How to set Sendmail on the firewall

Environment:
The company has registered the domain name company.com. The firewall runs Linux and reaches the ISP over a leased line, which is the only channel to the Internet; it handles all mail sent from inside the company and all mail addressed to the company's internal users at @company.com. On the internal LAN (a single CIDR block, no subnets) there is a Linux mail server from which internal users send and receive mail. Both machines run Sendmail 8.9.3.
  
New features of Sendmail 8.9.3
Sendmail 8.9.3 contains several new features; if they are configured incorrectly, Sendmail may not work properly. They mainly help filter out spam and prevent your site from being used as a third-party mail relay host (what third-party mail relay is, is explained in the appendix). Configure these parameters according to the policy your site requires.
  
1. Mail relay
  
In Sendmail 8.9.3, relaying is rejected by default. This may prevent the Linux mail server on the LAN, which also runs Sendmail, from sending mail through the firewall. There are several solutions to this problem.
  
A. Default
  
By default, you can simply create the file /etc/mail/relay-domains, listing the domains whose systems you will relay for, such as company.com. If reverse DNS lookup is not possible, specify IP address ranges instead; to allow every host on the intranet segment to relay through the firewall, enter 192.168.11. Note: setting company.com here does not allow travelling users (dialled into a local ISP) to send mail through the firewall, because the dynamic IP address obtained from the local ISP belongs to that ISP: reverse DNS resolves it to the ISP's domain name, and some addresses have no reverse DNS at all. The solution is to have those users send through the local ISP's mail server.
Advantage: if you only need to relay mail from a few systems, this is probably the simplest solution; it stops your server from acting as an open relay while still letting the intended mail through.
Disadvantage: you must keep the file up to date. If you are an ISP this is a recurring task, and Sendmail must be restarted (killall -HUP sendmail) after each update.
  
B. promiscuous_relay
  
This feature relays mail from anywhere. (Not recommended)
  
Advantage: you never have to worry about mail being rejected.
  
Disadvantage: anyone can use your system as a mail relay; this parameter cancels the anti-relay protection added in 8.9.3.
  
C. relay_entire_domain
  
This feature relays mail for every domain listed in class W; by default that is *.company.com.
  
Advantage: you need not worry about mail from your own domain being rejected, and systems outside your domain cannot relay unless they are listed in /etc/mail/relay-domains or /etc/mail/access. If you only want to relay for hosts in your own domain, this parameter can replace /etc/mail/relay-domains. Note: reverse DNS must be set up so that a LAN host connecting to the SMTP server resolves back to the local domain. For example, 192.168.11.12 resolves to sh12.asiansources.com.
  
Disadvantage: you may not want to relay mail for every other organisation in your company.
  
D. relay_hosts_only
  
This allows relaying based on individual host names rather than domain names.
  
Advantage: fine-grained relay permission, based on the fully qualified host name rather than the domain name.
  
Disadvantage: every system's host name must be listed in /etc/mail/relay-domains or in the access database. If you use /etc/mail/relay-domains, the file will look like:
  
company.com
mailgate.company.com
othername.com
mailgate.othername.com
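The relay-domains matching rules of options A to D, modelled in Python as an added example (this is not sendmail's own code; the file contents, host names, addresses and function names are constructed for illustration). It shows the two kinds of entry, a domain matched against the client's reverse-DNS name and a bare IP prefix matched against its address, and why a travelling user dialled into an ISP is refused under either kind:

```python
import ipaddress

# Constructed /etc/mail/relay-domains: one domain entry and one IP prefix.
# Domain entries are matched against the reverse-DNS name of the
# connecting client; bare IP prefixes against its address.
RELAY_DOMAINS_TEXT = """\
company.com
192.168.11
"""


def parse_relay_domains(text):
    """Return (domain_entries, ip_prefixes); blank and comment lines are skipped."""
    domains, prefixes = [], []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry.replace(".", "").isdigit():
            prefixes.append(entry.rstrip("."))
        else:
            domains.append(entry.lower().rstrip("."))
    return domains, prefixes


def ip_matches_prefix(ip, prefix):
    """Octet-wise prefix match: 192.168.11 covers 192.168.11.12 but not 192.168.110.5."""
    return (ip + ".").startswith(prefix + ".")


def host_matches_domain(hostname, domain):
    """A domain entry matches the domain itself and every host beneath it."""
    if not hostname:
        return False  # no PTR record: a domain entry can never match
    host = hostname.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def relay_allowed(client_ip, client_rdns, relay_domains_text=RELAY_DOMAINS_TEXT):
    """Decide whether the connecting client may relay through this host.

    client_rdns is the name obtained by reverse DNS for client_ip,
    or None when the address has no PTR record.
    """
    ipaddress.ip_address(client_ip)  # raises ValueError on a malformed address
    domains, prefixes = parse_relay_domains(relay_domains_text)
    if any(ip_matches_prefix(client_ip, p) for p in prefixes):
        return True
    return any(host_matches_domain(client_rdns, d) for d in domains)


if __name__ == "__main__":
    # LAN host: allowed by the 192.168.11 prefix regardless of reverse DNS.
    print(relay_allowed("192.168.11.12", "sh12.company.com"))
    # Travelling user on a dial-up address: reverse DNS names the ISP, so refused.
    print(relay_allowed("203.0.113.7", "dial-7.isp.example"))
    # Same user on an address with no PTR record: also refused.
    print(relay_allowed("203.0.113.8", None))
```

The prefix test compares whole octets, so 192.168.11 does not accidentally cover 192.168.110.0/24; a plain string prefix check would. The domain test requires the entry to be a whole label suffix, so company.com.evil.example does not match company.com.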
  
2. Mail blocking
A. accept_unresolvable_domains
  
By default, if the sender's domain (the part after the @ in the sender's address) cannot be resolved in DNS, the mail is rejected.
  
For example:
MAIL From: wkeys@nonexistent
501 <wkeys@nonexistent>... Sender domain must exist
  
With the accept_unresolvable_domains parameter this check is skipped and mail is accepted from any domain or IP address.
  
B. access_db
  
This feature makes sendmail consult a database file (/etc/mail/access.db by default) to decide whether to accept or reject mail, or even to return a custom error message. It can also be used to control relay permission.
  
Advantage: fine-grained control over whose mail you accept. For example, you may refuse mail from domains that cannot be resolved while making exceptions for individual domains.
  
C. accept_unqualified_senders
  
By default, if the sender's domain is not a fully qualified domain name, sendmail rejects it, for example:
MAIL From: <user>
553 ... Domain name required
This feature skips that default check so that the address is accepted.
  
Advantage: always using fully qualified sender addresses is recommended. However, on an internal mail gateway you may not control how other local systems send mail to you; this feature lets you accept mail whose sender address is not fully qualified.
  
Disadvantage: you lose some ability to trace where mail came from. Do not use it on the firewall.
  
D. blacklist_recipients
  
This allows you to block mail for unwanted mail accounts. The entries are set in /etc/mail/access.
  
E. relay_based_on_MX
  
If a host has an MX record pointing to your site, this feature accepts relay mail from it.
  
Advantage: hosts whose MX records point at you do not need to be added to the access database.
  
Disadvantage: this allows third-party mail relay without your permission, since anyone can publish an MX record that points at your host.
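The access database lookup described in B, together with the unresolvable-domain check from A, modelled in Python as an added example (not sendmail's code; the /etc/mail/access contents, host names, addresses and function names are constructed). It shows the key precedence, most specific key first, and how an OK entry for one domain exempts it from the "Sender domain must exist" rejection:

```python
# Constructed /etc/mail/access source; sendmail uses the hash .db built
# from it (makemap hash /etc/mail/access < /etc/mail/access).
ACCESS_TEXT = """\
spammer@bad.example     REJECT
bad.example             550 We don't accept mail from spammers
192.168.11              RELAY
othername.com           RELAY
legacy.partner          OK
10.0.0                  DISCARD
"""


def parse_access(text):
    """Map key -> action; keys compare case-insensitively."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def domain_keys(name):
    """'mail.bad.example' -> ['mail.bad.example', 'bad.example', 'example']."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def ip_keys(ip):
    """'192.168.11.12' -> ['192.168.11.12', '192.168.11', '192.168', '192']."""
    octets = ip.split(".")
    return [".".join(octets[:i]) for i in range(len(octets), 0, -1)]


def lookup(keys, table):
    """Most specific key first; the first hit decides."""
    for key in keys:
        if key in table:
            return table[key]
    return None


def sender_action(sender, table):
    """Action for an envelope sender: exact address, then its domain chain."""
    local, at, domain = sender.lower().rpartition("@")
    if not at:  # unqualified sender (no '@'): only an exact key can match
        return lookup([sender.lower()], table)
    return lookup([sender.lower()] + domain_keys(domain), table)


def client_action(ip, rdns, table):
    """Action for a connecting client: reverse-DNS name chain, then IP prefixes."""
    keys = domain_keys(rdns) if rdns else []
    return lookup(keys + ip_keys(ip), table)


def smtp_reply(action):
    """Translate an access value into (accepted, may_relay, reply_line)."""
    if action is None or action == "OK":
        return True, False, "250 ok"
    if action == "RELAY":
        return True, True, "250 ok"
    if action == "REJECT":
        return False, False, "550 Access denied"
    if action == "DISCARD":
        return True, False, "250 ok"  # accepted on the wire, then silently dropped
    # Anything else is a literal RFC 821 reply, e.g. "550 We don't accept ..."
    return not action.startswith(("4", "5")), False, action


def check_mail(sender, table, domain_resolves, accept_unresolvable_domains=False):
    """Reply to MAIL FROM. An explicit OK entry accepts a sender even when its
    domain does not resolve (the per-domain exception described in the text);
    accept_unresolvable_domains waives the check for everyone."""
    action = sender_action(sender, table)
    if action is not None:
        return smtp_reply(action)[2]
    if not domain_resolves and not accept_unresolvable_domains:
        return "501 <%s>... Sender domain must exist" % sender
    return "250 ok"
```

Because parent domains are tried after the full name, a REJECT for a whole domain can be combined with an OK for a single address in it, and a RELAY entry for 192.168.11 covers every LAN host without listing each one.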
  
3. Third-party mail relay
  
Appendix: see the separate article "Introduction to sendmail 8.9.3 mail relay rules".
  
Example sendmail configuration (sendmail.mc) on the company firewall:
divert(-1)
include(`/usr/lib/sendmail-cf/m4/cf.m4')
dnl Let's define our OS type. This one is mandatory.
OSTYPE(`linux')dnl
define(`confDEF_USER_ID', ``8:12'')
define(`ALIAS_FILE', `/etc/mail/aliases')dnl
define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy')dnl
define(`confTO_QUEUERETURN', `4d')dnl
define(`confTO_QUEUEWARN', `4h')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
FEATURE(`redirect')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`local_procmail')dnl
FEATURE(`nouucp')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
FEATURE(`domaintable', `hash -o /etc/mail/domaintable')
FEATURE(`access_db', `hash -o /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
MAILER(procmail)dnl
MAILER(smtp)dnl
  
use_cw_file
By default the file is /etc/sendmail.cw; it lists the domain names treated as local, so mail addressed to them is delivered locally. Do not put company.com in sendmail.cw on the firewall; put it in sendmail.cw on the mail server on the intranet segment. Sendmail does not need to be restarted when this file is updated.
  
* How do I make all my addresses appear to be from a single host?
  
Using the V8 configuration macros, use:
  
MASQUERADE_AS(`my.dom.ain')
  
This will cause all addresses to be sent out as being from the indicated domain. If you're using version 8.7 sendmail, and you want to hide this information in the envelope as well as the headers, use:
  
FEATURE(`masquerade_envelope')
  
If you also want to masquerade the recipients, use
  
FEATURE(`allmasquerade')
  
mailertable
This feature routes mail for given domains to a chosen host, overriding the DNS MX records. It also overrides the SMART_HOST setting (the DS line in sendmail.cf).
  
For example: company.com relay:[192.168.11.1]
  
relays mail for company.com received by the firewall to 192.168.11.1.
  
Include a "mailer table" which can be used to override routing for particular domains. The argument of FEATURE may be the key definition. If none is specified, the definition used is:
  
hash -o /etc/mailertable
  
Keys in this database are fully qualified domain names or partial domains preceded by a dot -- for example, "vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU". Values must be of the form:
mailer:domain
where "mailer" is the internal mailer name, and "domain" is where to send the message. These maps are not reflected into the message header. As a special case, the forms:
local:user
will forward to the indicated user using the local mailer,
local:
will forward to the original user in the e-mail address using the local mailer, and
error:code message
will give an error message with the indicated code and message.
domaintable
  
Domain replacement.
  
For example, if mail for company.com is often mis-addressed to compayn.com, add the line:
compayn.com company.com
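The mailertable lookup order and the domaintable rewrite, modelled in Python as an added example (not sendmail's code; the map entries beyond the two quoted above, the SMART_HOST value and the function names are constructed). It uses the page's own entries, company.com relay:[192.168.11.1] and compayn.com company.com, and shows that a ".parent" key matches hosts under the domain but not the domain itself:

```python
# Constructed map source files. sendmail reads the hash .db built from each
# with makemap; the text form is what the administrator edits.
MAILERTABLE_TEXT = """\
company.com          relay:[192.168.11.1]
.cs.berkeley.edu     smtp:mailhost.cs.berkeley.edu
retired.example      error:550 Mail for this domain is no longer accepted
"""

DOMAINTABLE_TEXT = """\
compayn.com          company.com
"""


def parse_map(text):
    """Two-column map source -> dict with lower-cased keys."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def domaintable_rewrite(address, domaintable):
    """Replace the domain part of an address when the domaintable lists it."""
    local, at, domain = address.rpartition("@")
    if not at:
        return address
    return local + "@" + domaintable.get(domain.lower(), domain)


def mailertable_lookup(domain, mailertable):
    """Exact fully qualified key first, then '.parent' keys, most specific first.

    A '.cs.berkeley.edu' key covers vangogh.cs.berkeley.edu but not
    cs.berkeley.edu itself, which needs its own exact entry.
    """
    name = domain.lower().rstrip(".")
    if name in mailertable:
        return mailertable[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mailertable:
            return mailertable[key]
    return None


def route(address, mailertable, domaintable, smart_host=None):
    """Return (mailer, target) for an address: the mailertable entry if one
    matches, otherwise the SMART_HOST (DS) if set, otherwise direct delivery
    to the recipient domain by MX lookup."""
    rewritten = domaintable_rewrite(address, domaintable)
    domain = rewritten.rpartition("@")[2]
    entry = mailertable_lookup(domain, mailertable)
    if entry is None:
        return ("smtp", smart_host) if smart_host else ("smtp", domain)
    mailer, _, target = entry.partition(":")
    return (mailer, target)


if __name__ == "__main__":
    mt, dt = parse_map(MAILERTABLE_TEXT), parse_map(DOMAINTABLE_TEXT)
    # The mis-spelt domain is corrected first, then routed to the LAN server.
    print(route("user@compayn.com", mt, dt))
```

The domaintable rewrite runs before the mailertable lookup, which is why one domaintable line is enough to steer mis-addressed mail into the existing company.com relay entry.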
access.db
Each database record contains a key and an action:
the key can be a user address, a domain name, or an IP address;
the action can be OK, RELAY, REJECT, DISCARD, or an RFC 821 reply code and message.
For example:
Cyber