Providing E-mail Services for a Small Office
Let's get the Sun/Linux mail passing out of the way first, so if you don't need the second server, you can ignore it and move on.
The Sun box's /etc/mail/sendmail.cf is standard. When I set this up, I was still new to Solaris and hesitant to fool too much with a system running our whole plant, so I did this to pass mail out /etc/mail/sendmail.cf entry:
188.8.131.52 linuxserver mailhostBefore I made the change, /etc/hosts had the mailhost entry after the Sun's IP address:
184.108.40.206 mrpserver mailhostThis seemed to do the trick to get outgoing mail over to the Linux box.
On the Linux box, we want all local mail to go to the Sun box, where the users' mail folders reside. None of my users, aside from me, directly log in to the Linux box. They use files shared through Samba. Telnet and FTP access is closed off:
The exceptions to this are root and the thriftycompany user, whom I'd like to stay on this box:
CL root thriftycompanyThat about covers the interaction between the two local UNIX boxes. Local mail stays on the Sun, internet mail gets passed to Linux and then queued for the next connection. Incoming internet mail will get re-addressed to local users and then relayed to the Sun box. The root and thriftycompany accounts on the Linux box stay put, and I check those as part of my daily routine.
Some of this setup was taken from various HOWTOs over the years; other parts I gleaned from scouring Usenet and the O'Reilly sendmail book.
sendmail startup: for a demand dial scenario, we don't want sendmail initiating the connection each time there is mail in the queue, so you need to edit your sendmail startup line to hold off on “expensive” mail:
old entry: /usr/sbin/sendmail -bd -q15m new entry: /usr/sbin/sendmail -bd -os
On a Red Hat-based system, this would be set up in /etc/sysconfig/sendmail and/or /etc/rc.d/init.d/sendmail.
You'll be defining which mail is expensive within the /etc/sendmail.cf file in Listing 1, as well as telling sendmail to hold this type of mail.
Notice the “e” in the “F=” portion for smtp, esmtp and smtp8. This is the “expensive” flag, and we leave it off the local relay. Also the Mlocal and Mprog should not have this flag so that local system mail gets delivered immediately.
A cron job connects to the Internet twice an hour, and as part of that job, we will send out all the queued mail once the internet connection is in place:
/usr/sbin/sendmail -q -v
Now to get the outgoing mail delivered and not rejected by domains on the Internet. Since we do not have a valid domain name, we need to do some work on the return address. We need to masquerade the return address, as well as the envelope, and to get any replies back to the original sender, we need to rewrite the “From:” address.
If you are building up your sendmail.cf from m4 sources, then your local .mc file needs to contain the following:
MASQUERADE_AS(someisp.com) FEATURE(masquerade_envelope) FEATURE(limited_masquerade) FEATURE(genericstable)
We are using limited masquerading so only hosts defined in CM get masquerade. If you are just editing /etc/sendmail.cf, then the following lines need to be modified as shown:
# who I masquerade as (null for no masquerading) (see also $=M) DMsomeisp.comYou will probably also want to relay the mail through your ISP so that any downstream mail servers see the mail as coming from a valid domain:
# "Smart" relay host (may be null) DSsmtp:smtp.someisp.comDefine the domain names that should be converted to the masqueraded address:
CG mrpserver.thriftycompany.com CM mrpserver.thriftycompany.com(If you've got just the one box, this would be linuxserver.thriftycompany.com.)
Now, the sendmail.cf lines to masquerade the contents and the envelope get a bit messy. You would probably be better off building a sendmail.cf from the m4 sources as shown in Listing 2.
The final piece of the outgoing puzzle is to get the user's return address rewritten. If I were to compose a message on the Sun box, Pine would put together a return address that looks something like this:
Stew Benedict <email@example.com>
Looks good enough, except that it is not a real address out on the Internet, and I would never get a reply to my message. Plus, most mail systems would reject it coming in as a nonexistent domain address.
What I want it to look like is this:
Stew Benedict <firstname.lastname@example.org>
This is where sendmail's “genericstable” feature will finish up the job. Again, if you are building up your sendmail.cf from m4 sources, the following line will do the trick:
FEATURE(genericstable)In the sendmail.cf file, if you are hand editing it:
# Generics table (mapping outgoing addresses) Kgenerics hash -o /etc/genericstable(The -o means “optional”, so sendmail will not halt on startup for lack of the file.) This addition to your local .mc file generates the block shown in Listing 3 in sendmail.cf.
The genericstable.db file is built up from a text file of the following format:
stew email@example.com joe firstname.lastname@example.org
This file is then fed to the makemap program to create the db file:
makemap hash genericstable.db < genericstableThat does it for outgoing mail. Once you have finished creating/modifying sendmail.cf and creating the genericstable.db file, you will need to restart sendmail. On a Red Hat-based system, this is done with:
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems
Join editor Bill Childers and Bit9's Paul Riegle on April 27 at 12pm Central to learn how to keep your Linux systems secure.
Free to Linux Journal readers.Register Now!
|diff -u: What's New in Kernel Development||Aug 20, 2014|
|Security Hardening with Ansible||Aug 18, 2014|
|Monitoring Android Traffic with Wireshark||Aug 14, 2014|
|IndieBox: for Gamers Who Miss Boxes!||Aug 13, 2014|
|Non-Linux FOSS: a Virtualized Cisco Infrastructure?||Aug 11, 2014|
|Linux Security Threats on the Rise||Aug 08, 2014|
- diff -u: What's New in Kernel Development
- Security Hardening with Ansible
- NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance
- Tech Tip: Really Simple HTTP Server with Python
- Monitoring Android Traffic with Wireshark
- New Products
- [<Megashare>] Watch Mrs Brown's Boys Movie Online Full Movie HD 2014
- RSS Feeds
- Linux Systems Administrator
- Technical Support Rep