Hardening Sendmail

Well explained about Sendmail Hardening Basics

Sendmail Command Line Tips and Tricks

# mailq
Prints the mail queue's contents, same as /usr/lib/sendmail –bp

# newaliases 

Rebuilds the aliases database file, same as /usr/lib/sendmail –bi  

# hoststat 

Prints persistent host status info, same as /usr/lib/sendmail -bh  

# purgestat

Purges (zeroes) persistent host status info, same as /usr/lib/sendmail -bH  

# smtpd

Runs in daemon mode, same as /usr/lib/sendmail –bd –q30  

# mailq –OmaxQueueRunSize=1

Quickly print the total number of messages within mail queue

# /usr/lib/sendmail –q –Otimeout.queuereturn=99d 

Purges the mail queue without timing out any messages. Useful if the mail server has been down longer than the queuereturn value set in the cf.

# /usr/lib/sendmail –bv foolist | grep –v deliverable 

Prints only undeliverable addresses from in the mail list foolist. Great for use in a shell script to remove badd addresses from a mailing list.

Command Line Switches  

-B 7bit 
Causes sendmail to clear the high-bit of every incoming byte.
-B 8bitmime 
Causes sendmail to preserve the high-bit or every incoming byte.
-ba
Uses ARPAnet/Grey-Book protocols to transfer mail.
-bD 
Runs as daemon, like –bd, but does not fork and does not detach from controlling terminal.
-bd
Runs as daemon, forks and detaches.
-bH 
Purges (zeroes) persistent host status info.
bh 
Prints persistent host status info.
bi 
Initializes the aliases database.
-bm 
Causes sendmail to read and send message (this is the default)
-bp
Prints the contents of the mail queue.
-bs
Runs sendmail on standard I/O.  
-bt
Runs sendmail in rule testing mode.
-bv

Verifies address.
-C /tmp/different.cf  
Uses different.cf as its configuration file.
-c  
Sets HoldExpensive option to true.

-d  
set debug mode.

• -d0 – Shows general config
• -d0.1 – Prints version
• -d.04 – Prints local hostname and any aliases for it.
• -d0.15 – Prints the list of delivery agents declared
• -d0.20 – Prints address of each network interface
• -d8 – Traces most DNS lookups
• -d8.1 – Prints failure of low level MX searches.
• -d8.2 – Prints calls to getcanonname
• -d8.3 - Traces dropped local hostnames
• -d8.5 – Shows hostnames tried in getcanonname
• -d8.8 – Shows when MX lookups return the wrong type.
• -d11 – Traces delivery agent calls
• -d11.1 – Traces arguments passed to the delivery agent
• -d11.2 - Prints the user ID that the delivery agent is invoked as
• -d21 – Traces rewriting of addresses
• -d21.1- Traces general ruleset rewriting
• -d21.2 – Traces use of $& macro
• -d21.3 – Shows $> subroutines called
• -d21.4 – Displays result of rewrite
• -d21.15 – Shows $digit replacement
• -d21.35 – shows token by token LHS matching
• -d27 – Traces aliasing
• -d27.1 – Traces general aliasing
• -d27.2 – Traces :include: files, alias self-references, and errors on home
• -d27.3 – Traces the ~/.forward path and the alias wait
• -d27.4 – Prints "not safe" when a file is unsafe to trust
• -d27.9 – Shows uid/gid changes when reading :include: files
• -d35 – Traces macros
• -d35.9 shows macro values as they are defined
• -d35.14 – Shows macro names being converted to integer id’s
• -d35.24 – Shows macro expansion
• -d37 – Traces options and class macros
• -d37.1 – Traces the setting of options
• -d37.8 – Traces the adding of words to a class
• -d41 – Traces the queue
• -d41.1 – Traces queue ordering
• -d41.2 – Shows failure to open qf files
• -d41.49 – Shows skipped queue files
• -d41.50 – Show every file in queue

-F  
Set senders full name
-f

Set senders address
-h  
Set minimum hop count
-i  
Set IgnoreDots option to true
-M  
Set macro
-N
Set return DNS notify information

• never – Never return the info
• success – Return on successful delivery
• failure – Return on failure
• delay – Return on delayed delivery

-n 
Supresses aliasing  
-O
Set an option (long name)
-o 
Set an option (short name)
-pUUCP:test 
Sets protocol in $r macro to UUCP and $s macro to test  
-q30m
Sets queue processing to every 30 min  
-qR@here.com 
Processes the queue once delivering only mail to @here.com 
-R hdrs
bounces only the headers  
-R full
Bounces headers and body
-s
Sets SaveFromLine option to true
-T 5d
Sets Timeout.queuereturn option to 5 days  
-t
Gathers a list of recipients from messages headers  
-U 
make this the initial MUA to MTA submission  
-V test123456 
Sets the DSN ENVID string to test123456  
-v 
Runs sendmail in verbose mode  
-X /var/tmp/trace.mail
Logs both sides of smtp transactions to trace.mail file.  

Rule Testing Mode (/usr/lib/sendmail –bt)


?
Prints help .
DrUUCP
Defines macro r as UUCP
=S5
Prints the contents of ruleset 5
=M
Displays list of delivery agents
${name} 
Prints the value of macro name.
$=w 
prints the contents of the class macro w
/mx here.com 
Returns the MX records for here.com in the order they will be utilized  
/parse foo
Parses the value of the address foo, returns the value of crackaddr(), and the final parsed address including the delivery agent.
/try local foo
Rewrites the address foo based on the rules for local delivery
/tryflags HS 
Sets the flags used by /parse and /try to H for header and S for sender, can also use E for envelope and R for recipient
/canon foo
Transforms the hostname foo into its canonical form  
/map aliases foo
Looks up foo in the aliases database  
3,0 – me@foo 
Runs the address me@foo through rulesets 3 and 0

SENDMAIL Notes 14: Sendmail SMTP AUTH

Sendmail SMTP AUTH

      SMTP Auth support allows to relay mails based on the smtp authentication when the client or users IP is getting changed(For a Roaming user).

Inorder to enable the smtp-auth support in sendmail the following packages are needed.

1. cyrus-sasl    
2. cyrus-sasl-plain (For Plain Authentication)
3. cyrus-sasl-devel (Some devel libs are needed by sendmail)
4. cyrus-sasl-crammd5 (For CRAM MD5 auth)
5. cyrus-sasl-digestmd5
6. cyrus-sasl-otp
7. cyrus-sasl-gssapi

      cyrus-libraries are needed for SMTP-AUTH. After installation the above packages the cyrus-libs will be installed in   /usr/lib

Note:-
      If the distribution is not supporting the cyrus package, then we have to download it compile with all the auth mechanism and install.

Now we need to compile the sendmail with cyrus and install the binaries.

