# Sendmail can't start, config problem with Sendmail, Sasl?

## seifn06

...Sendmail won't start...

I am trying to set up an email server with Sendmail with the SMTP AUTH extension (and hopefully TLS too). My machine is running Hardened Gentoo with the 2.6.11-r14 hardened [kernel] sources. The system also runs Apache 2.0.54-r11 web server software with PHP and mod_php (both at version 5.1.0_beta) as well as the MySQL 4.1.12 database server/daemon. I've emerged Sendmail 8.13.4 and Cyrus-Sasl 2.1.21-r1 with the hope of using the SMTP AUTH mechanisms and Cyrus-SASL to authenticate/authorize users outside my home network to relay mail through my email server. However, I believe I've run into problems configuring Cyrus-Sasl and Sendmail because I cannot get Sendmail to start properly. 

...Quick question...

Before I continue, could someone recommend a good "howto" or explanation of how SMTP AUTH and TLS mechanisms work with Sendmail? I believe part of my problem is that I don't understand how SMTP authentication happens and how Sendmail and SASL (Cyrus-sasl in this case) work together to accomplish this task.

...Circumstances of problem...

Sendmail and saslauthd (as well as apache, mysql, sshd) are in the default run level and appear to start correctly [ok] at boot up. However, when I telnet into port 25 or 465 to verify that my Sendmail installation is capable of SMTP authentication mechanisms, the sendmail server does not respond and then quickly closes my connection (timeout?). 

I attempt this process again after restarting sendmail (netstat suggests the sendmail daemon died):

```
# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      6798/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6906/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      6892/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6906/apache2
# run_init /etc/init.d/sendmail restart
Authenticating <my_username>.
Password:
 * Stopping sendmail ...                                                  [ ok ]
 * Starting sendmail ...                                                  [ ok ]
# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      6798/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6906/apache2
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      7786/sendmail
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      6892/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      7786/sendmail
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6906/apache2
# telnet <external_ip_addr> smtp
Trying <external_ip_addr>...
Connected to <external_ip_addr>.
Escape character is '^]'.
EHLO <host_name>
Connection closed by foreign host.
# run_init /etc/init.d/sendmail status
Authenticating <my_username>.
Password:
 * status:  started
# run_init /etc/init.d/saslauthd status
Authenticating <my_username>.
Password:
 * status:  started
```

Yet I have the same problem: Sendmail dies or does not respond when I telnet into either port 25 or 465 on either "localhost" or my network [external] ip address. AND, I get the following error(s) in my auth.log in /var/log:

```
Jul  9 22:21:34 <hostname> sm-mta[7786]: daemon MTA: problem creating SMTP socket
Jul  9 22:21:34 <hostname> sm-mta[7786]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: server SMTP socket wedged: exiting
```

I get the same errors at bootup despite the fact that my kernel thinks Sendmail has started [ok]:

```
Jul  9 21:21:46 <hostname> sendmail[7018]: alias database /etc/mail/aliases rebuilt by root
Jul  9 21:21:46 <hostname> sendmail[7018]: /etc/mail/aliases: 21 aliases, longest 10 bytes, 221 bytes total
Jul  9 21:21:47 <hostname> sm-mta[7080]: starting daemon (8.13.4): SMTP+queueing@00:30:00
Jul  9 21:21:47 <hostname> sm-cm[7083]: starting daemon (8.13.4): queueing@00:30:00
Jul  9 21:21:47 <hostname> sm-mta[7080]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot listen: Address already in use
Jul  9 21:21:47 <hostname> sm-mta[7080]: daemon MTA: problem creating SMTP socket
```

...Relevant config files...

Sendmail was compiled with the following use flags:

In /etc/make.conf:

```
USE="pic hardened acl alsa apache2 ssl mpm-worker threads bash-completion fbcon imap innodb javascript maildir milter mime mp3 mysql mysqli php sockets tokenizer x86"
```

On the cmd-line: 

```
USE="-berkdb"
```

I know my Sendmail installation is capable of SMTP AUTH with SASL because /usr/sbin/sendmail -d0.1 -bv root shows SASLv2 as being a compile-time option...:

```
# /usr/sbin/sendmail -d0.1 -bv root
Version 8.13.4
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2 SCANF
                STARTTLS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = <hostname>
  (canonical domain name) $j = <hostname>.<FQDN>
         (subdomain name) $m = <FQDN>
              (node name) $k = <hostname>
========================================================

root... deliverable: mailer local, user root
```

Cyrus-Sasl was compiled with the same USE flags as Sendmail above but included

```
USE="-mysql"
```

My sendmail.mc file (built with m4 and posted to /etc/mail/sendmail.cf each time I make changes to sendmail.mc):

```
divert(-1)
divert(0)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl # Copied into this mc file from the default mc file generated when sendmail was compiled on <hostname>
VERSIONID(`$Id: sendmail.mc,v 1.0 2005/07/08 12:14 me Exp $')dnl
OSTYPE(linux)dnl
# DOMAIN(generic)dnl
DOMAIN(<FQDN>)dnl
# Begin Sendmail option definitions
#
#
#
# see "Sendmail, 3rd Ed." page 942
define(`ALIAS_FILE', `/etc/mail/aliases')
# see http://www.falkotimme.com/howtos/sendmail_smtp_auth_tls/index.php -- the AUTH_MECHANISMS and TRUST_AUTH_MECH are for SSL/TLS stuff to allow secure access to the smtp server
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
dnl ### do STARTTLS
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl
# see "Sendmail, 3rd Ed." page 951
define(`confBAD_RCPT_THROTTLE', `4')dnl
# see "Sendmail, 3rd Ed." page 960
define(`confCONNECTION_RATE_THROTTLE', `6')dnl
# see "Sendmail, 3rd Ed." page 992
define(`confDONT_PROBE_INTERFACES', `true')dnl
# see "Sendmail, 3rd Ed." page 1010
define(`confMAX_ALIAS_RECURSION', `6')dnl
# see "Sendmail, 3rd Ed." page 1012
define(`confMAX_HEADERS_LENGTH', `16384')dnl
# see "Sendmail, 3rd Ed." page 1015
define(`confMAX_QUEUE_CHILDREN', `4')dnl
# see "Sendmail, 3rd Ed." page 1016
define(`confMAX_RCPTS_PER_MESSAGE', `40')dnl
# see "Sendmail, 3rd Ed." page 1024
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
# see "Sendmail, 3rd Ed." page 1029
define(`confPRIVACY_FLAGS', ``authwarnings, goaway, noetrn, restrictmailq'')dnl
# see "Sendmail, 3rd Ed." page 1053
define(`confSINGLE_LINE_FROM_HEADER', `true')dnl
# see "Sendmail, 3rd Ed." page 1055
define(`confSMTP_LOGIN_MSG', `$j Sendmail $v   speak friend and enter:')dnl
# see "Sendmail, 3rd Ed." page 1057
define(`confSAFE_QUEUE', `true')dnl
#
#
#
# End Sendmail option definitions
# see "Sendmail, 3rd Ed." page 162-3
MASQUERADE_AS(`<FQDN>')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`allmasquerade')dnl # page 176
FEATURE(`always_add_domain')dnl # page 176
# FEATURE(`relay_entire_domain')dnl # page 306
FEATURE(`access_db')
FEATURE(`no_default_msa')dnl # page 194
# Begin additions from default mc file
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`local_lmtp',`/usr/sbin/mail.local')dnl
FEATURE(`local_procmail')dnl
# End additions from default mc file
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl # added from default mc file
```

My /etc/pam.d/smtp file is as follows:

```
#%PAM-1.0
auth     required  /lib/security/pam_stack.so service=system-auth
account  required  /lib/security/pam_stack.so service=system-auth
```

I have a Realtek 10/100 ethernet card running with a static ip address, gateway and netmask specified in /etc/conf.d/net

...Questions...

(1) What does the M=s option do in the DAEMON_OPTIONS macro in my sendmail.cf file? 

(2) I assume that I'm trying to make Cyrus-Sasl use pam-login or pam to authenticate users but I'm not sure. How does SMTP AUTH work? Specifically, what does the SASL software do to authenticate users? I'd like (and I thought this was how I had things set up) to use usernames and passwds from the given host for authentication which is why I chose PAM...

(3) What might cause Sendmail to be unable to open a new socket when I try to start it? (See error mentioned above.)

Thanks in advance for any and all help.
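To make the telnet check described in this post systematic, here is an added example (mine, not from the thread) that parses an EHLO reply and reports what the daemon is actually offering: whether STARTTLS is advertised, which SASL mechanisms are listed, and whether plaintext mechanisms (PLAIN/LOGIN) are exposed on the cleartext connection. The sample reply, the function names and the optional live probe are my own assumptions; nothing here was captured from the poster's machine.

```python
"""Added example, not from the thread: audit an SMTP EHLO reply for AUTH and
STARTTLS exposure. Names (ehlo_capabilities, audit_ehlo, probe_smtp_ehlo,
SAMPLE_EHLO_REPLY) are mine, not sendmail's."""
import smtplib

# Constructed sample reply, shaped like what a sendmail 8.13 daemon built with
# STARTTLS and SASLv2 returns to EHLO on port 25 (not captured from any host).
SAMPLE_EHLO_REPLY = """250-mail.example.test Hello client.example.test [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP"""

# Mechanisms that send the password in the clear unless TLS is already up.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def ehlo_capabilities(reply: str) -> dict:
    """Return {KEYWORD: [params...]} for every 250- / 250 line after the greeting."""
    caps = {}
    lines = reply.strip().splitlines()
    for line in lines[1:]:                 # lines[0] is the greeting
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        body = line[4:].strip()            # drop '250-' or '250 '
        if not body:
            continue
        keyword, *params = body.split()
        caps[keyword.upper()] = [p.upper() for p in params]
    return caps


def audit_ehlo(reply: str, tls_active: bool = False) -> list:
    """Findings about what the daemon offers on this connection.

    tls_active=False means the reply was read on the cleartext connection
    (port 25 before STARTTLS); plaintext mechanisms advertised there expose
    credentials unless confAUTH_OPTIONS contains 'p', which hides them."""
    caps = ehlo_capabilities(reply)
    findings = []
    mechs = set(caps.get("AUTH", []))
    if not mechs:
        findings.append("AUTH not advertised: SASL is not active on this daemon")
    if "STARTTLS" not in caps and not tls_active:
        findings.append("STARTTLS not advertised: check confSERVER_CERT/confSERVER_KEY "
                        "and that sendmail was built with STARTTLS")
    exposed = sorted(mechs & PLAINTEXT_MECHS)
    if exposed and not tls_active:
        findings.append("plaintext mechanisms offered before TLS: " + " ".join(exposed)
                        + " (add 'p' to confAUTH_OPTIONS to withhold them until STARTTLS)")
    return findings


def probe_smtp_ehlo(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live variant of the telnet check: connect, EHLO, return capabilities.
    Needs network access; not exercised offline."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {msg!r}")
        return {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
```

`audit_ehlo(SAMPLE_EHLO_REPLY)` returns the findings for the constructed reply; `probe_smtp_ehlo("localhost", 25)` performs the same EHLO against a running daemon, which is the point at which a connection that closes right after EHLO (as in the transcript above) shows up as an exception rather than a capability list.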

----------

## Pete M

seifn06

Here's my Sendmail.mc

You will have to change this section to match your certificates

```
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/server2-cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/server2-key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/server2-cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/server2-key.pem')dnl
```

Go here http://www.technoids.org/starttlstut.html#CertPrep

Follow the tutorial to generate certificates for Sendmail

3. Preparing to Generate Certificates

Change this line

```
cp /usr/local/openssl/openssl.cnf.sample openssl.cnf
```

to

```
cp /etc/ssl/openssl.cnf openssl.cnf
```

When you `vi openssl.cnf`, beware of the "."; you will understand when you see it

Then follow the rest as is

Next create a file

/etc/sasl2/Sendmail.conf  (note capital "S")

Place in it

```
pwcheck_method: saslauthd 
```

Now add users to sasl using this command

```
# saslpasswd2 -c user
```

They must be valid users on your system, create the users and when prompted enter the passwords

I suggest you leave the rest of my sendmail.mc as is there are a few anti spam features included which may prove useful

In particular leave 

```
DOMAIN(generic)dnl
```

as is

OK if all the above is in place and your new sendmail.mc is in /etc/mail 

Now it's time to make sendmail.cf

On the command line in the mail directory run

```
mail # m4 /usr/share/sendmail-cf/m4/cf.m4 sendmail.mc > sendmail.cf
```

If all goes well restart sendmail and test 

```
divert(-1)dnl
divert(0)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     m4 /usr/share/sendmail-cf/m4/cf.m4 sendmail.mc > sendmail.cf
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Gentoo 2005.0')dnl
OSTYPE(`linux')dnl
DOMAIN(generic)dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTRUSTED_USER', `smmsp')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/mail/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
define(`confAUTH_OPTIONS', `A p y')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl #
dnl define(`confAUTH_MECHANISMS',`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
dnl TRUST_AUTH_MECH(`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
dnl # guaranteed secure.
dnl #
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/server2-cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/server2-key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/server2-cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/server2-key.pem')dnl
define(`confLOG_LEVEL', `15')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readable by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl #       a kernel patch
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
dnl #
FEATURE(`dnsbl', `ipwhois.rfc-ignorant.org',`"550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/"')
dnl #
FEATURE(`dnsbl', `proxies.blackholes.easynet.nl', `"550 5.7.1 ACCESS DENIED to OPEN PROXY SERVER "$&{client_name}" by easynet.nl DNSBL  (http://proxies.blackholes.easynet.nl/errors.html)"', `')dnl
dnl #
FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected due to sending server misconfiguration - see http://www.ordb.org/faq/\#why_rejected"')dnl
dnl #
FEATURE(`dnsbl', `bl.spamcop.net', `"450 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')
dnl #
FEATURE(`dnsbl',`sbl.spamhaus.org',`Rejected - see http://spamhaus.org/')dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
```

If everything is OK you can remove this line or put "dnl" in front of it

```
define(`confLOG_LEVEL', `15')dnl
```

This will reduce the amount of information placed in your mail log

Pete
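The `confAUTH_OPTIONS` and `TRUST_AUTH_MECH` lines in the sendmail.mc above are the part that decides what a connecting client sees and who is allowed to relay. The following added example (mine, not from the thread and not sendmail's own code) models the `p` and `y` flags and the TRUST_AUTH_MECH list over the mechanism lists used in this thread. The mechanism property table and the function names are my own; the `A` flag, which only affects the AUTH= parameter on MAIL FROM, is deliberately not modelled.

```python
"""Added example, not from the thread or from sendmail: a model of how the
confAUTH_OPTIONS flags and TRUST_AUTH_MECH list in the posted sendmail.mc
decide which mechanisms are advertised and who may relay. The property table
and function names are mine; flag meanings follow sendmail's cf/README."""
from typing import Optional

# Mechanism properties (my summary of the mechanisms named in this thread):
# plaintext = password crosses the wire unprotected unless a security layer
# (TLS) is active; anonymous = mechanism permits anonymous login.
MECH_PROPERTIES = {
    "PLAIN":      {"plaintext": True,  "anonymous": False},
    "LOGIN":      {"plaintext": True,  "anonymous": False},
    "CRAM-MD5":   {"plaintext": False, "anonymous": False},
    "DIGEST-MD5": {"plaintext": False, "anonymous": False},
    "ANONYMOUS":  {"plaintext": False, "anonymous": True},
}


def parse_auth_options(value: str) -> set:
    """'A p y' -> {'A', 'p', 'y'}; sendmail accepts the flags with or without separators."""
    return set(value.replace(",", "").replace(" ", ""))


def offered_mechanisms(auth_mechanisms: str, auth_options: str, tls_active: bool) -> list:
    """Mechanisms the daemon would list in its 250-AUTH line on this connection."""
    flags = parse_auth_options(auth_options)
    offered = []
    for mech in auth_mechanisms.upper().split():
        props = MECH_PROPERTIES.get(mech)
        if props is None:
            raise ValueError(f"mechanism not in table: {mech}")
        if "p" in flags and props["plaintext"] and not tls_active:
            continue        # 'p': no plaintext mechanisms without a security layer
        if "y" in flags and props["anonymous"]:
            continue        # 'y': never permit anonymous login
        offered.append(mech)
    return offered


def relay_permitted(authenticated_mech: Optional[str], trust_auth_mech: str) -> bool:
    """TRUST_AUTH_MECH: relaying is granted only to a client that authenticated
    with one of the listed mechanisms; unauthenticated clients get no relay
    (access_db entries and local domains still apply in real sendmail)."""
    if not authenticated_mech:
        return False
    return authenticated_mech.upper() in set(trust_auth_mech.upper().split())


def describe(auth_mechanisms: str, auth_options: str) -> dict:
    """Side-by-side view: what a client sees before and after STARTTLS."""
    return {
        "before_starttls": offered_mechanisms(auth_mechanisms, auth_options, False),
        "after_starttls": offered_mechanisms(auth_mechanisms, auth_options, True),
    }
```

With Pete's settings, `describe("LOGIN PLAIN", "A p y")` shows an empty AUTH list before STARTTLS and `LOGIN PLAIN` after it, which is exactly the "disallows plaintext authentication on non-TLS links" behaviour the comment in the file promises; the same function run on the first post's `LOGIN PLAIN DIGEST-MD5 CRAM-MD5` list with no `p` flag shows the plaintext mechanisms offered on the cleartext port as well.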

----------

## seifn06

Thanks for the howto and tips, Pete. Sendmail starts and appears to work properly now. 

I think part of the problem was in my original sendmail.mc file where I had two DAEMON_OPTION lines. I think I either hadn't configured Sendmail properly to use two daemon option lines or I simply shouldn't have had two daemon option lines....

In any case, thanks again for the info. I followed the instructions on setting up the certificates as well as your tips for the sendmail.mc file and things work correctly now.

----------

## Pete M

seifn06

Glad to help. Not many Gentoo people use Sendmail, so I don't get much chance to share my knowledge.

What you need now is anti-virus how about a tutorial for clamav ?

Enjoy Gentoo

Pete

----------

## seifn06

Pete - My goal is to add antivirus (i.e. clamav) and some spam filters to my box soon. If you've got a howto on clamav and don't mind posting it - I would definitely use it! And perhaps some other Gentoo users would too. I'm thinking of writing my own spam filters using the Milter library(ies?) though that will take a bit of time. May I ask if you're running any spam filters and if so - which ones? (And what kind of experience (i.e. good/positive or bad) have you had with said filters? Are they accurate in IDing and trashing spam?)

Hehe, and you're right - it seems very few Gentoo folks use Sendmail judging by the popularity of exim/qmail/courier/etc in the forums. Perhaps the ones who do just don't post to the forums!

Thanks again.

----------

## Pete M

Hi seifn06

Will post a howto for clamav, it will be after work today

As for spam filters I use 

http://www.spambouncer.org/

It's not very well known on this forum; in fact I have never seen a reference to it.

Uses procmail, very configurable

Only problem is I use mbox format Sendmail and Procmail's default is maildir, so any howto I could give you would involve recompiling Sendmail.

For clamav to work you will need milter support in Sendmail which I doubt you currently have compiled in so that may involve re-emerging

I assume it works with mail dir format, just never used it that way

Pete

----------

## Pete M

Ok seifn06

A sendmail clamav howto

First thing you need to do is check that you have milter support in sendmail, use this command

```
sendmail -d0.1 -bv root
```

Here's my result

```
Version 8.13.3
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB PIPELINING SASLv2
                SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
```

If you don't see "MILTER" listed it's time to re-emerge Sendmail

To get milter support in clamav and sendmail you will have to modify /etc/portage/package.use

If this file doesn't exist, create it and add

```
app-antivirus/clamav milter

mail-mta/sendmail milter
```

You may have already modified /etc/portage/package.use to get sasl support in sendmail, if that's the case just add milter to mail-mta/sendmail

Now re-emerge sendmail if you have to, and emerge clamav

Edit /etc/conf.d/clamd to enable milter, should look like

```
START_CLAMD=yes
START_FRESHCLAM=yes
START_MILTER=yes
MILTER_SOCKET="/var/run/clamav/clmilter.sock"
MILTER_OPTS="-m 10"
```

Edit /etc/freshclam.conf to add your country code

```
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
# Default: There is no default, which results in an error when running freshclam
DatabaseMirror db.GB.clamav.net
```

Obviously this is mine because I'm in GB

Edit /etc/mail/sendmail.mc and add these lines

```
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')dnl
```

Put them exactly as this

```
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
```

Ok remake sendmail.cf as before

Add clamd to default run level

```
rc-update add clamd default
```

Get clamd up and running

```
rc default
```

Restart sendmail

```
/etc/init.d/sendmail restart
```

You should now have sendmail with clamav antivirus

Send yourself some mail from, say, Gmail and check the headers; they should look like

```
X-Virus-Scanned: ClamAV 0.86.1/976/Mon Jul 11 10:09:22 2005 on server.mydomain.com
X-Virus-Status: Clean
```

If you do get a virus event, providing you have redirected root's mail to yourself in /etc/mail/aliases clamav will send you an email  

Check /var/log/freshclam.log make sure the virus definitions are being updated

Check /var/log/clamav/clamd.log make sure everything looks ok

That's about it

Hope it works as well as my sendmail howto

Pete
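To confirm that the milter is really in the delivery path and that freshclam is keeping the signatures current, here is an added example (mine, not Pete's and not ClamAV's code) that reads the `X-Virus-Scanned` / `X-Virus-Status` headers, in the format quoted in the howto, from a received message. The two sample messages are constructed, and the two-day staleness threshold is my assumption.

```python
"""Added example, not from the thread or from ClamAV: check from a delivered
message that clamav-milter actually handled it and that the signature database
it used is recent. Function names, sample messages and the staleness threshold
are mine; the header format follows the one quoted in the howto."""
from datetime import datetime, timedelta
from email import message_from_string
from typing import Union

# Constructed samples (not real mail). The X-Virus-Scanned value follows the
# default clamav-milter form: ClamAV <version>/<db version>/<db timestamp> on <host>.
SAMPLE_SCANNED = """From: sender@example.test
To: me@example.test
Subject: scan check
X-Virus-Scanned: ClamAV 0.86.1/976/Mon Jul 11 10:09:22 2005 on server.mydomain.com
X-Virus-Status: Clean

hello
"""

SAMPLE_UNSCANNED = """From: sender@example.test
To: me@example.test
Subject: scan check

hello
"""

DB_TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_virus_scanned(value: str) -> dict:
    """Split 'ClamAV 0.86.1/976/Mon Jul 11 10:09:22 2005 on host' into its parts."""
    product, rest = value.split(None, 1)
    if product != "ClamAV":
        raise ValueError(f"not a ClamAV header: {value!r}")
    details, _, host = rest.partition(" on ")
    version, db_version, db_time = details.split("/", 2)
    return {
        "version": version,
        "db_version": int(db_version),
        "db_time": datetime.strptime(db_time.strip(), DB_TIME_FORMAT),
        "host": host.strip(),
    }


def scan_report(raw_message: str, now: Union[datetime, str],
                max_db_age: timedelta = timedelta(days=2)) -> dict:
    """Report whether the message was scanned, its verdict, and whether the
    database used was older than max_db_age at time 'now' (ISO string or datetime)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    msg = message_from_string(raw_message)
    scanned = msg.get("X-Virus-Scanned")
    if scanned is None:
        # No header at all: the milter was not in the delivery path (clamd or
        # clamav-milter not running, wrong socket path, or sendmail.cf rebuilt
        # without the INPUT_MAIL_FILTER line).
        return {"scanned": False, "status": None, "stale_db": None}
    info = parse_virus_scanned(scanned)
    info["scanned"] = True
    info["status"] = (msg.get("X-Virus-Status") or "").strip() or None
    info["stale_db"] = (now - info["db_time"]) > max_db_age
    return info
```

A site that replaces the default header with its own `--signature-file` text (as Pete does in a later post) would need its own parser for that line; the "missing header" branch still applies unchanged, and is the case worth alerting on, since an unscanned message means the filter chain was silently bypassed.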

----------

## seifn06

Thanks again for your help, Pete - I got clamav up and running in short order this afternoon using your instructions. One thing I'll add for any other Hardened Gentoo users (or Gentoo SELinux users) is that I ran into a snag with SELinux security labels when trying to compile clamav. If your emerge of app-antivirus/clamav (or one of its dependencies) fails with an error akin to 

```
!!! ERROR: dev-libs/gmp-4.1.4 failed.
!!! Function dyn-preinst, Line 1246, Exitcode 1
!!! Failed to set SELinux security labels.
```

remember to update your kernel policy doing something like the following:

```
cd /etc/security/selinux/src/policy
make clean && make && make load
```

If these commands fail as mine did this afternoon and give an error akin to "spamd is an unknown object on Line <number>" or something - you might try looking up the line number <number> in /etc/security/selinux/src/policy/domains/program/clamav.te file and commenting that line out by placing a "#" (pound sign) in front of it. Then try running the make commands I listed above again in /etc/security/selinux/src/policy. This worked for me.

Thanks again for the howtos, Pete - they worked well for me and I'm able to scan incoming email for virii.

----------

## Pete M

seifn06

Pleased it worked out for you

Couple of things I've added to clamav may be of interest to you /etc/conf.d/clamd now looks like this

```
START_CLAMD=yes
START_FRESHCLAM=yes
START_MILTER=yes
MILTER_SOCKET="/var/run/clamav/clmilter.sock"
MILTER_OPTS="-m 10 --force-scan --signature-file=/home/peter/.clam"
```

Now all mail incoming, outgoing and local gets scanned plus a signature is added 

In my case I just copied the header and placed it in /home/peter/.clam

```
X-Virus-Scanned: ClamAV version 0.86.1, clamav-milter version 0.86 on server.mydomain.com 
```

I know scanning all mail is a little overkill, but I did it more just to see if it was possible, plus the sig looks reassuring to recipients of outgoing mail.

Pete

----------

## trossachs

Does anyone know how to run clamav-milter with Postfix?

----------

## jeffgman

 *Pete M wrote:*   

> seifn06
> 
> Here's my Sendmail.mc
> 
> You will have to change this section to match your certificates
> ...

 

I used the above procedures to set up Sendmail with STARTTLS.  Everything is working great, except for one thing.  I am using MS Outlook as my e-mail client.  When I first send an e-mail, it tells me the certificate could not be authenticated, do I want to continue anyway.  I select yes and it does not alert me again in that session.  But, once I close and open Outlook again, it tells me the same thing.  How can I get Outlook to accept a self-signed certificate without the error message?

Thanks,

Jeff

----------

## Pete M

Sorry Jeff

I don't use Outlook so never had the problem

Will see what I can dig up for you

Pete

----------

## jeffgman

 *Pete M wrote:*   

> Sorry Jeff
> 
> I don't use Outlook so never had the problem
> 
> Will see what I can dig up for you
> ...

 

Great.  Thank you.

----------

## trossachs

Anyone had any experiences with Postfix?

----------

## patrix_neo

Hi, Jeff. You seem like a very good 'sendmail configurer', so I hope to clarify whether I have some fw problem or my sendmail.mc is misconfigured.

Here is my sendmail.mc:

```
divert(-1)
#
# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers.
#       All rights reserved.
# Copyright (c) 1983 Eric P. Allman.  All rights reserved.
# Copyright (c) 1988, 1993
#       The Regents of the University of California.  All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#
divert(0)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
define(`confDEF_USER_ID',``8:12'')dnl
VERSIONID(`$Id: sendmail.mc,v 1.2 2002/07/04 04:55:29 g2boojum Exp $')dnl
OSTYPE(`linux')dnl
DOMAIN(`generic')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT',`1m')dnl
define(`confTRY_NULL_MX_LIST',`true')dnl
define(`confDONT_PROBE_INTERFACES',`true')dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
dnl The m4 name is ALIAS_FILE; the name ALIAS used in the original post defines nothing sendmail reads
define(`ALIAS_FILE',`/etc/mail/aliases')dnl
define(`STATUS_FILE',`/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX',`20000000')dnl
define(`confUSERDB_SPEC',`/etc/mail/userdb.db')dnl
dnl The m4 name is confPRIVACY_FLAGS (plural); written as confPRIVACY_FLAG the flags were never applied
define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS',`A')dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable')
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`redirect')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`local_lmtp',`/usr/sbin/mail.local')dnl
FEATURE(`local_procmail',`/usr/bin/procmail')dnl
dnl PROCMAIL_MAILER_FLAGS takes mailer flag letters (default SPhnu9), not a command line,
dnl so the original define is disabled here and the default flags apply
dnl define(`PROCMAIL_MAILER_FLAGS',`procmail -Y -m $h $g $u')dnl
define(`PROCMAIL_MAILER_ARGS',`procmail -Y -m $h $g $u')dnl
FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access.db')
dnl DAEMON_OPTIONS(`Port=25,Addr=127.0.0.1, Name=MTA')dnl
MAILER(`procmail')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
Cwlocalhost.localdomain
```

I can receive mails, I can send mails to the queue, but when flushing the queue I get "Deferred no route to host".

I can see it has resolved the addresses in the /var/log/mail.log:

```
Dec  4 10:33:32 overlord sendmail[1266]: jB48phZu032723: to=<workuser@myworkdom.se>, ctladdr=<patrix_neo@myhost.shacknet.nu> (1000/1000), delay=00:41:49, xdelay=00:01:00, mailer=esmtp, pri=660265, relay=gate.domain.se. [212.214.82.xxx], dsn=4.0.0, stat=Deferred: gate.dom.se.: No route to host
```

This is my route -rn output:

```
overlord mail # netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
83.248.40.0     0.0.0.0         255.255.248.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         83.248.40.1     0.0.0.0         UG        0 0          0 eth0
```

I have the iptable for smtp as follows:

```
# Both rules are in the INPUT chain, so they only govern mail arriving here;
# outbound connections to port 25 are decided by the OUTPUT chain.
/sbin/iptables -A INPUT -i $INETIF -d $INETIP -p tcp --dport 25 -s 0/0 -j ACCEPT
# SMTP is TCP only; this udp rule matches nothing and can be dropped.
/sbin/iptables -A INPUT -i $INETIF -d $INETIP -p udp --dport 25 -s 0/0 -j ACCEPT
```

Can you, or anyone else explain this behaviour?

Thanks for any answer at all.

----------

## patrix_neo

Sorry for my long post, but it seems like my ISP is blocking outgoing smtp messages. Can that be it???

----------

## gmtl3

patrix_neo, can your sendmail machine talk to gate.domain.se?  Seems more like a simple routing/connectivity problem to me.  Try "telnet gate.domain.se 25" or better yet "nc6 gate.domain.se 25".  If these aren't working, you have a routing problem.
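Following gmtl3's suggestion, here is an added example (mine, not from the thread) that pulls the relay host and the status out of a sendmail delivery log line like the one patrix_neo posted, maps the status text to a likely cause, and can run the same connect test as `telnet host 25` with a timeout. The sample log line is constructed after the posted one with addresses replaced, and the cause descriptions are my own summaries of what each errno usually means on the sending host.

```python
"""Added example, not from the thread: read the relay host and delivery status
out of a sendmail mail.log line, map the status text to a likely cause, and
optionally run the same reachability test as 'telnet host 25' with a timeout.
Function names and the sample log line are mine."""
import errno
import re
import socket

# Constructed after the posted mail.log line (addresses and names replaced).
SAMPLE_DEFERRED_LINE = (
    "Dec  4 10:33:32 overlord sendmail[1266]: jB48phZu032723: to=<user@example.test>, "
    "ctladdr=<me@mail.example.test> (1000/1000), delay=00:41:49, xdelay=00:01:00, "
    "mailer=esmtp, pri=660265, relay=gate.example.test. [192.0.2.25], dsn=4.0.0, "
    "stat=Deferred: gate.example.test.: No route to host"
)

LOG_RE = re.compile(r"relay=(?P<relay>[^\s,]+)(?: \[(?P<addr>[^\]]+)\])?.*?stat=(?P<stat>.*)$")

# Status text sendmail writes for the common connect() failures.
STAT_TO_ERRNO = {
    "no route to host": errno.EHOSTUNREACH,
    "network is unreachable": errno.ENETUNREACH,
    "connection refused": errno.ECONNREFUSED,
    "connection timed out": errno.ETIMEDOUT,
    "operation timed out": errno.ETIMEDOUT,
}


def parse_delivery_log(line: str) -> dict:
    """Extract relay host, relay address and stat= text from a sendmail log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a sendmail delivery log line")
    return {"relay": m.group("relay").rstrip("."), "addr": m.group("addr"),
            "stat": m.group("stat").strip()}


def classify_connect_error(err_no: int) -> str:
    """Map a connect() errno to the most likely cause, from the sending host's view."""
    if err_no == errno.EHOSTUNREACH:
        return "no route to host: local routing or firewall (ICMP unreachable) problem"
    if err_no == errno.ENETUNREACH:
        return "network unreachable: no default route on this host"
    if err_no == errno.ECONNREFUSED:
        return "connection refused: host reached but nothing listening (or a REJECT rule)"
    if err_no == errno.ETIMEDOUT:
        return "timeout: packets silently dropped (typical of an ISP or upstream port-25 block)"
    return f"other error ({errno.errorcode.get(err_no, err_no)})"


def classify_stat(stat: str) -> str:
    """Same classification applied to the stat= text sendmail logs."""
    lowered = stat.lower()
    for text, code in STAT_TO_ERRNO.items():
        if text in lowered:
            return classify_connect_error(code)
    return "unclassified: " + stat


def probe_smtp(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check: connect and read the banner. Needs network; not run offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = sock.recv(512).decode("ascii", "replace").strip()
        return {"reachable": True, "banner": banner, "cause": None}
    except socket.timeout:
        return {"reachable": False, "banner": None,
                "cause": classify_connect_error(errno.ETIMEDOUT)}
    except OSError as exc:
        return {"reachable": False, "banner": None,
                "cause": classify_connect_error(exc.errno or 0)}
```

`classify_stat(parse_delivery_log(line)["stat"])` on a line from /var/log/mail.log gives the first hint; `probe_smtp(relay)` run from the same host then shows whether the failure is immediate (routing or a rejecting firewall) or a silent timeout, which is the shape a provider's outbound port-25 block usually takes.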

----------

## patrix_neo

Thanks for sending me a thought.

Yes I think so too, now when I get a second thought. I have no restriction whatsoever to my gateway, etc...

Doing a  telnet gate.domain.se 25 got a reply:  No route to host

This works when trying to reach my own mailserver though.

I did read about having ICMP service 3 available in your firewall, which I had switched off; then 'things' started to appear about routing to own host and such. A way in the right direction, me thinks.

So, yes, I think I have this baby misconfigured somewhere. The sendmail.mc file worked fine in earlier versions of sendmail..

Last errors from /var/log/mail.log:

```
Dec 15 19:57:34 overlord sendmail[28669]: jBFIvYU8028669: from=root, size=2033, class=0, nrcpts=1, msgid=<200512151857.jBFIvYU8028669@overlord.nerull.com>, relay=root@localhost
Dec 15 19:57:34 overlord sendmail[28669]: jBFIvYU8028669: to=linuxpat (at)hootmail (punkt) com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32033, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
```

This is a reply from mail-header found in /var/spool/mqueue:

```
MDeferred: gate.partille.se.: No route to host
Fbs
$_localhost [127.0.0.1]
$rESMTP
$soverlord.nerull.com
${daemon_flags}
${if_addr}127.0.0.1
S<patrich@overlord.nerull.com>
MDeferred: gate.domain.se.: No route to host <--domain.se = mywork-domain.se
rRFC822; tkpb@domain.se
RPFD:<tkpb@domain.se>
H?P?Return-Path: <?g>
H??Received: from overlord.nerull.com (localhost [127.0.0.1])
        by overlord.nerull.com (8.13.4/8.13.4) with ESMTP id jBLCNRk4005689
        for <tkpb@domain.se>; Wed, 21 Dec 2005 13:23:28 +0100
H??Received: (from patrich@localhost)
        by overlord.nerull.com (8.13.4/8.12.10/Submit) id jBLCNRfC005685
        for tkpb@domain.se; Wed, 21 Dec 2005 13:23:27 +0100
H??Date: Wed, 21 Dec 2005 13:23:27 +0100
H??From: patrich@overlord.nerull.com
H??Message-Id: <200512211223.jBLCNRfC005685@overlord.nerull.com>
H??To: tkpb@domain.se
H??Subject: comhem
```

my /etc/host file:

```
127.0.0.1       localhost    localhost.localdomain
192.168.1.2     overlord     overlord.nerull.com
192.168.1.3     nightshade   nightshade.nerull.com
```

my firewall log tells me nothing special....

...It would be _so_ much greater having my own mail working from my own linux-server.

I will do an attempt to mail without the firewall for a quick tryout. tryout done, and no change there.

----------

## Robert S

Re getting Outlook (express) to stop putting up warning messages:

Create a .DER file out of your sendmail.pem - see http://www.openssl.org/support/faq.html#USER12.  Briefly:

```
# openssl x509 -in sendmail.pem -outform DER -out ~/sendmail.der
```

Browse to sendmail.der in Explorer and double click on it.  Follow the instructions.

You need to enter a FQDN that matches what you enter in the "Server" field in Outlook.

----------

## patrix_neo

After a long tinkering with different sendmail.mc settings and firewalling, I've found my ISP is really blocking port 25 for outgoing mail. All because of spammed users' mail servers lagging the traffic.

It's not bad. 100 mails / 10 minutes are accepted.

Still, can I go around this somehow?

----------

