6

For security reason sendmail is by default configured to accept connection from local system (127.0.0.1), to avoid open mail relay problem. But,

How do I force sendmail to accept mail from the internet?

The article at http://www.cyberciti.biz/tips/sendmail-is-only-accepting-connections-from.html says, to remove the Addr=127.0.0.1 part from 

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

to

DAEMON_OPTIONS(`Port=smtp,Name=MTA')dnl

will "force to accept connection from any host". I've done that:

$ grep smtp /etc/mail/sendmail.mc
dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp')dnl
MAILER(`smtp')dnl

However, looks like I still unable to accept incoming emails from the Internet. So commented it out as suggested by moonpoint:

$ grep smtp /etc/mail/sendmail.mc
dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
dnl DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp')dnl
MAILER(`smtp')dnl

% make
Updating databases ...
Reading configuration from /etc/mail/sendmail.conf.
Validating configuration.
Creating /etc/mail/databases...
Creating /etc/mail/relay-domains
# Optional file...
Updating Makefile ...
Reading configuration from /etc/mail/sendmail.conf.
Validating configuration.
Creating /etc/mail/Makefile...
Updating sendmail.cf ...
The following file(s) have changed:
  /etc/mail/sendmail.cf /etc/mail/local-host-names
** ** You should issue `/etc/init.d/sendmail reload` ** **

% /etc/init.d/sendmail reload
 * Reloading Mail Transport Agent (MTA) sendmail                    [ OK ]

However, I think it is not working as expected, because previously at least I get "Relaying denied" error, but now, when I tried to send email to my system via google, nothing happened for about 10 minutes now. Trying to troubleshoot the problem myself, I refer to http://support.moonpoint.com/blog/blosxom/2015/04/04#smtp-telnet-commands and tried to connect my server using telnet. But immedately, I get "Connection refused" error:

$ telnet xpt.mydomain.org 25
Trying 104.243.xx.xx...
telnet: Unable to connect to remote host: Connection refused

Removing that dnl so as to revert back to what I got before, I am now able to at lest connect:

$ telnet xpt.mydomain.org 25
Connected to xpt.mydomain.org.
Escape character is '^]'.
220 mail.xpt.mydomain.net ESMTP Sendmail 8.14.4/8.14.4/Debian-2.1ubuntu4; Sun, 14 Jun 2015 22:16:13 -0400; (No UCE/UBE) logging access from: my.remote.domain

if I want to accept incoming emails from the Internet, what shall I do?

Update: I have already configured sendmail to be the mail server for my LAN, and thought I have configured sendmail to accept email for the relevant domain name I am using for email on the server, but this is what I got:

% sendmail -bv me@xpt.mydomain.org
me@xpt.mydomain.org... deliverable: mailer relay, host mail.myisp.com, user me@xpt.mydomain.org

Now I know it is not (actually it was configured with another dynamic dns name that I have), so I change it to xpt.mydomain.org. And now it looks OK:

% sendmail -bv me@xpt.mydomain.org
me@xpt.mydomain.org... deliverable: mailer local, user me

However, using an external email account to send email to my system, I got:

Delivery to the following recipient failed permanently:

     me@xpt.mydomain.org

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain xpt.mydomain.org by xpt.mydomain.org. [104.243.xx.xx].

The error that the other server returned was:
550 5.7.1 <me@xpt.mydomain.org>... Relaying denied

----- Original message -----

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=0rLnzRsn....

OK, I'm glad that spammers can't use my Sendmail Server for email Relaying, but I don't get emails either.

So how can I avoid the open mail relay problem, while allowing connections from all LAN hosts to send mails and receive emails from anyone as well?

Update2: Trying to further troubleshoot the problem myself, I pushed it further, to test the full SMTP protocol using telnet. What's strange is that I didn't get "Relaying denied" error when using telnet:

...
mail from: testing@example.com
250 2.1.0 testing@example.com... Sender ok
rcpt to: testing2@example.com
550 5.7.1 testing2@example.com... Relaying denied
rcpt to: me@xpt.mydomain.org
250 2.1.5 me@xpt.mydomain.org... Recipient ok
Data
354 Enter mail, end with "." on a line by itself
This is a test message.
.
250 2.0.0 t5F2ItI0008331 Message accepted for delivery
quit
221 2.0.0 mail.xpt.mydomain.net closing connection
Connection closed by foreign host.

So now everything is working fine now. Thanks a lot moonpoint!!!

Thanks

$ lsb_release -a 
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 13.10
Release:        13.10
Codename:       saucy

$ apt-cache policy sendmail-bin
sendmail-bin:
  Installed: 8.14.4-2.1ubuntu4
  Candidate: 8.14.4-2.1ubuntu4
  Version table:
 *** 8.14.4-2.1ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ saucy/universe amd64 Packages
        100 /var/lib/dpkg/status

PS. A bit more on why I want to do that -- all I want to do is to enable my sendmail server to accept mail from the internet, for my personal use. I had tried to follow these 5 easy steps several times,

How to set up a simple mail server on Debian in 5 easy steps
http://cnedelcu.blogspot.ca/2014/01/how-to-set-up-simple-mail-server-debian-linux.html

But in the end, they never worked, and I don't even know what went wrong. So I think the easiest way is to enable my sendmail server instead.

xpt
  • 9,385
  • 44
  • 120
  • 178

1 Answers1

5

Have you configured sendmail to accept email for the relevant domain name you are using for email on the server? E.g., if your domain name is example.com and a valid email address on the system should be xpt@example.com, if you run the command sendmail -bv xpt@example.com from the root account on the system, does it indicate that the email is deliverable and reference "mailer local" and a local account? E.g., do you see something similar to the following?

