Configuring an email server to not get flagged as spam sender is no small feat, but these small tweaks will help your email server cross the hump. It’s not a complete configuration guide for sendmail but a collection of few healthy tweaks that should put your email server in better light when viewed by Google, Microsoft, Yahoo and others.
Setup STARTTLS for sendmail
STARTTLS is the SMTP command to “Start Transport Layer Security” i.e. to turn on SSL. It it used when authenticating senders.
- Install CA certs
- Download revoke.crl
- Disable TLS for local clients
- Configure and compile sendmail.mc
- Restart sendmail service
# install certs on server su root cd /etc/ssl/certs wget http://www.cacert.org/revoke.crl vi ca-cert-bundle.pem vi cert.pem vi private.key # allow non-TLS connection from localhost; add line vi /etc/mail/access srv_features:127.0.0.1 S # configure certs for sendmail vi /etc/mail/senmail.mc define('confCACERT_PATH', '/etc/ssl/certs')dnl define('confCACERT', '/etc/ssl/certs/ca-cert-bundle.pem')dnl define('confSERVER_CERT', '/etc/ssl/certs/my-cert.pem')dnl define('confSERVER_KEY', '/etc/ssl/certs/my-private.key')dnl define('confCLIENT_CERT', '/etc/ssl/certs/my-cert.pem')dnl define('confCLIENT_KEY', '/etc/ssl/certs/my-private.key')dnl define('confCRL', '/etc/ssl/certs/revoke.crl')dnl # generate sendmail.cf file cd /etc/mail make service sendmail restart telnet localhost 25 ehlo localhost quit
Setup DKIM for sendmail
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain’s administrators. It uses cryptographic authentication to ascertain the identity of the sender. A very detailed description of DKIM installation can be found on Steve Jenkins website. You can verify if DKIM authentication is working for your mail server using appmaildev.
# install opendkim package su root yum install opendkim # generate keys under /etc/opendkim/keys opendkim-default-keygen # edit /etc/opendkim.conf vi /etc/opendkim.conf - change Mode to 'sv' - change Canonicalization to 'relaxed/simple' - uncomment Domain, set correct domain name - comment out KeyFile - uncomment KeyTable - uncomment SigningTable - uncomment ExternalIgnoreList - uncomment InternalHosts # edit /etc/opendkim/KeyTable vi /etc/opendkim/KeyTable default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private # edit /etc/opendkim/SigningTable vi /etc/opendkim/SigningTable *@example.com default._domainkey.example.com # edit /etc/opendkim/TrustedHosts vi /etc/opendkim/TrustedHosts 127.0.0.1 ::1 #192.168.1.1 #2001:db8::1 # install and start opendkim service service opendkim start chkconfig opendkim on chkconfig --list opendkim # edit /etc/mail/sendmail.mc to use opendkim vi /etc/mail/sendmail.mc # add the following line to the end of file INPUT_MAIL_FILTER('opendkim', 'S=inet:email@example.com')dnl # generate sendmail.cf and restart service make service sendmail restart # create TXT record in DNS # Read name & value from /etc/opendkim/keys/default.txt # Ensure both values are in quotes, separated by spaces Name: default._domainkey.example.com. Type: TXT TTL: 86400 Value: "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB"
Add SPF record in DNS
Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain’s administrators. It is specified using a TXT record in DNS configuration.
# create TXT record in existing DNS record set # Ensure value is in quotes Name: example.com. Type: TXT TTL: 86400 Value: "v=spf1 ip4:18.104.22.168 ip6:2345:2:3:d::abcd include:_spf.google.com ~all"
Add reverse DNS lookup
Reverse DNS lookup is the determination of a domain name associated with an IP address via querying DNS - the reverse of the usual “forward” DNS lookup of an IP from a domain name. The process of reverse resolving an IP address uses the pointer DNS record type (PTR record) and is typical used by mail servers for authentication.
# create new PTR record set in DNS (separate from forward lookup) # NS and SOA records should be added by DNS provider Name: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. Type: PTR TTL: 86400 Value: example.com.