorFile  /usr/share/dns/root.key
UserID           opendkim
LogWhy           yes
Nameservers      85.195.64.10
KeyTable         /etc/opendkim/KeyTable
SigningTable     /etc/opendkim/SigningTable
InternalHosts    /etc/opendkim/TrustedHosts
  • /etc/opendkim/KeyTable
mail._domainkey.hitchhiker.com hitchhiker.com:mail:/etc/opendkim/keys/hitchhiker.com/mail.private
  • /etc/opendkim/SigningTable
hitchhiker.com mail._domainkey.hitchhiker.com
  • /etc/opendkim/TrustedHosts
127.0.0.1
localhost
192.168.100.0/255.255.255.0
146.0.228.30
hitchhiker.com
212.19.51.190

Letsencrypt

Two certificates are installed.
vm-fra01-mail01.hitchhiker.com is used for the MTA encryption for sendmail.
mail.hitchhiker.com is used for Imap and Roundcube.

Renew:

/root/certbot-auto certonly --webroot --webroot-path /var/www/html --renew-by-default --text --agree-tos -d mail.hitchhiker.com
/root/certbot-auto certonly --webroot --webroot-path /var/www/html --renew-by-default --text --agree-tos -d vm-fra01-mail01.hitchhiker.com

Copy certs for sendmail:

FQDN=vm-fra01-mail01.hitchhiker.com
cp /etc/letsencrypt/live/$FQDN/privkey.pem  /etc/mail/tls/sendmail-common.key
cp /etc/letsencrypt/live/$FQDN/cert.pem  /etc/mail/tls/sendmail-client.crt
cp /etc/letsencrypt/live/$FQDN/cert.pem  /etc/mail/tls/sendmail-server.crt
cp /etc/letsencrypt/live/$FQDN/fullchain.pem  /etc/mail/tls/fullchain.pem

Afterwards run sendmailconfig and restart Dovecot:

sendmailconfig
/etc/init.d/dovecot restart

Dovecot

  • /etc/dovecot/conf.d/10-auth.conf
ssl_cert = </etc/letsencrypt/live/mail.flighthaus.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.flighthaus.net/privkey.pem

Testing

  • Test the certificate on IMAPS (port 993)
openssl s_client -crlf -connect mail.hitchhiker.com:993
  • Test the certificate and STARTTLS on the submission port (587)
openssl s_client -starttls smtp -connect mail.hitchhiker.com:587
  • Test TLS
https://www.checktls.com/TestReceiver

Client Configuration Example

Thunderbird

[Screenshot: Imap]

Jira

[Screenshot: Imap]