~ overflow ~

Problem:

How to change sendmail’s outgoing ip?

Solution:

This is the ip that will be used to deliver messages, this ip might get blacklisted if one of your happy clients on a shared server decides to send a mass email.
Sendmail is always a bitch to config, but this time it wasn’t, just change your .m4 file adding:

CLIENT_OPTIONS(`Addr=123.456.789')dnl

rebuild the .cf file, restart sendmail and you’re done. In my case, I had a specific ip on the server that got “temporary” (permanently) blocked by gmail. Although new mail wasn’t being sent after the flood, google never unblocked my server, even after a week i still getting “limit rate exceeded” messages. Since I have many IPs on the server it was easier just to bind sendmail to another IP.

Source:

Server Fault

Problem:

There’s some domains on a server that users a external server to process the emails (eg. google servers, aspmx.l.google.com) those emails are all fine when sent from outside the box but when sent from the box they fail to reach the destination or get delivered to a local user.

Solution:

define(`MAIL_HUB', `example.com.')dnl
define(`LOCAL_RELAY', `example.com.')dnl

For sendmail, this will make the domain’s emails to be delivered to the ip address assigned at the domain’s MX record.

Note:

This seemed promising for me at first look, but it will redirect ALL local domains to this MX record, ruining everything. Nothing new when dealing with sendmail, anyway when i find a better solution for this i will update this post again.

Source:

ServerFault

Problem:
So i noticed a real slow down on my server recently, nothing new was installed, no new sites launched. Investigating it a little further i saw like +100 sendmail processes running in background, WTF!

Solution:

Looking at huge maillogs, i found that there’s a botnet hammering my mail server, trying to authenticate with random strings and send unauthenticated emails, as if my server were configured as a promiscuous email server.

So, i had to put in practice my never used before iptables config skills.

First i added a rule to avoid global hammering:

-N SMTP-BLOCK
-A SMTP-BLOCK -s 127.0.0.1 -j ACCEPT
-A SMTP-BLOCK -s ##YOUR_SERVER_IPS## -j ACCEPT
-A SMTP-BLOCK -m limit --limit 1/m --limit-burst 3 -j LOG --log-level notice --log-prefix "iptables SMTP-BLOCK "
-A SMTP-BLOCK -m recent --name SMTPBLOCK --set -j DROP
-A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTPBLOCK --rcheck --seconds 360 -j SMTP-BLOCK
-A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTP --set
-A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTP --rcheck --seconds 60 --hitcount 10 -j SMTP-BLOCK
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

This will avoid hammering on port 25, SMTP, make sure you add your server’s ip here, otherwise it might slowdown your own server from sending emails out. This will ban users for 60 seconds if they send more than 3 packets a minute on port 25, pretty much enough what you need to do.

Now the bot net will still hammering, since they have MANY different ips , 800 so far, they can still hammering and eating up your server resources and bandwidth, since they will not stop i wrote a script to analyze maillogs and ban by ip:

// (c) z3n - R1V1@100605 - www.overflow.biz - rodrigo.orph@gmail.com

if (!isset($argv[2])) die("Usage: ".$_SERVER['PHP_SELF']." <input file> <ip tables>");

function _gii($s,$s_1,$s_2,$st=1) { // what, start string, end string, strip tags bool
	if ((stripos($s,$s_1) !== false) && (stripos($s,$s_2) !== false)) {
		$p=strlen($s_1)+stripos($s,$s_1);
		return ($st == 0) ? substr($s,$p,stripos($s,$s_2,$p)-$p) : strip_tags(substr($s,$p,stripos($s,$s_2,$p)-$p));
	} else {
		return "";
	}
}
function _r($x) { echo $x."\n"; }

$ips=array();
$handle=fopen($argv[1],"r");
while (!feof($handle)) {
	$buf=fgets($handle,4096);
	$x=explode("\n",$buf);
	foreach ($x as $v) {
		if (strpos($v,"Relaying denied") !== false) {
			$ip=_gii($v," [","]",0);
			if (!in_array($ip,$ips))
				$ips[]=$ip;
		}
	}
}

for ($r="",$i=0,$j=count($ips),_r("Found: ".$j." entries, building ban list..."),$ip_tables=file_get_contents($argv[2]);$i < $j;$i++)
	if (strpos($ips[$i],$ip_tables) === false)
		$r.="-A INPUT -s ".$ips[$i]." -j REJECT\n";

if (!empty($r)) {
	file_put_contents("maillog.ban",$r);
	_r("Wrote maillog.ban");
} else {
	_r("No new entries found");
}

..not so good on preg, but it works :P
once you generated the maillog.ban file just paste it on the iptables.

