Sendmail & DNS Hands-On Training

Introduction to sendmail, named and BIND

  • A short history of sendmail and DNS
  • New features of sendmail
  • New features of BIND version 9

SMTP, addressing, mail routing and DNS

  • Functional roles of email hosts
  • Simple mail transfer protocol, SMTP
  • Extended SMTP (ESMTP)
  • Functions of addresses in an email message
  • Rule based sendmail delivery
  • Mail routing with MX records

Hands-on lab: Setting up the test bed

  • Setting up a test network using vmware
  • Understanding the test network configuration

Overview of sendmail operation

  • What are the functions of sendmail?
  • Basic sendmail command line flags
  • The sendmail SMTP server daemon
  • Submitting a message to a remote SMTP server
       using the SMTP protocol
  • The sendmail queue daemon
  • Sendmail's queue directory, /var/spool/mqueue
  • Sendmail's non-SUID root operation
  • Format of the sendmail syslog log entries
  • Sendmail's -d debug flags useful for troubleshooting

Hands-on lab

  • Starting and stopping the sendmail daemon
  • Following the delivery of a SMTP mail message
    from the Internet to an internal mailbox host
  • Tracing the delivery in sendmail's log files

DNS and BIND, The Naming Service Of The Internet

  • What services does the domain name system provide?
  • DNS name space
  • Architecture for a DNS zone of authority
  • Delegation of a zone of authority
  • The in-addr.arpa domain
  • DNS lookups: iterative and recursive
  • Configuring /etc/resolv.conf
  • Tools to query DNS:
    dig, host, nslookup
  • Debugging query failures
  • Other query errors

Hands-on lab: Setting up DNS clients

  • Configuring a Linux DNS client
  • Verifying DNS data

Named, the DNS server

  • Syntax of the BIND named.conf file
  • The 4 types of zone statements
  • Defining access control lists (ACLs)
  • Limiting access to the named server
  • Other useful options
  • Configuring a caching-only named server
  • BIND 8 name daemon control, ndc
  • BIND 9 remote name daemon control, rndc
  • Configuring rndc and named
  • rndc's backwards compatibility mode with /etc/rndc.key

Hands-on lab: Setting up the DNS servers

  • Configuring the master named DNS server
  • Verifying the DNS data on the named server
  • Configuring a slave named DNS server
  • Configuring rndc

DNS zone files and resource records

  • Format of the resource records in the DNS zone data files
  • Writing styles for the zone data files
  • Common zone file syntax errors
  • The resource records for hosts:
       A, CNAME and PTR
  • Mail eXchanger (MX) records
  • The resource records for the domain:
       SOA and NS
  • Other resource records:
       Responsible person (RP), text (TXT), and SeRVice (SRV)
  • DNS debugging tools:
    • doc - check the zone and delegation of the zone
    • nslint - check DNS data in DNS database files
    • dnswalk - check DNS data in remote DNS zone

Hands-on lab: Maintaining the DNS zone files

  • Updating the DNS zone files
  • Verifying the propagation of the new DNS data

Overview of the sendmail.cf file

  • Structure of the sendmail.cf configuration file
  • Rulesets and rule definitions
  • Macros and classes
  • Configuration options
    • File locations
    • Operating modes
    • Timeouts
    • Message text
  • Defining databases
  • Defining header formats
  • Mailers and mailer flags
  • Defining milters (Mail filters)
  • Sendmail's -d debug flags useful for verifying the sendmail.cf file

Hands-on lab: Checking the sendmail.cf file

  • Checking the setting of the sendmail options
  • Checking the setting of sendmail macros and classes
  • Using sendmail's address test mode to check the sendmail.cf file

Using m4 to generate sendmail.cf Files

  • A short introduction to m4, the macro language processor
  • A simple host.mc template for a simple mail host
  • Setting options with the define() macro
  • Defining OS specific settings with the OSTYPE() macro
  • Including additional functionality with the FEATURE() macro
  • Including mailers with the MAILER() macro
  • Including site-wide defaults with the DOMAIN() macro
  • Order of the m4 file
  • Introduction to make and makefiles

Hands-on lab: Using m4

  • Setting up sendmail's m4 build directory
  • Generating a custom sendmail.cf file
  • Setting sendmail options using m4

