Baldeep Hira's Blog

 Home
About

Configure Sendmail

Configuring an email server to not get flagged as spam sender is no small feat, but these small tweaks will help your email server cross the hump. It’s not a complete configuration guide for sendmail but a collection of few healthy tweaks that should put your email server in better light when viewed by Google, Microsoft, Yahoo and others.

Overview:

Setup STARTTLS for sendmail

STARTTLS is the SMTP command to “Start Transport Layer Security” i.e. to turn on SSL. It it used when authenticating senders.

  • Install CA certs
  • Download revoke.crl
  • Disable TLS for local clients
  • Configure and compile sendmail.mc
  • Restart sendmail service
# install certs on server
su root
cd /etc/ssl/certs
wget http://www.cacert.org/revoke.crl
vi ca-cert-bundle.pem
vi cert.pem
vi private.key

# allow non-TLS connection from localhost; add line
vi /etc/mail/access
    srv_features:127.0.0.1                  S

# configure certs for sendmail
vi /etc/mail/senmail.mc
    define('confCACERT_PATH', '/etc/ssl/certs')dnl
    define('confCACERT', '/etc/ssl/certs/ca-cert-bundle.pem')dnl
    define('confSERVER_CERT', '/etc/ssl/certs/my-cert.pem')dnl
    define('confSERVER_KEY', '/etc/ssl/certs/my-private.key')dnl
    define('confCLIENT_CERT', '/etc/ssl/certs/my-cert.pem')dnl
    define('confCLIENT_KEY', '/etc/ssl/certs/my-private.key')dnl
    define('confCRL', '/etc/ssl/certs/revoke.crl')dnl

# generate sendmail.cf file
cd /etc/mail
make
service sendmail restart
telnet localhost 25
    ehlo localhost
    quit

Setup DKIM for sendmail

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain’s administrators. It uses cryptographic authentication to ascertain the identity of the sender. A very detailed description of DKIM installation can be found on Steve Jenkins website. You can verify if DKIM authentication is working for your mail server using appmaildev .

# install opendkim package
su root
yum install opendkim

# generate keys under /etc/opendkim/keys
opendkim-default-keygen

# edit /etc/opendkim.conf
vi /etc/opendkim.conf
  - change Mode to 'sv'
  - change Canonicalization to 'relaxed/simple'
  - uncomment Domain, set correct domain name
  - comment out KeyFile
  - uncomment KeyTable
  - uncomment SigningTable
  - uncomment ExternalIgnoreList
  - uncomment InternalHosts

# edit /etc/opendkim/KeyTable
vi /etc/opendkim/KeyTable
    default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private

# edit /etc/opendkim/SigningTable
vi /etc/opendkim/SigningTable
    *@example.com default._domainkey.example.com

# edit /etc/opendkim/TrustedHosts
vi /etc/opendkim/TrustedHosts
    127.0.0.1
    ::1
    #192.168.1.1
    #2001:db8::1

# install and start opendkim service
service opendkim start
chkconfig opendkim on
chkconfig --list opendkim

# edit /etc/mail/sendmail.mc to use opendkim
vi /etc/mail/sendmail.mc

# add the following line to the end of file
INPUT_MAIL_FILTER('opendkim', 'S=inet:8891@127.0.0.1')dnl

# generate sendmail.cf and restart service
make
service sendmail restart

# create TXT record in DNS
# Read name & value from /etc/opendkim/keys/default.txt
# Ensure both values are in quotes, separated by spaces
Name:    default._domainkey.example.com.
Type:    TXT
TTL:     86400
Value:   "v=DKIM1; k=rsa; "  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB"

Add SPF record in DNS

Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain’s administrators. It is specified using a TXT record in DNS configuration.

# create TXT record in existing DNS record set
# Ensure value is in quotes
Name:    example.com.
Type:    TXT
TTL:     86400
Value:   "v=spf1 ip4:123.1.2.3 ip6:2345:2:3:d::abcd include:_spf.google.com ~all"

Add reverse DNS lookup

Reverse DNS lookup is the determination of a domain name associated with an IP address via querying DNS - the reverse of the usual “forward” DNS lookup of an IP from a domain name. The process of reverse resolving an IP address uses the pointer DNS record type (PTR record) and is typical used by mail servers for authentication.

# create new PTR record set in DNS (separate from forward lookup)
# NS and SOA records should be added by DNS provider
Name:    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
Type:    PTR
TTL:     86400
Value:   example.com.
Posted on Jun 30, 2014 at 19:08