Mail configuration

Mail config is present in the following files:

1. /etc/mail/linux.mc The "Root" configuration file
2. /etc/mail/access Spam protection
3. /etc/mail/aliases "Nice" names for local users
4. /etc/mail/genericstable "Nice" names for outgoing mail
5. /etc/mail/virtusertable "Nice" names with domain names
6. /etc/mail/mailertable Domains for which we have an MX Record, but whose mail should be delivered elsewhere
7. /etc/mail/relay-domains Domains for which we accept to relay mail
8. /etc/mail/sendmail.cw Domains which are handled locally

This documentation also features the following items:

1. An overview how the various config files of sendmail play together
2. When does sendmail consider two domains to be identical
3. What needs to be done when adding a new mail domain

More documentation can be found on sendmail.org's web site.

Important note for sendmail experts: this document refers to the sendmail configuration as it is used by LLL and LTNB, and is a functional description. I am fully aware that by manually tweaking sendmail.cf, you can obtain different precedences between the various config files. Moreover, this is a functionaly description: the order of checks as performed by the sendmail.cf rules may not be the same as represented, however, the system behaves as if files were checked in the order presented.

Overview

Mail enters at the top left of the figure, and while it travels through the system, the following checks are performed:

1. Access control: spammers (listed by complete mail address or just by their domain) get their mail rejected. Additionnally, this file may also contain lists of addresses which are allowed to relay (skip relay-domains check).
2. DNS canonifying. Using DNS, sendmail transforms all host name parts into their "canonical form". In order to do this, it follows CNAMES chains, until it finds a name which is no longer a CNAME. For instance, if www.hitchhiker.org.lu is a CNAME for hitchhiker.org.lu, then sendmail replaces the address Arthur.Dent@www.hitchhiker.org.lu into Arthur.Dent@hitchhiker.org.lu
3. relay-domains check. The goal of this check is to prevent third parties from abusing our mail server to relay their mails. Any mail where neither the sender nor the destinator is local to the ltnb is considered a third-party mail.
4. Then sendmail checks the mailertable file for any special rules for this destination. These may either be smtp: or esmtp: rules, which specify another mailer to which the mail should be relayed, or local: which specifies that this is local mail, that should bypass the following steps (sendmail.cw and virtusertable)
5. Next, sendmail checks the sendmail.cw file. If the host name of the mail is mentioned here-in, the mail is considered local. Else, it is considered remote, and sendmail checks the DNS for any MX records of this address. If no MX or A record for the destination is found, the mail is returned as undeliverable (domain not known). If the MX or A record points back to itself, a "local configuration error" is returned; indeed, if this mailer was really responsible for that domain, it should have a local: entry in the mailertable or an entry in sendmail.cw for that domain.
6. Next, sendmail checks the virtusertable for any domain-dependant aliases. For instance, if LTNB server mail for both ltnb.lu and estuaires.org.lu, then this file allows to assign a different recipient to webmaster@ltnb.lu and webmaster@estuaires.org.lu (different domain, same username). If a entry is found for the recipient, the recipient gets replaced with its alias, and the mail is reinjected through DNS canonify at mailertable.
7. Next, the alias file is checked for any domain-independant aliases. If an entry is found for the recipient, the recipient gets replaced with its alias, and the mail is reinjected through DNS canonify at mailertable.
8. Last, mail is delivered to the local mailbox of the recipient (or returned as an error, if no such user exists)

Additionnally, general sendmail behavior, as well as the exact location of the above-mentioned config files is specified in linux.mc

linux.mc

This is the "root" configuration file of sendmail, point to the others. It needs the following changes (diff listing: new lines are marked by +, removed lines by -, and unchanged lines are indicated for context).

--- linux.mc.rpmnew	Wed Sep  6 01:17:10 2000
+++ linux.mc	Sat Mar  3 07:52:08 2001
@@ -119,7 +119,7 @@
 dnl  to accept further hostnames as local email, add them here or put
 dnl  them into the `/etc/mail/sendmail.cw' file.
 dnl
-dnl FEATURE(`use_cw_file')dnl
+FEATURE(`use_cw_file')dnl
 dnl
 dnl  This FEATURE enables (open)ldap and requires some arguments. For
 dnl  information see http://www.stanford.edu/~bbense/ldap/.  Note that this

Enable the sendmail.cw file (needed for serving mail to multiple domains).

@@ -159,9 +159,9 @@
 dnl  for rejecting well known spammers
 dnl  (see http://maps.vix.com/ and http://www.orbs.org/).
 dnl
-dnl FEATURE(`dnsbl')dnl
+FEATURE(`dnsbl')dnl
 dnl FEATURE(`dnsbl',`dul.maps.vix.com',` Mail from $&{client_addr} rejected - dul; see http://maps.vix.com')dnl
-dnl FEATURE(`dnsbl',`relays.orbs.org', ` Mail from $&{client_addr} rejected - open relay; see http://www.orbs.org')dnl
+FEATURE(`dnsbl',`relays.orbs.org', ` Mail from $&{client_addr} rejected - open relay; see http://www.orbs.org')dnl
 dnl
 dnl
 dnl  Just add the local domain if the email address doesn't have one

Enable spam filtering features

@@ -188,6 +188,11 @@
 dnl MASQUERADE_DOMAIN(`otherdmain.notused')dnl
 dnl FEATURE(`limited_masquerade')dnl
 dnl
+dnl
+dnl  use procmail for local mail delivery. the exact pathname is given above.
+dnl
+FEATURE(`local_procmail')dnl
+dnl
 dnl  These mailers are available. per default only smtp is used. You have
 dnl  to add entries to /etc/mail/mailertable to enable one of the other
 dnl  mailers.

