Tag: sendmail
Sendmail: Giving everyone else a chance
We will occasionally get slammed with thousands of messages from a specific sender (usually one we’ve engaged to e-mail all of our employees, and of course they do it at 11 in the morning instead of some low-volume off-hours time), which delays mail for everyone else. The sendmail command line can run the queue for only those messages whose sender (or recipient) does, or does not, match a string.
Using sendmail -qSdomain.gTLD attempts delivery of the queued messages whose sender contains domain.gTLD. Adding ‘!’ in front of the ‘S’ inverts the match and attempts delivery of the messages whose sender does not contain the string (escape it as \! on an interactive bash command line so the shell doesn’t treat it as history expansion). -qR does the same thing keyed on the recipient, and -qI on the queue ID.
sendmail -q\!Sbadguy.gTLD -v
That ensures all of the other mail is cleared through the queue even though ten thousand messages from a single sender still need to be processed. In real life, bypassing everything with a ‘mail from’ of @em-sj-77.mktomail.com is just
sendmail -q\!Sem-sj-77.mktomail.com -v
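An added example, not from the original post: a small shell helper that works out which sender domain is hogging the queue from mailq output and then issues the selective queue run. The mailq sample embedded in it is constructed (made-up queue IDs, addresses and hosts); the only assumption is the standard mailq layout of one line per queue entry (ID, size, time, envelope sender) with recipients and status indented beneath it. Bounces with a null sender (<>) carry no domain and are not counted.

```shell
#!/bin/sh
# Find which sender domain is filling the queue, then flush everything *except* it.

# Constructed sample of "mailq" output for the stand-alone run below; the queue
# IDs, addresses and hosts are made up.
SAMPLE_MAILQ='                /var/spool/mqueue (4 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
w4AG2abc012345     12345 Wed May 10 11:02 <bounce-1@em-sj-77.mktomail.com>
                                          <user1@example.com>
w4AG2abc012346*    12345 Wed May 10 11:02 <bounce-2@em-sj-77.mktomail.com>
                 (Deferred: Connection timed out with mx.example.com.)
                                          <user2@example.com>
w4AG2abc012347     12345 Wed May 10 11:02 <bounce-3@em-sj-77.mktomail.com>
                                          <user3@example.com>
w4AG2def067890      2345 Wed May 10 11:03 <alice@example.org>
                                          <bob@example.com>'

# Count queued messages per envelope-sender domain. Reads mailq output from stdin
# (or from the files given as arguments) and prints "count domain", busiest first.
queue_by_sender_domain() {
    awk '
        # Queue entries start in column 1 with the queue ID (a trailing "*" marks a
        # locked entry) followed by the size; the envelope sender is the last field.
        # Recipient and status lines are indented, so they never match.
        /^[A-Za-z0-9]+\*?[ \t]+[0-9]+[ \t]/ && $NF ~ /^<[^@]+@[^@]+>$/ {
            dom = $NF
            sub(/^<[^@]*@/, "", dom); sub(/>$/, "", dom)
            count[dom]++
        }
        END { for (d in count) printf "%d %s\n", count[d], d }
    ' "$@" | sort -rn
}

# Print just the busiest sender domain.
top_sender_domain() {
    queue_by_sender_domain "$@" | awk 'NR == 1 { print $2 }'
}

# Run the queue for every message whose sender does NOT contain $1 (sendmail -q!S).
# The "!" sits inside single quotes so an interactive bash never history-expands it.
# With SENDMAIL_DRYRUN set, print the command instead of running it.
flush_all_but_sender() {
    if [ -n "${SENDMAIL_DRYRUN:-}" ]; then
        printf 'sendmail -q!S%s -v\n' "$1"
    else
        sendmail '-q!S'"$1" -v
    fi
}

# Stand-alone demo against the constructed sample: ./queue-by-sender.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_MAILQ" | queue_by_sender_domain
    dom=$(printf '%s\n' "$SAMPLE_MAILQ" | top_sender_domain)
    SENDMAIL_DRYRUN=1 flush_all_but_sender "$dom"
fi
```

On a live server, feed it the real thing: mailq | queue_by_sender_domain. The dry-run toggle exists so the command can be reviewed before a queue run is launched against a production relay.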
Git For Configuration Management
I am starting to use git to manage application server configurations, partially to ensure team members are familiarizing themselves with git and thinking about it when they update code (we’ve seen a LOT of tweaks that are not pushed to the git server), but also to reduce the administrative overhead of managing servers.
The best use case thus far has been our sendmail environment — seven servers with three configuration bases. By issuing certificates with SAN values for each host name and the VIP name, we are able to use the same cert and config file on each server in a functional group. Admins can make changes to the config offline (i.e. we’re not live-editing config files on the sendmail servers), there is a history of who made which change (and a quick means of reverting changes), and, using a cron’d pull, we can ensure changes are consistent across the environment. Two things follow from the cron’d pull: push access to that repository is effectively control of the relays’ mail flow, so restrict who can push to the config branches, and the shared certificate’s private key is better distributed separately than committed alongside the config.
Load Balance and Failover Sendmail Mailertable Relays
A coworker asked me today how to get the mailertable relays to load balance instead of fail over. The trick is to think beyond sendmail. Square brackets around a host tell sendmail not to look up an MX record for it (you’re generally pointing at an A record, so this saves a tiny little bit of time … not to mention *if* there is an MX record for that name, it creates a whole heap-o confusion). *But* the MX lookup is right useful when setting up load balanced or failover relay targets.
Single host relay in the mailertable looks like this:
yourdomain.gTLD relay:[somehost.mydomain.gTLD]
If you want to fail over between relays (that is try #1, if it is unavailable try #2, and so on), you can stay within the mailertable and use:
yourdomain.gTLD relay:[somehost.mydomain.gTLD]:[someotherhost.mydomain.gTLD]
Or even try direct delivery and fail back to a smart host:
yourdomain.gTLD relay:%1:smart-host
But none of this evenly distributes traffic across multiple servers. The trick to load balancing within the mailertable is to create equal weight MX records in your domain to be used as the relay.
In ISC Bind, this looks like:
yourdomainmailrouting.mydomain.gTLD IN MX 10 somehost.mydomain.gTLD.
yourdomainmailrouting.mydomain.gTLD IN MX 10 someotherhost.mydomain.gTLD.
Once you have created the DNS records, simply use the MX record hostname in your mailertable:
yourdomain.gTLD relay:yourdomainmailrouting.mydomain.gTLD
By leaving out the square brackets, sendmail will resolve an MX record for ‘yourdomainmailrouting.mydomain.gTLD’, find the equal weight MX records, and do the normal sendmail thing with them: equal-preference MX hosts are tried in random order, so the load spreads across both relays, whereas unequal preferences give you failover. To confirm what sendmail actually sees, use address test mode (sendmail -bt): /mx yourdomainmailrouting.mydomain.gTLD lists the MX hosts it resolved, and /map mailertable yourdomain.gTLD shows the mailertable entry (after rebuilding mailertable.db with makemap).
Sendmail In CHROOT Jail
With our sendmail mail relay running in a chroot jail, ‘make’ in /etc/mail does not update the jailed copies of the sendmail config files. While I’m certain there’s a way to sort that, it’s a lot easier to go back to the old-school way of updating sendmail.cf and sendmail’s hash files.
Modifying Sendmail Configuration (sendmail.mc) on Servers with CHROOT Jailed Sendmail
- SSH to server using your ID
- Change to the sendmail service account (e.g. sudo /bin/su - sendmail)
- Change directory to the jailed sendmail /etc/mail location (e.g. cd /smt00p20/sendmail/etc/mail)
- vi sendmail.mc
- Make requisite changes and save file
- m4 sendmail.mc > sendmail.cf (the .cf files are 0400 after the jail’s permission step, so either chmod u+w sendmail.cf first or write m4’s output to a temporary file and mv it into place; a failed m4 run then can’t leave an empty sendmail.cf behind)
- Under your ID, restart sendmail using “sudo systemctl stop sendmail; sudo systemctl start sendmail”
- Validate changes
Modifying Sendmail Data Files on Servers with CHROOT Jailed Sendmail
- SSH to server using your ID
- Change to the sendmail service account (e.g. sudo /bin/su - sendmail)
- Change directory to the jailed sendmail /etc/mail location (e.g. cd /smt00p20/sendmail/etc/mail)
- vi filetoedit
- Make requisite changes and save file
- makemap hash ./filetoedit.db < ./filetoedit
- Under your ID, restart sendmail using “sudo systemctl stop sendmail; sudo systemctl start sendmail”
- Validate changes
Where filetoedit is the name of the data file. For example, run “makemap hash ./access.db < ./access” to rebuild access.db from the edited access file.
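As an added example (not from the original posts), the cron’d pull described under Git For Configuration Management and the two rebuild procedures above combined into one script the service account can run from cron. It assumes a hypothetical layout in which the git checkout is the jail’s /etc/mail directory (/smt00p20/sendmail/etc/mail), that m4 and makemap are on the account’s PATH, that the account may run “sudo systemctl restart sendmail”, and that the map names listed match the ones your sendmail.mc actually uses.

```shell
#!/bin/sh
# Cron'd sync of a jailed sendmail's /etc/mail from git: fast-forward the checkout,
# regenerate only what changed, restart only when something did.

# Assumptions (hypothetical layout, adjust to taste): the git checkout *is* the
# jail's /etc/mail; m4 and makemap are on PATH; the service account may run
# "sudo systemctl restart sendmail".
JAIL_MAIL=${JAIL_MAIL:-/smt00p20/sendmail/etc/mail}

# Hash-map sources sendmail.mc refers to; only the source files are committed, the
# .db files are build output (keep them in .gitignore).
MAP_SOURCES="access mailertable virtusertable domaintable genericstable"

# Print the names of maps whose .db is missing or older than its source.
stale_maps() {
    dir=$1
    for name in $MAP_SOURCES; do
        src=$dir/$name
        [ -f "$src" ] || continue
        if [ ! -f "$src.db" ] || [ "$src" -nt "$src.db" ]; then
            printf '%s\n' "$name"
        fi
    done
}

rebuild_stale_maps() {
    dir=$1
    for name in $(stale_maps "$dir"); do
        makemap hash "$dir/$name.db" < "$dir/$name" || return 1
        echo "rebuilt $name.db"
    done
}

# Regenerate sendmail.cf from sendmail.mc via a temp file: a failing m4 run must
# never leave an empty or half-written sendmail.cf for the next restart to load.
rebuild_sendmail_cf() {
    dir=$1
    if [ -f "$dir/sendmail.cf" ] && ! [ "$dir/sendmail.mc" -nt "$dir/sendmail.cf" ]; then
        return 0                               # .mc unchanged, nothing to do
    fi
    tmp=$(mktemp "$dir/sendmail.cf.XXXXXX") || return 1
    if m4 "$dir/sendmail.mc" > "$tmp" && [ -s "$tmp" ]; then
        chmod 0400 "$tmp" && mv -f "$tmp" "$dir/sendmail.cf" && echo "rebuilt sendmail.cf"
    else
        rm -f "$tmp"
        echo "m4 failed; existing sendmail.cf left untouched" >&2
        return 1
    fi
}

# Fast-forward only: the cron job must never merge or rewrite what a person pushed.
# Prints the files that changed (empty when already current).
update_from_git() {
    dir=$1
    before=$(git -C "$dir" rev-parse HEAD) || return 1
    git -C "$dir" pull --ff-only --quiet || return 1
    after=$(git -C "$dir" rev-parse HEAD) || return 1
    if [ "$before" != "$after" ]; then
        git -C "$dir" diff --name-only "$before" "$after"
    fi
}

main() {
    changed=$(update_from_git "$JAIL_MAIL") || exit 1
    rebuild_sendmail_cf "$JAIL_MAIL" || exit 1
    rebuild_stale_maps "$JAIL_MAIL" || exit 1
    if [ -n "$changed" ]; then
        sudo systemctl restart sendmail
    fi
}

# Run from cron as the service account, e.g. "*/15 * * * * /path/to/this.sh run"
if [ "${1:-}" = "run" ]; then
    main
fi
```

Because sendmail only reads the .db files and sendmail.cf, the restart is tied to the git diff rather than to a timestamp, and the temp-file dance around m4 is what keeps a syntax error in sendmail.mc from taking the relay down at the next restart.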
Running Sendmail In A CHROOT Jail
My employer’s OS-support model restricts root access to members of the Unix support team. Applications are normally installed into a package directory and run under a service ID. While this model works well for most applications, sendmail is tightly integrated into the OS and is not readily built into an application directory. We attempted to run sendmail as a non-root user with modified permissions on application directories such as /var/spool/mqueue – this worked, until OS patches were applied and permissions reset. We needed a way to run sendmail as a non-root user and allow the OS support team to patch servers without impacting the sendmail application.
Chroot is a mechanism that uses a supplied directory path as the process’s root directory. The jailed process, and its children, should not be able to access any part of the file hierarchy outside of the new root. As a security mechanism the approach has well-known limits – the abridged version of the story is that a process which keeps root inside the jail is not terribly difficult to break out, and there are far more effective controls for that purpose (e.g. SELinux). What we want from it here is something else: a chroot jail has its own copies of system-owned directories (such as /var/spool/mqueue), binaries, and libraries, so the sendmail application can live in the package directory and OS updates don’t touch it.
This approach works on relaying mail servers (i.e. those that queue mail to /var/spool/mqueue and send it on its merry way). If sendmail is hosting mailboxes, there are additional challenges to designing a chroot configuration that actually drops messages into mailbox files that users can access.
Preliminaries: Create a service account under which sendmail will run. The installation directory should be owned by the service account user.
Set up the chroot jail location in the installation directory. In this example, that directory is /smt00p20.
mkdir /smt00p20/sendmail
mkdir /smt00p20/sendmail/dev
mkdir /smt00p20/opendkim
mkdir /smt00p20/opendkim/dev
We need a null and random in the sendmail jail. On a command line, run (mknod needs root):
# Create sendmail jail /dev/null
mknod /smt00p20/sendmail/dev/null c 1 3
# Create sendmail jail /dev/random
mknod /smt00p20/sendmail/dev/random c 1 8
OpenSSL looks for /dev/urandom (character device 1, 9) before /dev/random, so if TLS fails to initialize inside the jail, add that node the same way.
We need an rsyslog socket added under each jail, otherwise nothing the jailed daemons log ever reaches syslog. In /etc/rsyslog.conf, add the following and restart rsyslog:
# additional log sockets for chroot'ed jail
# Idea from http://www.ispcolohost.com/2014/03/14/how-to-get-syslog-records-of-chrooted-ssh-sftp-server-activity/
$AddUnixListenSocket /smt00p20/sendmail/dev/log
$AddUnixListenSocket /smt00p20/opendkim/dev/log
Additionally, these instructions assume both sendmail and sendmail-cf have been installed on the server. If they have not, you can download the RPMs, unpack them, and copy the files to the appropriate relative jail locations.
Chrooting Sendmail
Logged in with the sendmail ID, ensure you have a .bash_profile that loads .bashrc
-bash-4.2$ cat ~/.bash_profile
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi
Edit ~/.bashrc and add the following, where smt00p20 is the appropriate installation directory, to allow copy/paste
export SENDMAILJAIL=/smt00p20/sendmail
export OPENDKIMJAIL=/smt00p20/opendkim
Log out of the service account and back in (or just source in the .bashrc file). Verify SENDMAILJAIL and OPENDKIMJAIL are set.
Copy a whole heap of ‘stuff’ into the jail – this includes some utilities used to troubleshoot issues within the jail which aren’t strictly needed. I’ve also unpacked the strace RPM to the respective directories within the jail.
mkdir $SENDMAILJAIL/bin
mkdir $SENDMAILJAIL/etc
mkdir $SENDMAILJAIL/etc/alternatives
mkdir $SENDMAILJAIL/etc/mail
mkdir $SENDMAILJAIL/etc/sasl2
mkdir $SENDMAILJAIL/etc/smrsh
mkdir $SENDMAILJAIL/lib64
mkdir $SENDMAILJAIL/lib64/sasl2
mkdir $SENDMAILJAIL/lib
mkdir $SENDMAILJAIL/lib/tls
mkdir $SENDMAILJAIL/tmp
mkdir $SENDMAILJAIL/usr
mkdir $SENDMAILJAIL/usr/bin
mkdir $SENDMAILJAIL/usr/sbin
mkdir $SENDMAILJAIL/usr/lib
mkdir $SENDMAILJAIL/usr/lib/sasl2
mkdir $SENDMAILJAIL/usr/lib64
mkdir $SENDMAILJAIL/usr/lib64/sasl2
mkdir $SENDMAILJAIL/var
mkdir $SENDMAILJAIL/var/log
mkdir $SENDMAILJAIL/var/log/mail
mkdir $SENDMAILJAIL/var/run
mkdir $SENDMAILJAIL/var/spool
mkdir $SENDMAILJAIL/var/spool/mqueue
mkdir $SENDMAILJAIL/var/spool/clientmqueue

# Host configuration the resolver, name service switch and aliases need inside the jail.
# The jail only needs the passwd/group entries for root, the service account and the
# mail group; trim the copies down to those.
for f in aliases aliases.db passwd group resolv.conf host.conf nsswitch.conf services hosts localtime; do
    cp /etc/$f $SENDMAILJAIL/etc/
done

# If cloning an existing server, scp /etc/mail/* from the source to /smt00p20/sendmail/etc/mail
# instead of copying the local /etc/mail. Verify the sendmail.mc has a RUNAS_USER set to the
# same service account you are using - the account on our servers is named 'sendmail'.
# Our old servers are not all set up with a runas user, and failing to have one will cause
# write failures to the jail /var/spool/mqueue
cp -r /etc/mail/. $SENDMAILJAIL/etc/mail/

# sendmail binary and helpers, plus the alternatives/mailq symlink chain the RPM provides
cp /usr/sbin/sendmail.sendmail $SENDMAILJAIL/usr/sbin/sendmail.sendmail
cp /usr/sbin/makemap $SENDMAILJAIL/usr/sbin/makemap
cp /usr/sbin/mailstats $SENDMAILJAIL/usr/sbin/mailstats
cp /usr/sbin/praliases $SENDMAILJAIL/usr/sbin/praliases
cp /usr/sbin/smrsh $SENDMAILJAIL/usr/sbin/smrsh
cp /usr/bin/rmail.sendmail $SENDMAILJAIL/usr/bin/rmail.sendmail
cd $SENDMAILJAIL/etc/alternatives
ln -s ../../usr/sbin/sendmail.sendmail ./mta
cd $SENDMAILJAIL/usr/sbin
ln -s ../../etc/alternatives/mta ./sendmail
ln -s ./sendmail ./newaliases
ln -s ./sendmail ./newaliases.sendmail
cd $SENDMAILJAIL/usr/bin
ln -s ../sbin/sendmail ./mailq
ln -s ../sbin/sendmail ./mailq.sendmail
ln -s ../sbin/sendmail.sendmail ./hoststat
ln -s ../sbin/sendmail.sendmail ./purgestat
ln -s ../sbin/makemap ./makemap
ln -s ./rmail.sendmail ./rmail

# Libraries sendmail and its helpers load, copied from /usr/lib64
for lib in libssl.so.10 libcrypto.so.10 libnsl.so.1 libwrap.so.0 libhesiod.so.0 libcrypt.so.1 \
    libdb-5.3.so libresolv.so.2 libsasl2.so.3 libldap-2.4.so.2 liblber-2.4.so.2 libc.so.6 \
    libgssapi_krb5.so.2 libkrb5.so.3 libcom_err.so.2 libk5crypto.so.3 libdl.so.2 libz.so.1 \
    libidn.so.11 libfreebl3.so libpthread.so.0 libssl3.so libsmime3.so libnss3.so libnssutil3.so \
    libplds4.so libplc4.so libnspr4.so ld-linux-x86-64.so.2 libkrb5support.so.0 libkeyutils.so.1 \
    librt.so.1 libselinux.so.1 libpcre.so.1 libnss_dns.so.2 libnss_files.so.2; do
    cp /usr/lib64/$lib $SENDMAILJAIL/usr/lib64/$lib
done

# glibc NSS/resolver modules under both lib64 and lib, with the soname symlinks the loader expects
for d in lib64 lib; do
    cd $SENDMAILJAIL/$d
    for lib in libnss_dns libresolv libnss_files; do
        cp /lib64/$lib-2.17.so ./$lib-2.17.so
    done
    ln -s ./libnss_dns-2.17.so ./libnss_dns.so.2
    ln -s ./libresolv-2.17.so ./libresolv.so.2
    ln -s ./libnss_files-2.17.so ./libnss_files.so.2
done

# SASL plugins and sendmail's SASL configuration
cp /usr/lib64/sasl2/* $SENDMAILJAIL/usr/lib64/sasl2/
cp /lib64/sasl2/* $SENDMAILJAIL/lib64/sasl2/
cp /etc/sasl2/Sendmail.conf $SENDMAILJAIL/usr/lib64/sasl2/
cp /etc/sasl2/Sendmail.conf $SENDMAILJAIL/etc/sasl2/

# The same sendmail libraries under /lib64, plus the dependencies of the troubleshooting
# tools copied below (dig, bash, ls, vi, pidof, rm)
for lib in ld-linux-x86-64.so.2 libc.so.6 libcom_err.so.2 libcrypt.so.1 libcrypto.so.10 libdb-5.3.so \
    libdl.so.2 libfreebl3.so libgssapi_krb5.so.2 libhesiod.so.0 libidn.so.11 libk5crypto.so.3 \
    libkeyutils.so.1 libkrb5.so.3 libkrb5support.so.0 liblber-2.4.so.2 libldap-2.4.so.2 libnsl.so.1 \
    libnspr4.so libnss3.so libnssutil3.so libpcre.so.1 libplc4.so libplds4.so libpthread.so.0 \
    librt.so.1 libsasl2.so.3 libselinux.so.1 libsmime3.so libssl.so.10 libssl3.so libwrap.so.0 libz.so.1 \
    libdns.so.100 liblwres.so.90 libbind9.so.90 libisccfg.so.90 libisccc.so.90 libisc.so.95 \
    libcap.so.2 libGeoIP.so.1 libxml2.so.2 libm.so.6 libattr.so.1 liblzma.so.5 libtinfo.so.5 \
    libacl.so.1 libprocps.so.4 libsystemd.so.0 libgcrypt.so.11 libgpg-error.so.0 libdw.so.1 \
    libgcc_s.so.1 libelf.so.1 libbz2.so.1; do
    cp /lib64/$lib $SENDMAILJAIL/lib64/
done

# Troubleshooting utilities (not strictly needed for sendmail to run)
cp /bin/dig $SENDMAILJAIL/bin/
cp /bin/bash $SENDMAILJAIL/bin/
cp /bin/ls $SENDMAILJAIL/bin/
cp /bin/vi $SENDMAILJAIL/bin/
cp /bin/rm $SENDMAILJAIL/bin/
cp /usr/sbin/pidof $SENDMAILJAIL/usr/sbin/pidof
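As an added example (not the author’s procedure), the same population of the jail derived from the binaries themselves rather than from a hand-kept list: ldd reports which libraries the dynamic loader resolves for a program, so copying a program plus that list into the jail keeps the jail in step with whatever the OS currently ships, which is the whole point of the upgrade step later on. It assumes ldd is available, that it is only pointed at the distribution’s own binaries (ldd executes the target’s dynamic loader, so never run it on an untrusted file), and that everything in the jail ought to be free of group/world write bits, which the last function checks.

```shell
#!/bin/sh
# Populate a chroot jail from the host's own binaries: copy a program plus every
# shared library the dynamic loader resolves for it, keeping the host's path layout
# inside the jail (/lib64/libc.so.6 lands in $jail/lib64/libc.so.6).
# Caveat: ldd runs the target's dynamic loader, so only use it on trusted OS binaries.

umask 022    # nothing in the jail should come out group- or world-writable

# Print the absolute paths of the libraries (and the loader) ldd resolves for $1.
resolved_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\//   { print $3 }   # libfoo.so => /lib64/libfoo.so (0x...)
        $1 ~ /^\// && $2 ~ /^\(/   { print $1 }   # /lib64/ld-linux-x86-64.so.2 (0x...)
    ' | sort -u
}

# copy_with_deps JAIL /path/to/binary [...]: copy each binary and its libraries into
# JAIL, dereferencing symlinks so the jail holds real files (a symlink to a host
# path would dangle inside the chroot).
copy_with_deps() {
    jail=$1; shift
    for bin in "$@"; do
        mkdir -p "$jail$(dirname "$bin")" && cp -L "$bin" "$jail$bin" || return 1
        for lib in $(resolved_libs "$bin"); do
            mkdir -p "$jail$(dirname "$lib")" && cp -L "$lib" "$jail$lib" || return 1
        done
    done
}

# List anything under the jail that is group- or world-writable: the check to run
# before pointing a daemon at the tree (what the chmod -R go-w step enforces).
writable_by_others() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# Example: build the sendmail jail's binaries from the host copies.
# copy_with_deps /smt00p20/sendmail /usr/sbin/sendmail.sendmail /usr/sbin/makemap \
#     /usr/sbin/smrsh /usr/sbin/mailstats /usr/sbin/praliases /usr/bin/rmail.sendmail \
#     /bin/bash /bin/ls /bin/vi /bin/rm /bin/dig /usr/sbin/pidof
# writable_by_others /smt00p20/sendmail
```

What ldd cannot see is anything loaded at run time with dlopen, which for sendmail means the SASL plugins under sasl2/ and the glibc NSS modules (libnss_files, libnss_dns); those still have to be copied by name, as the list above does.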
Under your ID, ensure the proper permissions are set on the chroot jail
sudo chown -R sendmail:mail /smt00p20/sendmail/
sudo chown sendmail /smt00p20/sendmail/var/spool/mqueue
sudo chmod 0700 /smt00p20/sendmail/var/spool/mqueue
sudo chmod -R go-w /smt00p20/sendmail
sudo chmod 0400 /smt00p20/sendmail/etc/mail/*.cf
Now verify it works – still under your ID as you have sudo permission to run chroot.
sudo /sbin/chroot /smt00p20/sendmail /bin/ls
# You should see a directory listing like this, not an error
bin dev etc lib lib64 tmp usr var
Assuming there are no problems, run sendmail:
sudo /sbin/chroot /smt00p20/sendmail /usr/sbin/sendmail -bd -q5m
Test sending mail through the server to verify proper functionality.
Unit Config: Edit the systemd unit file and add the “RootDirectory” directive. Note that the file under multi-user.target.wants is a symlink to the vendor unit in /usr/lib/systemd/system, which the next sendmail RPM update overwrites; to keep the change through OS patching, copy the unit to /etc/systemd/system/sendmail.service (units there take precedence over the vendor copy) and edit that instead.
sudo vi /etc/systemd/system/multi-user.target.wants/sendmail.service
[Unit]
Description=Sendmail Mail Transport Agent
After=syslog.target network.target
Conflicts=postfix.service exim.service
Wants=sm-client.service

[Service]
RootDirectory=/smt00p20/sendmail
Type=forking
StartLimitInterval=0
# Known issue - pid causes service hang/timeout that bothers Unix guys
# https://bugzilla.redhat.com/show_bug.cgi?id=1253840
#PIDFile=/run/sendmail.pid
Environment=SENDMAIL_OPTS=-q15m
EnvironmentFile=-/smt00p20/sendmail/etc/sysconfig/sendmail
ExecStart=/usr/sbin/sendmail -bd $SENDMAIL_OPTS $SENDMAIL_OPTARG

[Install]
WantedBy=multi-user.target
Also=sm-client.service
Then run “systemctl daemon-reload” to ingest the changes.
You can now use systemctl to start and stop the sendmail service.
Chrooting opendkim
Create the chroot jail and lib64 directory, create the base directories, then add a few core Linux files so you have a bash shell:
mkdir -p $OPENDKIMJAIL/lib64
mkdir -p $OPENDKIMJAIL/usr/lib64
mkdir -p $OPENDKIMJAIL/usr/lib
mkdir -p $OPENDKIMJAIL/bin
mkdir -p $OPENDKIMJAIL/etc
mkdir -p $OPENDKIMJAIL/dev
# the pid file the unit below points at lives here, inside the jail
mkdir -p $OPENDKIMJAIL/var/run/opendkim
cp /lib64/libtinfo.so.5 $OPENDKIMJAIL/lib64/
cp /lib64/libdl.so.2 $OPENDKIMJAIL/lib64/
cp /lib64/libc.so.6 $OPENDKIMJAIL/lib64/
cp /lib64/ld-linux-x86-64.so.2 $OPENDKIMJAIL/lib64/
cp /bin/bash $OPENDKIMJAIL/bin/
cp /lib64/libstdc++.so.6* $OPENDKIMJAIL/lib64
cp /lib64/libm.so.6 $OPENDKIMJAIL/lib64
cp /lib64/libgcc_s.so.1 $OPENDKIMJAIL/lib64
cp /lib64/libnss_files* $OPENDKIMJAIL/lib64/
Unpack the following RPMs in a scratch directory (rpm2cpio | cpio extracts the package’s paths relative to the current directory):
rpm2cpio opendkim-2.11.0-0.1.el7.x86_64.rpm | cpio -idmv
rpm2cpio libopendkim-2.11.0-0.1.el7.x86_64.rpm | cpio -idmv
rpm2cpio sendmail-milter-8.14.7-5.el7.x86_64.rpm | cpio -idmv
rpm2cpio opendbx-1.4.6-6.el7.x86_64.rpm | cpio -idmv
rpm2cpio libmemcached-1.0.16-5.el7.x86_64.rpm | cpio -idmv
rpm2cpio libbsd-0.6.0-3.el7.elrepo.x86_64.rpm | cpio -idmv
Then move the unpacked files into the corresponding location in the $OPENDKIMJAIL directory.
Copy host configuration ‘stuff’ from /etc
for f in aliases aliases.db passwd group resolv.conf host.conf nsswitch.conf services hosts localtime; do
    cp /etc/$f $OPENDKIMJAIL/etc/
done
Copy some more files:
for lib in libcom_err.so.2 libcrypt.so.1 libcrypto.so.10 libdb-5.3.so libfreebl3.so libgssapi_krb5.so.2 \
    libk5crypto.so.3 libkeyutils.so.1 libkrb5.so.3 libkrb5support.so.0 liblber-2.4.so.2 libldap-2.4.so.2 \
    libnspr4.so libnss3.so libnssutil3.so libpcre.so.1 libplc4.so libplds4.so libpthread.so.0 libresolv.so.2 \
    librt.so.1 libsasl2.so.3 libselinux.so.1 libsmime3.so libssl.so.10 libssl3.so libz.so.1; do
    cp /lib64/$lib $OPENDKIMJAIL/lib64/
done
cp /usr/lib64/libssl.so.10 $OPENDKIMJAIL/usr/lib64/
# libmilter comes from the unpacked sendmail-milter RPM; make it visible on every library path the loader may try
for lib in libmilter.so.1.0 libmilter.so.1.0.1; do
    cp $OPENDKIMJAIL/usr/lib64/$lib $OPENDKIMJAIL/usr/lib/
    cp $OPENDKIMJAIL/usr/lib64/$lib $OPENDKIMJAIL/lib64/
done
Configure OpenDKIM ($OPENDKIMJAIL/etc/opendkim.conf) and populate keys (copy from the server being replaced or generate new keys). Then, under your ID, run:
sudo /sbin/chroot /smt00p20/opendkim /usr/sbin/opendkim -u sendmail -v
The systemd unit file, /usr/lib/systemd/system/opendkim.service, needs to contain the following (this is the vendor unit, which a package update overwrites; keeping the edited copy at /etc/systemd/system/opendkim.service, where it takes precedence, survives patching):
# If you are using OpenDKIM with SQL datasets it might be necessary to start OpenDKIM after the database servers.
# For example, if using both MariaDB and PostgreSQL, change "After=" in the "[Unit]" section to:
# After=network.target nss-lookup.target syslog.target mariadb.service postgresql.service

[Unit]
Description=DomainKeys Identified Mail (DKIM) Milter
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target syslog.target

[Service]
RootDirectory=/smt00p20/opendkim
Type=forking
PIDFile=/smt00p20/opendkim/var/run/opendkim/opendkim.pid
EnvironmentFile=-/etc/sysconfig/opendkim
ExecStart=/usr/sbin/opendkim -u sendmail -v $OPTIONS
ExecReload=/bin/kill -USR1 $MAINPID
User=sendmail
Group=mail

[Install]
WantedBy=multi-user.target
Upgrading Sendmail – After Unix Applies Patches
This process grabs a new copy of sendmail, associated diagnostic utilities, and their dependencies from the OS installation. If you want to apply patches prior to Unix support doing so, you can stage a sendmail build (everything up to ‘make install’) and copy the files out or, if an updated RPM is in the repo but just not installed, download the RPMs, unpack them, and copy the files in. I would do that in addition to (and after) this process to ensure library updates are reflected in our jailed sendmail installation (i.e. if there’s an update to the crypto libraries, we get those updates).
# sendmail binary and helpers
cp /usr/sbin/sendmail.sendmail $SENDMAILJAIL/usr/sbin/sendmail.sendmail
cp /usr/sbin/makemap $SENDMAILJAIL/usr/sbin/makemap
cp /usr/sbin/mailstats $SENDMAILJAIL/usr/sbin/mailstats
cp /usr/sbin/praliases $SENDMAILJAIL/usr/sbin/praliases
cp /usr/sbin/smrsh $SENDMAILJAIL/usr/sbin/smrsh
cp /usr/bin/rmail.sendmail $SENDMAILJAIL/usr/bin/rmail.sendmail

# Libraries sendmail and its helpers load, from /usr/lib64
for lib in libssl.so.10 libcrypto.so.10 libnsl.so.1 libwrap.so.0 libhesiod.so.0 libcrypt.so.1 \
    libdb-5.3.so libresolv.so.2 libsasl2.so.3 libldap-2.4.so.2 liblber-2.4.so.2 libc.so.6 \
    libgssapi_krb5.so.2 libkrb5.so.3 libcom_err.so.2 libk5crypto.so.3 libdl.so.2 libz.so.1 \
    libidn.so.11 libfreebl3.so libpthread.so.0 libssl3.so libsmime3.so libnss3.so libnssutil3.so \
    libplds4.so libplc4.so libnspr4.so ld-linux-x86-64.so.2 libkrb5support.so.0 libkeyutils.so.1 \
    librt.so.1 libselinux.so.1 libpcre.so.1 libnss_dns.so.2 libnss_files.so.2; do
    cp /usr/lib64/$lib $SENDMAILJAIL/usr/lib64/$lib
done

# glibc NSS/resolver modules (the soname symlinks created at install time still point at these names)
for d in lib64 lib; do
    for lib in libnss_dns libresolv libnss_files; do
        cp /lib64/$lib-2.17.so $SENDMAILJAIL/$d/$lib-2.17.so
    done
done

# SASL plugins and sendmail's SASL configuration
cp /usr/lib64/sasl2/* $SENDMAILJAIL/usr/lib64/sasl2/
cp /lib64/sasl2/* $SENDMAILJAIL/lib64/sasl2/
cp /etc/sasl2/Sendmail.conf $SENDMAILJAIL/usr/lib64/sasl2/
cp /etc/sasl2/Sendmail.conf $SENDMAILJAIL/etc/sasl2/

# The same libraries under /lib64, plus the dependencies of the troubleshooting tools
for lib in ld-linux-x86-64.so.2 libc.so.6 libcom_err.so.2 libcrypt.so.1 libcrypto.so.10 libdb-5.3.so \
    libdl.so.2 libfreebl3.so libgssapi_krb5.so.2 libhesiod.so.0 libidn.so.11 libk5crypto.so.3 \
    libkeyutils.so.1 libkrb5.so.3 libkrb5support.so.0 liblber-2.4.so.2 libldap-2.4.so.2 libnsl.so.1 \
    libnspr4.so libnss3.so libnssutil3.so libpcre.so.1 libplc4.so libplds4.so libpthread.so.0 \
    librt.so.1 libsasl2.so.3 libselinux.so.1 libsmime3.so libssl.so.10 libssl3.so libwrap.so.0 libz.so.1 \
    libdns.so.100 liblwres.so.90 libbind9.so.90 libisccfg.so.90 libisccc.so.90 libisc.so.95 \
    libcap.so.2 libGeoIP.so.1 libxml2.so.2 libm.so.6 libattr.so.1 liblzma.so.5 libtinfo.so.5 \
    libacl.so.1 libprocps.so.4 libsystemd.so.0 libgcrypt.so.11 libgpg-error.so.0 libdw.so.1 \
    libgcc_s.so.1 libelf.so.1 libbz2.so.1; do
    cp /lib64/$lib $SENDMAILJAIL/lib64/
done

# Troubleshooting utilities
cp /bin/dig $SENDMAILJAIL/bin/
cp /bin/bash $SENDMAILJAIL/bin/
cp /bin/ls $SENDMAILJAIL/bin/
cp /bin/vi $SENDMAILJAIL/bin/
cp /bin/rm $SENDMAILJAIL/bin/
cp /usr/sbin/pidof $SENDMAILJAIL/usr/sbin/pidof
Under your ID, ensure the proper permissions are set on the chroot jail:
sudo chown -R sendmail:mail /smt00p20/sendmail/
sudo chown sendmail /smt00p20/sendmail/var/spool/mqueue
sudo chmod 0700 /smt00p20/sendmail/var/spool/mqueue
sudo chmod -R go-w /smt00p20/sendmail
sudo chmod 0400 /smt00p20/sendmail/etc/mail/*.cf
Then start sendmail and verify functionality.
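The hand-maintained cp list above is easy to get out of sync with the binaries actually installed (a package update pulls in a new library and the jailed sendmail stops starting). As an added example, not part of the original post, here is a small POSIX sh helper set that derives the library list from ldd(1) output, copies each file into the jail at the same path it has on the host, and reports anything that the go-w lock-down should have caught. The jail path defaults to the post's /smt00p20/sendmail via SENDMAILJAIL; the list of binaries you feed it is your own.

```shell
#!/bin/sh
# Added example (not from the original post): populate a chroot jail from
# ldd(1) output instead of maintaining a hand-written cp list.
# SENDMAILJAIL defaults to the path used in the post.

JAIL="${SENDMAILJAIL:-/smt00p20/sendmail}"

# Read ldd output on stdin and print one absolute library path per line.
# Handles "libz.so.1 => /lib64/libz.so.1 (0x...)" and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)". The vDSO line and "not found"
# entries carry no path and are skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy one file into the jail at the same path it has on the host,
# creating the directory first (mirrors the cp lines in the post).
jail_copy() {
    src=$1; jail=$2
    mkdir -p "$jail$(dirname "$src")"
    cp "$src" "$jail$src"
}

# Copy a binary plus every shared object ldd reports for it.
jail_install() {
    bin=$1; jail=$2
    jail_copy "$bin" "$jail"
    for lib in $(ldd "$bin" | ldd_paths); do
        jail_copy "$lib" "$jail"
    done
}

# List anything under the jail that is still group- or world-writable.
# After the post's "chmod -R go-w" this should print nothing; anything it
# does print is a file a compromised jailed process could alter.
jail_writable() {
    find "$1" ! -type l \( -perm -g+w -o -perm -o+w \)
}

# Usage (as root, after the jail skeleton exists):
#   jail_install /usr/sbin/sendmail "$JAIL"
#   jail_install /bin/dig "$JAIL"
#   jail_writable "$JAIL"
```

Run jail_install once per binary you want inside the jail, then the chown/chmod lines from the post, then jail_writable as the final check. Because ldd is asked at install time, a later library update only needs the same two commands re-run rather than a re-read of the list.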
Updating OpenDKIM
cp /lib64/libtinfo.so.5 $OPENDKIMJAIL/lib64/
cp /lib64/libdl.so.2 $OPENDKIMJAIL/lib64/
cp /lib64/libc.so.6 $OPENDKIMJAIL/lib64/
cp /lib64/ld-linux-x86-64.so.2 $OPENDKIMJAIL/lib64/
cp /bin/bash $OPENDKIMJAIL/bin/
cp /lib64/libstdc++.so.6* $OPENDKIMJAIL/lib64
cp /lib64/libm.so.6 $OPENDKIMJAIL/lib64
cp /lib64/libgcc_s.so.1 $OPENDKIMJAIL/lib64
cp /lib64/libnss_files* $OPENDKIMJAIL/lib64/
If there is an update to the opendkim packages, unpack the updated RPM files and move the new files into the corresponding jail locations.
rpm2cpio opendkim-2.11.0-0.1.el7.x86_64.rpm | cpio -idmv
rpm2cpio libopendkim-2.11.0-0.1.el7.x86_64.rpm | cpio -idmv
rpm2cpio sendmail-milter-8.14.7-5.el7.x86_64.rpm | cpio -idmv
rpm2cpio opendbx-1.4.6-6.el7.x86_64.rpm | cpio -idmv
rpm2cpio libmemcached-1.0.16-5.el7.x86_64.rpm | cpio -idvm
rpm2cpio libbsd-0.6.0-3.el7.elrepo.x86_64.rpm | cpio -idvm
DMARC and DKIM
Microsoft’s latest security newsletter included the fact that more than 90% of Fortune 500 companies have not fully implemented DMARC. Wow — that’s something I do at home! Worse still, the Fortune 500 company for which I work is in that 90% … a fact I hope to rectify this week. SPF is just some DNS entries that indicate the source IPs that are expected to be sending email from your domain. Lots of SPF record generators online.
DKIM is a little more involved, but it’s a lot easier now that packages for DKIM are available on Linux distro repositories. You still *can* build it from source, but it’s easier to install the OpenDKIM package.
Once the package is installed, generate the key(s) to be used with your domain(s).
cd /etc/opendkim/keys/
openssl genrsa -out dkim.private 2048
openssl rsa -in dkim.private -out dkim.public -pubout -outform PEM
# secure private key file
chown opendkim:opendkim dkim.private
chmod go-r dkim.private
Decide on the selector you are using — I use ‘mail’ as my selector. At work, I use ‘2017Q3Key’ — this allows us to change to a new key without in-transit mail being impacted. Old mail was sent with the 2017Q2 selector and *that* public key is in DNS. New mail comes across with 2017Q3 and uses the new DNS record to verify. I do *not* share these keys – anyone else sending mail from our domain needs to generate their own key (or I make one for them), use their own unique selector, and I will create the DNS records for their selector. When marketing engages a third party to send e-mails on our behalf, we have a 2017VendorName selector too.
Edit /etc/opendkim.conf. The socket line is not necessary – I just tend away from default ports as a habit. Since it’s bound to localhost, not such a big deal.
Mode sv
Socket inet:8895@localhost
Selector mail
KeyFile /etc/opendkim/keys/dkim.private
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
InternalHosts refile:/etc/opendkim/TrustedHosts
There’s a config option, “SendReports” — a boolean that indicates whether you want your system to send failure reports when the sender indicates they want such reports and provides a reporting address. Especially for testing purposes, I recommend indicating your domain wants reports — it is helpful in case you’ve got something configured not quite right and are failing delivery on some messages. As such, I configure my installation to send reports. It’s additional overhead in cases where verification fails; I don’t see all that many failures, and it isn’t a lot of extra load. Since I know my installation will send detailed failure information, I can use my domain when testing new implementations.
Once you have the base configuration set, edit /etc/opendkim/SigningTable and add your domain(s) and the appropriate selector
*@rushworth.us mail._domainkey.rushworth.us
*@lisa.rushworth.us mail._domainkey.lisa.rushworth.us
*@scott.rushworth.us mail._domainkey.scott.rushworth.us
*@anya.rushworth.us mail._domainkey.anya.rushworth.us
Edit /etc/opendkim/KeyTable and map each selector from the SigningTable to a key file
mail._domainkey.rushworth.us rushworth.us:default:/etc/opendkim/keys/dkim.private
mail._domainkey.lisa.rushworth.us lisa.rushworth.us:default:/etc/opendkim/keys/lisa.dkim.private
mail._domainkey.scott.rushworth.us scott.rushworth.us:default:/etc/opendkim/keys/scott.dkim.private
mail._domainkey.anya.rushworth.us anya.rushworth.us:default:/etc/opendkim/keys/anya.dkim.private
Edit /etc/opendkim/TrustedHosts and add the internal IPs that relay your domain’s mail through the server (IP addresses or subnets)
Create DNS TXT records – the part after p= is the content of the public key file for that selector. When you are first setting up DKIM, use t=y (yes, we are just testing this). Once you confirm everything is functional, you can change to t=n (nope, really pay attention to our DKIM signature and policy). The policy is an individual preference. I use ‘all’ (all mail from my domain will be signed) and “o=-” (again, all mail from my domain will be signed). You can use “o=~” (some mail from my domain is signed, some isn’t … who knows) and “dkim=unknown” (again, some is signed). You can use “dkim=discardable” (don’t just consider the message as more likely to be spam if it is not signed … you can outright drop the message). As a business, I don’t use this *just in case*. Something crazy happens – the dkim service falls over, your key gets mangled – and receiving parties can start dropping your messages. Using “dkim=all” means they are more apt to quarantine them as spam, but someone can go and get the messages. And hopefully notice something odd is happening.
mail._domainkey.domain.tld TXT k=rsa;t=y;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzTnpc7tHfyH1zgT3Jx/JHmGSz8WCy1jvzu5QsYvDBmimKEHRY4Kz4mya5bOYsDQuJ/sz+BJo6xDwsUXCuyEkykIlgqP+7E9oK2EcW0dZms87SGmNEnNBN5iTe0pdzk1lXx2js3QdOWswO+cmA9F1Z8OzSR+2u79huugPFBHl79zFvOEHbigrmeHEfo0KHWpeNomf/xKx+wyYr1n3R5gS+28CeC3abSyKgmaYYRLoZsjrCLbEM0m2YPJRKd1ZGOObBMa4PZWj7pT07ISEjoNnXQ27BtcL/QjKKeLkbJ0UGEOSdPEJKuEpAUvYU9lA5hbtzrqiwdlPxWYocDVPrcqAHwIDAQAB
_adsp._domainkey.domain.tld TXT dkim=all
_domainkey.rushworth.us TXT t=y;o=-;r=dkim@lisa.rushworth.us
_ssp._domainkey.rushworth.us TXT t=y;dkim=all
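Generating the key, choosing a selector and pasting the PEM body into a TXT record are three manual steps per selector, and the one that bites later is the last: a key rotated on disk but not in DNS silently fails verification everywhere. As an added example (mine, not the post's), the POSIX sh functions below do the key generation exactly as the post does, render the TXT record from the public key file, and compare what DNS actually publishes with the key on disk. KEYDIR, the selector names and the use of a v=DKIM1 tag (which the post's record omits) are my choices.

```shell
#!/bin/sh
# Added example, not from the original post: per-selector DKIM key
# generation, TXT record rendering, and a published-key check.
# KEYDIR is an assumption; the post keeps keys in /etc/opendkim/keys.

KEYDIR="${KEYDIR:-/etc/opendkim/keys}"

# Create <selector>.private / <selector>.public under KEYDIR with the
# post's openssl, chown and chmod steps. One key per selector, so rotating
# to a new selector (2017Q2 -> 2017Q3) never disturbs in-flight mail.
dkim_newkey() {
    selector=$1
    openssl genrsa -out "$KEYDIR/$selector.private" 2048
    openssl rsa -in "$KEYDIR/$selector.private" -pubout -outform PEM \
        -out "$KEYDIR/$selector.public"
    chown opendkim:opendkim "$KEYDIR/$selector.private"
    chmod go-r "$KEYDIR/$selector.private"
}

# The p= value is the PEM body: drop the BEGIN/END lines and join the
# base64 into one line.
dkim_p_value() {
    grep -v '^-----' "$1" | tr -d '\n\r'
}

# Print the record to publish. A fourth argument of "y" adds t=y (the
# post's "we are just testing" flag); anything else omits the t= tag.
dkim_txt_record() {
    selector=$1; domain=$2; pubfile=$3; testing=$4
    flags="k=rsa;"
    [ "$testing" = y ] && flags="$flags t=y;"
    printf '%s._domainkey.%s TXT "v=DKIM1; %s p=%s"\n' \
        "$selector" "$domain" "$flags" "$(dkim_p_value "$pubfile")"
}

# Pull the p= tag out of a TXT record as DNS returns it: quoted, possibly
# split into several strings, with spaces between tags.
dkim_p_from_txt() {
    printf '%s' "$1" | tr -d '" \n' | tr ';' '\n' | sed -n 's/^p=//p'
}

# Exit 0 when the key DNS publishes for <selector>._domainkey.<domain>
# matches the local public key file, 1 otherwise. Needs network access.
dkim_published_matches() {
    selector=$1; domain=$2; pubfile=$3
    published=$(dig +short TXT "$selector._domainkey.$domain" | tr -d '\n')
    [ "$(dkim_p_from_txt "$published")" = "$(dkim_p_value "$pubfile")" ]
}

# Usage:
#   dkim_newkey 2017Q3Key
#   dkim_txt_record 2017Q3Key example.com "$KEYDIR/2017Q3Key.public" y
#   dkim_published_matches 2017Q3Key example.com "$KEYDIR/2017Q3Key.public"
```

Run dkim_published_matches from cron after every rotation and before flipping the selector in opendkim.conf; it is the cheapest way to catch a record that was pasted with a line break missing or against the old selector.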
Edit /etc/mail/sendmail.mc (using the port defined in /etc/opendkim.conf):
INPUT_MAIL_FILTER(`dkim-filter', `S=inet:8895@localhost')
Build sendmail.cf from your sendmail.mc and verify that you’ve got the dkim-filter line:
Xdkim-filter, S=inet:8895@localhost
Start opendkim, then restart sendmail. Now test it — inbound mail should have *their* DKIM signatures verified, outbound mail should be signed with the appropriate key.
Once you have verified your DKIM is functioning properly — well, first of all you can update your DNS records to remove testing mode. Then create your DMARC record:
_dmarc.rushworth.us v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:dmarc-rua@lisa.rushworth.us!10m; ruf=mailto:dmarc-ruf@lisa.rushworth.us!10m; rf=afrf; pct=100; ri=172800
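A DMARC record is a short tag list, but the tags that make it toothless (p=none, a small pct=, no rua= so nobody ever sees the reports) are easy to leave in from the testing phase. As an added example, not from the original post, the POSIX sh functions below split a record into its tags and flag those settings; the record above passes clean, which is the point of the comparison. Feed it the TXT value from your zone file or from dig +short TXT _dmarc.<domain>.

```shell
#!/bin/sh
# Added example, not from the original post: pull a DMARC record apart into
# its tags and report the settings that leave the domain unprotected.

# Print "tag value" pairs, one per line: strip quotes and spaces, split on ';'.
dmarc_tags() {
    printf '%s' "$1" | tr -d '" ' | tr ';' '\n' |
        sed -n 's/^\([a-z]*\)=\(.*\)$/\1 \2/p'
}

# Value of one tag (empty when absent).
dmarc_tag() {
    dmarc_tags "$1" | awk -v t="$2" '$1 == t { print $2; exit }'
}

# One finding per line for what an auditor looks at first; prints nothing
# and returns 0 when the record is sound, returns 1 otherwise.
dmarc_audit() {
    rec=$1; findings=0
    [ "$(dmarc_tag "$rec" v)" = "DMARC1" ] || { echo "missing or wrong v= tag"; findings=1; }
    p=$(dmarc_tag "$rec" p)
    case "$p" in
        quarantine|reject) ;;
        none) echo "p=none: failures are only reported, never acted on"; findings=1 ;;
        *)    echo "p= tag missing or invalid: '$p'"; findings=1 ;;
    esac
    sp=$(dmarc_tag "$rec" sp)
    [ -n "$sp" ] && [ "$sp" = none ] && { echo "sp=none: subdomains are unprotected"; findings=1; }
    pct=$(dmarc_tag "$rec" pct)
    [ -n "$pct" ] && [ "$pct" -lt 100 ] && { echo "pct=$pct: policy applied to a sample only"; findings=1; }
    [ -n "$(dmarc_tag "$rec" rua)" ] || { echo "no rua= address: no aggregate reports"; findings=1; }
    return $findings
}

# Usage: dmarc_audit "$(dig +short TXT _dmarc.example.com | tr -d '"')"
```

Note that sp= is optional and defaults to the p= policy, so the audit only complains about it when it is explicitly set to none; pct= defaults to 100 in the same way.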
Sendmail VirtUserTable
Some mail systems support sub-addressing (e.g. user+ignoredstring@example.com), but Exchange is not one of them. Even if/when it gets supported, it’s really easy to figure out the real e-mail address from a sub-address. Instead, we use sendmail’s virtusertable to map entire subdomains (e.g. @lisa.example.com) over to our primary e-mail addresses. If an address becomes compromised, we can blacklist the particular something@subdomain.rushworth.us address in the access table.
Virtual Domain Aliases
These aliases allow changes to be made to intended recipient addresses. There are two files required for an address to be aliased. An entry for “VIRTUSER_DOMAIN_FILE” will exist in the sendmail.mc specifying the file listing the domains to be included for aliasing. For us, this is /etc/mail/virtuser-domains. This is a text file containing the name of each domain to be virtualized for aliasing, one domain per line. Please note, the domains included herein need only be the recipient domains, not the domains to which aliases are mapped. E.G. our virtuser-domains file contains just:
example.com
And yet we can alias test.addy@example.com to someotheraddy@example.net … it is only the source address that needs to be defined in virtuser-domains.
Aliases for the virtual domains are contained in /etc/mail/virtusertable. The left-hand entry is the recipient address and the right-hand entry is what that recipient will be translated to. Left-hand entries can be an email address (testaddy@example.com) or a domain (@lisa.example.com)
Right-hand entries can be an alternate address. If the address should remain the same, an exclamation point can be used:
myfakeaddress@example.com external.email@example.net
myaddress@example.com !
The right-hand entry can also be an action, like error which will return an error code
compromised.address@lisa.example.com error:nouser User unknown
To commit changes to the virtusertable:
makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable
Testing Virtual Aliases:
You can test the results of the virtual address space aliasing using sendmail -bt. At the new prompt (a greater-than sign on a blank line) type 3,0 followed by the address you would like to test. E.G.:
[uid@NEOHTWNLX821 ~]# sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> 3,0 llanders@example.com
canonify           input: llanders @ example . com
Canonify2          input: llanders < @ example . com >
Canonify2        returns: llanders < @ example . com . >
canonify         returns: llanders < @ example . com . >
parse              input: llanders < @ example . com . >
Parse0             input: llanders < @ example . com . >
Parse0           returns: llanders < @ example . com . >
ParseLocal         input: llanders < @ example . com . >
ParseLocal       returns: llanders < @ example . com . >
Parse1             input: llanders < @ example . com . >
Recurse            input: llanders @ example . net
canonify           input: llanders @ example . net
Canonify2          input: llanders < @ example . net >
Canonify2        returns: llanders < @ example . net . >
canonify         returns: llanders < @ example . net . >
parse              input: llanders < @ example . net . >
Parse0             input: llanders < @ example . net . >
Parse0           returns: llanders < @ example . net . >
ParseLocal         input: llanders < @ example . net . >
ParseLocal       returns: llanders < @ example . net . >
Parse1             input: llanders < @ example . net . >
Mailertable        input: < example . net > llanders < @ example . net . >
Mailertable        input: example . < com > llanders < @ example . net . >
Mailertable      returns: llanders < @ example . net . >
Mailertable      returns: llanders < @ example . net . >
MailerToTriple     input: < > llanders < @ example . net . >
MailerToTriple   returns: llanders < @ example . net . >
Parse1           returns: $# esmtp $@ example . net . $: llanders < @ example . net . >
parse            returns: $# esmtp $@ example . net . $: llanders < @ example . net . >
Recurse          returns: $# esmtp $@ example . net . $: llanders < @ example . net . >
Parse1           returns: $# esmtp $@ example . net . $: llanders < @ example . net . >
parse            returns: $# esmtp $@ example . net . $: llanders < @ example . net . >
Use ctrl-d to exit the test.
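Typing 3,0 addresses one at a time is fine for a spot check, but after editing the virtusertable (or the mailertable) what you really want is to re-run every mapping you care about and see only the ones that changed. As an added example, not from the original post, the POSIX sh functions below drive sendmail -bt non-interactively and reduce the final "parse returns:" line of the transcript above to a plain "mailer host user" triple that a script can compare. The expected-mapping list format is my own.

```shell
#!/bin/sh
# Added example, not from the original post: script sendmail -bt address
# tests so virtusertable/mailertable edits can be regression-checked.

# Read a -bt transcript on stdin and reduce the last "parse returns:" line
# (e.g. "$# esmtp $@ example . net . $: llanders < @ example . net . >")
# to "esmtp example.net llanders@example.net". A local-mailer result
# "$# local $: user" has no $@ part and becomes "local user".
bt_result() {
    awk '/^parse[ \t]+returns:/ { last = $0 } END { print last }' |
    sed -e 's/.*\$# *//'      \
        -e 's/ *\$@ */|/'     \
        -e 's/ *\$: */|/'     \
        -e 's/ //g'           \
        -e 's/[<>]//g'        \
        -e 's/\.|/|/g'        \
        -e 's/\.$//'          \
        -e 's/|/ /g'
}

# Resolve one address through the live configuration. Needs sendmail and
# the compiled .db maps on the host; not exercised by the test below.
resolve_address() {
    printf '3,0 %s\n' "$1" | sendmail -bt | bt_result
}

# Read "address expected-user" pairs on stdin, one per line, and report
# every address whose resolved user differs. Returns 1 on any mismatch.
check_mappings() {
    rc=0
    while read -r addr want; do
        got=$(resolve_address "$addr" | awk '{ print $3 }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $addr -> $got (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_mappings <<EOF
# llanders@example.com llanders@example.net
# compromised.address@lisa.example.com
# EOF
```

Keep the expected list in the same git repository as the map files; a mapping that resolves to the wrong place after makemap then shows up in the same commit that broke it.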
Sendmail Mailertable
Mailertable (/etc/mail/mailertable)
Routing information for external delivery. Functionally, these are like the SMTP Connectors within Exchange. The mailertable entries can override everything including smarthost definitions. This is required for internal mail routing – our sendmail servers should not transmit email for @windstream.com to the MX records but rather the destination we intend. We also use mailertable entries to force B2B communication over internal secured channels.
If a server is unable to deliver mail to a specific domain (e.g. one of our public IP addresses gets blacklisted), a mailertable entry can be used to direct all mail destined for the domain through one of our servers still able to make delivery.
The file contains two columns, domains and actions. Domains can be ends-with substring matches:
.anythingfromthisdomain.com
Will match @thishost.anythingfromthisdomain.com as well as @thathost.anythingfromthisdomain.com. Domains can also be a full match of the right-hand side of the email address:
justthisemaildomain.com
Which will match @justthisemaildomain.com. The most “accurate” match will win, not just the first match in line. So if your file contains the following:
.mysampledomain.com relay:[10.10.10.10]
thishost.mysampledomain.com relay:[20.20.20.20]
Mail destined for thishost.mysampledomain.com will be sent to 20.20.20.20
Actions contain both a mailer and a host. The mailer can redirect messages to local users:
.egforlocaldelivery.com local:username
Or it can force an error response:
Baddomain.com error:5.3.0:Unknown User
Our use of the mailertable, though, is to redirect mail destined for the domain:
windstream.com relay:[twnexchinbound.windstream.com]
newacquisition.com relay:[theirinternalhost.theirdomain.com]
In these cases, the square brackets around the destination override the MX record. To reroute a domain’s delivery destination, then, it is imperative that the host be enclosed in square brackets.
To commit changes to the file, either use “make” from within /etc/mail to commit all changes or the following command to commit just the changes to mailertable:
makemap hash /etc/mail/mailertable < /etc/mail/mailertable
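The "most accurate match wins" rule above is worth being able to check before makemap runs, because a new .domain.com wildcard can quietly shadow or be shadowed by an existing host entry. As an added example, not from the original post, the POSIX sh function below reproduces the lookup order sendmail's Mailertable ruleset uses (exact domain first, then each shorter .suffix, with keys folded to lower case as makemap does by default) against the plain-text table file. The table contents used in the usage note are the post's own two-line example.

```shell
#!/bin/sh
# Added example, not from the original post: emulate the mailertable lookup
# order against the text file so entry precedence can be checked by hand.

# mailertable_lookup <domain> <tablefile>
# Prints the action for the best match and returns 0; prints nothing and
# returns 1 when no entry applies (sendmail then uses SMART_HOST or MX).
mailertable_lookup() {
    domain=$1; table=$2
    key=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    while [ -n "$key" ]; do
        # Everything after the key column is the action ("error:5.3.0:Unknown
        # User" keeps its space). Keys are compared case-insensitively.
        action=$(awk -v k="$key" \
            'tolower($1) == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$table")
        if [ -n "$action" ]; then
            printf '%s\n' "$action"
            return 0
        fi
        # Drop the leading label and try the ".suffix" form next:
        # thishost.example.com -> .example.com -> .com -> (give up)
        case "$key" in
            .*) rest=${key#.} ;;
            *)  rest=$key ;;
        esac
        case "$rest" in
            *.*) key=".${rest#*.}" ;;
            *)   key="" ;;
        esac
    done
    return 1
}

# Usage, with the post's two entries in /etc/mail/mailertable:
#   mailertable_lookup thishost.mysampledomain.com /etc/mail/mailertable
#     -> relay:[20.20.20.20]
#   mailertable_lookup otherhost.mysampledomain.com /etc/mail/mailertable
#     -> relay:[10.10.10.10]
```

This reads the source file, not the .db, so it tells you what the table will do once committed; the authoritative answer for the running server is still sendmail -bt with a 3,0 test as in the virtusertable section.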
Sendmail Configuration
Sendmail Configuration Files – sendmail.cf and sendmail.mc
Sendmail configuration files are located by default in /etc/mail/. PureMessage uses /opt/pmx4/sendmail/etc/mail/
The main configuration file is sendmail.cf. This is a rather cryptic file which we will not configure directly. If you want to know the syntax for sendmail.cf, read the documentation at http://www.sendmail.org or get the O’Reilly book. This information is specific to the MC file from which a macro builds the CF file.
sendmail.mc contains instructions to allow the M4 macro processor to build sendmail.cf. Very important, before you can use a macro to create a sendmail.cf file, you need to have the macro installed. This is the sendmail package sendmail-cf. To ascertain if the package has been installed on RedHat:
[root@LJLLX001 mail]# rpm -qa | grep sendmail
sendmail-8.13.1-2
sendmail-cf-8.13.1-2
Both sendmail and sendmail-cf packages should appear in the results. If you do not have the CF package, install it.
The text “dnl” within sendmail.mc denotes a comment – like an apostrophe in Visual Basic or a hash in Perl. Many lines end with dnl, or dnl with some type of commentary. Lines beginning with dnl are not processed.
Common instructions within a sendmail.mc file:
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
This line refers the m4 utility to the correct “translation” to build the sendmail.cf file. It is important that the line is at the top of the mc file, but it has nothing to do with sendmail configuration specifically.
VERSIONID(`setup for Red Hat Linux')dnl
This line is not required, and we have ‘junk’ in it frequently. It records the version of sendmail in the cf file for administrative reference.
OSTYPE(`linux')dnl
More instructions for m4: different OSes have different locations for sendmail files, and the OS defined here identifies which parameters to use. This line again needs to be at the top of the mc file.
define(`confDEF_USER_ID', `8:12')dnl
Defines which user and group sendmail will run as – do NOT pick root here. User id 8 (mail) and group id 12 (mail) from /etc/passwd and /etc/group respectively.
define(`confTO_CONNECT', `1m')dnl
Time limit for SMTP connection timeout, set to one minute normally. This is how long your server will wait for an initial connect() to complete.
define(`confTRY_NULL_MX_LIST', true)dnl
Email is normally routed by MX records. This instruction means the ‘domain’ can also be a host name with no MX defined. E.G. sending email to @windstream.com will return the MX records, as they exist. Attempting to email @neohtwnlx810.windstream.com will return no MX records, but LX810 will be contacted directly to attempt delivery. This is a most useful instruction for return delivery to system mailers.
define(`confDONT_PROBE_INTERFACES', true)dnl
The sendmail class w lists the host and IP addresses for which sendmail accepts and takes local delivery. This class can be automatically populated, or, using this directive, not automatically populated. We configure this information manually in other files.
You can use a sendmail command line to determine what various system variables are set to:
[root@LJLLX001 ~]# sendmail -d0.1 -bv
Version 8.13.1
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
USERDB USE_LDAP_INIT
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = LJLLX001
(canonical domain name) $j = LJLLX001.vibiant.dnsalias.com
(subdomain name) $m = vibiant.dnsalias.com
(node name) $k = LJLLX001.vibiant.com
========================================================
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
Exactly what it says – the location of procmail
define(`ALIAS_FILE', `/etc/aliases')dnl
Location of the file for local delivery aliases – not something we use often as there are few local delivery accounts. In the ISP, this file can be used to give someone additional addresses which deliver to the same mailbox. This file can also be used to direct delivery of a local account to a program – in PureMessage for example, /opt/pmx4/sendmail/etc/mail/aliases directs the pmx-auto-approve address to the application which releases user messages.
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
This is a resolver option; it instructs sendmail to ignore SERVFAIL errors during an IPv6 lookup. We had a few domains for which we could not deliver mail without this directive.
define(`SMART_HOST', `[192.168.1.53]')
A smart host can be used instead of direct mail delivery. For a server which is not meant to deliver mail to the internet (neohtwnlx824 for instance) the smart_host directive sends all mail to the defined destination. The destination can be a hostname or an IP address. Note, the mailertable will override the smarthost.
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
Retains statistical information on the server – use the command mailstats to output the statistics; the file created here is not text.
define(`UUCP_MAILER_MAX', `2000000')dnl
Maximum size for messages relayed by UUCP mailers
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
Disables unwanted commands – usually for security reasons. EXPN expands groups into their component members, for instance, so noexpn is used to disable that command, and novrfy disables VRFY in the same way. Some of these are more important if local delivery is handled by the sendmail server.
define(`confAUTH_OPTIONS', `A')dnl
What kinds of authentication are supported by the server. Useful if you are requiring authentication to relay mail; we do not do this. Some UNIX hosts get confused if AUTH is an option made available, and you need to remark this line out of the mc file.
define(`confTO_QUEUEWARN', `6d')dnl
If you ever see an email from a destination mail server saying it is still trying to deliver your message and just wanted to let you know – that is what this interval defines. To truly adhere to RFC specifications, a sendmail server should continue to attempt delivery for at least four to five days. As a “nice” feature, the server can send periodic notifications to the sender that delivery has been delayed. This standard comes from a time when circuits were smaller and quite lossy. It could reasonably take days to establish a connection to the destination and transmit a message.
We are rogue and just return mail as undeliverable after a shorter period. No reason to notify users, but to ensure that a notification is not sent, we put the warning interval at something higher than the expiration interval.
define(`confTO_QUEUERETURN', `12h')dnl
Related to the QUEUEWARN interval – this is the period after which the sendmail server considers the message undeliverable and returns it to the sender. By default, this is five days, so we make sure to define something more reasonable. Otherwise there would be no way to identify “high” mail queue counts for alerting.
define(`confQUEUE_LA', `16')dnl
Load average at which queue-only functionality is engaged
define(`confREFUSE_LA', `48')dnl
Load average at which SMTP connections are refused
define(`confDELAY_LA', `30')dnl
Load average at which sendmail will delay one second on SMTP commands
define(`confMIN_QUEUE_AGE', `5m')dnl
Minimum time a message has to sit in the queue before it is retried
define(`confTO_HOSTSTATUS', `2m')dnl
If a host has been denoted as unavailable, the status will be cached for this duration. After the interval expires, connection to the host will be retried.
define(`confMAX_DAEMON_CHILDREN', 2000)
Maximum number of child processes permitted. Sendmail will reject subsequent connections once this number has been reached. Very important to have something defined on the DMZ servers. Default is infinite, and it is possible for a server to become unresponsive and need to be rebooted with out-of-memory errors when too many processes are spawned.
define(`confTO_IDENT', `0')dnl
Timeout for responses to IDENT
FEATURE(`no_default_msa', `dnl')dnl
The default MSA options are not used, but rather explicitly defined in the DAEMON_OPTIONS directive
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
Shell used for command line mailing programs, not really pertinent in our case
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
This file will be discussed in more detail later; this directive specifies the use of a mailertable and the location of the file.
VIRTUSER_DOMAIN_FILE(/etc/mail/virtuser-domains)dnl
This file will be discussed in more detail later; this directive specifies the location of the file containing virtualised domains.
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
This file will be discussed in more detail later; this directive specifies the use of virtual user mapping and the location of the file containing said mappings.
FEATURE(always_add_domain)dnl
Appends the local host domain to even locally delivered mail.
FEATURE(use_cw_file)dnl
Alternate host names are in /etc/mail/local-host-names – machine aliases
FEATURE(use_ct_file)dnl
Users who can set alternate envelope from addresses without generating a warning message. File is /etc/mail/trusted-users
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
Specifies the program to use as the local mailer, and its command options
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
This file will be discussed in more detail later; this directive specifies the use of an access restriction table and the location of the file.
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
This is where the settings for the MSA are defined. Port=smtp uses the default port of 25, or an alternate port can be used. Addr=# can be included to bind sendmail to a specific address (including 127.0.0.1 for localhost access only).
INPUT_MAIL_FILTER(`vamilter', `S=inet:3333@localhost,F=R,T=S:10m;R:10m;E:10m')
Defines a “milter” – mail filter. The port and destination of the milter must be included with S=. S=inet is an IPv4 socket, S=inet6 is an IPv6 socket, and S=local is a Unix-domain socket (/var/run/)
F= defines an action to take on failure, R (reject), T (tempfail), or if no option is included just pass the message through sendmail and ignore the milter
T= defines timeouts for sendmail’s communication with the milter:
C Connect timeout
S Sending timeout (sendmail transmission of data to milter)
R Reading timeout (for reply from milter)
E Overall timeout (between sending end of message and final ack)
MASQUERADE_AS(`vibiant.dnsalias.com')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`allmasquerade')dnl
MASQUERADE_DOMAIN(`arlitljl.com')dnl
MASQUERADE_DOMAIN(`homedomain.local')dnl
This group of directives is all interrelated. Masquerading is basically replacement – MASQUERADE_AS is the domain which will be used in place of the domains identified in MASQUERADE_DOMAIN lines. In this case, both @arlitljl.com and @homedomain.local will be overwritten with @vibiant.dnsalias.com. The directive FEATURE(masquerade_entire_domain) could be included to replace any subdomain of the masquerade domains (e.g. @secured.arlitljl.com, @public.arlitljl.com, and @restricted.arlitljl.com in addition to @arlitljl.com).
Masquerade envelope applies the masquerade to the envelope information and allmasquerade applies the masquerade to everything in the envelope, including cc:, from: and to: — this directive is important when we mask an acquired company’s email domain with our own.
FEATURE(`accept_unresolvable_domains')dnl
Allows the domain in the MAIL FROM command to be one that does not resolve in DNS. Since some people do not manage to configure their mail servers properly, we are less restrictive here to avoid complaints.
LOCAL_DOMAIN(`localhost.localdomain')dnl
Domain(s) for which the server will accept local delivery – since our servers do not really deliver mail, the domain should include the localdomain to prevent accidental misdirection of mail.
MAILER(smtp)dnl
MAILER(procmail)dnl
Defines mailers to be used in addition to local – these should be the last lines of the mc file
When you make changes to the sendmail.mc file, you will need to run the macro processor to update the CF file. You can see the results by running:
m4 sendmail.mc | less
The text which will be used in sendmail.cf will be displayed on the screen. To actually commit the changes, use:
m4 sendmail.mc > sendmail.cf
or just type
make
Make will update all of the files in /etc/mail, so ensure you like all the changes you have made, not just the changes to sendmail.mc