Creating a sendmail server

Mail service is relatively straightforward, because the protocol has robust failover/retry mechanisms built in: if a mail exchange host (MX) is not up, another one can be tried. We keep multiple copies of a primary mail server configured identically, and use the internet-standard sendmail as the server.

Sendmail has some quirks; in particular it is picky about the permissions of the /etc/mail directory, and we do not want to run things as root. So we create our own directory, /etc/mail/paphosting, owned by the paphosting user, and a script called sendmail_genconfig which we run as root using sudo. It is that script's responsibility to rebuild databases (for example by running the newaliases command) and to restart the sendmail(8) daemon if class R (relay-domains) or class W (local-host-names) has changed.

We let the operating system supply all the bits and pieces it wants for the sendmail(8) system. This setup guide tries to make the operating systems we use (Ubuntu Linux and OpenBSD) configure sendmail in the same way. We then overlay our configuration files, kept in the RCS, into /etc/mail.
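
The following is an added example of the decision logic described above; it is not the real sendmail_genconfig script. It overlays the files from /etc/mail/paphosting into /etc/mail, rebuilds the derived databases every time, and restarts sendmail only when relay-domains (class R) or local-host-names (class W) actually changed. The restart command, the map names other than the ones mentioned on this page, and the --run flag are assumptions.

```shell
#!/bin/sh
# Added example, not the paphosting sendmail_genconfig: change detection for
# the overlay step. Run as root via sudo, like the real script.
# Assumed: 'service sendmail restart' restarts the daemon; the map names
# virtusertable/access are the usual sendmail ones and are optional.

SRC=${SRC:-/etc/mail/paphosting}   # staging dir, owned by paphosting
DST=${DST:-/etc/mail}              # live sendmail config dir

# file_changed NEW OLD -> true (0) when installing NEW over OLD changes OLD
file_changed() {
    if [ ! -e "$1" ] && [ ! -e "$2" ]; then
        return 1                    # absent on both sides: nothing changes
    fi
    if cmp -s "$1" "$2"; then
        return 1                    # identical content
    fi
    return 0                        # one side missing or content differs
}

# classes_changed SRC DST -> true (0) if class R or class W would change
classes_changed() {
    for f in relay-domains local-host-names; do
        if file_changed "$1/$f" "$2/$f"; then
            echo "class file $f changed, restart required" >&2
            return 0
        fi
    done
    return 1
}

# rebuild_databases DIR: the .db files are derived from text files, so they
# are rebuilt after every overlay; this needs no daemon restart.
rebuild_databases() {
    newaliases
    for map in virtusertable access; do
        if [ -f "$1/$map" ]; then
            makemap hash "$1/$map" < "$1/$map"
        fi
    done
}

restart_sendmail() {
    service sendmail restart        # assumption: Ubuntu-style service command
}

# install_config SRC DST: overlay, rebuild, restart only if needed.
# Prints "restarted" or "not restarted" so callers can log the outcome.
install_config() {
    src=$1; dst=$2
    need_restart=1
    if classes_changed "$src" "$dst"; then
        need_restart=0
    fi
    for f in "$src"/*; do           # copy every regular file over DST
        if [ -f "$f" ]; then
            cp "$f" "$dst/$(basename "$f")"
        fi
    done
    rebuild_databases "$dst"
    if [ "$need_restart" -eq 0 ]; then
        restart_sendmail
        echo "restarted"
    else
        echo "not restarted"
    fi
}

# Invoke as: sudo ./this-script --run   (the sudo rule exists for this)
if [ "${1:-}" = "--run" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root (via sudo)" >&2
        exit 1
    fi
    install_config "$SRC" "$DST"
fi
```

Because the copy happens after the comparison, a change to relay-domains is detected against what is currently live, not against the file that was just copied; a second run with nothing new reports "not restarted".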

A1) Using OpenBSD

(work in progress)

A2) Using Ubuntu

1. Install needed packages

Note that we disable SpamAssassin from inside MIMEDefang (the $Features edit below).
sudo su -
# MIMEDefang's X-Scanned-By setting, read from /etc/default/mimedefang by its init script
echo 'export X_SCANNED_BY="-"' >>/etc/default/mimedefang
apt-get install sendmail telnet sasl2-bin libsasl2-modules spamass-milter \
  spamassassin mimedefang libarchive-zip-perl
# Enable the spamassassin daemon and its cron job
cd /etc/default
sed -e 's,ENABLED=.*,ENABLED=1,g' -e 's,CRON=.*,CRON=1,g' \
  spamassassin > spamassassin.new && \
  mv -f spamassassin.new spamassassin
# Turn off SpamAssassin inside MIMEDefang: insert the setting just before the
# "# DO NOT delete" marker in mimedefang.pl.conf (GNU sed syntax)
sed -i /etc/mail/mimedefang.pl.conf -e \
  's,# DO NOT delete,$Features{"SpamAssassin"} = 0;\n# DO NOT delete,g'
# Our own config directory, writable by the paphosting user (see above)
mkdir -p /etc/mail/paphosting
chown -R paphosting:paphosting /etc/mail/paphosting
service spamassassin start
service spamass-milter start
service mimedefang start
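
The sed one-liner above inserts a fresh $Features line every time it is run and relies on GNU sed's \n in the replacement, which BSD sed does not support. As an added example (not part of the install procedure above) here is an idempotent version that checks before editing, uses awk so it behaves the same on Ubuntu and OpenBSD, and writes the file in place so its owner and mode survive. The function name and the optional path argument are assumptions; the default path is the one used above.

```shell
#!/bin/sh
# Added example: idempotent replacement for the mimedefang.pl.conf sed edit.
# Not part of the paphosting tooling.

# disable_sa_in_mimedefang [CONF]
# Inserts '$Features{"SpamAssassin"} = 0;' before the first "# DO NOT delete"
# line of CONF (default: /etc/mail/mimedefang.pl.conf). Prints "disabled" or
# "already disabled"; fails if the marker is missing rather than silently
# doing nothing.
disable_sa_in_mimedefang() {
    conf=${1:-/etc/mail/mimedefang.pl.conf}
    marker='# DO NOT delete'
    setting='$Features{"SpamAssassin"} = 0;'

    # Already applied: leave the file untouched (safe to re-run from a push script)
    if grep -qF "$setting" "$conf"; then
        echo "already disabled"
        return 0
    fi
    # No anchor line: refuse, so a changed upstream config does not go unnoticed
    if ! grep -qF "$marker" "$conf"; then
        echo "marker '$marker' not found in $conf" >&2
        return 1
    fi
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # Print the setting once, immediately before the first marker line
    awk -v s="$setting" -v m="$marker" '
        index($0, m) > 0 && !done { print s; done = 1 }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so ownership and permissions are kept
    cat "$tmp" > "$conf" && rm -f "$tmp"
    echo "disabled"
}

# Usage: disable_sa_in_mimedefang            (edits the real config as root)
#        disable_sa_in_mimedefang /path/file (any other file, e.g. for testing)
```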

2. Configure sendmail with our features

We have a custom sendmail.mc file which includes paphosting.m4; this turns the default sendmail install on Debian/Ubuntu (and probably others) into a PaPMX.

B) Configuring sendmail

1. Add the machine to config/sendmail.hosts

On your client, add the hostname (any hostname, IPv4 address or IPv6 address to which you can connect on the SSH port):
svn update
mkdir -p files/${HOSTNAME}/etc/cron.d
ln -s ../../../common/cron.d/paphosting-spamass-restart \
  files/${HOSTNAME}/etc/cron.d/
# Make sure to svn add these!
echo ${HOSTNAME} >> config/sendmail.hosts
echo ${HOSTNAME} >> config/files.hosts
svn commit

2. Ensure you can SSH into the machine as paphosting

From your client, try to SSH as paphosting into the machine. Once you're there, make sure that the paphosting user can run the scripts below as root:
sudo su -
# Only these two exact commands are permitted without a password
cat << EOF >> /etc/sudoers
paphosting ALL = NOPASSWD: /usr/local/sbin/sendmail_genconfig
paphosting ALL = NOPASSWD: /usr/sbin/pkill -x sendmail
EOF
# Check the syntax with 'visudo -c' before leaving the root shell; a broken sudoers locks everyone out of sudo
You should now be able to run sudo pkill -x sendmail as the paphosting user (sudo matches the arguments literally, so only that exact invocation is allowed).

3. Force a push of the sendmail configs

On your client, do a sendmail push:
# Copy sendmail_genconfig and cron files
scripts/files-push.sh -f ${HOSTNAME}
scripts/sendmail-push.sh -v -n ${HOSTNAME}
# If this looks good, then:
scripts/sendmail-push.sh -f ${HOSTNAME}

4. Check to make sure it works

If the mail server is up and running, you can telnet to its port 25 and try to deliver mail, for example with the following dialog (lines starting with # are comments, the numbered lines are the server's replies):
$ telnet $HOSTNAME 25
# This should hang for about 5 seconds and then show you a banner
# Note 'ESMTP PaPMX', which demonstrates our m4 file was included
220 nlams01.paphosting.net ESMTP PaPMX
HELO localhost
# This should respond with a 250 message
MAIL FROM: pim@example.com
250 2.1.0 pim@example.com... Sender ok
RCPT TO: postmaster@paphosting.nl
250 2.1.5 postmaster@paphosting.nl... Recipient ok
RCPT TO: postmaster@example.com
550 5.7.1 postmaster@example.com... Relaying denied.
QUIT
# This should respond with a 221 message
This makes sure that basic acceptance works (class W), that the virtual user tables work, and that forwarding is possible only for our own domains (class R), i.e. we are not an open relay.
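
The manual telnet dialog above is easy to get wrong by eye, so here is an added example (not part of the paphosting tooling) that scripts the same six-step exchange and checks each reply: the banner must carry ESMTP PaPMX, HELO/MAIL/local RCPT must get 250, the foreign RCPT must get a 5xx, and QUIT a 221. The reply parsing is separated from the network part so it can be checked against a captured transcript. Assumptions: nc (netcat) is installed on the client, and the sender/recipient addresses are placeholders like the ones above.

```shell
#!/bin/sh
# Added example: scripted open-relay check for a PaPMX. Not the project's code.
# Assumes 'nc' for the TCP side; any line-oriented client would do.

# smtp_code LINE -> the 3-digit reply code at the start of LINE (empty if none)
smtp_code() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9][0-9]\)[ -].*/\1/p'
}

# relay_verdict REPLY: REPLY is the answer to RCPT TO:<foreign address>.
# Prints "denied" (5xx, what we want), "accepted" (2xx, an open relay),
# "tempfail" (4xx) or "unknown".
relay_verdict() {
    case "$(smtp_code "$1")" in
        5??) echo denied ;;
        2??) echo accepted ;;
        4??) echo tempfail ;;
        *)   echo unknown ;;
    esac
}

# check_transcript TRANSCRIPT
# TRANSCRIPT holds one server reply per line, in command order:
# banner, HELO, MAIL FROM, RCPT TO (own domain), RCPT TO (foreign), QUIT.
# Returns 0 when the host behaves like a PaPMX that is not an open relay;
# otherwise prints the first failing step and returns 1.
check_transcript() {
    transcript=$1
    i=0
    for expect in banner 250 250 250 relay 221; do
        i=$((i + 1))
        line=$(printf '%s\n' "$transcript" | sed -n "${i}p")
        case "$expect" in
            banner)
                case "$line" in
                    220*"ESMTP PaPMX"*) ;;   # proves paphosting.m4 was included
                    *) echo "step $i: unexpected banner: $line"; return 1 ;;
                esac ;;
            relay)
                if [ "$(relay_verdict "$line")" != denied ]; then
                    echo "step $i: foreign recipient not refused (open relay?): $line"
                    return 1
                fi ;;
            *)
                if [ "$(smtp_code "$line")" != "$expect" ]; then
                    echo "step $i: expected $expect, got: $line"
                    return 1
                fi ;;
        esac
    done
    return 0
}

# smtp_probe HOST FROM LOCAL_RCPT FOREIGN_RCPT
# Sends the same dialog as the manual session and prints the replies, one per
# line; multi-line reply continuations (e.g. "250-...") are dropped so the
# line numbers match the command order. Waits for the ~5 second banner delay.
smtp_probe() {
    {
        sleep 6
        printf 'HELO localhost\r\n';          sleep 1
        printf 'MAIL FROM:<%s>\r\n' "$2";      sleep 1
        printf 'RCPT TO:<%s>\r\n' "$3";        sleep 1
        printf 'RCPT TO:<%s>\r\n' "$4";        sleep 1
        printf 'QUIT\r\n';                     sleep 1
    } | nc -w 15 "$1" 25 | tr -d '\r' | grep -v '^[0-9][0-9][0-9]-'
}

# Usage: ./this-script HOST pim@example.com postmaster@paphosting.nl postmaster@example.com
if [ $# -eq 4 ]; then
    out=$(smtp_probe "$@")
    printf '%s\n' "$out"
    if check_transcript "$out"; then
        echo "OK: $1 accepts our domains and is not an open relay"
    else
        exit 1
    fi
fi
```

The check deliberately treats a 4xx on the foreign recipient as a failure too: a temporary rejection is not proof that relaying is denied, only that it was not accepted this time.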

EOF :)