Compiling & installing the sendmail for SMTP AUTH:

Got to the following directory

# cd sendmail-8.14.2/devtools/Site

    Note:-
        The Top Level Build Script (which creates the sendmail binaries) while compiling will consult the Site directory and if it finds the site.config.m4 it will include the contents for compiling. So this file is used to include additional variables or modules or extend the features sendmail. For enabling such features we have to include some derivatives in the site.config.m4.

To test the existing sendmail has SMTP-AUTH enabled:

# telnet localhost 25
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 centos.com ESMTP Sendmail 8.14.2/8.14.2; Thu, 1 Oct 2009 17:41:53 +0400
ehlo localhost
250-centos.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-DELIVERBY
250 HELP

    If the SMTP-AUTH was enabled we could see an extra out put of 250-AUTH for the command ehlo localhost

The other way of testing the sendmail for the feature of SMTP-AUTH is

# sendmail -v -d0.10

    This will echo to shell all the feature of sendmail in debug mode. here look for the sasl in output.

Now we will create some derivatives in the site.config.m4 file and compile & install sendmail again to enable the SMTP-AUTH in sendmail.

APPENDDEF(`confENVDEF', `-DSASL=2')
#This will tell sendmail to include the support sasl version 2
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
#This will tell sendmail to use the given libraries that can be found in the lib directory as mentioned in the next derivative
APPENDDEF(`confLIBDIRS', `-L/usr/lib')
APPENDDEF(`conf_INCDIRS',`-I/usr/include/sasl')
#This will tell sendmail the location of the header files

  # Now save the configuration. re-compile the binary.

    Remove the obj.Linux.2.6.18-128.el5.i686 directory before compiling the sendmail again. Now run the build script

# cd sendmail-8.14.2
# ./Build

    Check the build process to find the sasl2 has been including or not. The build process has to complete successfully
Before copying the sendmail binary to /usr/sbin location we will check whether the new compiled binary has the the option of sendmail SMTP-AUTH
To check this navigate to following directory

# cd sendmail-8.14.2/obj.Linux.2.6.18-128.el5.i686/sendmail
# ./sendmail -v -d0.10

    Here we should get an output similar to

Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2 SCANF USERDB XDEBUG

Now copy this sendmail binary to the path of running sendmail

# cp sendmail /usr/sbin

    Now we have the new binaries. verify the permission of the binaries

# chown root:smmsp /usr/sbin/sendmail
# chmod g+s /usr/sbin/sendmail

    So this will make the sendmail to execute as the user group (smmsp)
To verify

# ls -ltr /usr/sbin
-r-xr-sr-x 1 root smmsp   678197 Oct  1 18:54 sendmail

Now configure the sendmail.mc file to include the smtp-auth

# cd sendmail-8.14.2/cf/cf
# vi sendmail.mc
TRUST_AUTH_MECH(`LOGIN PLAIN GSSAPI DIGEST-MD5')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN GSSAPI DIGEST-MD5')dnl

    TRUST_AUTH_MECH this will tell sendmail to trust the authentication mechanisms can use for relaying.
    configuration auth mechanism tells sendmail that these are the authentication mechanisms that have been configured.
    This will make sendmail to hands over the authentication to cyrus libs.

Note:-
    Sendmail hands over the control to cyrus libraries for authentication. Cyrus-libs will check the passwd file or ldap for authentication.

# cd sendmail-8.14/cf/cf
# m4 ../m4/cf.m4 sendmail.mc > sendmail.cf
# cp sendmail.cf /etc/mail
# restart the sendmail service

         
Testing the SMTP-AUTH support is turned on

[root@centos ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 centos.com ESMTP Sendmail 8.14.2/8.14.2; Fri, 2 Oct 2009 17:18:57 +0400
ehlo localhost     
250-centos.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN DIGEST-MD5
250-DELIVERBY
250 HELP

Here we are looking for the line "250-AUTH LOGIN PLAIN DIGEST-MD5"
Note:-
      If this test fails even if all the configurations have been made correctly, troubleshoot the issue by rechecking configuration files and binaries time stamp as well use netstat command to verify that the sendmail process is bind to the port 25.  

Now have to configure cyrus to accept the request of sendmail

# cd /usr/lib/sasl2
# vi smtp.conf
or
# vim /etc/sasl2/sendmail.conf

pwcheck_method: saslauthd

# mv smtp.conf Sendmail.conf
    We have to rename the smtp.conf to Sendmail.conf . In filename Sendmail.conf S is capital.

Now start the saslauthd service

# service saslauthd start

    Now test the auth mechanism by connecting MUA like evolution,thunder bird or outlook

Note:
If we are getting any errors like -  AUTH failure (PLAIN): user not found (-20) SASL(-13): user not found: Password verification failed
Try uninstalling all the "cyrus" packages and reinstall one bye one will sort out the issues. It worked for me

SENDMAIL Notes 13: Sendmail Content Scanning

SENDMAIL CONTENT SCANNING:

Configuring the full functional content scanning using Mailscanner, Clamav and Spamassassin

Initially we will configure the clamav antivirus.

CLAMAV ANTIVIRUS:

Installation of CLAMAV Antivirus:

Download the Source code of the software

# wget http://sourceforge.net/projects/clamav/files/clamav/0.95.2/clamav-0.95.2.tar.gz/download
# tar -zxvf clamav-0.95.2.tar.gz
# cd clamav-0.95.2

    The clamav relies upon mainly the following packages. So have to install the packages prior to compiling and installation of clamav. so install the following packages prior to compiling.

1. zlibs It needs zlib-1.2.2 atleast
    zlibs-devel
2. bzip2
    bzip2-libs
    bzip2-devel
3. gmp
4. curl
    curl-devel

Add the following user and group.

#groupadd clamav
#useradd -g clamav -s /sbin/nologin clamav

Now Compile the clamav

# ./configure
# make
# make install

    This will copy the binaries to the standard location. Normaly to /usr/local/*. Now type clam can see the new binaries that installed by make-install.

Configuring CLAMAV Antivirus:

#cd /usr/loca/etc

it will contain 2 files clamd.conf (this is read by clamd deamon) and freshclam.conf (Reads by the update tool).

For starting the clamd daemon, have to edit the following parameters in clamd.conf

#vim clamd.conf
#comment out the Example
#Example

#vim freshclam.conf
#comment out the Example
#Example

    Now create the log file to log by freshclam.

#touch /var/log/freshclam.log
#chmod 600 /var/log/freshclam.log
#chown clamav.clamav /var/log/freshclam.log

Now update the virus database and start the freshclam daemon.

#freshclam
#/usr/loca/bin/freshclam -d

    This runs the freshclam as a daemon. Add the freshclam entry to the cron job to update daily twice or thrice. And any update regarding the virus signatures will be logged to /var/log/freshclam.log.

