Sunday, December 25, 2011

Configuring Sendmail Webmin

Configuring Sendmail

On this page a basic introduction to email is given, followed by a description of the Sendmail mail server and the Webmin module for configuring it.

Introduction to Internet Email

When you use a mail client program like Outlook or Evolution to send email, the program simply passes the message to a mail server for delivery to the destination. This server (also known as the MTA or Mail Transfer Agent) locates the correct system for the destination address, connects to the MTA on that system and transmits the message. When the other server receives the email, it checks to make sure it is truly destined for this system and if so stores it in a local mail file.
Later when the destination user checks his email, the file is read by a program such as Elm, Pine or Usermin, or by a POP3 server. Mail clients like Evolution and Outlook are usually run on a different system to the mail server, and use the POP3 protocol to download messages for local storage. Once the email has been retrieved in this way, the delivery process is complete and it can be read by a user.
Mail transfer agents use the SMTP (Simple Mail Transfer Protocol) to send email to each other over the Internet. Clients also use SMTP to send mail to servers for onward delivery. Very few MTAs implement the POP3 protocol for mail retrieval - instead, they simply write mail to a file which is read by a separate POP3 server program. Chapter 15 explains how to enable a POP3 server on your system, and chapter 33 explains the protocol in a little more detail.
The mail server that a client contacts to send a message is usually on its local network, at the ISP the client system is connected to, or even the same system. Ideally, this first MTA will directly contact the destination server, but this is not always the case. The destination MTA may be down or unreachable, in which case email will be sent to an alternate server instead. SMTP forwarding rules or per-user mail forwarding settings may cause email messages to be sent to other servers before they are finally delivered into a mailbox file.
If you want your system to be able to receive email, you will need to run a mail transfer agent program. This is only the first step though - to run your own mail domain such as example.com so that mail to foo@example.com is delivered to the mailbox foo on your system, some network and DNS configuration is required. Typically, your system will need a fixed IP address and a permanent connection to the Internet. This means that running a proper mail server on a system connected occasionally via dial-up is impractical.
For other servers on the Internet to know to send mail to your system, appropriate DNS records must be created. Typically, an MX (Mail Server) record is defined for the domain, like example.com, that has the hostname of your system as its value, like server.example.com. This tells other MTAs to connect to your system to deliver email for the example.com domain. If you are running your own DNS server for the domain, chapter 30 explains in detail how to create an MX record. Otherwise, you will have to tell whoever is hosting the domain (for example your ISP) to add the correct record.
In fact, it is possible for any system to receive email addressed to its full Internet hostname, such as jcameron@linuxbox.example.com. As long as there is no MX record matching linuxbox.example.com, other mail servers will do a normal A (address) record lookup for the hostname and connect directly to the system.
Sometimes, it does make sense to run a mail server even if you have a dynamically assigned IP address or ephemeral Internet connection. The Fetchmail program (covered in chapter 33) can be used to download email using the POP3 protocol and deliver it to a local mailbox on your system, which requires that an MTA be running. This local mail server may never accept a direct SMTP connection from another system on the Internet, but it can still deliver mail sent by programs on your system to local mailboxes.
Occasionally it is useful (and even necessary) to run a mail server that only deals with outgoing mail sent by local client programs, and not with delivering incoming messages. Instead of configuring mail clients to use a remote MTA (such as the one at your ISP), you can tell them to use your own system's mail server instead. It will accept messages from local clients and try to deliver them to their final destinations, or put them in a queue for later delivery. Some programs that send email can only use a local mail server, which they connect to by running the sendmail program.
Because almost all ISPs and companies run their own mail servers, if you are happy to use an email address at your organization's or ISP's domain there is no need to run your own. Instead, you can simply configure your Linux mail client like KMail or Evolution to download mail from and send out email via another server. For most people who just have a single email address and don't need to host their own email domain, there is no need to set up a mail server.

The Sendmail Configuration module

Sendmail is the most popular MTA in use on the Internet today, and has been since it was first developed. It is included as standard with almost all variants of the Unix operating system, and works the same on all of them. It has many useful features for routing and processing email, such as aliases, domain routing and user-creatable forward files.
Sendmail has a one-to-one mapping between Unix users and mailboxes. Each user has his own mail file, typically in the /var/mail or /var/spool/mail directory. Each time a message is delivered to a user, it is appended to the file with the same name as the user in that directory, such as /var/mail/jcameron. Sendmail has no concept of 'mail users' - if you want to create a new mailbox, you will need to add a new Unix user as explained on UsersAndGroups.
Sendmail can accept email in two different ways - either from an SMTP connection, or by another program invoking the sendmail command with the right parameters and feeding the email to it as input. Either way, the message is either delivered to a local user's mailbox or sent to another system. As you would expect, if the Sendmail server process is not running then it is impossible for email to be sent to your system via SMTP. In addition, any queued email will not be delivered.
Sendmail's primary configuration file is appropriately named sendmail.cf, and is found in the /etc or /etc/mail directory. In addition, there are separate text and DBM format files for local domains, mail forwarding aliases, address mappings and other features discussed later in this chapter. Almost all of these additional files are actually in the Unix DBM database format, but are built from a corresponding text file that the system administrator (and Webmin) can edit. Sendmail only reads the DBM files though, and re-checks them for every message received so that any change to one of the database files becomes immediately active.
To set up Sendmail using Webmin you will need to visit the Sendmail Configuration module, which can be found under the Servers category. Assuming you have the server installed, the module's main page will look like the example shown below.

The Sendmail Configuration module
If the module cannot find the Sendmail server program or primary configuration file on your system, an error message to that effect will be displayed instead. Check your Linux distribution CD or website for the sendmail package, and install it using the Software Packages module (covered on SoftwarePackages). If other packages whose names start with sendmail- are available (such as sendmail-cf or sendmail-docs), install them as well.
This error can also occur in the unlikely event that you have installed Sendmail or its configuration file in a different location to the one the module expects. By default, it assumes that you will use the packages that come with your operating system, but these are often out of date. For this reason, you may have compiled and installed the latest version in a different directory. If so, see the Configuring the Sendmail Configuration module section below for instructions on how to change the program and configuration file paths.
Sendmail has gone through many different releases over the years, and in that time its primary configuration file (usually found at /etc/sendmail.cf) has changed. If you are running a very old version or using an old configuration file, the module's main page will display an error message indicating that the file format is not supported. Configurations older than version 7 trigger this error, but fortunately they are rarely found on modern Unix systems.
If no error message appears on the main page, the table of icons shown in the image above will be displayed. Each can be clicked on to access one of Sendmail's features, such as mail aliasing, domain routing or the mail queue. The rest of this chapter explains how to use the pages and forms under each of the icons. Next to the name of each icon (such as Address Mapping) is the internal name of the Sendmail configuration feature in brackets that it controls, such as virtuser. These names are mostly useful to experienced administrators who want to know how the icons in the module relate to actual configuration files and directives.
Some of the icons when clicked on may display a message like Your Sendmail configuration does not have the address mapping (virtuser) feature enabled. On many operating systems, the primary Sendmail configuration file does not have all the available features activated by default. To make the chosen icon's pages available, follow the instructions in the Adding Sendmail features with M4 section later in this chapter.
If the Sendmail server process is running, a button labelled Stop Sendmail will appear at the bottom of the main page. As its name suggests, clicking on this button will shut down the server so that your system no longer accepts SMTP connections, and no longer scans the mail queue. Conversely, when Sendmail is not running a Start Sendmail button will appear instead, which can be used to start the server process.
If you want Sendmail to run all the time, use the Bootup and Shutdown module (covered on BootupAndShutdown) to have its server process started at boot time. Most packages will include an action script that can be enabled, and may even be enabled by default. Otherwise, you will need to create an action that runs the command /usr/sbin/sendmail -bd -q30m at boot time.

Editing local domains and domain masquerading

When Sendmail receives an email message via an SMTP connection, it needs to work out if it should be delivered locally or forwarded to another server. This is done by looking at the message's To address, specifically the domain part after the @. The domain is compared to a list of local domains, and if a match is found the email is delivered to the mailbox of the user whose name is to the left of the @ in the To address. If no such user exists, a bounce message is generated and sent back to the original sender.
If the domain is not local, Sendmail will look up the mail server for the domain and attempt to connect to it in order to transfer the message. This is what usually happens when a client on the same network connects to send out email. However, a problem will occur if Sendmail attempts to connect back to itself, which can happen if the DNS says that it is the mail server for a domain which is not on its local domains list. If this happens, a bounce message will be sent back to the sender, containing text like mail loops back to me.
By default, this local domains list contains only the full hostname of your system, such as server.example.com. If you are setting up a server to receive email from the Internet for some domain (like example.com), it will need to be added to the list. The steps to do this are :

  1. On the module's main page, click on the Local Domains icon. A page containing a text box in which all current local domains are listed will be displayed.
  2. Add as many extra domains or hostnames to the list as you like, one per line. It is quite possible for a server to accept mail for several domains, especially if it is going to be used for virtual hosting. As the introduction explains, mail will only be sent to your system in the first place if an appropriate MX DNS record exists for each domain.
  3. Click the Save button at the bottom of the page to make them active.

Sendmail will always accept for local delivery email messages in which the To address does not contain a domain, just a username. These are often sent by programs running on the system itself, such as the Cron daemon or the mail command.
The flip side of the local domains list is domain masquerading. This Sendmail feature allows you to set the domain that is added to email sent out from your system when none is specified, such as by the mail command. It is also possible to have Sendmail modify the From address domains of messages received via SMTP, such as those sent by mail clients.
To set up domain masquerading, the steps to follow are :

  1. On the module's main page, click on the Domain Masquerading icon.
  2. Fill in the Masquerade as domain field with the name of the domain that should be appended to outgoing From addresses that lack one, such as example.com. If the field is left blank, no domain modification will be done by Sendmail.
  3. To have Sendmail re-write the From addresses of messages from other domains, fill in the Domains to be masqueraded field. This can be useful if some of the mail clients that send out messages via your server insist on using the wrong domain.
  4. Click the Save button to make masquerading active.

On most mail servers, you do not need to bother configuring masquerading as all mail is sent by client programs using SMTP. All mail clients allow the user to specify a complete From address, which should include the correct domain.

Managing email aliases

A mail alias specifies that email received by your server for a particular mailbox should be forwarded to a different destination instead. That destination can be another email address, a file of addresses, a local file or even the input to a program. They can be useful for setting up pseudo mailboxes that actually send email to a real person, such as sales@example.com or webmaster@example.com. An alias can have the same name as a Unix user, in which case it will intercept all mail to that user and forward it to a different destination instead.
On most operating systems, Sendmail has several aliases defined by default for system users like bin, nobody and uucp, all of which forward mail to root. There will also be a postmaster alias, which every mail server must have, and which should forward messages to someone responsible for the mail server. Typically, this will be the root user as well.
To create a mail alias of your own using Webmin, the steps to follow are :

  1. On the module's main page, click on the Mail Aliases icon. You will be taken to a page listing all existing aliases and their destinations, with a form at the top for adding a new one. The screenshot below shows an example.
  2. In the Address field of the Create Alias form, enter the user or mailbox name for this alias (the part of the address to the left of the @). If your server hosts multiple domains, the alias will forward email sent to the entered name at any of those domains. For example, if your server accepts mail for foo.com and bar.com, then an alias called sales will forward email to both sales@foo.com and sales@bar.com. If you want to be able to forward the same mailbox name at multiple domains differently, see the section below titled Managing virtual address mappings.
  3. Assuming you actually want this alias to be used by Sendmail, leave the Enabled? field set to Yes. Changing it to No will cause the alias to be ignored. This field can be used when editing an alias to temporarily disable it rather than totally deleting it.
  4. The Alias to field determines where email to this alias will be sent. The following options are available from the menu :
    • <None> Nothing at all will be done with received email. It makes no sense to select this option when creating a new alias.
    • Email address Email will be forwarded to the user or address entered into the adjacent field. Be careful not to set up a forwarding loop by sending email back to the alias's address again! If you are creating an alias that has the same name as a Unix user and really do want email to be delivered to his mailbox as well as some other destinations, enter the username preceded by a backslash (like \jcameron) into this field. The backslash tells Sendmail to bypass alias checking.
    • Addresses in file Email to the alias will be sent to all the addresses in the text file whose file path is entered into the adjacent text field. Each address must be on a separate line. This option can be useful for creating a simple mailing list, and aliases of this type are used by the Majordomo list manager (covered on MajordomoListManager).
    • Write to file The full text including all headers of email received by the alias will be appended to the file whose path is entered into the text box.
    • Feed to program The program whose path and parameters are entered into the text box will be run, and the full text including all headers of email received by the alias will be fed to it as input. This kind of alias is most useful to programmers who want to perform their own custom processing or filtering of email messages. The program is usually run as the Unix user daemon, not root or the user with the same name as the alias.
    • Autoreply from file When email is sent to the alias, the contents of the file specified in the adjacent text box will be sent back to the original sender. See the Creating autoreply aliases section below for more information on using aliases of this type.
    • Apply filter file Email sent to the alias will be processed according to the rules in the filter file entered into the text box, which can forward to different destinations depending on the message contents. See the Creating filter aliases section later in the chapter for more details.
     It is possible for an alias to have multiple destinations. To add more than one, you will need to re-edit this alias after saving it and fill in the row with <None> selected at the bottom of the Alias to table.
  5. Click Save to have the alias added to the list, and immediately made active.

The mail aliases list
As is usual in Webmin, you can edit an existing alias by clicking on its name in the list on the Mail Aliases page. This will bring up an editing form that contains all the same fields as the creation form, but has Save and Delete buttons at the bottom instead. The first of these will update the alias with any changes that you have made, while the second will permanently delete it.
If a Unix user has a file named .forward in its home directory, email that would normally be delivered to its mail file will be sent to the addresses listed in the .forward file instead. In many ways, these files are equivalent to aliases that can be created by individual users instead of by the system administrator. It is even possible for a .forward file to contain entries that tell Sendmail to send email to a list of addresses in another file, feed it to a program as input, or append it to a file.
This module does not support the editing of .forward files though. However, Usermin (covered on UserminConfiguration) does allow normal users to edit their own forwarding files using a web-based interface almost identical to the one described in this section.
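The destination types listed in this section correspond to prefixes in the aliases text file, and the ones that run a program, append to a file or read an address list are worth reviewing on any mail server. The following is an added example, not code from Webmin or Sendmail: it parses a constructed sample in the standard "name: destination, destination" syntax and reports those destinations, forwarding loops and a missing postmaster alias. All alias names and paths in the sample are made up.

```python
# Added example (not Webmin or Sendmail code): flag alias destinations that
# run programs, write files or read address lists, plus forwarding loops.

# Constructed sample in the aliases text-file syntax "name: dest, dest".
SAMPLE_ALIASES = """\
postmaster: root
bin: root
sales: jcameron, fred@example.com
jcameron: \\jcameron, archive@example.com
staff: :include:/etc/mail/staff.list
audit: /var/log/mail-audit
support: "|/usr/local/bin/ticket-filter --queue support"
webmaster: fred,
    webmaster
"""


def split_destinations(rhs):
    """Split on commas, but not on commas inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in rhs:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_aliases(text):
    """Return {alias: [destinations]}; indented lines continue the previous alias."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            entries[current] += split_destinations(raw)
            continue
        name, sep, rhs = raw.partition(":")
        if not sep:
            continue
        current = name.strip().lower()
        entries[current] = split_destinations(rhs)
    return entries


def classify(dest):
    """Map one destination to (kind, target) using its leading characters."""
    if dest.startswith("|"):
        return "program", dest[1:].strip()        # "Feed to program"
    if dest.startswith(":include:"):
        return "include", dest[len(":include:"):]  # "Addresses in file"
    if dest.startswith("/"):
        return "file", dest                        # "Write to file"
    if dest.startswith("\\"):
        return "local-direct", dest[1:]            # bypasses alias checking
    return "address", dest


def audit(entries):
    """Return (alias, finding, detail) tuples in file order."""
    findings = []
    for name, dests in entries.items():
        for dest in dests:
            kind, target = classify(dest)
            if kind in ("program", "file", "include"):
                findings.append((name, kind, target))
            elif kind == "address" and target.lower() == name:
                # An alias that forwards to its own name without a backslash.
                findings.append((name, "loop", target))
    if "postmaster" not in entries:
        findings.append(("postmaster", "missing", ""))
    return findings


if __name__ == "__main__":
    for alias, finding, detail in audit(parse_aliases(SAMPLE_ALIASES)):
        print(f"{alias:12} {finding:8} {detail}")
```

Because .forward files accept the same kinds of destination, the classify function applies to their entries as well.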

Configuring relaying

In the early days of the Internet, mail servers could safely deliver mail to local domains and forward all other email to another MTA, regardless of its source. Today, allowing your server to forward any email that it receives is an invitation to spammers to use your system as a relay. A well configured server should only accept email for non-local domains from trusted client hosts, such as those on the company network or home LAN. Email sent to local domains is safe, and can be accepted from anywhere.
If Sendmail on your system is an open relay (one that accepts non-local email from anywhere), people sending out millions of spam email messages can use it to cover their tracks. Even if you are running a small mail server for a tiny company that you think no spammer will ever know about, it is still a very bad idea to leave your system open to relaying.
For this reason, the Sendmail packages that come with modern Linux distributions are configured by default to prevent the server accepting non-local email from anywhere except the same system. If you are setting up a mail server for a company or for your home LAN, you will need to allow other hosts to relay mail as well :

  1. On the module's main page, click on the Relay Domains icon to bring up a form for entering relay networks and domains.
  2. In the Domains to which relaying is allowed field, add the address of the network that you want to allow clients to relay from. It should be entered without any trailing zeros, for example 192.168.1. More than one network can be entered, as can specific IP addresses. You can also enter domain names like foo.com that Sendmail will allow relaying to. Any received email message (no matter what its source) that is destined for a specified domain will be delivered to the appropriate server. This can be useful if your system is a mail gateway for other domains that cannot be reached directly by the rest of the Internet, as explained in the Configuring domain routing section.
  3. Click the Save button to activate the new relay domains list.

One side effect of Sendmail's relaying restrictions is that there is no way to use your system as a server for outgoing email when you are connecting from an un-trusted network - in fact, that is the whole point. Sometimes though it can be annoying, for example if you dial into many different ISPs and don't want to re-configure your mail client to use a different outgoing mail server for each one. In an ideal world, it would be possible to use your own mail server for outgoing email no matter where you are connecting from, but this is normally impossible without turning off relay restrictions altogether.
The best solution to this problem is SMTP authentication, in which clients login to Sendmail before relaying email. Unfortunately, Webmin doesn't yet have any easy way of setting this up.
Another solution involves trusting clients that make a POP3 connection before SMTP, which most mail client programs do. However, this requires co-operation between the POP3 server and Sendmail, which are usually unrelated programs. At the time of writing, Webmin does not support its configuration either.
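The relaying rules in this section can be written down as a small decision function, which is useful for checking a planned relay list before saving it. This is an added example and a simplified model of the rules as described above, not Sendmail's own rule set; the domain lists and addresses are constructed, and domain entries are matched exactly.

```python
# Added example: a simplified model of the relay policy described in this
# section. It is not Sendmail's rule set; all sample values are constructed.

LOCAL_DOMAINS = ["server.example.com", "example.com"]
# Relay list as typed into the form: a network without trailing zeros,
# one specific IP address, and one destination domain.
RELAY_ENTRIES = ["192.168.1", "10.0.0.25", "foo.com"]


def is_ip_entry(entry):
    """True for entries made only of dotted numbers (network or host)."""
    return all(part.isdigit() for part in entry.split("."))


def client_trusted(client_ip, relay_entries):
    """Match the client against IP entries on whole-octet boundaries,
    so 192.168.1 covers 192.168.1.44 but not 192.168.10.44."""
    octets = client_ip.split(".")
    for entry in relay_entries:
        if is_ip_entry(entry):
            prefix = entry.split(".")
            if octets[:len(prefix)] == prefix:
                return True
    return False


def relay_decision(client_ip, rcpt, local_domains, relay_entries):
    """Return 'local', 'relay-client', 'relay-domain' or 'reject'."""
    _user, at, domain = rcpt.partition("@")
    domain = domain.lower()
    if not at or domain in (d.lower() for d in local_domains):
        return "local"              # accepted from anywhere
    if client_trusted(client_ip, relay_entries):
        return "relay-client"       # trusted host may send anywhere
    names = [e.lower() for e in relay_entries if not is_ip_entry(e)]
    if domain in names:
        return "relay-domain"       # accepted no matter what the source is
    return "reject"


def source_independent_entries(relay_entries):
    """Entries that open relaying to a destination for every client."""
    return [e for e in relay_entries if not is_ip_entry(e)]


# Constructed probes: (client address, recipient).
CASES = [
    ("203.0.113.7", "jcameron@example.com"),
    ("203.0.113.7", "root"),
    ("192.168.1.44", "someone@elsewhere.example"),
    ("192.168.10.44", "someone@elsewhere.example"),
    ("10.0.0.250", "someone@elsewhere.example"),
    ("203.0.113.7", "bob@foo.com"),
    ("203.0.113.7", "someone@elsewhere.example"),
]

if __name__ == "__main__":
    for client, rcpt in CASES:
        verdict = relay_decision(client, rcpt, LOCAL_DOMAINS, RELAY_ENTRIES)
        print(f"{client:15} {rcpt:28} {verdict}")
    print("any-source entries:", source_independent_entries(RELAY_ENTRIES))
```

The last probe is the one that matters for the open-relay problem: an outside client sending to an outside domain must come back as reject.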

Managing virtual address mappings

Address mappings are similar to aliases, except that they apply only to email sent to a specific user and domain, rather than to a user at any domain as aliases do. Another difference is that address mappings can only forward email to a single address, rather than to a program, file or list of addresses. However, this limitation can be overcome by combining both mappings and aliases.
You can use address mappings to have email to sales@foo.com and sales@bar.com sent to different final destinations, even though both domains are hosted by your server. This is particularly useful if you manage a large number of email domains for different customers, many of whom want to have similar addresses (such as sales) in their domains.
Address mappings can also be used to redirect all email to a particular domain to the same users at a different domain, so that for example mail to bob@foo.com and fred@foo.com will be sent to bob@bar.com and fred@bar.com respectively. Better still, you can have all email to any address at a domain sent to a single other address, which is useful for the POP3 mail client Fetchmail, as chapter 33 explains.
To create a new address mapping, the steps to follow are :

  1. On the module's main page, click on the Address Mappings icon. A page listing all existing mappings will be displayed, with a form at the top labelled Create Mapping for adding a new one.
  2. If you want to create a mapping for email to just a single address, select Address in the Mail for field, and enter the address into the adjacent text box. Unlike an alias, it must be entered in full like fred@example.com. If you are creating a mapping for all email to a domain, select the Domain option and enter the complete domain or hostname into the text field next to it, such as example.com. Either way, the domain in the address or the entered domain must appear in Sendmail's list of local domains, explained in the Editing local domains section earlier in this chapter.
  3. If the destination of the mapping is a single address, in the Send to field select Address and fill in the text box next to it with either a complete address (like jcameron@foo.com) or a mailbox name (like just jcameron). If Domain was selected for the Mail for field, you are allowed to select the Domain option for this field as well. If so, you must enter a domain name (like foo.com) into the adjacent text box to which all email sent to the original domain will be forwarded. The final Return error option in the Send to field can be selected if you want a specific error message to be returned to senders instead. If chosen, an error type must be selected from the menu next to it, and a more detailed error message entered into the text box. This option can be useful for sending back bounce messages explaining why a particular address or entire domain is no longer reachable.
  4. Click the Create button to add the address mapping to the list of those shown below the form. It will be made immediately active.

As with aliases, you can edit or delete existing mappings by clicking on their addresses in the list. This will bring up a form identical to the one used for creating a mapping, but with Save and Delete buttons at the bottom.
If a mapping exists for both a domain and an address in that domain, Sendmail will use the second for email to that specific address, and the first for email to any other mailbox in the domain. In effect, more specific address mappings take precedence over those that are more general. Their ordering in the list on the Address Mappings page does not matter at all.
If you want to create a mapping that forwards email to a program, file or list of addresses, you will need to create an alias as well. The address mapping will send email to the alias, and then the alias will forward it on to the real destination. Typically the alias should have a name that is related to the address mapping, such as jcameron-example-com for a mapping for the virtual address jcameron@webmin.com.
On a system with many domains and users, it is quite likely that two people will want to have the same mailbox name in different domains, such as bob@foo.com and bob@bar.com. Because Sendmail ultimately only delivers email to Unix users' mail files, and two Unix users cannot have the same name, this can be a problem. The usual solution is to create users named like bob-foo and bob-bar, and set up appropriate address mappings to forward email to them. The only down side is that the users will need to login to the POP3 server as bob-foo or bob-bar instead of just bob.
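The precedence rule and the mapping-plus-alias combination described in this section are easy to check with a small resolver. The following is an added example, not Webmin or Sendmail code: it reads a constructed sample in the virtusertable text format (address or @domain, whitespace, destination), where %1 stands for the original mailbox name and error:type introduces a Return error entry. The alias table and all addresses are made up.

```python
# Added example: resolve addresses against a constructed address-mapping
# table to show that specific entries win and that file order is irrelevant.

SAMPLE_VIRTUSER = """\
# constructed sample: key, whitespace, destination
@foo.com          info-foo
bob@foo.com       bob-foo
bob@bar.com       bob-bar
sales@foo.com     sales-foo-com
gone@bar.com      error:nouser This address is no longer in use
@baz.com          %1@foo.org
"""

# Constructed alias used to give one mapping several final destinations.
SAMPLE_ALIASES = {"sales-foo-com": ["fred", "/var/mail/archive/sales-foo"]}


def parse_virtuser(text):
    """Return {key: destination}; keys are lower-cased for lookup."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table


def resolve(address, table):
    """Look up the full address first, then the bare @domain entry."""
    user, _, domain = address.lower().partition("@")
    value = table.get(f"{user}@{domain}")
    if value is None:
        value = table.get("@" + domain)
    if value is None:
        return ("unmapped", address)          # normal local delivery applies
    if value.startswith("error:"):
        etype, _, message = value[len("error:"):].partition(" ")
        return ("error", etype, message.strip())
    return ("forward", value.replace("%1", user))


def deliver(address, table, aliases):
    """Apply the mapping, then expand the result once through the aliases."""
    result = resolve(address, table)
    if result[0] != "forward":
        return result
    target = result[1]
    return ("deliver", aliases.get(target, [target]))


if __name__ == "__main__":
    table = parse_virtuser(SAMPLE_VIRTUSER)
    for addr in ("bob@foo.com", "bob@bar.com", "anyone@foo.com",
                 "sales@foo.com", "gone@bar.com", "fred@baz.com",
                 "fred@bar.com"):
        print(f"{addr:16} {deliver(addr, table, SAMPLE_ALIASES)}")
```

In the sample, the @foo.com catch-all is listed before bob@foo.com and sales@foo.com, yet both still resolve through their own entries.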

Configuring domain routing

Sendmail's domain routing feature can be used to forward all email to a particular domain to a different server. It is most useful if the DNS is set up to send email for some domain to your system, which should then be forwarded to another MTA that is unreachable by the rest of the Internet. Routing can also be used to override the normal method by which Sendmail works out which host to send email to, which can be handy on networks in which connectivity is incomplete or some DNS information is not available to all hosts.
To add a new domain routing rule, follow the steps below :

  1. On the main page of the module, click on the Domain Routing icon. A page listing existing routings (if any) will be displayed, above which is a form for adding a new one.
  2. To have email to just a specific domain or host routed elsewhere, select the Host option in the Mail for field and enter the domain or hostname into the adjacent field. Alternately, if you want email for all hosts within a domain to be routed, select Domain instead and enter the domain name into its field. A routing of this kind for the domain example.com will not affect email sent to an address in the domain (like jcameron@example.com), but only email to addresses on hosts under the domain (like jcameron@foo.example.com). Normally, this is not what you want. Any domain or hostname that you enter must be on the list that Sendmail allows relaying for, as explained in the Configuring relaying section earlier in this chapter.
  3. From the Delivery menu, select SMTP. This field tells Sendmail which protocol to use when routing email for the domain. Most of the other options are useless, as they relate to UUCP which is hardly used anymore.
  4. In the Send to field, enter the hostname of the system to which mail should be forwarded. The Ignore MX for SMTP delivery box should be checked as well, so that Sendmail always delivers directly to this host instead of trying another DNS lookup to determine the correct destination.
  5. Hit the Create button to add and activate the new domain routing. You should test it to make sure it is really working, as small mistakes (such as selecting Domain instead of Host) can prevent a route from working.

As on other similar pages in the module, an existing routing rule can be edited or deleted by clicking on its domain name in the list on the Domain Routing page. There is no way to temporarily disable a rule though, as there is with aliases.
Sendmail can also be configured to forward all non-local email to a specific server, rather than just email to particular domains. This is useful if your company or ISP has a central mail server that you want to hand off email to, rather than having your system connect to the real destination server. The next section explains how to set this up.
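The Host versus Domain distinction in step 2 is the usual source of routing mistakes, so it helps to test a routing table before relying on it. The following is an added example, not Webmin or Sendmail code: it models lookups against a constructed table in the mailertable text format, where a key with a leading dot is a Domain rule, a key without one is a Host rule, and square brackets around the target correspond to the Ignore MX for SMTP delivery box. The smart_host parameter stands for the Send outgoing mail via host option covered in the next section, and all hostnames are made up.

```python
# Added example: model of domain-routing lookups over a constructed table.

SAMPLE_MAILERTABLE = """\
# constructed sample: key, whitespace, mailer:target
example.com        smtp:[mail.internal.example.com]
.branch.example    smtp:[gw.branch.example]
partner.example    smtp:relay.partner.example
"""


def parse_mailertable(text):
    """Return {key: 'mailer:target'} with lower-cased keys."""
    rows = (l.split(None, 1) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#"))
    return {key.lower(): value.strip() for key, value in rows}


def find_route(domain, table):
    """Exact (Host) match first, then ever-shorter leading-dot (Domain) keys.
    A leading-dot key never matches the bare domain itself."""
    domain = domain.lower()
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def next_hop(domain, table, smart_host=None):
    """Return (source, mailer, host, mx_lookup) for a non-local domain."""
    route = find_route(domain, table)
    if route is not None:
        mailer, _, target = route.partition(":")
        bracketed = target.startswith("[") and target.endswith("]")
        return ("routing rule", mailer, target.strip("[]"), not bracketed)
    if smart_host:
        # A routing rule takes precedence; this is only the fallback.
        # mx_lookup=True here is an assumption of this model.
        return ("outgoing mail host", "smtp", smart_host, True)
    return ("direct", "smtp", domain.lower(), True)


if __name__ == "__main__":
    table = parse_mailertable(SAMPLE_MAILERTABLE)
    for dom in ("example.com", "foo.example.com", "pc1.branch.example",
                "branch.example", "partner.example"):
        print(f"{dom:20} {next_hop(dom, table, 'smarthost.isp.example')}")
```

Running it shows foo.example.com falling through to the outgoing mail host because only a Host rule exists for example.com, and branch.example doing the same because only a Domain rule exists for it.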

Editing global Sendmail options

The global options control such things as the maximum message size, number of days to retry email, load average limits and outgoing mail server. The steps below explain how to edit some of the most useful ones :

  1. On the module's main page, click on the Sendmail Options icon. A form for editing global options (shown below) will be displayed.
  2. When the Send outgoing mail via host field is set to Deliver directly, Sendmail will look up the correct mail server for non-local messages and connect to it to deliver email. However, if you select the second option and enter a hostname into the text box, all messages except those for local users will be sent to that host instead. Typically, this will be a central mail server at your ISP or on your company's network. If a domain routing rule exists for an address, it will take precedence over any server set using this field.
  3. The Delivery mode field controls how Sendmail processes incoming messages. The available options are :
    • Background or Default In this mode, email is immediately accepted from clients and then delivered to the destination by a separate background process. This is usually what you want.
    • Queue only or Deferred When one of these modes is chosen, Sendmail will simply add incoming messages to its mail queue. Only when the queue is explicitly flushed will they be sent to their destinations. This can be useful if your system is not always connected to the Internet, or if you want explicit control over when the server sends out messages. When a message is received in either of these modes, Sendmail performs no validation of the source or destination address, which would otherwise cause problems if your system is disconnected from the network.
    • Interactive This mode is similar to Background, except that email is delivered by the same process that accepts it from the client. This means that clients must wait until Sendmail has transferred their messages to the next or destination server, which may take some time. However, it cuts down the number of processes that Sendmail needs to start.
  4. The SMTP port options field can be used to set the TCP ports that Sendmail listens on for SMTP connections. The actual value that can be entered can be quite complex, but if you want your system to accept connections from anywhere on the standard SMTP port you should enter just Name=MTA. On some operating systems this is not the default, and Sendmail only accepts connections from localhost.
  5. The Max load average for sending field can be used to set a load average above which Sendmail will not send out messages. The load average is a rough estimate of the number of processes running on your system at a moment in time, as explained in chapter 11. This option and the next are useful for limiting the amount of CPU time that Sendmail can use up on your system, although the latter is more useful. If Default is selected, the server will continue to process the mail queue and send messages no matter what the load average is.
  6. To set a load average above which Sendmail will no longer accept new messages, enter a value for the Max load average for receiving field. When this level is reached, the server will close the SMTP port until the load drops back below it again. Typically, whatever you enter should be lower than the limit set for the Max load average for sending field, so that the mail queue is still processed even when the load is high. When Default is selected, Sendmail will accept new connections regardless of the load average.
  7. The Time before giving up field specifies the amount of time that Sendmail will attempt to send an email to an un-contactable remote server for before returning a bounce message to the sender. The value you enter must be a number followed by d for days or h for hours. It should only be changed if your system is likely to be disconnected from the Internet for longer than the default of 5 days, and you don't want messages in the queue to bounce.
  8. The similar Time before sending warning field specifies the time that Sendmail will hold a message in the queue for before sending a warning to the original sender. If your system is a secondary mail server for some domain or is often disconnected from the network, it should be increased to the same time as the previous field.
  9. To change the address that Sendmail sends fatal or double-bounced messages to, enter a new address in the Send error messages to field. When Postmaster is selected, they will be sent to the Postmaster mailbox instead, which is usually an alias for root.
  10. To limit the amount of disk space that Sendmail will use up for queued messages, fill in the Min free disk space field. If the number of free blocks drops below this level, new incoming messages will no longer be accepted. The exact size of a block depends on the type of filesystem in use, but they are typically 1 kB or 512 bytes in size.
  11. To stop large messages being sent via your mail server, fill in the Max message size field. Any email larger than the number of bytes entered will be rejected when it is received. If you have a slow network connection and un-trusted client users, this option can be useful to save on bandwidth.
  12. Finally, click Save and Apply to save the new global options. Webmin will automatically re-start Sendmail for you to activate them.

The Sendmail options page

Viewing the mail queue

When Sendmail receives a message, it is placed into the mail queue. If it can be sent to its destination immediately, then it will be removed from the queue almost at once - however, if some temporary error occurs when sending then it will remain queued for later processing. The Sendmail server process makes periodic checks of messages in the queue, re-trying each one at longer and longer intervals. Finally after a message has been in the queue for too long (usually 5 days), it will be removed and a bounce email sent back to the original sender.
Most messages that are in the queue for a long time are there because the destination mail server is down or unreachable. Another common cause is a temporary error reported by the remote MTA, such as a lack of disk space. Webmin allows you to view messages in the queue and even delete them by following these steps :

  1. On the module's main page, click on the Mail Queue icon to go to a page listing the details of queued messages. The number of emails in the queue is displayed below the icon, so that you can see how long it is at a glance.
  2. On the mail queue page the ID, sender, destination, subject and size of all queued messages are displayed in a table. In the final column is the current status, which indicates what Sendmail is trying to do with the message at the moment. Sending will appear when Sendmail is trying to connect to the remote server, and Deferred will be shown along with a reason when a connection has been tried and failed. If the queue contains more than 20 messages, only the first 20 will be displayed. To page through the rest, use the left and right arrow buttons that appear above the list.
  3. To view the actual contents of an email, click on its ID in the queue listing. All headers, the text body and any attachments will be displayed. To view an attachment, just click on its icon. To remove just this message from the queue, hit the Delete button at the bottom of the page. If the email is locked because it is currently being sent, Webmin will display an error message along with a button labelled Force deletion anyway that you can click to override the lock. This may cause the message to be only partially sent though, and so is not recommended.
  4. To remove multiple messages from the queue, first select them using checkboxes next to their IDs and the Select all and Invert selection links on the queue list page. Then click the Delete selected messages button to get rid of those that you have chosen. To override any locks on the selected emails, check the Even if locked box first. After you hit the Delete button, a page listing the ID and deletion result of each chosen message will be displayed. Deletion can fail if the message is no longer in the queue, or if it is currently locked.

Even though Sendmail will re-try messages in the queue automatically, you can force it to attempt delivery of all queued messages immediately using Webmin. This can be useful if you have a dial-up Internet connection and have queued up several emails while disconnected. The steps to flush the queue are :

  1. On the module's main page, click on the Mail Queue icon to bring up a list of queued messages.
  2. As long as the queue is not empty, a button labelled Flush Mail Queue will be visible at the bottom of the page. Click it to begin immediate processing of all waiting messages.
  3. A page showing the output from Sendmail as it attempts to deliver queued email will be displayed. If you have a large queue containing messages for down remote servers, it may take a long time to completely appear.


Reading users' email

As the introduction explains, Sendmail stores messages received by users in files in the /var/mail or /var/spool/mail directory. These are read and emptied by the POP3 server, command-line mail clients like pine or elm, or web-based mail clients like Usermin. However, this Webmin module can also act as a simple mail client, allowing you the system administrator to read any user's email.
This feature is useful for deleting large messages in user mailboxes that would otherwise take a long time to download over a dialup POP3 connection. It also allows you to read email for system users such as root without needing to telnet in or run a separate mail client. More controversially, on a multi-user system you can even invade people's privacy by reading their personal email - assuming they have not downloaded and deleted it via POP3 yet.
The steps to check the contents of a user's mailbox are :

  1. On the module's main page, click on the User Mailboxes icon. A page listing all of the users on your system and the sizes of their mailboxes will be displayed, unless you have more than 200 users. In that case, a small form for entering a username will appear instead.
  2. Click on the name of a user to bring up a list of messages in his mailbox, an example of which is shown in Figure 37-4. By default, the most recent messages are shown first, even though they are actually at the end of the actual mail file. If the mailbox contains more than 20 emails, only the first 20 will be displayed. To page through the rest, use the left and right arrow buttons above the list.
  3. To view an actual message, click on the sender's name in the From column. A page showing the important headers, body text and attachments will appear. Click on an attachment icon to view it, assuming that the data type is supported by your browser or some external program. To remove just this email from the user's mailbox, click the Delete button at the bottom of the page. This can take quite some time if the mailbox is extremely large (over 10 MB) or contains lots of messages, as Webmin needs to re-write the entire mail file.
  4. To delete multiple messages, first select them using the checkboxes and Select all and Invert selection links on the mail list page. Then click the Delete button above or below the list - once again, this can take a while for large mailboxes.
  5. To search the user's mailbox for messages matching some criteria, use the Find messages where form below the list. The following types of search can be selected from the menu :
     From: matches, Subject: matches, To: matches or Cc: matches
       Finds messages in which the From, Subject, To or Cc field contains the text entered into the adjacent text box. The comparison is case-insensitive, but regular expression characters cannot be used.
     Date: matches
       Finds messages in which the sending date header contains the entered text. This header will not be converted to local format, so whatever you enter must match the date format used by the sender.
     Body matches
       Finds messages whose body contains the entered text. The body includes all attachments in their un-encoded form, not just the text that is shown when you read an email.
     Size is greater than
       Finds messages whose total size is greater than the number of bytes entered into the adjacent field.
     For each of the above search types, an inverse type is also available, such as From: doesn't match or Size is less than. After choosing your search type and entering text to match, hit the Search button. A page listing all matching messages will be displayed, from which you can view the contents of emails or select some or all to delete, just like in the normal mail list.

The contents of a user's mailbox
The mail reading section of the module actually allows you to compose new messages and reply to or forward existing ones. In fact, it can be used as a full-featured email client, although it is not the best program for the job. The default From address for sent messages is determined from the mailbox user's name and the system hostname, but this can be changed on the module access control page on a per-Webmin user basis. It is even possible to create Webmin users who can use this module to read only their own mailbox and send email from only their address. However, you should really use a program like Usermin if you want to give the same mail-reading web interface to a large number of users on your system.
By default, the module assumes that mail for each user will be stored in a file with the user's name in the /var/mail or /var/spool/mail directory. It is possible to configure Sendmail to use a different file path instead though, such as the mbox file in each user's home directory. If this is the case on your system, you will need to re-configure the module, as explained in the section Configuring the Sendmail Configuration module. Otherwise all the mailboxes will show up empty, because Webmin is looking in the wrong place for them.

Adding Sendmail features with M4

The primary Sendmail configuration file sendmail.cf is extremely complex, and almost impossible to edit manually. Fortunately, it is usually built from a series of M4 macro files that are much simpler and can be modified using this module or by manual editing. M4, for those who have not heard of it before, is a program that parses text files and expands macros in them. These macros can include other text files, define variables and functions or exclude text based on certain conditions. M4 is very similar to the pre-processor used by the C programming language which handles #include and #define statements. Fortunately, this module hides most of the complex details from you.
Often, the default Sendmail configuration that comes with your operating system will not have some features enabled, such as address mapping or domain routing. Webmin can detect this, and will display an error message if you try to use a module page for a Sendmail feature that is not enabled in the primary configuration file. To turn on a missing feature, an entry must be added to the primary M4 configuration file, from which sendmail.cf is re-built. Then Sendmail will be able to use it, and this module will be able to configure it.
Before you can manage your Sendmail M4 configuration, this module must know where to find the M4 files. To check if it has the correct paths and to set them if not, follow these steps :

  1. On the module's main page, click on the Sendmail M4 Configuration icon.
  2. If an error message like "The Sendmail M4 configuration file /etc/sendmail.mc was not found" or "The locations of the Sendmail M4 base directory and M4 config files have not been set" is displayed, then the module cannot find the M4 files. However, if a table of entries from the file is displayed instead then everything is configured OK and you can skip the rest of these steps.
  3. If you are running Linux, check your distribution CD or website to make sure that all the packages whose names start with sendmail are installed. Sometimes the M4 files are in a separate package named something like sendmail-cf. If you do find and install such a package, go back to step 1 and check again to see if the module has found the configuration files.
  4. If you are using the Sendmail package that came with your version of Unix and cannot find any M4 files on your system, then this feature of the module cannot be used. This is unfortunately the case on some operating systems.

Once the Sendmail M4 Configuration page displays the contents of your primary M4 file, you can use it to add new features such as address mapping or domain routing. The page can in fact be used to modify any of the M4 macros in the file, but unless you are an experienced Sendmail administrator it is best to stick to these instructions for adding features :

  1. From the menu next to the Add new entry of type button at the bottom of the page, select Feature and then hit the button to go to the feature creation form.
  2. Select the one that you want to add from the Feature menu. The most commonly used features have names next to them in brackets that correspond to their icons on the module's main page.
  3. In the Parameters field, enter hash -o followed by the path that should be used for the feature's text and DBM files. For example, if adding a virtusertable feature you should enter hash -o /etc/mail/virtusertable (assuming your system has an /etc/mail directory).
  4. Login to your system as root via SSH, telnet or at the console and create the empty text file with a command like touch /etc/mail/virtusertable. Naturally, this is not necessary if it already exists.
  5. Click the Create button to update the M4 file and be returned to the previous page.
  6. At the very bottom of the M4 file contents list, click the Rebuild Sendmail Configuration button. A confirmation page showing the exact changes that will be made to your sendmail.cf file will be displayed - typically they will be limited to directives for the new feature. If the confirmation form indicates that a huge number of lines are going to be changed, it is likely that the M4 file being edited was not originally used to build your current sendmail.cf file, and so should not be used in future.
  7. To go ahead and use the newly rebuilt Sendmail configuration, click the Yes, replace it now button. Your sendmail.cf file will be updated and the server process re-started to immediately activate it.
  8. Go back to the module's main page, and click on the icon for the feature that you have just enabled. You will now be able to add and edit address mappings or whatever it was that you added support for.
As you can see from looking at the existing M4 file entries, editing or adding to it can still be quite complex. For this reason, the book does not cover all of the possible features or other macro types that you can add. However, for most people the defaults will work just fine - at most, all you should need to do is add a feature or two as explained above. If you want to learn more about editing the M4 configuration, you should buy a book dedicated to Sendmail administration.
One problem with using the M4 page to re-build your Sendmail configuration is that any changes that have been made directly to sendmail.cf will be overwritten. The module's Sendmail Options page unfortunately does precisely this, so if you follow the instructions above to add a new feature any changes made on that page will be lost! The only real solution is to edit the entries in the M4 file that correspond to those on the Sendmail Options page - for example, the Send outgoing mail via host field is set by the SMART_HOST define.
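A way to spot this before rebuilding, as an added example (not code from Webmin or the original page): the script compares a few settings in sendmail.cf with the defines in the M4 file and lists the ones a rebuild would overwrite. The file contents are constructed samples, the function names are hypothetical, and confMAX_MESSAGE_SIZE, confQUEUE_LA and confREFUSE_LA are standard Sendmail M4 names that this page does not mention.

```python
import re

# Constructed sample files (not taken from any real system).
SAMPLE_MC = """\
divert(-1)
include(`/usr/share/sendmail-cf/m4/cf.m4')
OSTYPE(`linux')dnl
dnl define(`SMART_HOST', `old-relay.example.com')dnl
define(`confMAX_MESSAGE_SIZE', `10485760')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
MAILER(smtp)dnl
"""

SAMPLE_CF = """\
# "Smart" relay host (may be null)
DSrelay.example.com
O MaxMessageSize=10485760
"""

# M4 quoting opens with a backtick and closes with a single quote.
MC_DEFINE = re.compile(r"define\(`([^']+)',\s*`([^']*)'\)")
MC_FEATURE = re.compile(r"FEATURE\(`([^']+)'(?:,\s*`([^']*)')?\)")

# sendmail.cf setting -> the M4 define that generates it on a rebuild.
CF_TO_MC = {
    "DS": "SMART_HOST",
    "MaxMessageSize": "confMAX_MESSAGE_SIZE",
    "QueueLA": "confQUEUE_LA",
    "RefuseLA": "confREFUSE_LA",
}


def parse_mc(text):
    """Return (defines, features) from an M4 file.

    Simplified: lines that start with dnl or # are treated as comments,
    and nested M4 quoting is not handled.
    """
    defines, features = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("dnl", "#")):
            continue
        for name, value in MC_DEFINE.findall(line):
            defines[name] = value
        for name, args in MC_FEATURE.findall(line):
            features[name] = args
    return defines, features


def parse_cf(text):
    """Return the smart host (DS line) and active 'O Name=value' options."""
    settings = {}
    for line in text.splitlines():
        if line.startswith("DS") and line[2:].strip():
            settings["DS"] = line[2:].strip()
        option = re.match(r"O\s+([\w.]+)\s*=\s*(.*)$", line)
        if option:
            settings[option.group(1)] = option.group(2).strip()
    return settings


def lost_on_rebuild(mc_text, cf_text):
    """List (cf setting, current value, M4 define) a rebuild would overwrite."""
    defines, _ = parse_mc(mc_text)
    current = parse_cf(cf_text)
    lost = []
    for cf_key, mc_name in CF_TO_MC.items():
        if cf_key in current and defines.get(mc_name) != current[cf_key]:
            lost.append((cf_key, current[cf_key], mc_name))
    return lost


if __name__ == "__main__":
    for cf_key, value, mc_name in lost_on_rebuild(SAMPLE_MC, SAMPLE_CF):
        print(f"{cf_key}={value} is only in sendmail.cf; add define {mc_name}")
```

In the sample, the smart host was set directly in sendmail.cf while the SMART_HOST line in the M4 file is commented out, so it is the one setting reported.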

Creating autoreply aliases

The Sendmail Configuration module lets you easily create an alias that triggers an automatic reply to anyone who sends email to it. When you do this, Webmin creates a simple script that is run from the alias and receives the contents of email sent to it as input, just like a command specified using the Feed to program alias type.
To set up an autoreply alias, follow these steps :

  1. On the module's main page, click on the Mail Aliases icon.
  2. In the Create Alias form, enter a name for the alias and select Autoreply from file from the type menu. The name can be that of an existing Unix user if you want to set up an automatic reply to any message sent to him, for example if he is on holidays.
  3. In the field next to the type menu, enter the path to a file that will contain the autoreply message, such as /home/someuser/autoreply.txt. The file does not have to exist yet.
  4. Click the Create button to add the alias, and then click on its name in the list to edit again.
  5. Follow the Edit link next to the autoreply filename field. This will bring up a page containing a large text box for entering the contents of the reply message.
  6. After entering the text that you want sent back to any sender, click Save at the bottom of the page. The autoreply alias is now fully active.

The reply text can contain several special macros that start with $, such as $SUBJECT, $TO, $FROM, $DATE and $BODY. When the reply is sent, these will be replaced with the original message's subject, destination address, sender address, sending date or body respectively. Be careful using the $BODY macro though, as it will be replaced with the entire un-encoded contents of the email being replied to.
You can also add to or override the headers used in the reply message by starting the autoreply text with one or more lines in standard SMTP header format, followed by a blank line. For example, to set the subject of the automatic reply you could enter Subject: This is an automatic reply at the top of the text box, with an empty line after it.
One problem with Webmin's autoreply script is its inability to reliably determine the From address to use when sending the reply. Normally this is just taken from the To address of the original message, but this is not possible when replying to a message that was sent to multiple people. Even though the code attempts to find the right address automatically, it can sometimes get the wrong one and send an automatic reply that appears to be from the wrong person. For this reason, you should include a header line like From: Jamie Cameron <jcameron@example.com> at the top of your reply text to set the correct address.
If you are setting up an automatic reply alias for a Unix user, it is usually a good idea to have a copy of all email sent to the user stored in his mailbox as well. To do this, re-edit the alias and select Email address from the second type menu. Then enter the user's name preceded by a backslash into the text field next to it (like \jcameron) and hit Save.

Creating filter aliases

Sendmail aliases normally forward email messages to their destinations regardless of their content. However, it is possible to use this Webmin module to create an alias that forwards to different addresses or files depending on the headers or body of a message sent to it. When you create an alias like this, the module internally creates a script that is passed the contents of email to the alias as input, just like a command specified using the Feed to program alias type.
A filter consists of a series of rules, each of which has a condition and action. The condition specifies a header to check and text to check if the header contains, while the action specifies an address to forward to or a file to append the message to. When a message is received by the filter, it is checked against the rules in order until one that matches is found and its action performed. At the end of the list is a default action, which determines where to forward email that does not match any of the conditions.
Compared to other mail filtering or classification programs like Procmail and SpamAssassin, Webmin's filters are limited in their functionality and flexibility. However, they are easy to create and require no additional software. To create one, the steps to follow are :

  1. On the module's main page, click on the Mail Aliases icon.
  2. In the Create Alias form, enter a name for the alias and select Apply filter file from the type menu. The alias name can be that of an existing Unix user if you want to filter his email before delivery.
  3. In the field next to the type menu, enter the path to a file that will contain the filter rules, such as /home/someuser/filter.rules. Because the file format is fairly complex, you should not enter the name of any existing file unless it was created by following these same steps.
  4. Click the Create button to add the alias, and then click on its name in the list to edit again.
  5. Follow the Edit link next to the filter rules file field. This will take you to the form shown in Figure 37-5, which contains a table of empty rows for entering new rules and a text field for the default action address.
  6. In the first row, select the header that you want to filter on from the menu next to If the. Or to check the entire un-decoded email body, select body from the list instead. To have the action performed if some text is found in the header or body, select matches from the second menu. Alternately, to perform the action only when some text is not found, choose doesn't match instead. In the field next to this menu, enter the text that the filter should check the header or body for. The comparison will always be case-insensitive, and Perl regular expression characters like [, ., + and * can be used. In the then forward to field, enter the email address or mailbox name to which messages matching the condition that you specified will be sent. It is also possible to enter an absolute file path like /home/someuser/mail/somefolder to which email will be appended instead. This could be another user's mail file, or a mail folder - however, it must be writable by the Unix user daemon that Sendmail runs as.
  7. To enter another rule, fill in the second blank row by repeating the instructions in the previous step again. Only five empty rows are displayed, but you can create more than five rules by saving and re-editing the filter file.
  8. In the Otherwise forward to field at the bottom of the table, enter an address or filename to which messages that do not match any of the rules will be sent or appended. If this is left blank, unmatched email will be thrown away!
  9. Finally, click the Save button to activate the new filter rules. To make sure they are really working, you should send a few test messages to the alias and check that they are delivered correctly.

The filter creation form
To have email forwarded to multiple addresses by a single rule or the default action, just enter them separated by commas into one of the forward to fields. Or enter the name of another alias as the destination, which can then send messages to multiple files, addresses and/or programs.
When creating a filter alias with the same name as a Unix user, it is often useful to specify that messages matching some rule be delivered to the user's normal mailbox. However, just entering the user's name as the destination would be a big mistake, as this would trigger an endless loop through the filter! Instead, you should prepend a backslash to the username, like \jcameron. As with aliases, this tells Sendmail to ignore any aliases for this mailbox.
Because it can often be difficult to work out what a filter alias is doing and why it is doing it, the filter script creates a log file in the same directory as the rules file. The log has the same name as the filter file, but with .log appended. Every message received by the alias and delivered to some destination by the filter causes a line to be added to the log, containing the date, time, sender, destination and rule matched. The log file will only be created if the directory or log itself is writable by the daemon user though.
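The rule evaluation described in this section, modelled as an added example (this is not Webmin's filter script and does not use its rules file format): rules are tried in order, the first whose condition holds decides the destination, and a small check flags the two mistakes warned about above, a blank default action and a destination that re-enters the filter. The rule tuples, function names and sample message are constructed for illustration, and Python's re module stands in for Perl regular expressions.

```python
import re
from email import message_from_string

# Constructed sample message.
SAMPLE = (
    "From: Billing <billing@example.com>\n"
    "To: jcameron@example.com\n"
    "Subject: [Webmin-List] new release\n"
    "\n"
    "To unsubscribe, visit the list page.\n"
)

# Hypothetical rule layout: (header or "body", True for matches /
# False for doesn't match, pattern, forward-to value).
RULES = [
    ("Subject", True, r"\[webmin-list\]", "/home/jcameron/mail/lists"),
    ("From", True, r"billing@", "accounts@example.com, \\jcameron"),
]


def destinations(field_value):
    """Split a comma-separated forward-to value into individual targets."""
    return [d.strip() for d in field_value.split(",") if d.strip()]


def route(raw, rules, default):
    """Return (rule number or None, destinations); the first match wins."""
    msg = message_from_string(raw)
    body = raw.partition("\n\n")[2]          # un-decoded body text
    for number, (field, want_match, pattern, forward_to) in enumerate(rules, 1):
        # Assumption of this model: an absent header is treated as empty text.
        text = body if field == "body" else str(msg.get(field, ""))
        found = re.search(pattern, text, re.IGNORECASE) is not None
        if found == want_match:
            return number, destinations(forward_to)
    return None, destinations(default)


def lint(alias, rules, default):
    """Report a blank default action and destinations that loop into the filter."""
    problems = []
    if not destinations(default):
        problems.append("default action is blank: unmatched mail is thrown away")
    targets = [(n, d) for n, rule in enumerate(rules, 1)
               for d in destinations(rule[3])]
    targets += [("default", d) for d in destinations(default)]
    for where, dest in targets:
        if dest == alias:
            problems.append(
                f"rule {where}: '{dest}' re-enters the filter; use '\\{dest}'")
    return problems


if __name__ == "__main__":
    print(route(SAMPLE, RULES, "\\jcameron"))
    print(lint("jcameron", [("From", True, "billing@", "jcameron")], ""))
```

Because a doesn't match condition also holds when the text is simply absent, such a rule placed early in the list will catch most mail before later rules are reached in this model.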

Module access control

The Sendmail Configuration module probably has the most powerful access control features of any module in Webmin. You can use them to limit the aliases and virtual addresses a Webmin user can edit, or restrict him to reading only the mailboxes of certain Unix users. These features are most useful in a virtual hosting environment, where customers own email domains and the user accounts. On this kind of system, you can create one Webmin user per customer who can only manage the address mappings, aliases and mailboxes for his own domains, while not being able to use other features of the module or touch other customers' information.
Once you have created a Webmin user who has access to the module (as explained in WebminUsers), follow these steps to restrict what he can do :

  1. In the Webmin Users module, click on Sendmail Configuration next to the name of the user that you want to restrict.
  2. Change the Can edit module configuration? field to No, so that he cannot modify paths to Sendmail programs and files.
  3. Set all of the Yes/No fields in the second section to No, which will prevent the user from seeing most of the module's icons.
  4. Select No from the Can manage mail queue? menu, or View only if you just want the module user to be able to see the contents of the queue. Selecting Yes would be a bad idea, as it would allow him to delete queued email belonging to other domains.
  5. For the Address mappings this user can edit field, select the Matching option and enter a Perl regular expression for allowable mapping sources into the text field next to it. For example, to let him create and edit mappings in the domains foo.com and example.com, you should enter (@foo\.com|@example\.com)$.
  6. It is safe to select all of the checkboxes in the Address mapping types this user can edit field.
  7. To limit the number of mappings that the user can create, select the second radio button in the Maximum number of address mappings field and enter a number into the box next to it. This can be useful for preventing a single customer from creating more address mappings than he has paid for.
  8. In the Aliases this user can edit field, select Matching and enter a regular expression that only lets him modify or create aliases starting with the customer's domain names. For example, if the user owns the domains foo.com and example.com you should enter ^(foo|example)- to limit him to aliases like foo-jcameron or example-fred. This naming convention ensures that users cannot step on each others' aliases.
  9. In the Alias types this user can edit field, de-select the checkboxes for types of aliases that the Webmin user should not be allowed to create. Good candidates to deny access to are Write to file, Feed to program, Autoreply and Filter file, as they use the permissions of the Sendmail daemon user and thus may be a security risk.
  10. To limit the number of aliases that the customer can create, select the second radio button in the Maximum number of aliases field and enter the maximum into the box next to it.
  11. To stop the Webmin user creating aliases that run programs, append to files or use address files outside a certain directory, enter it into the Limit files and program to directory field. Unfortunately, this can be subverted by the clever use of symbolic links and so is not a very strong security measure.
  12. In the Outgoing addresses this user can edit field, select Matching and enter the same regular expression as in the Address mappings this user can edit field. This will limit the user to re-writing addresses for only his own domains. Or to prevent the editing of outgoing addresses at all, select None - in most cases, there is no need for a Sendmail administrator to edit them anyway.
  13. In the Users whose mail can be read field, select one of the last five options to limit the customer to only those Unix users who belong to him. If he has been given limited access to the Users and Groups module as well, then you should allow him to read the email of the same users that he can create and edit in that module.
  14. Leave the rest of the fields on the form set to their defaults - they are only really useful if you are setting up the module as a web-based mail reading interface. Although this is possible, there are much better alternatives such as Usermin (covered on UserminConfiguration).
  15. Click the Save button to make the restrictions for the user active.
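Before entering the patterns from steps 5 and 8, it helps to test them against names that must be allowed and names that must be refused. The following is an added example, not Webmin code: Python's re module stands in for Perl regular expressions, the check is assumed to be an unanchored search, and all names and sample values are constructed. The last three functions show why the directory limit in step 11 is weak when only the path string is compared, and what a check that resolves symbolic links sees instead.

```python
import os
import re
import tempfile

# Constructed test names for the mapping pattern (step 5).
MAPPING_ALLOW = ["sales@foo.com", "info@example.com"]
MAPPING_DENY = ["sales@other.org", "sales@foo.com.other.org",
                "sales@example.community", "sales@foo-com"]

# Constructed test names for the alias pattern (step 8).
ALIAS_ALLOW = ["foo-jcameron", "example-fred"]
ALIAS_DENY = ["bar-fred", "notfoo-fred", "foofred"]


def audit_pattern(pattern, must_allow, must_deny):
    """Return the names the pattern gets wrong (assumes search semantics)."""
    rx = re.compile(pattern)
    wrong = [name for name in must_allow if not rx.search(name)]
    wrong += [name for name in must_deny if rx.search(name)]
    return wrong


def lexically_inside(path, base):
    """Compare path strings only, without looking at the filesystem."""
    base = os.path.normpath(base)
    return os.path.normpath(path).startswith(base + os.sep)


def really_inside(path, base):
    """Resolve symbolic links on both sides before comparing.

    The answer is only valid at the moment of the check; links that are
    changed afterwards are not covered.
    """
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_base, real_path]) == real_base


def symlink_demo():
    """Build a throwaway tree where customer/link points outside customer/."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "customer")
        other = os.path.join(root, "other")
        os.mkdir(base)
        os.mkdir(other)
        os.symlink(other, os.path.join(base, "link"))
        target = os.path.join(base, "link", "rules")
        return lexically_inside(target, base), really_inside(target, base)


if __name__ == "__main__":
    candidates = [
        r"(@foo\.com|@example\.com)$",   # dots escaped, anchored at the end
        r"(@foo.com|@example.com)$",     # unescaped dots match any character
        r"(@foo\.com|@example\.com)",    # no end anchor
    ]
    for pattern in candidates:
        print(pattern, audit_pattern(pattern, MAPPING_ALLOW, MAPPING_DENY))
    for pattern in (r"^(foo|example)-", r"(foo|example)-"):
        print(pattern, audit_pattern(pattern, ALIAS_ALLOW, ALIAS_DENY))
    print("string check, resolved check:", symlink_demo())
```

An empty list means the pattern allowed and refused exactly what was intended; any name printed is one the pattern would handle wrongly.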

Even though it is possible to configure this module to limit a user to certain domains, the module's interface is not particularly friendly compared to products like Plesk or Cpanel. These are web-based virtual server management interfaces that have been designed from the ground up for that purpose, unlike Webmin which was designed to allow the management of everything on a system.

Configuring the Sendmail Configuration module

The Module Config link on the main page takes you to a form seen in many other modules for editing settings that apply to the operation of the module itself. Those listed under Configurable options relate to its user interface, while those under System configuration define the paths to the Sendmail programs and files.
Settings in the latter group do not usually need to be changed, as by default they are set to match the Sendmail package supplied with your operating system. However, if you have compiled and installed the MTA yourself from the source code, then it is quite possible that they will be incorrect.