Deliver local mail via procmail. Allows users more customization options via their .procmailrc file.

@@ -218,3 +223,20 @@
 dnl
 dnl Cw localhost www.domain.notused
 dnl
+
+dnl LTNB specific stuff
+define(`confCONNECTION_RATE_THROTTLE', `3')dnl
+dnl
+dnl Settings recommended by http://sendmail.net/?feed=dostips
+dnl
+define(`confMIN_FREE_BLOCKS', `4000')dnl
+define(`confMAX_MESSAGE_SIZE', 1000000)dnl
+define(`confAUTO_REBUILD', False)dnl
+define(`confREFUSE_LA', 8)dnl
+dnl
+dnl MAX_DAEMON_CHILDREN recommended is 40 for 128MB of Ram: take half of
+dnl it, as lots of other stuff is running on Pollux too
+define(`confMAX_DAEMON_CHILDREN', 12)dnl
+dnl define(`confMAX_HEADERS_LENGTH', 32)dnl Not supported yet
+define(`confMAX_MIME_HEADER_LENGTH', 1024)dnl
+define(`confMAX_RCPTS_PER_MESSAGE', 100)dnl

Set resource limits (number of connections, minimum available disk space, max spawned processed, ...) in order to prevent sendmail from crashing under unusual load. Such unusual load may happen as a result of a deliberate cracking attempts (some student had attempted to set up a mail loop to do this last year), or inadvertantly (when reconnecting network after a week long outage, some computers have a huge amount of mail to postmaster piled up, which they unload at once when reconnecting).

Linux.mc is not directly read by sendmail. Rather, it has to be convered into /etc/sendmail.cf using the following command:

m4 </etc/mai/linux.mc >/etc/sendmail.cf

access

This file is mostly used to block access from spammers. Each line has the following format:

address code message

address	This is the e-mail address of the spammer to be blocked. Either the complete address (just4me17@usa.net), or just the domain (usa.net). If only the domain is indicated, all mails from that domain are rejected.
code	an error code to return to the sending mailer, usually 550
message	an error message to return to the sending mailer. Chose any witty comment that you like.

Code and message may also be replaced with the word REJECT which returns a code 550 with a boring "Access denied" message. Example:

susan@bfg.com   550 Please keep your spam to yourself
s431@aol.com    550 Please keep your spam to yourself
excte.com       550 Please keep your spam to yourself
doctor.com      550 Doctor, whenever I eat Hormel products, I feel a strong urge to throw up violently.  What can I do about this?

aliases

Defines mail aliases. When manually editing this file, make sure not to set any aliases that are also set by webmin (anything that goes into the mail alias field of webmin). However, you may redirect login names (if they are not also webmin aliases).

Aliases may have more than one target, and may be spread over several lines (each line having a blank in the first column is considered as a continuation) Example:

pe: Jean-Paul.Gedgen,
        Alain.Rassel,
        Alain.Knaff,
        Ramon.Kirsch,
        Charles.Lopes,
        Michel.Stoltz,
        Pierre.Fattebene,
        Marc.Teusch
        Mike.Borschette

Targets themselves are expanded. If you don't want to further expand targets, prepend with a backslash (\). Example:

root:          joe, \root

genericstable

This is more or less the contrary of the aliases file. In certain conditions, From addresses in outgoing mails are replaced according to genericstable. Example:

jpg      Jean-Paul.Gedgen
mstoltz  Michel.Stoltz
arassel  Alain.Rassel
aknaff   Alain.Knaff
rkirsch  Ramon.Kirsch
ejpg     Eleve.Jpg
emstoltz Stoltz.Michel
mteusch  Marc.Teusch
mborsche Mike.Borschette

This means that mails sent from jpg have their From address replaced by Jean-Paul.Gedgen, etc. Be sure to have the reverse mapping in aliases or virtusertable, or else those users won't receive replies to their mails. Automatically maintained by webmin, but it should be ok to edit manually if you avoid both login names and aliases covered by webmin.

N.B. When sending mail from a browser, this is actually not used, as the browser himself already sets the long name as sender. As far as I know, this file only comes into play when sending mail from the command line.

virtusertable

This is like aliases, but allows to redirect names depending on domains. This is useful especially for virtual webhosting, so that for instance webmaster@estuaires.ltnb.lu will be redirected to a different person than webmaster@bommel.ltnb.lu . Note: it is not possible in virtusertable to redirect to multiple recipients. However, it is possible to redirect to an alias (defined in /etc/aliases) which itself is redirected to multiple recipients. Example:

francois@knaff.linux.lu                 fknaff
melie@knaff.linux.lu                    mknaff
alain@rassel.lu                         alain
sylvie@rassel.lu                        speters
alainsylvie@rassel.lu                   speters
michel@rassel.lu                        mrassel
david@rassel.lu                         dbelardi
david.belardi@rassel.lu                 dbelardi

mailertable

This is used to define paths to other mailers, for situations where the nameserver (MX Records) cannot be used for some reason.