It is time to start the clamd daemon now.

#/usr/local/sbin/clamd
#ps -ef |grep clam

    this will show both (freshclam and clamd) daemon runns.

Adding clamd daemon to init startup(This part is optional).

#cd clamav-ver/contrib/init
#vim clamd

    Change the path parameters to suite the installation. and place it in init directory.

#cp clamd /etc/init.d

Now start configuring the Spamassassin

SPAMASSASSIN:

Installation:
Download the Source code of the software

# wget http://www.bizdirusa.com/mirrors/apache/spamassassin/source/Mail-SpamAssassin-3.2.5.tar.bz2
# tar -jxvf Mail-SpamAssassin-3.2.5.tar.bz2
# cd Mail-SpamAssassin-3.2.5

We need the following packages for compiling the spamassassin:
1. HTML::Parser

Install the pre-requiesties using cpanel.

#cpanel
>install HTML::Parser

or
Download from cpan.org and compile and install

#tar -zxvf HTML-Parser-version.gz
# cd HTML-Parser-version
# perl Makefile.pl
# make
# make install

The spamassassin uses the perl for compiling

#perl Makefile.PL

    This will prompt us certain details.
1.mail address of admin for whom can send mail about the spam report.
2.network test
3.Checks for all the dependencies of modules. if script exits by any failed dependencies install it.

# make
# make install

    This wil setup the spamassassin with all of the rules in /usr/share/spamassassin. The installed bnaries will  be /usr/binspamc(The client binaries) & /usr/bin/spamd(spamassassin daemon binaries).

Now we can install the init scripts from the source code.

#cd Mail-SpamAssassin-3.2.5/spamd
# ./redhat-rc-script.sh start

    This will start the daemon. So copy the file to /etc/init.d/ and rename it if we need to run as init daemon.

Now start the spamd

# spamd -d -c -m5 -H

    This starts the spamassassin daemon and runs in background.

Its time to install and configure the Mailscanner


MAILSCANNER:
Installation:
    mailscanner need not to have clamd or spamassassin running to initialize or run the service.In fact it just need the perl modules that required to start.
Download the source code of the software.

#wget http://www.mailscanner.info/files/4/tar/MailScanner-install-4.75.11-1.tar.gz
#tar -zxvf MailScanner-install-4.75.11-1.tar.gz
# cd MailScanner-install-4.75.11-1
    it contains perl modules and install script
#./install.sh

    This installs the mailscanner in /opt directory. And mailscanner creates a new queue directory struchure in /var/spool (MailScanner, mqueue.in)

/var/spool/MailScanner
    This is a temperory directory userd for processing the msgs.
/var/spool/mqueue.in

    After starting the Mailscanner daemon we need to update the sendmail configuration to reflect the new queue structure. The new queue structure is implemented for the new two sendmail daemons. One for processing the inbound msgs i.e, the standard MTA which will accepts the mail on port 25 process the msgs and places those msgs in to queue in queue only mode. Those msgs are then re-routed in to the directory mqueue.in (we will be altering the sendmail configuration to queue msgs to mqueue.in not to deliver them).From there Mailscanner that had configured to check the mqueue.in for all 5 sec will scan the mqueue.in by consulting clamav, spamassassin and other mailicious contents and then places the msg in to mqueue directory. From here the second instance of the sendmail will deliver the msg to the destination.

    port25 sendmail(1) recieves msg -> Place the msg in mqueue.in -> Mailscanner scans and places in mqueue -> sendmail(2) will deliver the msg from mqueue to destination.

Configuring MailScanner:

#cd /opt/MailScanner
    This is a symbolic link created by for the installed version of MailScanner.
# cd /opt/MailScanner/etc
    This file contains the main configuration of MailScanner.

Edit the main configuration to change some key settings to start the MailScanner.

# vi MailScanner.conf
%org-name% = kiranjith
%org-long-name% = Kiran's School for Linux Lovers
%web-site% = kiranjith83.blogspot.com
Max Children = 5
#by default mailscanner will launch upto 5 process to handle the mails in the mqueue.in. This can be increased according to the msg queue.
Run As User = root
# has to specify the mailscanner to run as.
Queue Scan Interval = 5
# this tells the mailscanner to check the mqueue.in directory in every 5 sec for a new msg.
Incoming Queue Dir = /var/spool/mqueue.in
#This is the directory where the 1st sendmail instance will put the incoming mails for scanning.
Outgoing Queue Dir = /var/spool/mqueue
#This is the directory where the mailscanner will place the scanned mails for 2nd instance of the sendmail to deliver.
Incoming Work Dir = /var/spool/MailScanner/incoming
#This is the directory where mailscanner process the msgs.
Quarantine Dir = /var/spool/MailScanner/quarantine
#In this directory MailScanner places the msgs which is infected by Virus.
Restart Every = 14400
#Every 14400 sec the child process will get restarted
MTA = sendmail
#This specifies the current mta running in the system.
Sendmail = /usr/lib/sendmail
#path to sendmail which used to deliver the error generated on scanning
Max Normal Queue Size = 800
# this tells mailscanner to stop scanning if the mail queue is this much big
#Note:- TNEF Module is needed to scan the content send from MS Outlook.
Virus Scanning = yes
# This enables the virus scanning
Virus Scanners = clamav
#sets the virus scanner to clamav.
Use SpamAssassin = yes
# makes mailscanner to invoke the spamassassin
Always Include SpamAssassin Repot = yes
#this invokes mailscanner to involve the result of spamassassin.
# The SpamAssassin returns a score for the scanned msg and mailscanner will make a decission upon this score. This will invoke both clamav and spamassassin.
Always Include SpamAssassin Report = yes
# This will include the spamassassin repot in the mail header.

/opt/MailScanner/spam.assassin.prefs.conf

            This file consists of the rules for the spamassassin, eg:-,the white list, Black list, Spam score threshold.

/opt/MailScanner/virus.scanners.conf

            This file contains the preferences of Virus scanner.

/opt/MailScanner/mcp

            This Directory is contains the rules of mail contents (rules about the extension of the mail attachment)

/opt/MailScanner/bin

            This directory contains the executables to run and check the mailscanner service.

#./check_mailscanner

            This will launch the mailscanner service

#ps -ef |grep -i mailscanner

            This will show the mailscanner configuration


Sendmail Integrating with MailScanner:

            By default the sendmail will be running as MSP as queue directory /var/spool/cilentmqueue and as MTA that binds to the default port of 25.

#/usr/sbin/sendmail -L sm-msp-queue -Ac -q30m
#/usr/sbin/sendmail -L sm-mta -bd -q30m

            These are the default deamon options that runs sendmail. So we have to change the deamon options or change the init script of sendmail with the following options.