Besides that you may want to tune up your MTA child limit in order to avoid server overloading.

You may also want to keep this:

-A INPUT -p tcp -m tcp --syn -m limit -m state --limit 1/second --limit-burst 5 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --syn -m state --state NEW -j REJECT

on for a while, it will ban ips based on their sync packet usage, let’s say that our unhappy script kiddie who owns the botnet starts to ping the server instead, this will avoid server from having resources wasted, but may also cause issues with legit clients.

I also found this article that shows how to disable ping echoing straight on kernel just by adding net.ipv4.icmp_echo_ignore_all = 1 at /etc/sysctl.conf.

Problem:

You can receive emails with your own mail server, but can’t send to “non-local” domains.

Solution:

You need to setup auth method before sending emails outside the local realm. You can enable ecrypted passwords and such.

Change at sendmail config:

define(`confAUTH_OPTIONS’, `A’)dnl
TRUST_AUTH_MECH(`LOGIN PLAIN’)dnl
define(`confAUTH_MECHANISMS’, `LOGIN PLAIN’)dnl

at ssh:

set auth_options to `A’
service saslauthd restart (don’t forget it’s importaint)
service sendmail restart

Problem:

dovecot: Mmm dd hh:ii:ss Error: POP3(username): mail_location not set and autodetection failed: Mail storage autodetection failed with home=/home/username

Solution:

It looks like your happy username has no `mail` folder created, yes, this is obscure.

You need to create a folder called mail and don’t forget to give ownership to the user:

mkdir /home/username/mail

chown username:usergroup /home/username/mail

Partial Sources:

Nabble (warning do not chmod 777 everything or chown username:mail)

Problem:

So you got a new client on your server who loves to spam, and not only that, he doesen’t know how to do it, and keeps sending over and over to the same people (10,000 emails). You can’t realay on your own server, cuz, surprise! Your noisy subnet neighboors been spamming and the major spam control systems, like spamhaus, thinks that the whole subnet is spamming and will not unblock you unless all your happy russian friends stop spamming, which will never happen.. so you need to relay on a obscure controlled server that your ISP provided you, which surprise! has a mailing limit.

Solution:

Anything related to sendmail tends to be complicated and obscure, although i found it easier to just configure it using webmin, i tend to do it also by editing the raw conf files.

To have the queue implemented you need:

- Set sendmail to work with `queue only` mode, which will NOT delivery messages automatically, it will place them on a queue so you can decide when to send.

- Set `maximum queue size` to how many emails you want to send on a batch (read below)

- Set a cron to send emails, in my case i’ve set a cron to send every minute a batch of 3 emails, so i configurated maximum queue size to 3 and installed a cron:

* * * * * /usr/sbin/sendmail -bd -qp1m
Note the 1m this should match your crontab repeat time.

So, if i send 3 emails every 1 minute, this will be 180 an hour or 4320 a day, being below my ISP limit and calming down the happy spammers.

