Configure Sendmail
Configuring an email server to not get flagged as spam sender is no small feat, but these small tweaks will help your email server cross the hump. It’s not a complete configuration guide for sendmail but a collection of few healthy tweaks that should put your email server in better light when viewed by Google, Microsoft, Yahoo and others.
Overview:
Setup STARTTLS for sendmail
STARTTLS is the SMTP command to “Start Transport Layer Security”, i.e. to upgrade the plain-text SMTP connection to TLS. It is used when authenticating senders.
- Install CA certs
- Download revoke.crl
- Disable TLS for local clients
- Configure and compile sendmail.mc
- Restart sendmail service
# install certs on server (paste the PEM files; the names must match the confSERVER_*/confCLIENT_* entries in sendmail.mc)
su root
cd /etc/ssl/certs
wget http://www.cacert.org/revoke.crl
vi ca-cert-bundle.pem
vi my-cert.pem
vi my-private.key
# allow non-TLS connection from localhost; add line
vi /etc/mail/access
srv_features:127.0.0.1 S
# configure certs for sendmail
vi /etc/mail/sendmail.mc
# m4 quoting is backtick-open, single-quote-close
define(`confCACERT_PATH', `/etc/ssl/certs')dnl
define(`confCACERT', `/etc/ssl/certs/ca-cert-bundle.pem')dnl
define(`confSERVER_CERT', `/etc/ssl/certs/my-cert.pem')dnl
define(`confSERVER_KEY', `/etc/ssl/certs/my-private.key')dnl
define(`confCLIENT_CERT', `/etc/ssl/certs/my-cert.pem')dnl
define(`confCLIENT_KEY', `/etc/ssl/certs/my-private.key')dnl
define(`confCRL', `/etc/ssl/certs/revoke.crl')dnl
# generate sendmail.cf file
cd /etc/mail
make
service sendmail restart
# check the EHLO response; note that the srv_features entry above stops sendmail
# from offering STARTTLS to 127.0.0.1, so connect from another host to see it advertised
telnet localhost 25
ehlo localhost
quit
Setup DKIM for sendmail
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing by providing a mechanism that allows receiving mail exchangers to check that incoming mail from a domain is authorized by that domain’s administrators. It uses cryptographic authentication (a signature over selected headers and the body) to ascertain the identity of the sender. A very detailed description of DKIM installation can be found on Steve Jenkins’ website. You can verify that DKIM authentication is working for your mail server using appmaildev.
# install opendkim package
su root
yum install opendkim
# generate keys under /etc/opendkim/keys
opendkim-default-keygen
# edit /etc/opendkim.conf
vi /etc/opendkim.conf
- change Mode to 'sv'
- change Canonicalization to 'relaxed/simple'
- uncomment Domain, set correct domain name
- comment out KeyFile
- uncomment KeyTable
- uncomment SigningTable
- uncomment ExternalIgnoreList
- uncomment InternalHosts
# edit /etc/opendkim/KeyTable
vi /etc/opendkim/KeyTable
default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
# edit /etc/opendkim/SigningTable
vi /etc/opendkim/SigningTable
*@example.com default._domainkey.example.com
# edit /etc/opendkim/TrustedHosts
vi /etc/opendkim/TrustedHosts
127.0.0.1
::1
#192.168.1.1
#2001:db8::1
# install and start opendkim service
service opendkim start
chkconfig opendkim on
chkconfig --list opendkim
# edit /etc/mail/sendmail.mc to use opendkim
vi /etc/mail/sendmail.mc
# add the following line to the end of file
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@127.0.0.1')dnl
# generate sendmail.cf and restart service
make
service sendmail restart
# create TXT record in DNS
# Read name & value from /etc/opendkim/keys/default.txt
# Ensure both values are in quotes, separated by spaces
Name: default._domainkey.example.com.
Type: TXT
TTL: 86400
Value: "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB"
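As an added check that is not part of this guide, the script below reads a default.txt in the BIND format that opendkim-default-keygen writes (the sample is constructed inline, using the key shown above), confirms that each quoted string fits the 255-byte DNS TXT string limit, joins the strings the way a resolver does, and parses the p= tag as DER to report the RSA key size before the record is published.

```python
import base64
import re

# Constructed sample of /etc/opendkim/keys/default.txt in the BIND zone-file
# syntax that opendkim-default-keygen emits; the key is the one shown in this guide.
DEFAULT_TXT = '''default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "
\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB" )  ; ----- DKIM key default for example.com
'''

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id rsaEncryption


def txt_strings(zone_text):
    """Return the quoted <character-string>s of the TXT record, in order."""
    return re.findall(r'"([^"]*)"', zone_text)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo that holds an RSA key."""
    tag, body, _ = _tlv(spki, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = _tlv(body, 0)             # AlgorithmIdentifier
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bits, _ = _tlv(body, pos)            # BIT STRING; bits[0] = unused bits
    _, rsapub, _ = _tlv(bits[1:], 0)        # RSAPublicKey SEQUENCE
    _, modulus, _ = _tlv(rsapub, 0)         # INTEGER n (may carry a 0x00 pad)
    return len(modulus.lstrip(b"\x00")) * 8


def check_dkim_record(zone_text):
    """Validate the record before publishing it; return the parsed tags."""
    parts = txt_strings(zone_text)
    if any(len(p.encode()) > 255 for p in parts):
        raise ValueError("a TXT string exceeds 255 bytes; split it further")
    # A resolver concatenates the strings, so the tag list is parsed on the join.
    tags = dict(t.strip().split("=", 1) for t in "".join(parts).split(";") if t.strip())
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unexpected v= or k= tag")
    tags["bits"] = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    return tags
```

Run check_dkim_record(open("/etc/opendkim/keys/default.txt").read()) on the server to check the real file; a result of 1024 bits is what the default keygen on this platform produces, and a 2048-bit key needs its p= string split across two quoted strings.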
Add SPF record in DNS
Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain’s administrators. It is specified using a TXT record in DNS configuration.
# create TXT record in existing DNS record set
# Ensure value is in quotes
Name: example.com.
Type: TXT
TTL: 86400
Value: "v=spf1 ip4:123.1.2.3 ip6:2345:2:3:d::abcd include:_spf.google.com ~all"
Add reverse DNS lookup
Reverse DNS lookup is the determination of the domain name associated with an IP address by querying DNS, the reverse of the usual “forward” DNS lookup of an IP address from a domain name. Reverse resolution of an IP address uses the pointer DNS record type (PTR record) and is typically used by mail servers for authentication.
# create new PTR record set in DNS (separate from forward lookup)
# NS and SOA records should be added by DNS provider
Name: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
Type: PTR
TTL: 86400
Value: example.com.