# sendmail -bv xpt@example.com
xpt@example.com... deliverable: mailer local, user xpt

If you have sendmail configured to accept email for the relevant domain name, it will reference "mailer local" and a local account.

Update: The output you provided from the sendmail -bv command indicates to me that you don't have sendmail configured to accept email addressed to xpt.mydomain.org. To have sendmail accept email for a domain name, you need to add that domain name, xpt.mydomain.org, to /etc/mail/local-host-names then you need to issue the command makemap hash /etc/mail/local-host-names < /etc/mail/local-host-names. Don't worry about any "no RHS for LHS" messages you may see when you issue the command. Try that and then rerun the same sendmail -bv me@xpt.mydomain.org command. When you rerun the sendmail -bv me@xpt.mydomain.org command, you should then see a reference to "mailer local" rather than "mailer relay" and "user" should then be followed by a local account, rather than "me@xpt.mydomain.org". See Getting sendmail to accept email for a domain for an example of output from the makemap and sendmail -bv commands.

Update 2: You referenced the Sendmail is only accepting connections from localhost (127.0.0.1 IP) article, but perhaps you didn't make the change needed for the line below in /etc/mail/sendmail.mc:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

You need to comment out that line by putting "dnl" at the beginning of it. It should look like the following line:

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

I don't add the line the article suggests be put in place of the original line, I just comment it out and then rebuild the sendmail.cf file from the sendmail.mc file with the following command in order to have sendmail accept email sent by email clients outside of the server on which sendmail is running.

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Once you've rebuilt the file with the m4 command, you need to restart sendmail. The article suggests doing so with /etc/init.d/sendmail restart If that command doesn't restart sendmail on your system, e.g., if it produces a No such file or directory message, try service sendmail restart or systemctl restart sendmail, instead. Once you've restarted sendmail, it should then accept email for valid email addresses on the system, i.e, for domains you've listed in the local-host-names file.

Do you have an external email account that you can use to send email to an address on your system, e.g., a Hotmail, Gmail, or other email account? If so, what do you see in a bounced email message now, if you send to a valid email address on your system? What is the error referenced in a bounced email?

Even, if you have sendmail configured properly, there are other matters that you may need to address to be able to receive email from the Internet. You stated that your firewall rules are configured properly. You may need appropriate firewall rules both on the system running sendmail and any external router/firewall on the Local Area Network (LAN) on which your sendmail server resides. For external email servers to communicate with your email server, if the router/firewall on your LAN is using Network Address Translation (NAT), you need to configure that device for port forwarding connections to port 25, the Simple Mail Transfer Protocol (SMTP) port used to deliver email from one email server to another, from the firewall/router to your sendmail server.

If you have the required firewall rules and any required port forwarding set appropriately, then an external system should be able to successfully connect to port 25 on your sendmail server. You can test whether that is possible, which will help narrow down the source of the problem, by using one of the many port checking services provided for free by a number of websites. E.g., you could use the Port Forwarding Tester. If you aren't running the test from your server, you may need to provide the IP address that external systems will see when attempting to communicate with your server, which will differ from the IP address you have assigned to it, if there is a firewall or router on the network on which your server resides employing NAT that separates your server from the Internet. To find the address that external systems will see, you can use any of a number of free services that will show you the externally visible IP address for a device if you visit a website of the entity providing that service. E.g., you could use a web browser to visit whatismyip.com from your sendmail server. Then at the Port Forwarding Tester site you would use that IP address for the "Remote Address" and 25 for the port number. When you click on "Check", you should then see "Port 25 is open on" followed by the IP addres your provided, if you have the requisite firewall rules and any needed port forwarding configured correctly.

You can also use telnet on a system outside of your network to attempt to connect to port 25 on your sendmail server. You should see a response from sendmail on your server, if you have the required firewall rules and any needed port forwarding in place. If you can establish a connection to port 25 on your sendmail server, you can then issue SMTP commands that will allow you to attempt to send a test message to an account on your server. E.g., see Testing email delivery with SMTP commands.

If you are able to successfully deliver email by that method, then perhaps you don't have an appropriate mail exchanger (MX) record for your email server. Let's suppose the fully qualified domain name for your sendmail server is example.com. If someone using a Hotmail, Gmail, or any email server other than your email server sends email to you, let's say using xpt@example.com, the other email server will check to see what email server or servers are designated to handle email for example.com. It doesn't necessarily have to be example.com. For instance, you could use an email service provided by an external email provider, let's say bigemailprovider.com.

You can use the MX Lookup service to check the MX records for your domain. Just put in your domain name and click on "MX Lookup". E.g., this link will show you the results for gmail.com. If you attempt to send an email message from your sendmail server to a gmail.com address, your server will perform a similar check and will see similar results. Google has many email servers that can accept email from other servers for Gmail users. You will see a list of such servers with varying preferences and IP addresses. Your server and others will first try the server with the lowest preference. E.g., a Gmail server with a preference of 5 will be tried before one with a preference of 10. If your server couldn't communicate with the Gmail server with the preference of 5 it would then try one with a preference of 10, perhaps trying many Gmail servers before giving up.

If you don't see any MX records for your domain, that is ok. If you were using example.com and no MX record exists for example.com, another email server would then assume that the IP address for example.com is where it should attempt to deliver the email. If you see MX records pointing to other IP addresses than the one for your sendmail server, then you may need to modify the MX record(s) for your domain through the Domain Name System (DNS) settings web page provided by your domain name registrar, e.g., the company through which you registered the domain name for your server. Some registrars will, by default, create MX records pointing to their email servers when you register a domain. You can perform the same check yourself manually from a command line prompt on a Unix, Linux, OS X, or Microsoft Windows system using the nslookup command to check MX records. E.g., nslookup -querytype=mx gmail.com

moonpoint
  • 5,268
  • 2
  • 21
  • 22