Managing sendmail Services in Oracle Solaris 11.1     Oracle Solaris 11.1 Information Library
Changing the sendmail Configuration

How to Build a New sendmail.cf File shows you how to build the configuration file. Although you can still use older versions of sendmail.cf files, the best practice is to use the new format.

For more details, refer to the following.

How to Build a New sendmail.cf File

The following procedure shows you how to build a new configuration file.


Note - /usr/lib/mail/cf/main-v7sun.mc is now /etc/mail/cf/cf/sendmail.mc.


  1. Become an administrator.

    For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  2. Stop sendmail.
    # svcadm disable -t network/smtp:sendmail
  3. Make a copy of the configuration files that you are changing.
    # cd /etc/mail/cf/cf
    # cp sendmail.mc myhost.mc

    myhost
        Select a new name for your .mc file.

  4. Edit the new configuration files (for example, myhost.mc), as necessary.

    For example, add the following command line to enable domain masquerading.

    # cat myhost.mc
    ..
    MASQUERADE_AS(`host.domain')

    host.domain
        Use the desired host name and domain name.

    In this example, MASQUERADE_AS causes sent mail to be labeled as originating from host.domain, rather than $j.

  5. Build the configuration file by using m4.
    # make myhost.cf
  6. Test the new configuration file by using the -C option to specify the new file.
    # /usr/lib/sendmail -C myhost.cf -v testaddr </dev/null

    While this command displays messages, it sends a message to testaddr. Only outgoing mail can be tested without restarting the sendmail service on the system. For systems that are not handling mail yet, use the full testing procedure in How to Test the Mail Configuration.

  7. Install the new configuration file after making a copy of the original.
    # cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.save
    # cp myhost.cf /etc/mail/sendmail.cf
  8. Restart the sendmail service.
    # svcadm enable network/smtp:sendmail

Setting Up a Virtual Host

If you need to assign more than one IP address to a host, see this Web site: http://www.sendmail.org/tips/virtualHosting. This site provides complete instructions about how to use sendmail to set up a virtual host. However, in the “Sendmail Configuration” section, do not perform step 3b, as shown in the following.

# cd sendmail-VERSION/cf/cf
# ./Build mailserver.cf
# cp mailserver.cf /etc/mail/sendmail.cf

Instead, for the Oracle Solaris operating system, perform the following steps.

# cd /etc/mail/cf/cf
# make mailserver.cf
# cp mailserver.cf /etc/mail/sendmail.cf

mailserver
    Use the name of the .cf file.

Changing the sendmail Configuration outlines the same three steps as part of the build process.

After you have generated your /etc/mail/sendmail.cf file, you can continue with the next steps to create a virtual user table.

How to Automatically Rebuild a Configuration File

If you have built your own copy of sendmail.cf or submit.cf, the configuration file is not replaced during the upgrade process. The following procedure shows how to configure the sendmail service properties so that the sendmail.cf file is automatically rebuilt for you. For instructions on how to automatically build the submit.cf configuration file, see Example 2-1. You may combine these procedures if you need to build both files.

  1. Become an administrator.

    For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  2. Set the sendmail properties.
    # svccfg -s sendmail
    svc:/network/smtp:sendmail> setprop config/path_to_sendmail_mc=/etc/mail/cf/cf/myhost.mc 
    svc:/network/smtp:sendmail> quit
  3. Refresh and restart the sendmail service.

    The first command pushes the changes into the running snapshot. The second command restarts the sendmail service using the new options.

    # svcadm refresh svc:/network/smtp:sendmail 
    # svcadm restart svc:/network/smtp:sendmail

Example 2-1 Establishing Automatic Rebuilding of submit.cf

This procedure configures the sendmail service so that the submit.mc configuration file is rebuilt automatically.

# svccfg -s sendmail-client:default
svc:/network/smtp:sendmail> setprop config/path_to_submit_mc=/etc/mail/cf/cf/submit-myhost.mc 
svc:/network/smtp:sendmail> exit
# svcadm refresh svc:/network/sendmail-client 
# svcadm restart svc:/network/sendmail-client

How to Use sendmail in the Open Mode

The sendmail service now runs in local-only mode by default. In local-only mode, only mail from the local host is accepted, and messages from any other system are rejected. Earlier releases were configured to accept incoming mail from all remote systems, which is known as the open mode. To use the open mode, use the following procedure.


Caution - Running sendmail in the local–only mode is much more secure than running in the open mode. Make sure that you are aware of the potential security risks if you follow this procedure.


  1. Become an administrator.

    For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  2. Set the sendmail properties.
    # svccfg -s sendmail
    svc:/network/smtp:sendmail> setprop config/local_only = false 
    svc:/network/smtp:sendmail> quit
  3. Refresh and restart the sendmail service.
    # svcadm refresh svc:/network/smtp:sendmail 
    # svcadm restart svc:/network/smtp:sendmail

How to Set SMTP to Use TLS

SMTP can use Transport Layer Security (TLS) in version 8.13 of sendmail. This service provides SMTP servers and clients with private, authenticated communications over the Internet, as well as protection from eavesdroppers and attackers. Note that this service is not enabled by default.

The following procedure uses sample data to show you how to set up the certificates that enable sendmail to use TLS. For more information, see Support for Running SMTP With TLS in Version 8.13 of sendmail.

  1. Become an administrator.

    For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  2. Stop sendmail.
    # svcadm disable -t network/smtp:sendmail
  3. Set up the certificates that enable sendmail to use TLS.
    1. Complete the following:
      # cd /etc/mail
      # mkdir -p certs/CA
      # cd certs/CA
      # mkdir certs crl newcerts private
      # echo "01" > serial
      # cp /dev/null index.txt
      # cp /etc/openssl/openssl.cnf .
    2. Use your preferred text editor to change the dir value in the openssl.cnf file from /etc/openssl to /etc/mail/certs/CA.
    3. Use the openssl command-line tool to implement TLS.

      Note that the following command line generates interactive text.

      # openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 \
      -config openssl.cnf
      Generating a 1024 bit RSA private key
      .....................................++++++
      .....................................++++++
      writing new private key to 'private/cakey.pem'
      Enter PEM pass phrase:
      Verifying - Enter PEM pass phrase:
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) []:US
      State or Province Name (full name) []:California
      Locality Name (eg, city) []:Menlo Park
      Organization Name (eg, company) [Unconfigured OpenSSL Installation]:Oracle
      Organizational Unit Name (eg, section) []:Solaris
      Common Name (eg, YOUR name) []:somehost.somedomain.example.com
      Email Address []:someuser@example.com

      req
          This command creates and processes certificate requests.

      -new
          This req option generates a new certificate request.

      -x509
          This req option creates a self-signed certificate.

      -keyout private/cakey.pem
          This req option enables you to assign private/cakey.pem as the file name for your newly created private key.

      -out cacert.pem
          This req option enables you to assign cacert.pem as your output file.

      -days 365
          This req option enables you to certify the certificate for 365 days. The default value is 30.

      -config openssl.cnf
          This req option enables you to specify openssl.cnf as the configuration file.

      Note that this command requires that you provide the following:

      • Country Name, such as US.

      • State or Province Name, such as California.

      • Locality Name, such as Menlo Park.

      • Organization Name, such as Oracle.

      • Organizational Unit Name, such as Solaris.

      • Common Name, which is the machine's fully qualified host name. For more information, see the check-hostname(1M) man page.

      • Email Address, such as someuser@example.com.

  4. (Optional) If you need a new secure connection, make a new certificate and sign the new certificate with the certificate authority.
    1. Make a new certificate.
      # cd /etc/mail/certs/CA
      # openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 \
      -config openssl.cnf
      Generating a 1024 bit RSA private key
      ..............++++++
      ..............++++++
      writing new private key to 'newreq.pem'
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) []:US
      State or Province Name (full name) []:California
      Locality Name (eg, city) []:Menlo Park
      Organization Name (eg, company) [Unconfigured OpenSSL Installation]:Oracle
      Organizational Unit Name (eg, section) []:Solaris
      Common Name (eg, YOUR name) []:somehost.somedomain.example.com
      Email Address []:someuser@example.com

      This command requires that you provide the same information that you provided in step 3c.

      Note that in this example, the certificate and private key are in the file newreq.pem.

    2. Sign the new certificate with the certificate authority.
      # cd /etc/mail/certs/CA
      # openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
      Getting request Private Key
      Generating certificate request
      # openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
      Using configuration from openssl.cnf
      Enter pass phrase for /etc/mail/certs/CA/private/cakey.pem:
      Check that the request matches the signature
      Signature ok
      Certificate Details:
              Serial Number: 1 (0x1)
              Validity
                  Not Before: Jun 23 18:44:38 2005 GMT
                  Not After : Jun 23 18:44:38 2006 GMT
              Subject:
                  countryName               = US
                  stateOrProvinceName       = California
                  localityName              = Menlo Park
                  organizationName          = Oracle
                  organizationalUnitName    = Solaris
                  commonName                = somehost.somedomain.example.com
                  emailAddress              = someuser@example.com
              X509v3 extensions:
                  X509v3 Basic Constraints: 
                      CA:FALSE
                  Netscape Comment: 
                      OpenSSL Generated Certificate
                  X509v3 Subject Key Identifier: 
                      93:D4:1F:C3:36:50:C5:97:D7:5E:01:E4:E3:4B:5D:0B:1F:96:9C:E2
                  X509v3 Authority Key Identifier: 
                      keyid:99:47:F7:17:CF:52:2A:74:A2:C0:13:38:20:6B:F1:B3:89:84:CC:68
                      DirName:/C=US/ST=California/L=Menlo Park/O=Oracle/OU=Solaris/\
                      CN=someuser@example.com/emailAddress=someuser@example.com
                      serial:00
      
      Certificate is to be certified until Jun 23 18:44:38 2006 GMT (365 days)
      Sign the certificate? [y/n]:y
      
      
      1 out of 1 certificate requests certified, commit? [y/n]y
      Write out database with 1 new entries
      Data Base Updated
      # rm -f tmp.pem

      In this example the file newreq.pem contains the unsigned certificate and private key. The file newcert.pem contains the signed certificate.

      x509 utility
          Displays certificate information, converts certificates to various forms, and signs certificate requests.

      ca application
          Used to sign certificate requests in a variety of forms and to generate CRLs (certificate revocation lists).

  5. Enable sendmail to use the certificates by adding the following lines to your .mc file.
    define(`confCACERT_PATH', `/etc/mail/certs')dnl
    define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
    define(`confSERVER_CERT', `/etc/mail/certs/MYcert.pem')dnl
    define(`confSERVER_KEY', `/etc/mail/certs/MYkey.pem')dnl
    define(`confCLIENT_CERT', `/etc/mail/certs/MYcert.pem')dnl
    define(`confCLIENT_KEY', `/etc/mail/certs/MYkey.pem')dnl

    For more information, see Configuration File Options for Running SMTP With TLS.

  6. Rebuild and install your sendmail.cf file in your /etc/mail directory.

    For detailed instructions, see Changing the sendmail Configuration.

  7. Create symbolic links from the files you created with openssl to the files you defined in your .mc file.
    # cd /etc/mail/certs
    # ln -s CA/cacert.pem CAcert.pem
    # ln -s CA/newcert.pem MYcert.pem
    # ln -s CA/newreq.pem MYkey.pem
  8. For added security, deny read permission to group and others for MYkey.pem.
    # chmod go-r MYkey.pem
  9. Use a symbolic link to install CA certs in the directory assigned to confCACERT_PATH.
    # C=CAcert.pem
    # ln -s $C `openssl x509 -noout -hash < $C`.0
  10. For secure mail with other hosts, install their host certificates.
    1. Copy the file defined by the other host's confCACERT option to /etc/mail/certs/host.domain.cert.pem.

      Replace host.domain with the other host's fully qualified host name.

    2. Use a symbolic link to install CA certs in the directory assigned to confCACERT_PATH.
      # C=host.domain.cert.pem
      # ln -s $C `openssl x509 -noout -hash < $C`.0

      Replace host.domain with the other host's fully qualified host name.

  11. Restart sendmail.
    # svcadm enable network/smtp:sendmail
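
The following check is an added example, not part of the Oracle procedure. It audits the results of steps 7 through 9: key permissions, key and certificate pairing, the chain to the CA, and the hash link. The function name check_tls_files is hypothetical; the file names are the ones defined in step 5.

```shell
#!/bin/sh
# check_tls_files [DIR]: audit the certificate files named in the .mc defines.
# Prints one line per problem; returns 0 only when every check passes.
check_tls_files() {
    dir=${1:-/etc/mail/certs}
    ca=$dir/CAcert.pem; cert=$dir/MYcert.pem; key=$dir/MYkey.pem
    rc=0

    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL missing or unreadable: $f"; return 1; }
    done

    # Step 8: the key must not be readable by group or others.
    # ls -L reports the mode of the link target, not of the symbolic link.
    mode=$(ls -lL "$key" | cut -c5-10)
    case $mode in
        *r*) echo "FAIL key is readable by group or others: $key"; rc=1 ;;
    esac

    # Step 7: MYkey.pem must hold the private key for MYcert.pem.
    # Compare the public key derived from each file.
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then
        echo "FAIL MYkey.pem does not match MYcert.pem"; rc=1
    fi

    # MYcert.pem must chain to CAcert.pem. Match on the OK line
    # rather than relying on the exit status.
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep ': OK$' >/dev/null; then
        echo "FAIL MYcert.pem does not verify against CAcert.pem"; rc=1
    fi

    # Step 9: lookups in confCACERT_PATH need the <subject-hash>.0 link.
    hash=$(openssl x509 -noout -hash < "$ca" 2>/dev/null)
    [ -n "$hash" ] && [ -e "$dir/$hash.0" ] ||
        { echo "FAIL no hash link for CAcert.pem in $dir"; rc=1; }

    return $rc
}
```

Run check_tls_files with no argument before restarting sendmail; it prints nothing and returns 0 when the directory is consistent.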

Example 2-2 Received: Mail Header

The following is an example of a Received: header for secure mail with TLS.

Received: from his.example.com ([IPv6:2001:db8:3c4d:15::1a2f:1a2b])
        by her.example.com (8.13.4+Sun/8.13.4) with ESMTP id j2TNUB8i242496
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
        for <janepc@her.example.com>; Tue, 29 Mar 2005 15:30:11 -0800 (PST)
Received: from her.example.com (her.city.example.com [192.168.0.0])
        by his.example.com (8.13.4+Sun/8.13.4) with ESMTP id j2TNU7cl571102
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
        for <janepc@her.example.com>; Tue, 29 Mar 2005 15:30:07 -0800 (PST)

Note that the value for verify is OK, which means that the authentication was successful. For more information, see Macros for Running SMTP With TLS.
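
To check the same fields across every hop of a message, the following added example (not part of the Oracle documentation) unfolds the Received: headers and lists any hop that did not record verify=OK. The function names and the third, non-TLS hop in the sample are constructed for illustration; the first two hops are those of Example 2-2.

```shell
#!/bin/sh
# tls_hops: read message headers on stdin and print one line per Received: hop:
#   hop-number receiving-host version cipher bits verify
# Hops that carry no TLS details get "-" in the last four columns.
tls_hops() {
    awk '
    function field(s, name) {            # value of name=value in s, or "-"
        if (match(s, name "=[^ )]+"))
            return substr(s, RSTART + length(name) + 1, RLENGTH - length(name) - 1)
        return "-"
    }
    function emit(   by) {               # print the hop collected in hdr
        if (hdr == "") return
        by = "-"
        if (match(hdr, / by [^ ]+/)) by = substr(hdr, RSTART + 4, RLENGTH - 4)
        print ++n, by, field(hdr, "version"), field(hdr, "cipher"), field(hdr, "bits"), field(hdr, "verify")
        hdr = ""
    }
    /^$/                   { emit(); exit }                 # end of the header block
    /^Received:/           { emit(); hdr = $0; next }
    /^[ \t]/ && hdr != ""  { sub(/^[ \t]+/, " "); hdr = hdr $0; next }  # folded line
                           { emit() }
    END                    { emit() }
    '
}

# unverified_hops: print only the hops that did not record verify=OK.
unverified_hops() {
    tls_hops | awk '$6 != "OK"'
}

# Constructed sample: the two hops of Example 2-2 plus one hop without TLS.
sample_header() {
    cat <<'EOF'
Received: from his.example.com ([IPv6:2001:db8:3c4d:15::1a2f:1a2b])
        by her.example.com (8.13.4+Sun/8.13.4) with ESMTP id j2TNUB8i242496
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
        for <janepc@her.example.com>; Tue, 29 Mar 2005 15:30:11 -0800 (PST)
Received: from her.example.com (her.city.example.com [192.168.0.0])
        by his.example.com (8.13.4+Sun/8.13.4) with ESMTP id j2TNU7cl571102
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
        for <janepc@her.example.com>; Tue, 29 Mar 2005 15:30:07 -0800 (PST)
Received: from client.example.net (client.example.net [192.0.2.10])
        by relay.example.net (8.13.4+Sun/8.13.4) with ESMTP id j2TNU0aa000001
        for <janepc@her.example.com>; Tue, 29 Mar 2005 15:30:01 -0800 (PST)
Subject: constructed sample
EOF
}
```

Running `sample_header | unverified_hops` lists only the relay.example.net hop, which recorded no TLS parameters.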

See Also

The following OpenSSL man pages:

How to Manage Mail Delivery by Using an Alternate Configuration of sendmail.cf

To facilitate the transport of inbound mail and outbound mail, the new default configuration of sendmail uses a daemon and a client queue runner. The client queue runner must be able to submit mail to the daemon on the local SMTP port. If the daemon is not listening on the SMTP port, the mail remains in the queue. To avoid this problem, perform the following task. For more information about the daemon and client queue runner and to understand why you might have to use this alternate configuration, refer to submit.cf Configuration File From Version 8.12 of sendmail.

This procedure ensures that your daemon runs only to accept connections from the local host.

  1. Become an administrator.

    For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  2. Stop the sendmail client service.
    # svcadm disable -t sendmail-client
  3. Make a copy of the configuration file that you are changing.
    # cd /etc/mail/cf/cf
    # cp submit.mc submit-myhost.mc

    myhost
        Select a new name for your .mc file.

  4. Edit the new configuration file (for example, submit-myhost.mc).

    Change the listening host IP address in the msp definition.

    # grep msp submit-myhost.mc
    FEATURE(`msp', `[#.#.#.#]')dnl
  5. Build the configuration file by using m4.
    # make submit-myhost.cf
  6. Install the new configuration file after making a copy of the original.
    # cp /etc/mail/submit.cf /etc/mail/submit.cf.save
    # cp submit-myhost.cf /etc/mail/submit.cf
  7. Restart the sendmail client service.
    # svcadm enable sendmail-client