#kill any existing sendmail deamons

Now create a sendmail start script

#vim sendmail_startup.sh
#!/bin/bash
sendmail=/usr/sbin/sendmail
#Run the sendmail as MSP program.
$sendmail -L sm-msp-queue -Ac -q30m
#Run the sendmail MTA for inbound (To accept the mail and keep in /var/spool/mqueue.in directory in queueonly mode)
$sendmail -L sm-mta-inbound -bd   -OprivacyOptions=noetrn   -OdeliveryMode=queueonly   -OqueueDirectory=/var/spool/mqueue.in  -OPidFile=/var/run/sendmail-in.pid  -q30m
#Define the Outbound MTA for delivery msg from /var/spool/mqueue directory,which has been scanned by and placed by MailScanner. The inervel should be short for delivering the mail ASAP.
$sendmail -q1m

Save and execute the script.

#ps -ef |grep sendmail

            This will show the 3 sendmail process running

Check the mail logs

# tail /var/log/maillog

If the sendmail installation is RPM Based. Then follow this

Change Commands That Start Sendmail. Currently, your copy of sendmail will be started by a script such as /etc/init.d/mail or /etc/rc.d/init.d/sendmail. Somewhere in this script will be the command to start sendmail itself. This should look like this:

---------------
sendmail −bd −q15m
--------------
You should change this to the following two lines:
-------------
sendmail −bd  -OprivacyOptions=noetrn   -OdeliveryMode=queueonly   -OqueueDirectory=/var/spool/mqueue.in  -OPidFile=/var/run/sendmail-in.pid -q30m
sendmail -q1m
-------------

This first starts the copy of sendmail that provides SMTP service, building the work queue for MailScanner. It then starts the copy of sendmail that delivers the output from MailScanner. You also might need to change the commands used to shut down sendmail as it now needs to find 2 copies and kill them both.

Note:-
            The spamd and clamd deamons are not needed to be running. It is just to ensure the configuration files working or not.

SENDMAIL Notes 12: Sendmail Mailertable

   
    It is a type of mail relaying. It is useful when using the virtual domains. for example if you want to forward mails to internal protected server in DMZ zone after the content scanning, mailertable can provide a solution rather than using the smarthost or nullclient.

Configuring the Mailer Table:

Configure the following in the server which is configured to recieve the mails through MX record.
Create the /etc/mail/mailertable

#vim /etc/mail/mailertable

(The format is as follows
Left Column                                      
domain name                                       
(To which domian it accepts          
the mail for)

Right Column
Routing Rules:
(Specify the mailer type(smtp or local):
user@domain or FQDN of host))

kiran.com        smtp:internalhost.kiran.com
jithu.com        smtp:jeo@mail1.jithu.com

    Here any mail that comes to domain kiran.com will be forwarded to internalhost.kiran.com and all the mail comes to domain jithu.com will forward to the user jeo at host mail1.jithu.com.

For Example:
This used primarily in the following scenario.
We have the mailertable enabled server facing the internet configured with MX record and all the mail scanning softwares. And other servers will be inside the network. So the mailertable enabled server recieves the mail primarly, scans the mail and forwards to respective servers according to the configuration in mailertable. So all the mails for a domain can be accepted by a single system and after scanning the mails can be redirected to respective sub-domains.

Now create the db file of mailertable

#makemap hash mailertable < mailertable

Now configure the sendmail for the Feature of mailertable. Edit the sendmail.mc file

FEATURE(`mailertable')dnl

    This will enable the mailertable support in sendmail.

# compile configuration file with m4 to create sendmail.cf file and restart the sendmail

SENDMAIL Notes 11: Sendmail Virtual Domains & Vitual Users

Basic Virtual Domains

    Sendmail allows to host multiple domains in single instance. The Basic Virtual Domain can be created using local-host-name file. When sendmail receives mail, it needs a way of determining whether it is responsible for the mail it receives. It uses the /etc/mail/local-host-names file to do this. This file has a list of hostnames and domains for which sendmail responsible for mail.
For example, if this mail server was to accept mail for the domains kiran.com and jithu.com then the file would look like this:

# cat  /etc/mail/local-host-names
kiran.com
jithu.com

In this case, remember to modify the MX record of the jithu.com DNS zonefile point to kiran.com. Here is an example (Remember each "." is important):

jithu.com. MX 10 mail.kiran.com.

    So if we send mail to the user "user1" for both the domain (user1@kiran.com & user1@jithu.com),because of the MX record pointed the mail will reach the same server and as we have configured the local-host-name file sendmail will accept the mail for both the domains. The mail will be delivered to the same user user1 which is a local user.
Note:
    The mail server will default acceptance of mail for its FQDN defined without the entry in local-host-names.

Virtual users and virtual domains:

    This is defined using the virtual user table feature in sendmail configuration.The file used is virtusertable in /etc/mail. While defining the virtusertable the domain name should not exist in local-host-names.
    The /etc/mail/virtusertable file contains a set of simple instructions on what to do with received mail. The first column lists the target email address and the second column lists the local user's mail box, a remote email address, or a mailing list entry in the /etc/aliases file to which the email should be forwarded.
If there is no match in the virtusertable file, sendmail checks for the full email address in the /etc/aliases file.

Defining the virtual domains and users (Keep in mind that the exact MX record has been added to respective domains):

FEATURE(`virtusertable')dnl
VIRTUSER_DOMAIN_FILE(`-o /etc/mail/virtuserdomain')dnl

    FEATURE(`virtusertable')dnl expects to existance of the database  vrtusertable in /etc/mail.
    VIRTUSER_DOMAIN_FILE(`-o /etc/mail/virtuserdomain') it looks up the various domains that supported by sendmail in this given path.

#compile configuration and restart the sendmail service

Now create the virtuserdomain file - this will tell the sendmail a list of domains that sendmail has to recieve mails

#edit /etc/mail/virtuserdomain
kiran.com
jithu.com

Now create the virtusertable database - it contains the mapping of virtual users/domains to mail box or remote mail box

#create/edit    /etc/mail/virtusertable
user1@kiran.com        kiran@someotherdomain
user2@jithu.com        jithu
 
#makemap hash virtusertable < virtusertable

#Now restart the sendmail service

    Now if we sendmail to user1@kiran.com from anywhere it will be redirected to kiran@someotherdomain and mail send to user2@jithu.com will be send to the local mail box of user jithu.

Other options in virtusertable:

@fazi.com    jithu
@jithuki.com    kiran
@mydomain.com    mailuser@remotedomain.com

    This will redirect all the mails that came to @fazi.com to user jithu, and all the mails send to domain jithuki.com to local user kiran. Any mail comes to mydomain.com will be redirected to mailuser@remotedomain.com

SENDMAIL Notes 10: Sendmail SMARTHOST & Null Client

Sendmail Smart Host
      Smarthost is a smtp server that forwards the non local mails to another server that has proper DNS resolution.

