sendmail

I would like to think that it is a common need for a straightforward mail relaying service on our local area networks. There could be many devices such as cameras, security systems, IoT gadgets, etc., that need a simple MTA to dump and forget, no credentials wanted. Of course, these devices could connect directly to the final MTA, say SendGrid or Gmail, but that would mean coding important passwords in those devices. There are reasons why this might not even be possible sometimes:

  • The device you have may be too ancient to perform TLS or some modern security protocol required by the MTA.
  • The device's mail software has a short length limit for the password, when an MTA like SendGrid requires a super long password.
  • The device is so old that it doesn't even have authentication options to send mail.

All the recommendations out there suggest using something like Postfix or Exim and avoiding Sendmail. But I see no reason to solve a simple requirement with more added complexities. We are not talking about operating an email service here. What I need is a simple mail transport service, where we can dump a mail and forget. Sendmail is already a gross overkill for such a requirement, if only the necessary configuration can be easily set up. This page hopes to tell you how.

Basic Sendmail

The environment in use is a Raspberry Pi with some recent Raspbian OS.

First, install sendmail:

sudo apt-get install sendmail

In case you missed them, these are some of the messages during the installation process:

I am creating a safe, default sendmail.mc for you and you can run sendmailconfig later if you need to change the defaults.


To enable sendmail SASL2 support at a later date, invoke "/usr/share/sendmail/update_auth"


Everything you need to support STARTTLS (encrypted mail transmission and user authentication via certificates) is installed and configured but is *NOT* being used.


To enable sendmail to use STARTTLS, you need to:

1) Add this line to /etc/mail/sendmail.mc and optionally to /etc/mail/submit.mc:

  include(`/etc/mail/tls/starttls.m4')dnl

2) Run sendmailconfig

3) Restart sendmail

After installing, you should be able to connect (to localhost port 25) and send a mail directly from the installed machine itself. However, today, it is unlikely to be successfully received unless the destination server is lax enough to allow unencrypted transmission and not care about the unknown reputation of your mail server.

Sendmail is operating as a server when you are using it to send out mail for you.

The sendmail.mc file has a very strict and unconventional syntax. You cannot use the "#" character to add a comment line. Use dnl (delete through new line) instead. At this point, it is a good idea to make a backup copy of /etc/mail/sendmail.mc: a single wrong keystroke is an easy mistake to make, and the error messages are cryptic enough that identifying the cause is tough.

Note: sendmail.mc parameters are quoted with an opening Grave Accent U+0060 ` and a closing Apostrophe U+0027 '.

In the rest of this page, three tasks are needed repeatedly; to avoid repetition they are defined below. Run these from a root shell (sudo su) rather than prefixing each command with sudo, because in the build task the output redirection is performed by the calling shell, not by sudo.

  • make: make -C /etc/mail
  • build: m4 sendmail.mc > sendmail.cf
  • restart: /etc/init.d/sendmail restart

All commands should be run from, and all files mentioned are located in, /etc/mail unless otherwise specified.

Allowing remote use of Sendmail

To allow connections from other than localhost aka 127.0.0.1, two additional steps are required:

First, remove the addr field in the appropriate DAEMON_OPTIONS ipv4 (or inet) line so that it becomes:

DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp')dnl

Then, in /etc/mail/access, add a connect line for the appropriate subnet your devices are in. I find it most convenient to simply uncomment this existing line already in the file (if my network is on 192.168.x.x):

Connect:192.168 RELAY

For the changes in the access file to take effect, run the make task.

Run build and restart for the sendmail.mc changes to take effect. Test sending a mail from another machine. The Pi by default has no firewall or other settings blocking port 25 traffic.
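With nothing else on the Pi filtering port 25, the Connect: entries in the access file are the only control on who may relay. The script below is an added example, not part of the original post: it lists Connect: keys granted RELAY that reach beyond loopback or RFC 1918 private ranges. The function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads a sendmail access file on
# stdin and prints every Connect: key granted RELAY that is wider than
# loopback or RFC 1918 private space. Unlike sendmail.mc, "#" is a comment here.
audit_relay_entries() {
    awk '
        /^[ \t]*#/ || NF < 2       { next }   # comments, blank lines
        tolower($1) !~ /^connect:/ { next }   # only Connect: entries
        toupper($2) != "RELAY"     { next }   # only relay grants
        {
            key = tolower($1); sub(/^connect:/, "", key)
            if (key == "localhost" || key == "127" || key ~ /^127\./) next
            if (key == "10" || key ~ /^10\./) next
            if (key == "192.168" || key ~ /^192\.168\./) next
            if (key ~ /^172\.(1[6-9]|2[0-9]|3[01])(\.|$)/) next
            print key                         # too broad, or not an IPv4 prefix
        }
    '
}

# Constructed sample entries (hypothetical, not a real configuration).
sample_access() {
    printf '%s\n' \
        '# relay grants' \
        'Connect:localhost RELAY' \
        'Connect:192.168 RELAY' \
        'Connect:192 RELAY' \
        'Connect:172.32 RELAY' \
        'Connect:172.20.1 RELAY' \
        'Connect:10.0.0.5 OK' \
        'GreetPause:localhost 0'
}

sample_access | audit_relay_entries
```

On the relay itself, run it as audit_relay_entries < /etc/mail/access; any key it prints deserves a second look before running the make task.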

At this point, if you issue an EHLO command, the response will be:

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP

Note that there is no AUTH LOGIN yet.

Using a smarthost

To set up a smarthost, that is, a remote SMTP server to which all mail sent via my server is forwarded, additional steps are needed. Note that when Sendmail forwards mail out through a smarthost, it is operating as an SMTP client.

First, add these lines to sendmail.mc to reflect the smarthost and the port number to use. In my case it is smtp.sendgrid.net on port 25.

FEATURE(`authinfo')
define(`SMART_HOST', `smtp.sendgrid.net')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 25')dnl

The FEATURE line should be before the MAILER line in the file.

Next, create /etc/mail/authinfo to contain the credentials for the smarthost:

AuthInfo:smtp.sendgrid.net "U:userid" "P=password_in_base64" "I:userid" "R:smtp.sendgrid.net" "M:LOGIN PLAIN"

The parameters take either plain text values if you use the colon : separator, or Base64 encoded values if you use the equals sign = separator.

Run build and restart, and run the following to create the /etc/mail/authinfo.db file:

makemap hash authinfo < authinfo
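The following is an added example, not part of the original post: it generates the authinfo entry in the format shown above with a Base64-encoded password and writes it readable by root only. The function names and the sample password are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the authinfo entry in the
# format shown above, with the password Base64-encoded after "P=".
authinfo_entry() {
    # $1 = smarthost, $2 = user id. The password is read from stdin so it does
    # not show up in the process list or in shell history.
    IFS= read -r pw || [ -n "$pw" ] || return 1
    # printf (not echo) avoids encoding a trailing newline into the secret;
    # tr removes the line wrap that base64 inserts for long passwords.
    b64=$(printf '%s' "$pw" | base64 | tr -d '\n')
    printf 'AuthInfo:%s "U:%s" "P=%s" "I:%s" "R:%s" "M:LOGIN PLAIN"\n' \
        "$1" "$2" "$b64" "$2" "$1"
    unset pw b64
}

write_authinfo() {
    # $1 = output file, $2 = smarthost, $3 = user id; password on stdin.
    # umask covers a newly created file, chmod covers a pre-existing one.
    ( umask 077 && authinfo_entry "$2" "$3" > "$1" && chmod 600 "$1" )
}

# Demonstration with constructed values ("password" is a placeholder).
demo_dir=$(mktemp -d)
printf '%s' 'password' | write_authinfo "$demo_dir/authinfo" smtp.sendgrid.net userid
cat "$demo_dir/authinfo"
rm -rf "$demo_dir"
```

The authinfo.db map that makemap writes holds the same secret, so give it the same mode as the text file.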

At this point, if you try sending a mail, you will get a Temporary AUTH failure error. This is because Sendmail still has not been set up to use authentication.

To use authentication, SASL2 is needed. Install the following:

sudo apt-get install sasl2-bin libsasl2-modules

Then in sendmail.mc add:

define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS',`A')dnl

Run build and restart. The response to the EHLO command will now include:

AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN

and, when relaying as a client, Sendmail will now be able to use AUTH options.

Tip: Always check /var/log/mail.log for any error messages after restarting or sending mail.

