MTA Configuration
All of the MTAs featured here are highly configurable. If possible, test changes on a test server and not on a live MTA, and always make a backup of your configuration before making changes. It is possible that you may end up altering the configuration of the MTA in such a way that it does not operate correctly.
Sendmail
Sendmail is the grandfather of all MTAs. Its long heritage implies that it inherits some of the friendliness of the pre-commercial Internet. This means that older installations might relay email. Additionally, installations that were first configured with an old version but have been upgraded may also retain some configuration settings that allow them to relay email.
Sendmail is packaged by most Linux distributions, as well as HP/UX, AIX, Solaris, and other commercial UNIX-based products. Each supplier may place the configuration files in different directories. In this chapter, the default locations and file names are used when discussing configuration files.
Sendmail Versions 8.9 and Above
For Sendmail versions 8.9 or above, the /etc/mail/relay-domains file lists the domains that Sendmail will accept email for. The syntax is a list of domains or IP addresses, one domain on each line:
mydomain.com
anotherdomain.com
myassociate.com
If the Sendmail configuration has been changed, Sendmail should be restarted and the open relay test described earlier should be performed.
Sendmail Versions Below 8.9
For versions of Sendmail prior to 8.9, the ideal solution would be to upgrade. If this is not possible, follow these instructions:
- Use grep within an editor to check whether the use_ip or check_rcpt4 lines exist in the main Sendmail configuration file, sendmail.cf:
  $ cd /etc/mail
  $ grep use_ip sendmail.cf
  $ grep check_rcpt4 sendmail.cf
- If the sendmail.cf file does not contain the use_ip or check_rcpt4 lines, they should be added to the end of the sendmail.m4 file as follows:
  HACK(`use_ip',`/etc/mail/LocalIP')dnl
  HACK(`check_rcpt4')dnl
- After changing sendmail.m4, the sendmail.cf file should be recreated:
  # m4 < sendmail.mc > sendmail.cf
- The file listed in the use_ip line should contain only IP addresses that are permitted to relay email. Each IP address should appear on a separate line. Subnets can be specified efficiently by omitting the last number in the dotted quad:
  127.0.0.1
  10.100.0
  This example tells Sendmail to accept incoming email only from the localhost (127.0.0.1) or from machines in the 10.100.0/24 address space.
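The truncated dotted-quad notation above is easy to get wrong, and an entry that is one octet too short silently widens the relay permission. The following added example (not code from the chapter or from Sendmail) parses a constructed copy of the file named in the use_ip HACK line, converts each entry to the CIDR block it covers, answers whether a given client address would be allowed to relay, and flags entries wider than a /24. It generalises the chapter's three-octet case to one, two or three octets; treating lines starting with # as comments and the /24 threshold are assumptions.

```python
import ipaddress

# Constructed sample of the file named in the use_ip HACK line
# (e.g. /etc/mail/LocalIP). One entry per line; a truncated dotted quad
# stands for every address that begins with those octets.
SAMPLE_LOCALIP = """\
# hosts allowed to relay through this Sendmail instance (assumed comment syntax)
127.0.0.1
10.100.0
192.168
"""

def parse_localip(text):
    """Return (entry, network) pairs; a truncated entry becomes a CIDR block."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # skip blank lines and comments
        if not entry:
            continue
        octets = entry.split(".")
        if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            raise ValueError("not a dotted quad or prefix: %r" % entry)
        prefix_len = 8 * len(octets)                       # three octets -> /24
        addr = ".".join(octets + ["0"] * (4 - len(octets)))  # pad to a full address
        nets.append((entry, ipaddress.ip_network("%s/%d" % (addr, prefix_len))))
    return nets

def may_relay(text, client_ip):
    """True if client_ip matches any entry, i.e. Sendmail would relay for it."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for _, net in parse_localip(text))

def broad_entries(text, max_hosts=256):
    """Entries covering more addresses than a /24 (the threshold is an assumption)."""
    return [entry for entry, net in parse_localip(text) if net.num_addresses > max_hosts]

if __name__ == "__main__":
    for ip in ("127.0.0.1", "10.100.0.77", "10.100.1.1", "192.168.44.9"):
        print(ip, "relay allowed" if may_relay(SAMPLE_LOCALIP, ip) else "relay denied")
    print("entries wider than a /24:", broad_entries(SAMPLE_LOCALIP))
```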
Postfix
Postfix is a comparatively modern MTA, designed to be secure from the outset. It takes a modular approach in which each component typically performs only one task, which greatly enhances security. In operation Postfix is very much like Sendmail, and legacy systems using Sendmail can switch to Postfix without much trouble.
The default location for the main Postfix configuration file is /etc/postfix/main.cf, but this may vary depending on the distribution. Postfix, by default, will not relay email. Postfix deals with relaying in two places within its configuration file: the mynetworks configuration directive and the relay_domains configuration parameter.
The mynetworks Configuration Directive
The mynetworks line should list only the machines that Postfix will relay email for. If it is not set, Postfix computes a default that includes other machines on the same IP subnets as the server. However, this default is sometimes too broad for production systems. It is worthwhile altering it to be stricter, otherwise a partially open relay could be created that relays messages from any host with an IP address in the same subnet.
A typical mynetworks directive would be:
mynetworks = 10.0.100.0, 127.0.0.1, 10.0.100.102
This directive allows access from the server itself via the loopback interface (localhost) and from two other IP addresses. One or both of these might belong to the host system or to other systems within the corporate network. This is an example of a strict setting.
The relay_domains Configuration Directive
The other relevant Postfix configuration setting in the main.cf file is relay_domains. This lists domains that the machine will accept email for, even if the sender is not listed in the mynetworks list. An example is shown here:
relay_domains = mycorp.com, mail.mycorp.com, mysiblingcorp.com
The default value for relay_domains is taken from another configuration parameter, mydestination, which in turn typically defaults to the hostname. This is a secure default setting.
After changing the Postfix configuration, the Postfix daemons should be instructed to reload their configuration, using the reload parameter of the postfix command:
# postfix reload
Every time the Postfix configuration is changed and reloaded, the open relay test should be performed.
Exim
Exim is a lightweight and modern MTA, based on a predecessor called Smail. Its operation differs from the modular approach of Postfix or qmail.
By default, Exim does not relay. There are, however, several settings in the configuration file that could result in the inadvertent creation of an open relay. These settings are held in the main Exim configuration file, located by default at /etc/exim/exim.conf.
Exim Configuration Parameters
In the exim.conf file, the local_domains configuration parameter lists the domains that are handled by the local instance of Exim. This should be a list of valid and trusted domains:
domainlist local_domains = mycorp.com : myothercorp.com : *.virtualcorp.com
This example lists two domains and specifies a wildcard for a third. Any email for an address in a domain matching *.virtualcorp.com will be accepted. Wildcards should be used with caution, as they may result in a larger domain list than expected.
The relay_to_domains list names any domains that may be relayed but are not handled locally. The following example lists a single domain (mysiblingcorp.com) for which email is accepted and then relayed:
domainlist relay_to_domains = mysiblingcorp.com
An empty list should be used if email is not to be accepted for other domains. For example:
domainlist relay_to_domains =
The relay_from_hosts directive lists IP addresses that can connect to this instance of Exim and have their email relayed to other domains. This should list only machines that are allowed to send email through this machine:
hostlist relay_from_hosts = 127.0.0.1 10.0.100.0/24
This example lists the loopback interface (localhost) and a subnet of IP addresses that can connect to this instance of Exim and have email relayed to other domains.
Note
Setting relay_from_hosts to 0.0.0.0/0 would allow any machine to connect and relay email. This is probably the most dangerous parameter setting for relaying.
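Both the Postfix mynetworks directive above and the Exim relay_from_hosts list decide who may relay by IP range, so the same audit serves both. The following added example (not code from the chapter, Postfix or Exim) reads the relevant line out of constructed main.cf and exim.conf fragments, handling Postfix continuation lines and Exim's colon separators, and reports entries wider than a /24, which catches the 0.0.0.0/0 case this note warns about. The /24 threshold is an assumption, and the parsers handle IPv4 entries only.

```python
import ipaddress
import re

# Constructed config fragments; each deliberately carries one too-broad entry.
POSTFIX_MAIN_CF = """\
mynetworks = 10.0.100.0, 127.0.0.1,
    10.0.100.102 10.0.0.0/8
relay_domains = mycorp.com, mail.mycorp.com, mysiblingcorp.com
"""

EXIM_CONF = """\
domainlist local_domains = mycorp.com : myothercorp.com
hostlist relay_from_hosts = 127.0.0.1 : 0.0.0.0/0
"""

def postfix_param(text, name):
    """Value of a main.cf parameter, joining continuation lines (leading whitespace)."""
    lines, capturing = [], False
    for line in text.splitlines():
        if capturing and line[:1] in (" ", "\t"):
            lines.append(line.strip())
        elif re.match(r"\s*%s\s*=" % re.escape(name), line):
            lines.append(line.split("=", 1)[1].strip())
            capturing = True
        else:
            capturing = False
    return " ".join(lines)

def exim_list(text, kind, name):
    """Value of an Exim 'hostlist name = ...' or 'domainlist name = ...' line."""
    m = re.search(r"^%s\s+%s\s*=(.*)$" % (kind, name), text, re.M)
    return m.group(1).strip() if m else ""

def to_networks(value):
    """Split a Postfix (comma/space) or Exim (colon) list into IPv4 networks."""
    return [ipaddress.ip_network(item, strict=False)
            for item in re.split(r"[\s,:]+", value) if item]

def too_broad(nets, min_prefix=24):
    """Networks wider than /24 (threshold is an assumption); 0.0.0.0/0 is /0."""
    return [str(n) for n in nets if n.prefixlen < min_prefix]

if __name__ == "__main__":
    nets = to_networks(postfix_param(POSTFIX_MAIN_CF, "mynetworks"))
    print("Postfix mynetworks entries wider than /24:", too_broad(nets))
    nets = to_networks(exim_list(EXIM_CONF, "hostlist", "relay_from_hosts"))
    print("Exim relay_from_hosts entries wider than /24:", too_broad(nets))
```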
When the Exim configuration is changed, a HUP signal should be sent to Exim to force it to read the new settings:
# exiwhat
9999 daemon: -q1h, listening for SMTP
# kill -HUP 9999
You need to substitute the value returned by exiwhat for 9999 in the kill command.
It also goes without saying that if the Exim configuration changes, the open relay test should be performed after Exim has read the new configuration settings.
qmail
qmail is a modern SMTP server, developed with security as its design goal. qmail uses the modular approach adopted by Postfix. By default, qmail will not relay. However, some distributions may modify this default behavior, so it is best to confirm that an installation is correctly configured.
qmail will only accept mail for domains listed in the rcpthosts file. qmail configuration files are normally stored in /var/qmail/, and the full path to the rcpthosts file is /var/qmail/control/rcpthosts.
An example rcpthosts file is shown below:
mydomain.com
mysiblingcorp.com
After changing the rcpthosts file, there is no need to restart qmail. Its processes are started only when an incoming connection is made, and so they always read the latest version of the configuration file. If the qmail configuration is changed, the open relay test should be performed.