DEFINING THE SMARTHOST:

    Define this derivative in the Host mail configuration where we have to forward the mail to another server.

define(`SMART_HOST', `192.168.1.30')
or
define(`SMART_HOST', `isp.mailserver.com')

      The Smart host entry can be either IP address or with Hostname

#recompile the sendmail.cf and restart the sendmail service in hosts

Now go to main mailserver (isp.mailserver.com):
Permit the host in Relay

#vi /etc/mail/access
add the ip address of the smarthost
#makemap hash acess < access

Now if we send mail from the Host to internet the message will be Relayed through isp.mailserver.com to internet.Verify the logs on each servers. All the details of the mail relays will be found in the msg headers(through which hosts the mail has be relayed).

NULL CLIENT CONFIGURATION:

      In contrast with SMARTHOST, NULL CLIENT CONFIGURATION will redirect all mails including local msgs, not just the remote mails to the defined server.This is used where in the situation that need to make the server to just send the msgs and not to receive any msgs.

Define the Following in the HOST that needed to be configured as NULL CLIENT.
first comment the SMART_HOST definition. Add the following in sendmail.mc

FEATURE(`nullclient', `isp.mailserver.com')
#recompile the sendmail.cf and restart the mail service

      This will make the host to forward all the mails to the server isp.mailserver.com. Test this by running sendmail in debugging mode

#sendmail -d -i

Note:- In server (isp.mailserver.com) has to define the access to relay this host.
       Now try sending msgs from host, this will make all the mail to relay through isp.mailserver.com.
Note:
      As we are defining the Null client, since it is not setup to receive mail we have to make sure that the mail envelop will be re-written.Because in case of any reply or bouncing the host will not be accepting the mail.

SENDMAIL Notes 9: Sendmail Relay

Default configuration of the sendmail Denies the Relay from other hosts.
But the following option makes the sendmail to run as open relay

FEATURE(`promiscuous_relay')

    This option allows for any clients to connect to our SMTP and can send mail to any destination.

Testing a Open relay:
Try to connect to the Server from outside of the network and follow the procedure.
The Following Example shows the server that denies the Open Relay:

[root@kiran ~]# telnet 192.168.10.2 25
Trying 192.168.10.2...
Connected to fazi.com (192.168.10.2).
Escape character is '^]'.
220 centos.com ESMTP Sendmail 8.14.2/8.14.2; Wed, 23 Sep 2009 06:35:20 +0400
Mail from: kiran@domain.com
250 2.1.0 kiran@domain.com... Sender ok
Rcpt To: kiran@anotherdomain.com
550 5.7.1 kiran@anotherdomain.com... Relaying denied
quit
221 2.0.0 centos.com closing connection
Connection closed by foreign host.
[root@kiran ~]#

The Follwoing Example Shows the server that allows Open relay:

[root@kiran ~]# telnet 192.168.10.2 25
Trying 192.168.10.2...
Connected to fazi.com (192.168.10.2).
Escape character is '^]'.
220 centos.com ESMTP Sendmail 8.14.2/8.14.2; Wed, 23 Sep 2009 06:43:14 +0400
Helo domain.com
250 centos.com Hello mail1.kiran.com [192.168.10.1], pleased to meet you
Mail From:kiran@domain.com
250 2.1.0 kiran@domain.com... Sender ok
Rcpt To:kiran@anydomain.com
250 2.1.5 kiran@anydomain.com... Recipient ok
Data
354 Enter mail, end with "." on a line by itself
This is to test the Open relay
.
250 2.0.0 n8N2hEOp009181 Message accepted for delivery
Quit
221 2.0.0 centos.com closing connection
Connection closed by foreign host.
[root@kiran ~]#

    The destination of the mail should be resolvable to sendmail for any kind of relay.

Relay in Sendmail:
    Relay in sendmail can be achieved by 2 common ways

1. Using the Relay-domains.
2. Using the access database.

1. Using relay-domains file:
    This is very easy way to implementing the relay access.
Edit sendmail.mc

RELAY_DOMAIN_FILE(`/etc/mail/relay-domains')

    The file path to the relay-domains can be any where. Sendmail refer this while getting a new mail from any host.
/etc/mail/relay-domains file can contain each IP Address of the hosts on each line (Hostname of FQDN is permissible here and this has to be resolved properly).
Example:-

192.168.1.1
10.0.0.1
172.16.0.1
    Compile and Restart the sendmail service

RELAY_DOMAIN_FILE(`-o /etc/mail/relay-domains')

    Here the "-o" option makes the sendmail to loading the Relay Domain File as optional. This means if the file is not present still the sendmail starts the daemon.

2. Using the Access DB:
    It extends the functionality of relay domains, defined by two columns.
Left Hand Side Column:
Users
Hosts
Ip Address
Right hand Side Column:
Relay
Reject
Discard
To enable this have to turn on the following feature.

FEATURE(`access_db', `hash -o -T /etc/mail/access')dnl

    The Feature enables the access db for Relay. hash is the type of database, "-o" makes the sendmail to run even if the access db file is not found, i.e makes the file optional. -T this allows access db to return the smtp errors to client and next to this we have the database location.

Now Create the access_db file:

#vi /etc/mail/access
connect:192.168.1.2    RELAY
connect:192.168.10.9    REJECT
#makemap hash access < access

    If any errors are generated re-compile the makemap by ./Bulid && ./Build install from the source directory.

    Here from the ip 192.168.1.2 sendmail will relay mail to outer world and from 192.168.10.9 will reject the relay to outer world This will make the sendmail to reject all the inbound mail traffic from the host 192.168.10.9.
Any update to the access doesn't need sendmail reload to take effect. Because for each query sendmail makes query to the access.db file.

Other rules in access file:

From:kiran@mail1.kiran.com    REJECT
To:jithu@    RELAY

    As defined in this rule the msg send from user kiran@mail1.kiran.com will be rejected.We can specify in the second column REJECT,RELAY,OK or 550 errors too.
    In To:jithu@ REJECT any mail send to user jithu will be REJECTED.
    To parse this rule in access db file by sendmail we have to enable the following Macro Feature in the sendmail.cf file.

FEATURE(`relay_mail_from')

    This FEATURE has to define after the FEATURE(`access_db').This will enable the sendmail to parse the access.db to check the permission of Relay in user basis.i.e, it checks the mail envelop for relay.

    Now compile the sendmail.cf file and restart the service.

    This will show the warning about the open relay. so use this option carefully.

