Solved newbie needs help: receiving email and SMTP authentication

Hi, everyone,

I've set up web servers before, but never an email server. My idea is to use the built-in mail as the MUA, sendmail as the MTA, and dovecot as the pop server. Those are the key components, right? Where I'm stuck right now is:

With "mail" on the command line I can send email from one account on the server to another (and check it remotely). But email from elsewhere (for example, this yahoo address) never makes it into my mbox.

Could someone please point me in the right direction? Thanks,

Bob
 
Thank you sir. I have one, and hope it's set up correctly:
Pref Hostname IP Address TTL
10 mail.xxx.org xxx.xxx.xxx.xxx 60 min
 
It is. I xed out the details because I'm a little paranoid about posting them in a public forum (before everything's up and running). Like it's a baby server unable to defend itself yet, lol.
 
Whatever you do, PLEASE be sure to carefully go over the documentation for Sendmail (personally I'd advise an easier mail server such as mail/postfix, but that's a personal opinion).

Here's the thing: it's not a question of if this is going to happen, but when: sooner or later your mail server will be bombarded with remote hosts trying to abuse it as a mail / spam relay. It's a given. So please make 100% sure that you set up your system appropriately and be sure to configure it so that only you (and those you intended) can use it to send e-mail, but not the whole world.

The Internet has got enough spam problems as it is ;)
 
I'll do my best! Already there's some degree of bombardment. But since things aren't working yet I don't think I'm (currently) contributing to the spam problem.

Really postfix is easier? I assumed it would be easier to go with something FreeBSD came with.

Are there particular ways I should or shouldn't configure sendmail? Or ways to test how vulnerable an email server is?

Down the line, I get the idea it would help to have spamassassin and clamav in the picture, too.
 
I'll do my best! Already there's some degree of bombardment. But since things aren't working yet I don't think I'm (currently) contributing to the spam problem.

Really postfix is easier? I assumed it would be easier to go with something FreeBSD came with.
Hmm, it's a matter of opinion as well as what you're used to. Sendmail can definitely deliver, but the moment you want to customize it further, things can become a bit tricky.

For example... SMTP authentication. In other words: allowing users to specify a username/password in order to be allowed to send e-mail using your system. On Sendmail this is perfectly doable, and the advised route (source: chapter 27 of the FreeBSD handbook) is to utilize security/cyrus-sasl.

On Postfix it's very easy to devise another and (IMO!) easier to use approach. You already mentioned mail/dovecot above, which is what led up to my comment. On Postfix it's very easy to allow Postfix to utilize the already available authentication methods provided by Dovecot. In other words: allowing users who can receive / retrieve e-mail (using Dovecot) to authenticate themselves to send mail using the exact same credentials:

(from /usr/local/etc/postfix/main.cf)
Code:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_authenticated_header = yes
Of course some work had to be done on the Dovecot part as well (just mentioning this for completeness' sake); I had to set up the socket which Postfix is using above. So from /usr/local/etc/dovecot.conf:
Code:
    client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
    }
But this was more or less all there was to it. The rest consisted of stuff which you'd already do when using Dovecot: making sure the users could actually retrieve their e-mail.

Now, we can discuss why this could be a good or bad idea, but that's not the point. I'm merely trying to demonstrate the flexibility which Postfix can provide.

But, please don't get me wrong here: Sendmail is an excellent program which is very diverse and flexible as well. It is most definitely not a bad idea to use it also because, as you said yourself, it is a standard on FreeBSD. Simple as that. My LAN server uses it and it has never failed me.

But in some cases things can be a bit easier ;) For example, setting up my LAN server to use my main mail server as relay is relatively easy in Sendmail:
  • Edit /etc/mail/<your host>.mc
  • Uncomment the SMART_HOST definition and add the right address
  • Recompile your configuration
  • Restart Sendmail: # service sendmail restart.
But on Postfix I'd use:
  • Edit /usr/local/etc/postfix/main.cf
  • Uncomment the relayhost option and specify the host.
    • This can even utilize MX records, UUCP, and using different ports is also a no brainer.
  • Refresh Postfix: # postfix reload
And well, I simply prefer the latter myself.

But in the end both environments have their specific way of working and once you get the hang of it then both will be very easy to use. I'm most definitely not calling Sendmail bad or anything, it most certainly is not.

Are there particular ways I should or shouldn't configure sendmail? Or ways to test how vulnerable an email server is?
The one thing you should be very careful with is setting up a relay. As in: allowing others to send e-mail through your system, that is the main culprit which causes a lot of problems on the Net.

Always be sure to check /etc/mail/access and ensure that you're using the right settings (not allowing the whole world to relay). The FreeBSD handbook has a whole chapter on this.

Some external hosts which can help you check are mxtoolbox.com, mailradar.com and spamhelp.org.

Some other tips which really work well for me: be picky about what incoming connections you allow. For example, my MTA only allows fully qualified HELO lines (=an identifier for a remote mailserver). This can help you reduce spam a bit because commonly speaking a regular mailserver has a DNS entry assigned to it. Rogue hosts (think about a compromised machine on a regular internet connection) usually do not. So they'll most likely identify themselves with an IP address. And that's a no no on my end. I'm taking it one step further by also demanding a valid hostname. So if someone makes something up then my MTA refuses to accept e-mail.

I can also recommend looking into SPF (Sender Policy Framework). See the official project website. In short: if you send e-mail then you define in a TXT DNS record which servers are used for that. So if someone else tries to send e-mail on your behalf from a remote location then any mailserver can establish that it's bogus. Just for context: Microsoft, Google, Facebook, Apple... they all use it.

Code:
$ dig TXT apple.com | grep spf
apple.com.              3561    IN      TXT     "v=spf1 ip4:17.0.0.0/8 -all"

Also consider looking into Greylisting. That seriously reduced spam on my end. There are several options for this, on Postfix I rely on Postgrey which is quite easy to set up. I have no clue how to set this up on Sendmail but I'm sure Google knows ;)

In short: any incoming e-mail gets rejected the first time and the connection is logged and cut. Only after a few minutes will the delivery be allowed. The theory is that every mailserver will retry a delivery when it fails the first time. Spammers on the other hand, especially those using compromised boxes, usually do not.

Seriously: using Greylisting has cut our spam amounts easily in half, without using any other spamfilter.

And that brings me to: also consider looking into spam filters. There are plenty and they'll help you reduce a lot of nasty stuff. You mentioned SpamAssassin and I can definitely recommend that one. Same for ClamAV.

Hope this can help a bit.
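As an added example (not code from the post above or from any of the projects it mentions): a small offline SPF evaluator that takes a record like the dig output quoted above and decides whether a connecting client IP may send for that domain. The sample dig line is constructed; only the ip4, ip6 and all mechanisms are handled, so DNS-dependent mechanisms such as include or mx are skipped.

```python
import ipaddress
import re

# Constructed sample, modelled on the dig output quoted in the post above.
SAMPLE_DIG_LINE = 'apple.com.  3561  IN  TXT  "v=spf1 ip4:17.0.0.0/8 -all"'

# SPF qualifiers (RFC 7208); an unqualified mechanism means "+" (pass).
QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}

def spf_from_dig_line(line):
    """Extract the record from a `dig TXT` answer line. A TXT record may be
    split into several quoted strings; SPF joins them without separators."""
    return ''.join(re.findall(r'"([^"]*)"', line))

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != 'v=spf1':
        raise ValueError('not an SPF version 1 record')
    parsed = []
    for term in terms[1:]:
        qualifier = '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(':')
        parsed.append((qualifier, mech.lower(), arg or None))
    return parsed

def evaluate_spf(record, client_ip):
    """Offline SPF result for a connecting client IP: only ip4, ip6 and all
    are handled; DNS-dependent mechanisms (a, mx, include, ...) are skipped.
    No match and no 'all' yields 'neutral', as RFC 7208 specifies."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == 'all':
            return QUALIFIERS[qualifier]
        if mech in ('ip4', 'ip6') and arg:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return 'permerror'  # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return 'neutral'

if __name__ == '__main__':
    record = spf_from_dig_line(SAMPLE_DIG_LINE)
    for client in ('17.172.224.47', '203.0.113.5'):
        print(client, evaluate_spf(record, client))  # pass, fail
```

A receiving MTA would run this against the envelope sender's domain record; a 'fail' result is what lets it reject mail forged on that domain's behalf.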
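Also as an added example (not Postgrey's code and not from the post above): the greylisting logic the post describes, reduced to its core, so the retry behaviour that separates a real MTA from a one-shot spam bot is visible. The in-memory store, the addresses and the timings are constructed; the default delay and expiry are assumptions modelled on Postgrey's documented defaults.

```python
import time

# 450 is a temporary failure: a real MTA queues the message and retries,
# which is exactly the behaviour greylisting relies on.
TEMPFAIL = '450 4.2.0 Greylisted, please try again later'
ACCEPT = '250 2.1.5 Recipient ok'

class Greylist:
    """In-memory greylist keyed on the (client IP, sender, recipient) triplet.

    First sight of a triplet: remember it and answer 450. A retry at least
    `delay` seconds later is accepted and the triplet is whitelisted until
    it has gone unused for `max_age` seconds (defaults mirror Postgrey's
    5-minute delay and 35-day expiry; the store itself is an assumption)."""

    def __init__(self, delay=300, max_age=35 * 24 * 3600):
        self.delay = delay
        self.max_age = max_age
        self.seen = {}  # triplet -> (first_seen, last_seen)

    def check(self, client_ip, sender, recipient, now=None):
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.seen.get(key)
        if entry is None or now - entry[1] > self.max_age:
            self.seen[key] = (now, now)   # new (or expired) triplet
            return TEMPFAIL
        first_seen, _ = entry
        self.seen[key] = (first_seen, now)
        if now - first_seen < self.delay:
            return TEMPFAIL               # retried too early, keep waiting
        return ACCEPT

def simulate():
    """Constructed sample: a legitimate MTA that retries versus a one-shot
    spam bot that never comes back. Returns both outcome lists."""
    gl = Greylist()
    mta = ('198.51.100.7', 'alice@example.net', 'bob@example.org')
    bot = ('203.0.113.9', 'x@example.com', 'bob@example.org')
    mta_results = [gl.check(*mta, now=t) for t in (1000, 1060, 1400)]
    bot_results = [gl.check(*bot, now=1000)]
    return mta_results, bot_results
```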
 
Wow, what a generously informative reply. Thanks so much. It'll take me some time to digest it all. One thing I gather is with sendmail I should have a /etc/mail/<your host>.mc file. Maybe that should be my next step.
 
Thank you sir. Is it sendmail I want to listen to port 25? I get:
Code:
% sockstat -l4p 25
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS    
root     sendmail   662   4  tcp4   127.0.0.1:25          *:*
but maybe I want that to be *:25 instead of 127.0.0.1:25?

How's this for a basic question: Do I need to configure sendmail? I was thinking that since it came installed, I didn't, but maybe it's not that easy.
 
I have not used sendmail for ages. But I believe that you need to add the following in your rc.conf:
Code:
sendmail_enable="YES"
 
Note that Sendmail is notoriously difficult to configure. The macro scripts are helpful but it's still quite error-prone and it's really easy to end up with an open relay. You may want to switch to mail/exim or mail/postfix instead. Both are commonly used on Linux so there's plenty of documentation on the internet.
 
Sendmail delivered with FreeBSD does not relay by default.

To get a template configuration to edit do:
Code:
# cd /etc/mail
# make
This will create a hostname.domain.tld.mc file using /etc/mail/freebsd.mc as a template.
See /etc/mail/Makefile for further information.
 
gkontos, thank you, that was all it took. And I see now:

Code:
%   sockstat -l4p 25
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS    
root     sendmail   662   4  tcp4   *:25                  *:*

I love the sense of humor computer people sometimes have. Testing this out:

Code:
ESMTP Sendmail 8.15.2/8.15.2; Tue, 7 Feb 2017 11:57:14 -0600 (CST) [1516 ms]
EHLO PWS3.mxtoolbox.com
250-xxx Hello pws3.mxtoolbox.com [64.20.227.134], pleased to meet you

That testing also turned up "SMTP Reverse DNS Mismatch". I assume that's something I talk to my DNS provider about?

Then my next step is sending emails. From my laptop, not from the command line. Which means relay? So the trick is to keep it authenticated relay and not open relay?
 
Here are my configuration files; replace yourdomain.tld and the user names with yours.
 
Attachments:
  • sendmail_config.zip (4.3 KB)
That testing also turned up "SMTP Reverse DNS Mismatch". I assume that's something I talk to my DNS provider about?

Then my next step is sending emails. From my laptop, not from the command line. Which means relay? So the trick is to keep it authenticated relay and not open relay?
It's important to get the right SMTP reverse DNS, otherwise you will be rejected by other SMTP servers or, in the worst case, blacklisted.
You should also add an SPF record in your DNS.
 
dlegrand, thank you, but I'm paranoid about .zip files. Talked with my DNS provider, should be getting that mismatch fixed.
 
OK, installed security/cyrus-sasl2 and security/cyrus-sasl2-saslauthd. Unsure about my next step. Found differing instructions online:

At 27.9. SMTP Authentication:

Code:
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

At FreeBSD - How to setup Mail Server:

Code:
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

Since this is sasl2, I assume it should be -DSASL=2. I do have a /usr/local/include/sasl directory, and since that one is from the Handbook, I think I'll go with that. Crossing my fingers...

Note that Sendmail is notoriously difficult to configure. The macro scripts are helpful but it's still quite error-prone
 
I could use some help again. Ran into an unexpected roadblock. The next step was to recompile Sendmail, which already made me nervous. Then my two guides above again differed on the exact steps. I can't follow the Handbook instructions, because:

Code:
#   ls -l /usr/src
total 0

And Hostik says:

Code:
# cd /usr/src/
# make buildworld                     # this may take about an hour to compile

An hour?! Do I really need to rebuild world?

Do I need to install mail/sendmail? The Handbook didn't say anything about that.

Have you considered using postfix instead?

I was hoping not to have to install and configure yet another component, but maybe that should be my Plan B.
 
I think it's working! :) For the record:

I was directed to How do you install the FreeBSD10 kernel sources? and installed devel/subversion. freebsd-version said I had 10.3-RELEASE-p16, so:

Code:
# svn checkout https://svn.FreeBSD.org/base/releng/10.3 /usr/src
# svn up /usr/src
# cd /usr/src; make clean

Also, it turned out Hostik was right as far as /etc/make.conf, see: question about SMTP-authentication (2nd ). So it seems to me the first configuration option in step 4 of 27.9. SMTP Authentication in the Handbook should be corrected.

Then I was able to go ahead with the remaining steps in the Handbook.

Thanks for your help, everyone.

Bob
 