Overview and troubleshooting sendmail rules & rulesets

  • Sendmail address tokens and the address workspace
  • Left hand side (LHS) metasymbols for pattern matching
  • Right hand side (RHS) metasymbols for rewriting
       and ruleset control
  • Using the comment field to write or understand a rule
  • Ruleset sequence, "The diagram"
  • Pre-Processing ruleset, canonify (S3)
  • Sendmail address focus, "<" ">"
  • Post-Processing ruleset, final (S4)
  • The delivery ruleset, parse (S0)
  • The mailer specific rulesets
  • The check_* anti-spam rulesets
  • Using sendmail's -bt address test mode to check
       rulesets, address rewriting, routing, and mailer rewriting
  • Sendmail -d debug flags for address test mode
  • Sendmail debugging with checksendmail
  • Strategy for using sendmail's address test mode

Hands-on lab: Verifying sendmail's address rewriting

  • Using checksendmail to verify sendmail's address rewriting
  • Using sendmail's address test mode to verify address rewriting
  • Using sendmail debug flags during message delivery

Using Hash-Key Databases In Sendmail

  • Database types supported by sendmail
  • How hashed key databases work
  • Debug flags useful for sendmail databases
  • Database commands in sendmail's address test mode
  • Building databases with makemap and editmap
  • Troubleshooting sendmail database problems
  • Using the domaintable to rewrite domain names
  • Using the mailertable databases to route your mail
  • Using the access database to accept and reject mail
  • Restricting an access lookup key to a specific check

Hands-on lab: The access, mailertable and domaintable databases

  • Creating, maintaining and verifying hash-key databases
  • Using the domaintable to rewrite addresses
  • Using the mailertable to control routing of mail
  • Using the access database to allow relaying of SMTP mail

Masquerading And Host Name Hiding

  • Understanding masquerading and host name hiding
  • MASQUERADE_AS() and masquerading features
  • Masquerading and EXPOSED_USERs
  • How to hide hostnames on the firewall

Hands-on lab: Masquerading and host name hiding

  • Masquerading the host name
  • Increasing the scope of masquerading
  • Hiding internal hostnames on a firewall SMTP relay

Setting Up Sendmail Mail Clients

  • Using the nullclient feature to forward mail on a mail client
  • Forwarding to a smart host relay using SMART_HOST
  • Forwarding local mail to a mailbox server using MAIL_HUB
  • Using submit.cf on a mail client running sendmail 8.12
  • Running sendmail without a daemon using submit mode

Hands-on lab: Setting up a sendmail client

  • Using the nullclient sendmail.cf file
  • Running sendmail without root privileges using submit.cf
  • Configuring DNS MX records for a sendmail client

Mail Routing

  • What is needed on a simple SMTP relay
  • Mail relays need to enable SMTP relaying
  • Re-enabling limited SMTP relaying
  • Enabling relaying for an entire domain
  • How to forward mail in to an internal relay
       using rules or the mailertable
  • Forwarding SMTP mail for internal hosts directly using rules
  • How to forward internal and external mail using the mailertable

Sendmail Mailbox Servers And Sendmail Aliasing

  • Using use_cw_file feature to accept mail
       on a mailhub for mail clients
  • Using MX records to route client mail to the mailhub
  • Forwarding mail to a Firewall SMTP relay using SMART_HOST
  • Accepting mail for local delivery
  • The aliases and .forward files
  • Using aliases and .forward files to deliver mail to files and programs
  • Dealing with mail to former users using the redirect feature

Hands-on lab: Local delivery and aliasing

  • Accepting client mail for local delivery
  • Delivering mail to an alternate mailbox using aliases
  • Creating a mailing list using an :include: alias
  • Rejecting mail for ex-users and invalid users

Hosting Virtual Domains

  • Concepts for setting up virtual mail domains
  • The virtusertable database for virtual domain mail delivery
  • Differences between the aliases file and the virtusertable
  • The genericstable database changes email addresses in the headers
  • Applying the generics database to an entire domain
  • Building genericstable and virtusertable from a single file

Hands-on lab: Local delivery, aliasing and virtual domains

  • Setting up mail for a virtual domain
  • Using the virtusertable to route mail for multiple virtual domains
  • Using the genericstable to clean up header addresses