SENDMAIL Notes 8: Sendmail Macro File Derivatives

Derivatives in Sendmail.mc Configuration file:

#grep -i ^O sendmail.cf

    It returns the "options" that enabled in the sendmail.cf file

Options & Features in sendmail.mc:
Editing the sendmail.mc file:
    Any Options that enables inside the sendmai.mc or submit.mc should be specified after the DOMAIN(generic)dnl option
    Any rules that defines should come after the MAILER option inside the sendmail.mc/submit.mc file

Increasing the verbositry of Log Level of sendmail:
  Default level is 9.

define(`confLOG_LEVEL', `10')dnl

Now export the sendmail.cf file from sendmail.mc

#./Build install-cf
or
#m4  ../m4/cf.m4 sendmail.mc > sendmail.cf
Restart the sendmail
# kill -HUP `head -1 /var/run/sendmail.pid`

Maximun msg size:
Default is undefined

define(`confMAX_MESSAGE_SIZE', `4096')dnl
    Recompile the sendmail.cf file
    Restart the sendmail service

    This will resize the maximum msg size to 4K

Configuring the Maximum Recipients for MSG:

define(`confMAX_RCPTS_PER_MESSAGE', `1')dnl
    Recompile the sendmail.cf file
    Restart the sendmail

Editing the sendmail.cf file directly for maximum recipients per msg by enabling the following option

O MaxRecipientsPerMessage=1

    If client tries more than given number of recipients in the mail address it throws error
": Too many recipients". The msgs are queued for later delivery

Masquerading in sendmail:
    Masquerading changes the mail headers.A message header is the part of the message that contains information about a specific aspect of the message. This option should define prior to the mailer derivative.

MASQUERADE_AS(`mail1.jithu.com')
or
MASQUERADE_AS(`jithu.com')

    MASQUERADE_AS option is used to rewrite the host part of the mail address.  This will masquerade the msgs originated from the host to reflect as mail1.jithu.com
    For example:- mail send from host1.domain.com will be masqueraded as
    From:- kiran@mail1.jithu.com
    So if the recipient replies to msg will send to the host mail1.jithu.com

Masquerade the envelope:
    This will masquerade the mail envelope.Envelope is what appears initially.The sender and recipient addresses used in the SMTP transaction are called the Message Envelope. In other words A message envelope is the structure that encapsulates the component parts of a message: the message body and the message headers.

FEATURE(`masquerade_envelope')

    Now the m4 will search for the masquerade_envelope.m4 inside the features directory in source folder while compiling to create the sendmail.cf. This will change the envelope address to mail1.jithu.com as defined in MASQUERADE_AS.
But the message coming from root will not be masqueraded as for other normal users.
   
Exposed users to exclude the masquerade:
    This will exclude a given user from masquerading. root user is excluded by default from masquerading.

EXPOSED_USER(`jithu kiran joe paul')dnl
Or
EXPOSED_USER(`jithu')dnl
Or
EXPOSED_USER_LIST(`path to user list')dnl # user list should be one user per line

    So here the mail  for the users defined will be having the exact host details in the mail Headres as well as mail envelop.

Enabling the mail server to relay mails from any where:

FEATURE(`promiscuous_relay')
#compile and restart the sendmail service

    This option will allows to relay mails from anywhere, i.e, configures our system as open relay. This option should not be enabled in the production environment. If this is enabled any one can send mail using this sendmail server. Spammers will exploit this option certainly.This will make m4 to find the file named promiscuous_relay.m4 in features folder and will add the contents in to the sendmail.cf file

Masquerade Domains:
    Default masquerading behavior of sendmail is, only masquerading the host part of the mail generated locally and it won't masquerade the mails that generated from other systems.So including the option of masquerade domains will masquerade the hostname part of the mail for all other hosts that sendmail relays.

FEATURE(`masquerade_entire_domain')

    This will enable the masquerading of mails send by all the servers/hosts that sendmail relays. The host part of the mail address is now re-written to the address as mentioned in MASQUERADE_AS(`jithu.com'). The exposed users are excluded in this option, that means the root user mail will not be masqueraded.

MASQUERADE_DOMAIN(`mail1.fazi.com')

    This derivative says that any mail coming form host mail1.fazi.com should be masqueraded as defined in MASQUERADE_AS(`jithu.com'). We can add 'n' number of hosts seperated by in this derivative.
This option is valid upon the position of FEATURE(`masquerade_entire_domain'), which masquerades entire mails send by any hosts.

For Example:-  
          If FEATURE(`masquerade_entire_domain') is set Before to MASQUERADE_AS(`jithu.com') then all the hosts are masqueraded.
If FEATURE(`masquerade_entire_domain') is set after MASQUERADE_AS(`jithu.com') then the undefined hosts will not be masqueraded.

Masquerading Options Explained:

FEATURE(always_add_domain)dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`allmasquerade')dnl
MASQUERADE_AS(`my-site.com')dnl
MASQUERADE_DOMAIN(`my-site.com.')dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl

• The MASQUERADE_AS directive makes all mail originating on bigboy appear to come from a server within the domain my-site.com by rewriting the email header.
• The MASQUERADE_DOMAIN directive makes mail relayed via bigboy from all machines in the another-site.com and localdomain domains appear to come from the MASQUERADE_AS domain of my-site.com. Using DNS, sendmail checks the domain name associated with the IP address of the mail relay client sending the mail to help it determine whether it should do masquerading or not.
• FEATURE masquerade_entire_domain makes sendmail masquerade servers named *my-site.com, and *another-site.com as my-site.com. In other words, mail from sales.my-site.com would be masqueraded as my-site.com. If this wasn't selected, then only servers named my-site.com and my-othersite.com would be masqueraded. Use this with caution when you are sure you have the necessary authority to do this.
• FEATURE allmasquerade makes sendmail rewrite both recipient addresses and sender addresses relative to the local machine. If you cc: yourself on an outgoing mail, the other recipient sees a cc: to an address he knows instead of one on localhost.localdomain.                 

Note: Use FEATURE allmasquerade with caution if your mail server handles email for many different domains and the mailboxes for the users in these domains reside on the mail server. The allmasquerade statement causes all mail destined for these mailboxes to appear to be destined for users in the domain defined in the MASQUERADE_AS statement. In other words, if MASQUERADE_AS is my-site.com and you use allmasquerade, then mail for peter@another-site.com enters the correct mailbox but sendmail rewrites the To:, making the e-mail appear to be sent to peter@my-ste.com originally.

• FEATURE always_add_domain always masquerades email addresses, even if the mail is sent from a user on the mail server to another user on the same mail server.
• FEATURE masquerade_envelope rewrites the email envelope just as MASQUERADE_AS rewrote the header.

