Configure Sendmail

Configuring an email server to not get flagged as spam sender is no small feat, but these small tweaks will help your email server cross the hump. It's not a complete configuration guide for sendmail but a collection of few healthy tweaks that should put your email server in better light when viewed by Google, Microsoft, Yahoo and others.


Setup STARTTLS for sendmail

STARTTLS is the SMTP command to "Start Transport Layer Security" i.e. to turn on SSL. It it used when authenticating senders.

  • Install CA certs
  • Download revoke.crl
  • Disable TLS for local clients
  • Configure and compile
  • Restart sendmail service
# install certs on server
su root  
cd /etc/ssl/certs  
vi ca-cert-bundle.pem  
vi cert.pem  
vi private.key

# allow non-TLS connection from localhost; add line
vi /etc/mail/access  
    srv_features:                  S

# configure certs for sendmail
vi /etc/mail/  
    define(`confCACERT_PATH', `/etc/ssl/certs')dnl
    define(`confCACERT', `/etc/ssl/certs/ca-cert-bundle.pem')dnl
    define(`confSERVER_CERT', `/etc/ssl/certs/my-cert.pem')dnl
    define(`confSERVER_KEY', `/etc/ssl/certs/my-private.key')dnl
    define(`confCLIENT_CERT', `/etc/ssl/certs/my-cert.pem')dnl
    define(`confCLIENT_KEY', `/etc/ssl/certs/my-private.key')dnl
    define(`confCRL', `/etc/ssl/certs/revoke.crl')dnl

# generate file
cd /etc/mail  
service sendmail restart  
telnet localhost 25  
    ehlo localhost

Setup DKIM for sendmail

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators. It uses cryptographic authentication to ascertain the identity of the sender. A very detailed description of DKIM installation can be found on Steve Jenkins website. You can verify if DKIM authentication is working for your mail server using appmaildev

# install opendkim package
su root  
yum install opendkim

# generate keys under /etc/opendkim/keys

# edit /etc/opendkim.conf
vi /etc/opendkim.conf  
  - change Mode to 'sv'
  - change Canonicalization to 'relaxed/simple'
  - uncomment Domain, set correct domain name
  - comment out KeyFile
  - uncomment KeyTable
  - uncomment SigningTable
  - uncomment ExternalIgnoreList
  - uncomment InternalHosts

# edit /etc/opendkim/KeyTable
vi /etc/opendkim/KeyTable

# edit /etc/opendkim/SigningTable
vi /etc/opendkim/SigningTable  

# edit /etc/opendkim/TrustedHosts
vi /etc/opendkim/TrustedHosts

# install and start opendkim service
service opendkim start  
chkconfig opendkim on  
chkconfig --list opendkim

# edit /etc/mail/ to use opendkim
vi /etc/mail/

# add the following line to the end of file
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@')dnl

# generate and restart service
service sendmail restart

# create TXT record in DNS
# Read name & value from /etc/opendkim/keys/default.txt
# Ensure both values are in quotes, separated by spaces
Type:    TXT  
TTL:     86400  
Value:   "v=DKIM1; k=rsa; "  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB"  

Add SPF record in DNS

Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. It is specified using a TXT record in DNS configuration.

# create TXT record in existing DNS record set
# Ensure value is in quotes
Type:    TXT  
TTL:     86400  
Value:   "v=spf1 ip4: ip6:2345:2:3:d::abcd ~all"  

Add reverse DNS lookup

Reverse DNS lookup is the determination of a domain name associated with an IP address via querying DNS - the reverse of the usual "forward" DNS lookup of an IP from a domain name. The process of reverse resolving an IP address uses the pointer DNS record type (PTR record) and is typical used by mail servers for authentication.

# create new PTR record set in DNS (separate from forward lookup)
# NS and SOA records should be added by DNS provider 
Type:    PTR  
TTL:     86400  

Baldeep Hira

bay area programmer working on mobile/tablet/web apps and enterprise cloud apps; ui/ux, html5 and everything else for a prettier web and world

  • San Francisco Bay Area
comments powered by Disqus