# Sendmail



## balanga (Jun 19, 2016)

I believe that Sendmail is included automatically when FreeBSD is installed. If so, what configuration do I need to do to start sending and receiving mail?

I have a FreeBSD VPS so need to be able to configure it remotely and don't want it to crash on me so am a little wary of messing something up.


----------



## Oko (Jun 20, 2016)

balanga said:


> I believe that Sendmail is included automatically when FreeBSD is installed. If so, what configuring do I need to do to start sending and receiving mail?


By default Sendmail will send all your e-mails. The problem is that by default nobody will accept them without a valid MX record, reverse DNS and a static IP. Letting Sendmail listen on an external interface and accept e-mails is the fastest way to become a spam zombie. I would suggest that you first describe better what kind of e-mails you want to send and to whom, and whose e-mails you are supposed to receive. If you can't give a very specific answer to that question (for example: I am running OpenSMTPd to forward emails generated by daemons like SMART from my internal network to a mailing list), you have no business touching the default Sendmail configuration.


----------



## wblock@ (Jun 20, 2016)

We do have a whole Handbook chapter on Sendmail: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/sendmail.html.


----------



## balanga (Jun 20, 2016)

Oko said:


> By default Sendmail will send all your e-mails. The problem is by default nobody will accept them without valid MX record, reverse DNS and static IP.



I've tried sending an email using mail from the cmd line on my VPS to my gmail account just as a test to see what happens.

```
Jun 20 09:09:17 vps31950 sendmail[4976]: u5K79HZ3004976: from=root, size=78, class=0, rcpts=1, msgid=<201606200709.u5K79HZ3004976@vps31950.localdomain>, relay=root@localhost
Jun 20 09:09:17 vps31950 sendmail[4976]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jun 20 09:09:17 vps31950 sm-mta[4977]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jun 20 09:09:17 vps31950 sm-mta[4977]: u5K79HDe004977: from=root@vps31950.localdomain>, size=418, class=0, nrcpts=1, msgid=<201606200709.u5K79HZ3004976@vps31950.localdomain>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Jun 20 09:09:17 vps31950 sendmail[4976]: u5K79HZ3004976: to=****@gmail.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30078, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (u5K79HDe004977 Message accepted for delivery)
Jun 20 09:09:17 vps31950 sm-mta[4979]: STARTTLS=client, relay=gmail-smtp-in.l.google.com.,version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Jun 20 09:09:20 vps31950 sm-mta[4979]: u5K79HDe004977: to=<****@gmail.com>, ctladdr=<root@vps31950.localdomain> (0/0), delay=00:00:03, xdelay=00:00:03, mailer=esmtp, pri=30418, relay=gmail-smtp-in.l.google.com. [64.233.161.26], dsn=2.0.0, stat=Sent (OK 1466406561 i188si27202900lfe.82 - gsmtp)
```

Clearly, vps31950.localdomain is unsatisfactory - it's the hostname given by the hosting company. Although I do have a static IP address and a resolvable domain name for this host, I'm just not sure where to configure it since sendmail seems to have so many configuration files.

In /etc/mail/access.sample it mentions

```
# Mail relay access control list.  Default is to reject mail unless the
# destination is local, or listed in /etc/mail/local-host-names
```

There is no /etc/mail/local-host-names, not even a sample, so I don't know what to put in it, and I'm not sure if this is all I need to change to enable sending mail.


----------



## balanga (Jun 20, 2016)

wblock@ said:


> We do have a whole Handbook chapter on Sendmail: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/sendmail.html.



I have a 1000-page book on sendmail, but when I start reading through it I get a headache.


----------



## usdmatt (Jun 20, 2016)

Make sure your hostname is set correctly in /etc/rc.conf. This is what Sendmail will use by default.
Then go into /etc/mail and run `make`.

```
# cd /etc/mail
# make
```
You should now have a file called server.hostname.mc. This is the file you should use to configure any Sendmail settings such as smart hosts, DNSRBL, etc. (Even editing this 'simplified' Sendmail configuration is a bit beyond a forum post but there's lots of info on the net). The defaults should be good enough to get email working though.
When you edit this file, run the following to generate the new configuration:

```
# make install restart
```
Running `make` on its own will generate server.hostname.cf configuration from server.hostname.mc. `make install` will install this file as sendmail.cf. `make restart` restarts Sendmail.

By default it will only accept emails addressed to someuser@server.hostname. If you want to accept for other domains, add them to /etc/mail/local-host-names, one per line. To configure specific addresses add them to /etc/mail/virtusertable. After editing these files run `make install restart` again. (Can't remember 100% if `install` is required here)

/etc/mail/local-host-names:

```
somedomain.com
otherdomain.com
```
/etc/mail/virtusertable:

```
user@somedomain.com         localuser
```
You will also want to make sure that server.hostname points to the correct IP address in DNS, and the reverse DNS for the IP address also maps to server.hostname. Clients or MX records can use any hostname you want such as mail.somedomain.com.


----------



## balanga (Jun 20, 2016)

usdmatt said:


> Make sure your hostname is set correctly in /etc/rc.conf. This is what Sendmail will use by default.



As I understand it the hostname in /etc/rc.conf is only read at boot up, and since this is running on a remote VPS I am a bit reluctant to reboot the system. Is there any way to refresh hostname without rebooting?


----------



## usdmatt (Jun 20, 2016)

You could try `# hostname my.hostname` then restart Sendmail.
If you telnet to localhost on port 25, Sendmail should output the hostname it is using. Then just type quit to exit back to the shell.


----------



## balanga (Jun 21, 2016)

usdmatt said:


> You could try `# hostname my.hostname` then restart Sendmail.
> If you telnet to localhost on port 25, Sendmail should output the hostname it is using. Then just type quit to exit back to the shell.



I tried to `telnet localhost 25` on the actual system and it did show 'myhostname' - I believe the system had been rebooted so the hostname may have been changed through that. But when I try `telnet 'myhostname' 25` from my LAN I get


```
Trying 176.122.227.xxx...
telnet: connect to address 176.122.227.xxx: Connection refused
telnet: Unable to connect to remote host
```

So it looks like Sendmail is not accepting incoming mail.


----------



## usdmatt (Jun 21, 2016)

Make sure you have sendmail_enable="YES" in /etc/rc.conf.
I think it only accepts email from localhost by default.


----------



## balanga (Jun 21, 2016)

I did have this in /etc/rc.conf but have now added it, although I have not yet run `service sendmail start`. Instead I ran `service sendmail status`, which showed

```
service sendmail status
sendmail is running as pid 8141.
sendmail_msp_queue is running as pid 8143.
```

So I guess it is already running...


----------



## usdmatt (Jun 21, 2016)

You're best off stopping and restarting it.
It runs by default but is probably only listening on localhost.


----------



## balanga (Jun 21, 2016)

Seems to be OK now - I can telnet from my LAN now, so maybe I can send mail - will give it a try...


----------



## balanga (Jun 21, 2016)

Unfortunately mail doesn't get through... I need to do something with MX records at the ISP hosting my domain.

It's a long time since I dabbled with MX records...


----------



## usdmatt (Jun 21, 2016)

For a start I find the following command extremely useful to make sure Sendmail is configured to do the right thing with a specific email address:

```
# sendmail -bv me@somedomain.com
me@somedomain.com... deliverable: mailer local, user myusername
```
That shows that the email address is configured to be accepted by the local Sendmail mailer, and will be delivered to the local user myusername.

MX records are pretty simple, you just need to point it at your mail server's hostname.

```
somedomain.com IN MX 10 mailserver.hostname.
```

If the mail server is on a LAN, you'll need to forward port 25 through to it from the gateway router.


----------



## balanga (Jun 21, 2016)

usdmatt said:


> For a start I find the following command extremely useful to make sure Sendmail is configured to do the right thing with a specific email address:
> If the mail server is on a LAN, you'll need to forward port 25 through to it from the gateway router.



No, the mail server is on some distant VPS. I'm trying to send mail to it from my local LAN. 

It's weird that I can telnet to port 25, but I can't send mail to it via gmail...


----------



## SirDice (Jun 21, 2016)

Mail is sent to the MX address(es) of the domain. If the domain doesn't have an MX record (or it points to the wrong server) mail cannot be sent to it.

So if you want to send an email to test@example.com the example.com domain must have an MX record pointing to the mail server that can receive for the example.com domain. Just because you have an open port 25 it doesn't mean other mailservers are able to find it.
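An added example, not from this thread, that applies what usdmatt's MX record line and SirDice's explanation say to a zone file: it parses the MX records, orders them by preference (a sending MTA tries the lowest preference value first), and flags the three mistakes that most often leave a domain unreachable: an MX target written as an IP address, a target missing its trailing dot (relative to the zone origin, so it silently becomes a different name), and a target that is a CNAME (forbidden by RFC 2181). The zone fragment, names and addresses are constructed placeholders; the `check_mx` function and its `origin` argument are this example's own.

```python
import ipaddress
import re

# Constructed zone fragment (placeholder names; 192.0.2.0/24 is a documentation range).
# It deliberately contains one good MX, one relative target, one IP-literal target
# and one MX for another domain that points at a CNAME.
SAMPLE_ZONE = """\
$ORIGIN somedomain.com.
@                 IN MX 10 mailserver.hostname.
@                 IN MX 20 backup.hostname          ; no trailing dot: relative name
@                 IN MX 5  192.0.2.25               ; an address is not a valid MX target
mail              IN CNAME mailserver.hostname.
otherdomain.com.  IN MX 10 mail.somedomain.com.     ; points at the CNAME above
"""

MX_RE = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+MX\s+(?P<pref>\d+)\s+(?P<target>\S+)$", re.I)
CNAME_RE = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(?P<target>\S+)$", re.I)


def qualify(name, origin):
    """Make a zone-file name absolute: '@' is the origin, names without a trailing dot are relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def is_ip_literal(text):
    """True when the MX target is an IPv4/IPv6 address instead of a hostname."""
    try:
        ipaddress.ip_address(text.rstrip("."))
        return True
    except ValueError:
        return False


def zone_records(zone_text):
    """Yield non-empty zone lines with comments and directives stripped."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and not line.startswith("$"):
            yield line


def check_mx(zone_text, origin):
    """Return MX targets per owner in delivery order plus a list of problems found."""
    origin = origin if origin.endswith(".") else origin + "."
    # First pass: collect CNAME owners so MX targets can be checked against them.
    cnames = {qualify(m["name"], origin).lower()
              for m in map(CNAME_RE.match, zone_records(zone_text)) if m}
    order, problems = {}, []
    for line in zone_records(zone_text):
        m = MX_RE.match(line)
        if not m:
            continue
        owner = qualify(m["name"], origin).lower()
        target = m["target"]
        if is_ip_literal(target):
            problems.append(f"{owner}: MX target {target!r} is an IP address; MX must name a host")
            continue
        if not target.endswith("."):
            problems.append(f"{owner}: MX target {target!r} has no trailing dot, so it resolves to {qualify(target, origin)!r}")
        fq = qualify(target, origin).lower()
        if fq in cnames:
            problems.append(f"{owner}: MX target {fq!r} is a CNAME, which RFC 2181 forbids")
        order.setdefault(owner, []).append((int(m["pref"]), fq))
    # Lowest preference value is tried first; equal values are tried in any order.
    for targets in order.values():
        targets.sort()
    return {"order": order, "problems": problems}


if __name__ == "__main__":
    result = check_mx(SAMPLE_ZONE, "somedomain.com")
    for owner, targets in result["order"].items():
        print(owner, "->", ", ".join(f"{p} {t}" for p, t in targets))
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

Run it against your own zone export before publishing the record; a live check with `host -t mx somedomain.com` afterwards confirms that what the resolver sees matches what you intended.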


----------



## drhowarddrfine (Jun 21, 2016)

As you move on, remember to look in /var/log/maillog for messages.


----------



## balanga (Jun 22, 2016)

```
Jun 22 00:00:00 mydomain newsyslog[21367]: logfile turned over
Jun 22 03:08:30 mydomain sendmail[22896]: u5M18UWt022896: from=root, size=17738, class=0, nrcpts=1, msgid=<201606220108.u5M18UWt022896@mydomain.org>, relay=root@localhost
Jun 22 03:08:30 mydomain sendmail[22896]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jun 22 03:08:30 mydomain sm-mta[22927]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jun 22 03:08:31 mydomain sm-mta[22927]: u5M18UAK022927: from=<root@mydomain.org>, size=18064, class=0, nrcpts=1, msgid=<201606220108.u5M18UWt022896@mydomain.org>, proto=ESMTP, daemon=IPv4, relay=localhost [127.0.0.1]
Jun 22 03:08:31 mydomain sendmail[22896]: u5M18UWt022896: to=root, ctladdr=root (0/0),delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=47738, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (u5M18UAK022927 Message accepted for delivery)
Jun 22 03:08:31 mydomain sm-mta[22945]: u5M18UAK022927: to=<root@mydomain.org>, ctladdr=<root@mydomain.org> (0/0), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=48399, relay=local, dsn=2.0.0, stat=Sent
Jun 22 03:08:45 mydomain sendmail[22953]: u5M18jC4022953: from=root, size=1550, class=0, nrcpts=1, msgid=<201606220108.u5M18jC4022953@mydomain.org>, relay=root@localhost
Jun 22 03:08:45 mydomain sendmail[22953]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jun 22 03:08:45 mydomain sm-mta[22955]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jun 22 03:08:45 mydomain sm-mta[22955]: u5M18jQR022955: from=<root@mydomain.org>, size=1876, class=0, nrcpts=1, msgid=<201606220108.u5M18jC4022953@mydomain.org>, proto=ESMTP, daemon=IPv4, relay=localhost [127.0.0.1]
Jun 22 03:08:45 mydomain sendmail[22953]: u5M18jC4022953: to=root, ctladdr=root (0/0),delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31550, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (u5M18jQR022955 Message accepted for delivery)
Jun 22 03:08:45 mydomain sm-mta[22956]: u5M18jQR022955: to=<root@mydomain.org>, ctladdr=<root@mydomain.org> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32211, relay=local, dsn=2.0.0, stat=Sent
Jun 22 06:40:35 mydomain sm-mta[24397]: u5M4eZh9024397: mail.ndscorp.vn [203.171.31.60] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
```

I assume most of these entries are just the result of admin tasks which are done automatically, although I'm not sure what triggers them.

I don't have an MX record setup yet so am not sure what brought about the last entry - I guess it was just a random spammer.


----------



## SirDice (Jun 22, 2016)

balanga said:


> I don't have an MX record setup yet so am not sure what brought about the last entry - I guess it was just a random spammer.


Yeah, although you don't have an MX record yet, as soon as you open port 25 (or any other port) bots are going to find it and will try to abuse it. So, especially with mail servers, make sure your server is configured correctly, as it is really easy to get abused as a spam relay.


----------



## balanga (Jun 22, 2016)

SirDice said:


> Yeah, although you don't have an MX record yet, as soon as you open port 25 (or any other port) bots are going to find it and will try to abuse it. So, especially with mail servers, make sure your server is configured correctly, as it is really easy to get abused as a spam relay.



What do I need to ensure to prevent being used as a spam relay?


----------



## SirDice (Jun 22, 2016)

Since you're not actually using it (as you don't have an MX record for it) I would suggest simply taking it off the internet. To _send_ email you don't require a port listening on the internet. What's not open can never be abused.


----------



## ShelLuser (Jun 23, 2016)

There's one thing puzzling me here. Looking at the originally shared log snippet, I can't help noticing this one:



balanga said:


> ```
> Jun 20 09:09:17 vps31950 sm-mta[4979]: STARTTLS=client, relay=gmail-smtp-in.l.google.com.,version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
> Jun 20 09:09:20 vps31950 sm-mta[4979]: u5K79HDe004977: to=<****@gmail.com>, ctladdr=<root@vps31950.localdomain> (0/0), delay=00:00:03, xdelay=00:00:03, mailer=esmtp, pri=30418, relay=gmail-smtp-in.l.google.com. [64.233.161.26], dsn=2.0.0, stat=Sent (OK 1466406561 i188si27202900lfe.82 - gsmtp)
> ```


That last line is a clear indication that your MTA offered the e-mail up to Google which then accepted it. As such your e-mail did get through. Did you check your spam folders and such?


----------



## balanga (Jun 23, 2016)

SirDice said:


> Since you're not actually using it (as you don't have an MX record for it) I would suggest simply taking it off the internet. To _send_ email you don't require a port listening on the internet. What's not open can never be abused.



I am intending to receive mail, I just want to ensure I'm not creating a spam gateway before creating an MX record and that I don't get bombarded with unwanted mail.


----------



## balanga (Jun 23, 2016)

ShelLuser said:


> There's one thing puzzling me here. Looking at the originally shared log snippet, I can't help noticing this one:
> 
> 
> That last line is a clear indication that your MTA offered the e-mail up to Google which then accepted it. As such your e-mail did get through. Did you check your spam folders and such?



I was able to send from my VPS and the mail did get through. I'm just looking at what I need to do to be able to receive...
...apart from getting an MX record in place.


----------



## usdmatt (Jun 23, 2016)

Sendmail shouldn't be an open relay by default, although the diagnostic check at mxtoolbox.com is useful to test it.


----------



## SirDice (Jun 24, 2016)

usdmatt said:


> although the diagnostic check at mxtoolbox.com is useful to test it.


Definitely recommended to use.


----------