SENDMAIL Notes 7: Sendmail Macros and Basic Configurations

M4 configuration in Sendmail
    M4 is a Macro program which allows to define key value pairs i.e names with values, such as configuration options with values and responsible for expanding the values to syntax that sendmail that recognizes.
eg:- sendmail.mc(Human readable config file) file is the input taken by M4 to create sendmail.cf(sendmail readable) file.

Generation Of Sendmail Configuration Files:
    If u are installing the sendmail from the source code all the configuration examples and M4 files that needed while converting the "*.mc" file will be present inside the directory /sendmail-8.14.2/cf. and if you are using the rpm based binaries all the configurations example and M4 files that needed while converting the "*.mc" file will be present inside /usr/share/sendmail-cf
The following is the basic configurations that needed by sendmail in sendmail.mc file to start with

divert(-1)
divert(0)dnl
VERSIONID(`$Id: generic-linux.mc,v 8.1 1999/09/24 22:48:05 gshapiro Exp $')
OSTYPE(linux)dnl
DOMAIN(generic)dnl
MAILER(local)dnl
MAILER(smtp)dnl

/sendmail-8.14.2/cf or /usr/share/sendmail-cf directory:
    m4/:  directory contains the files that is used for compiling M4 with sendmail config file while running the Build script from the sub-directory cf/ (or #m4 sendmail.mc > sendmail.cf)
    README.txt: file contains all the derivatives that can be understood ( M4 preprocessor )by sendmail inside this directory.
    cf/:  In /sendmail-8.14.2/cf or /usr/share/sendmail-cf "cf/" is the sub-directory which contains the M4 configuration files. generic-linux.mc & generic-linux.cf are the two config files that is used for generation of sendmail.cf file. These configuration file is enough to create a minimum level of sendmail server on Linux distros.
    sendmail.mc file is used by MTA and submit.cf file is used by MSP.

Basic Derivatives and struchure of sendmail.mc:
dnl = delete through new line
    This tells the M4 deamon to delete any superfluous or excessive new lines after creation of subsequent derivatives for mc files to cf file.

VERSIONID(`$Id: generic-linux.mc,v 8.1 1999/09/24 22:48:05 gshapiro Exp $')

    Using this derivative M4 creates the version information of the sendmail as well the OS.

OSTYPE(linux)dnl

    It says to the m4 program to navigate to the ostype directory and find the file called linux.m4 and include the contents while generating the sendmail.cf file.M4 expands this session and produces the sendmail.cf. linux.m4 contains the basic path to sendmail binaries, other utilities like procmail-the local mailer and version of OS

DOMAIN(generic)dnl

    sendmail-8.14.2/cf/domain is the directory which contains the generic.m4 file.This file is included by M4 while the generation of the "*.cf" file. The domain folder contains the basic configurations of domain examples. The generic.m4 file is used, if we have any domain routing needs such as how to handle the msgs based on a domian or a sub-domain, masqurading etc. It contains the derivatives for
    .forward file path
    maximum mail Header Length.
    use of cw file etc.

MAILER(local)dnl   &
MAILER(smtp)dnl

    sendmail-8.14.2/cf/mailer is the directory which contains the M4 for local,smtp as well as procmail.
    Here every mailer has their own defnitions. inlcudes the path of program and the rules.
    local mailer permits the redirection of the msgs in to programs.

Running

`./Build install-cf`

inside the cf directory to create the configuration file is equal to
In source:

[root@centos cf]# pwd
/root/sendmail/sendmail-8.14.2/cf/cf
[root@centos cf]# m4  ../m4/cf.m4 sendmail.mc

In RPM based:

#m4 sendmail.mc > sendmail.cf

SENDMAIL Notes 6: Sendmail with DNS FQDN & MX records

    Remote mail involves the usage of SMTP thus sendmail needs the name resolution to route the mails. For this sendmail uses DNS or uses /etc/hosts.
Find the FQDN of a host

 # hostname -f

    If the FQDN (which can retrieve the ip to query) is used to send the mail, then sendmail bypasses the MX record.

Sendmail DNS Usage:
Using FQDN:
    Sendmail performs the DNS lookup for the defined host address and gets the IP address and then delivers the msg to the destination.Remote hosts either accepts the mail or Routes the mail using any local mailer or Relays to another destination upon the configuration.
For example:

#sendmail -v kiran@mail1.india.mydomain.com

In this above example sendmail will use the 'A' record for the given address. Because the exact address of the mail server is given here for the "domain mydomain.com"

Using MX:
    MX is a special type of DNS record called as Mail Exchanger Record.When mail server actualy query a Domain for direct mail, they query the dns server for the MX record and once found sendmail will attempt to direct the mail to destination according to the priority of MX record.
   
Normally an "A" record is enough to get the IP address of the host for sendmail to send the mail.But MX is used because to distinguish/identify the  mail servers in the given domain
For Example:-

#sendmail -v kiran@mydomain.com

    In this case sendmail has to get the ip address of the mail server for the domain "mydomain.com" to route the mail. So sendmail does a "MX" record query upon the given domain.
(So in nameserver the MX record entry for mail1.india is added to the domain mydomain.com; Make sure that we have a 'A' record created for the same MX record)
    This means any the mail comes to kiran@mydomain.com will be routed to mail1.india.mydomain.com to process with.

Backup MX & Priority in MX:

    mydomain.com.    14000    IN    MX    20    mail2.india.mydomain.com.
    mydomain.com.    14000    IN    MX    10    mail1.india.mydomain.com.

    In this entry in dns with respect to the MX record the host which primarily contacts the server which has priority 10. Incase of unavailable of server which has priority 10 then the MTA will contact the server which has priority 20.
If a backup MX server is running make sure that the user mail box is located in the backup mail server as well.

SENDMAIL Notes 5: Sendmail - Aliases

    Aliases is used to handle mails to a non existing address. This will allow to redirect the msgs destined to a given name to a real user.
eg:-

postmaster: kiran@domain.com,jrkiran@domain.com

    So when a mail comes in sendmail will check the aliases db for the aliases defined for new msgs, and according to the aliases defined sendmail attempts to deliver the msgs to the delivery agent by adding or modifying the headers of the msg with aliases defined in aliase db.

The Aliases File:
Default Aliases in system:

MAILER-DAEMON:  postmaster
postmaster:    root

When a msg is bounced or problem delivering a msg the destination of the msg will be MAILER-DAEMON.
i.e, if a mail is send to a non existing user then the mail header is modified to MAILER-DAEMON as user.
This means the problem msg or bounced msg has to go some where, and sendmail delivers it to MAILER-DAEMON.
MAILER-DAEMON is aliased to postmaster, and postmaster aliased to root - hence the mail is delivered to root.