This is useful if our mailer is itself an MX record for another domain, but doesn't handle the mail itself. Without the mailertable, our mailer would look up the target domain using its MX record, which would point to itself, leading to an error.

Example:

ltnb17.ltnb.lu          smtp:ltnb17.ltnb.lu
hitchhiker.ltnb.lu      smtp:[158.64.28.42]
nemo.ltnb.lu            smtp:[158.64.29.225]

This means for instance that mail sent to ltnb17.ltnb.lu will be delivered via SMTP to host ltnb17.ltnb.lu (this is actually not a redundant information: DNS considers mail addresses (MX Records) and IP hosts (A Records) to be distinct. The left hand side refers to the mail address, whereas the right hand side refers to a host).

Mailertable can also be used to specify mail to be delivered local, in addition to sendmail.cf. The advantage is that it allows a more flexible syntax (specifying only domain names rather than full names):

.ltnb.lu                local:

This says that all mail sent to an address ending in .ltnb.lu is to be considered local. The disadvantage of this approach are the following:

• This short-circuits virtusertable and thus does not allow to distinguish webmaster@ltnb0.ltnb.lu from webamster@ltnb17.ltnb.lu
• This approach is less known than sendmail.cw, and many people might not know to look for this kind of rules in sendmail.cw

In mailertable, if an entry is prefixed with a dot (such as .ltnb.lu), it matches all domains ending with that string. If no leading dot is present, only exact matches are accepted. If several lines match (for instance, if both a .ltnb.lu and an ltnb17.ltnb.lu entry is present), the most specific match (longest string) is taken.

relay-domains

This is a list of hosts for which we relay.

Explanation: Sendmail normally refuses mail where neither the sender nor the recipient is a local user. For example, our sendmail would refuse to relay mails which are sent from a user @www.digital.com to a user at @www.ibm.com. This is done in order to avoid that spammers abuse our mailer to relay their meat products. Obviously mail where either the sender or the recipient is local is accepted, or else we would not be able to communicate. For instance, if an ltnb user sends to ibm.com, the mail is relayed all right. If a digital.com user sends to an ltnb.lu user it is relayed too.

The relay-domains file defines which hosts are considered local. It can contain both domains (mail.ltnb.lu), IP addresses (158.64.28.254), or shorthands thereof (158.64.28.). Two kinds of domains need to be included (which often overlap):

• Any hosts which are allowed to use the mailer to send anywhere in the world. Typically, these are all the machines in the LTNB, which can be expressed by the two following lines:

  
  158.64.28.
  158.64.29.
  

  These match any IP address which start with 158.64.28. or 158.64.29.
• Any hosts which are allowable as recipients for senders connecting from outside. Theoretically, these would be all local names for the LTNB, however sendmail already includes automatically those names that are mentioned in sendmail.cw. Domains in /etc/mail/mailertable are not automatically allowed, and must be explicitly included: Example:

  
  ltnb.lu
  

  This matches any domain which ends in ltnb.lu

sendmail.cw

List of domains which are considered "local" by sendmails for delivery purposes. Any mail addressed to one of those domains will be delivered locally.

N.B. Addresses used in virtusertable must also be set in sendmail.cw . Addresses relayed using mailertable should not be set in sendmail.cw. In summary, if an MX record point to our mailer, the corresponding address should be either in sendmail.cw or in mailertable.

Unlike relay-domains, domains listed in sendmail.cw are interpreted as exact matches; for example ltnb17.ltnb.lu would not match ltnb.lu.

When are two domains identical for sendmail?

If an address A is a CNAME for another name B, all occurrences of A are considered by sendmail to be equivalent to B. A does in that case not be mentioned separately in sendmail.cw, mailertable or virtusertable.

However, if an address C is an MX Record pointing to D, both are considered different, and C should definately be set either in sendmail.cw or in mailertable. In that case, it doesn't even matter whether D is a CNAME for something else or not.

When setting domains equivalent via CNAMES, be careful though that it cuts both ways: If you set for instance www.estuaires.ltnb.lu to be a CNAME for www.ltnb.lu, this means that sendmail will have no way of distinguishing between webmaster@www.estuaires.ltnb.lu and webmaster@www.ltnb.lu !

Adding a new domain for sendmail

When adding a new domain for sendmail, the following actions need to be performed:

• Add the domain to DNS. If this is a website, preferably have all aliases representing the same website also be DNS CNAMEs. That way, you only need to handle one canonical name in DNS.
• Add the domain name to the /etc/mail/sendmail.cw and /etc/mail/sendmail.cw files.
• Add any number of virtual users for the domain to /etc/mail/virtusertable.
• if necessary, add any needed aliases to /etc/aliases
• run make in /etc/mail to activate the changes.

  ---