Sendmail queuing, the mqueue directory

  • Queue file types and format of the queue ID
  • Printing and processing the queue
  • Limiting the scope of processing the queue run
  • Persistent queue runners, -qp
  • Queue control process, QCP and work group process, WGP
  • Sendmail options used for the queue
  • Queue time-outs
  • Managing the queue load
  • Controlling the number of queue processes allowed to run
  • Defining queue groups in m4 with QUEUE_GROUP()
  • Queue group selection
  • Selecting a queue group with queuegroup feature
  • Running the queue for a specific queue group with -qG

Hands-on lab

  • Configuring the queue
  • Checking mqueue and clientmqueue
  • Selectively printing and processing the queue based on sender and recipient
  • Expiring messages from the queue
  • Using split queues

Sendmail Monitoring and logging

  • Tracing an email message in the log files
  • Reading mail headers
  • Sendmail per message logging creates an audit trail
  • Tools to process sendmail's log file:
       ssl, smtpstats and fromto
  • Using the control socket to manage the sendmail daemon
  • Monitoring a mail server

Hands-on lab

  • Monitoring the sendmail daemon
  • Controlling the sendmail daemon with the control socket
  • Printing volume of mail traffic
  • Summarizing the log files
  • Tracing a mail message through the log files

Sendmail Security

  • Why is sendmail a security target?
  • What are the avenues of attack against sendmail?
  • How is sendmail compromised?
  • Protecting the local mailer with sendmail restricted shell, smrsh
  • Disabling the program mailer using mailer flags
  • Using RunAsUser option to run SMTP server with minimal root privileges
  • Options relating to security
  • Limiting access to sendmail with the Privacy option
  • DontBlameSendmail loosens sendmail's security checks
  • General UNIX security
  • Required ports
  • Debugging flags useful for security

Hands-on lab

  • Tightening sendmail security
  • Limiting programs sendmail can run with smrsh
  • Running sendmail without root privilege with RunAsUser

DNS And Firewalls

  • Split DNS, using two separate DNS zones
  • Benefits of split DNS
  • Sendmail SMTP delivery and DNS
  • Using multiple MX records which point to SMTP relays
  • Using multiple MX records for mailbox hosts
  • Using MX records for redundant Internet connections
  • Using internal DNS information with split DNS domains
  • Using BIND 9 views for split DNS domains
  • Using forwarders to pass queries to a firewall DNS server
  • Authoritative name server
  • Recursive name server
  • Production vs reservation domains
  • Sharing a zone file with multiple domains

Hands-on lab

  • Using rndc to manage a remote named server
  • Setting up and securing a recursive DNS server
  • Setting up and securing an authoritative DNS server
  • Using transaction signatures for allowing zone transfers
  • Hosting multiple domains from one zone file

Sendmail Performance Tuning

  • 3 areas of sendmail performance tuning:
    • Inbound SMTP connections
    • Immediate delivery of mail
    • Processing mail waiting in the queue
  • Setting DNS resolver time-outs for sendmail
  • Using the connection caching to enhance SMTP performance
  • Keeping track of hosts with persistent host status information
  • Printing and purging persistent host status information

Hands-on lab

  • Tuning SMTP timeouts
  • Setting up a private caching-only name server
  • Tuning queue processing
  • Tuning disk performance

MILTER, sendmail's Mail fILTER API

  • Milter architecture
  • Typical SMTP conversation with milter
  • Defining a milter in the sendmail.cf file
  • Defining milters using m4
  • Common milters:
       Anti-spam, anti-virus and email policy enforcement

Hands-on lab

  • Configuring the graymail milter

Dealing with spam

  • A review of the check_relay, check_mail, check_rcpt and check_compat rulesets
  • Accepting unresolvable domains
  • Unqualified sender addresses
  • The access database for selective accepting and rejecting
  • Using a dnsbl real-time block list
  • Using discard mailer to silently delete a message
  • Rejecting invalid TCP connections with greet_pause
  • Limiting remote SMTP clients with ratecontrol and conncontrol
  • Sendmail macros useful for rejecting SMTP mail
  • How to debug the check_* ruleset in address test mode
  • Debugging check_compat and check_relay which use $|

Hands-on lab

  • Using the access database to reject mail
  • Using a dnsbl to reject SMTP clients
  • Debugging check_* rulesets in address test mode

Pulling It All Together; Configuring A Firewall Sendmail Relay

  • DNS configuration recommendations
  • Mail routing configuration
  • Securing the sendmail daemon
  • Performance tuning

Hands-on lab

  • Configuring a firewall sendmail relay