Aliases File is case insensitive:
The aliases defined in sendmail is case insensitive.
After changing the aliases no need to restart or reload the sendmail  service because in each and every request sendmail consults the db of aliases.

Types of aliases defined

There are 5 types of aliases:

1. 1-to-1 Aliases.(1 alias map to one local username)
eg:-

postmaster:    root
bin:    root
support:    kiran

    2. 1-to-many or 1-to-lists
eg:-

info:    kiran,jithu,rinz
sales:    hr,joe,nick

    3. using include directive in aliases file.
This will allow aliases to include the list from separate file
eg:-

finance:    :include:/full/path/to/list.list

"users or mail address in the list file can be separated by comma."
    4. File Redirection Aliases - Re-route the message to file
eg:-

abuse:    root,/var/log/abuse/mail
help:    /var/log/help

    All mail send to the user abuse will be re - routed in to /var/log/abuse/mail. This will help to collect the evidences of mail that is routed for given aliases. The file should not have the execute permission. Else sendmail will fail to write to this file
5.Redirecting the E-mail to PIPE (redirecting the output to an application)
    when a mail comes we can send the output to certain commands. for example if mail comes for the user john and the is in vacation then we can redirect the mail to the program "vacation" to send the automated reply.
eg:-

kiran:    "|/usr/bin/vacation kiran"

Creating a aliases
Add entry

#vim /etc/mail/aliase
support:    kiran

Update db

#newaliases

Test the aliase file

#sendmail -bi

Test the aliase

# sendmail -bv support
kiran... deliverable: mailer local, user kiran

    This means aliases support is deliverable, and it uses mailer local, and user who ultimately get msg.

Vacation Program
To enable the vacation program for an user called fazi install the vacation program that comes along with the sendmail binary.

Create a forward file

# vim ~/.forward
\fazi, "|/usr/bin/vacation -t0 fazi"

Now create the msg that needed to be auto reply.

# vim ~/.vacation.msg
Hi Thanks for you mail !
hai i am on vacation
will ping you once i'm back

This will invoke an automated reply to the sender including the msg body from the file .vacation.msg.

SENDMAIL Notes 4 : Sendmail Logs Analyze

Mail logging configuration in syslog.conf

#grep -i mail /etc/syslog.conf
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none            /var/log/messages
# Log all the mail messages in one place.
mail.*          ;     -/var/log/maillog

logging format of syslog.conf

#facility.severity    destination

    facility      = mail, kern etc
    severity    =  info,err,warn,debug
    destination = /var/log/messages, /var/log/maillog

/var/log/messages will be logged other than all mail logs, i.e no maillogs will be logged to /var/log/messages and /var/log/maillog will be logged with all the mail activities.

To log the mail activities separately use the following option in /etc/syslog.conf

mail.*        -/var/log/mail
mail.info    -/var/log/mail.info
mail.warning    -/var/log/mail.warn
mail.err    -/var/log/mail.err

This will log separately to each files

MailLog format:

Ack Log for msg received in MTA:

Sep 13 09:08:36 centos sendmail[6265]: n8D58YWM006265: from=, size=640, class=0, nrcpts=1, msgid=<200909130508.n8D58Y1x006264@centos.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

explore:
Daily Time stamp: message came from server: Daemon: Process ID: queue ID: From Server: size of message: class: number of recipient: msg id: relay=root@localhost (who has send the message from which host)

MSG Delivery Log:

Sep 13 09:08:36 centos sendmail[6268]: n8D58YWM006265: to=, ctladdr= (502/502), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30830, dsn=2.0.0, stat=Sent

explore:
Time stamp:hostname:daemon:PID:queue ID: to=recipient:ctladdr=is the local user who sends the msg (ctladdr user ID /& Group ID):delay=is expressed the amount of time between the msg recieved and delivered:xdelay=amount of time taken to transfer the msg (from user to user or host to host):mailer=the type of the mailer used in sendmail:pri=priority:dsn= Delivery Status Notification(Email Delivery Error Codes ):status=status of msg delivery 

Email Delivery Codes: Errors (Delivery Status Notification: DSN)
   

How many times you got your outgoing emails back and wondered what is wrong with it? Every time when your email can not be delivered, the SMTP server sends you a notification, which includes a standard error message, associated with the real problem.
     Each code is composed of three digits (X.X.X). The first digit gives the status of the email message:

2 means the email was succesfully sent; 4 means there was a temporary problem while sending the email (your email server may try to send it again or you have to resend it, depending on your server settings). Such error messages are using codes like 4.X.X, where X.X are used in order to give more precise information about the error; 5 means there is a permanent/fatal error related to the email (the email address of the receiver does not exist, it doesn't accept emails from you, etc). Such error messages are using codes like 5.X.X, where X.X are used in order to give more precise information about the error. Here is a complete list of email delivery error codes, based on the Extended SMTP (ESMTP) standards, where X can be 4 or 5, depending on the error type (Persistent Transient or Permanent): X.1.0 Other address status X.1.1 Bad destination mailbox address X.2.0 Bad destination system address X.1.3 Bad destination mailbox address syntax X.1.4 Destination mailbox address ambiguous X.1.5 Destination mailbox address valid X.1.6 Mailbox has moved X.1.7 Bad sender's mailbox address syntax X.1.8 Bad sender's system address X.2.0 Other or undefined mailbox status X.2.1 Mailbox disabled, not accepting messages X.2.2 Mailbox full X.2.3 Message length exceeds administrative limit. X.2.4 Mailing list expansion problem X.3.0 Other or undefined mail system status X.3.1 Mail system full X.3.2 System not accepting network messages X.3.3 System not capable of selected features X.3.4 Message too big for system X.4.0 Other or undefined network or routing status X.4.1 No answer from host X.4.2 Bad connection X.4.3 Routing server failure X.4.4 Unable to route X.4.5 Network congestion X.4.6 Routing loop detected X.4.7 Delivery time expired X.5.0 Other or undefined protocol status X.5.1 Invalid command X.5.2 Syntax error X.5.3 Too many recipients X.5.4 Invalid command arguments X.5.5 Wrong protocol version X.6.0 Other or undefined media error X.6.1 Media not supported X.6.2 Conversion required and prohibited X.6.3 Conversion required but not supported X.6.4 Conversion with loss performed X.6.5 Conversion failed X.7.0 Other or undefined security status X.7.1 Delivery not authorized, message refused X.7.2 Mailing list expansion prohibited X.7.3 Security conversion required but not possible X.7.4 Security features not supported X.7.5 Cryptographic failure X.7.6 Cryptographic algorithm not supported X.7.7 Message integrity failure

Note:
For checking the mail log - Better to grep the queue id from maillog to check the msg status:

# grep queueid /var/log/maillog
# grep "Aug 15" /var/log/maillog