Configuring sendmail could be a real nightmare, not only because it depends on what linux distro you’re using but because there are many different terms that comes up when you do a search, so i’m keeping it simple. Before anything i’m configuring sendmail as MTA on a machine with fedora, i will be using dovecot to transfer the emails over pop3, so first all you gotta install this stuff on your machine, by using yum:

yum install dovecot sendmail system-switch-mail

to make sure you’re using sendmail as your MTA, run system-switch-mail and set it as the MTA, about dovecot, you need to start it by service dovecot start – i forgot if there’s any relevant configuration that you need to change on it, but i don’t think so.

after that you need to configure your hostname,

hostname yourhappyhostname.com

and edit the file /etc/sysconfig/network and change the hostname there too,
now we’re going to edit sendmail config file, at /etc/mail/sendmail.mc

enable this:

FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl


* if you want more info about configuring and masquerading stuff on sendmail, search for man sendmail

and for EACH domain you want to have emails into, add those weird lines on the same sendmail.mc file:

Cwyourdomain.com
Cwmail.yourdomain.com

note that it’s Cwyourdomain.com and Cwmail.yourdomain.com — ALSO note, that you need to ask your DNS provider, probably your host, to add the mx record for you, it should be:

domain.com. IN MX 10 mail.domain.com.

you can’t do that unless you run the DNS server, there are some hosts that set it automatically, to know if your mx record is right, you should do this command on shell:

dig domain.com mx +noall +answer

so continuing configuring sendmail, after saving the file, you need to compile it, by this command:

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

after that we need to do a new user for the email (no you can’t use your email as root you stupid!) to do that so you need to have root access to the server, you add a new user :

useradd -d /path/to/user/home/dir username;passwd username

this will add and prompt for the new user password, and then you can add aliases for that user at /etc/aliases wich could help you to address multiple emails with the same name, like webmaster@site1.com , webmaster@dumbfuck.com, webmaster@yomama.com and so on, basically you will put this:

alias: user,user2,userx

where alias is the email name, in that example it would be webmaster: site1,dumbfuck,yomama (if the users were site1, dumbfuck and yomama). Now that you’re done with the aliases, you need to update them on the system by:

newaliases

Now, you need to setup the emails in here: /etc/mail/virtusertable this is very simple, you just add the email you want and the username for example:

webmaster@site1.com site1
webmaster@dumbfuck.com dumbfuck
webmaster@yomama.com yomama
@idiotic.com idiotic

note that the last entry has nothing before @, wich means that anything@idiotic.com will fall into the same login, wich is very helpfull when only you own the domain and stupid people can’t type your username right. After editing this file you need to update the .db one by:

makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable

and THEN… THEN!!!! you restart sendmail by:

service sendmail restart

now you’re ready, you can put on your happy email client the user login and password you did with useradd and as server you will use mail.yourdomain.com (this depends on your mx record, set by your host as explained).

you can even build a little .sh script to setup emails quickly for you, the commands you will need to give are the following:


useradd -d /home $1;passwd $1;
vi /etc/mail/sendmail.mc;m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf;
vi /etc/aliases;newaliases;vi /etc/mail/virtusertable;makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable;service sendmail restart;


and that’s it (not really a full .sh script cuz i’m tired of you) – so that’s how you configure a mail server WITHOUT Exim or CPanel gayness, all hail the holy bash!

Note: After configuring the emails you need to setup a Reverse DNS, due the spam, some big servers, like yahoo, do a reverse dns check to know if your server is really a server or just some spammy script kid, to know if your server has a reverse DNS working, give a:

nslookup 1.1.1.1

where 1.1.1.1 is obviously your server ip — don’t use a domain or it will not work — if you get an error here you will need to setup a reverse dns by named or contact your host to set it for you – it’s best contact your host first so you don’t loose time configuing named for nothing.

Usefull links:
http://cbl.abuseat.org/lookup.cgi – a place to know if your server is black listed due misconfig or malusage and how to remove it
http://www.linuxselfhelp.com/quick/sendmail.html – the only relevant page on the many searchs i did on this.
http://www.linuxmail.info/ – a spammy site with a little usefull info about mail servers and postfix.
http://www.google.com – a useless place to go when you have no answers and seek for more questions and confusion about this matter.

— 080813 Update —
You might want to change the line at sendmail.cf :
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,Name=MTA’)dnl

replacing 127.0.0.1 with your machine’s ip that way sendmail will work right (this fix the issue of not being able to receive emails due connection refused, you can also test if it’s working by telnet mail.yourserver.com 25 or by netstat -nl to list the listening connections)