Sendmail Server Hardening Checklist: SPF, DKIM, DMARC, and Rate Limits
Securing a Sendmail server requires layered controls: proper authentication and anti-spoofing records (SPF, DKIM, DMARC), server configuration hardening, and operational controls such as rate limiting and monitoring. This checklist gives actionable steps, configuration examples, and verification commands to reduce abuse, improve deliverability, and protect your mail infrastructure.
1. Inventory & Baseline
- List domains served and sending IPs.
- Audit open relays: verify no unauthorized relaying.
- Collect current configs: /etc/mail/sendmail.mc and sendmail.cf, MTA logs (maillog/messages).
Verification:
- Test relay with:
  - telnet mail.example.com 25 (substitute your server's hostname)
  - EHLO, then attempt MAIL FROM/RCPT TO with an external recipient address; a relay attempt from an untrusted client should be rejected.
- Check logs: grep sendmail /var/log/maillog
2. Apply OS & Sendmail Updates
- Keep OS and sendmail packages up-to-date (security patches).
- Use your package manager (yum/apt) or rebuild from source with latest stable release.
Commands (examples):
- yum update sendmail
- apt update && apt upgrade sendmail
3. Restrict Relaying
- In sendmail.mc, ensure FEATURE(`access_db')dnl is enabled and access.db has appropriate rules.
- Add to /etc/mail/access:
  - Connect:localhost.localdomain RELAY
  - Connect:127.0.0.1 RELAY
  - Connect:your.trusted.ip RELAY
  - From:@yourdomain.com RELAY
  - Otherwise REJECT (with no matching entry, sendmail denies relaying by default).
  Note: a From: RELAY entry is keyed on the envelope sender, which any client can forge; prefer Connect: entries for known IPs and authenticated submission (section 11) for users.
Rebuild and restart:
- makemap hash /etc/mail/access.db < /etc/mail/access
- m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
- systemctl restart sendmail
4. Enforce TLS (STARTTLS)
- Generate or install a valid TLS certificate (Let's Encrypt or commercial CA).
- In sendmail.mc:
  - define(`confCACERT_PATH', `/etc/ssl/certs')dnl
  - define(`confCACERT', `/etc/ssl/certs/ca-bundle.crt')dnl
  - define(`confSERVER_CERT', `/etc/ssl/certs/mail.example.com.crt')dnl
  - define(`confSERVER_KEY', `/etc/ssl/private/mail.example.com.key')dnl
  - define(`confCLIENT_CERT', `/etc/ssl/certs/mail.example.com.crt')dnl
  - define(`confCLIENT_KEY', `/etc/ssl/private/mail.example.com.key')dnl
Rebuild sendmail.cf and restart. Verify with:
- openssl s_client -starttls smtp -crlf -connect mail.example.com:25
5. Implement SPF (DNS)
- Create a TXT DNS record for each sending domain.
Example:
- "v=spf1 ip4:203.0.113.45 include:_spf.example.com -all"
Guidance:
- Start with ~all (softfail) when testing, then move to -all (hard fail).
- Include only trusted mail senders (MTA IPs, third-party services).
Verify:
- Use dig or online SPF checkers: dig TXT yourdomain.com
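As an added illustration of how a receiver evaluates the SPF record above (this code is not from the original checklist), the following Python implements the ip4, ip6, include and all mechanisms of RFC 7208 and shows why -all versus ~all changes the result for an unlisted IP. The DNS_TXT table is a constructed stand-in for live TXT lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: offline demo, not live DNS).
DNS_TXT = {
    "yourdomain.com": "v=spf1 ip4:203.0.113.45 include:_spf.example.com -all",
    "_spf.example.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate SPF for sender_ip claiming to send for domain.

    Subset of RFC 7208: ip4, ip6, include and all mechanisms only.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # a bare mechanism means "pass if matched"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            inner = check_spf(arg, sender_ip, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"      # RFC 7208: include of a missing record
            matched = inner == "pass"   # include matches only on an inner pass
        elif name == "all":
            matched = True
        else:
            return "permerror"          # a, mx, exists, redirect not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # ran off the end with no 'all' term
```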
6. Implement DKIM (signing outbound mail)
- Install opendkim and integrate it with sendmail using a milter.
High-level steps:
- Install the opendkim package.
- Generate a key per domain: opendkim-genkey -s default -d yourdomain.com
- Add the public key to DNS as a TXT record under default._domainkey.yourdomain.com.
- Configure /etc/opendkim.conf with KeyTable, SigningTable, and Socket.
- In sendmail.mc, add:
  - INPUT_MAIL_FILTER(`opendkim', `S=unix:/var/run/opendkim/opendkim.sock')dnl
Rebuild, then restart sendmail and opendkim. Verify that outbound mail carries a DKIM-Signature header and check it with tools such as opendmarc-test or online DKIM checkers.
7. Implement DMARC (policy + reporting)
- Add a DNS TXT record for _dmarc.yourdomain.com.
Example:
- "v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; aspf=r; adkim=s"
Guidance:
- Start with p=none for monitoring, then move to quarantine or reject after validating.
- Configure rua/ruf addresses to collect aggregate and forensic reports; use an address that can accept large volumes or a third-party report processor.
Verify:
- dig TXT _dmarc.yourdomain.com
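As an added example (not part of the original checklist), the following Python shows how a receiver applies a record like the one above: it parses the tags, tests SPF and DKIM identifier alignment under aspf=r and adkim=s, and derives the disposition including pct sampling. The record and its report addresses are constructed placeholders, and org_domain is a two-label simplification that ignores the public suffix list.

```python
import random

# Constructed record in the shape of the section above; report addresses are placeholders.
DMARC_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@yourdomain.com; "
                "ruf=mailto:dmarc-ruf@yourdomain.com; pct=100; aspf=r; adkim=s")


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict, filling the RFC 7489 defaults."""
    tags = {"pct": "100", "aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record")
    tags["pct"] = int(tags["pct"])
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (no public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' only the organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain, roll=None):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain that SPF checked; dkim_domain is the d= of a
    verified signature (None if none verified). roll fixes the pct sampling for tests."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # pct=N applies the policy to N% of failing mail; the rest get the next weaker action.
    roll = random.randint(1, 100) if roll is None else roll
    weaker = {"reject": "quarantine", "quarantine": "none", "none": "none"}
    return "fail", (policy["p"] if roll <= policy["pct"] else weaker[policy["p"]])
```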
8. Rate Limits & Throttling
- Prevent abuse and backscatter by limiting outbound/inbound message rates and concurrent connections.
Options:
- Sendmail built-in: use conncontrol (if available) and rulesets.
- Use external tools/proxies (postfwd is for Postfix; for sendmail, consider policyd or a custom milter).
- Implement per-IP or per-domain throttling at the firewall (iptables, nftables) or an SMTP proxy.
Suggested targets:
- Connections per IP: 10–20/hour for general users; lower for shared environments.
- Messages per hour per user: 100–500 depending on use case.
- Concurrent SMTP connections: limit to 20–50.
Monitoring + action:
- Monitor logs and flow; if thresholds are exceeded, temporarily reject with a 4xx response or rate-limit via a milter.
9. Anti-abuse Controls
- Enable recipient verification to reduce backscatter.
- Maintain up-to-date RBL/blacklist checking in access.db (e.g., zen.spamhaus.org).
- Use spam filters (SpamAssassin, rspamd) with proper integration.
- Reject invalid HELO/EHLO and malformed envelopes, and verify reverse DNS for incoming connections.
10. Logging, Monitoring & Alerting
- Centralize logs (rsyslog/syslog-ng) and parse maillog.
- Track metrics: bounce rate, deferred queue size, rate of outgoing emails, and successful deliveries.
- Alert on spikes in outbound mail (possible compromise).
Commands:
- tail -F /var/log/maillog
- logwatch or custom scripts + alerting (PagerDuty/email).
11. Access Controls & Authentication
- Require authenticated SMTP (AUTH) for submission on port 587; disable plain-text auth on port 25.
- In sendmail.mc, enable SASL (e.g., cyrus-sasl or dovecot SASL).
- Require the submission port (587) with STARTTLS + AUTH.
Example:
- DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
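Sections 8 and 10 above call for watching maillog and acting when per-IP or per-user rates exceed the suggested targets. The following Python is an added example (not from the original page) that parses sendmail "from=" log lines and counts messages per relay IP and per envelope sender per hour against those targets; the log lines, the burst from 192.0.2.9 and the thresholds are all constructed for the demo.

```python
import re
from collections import Counter

# Constructed sendmail maillog excerpt (not real traffic): one "from=" line per message.
MAILLOG = """\
Mar 10 14:02:11 mail sendmail[2101]: 52AE2Bxx002101: from=<alice@yourdomain.com>, size=812, class=0, nrcpts=1, msgid=<m1@yourdomain.com>, proto=ESMTP, daemon=MSA, relay=laptop.yourdomain.com [203.0.113.45]
Mar 10 14:03:40 mail sendmail[2133]: 52AE3exx002133: from=<bob@example.net>, size=4401, class=0, nrcpts=1, msgid=<m2@example.net>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Mar 10 14:05:02 mail sendmail[2150]: 52AE52xx002150: from=<alice@yourdomain.com>, size=790, class=0, nrcpts=3, msgid=<m3@yourdomain.com>, proto=ESMTP, daemon=MSA, relay=laptop.yourdomain.com [203.0.113.45]
Mar 10 15:11:19 mail sendmail[2201]: 52AFBJxx002201: from=<alice@yourdomain.com>, size=801, class=0, nrcpts=1, msgid=<m4@yourdomain.com>, proto=ESMTP, daemon=MSA, relay=laptop.yourdomain.com [203.0.113.45]
"""

# Constructed burst: 25 messages in one hour from a single untrusted IP.
BURST = "\n".join(
    f"Mar 10 14:{20 + i // 60:02d}:{i % 60:02d} mail sendmail[{3000 + i}]: 52AEK{i:02d}xx00{3000 + i}: "
    f"from=<promo@spoofed.example>, size=2048, class=0, nrcpts=1, msgid=<b{i}@spoofed.example>, "
    f"proto=ESMTP, daemon=MTA, relay=[192.0.2.9]" for i in range(25))

# relay= is logged as "host [ip]" or just "[ip]"; both forms are handled.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hour>\d\d):\d\d:\d\d \S+ sendmail\[\d+\]: \S+: "
    r"from=<(?P<sender>[^>]*)>.*?relay=(?:\S+ )?\[(?P<ip>[^\]]+)\]")


def parse_maillog(text):
    """Yield (hour_bucket, envelope_sender, relay_ip) for each 'from=' line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield f"{m['mon']} {m['day']} {m['hour']}", m["sender"].lower(), m["ip"]


def find_offenders(text, ip_per_hour=20, sender_per_hour=100):
    """Return {'ip': {...}, 'sender': {...}} mapping (key, hour) -> count for counts over threshold.

    Defaults are the upper ends of the checklist's suggested targets."""
    ips, senders = Counter(), Counter()
    for hour, sender, ip in parse_maillog(text):
        ips[(ip, hour)] += 1
        senders[(sender, hour)] += 1
    return {"ip": {k: n for k, n in ips.items() if n > ip_per_hour},
            "sender": {k: n for k, n in senders.items() if n > sender_per_hour}}
```

An IP or sender that shows up here is a candidate for the temporary 4xx rejection the checklist describes, rather than an automatic block.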
12. Backup & Incident Response
- Regularly back up config (/etc/mail), keys (DKIM), and certificates.
- Maintain an incident playbook: revoke keys, rotate creds, block compromised accounts/IPs, notify stakeholders, and review logs.
13. Testing & Verification Checklist
- SPF: dig TXT yourdomain.com and SPF checkers.
- DKIM: send a test email to Gmail or use command-line tools to inspect the headers.
- DMARC: verify DNS entry and review aggregate reports.
- TLS: openssl s_client -starttls smtp -connect mail.example.com:25
- Relay: attempt external relay from untrusted IP (should be rejected).
- Rate limiting: simulate sending to confirm throttles trigger.
14. Example Minimal sendmail.mc Snippets
- Enforce access_db: FEATURE(`access_db')dnl
- Enable MSA submission: DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
- Add milter (opendkim): INPUT_MAIL_FILTER(`opendkim', `S=unix:/var/run/opendkim/opendkim.sock')dnl
Rebuild with m4 and restart sendmail after each change.
15. Ongoing Maintenance
- Review DMARC reports weekly for spoofing.
- Rotate DKIM keys annually or immediately after compromise.
- Keep a change log for MTA config edits.
- Periodically run deliverability tests and check blacklists.
Conclusion
Follow this checklist to secure Sendmail against spoofing and abuse while improving deliverability. Implement SPF, DKIM, and DMARC in stages (monitor, then enforce), enable TLS and authenticated submission, apply rate limits, and maintain monitoring and incident procedures.