sendmail
I would like to think that a straightforward mail relaying service is a common need on our local area networks. There can be many devices, such as cameras, security systems, IoT gadgets, etc., that need a simple MTA to dump mail on and forget, no credentials wanted. Of course, these devices could connect directly to the final MTA, say SendGrid or Gmail, but that would mean coding important passwords into those devices. There are reasons why this might not even be possible sometimes:
- The device you have may be too ancient to perform TLS or some modern security protocol required by the MTA.
- The device's mail software has a short length limit for the password, when an MTA like SendGrid requires a super long password.
- The device is so old that it doesn't even have authentication options to send mail.
All the recommendations out there suggest using something like Postfix or Exim and avoiding Sendmail. But I see no reason to solve a simple requirement with added complexity. We are not talking about operating an email service here. What I need is a simple mail transport service, where we can dump a mail and forget. Sendmail is already gross overkill for such a requirement, if only the necessary configuration can be easily set up. This page hopes to tell you how.
Basic Sendmail
The environment in use is a Raspberry Pi with some recent Raspbian OS.
First, install sendmail:
sudo apt-get install sendmail
In case you missed them, these are some of the messages during the installation process:
I am creating a safe, default sendmail.mc for you and you can run sendmailconfig later if you need to change the defaults.
To enable sendmail SASL2 support at a later date, invoke "/usr/share/sendmail/update_auth"
Everything you need to support STARTTLS (encrypted mail transmission and user authentication via certificates) is installed and configured but is *NOT* being used.
To enable sendmail to use STARTTLS, you need to:
1) Add this line to /etc/mail/sendmail.mc and optionally to /etc/mail/submit.mc:
include(`/etc/mail/tls/starttls.m4')dnl
2) Run sendmailconfig
3) Restart sendmail
After installing, you should be able to connect (to localhost port 25) and send a mail directly from the installed machine itself. However, today, it is unlikely to be successfully received unless the destination server is lax enough to allow unencrypted transmission and does not care about the unknown reputation of your mail server.
Sendmail is operating as a server when you are using it to send out mail for you.
The sendmail.mc file has a very strict and unconventional syntax. You cannot use the "#" character to add a comment line. Use dnl (delete through new line) instead. At this point, it might be a good idea to make a backup copy of /etc/mail/sendmail.mc, as mistakes are easily made with a single wrong keystroke, and the error messages are too cryptic to make identifying the cause easy.
Note: sendmail.mc parameters are quoted with an opening Grave Accent U+0060 ` and a closing Apostrophe U+0027 '.
In the rest of this page, three tasks are required many times, and to avoid repetition they are defined below (run these under sudo su, not merely by prefixing the command with sudo):
- make:
make -C /etc/mail
- build:
m4 sendmail.mc > sendmail.cf
- restart:
/etc/init.d/sendmail restart
All commands should be run from, and all files mentioned are located in, /etc/mail unless otherwise specified.
Allowing remote use of Sendmail
To allow connections from hosts other than localhost (127.0.0.1), two additional steps are required:
First, remove the addr field in the appropriate DAEMON_OPTIONS ipv4 (or inet) line so that it becomes:
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp')dnl
Then, in /etc/mail/access, add a connect line for the appropriate subnet your devices are in. I find it most convenient to simply uncomment this existing line already in the file (if my network is on 192.168.x.x):
Connect:192.168 RELAY
For the changes in the access file to take effect, run the make task.
Run build and restart for the sendmail.mc changes to take effect. Test sending a mail from another machine. The Pi by default has no firewall or other settings blocking port 25 traffic.
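Because a Connect: key matches on octet boundaries, a key that is one octet too short relays for far more than the LAN. The following audit of RELAY entries is an added example, not part of the original page; the function names and the sample access file are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges plus loopback: the only sources a LAN-only relay should trust.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of /etc/mail/access, not taken from a real host.
SAMPLE = """\
# comment lines start with '#'
Connect:localhost      RELAY
Connect:127            RELAY
Connect:192.168        RELAY
Connect:172            RELAY
Connect:203.0.113.7    RELAY
Connect:10.9           REJECT
"""

def prefix_to_network(key):
    """Expand an octet-boundary key such as '192.168' to 192.168.0.0/16."""
    octets = key.split(".")
    ok = all(o.isascii() and o.isdigit() and int(o) <= 255 for o in octets)
    if len(octets) > 4 or not ok:
        return None  # hostname, domain or IPv6 key: not an IPv4 prefix
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def audit_relay_entries(text):
    """Return (line_no, key, verdict) for each Connect:/untagged RELAY entry."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        key, action = fields[0], fields[1].upper()
        tag, sep, rest = key.partition(":")
        # From:, To: and other tags, and non-RELAY actions, are out of scope.
        if action != "RELAY" or (sep and tag.lower() != "connect"):
            continue
        net = prefix_to_network(rest if sep else key)
        if net is None:
            verdict = "review"   # name-based key, check by hand
        elif any(net.subnet_of(lan) for lan in LAN_NETS):
            verdict = "lan"
        else:
            verdict = "public"   # relays for addresses outside the LAN
        findings.append((no, key, verdict))
    return findings
```

Any entry reported as "public" lets hosts outside the private ranges relay through the Pi; "172" is the typical slip, since only 172.16 through 172.31 are private.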
At this point, if you issue an EHLO command, the response will be:
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
Note that there is no AUTH LOGIN yet.
Using a smarthost
To set up a smarthost, that is, a remote SMTP server to which all mail sent via my server will be forwarded, additional steps are needed. Note that when Sendmail is going through a smarthost to forward out mail, Sendmail is operating as an SMTP client.
First, add these lines to sendmail.mc to reflect the smarthost and the port number to use. In my case it is smtp.sendgrid.net on port 25.
FEATURE(`authinfo')
define(`SMART_HOST', `smtp.sendgrid.net')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 25')dnl
The FEATURE line should be before the MAILER line in the file.
Next, create /etc/mail/authinfo to contain the credentials for the smarthost:
AuthInfo:smtp.sendgrid.net "U:userid" "P=password_in_base64" "I:userid" "R:smtp.sendgrid.net" "M:LOGIN PLAIN"
The parameters take either plain text values if you use the colon : separator, or Base64 encoded values if you use the equals sign = separator.
Run build and restart, then run the following to create the /etc/mail/access.db file:
makemap hash authinfo < authinfo
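The authinfo entry format described above, with the ":" and "=" separators, can be generated and checked as follows. This is an added example, not part of the original page; the function names are made up for illustration, and writing the file with owner-only permissions is an assumption about how you want to protect the smarthost password.

```python
import base64
import os
import shlex
import stat

def authinfo_line(host, user, password, mechs="LOGIN PLAIN"):
    """Build the entry in the page's format; the password goes in as Base64 ('=')."""
    p64 = base64.b64encode(password.encode()).decode("ascii")
    return (f'AuthInfo:{host} "U:{user}" "P={p64}" "I:{user}" '
            f'"R:{host}" "M:{mechs}"')

def parse_authinfo(line):
    """Return (host, fields) with every value decoded to plain text."""
    key, *items = shlex.split(line)
    fields = {}
    for item in items:
        name, sep, value = item[:1], item[1:2], item[2:]
        if sep == "=":        # '=' marks a Base64-encoded value
            value = base64.b64decode(value).decode()
        elif sep != ":":      # ':' marks a plain-text value
            raise ValueError(f"bad separator in {item!r}")
        fields[name] = value
    return key.split(":", 1)[1], fields

def write_private(path, text):
    """Write the entry to a file readable by its owner only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text + "\n")
    os.chmod(path, 0o600)     # also tightens a file that already existed
    return stat.S_IMODE(os.stat(path).st_mode)
```

Base64 is an encoding, not encryption, so the file is as sensitive as a plain-text password; the .db file that makemap builds from it holds the same credentials and needs the same mode.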
At this point, if you try sending a mail, you will get a Temporary AUTH failure error. This is because Sendmail still has not been set up to use authentication.
To use authentication, SASL2 is needed. Install the following:
sudo apt-get install sasl2-bin libsasl2-modules
Then in sendmail.mc add:
define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS',`A')dnl
Run build and restart. The response to the EHLO command will now include:
AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
and, as a client when relaying, Sendmail will now be able to use AUTH options.
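The EHLO replies shown on this page can be checked mechanically: which AUTH mechanisms are advertised, and whether LOGIN or PLAIN are offered with no STARTTLS upgrade available. This is an added example, not part of the original page; the function names are made up for illustration, and the sample reply is constructed with a placeholder greeting line.

```python
# LOGIN and PLAIN put the password on the wire merely Base64-encoded.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}

# Constructed reply: placeholder greeting plus extension lines like the page's.
SAMPLE_REPLY = """\
250-relay.example Hello client.example, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250 HELP
"""

def parse_ehlo(reply):
    """Map each advertised extension keyword to its parameter list."""
    lines = reply.strip().splitlines()
    extensions = {}
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        last = i == len(lines) - 1
        # Every line but the last uses '250-'; the last uses '250 '.
        if code != "250" or sep != (" " if last else "-"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i == 0:
            continue  # the first line is the greeting, not an extension
        keyword, *params = rest.split()
        extensions[keyword.upper()] = [p.upper() for p in params]
    return extensions

def auth_report(reply):
    """Summarise AUTH exposure: mechanisms offered and those sent in the clear."""
    ext = parse_ehlo(reply)
    mechs = ext.get("AUTH", [])
    tls = "STARTTLS" in ext
    # With no STARTTLS on offer, LOGIN/PLAIN credentials cannot be protected.
    cleartext = [] if tls else [m for m in mechs if m in CLEARTEXT_MECHS]
    return {"mechanisms": mechs, "starttls": tls, "cleartext": cleartext}
```

The same check applies to the reply of the smarthost on the port Sendmail connects to, since that is the connection the authinfo password travels over.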
Tip: Always check /var/log/mail.log for any error messages after restarting or sending mail.