How to Set Up a Sendmail Server: Step-by-Step Guide

Setting up a Sendmail server can be a valuable skill for administrators who need a lightweight, flexible Mail Transfer Agent (MTA) on Unix-like systems. This guide walks through planning, installation, basic configuration, securing, testing, and troubleshooting a Sendmail server. It assumes a Linux environment (CentOS/RHEL/Ubuntu) and root or sudo access.
Overview and prerequisites
Sendmail is a traditional MTA that handles sending and routing email. Although many administrators now prefer Postfix or Exim for ease of configuration, Sendmail remains useful in legacy environments and where its flexibility is needed.
Prerequisites:
- A server running a modern Linux distribution (examples below use RHEL/CentOS and Ubuntu).
- Root or sudo privileges.
- A registered domain name (example: example.com).
- A static public IP address (recommended).
- Control over your DNS records (A, MX, PTR).
- Basic familiarity with shell, editors (vi/nano), and systemctl.
Step 1 — Plan your mail flow and DNS
Decide how mail will be handled:
- Will the server accept incoming mail for your domain(s)? (requires MX record)
- Will it only send outbound mail (e.g., for applications)?
- Will it relay mail for internal hosts?
DNS records to prepare:
- MX record pointing to your mail host (mail.example.com).
- A record: mail.example.com → server IP.
- PTR (reverse DNS) for the IP pointing to mail.example.com (set by your provider).
- SPF record published as a DNS TXT record, for example: "v=spf1 a mx ip4:203.0.113.5 -all"
- DKIM (optional but recommended) and DMARC (monitoring/policy).
Step 2 — Install Sendmail and necessary packages
On RHEL/CentOS:
    sudo yum install sendmail sendmail-cf m4
    sudo systemctl enable sendmail
    sudo systemctl start sendmail
On Ubuntu/Debian:
    sudo apt update
    sudo apt install sendmail sendmail-cf m4
    sudo systemctl enable sendmail
    sudo systemctl start sendmail
sendmail-cf provides configuration macros; m4 is used to generate sendmail.cf from sendmail.mc.
Step 3 — Basic configuration: hostname and sendmail.mc
- Set the server hostname to your mail host:
    sudo hostnamectl set-hostname mail.example.com
Confirm /etc/hostname and /etc/hosts map correctly (add the A record IP):
    127.0.0.1 localhost
    203.0.113.5 mail.example.com mail
- Edit the Sendmail macro configuration at /etc/mail/sendmail.mc (path may vary by distro). Key changes:
  - Define the domain and MAILER(s).
  - Enable SMART_HOST if relaying through an upstream SMTP.
Example minimal sendmail.mc edits:
    define(`SMART_HOST', `smtp.yourrelay.example')dnl
    define(`confDOMAIN_NAME', `example.com')dnl
    DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')dnl
    MASQUERADE_AS(`example.com')dnl
    FEATURE(`masquerade_envelope')dnl
    FEATURE(`masquerade_entire_domain')dnl
If you want Sendmail to accept connections on all interfaces, remove or modify DAEMON_OPTIONS that bind to 127.0.0.1.
- Rebuild sendmail.cf and restart Sendmail (the output redirection has to run as root, so it is wrapped in sh -c):
    cd /etc/mail
    sudo sh -c 'm4 sendmail.mc > sendmail.cf'
    sudo systemctl restart sendmail
Step 4 — Local users and mail delivery
Sendmail delivers to local Unix users by default (procmail/aliases). Key tasks:
- Set up /etc/aliases to forward root and system accounts:
    postmaster: [email protected]
    root: [email protected]
Rebuild aliases database:
    sudo newaliases
- For virtual users or mailbox storage (Maildir/Mbox), configure procmail or use an LDA. To deliver to Maildir for a user, add a .procmailrc in their home directing to Maildir.
Step 5 — Authentication and relaying
To allow authenticated SMTP (submission) from remote clients:
- Install and configure Cyrus SASL or Dovecot SASL. Example with cyrus-sasl:
    sudo yum install cyrus-sasl cyrus-sasl-plain
- Edit /etc/mail/sendmail.mc to enable AUTH and submission port:
    define(`confAUTH_OPTIONS', `A p')dnl
    FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
    DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
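- Create /etc/mail/authinfo with credentials for a relay or for client auth, then hash it. The file and the generated authinfo.db hold a plaintext password, so keep both readable by root only:
    AuthInfo: "U:root" "I:username" "P:password"
Then build the map (the input redirection runs as root so it works on a root-only file):
    sudo sh -c 'makemap hash /etc/mail/authinfo < /etc/mail/authinfo'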
- Rebuild sendmail.cf and restart.
Note: exact auth config varies by distro and SASL backend; consult SASL docs for secure password storage.
Step 6 — Secure the server (TLS/SSL, firewall)
TLS:
- Obtain a certificate (Let’s Encrypt recommended).
- Configure Sendmail to use it by adding to sendmail.mc:
    define(`CERT_DIR', `/etc/letsencrypt/live/mail.example.com')dnl
    define(`confCACERT_PATH', `CERT_DIR')dnl
    define(`confCACERT', `CERT_DIR/chain.pem')dnl
    define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
    define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
Rebuild and restart.
Firewall:
- Allow ports 25 (SMTP), 587 (submission), and 465 (if using SMTPS) as needed:
    sudo firewall-cmd --add-service=smtp --permanent
    sudo firewall-cmd --add-port=587/tcp --permanent
    sudo firewall-cmd --reload
Reduce open relaying:
- Configure access rules in /etc/mail/access and generate access.db:
    Connect:localhost RELAY
    Connect:192.0.2 RELAY
    Connect:all REJECT
Then:
    sudo makemap hash /etc/mail/access < /etc/mail/access
Add FEATURE(`access_db')dnl in sendmail.mc if not present.
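A static check of sendmail.mc for the settings Steps 5 and 6 depend on, as an added example that is not part of the original guide. The function name audit_mc and both sample files are constructed for illustration; on a real host, point it at /etc/mail/sendmail.mc.

```shell
#!/bin/sh
# Added example: static check of a sendmail.mc against Steps 5 and 6.
# audit_mc FILE prints one finding per line; returns 0 if clean, 1 otherwise.
audit_mc() {
    # Ignore m4 comment lines so commented-out settings do not count.
    active=$(grep -v '^[[:space:]]*dnl' "$1" || true)
    findings=0
    has()  { printf '%s\n' "$active" | grep -Eq "$1"; }
    note() { printf 'FINDING: %s\n' "$1"; findings=$((findings + 1)); }

    has "FEATURE\(.access_db'" ||
        note "access_db not enabled, /etc/mail/access rules are ignored"
    if ! has "define\(.confSERVER_CERT'" || ! has "define\(.confSERVER_KEY'"; then
        note "no TLS certificate and key defined"
    fi
    # AuthOptions 'p' refuses PLAIN/LOGIN unless a security layer (TLS) is active.
    has "define\(.confAUTH_OPTIONS', *.[^']*p" ||
        note "confAUTH_OPTIONS lacks 'p', passwords may cross the wire in clear"
    # Daemon modifier 'a' makes authentication mandatory on the submission port.
    sub=$(printf '%s\n' "$active" | grep -E 'Port=(submission|587)' || true)
    if [ -n "$sub" ] && ! printf '%s\n' "$sub" | grep -Eq 'M=[A-Za-z]*a'; then
        note "submission listener does not require AUTH (no M=...a)"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample files (not from the guide): one weak, one hardened.
tmp=$(mktemp -d)
cat > "$tmp/weak.mc" <<'EOF'
dnl FEATURE(`access_db')dnl
define(`confAUTH_OPTIONS', `A')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=E')dnl
EOF
cat > "$tmp/hardened.mc" <<'EOF'
FEATURE(`access_db')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
EOF
for f in weak hardened; do
    echo "== $f.mc"
    audit_mc "$tmp/$f.mc" || true
done
```

The check reads only the macro file, so run it before rebuilding sendmail.cf to catch a commented-out or missing setting.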
Step 7 — Deliverability: SPF, DKIM, DMARC
- SPF: Add TXT record as in Step 1.
- DKIM: Install OpenDKIM, generate keys, configure milter in sendmail.mc:
INPUT_MAIL_FILTER(`opendkim', `S=local:/var/run/opendkim/opendkim.sock')dnl
Configure OpenDKIM with SigningTable, KeyTable, and add public key to DNS.
- DMARC: Add a TXT record at _dmarc.example.com: "v=DMARC1; p=quarantine; rua=mailto:[email protected]"
Step 8 — Testing
Basic send test from the server:
echo "Test message" | sendmail -v [email protected]
Check logs:
- /var/log/maillog or /var/log/mail.log
Test SMTP from another host:
    telnet mail.example.com 25
    EHLO client.example.com
    MAIL FROM:<[email protected]>
    RCPT TO:<[email protected]>
    DATA
    .
    QUIT
Use online tools to check MX, SPF, DKIM, and blacklists.
Step 9 — Monitoring and maintenance
- Monitor mail queue:
    mailq
    sendmail -bp
- Flush queue:
sendmail -q -v
- Rotate logs and watch for bounces and deferred messages.
- Keep software updated and periodically review /etc/mail/sendmail.mc for required changes.
Troubleshooting common issues
- “Connection refused” — check that Sendmail is running and bound to the correct interface (DAEMON_OPTIONS).
- Bounces with “Relay access denied” — check relay rules and auth configuration.
- TLS errors — verify certificate paths and permissions; ensure proper cert chain.
- Mail marked as spam — check SPF/DKIM/DMARC and PTR; monitor content and sending rates.
- High queue buildup — inspect logs for repeated delivery errors (DNS, recipient server rejections, rate limits).
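Log triage for the relay and queue problems listed above, as an added example rather than code from the original guide. The log lines are constructed samples in Sendmail's usual syslog layout, and relay_denied and deferred_reasons are hypothetical helper names; on a real server pass /var/log/maillog or /var/log/mail.log instead.

```shell
#!/bin/sh
# Added example: summarise rejected relay attempts and deferral reasons.
# relay_denied LOG [MIN] prints "COUNT IP" for sources with >= MIN rejections.
relay_denied() {
    awk -v min="${2:-1}" '
        /ruleset=check_rcpt/ && /Relaying denied/ {
            # The connecting address is the bracketed value in relay=... [IP]
            if (match($0, /relay=[^,]*\[[0-9A-Za-z:.]+\]/)) {
                r = substr($0, RSTART, RLENGTH)
                sub(/^.*\[/, "", r); sub(/\]$/, "", r)
                hits[r]++
            }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# deferred_reasons LOG prints each "stat=Deferred:" reason with its count.
deferred_reasons() {
    sed -n 's/.*stat=Deferred: //p' "$1" | sort | uniq -c | sort -rn
}

# Constructed sample log (addresses from documentation ranges).
log=$(mktemp)
cat > "$log" <<'EOF'
Mar  3 10:15:01 mail sendmail[2101]: 523AF1aa002101: ruleset=check_rcpt, arg1=<a@other.example>, relay=[198.51.100.7], reject=550 5.7.1 <a@other.example>... Relaying denied
Mar  3 10:15:03 mail sendmail[2101]: 523AF1aa002101: ruleset=check_rcpt, arg1=<b@other.example>, relay=[198.51.100.7], reject=550 5.7.1 <b@other.example>... Relaying denied
Mar  3 10:16:40 mail sendmail[2140]: 523AGeab002140: ruleset=check_rcpt, arg1=<c@other.example>, relay=scan.test.example [203.0.113.44], reject=550 5.7.1 <c@other.example>... Relaying denied
Mar  3 10:17:12 mail sendmail[2155]: 523AHCac002155: to=<user@partner.example>, delay=00:00:31, mailer=esmtp, pri=120512, relay=mx.partner.example., dsn=4.0.0, stat=Deferred: Connection timed out with mx.partner.example.
Mar  3 10:18:00 mail sendmail[2160]: 523AI0ad002160: from=<app@example.com>, size=812, class=0, nrcpts=1, relay=localhost [127.0.0.1]
EOF

echo "Relay attempts rejected, per source:"
relay_denied "$log"
echo "Deferred deliveries, per reason:"
deferred_reasons "$log"
```

A steady stream of rejections from one address shows the access rules are working; a source that stops appearing here while outbound volume rises is the case to investigate.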
Alternatives and when to choose them
Sendmail is powerful but complex. Consider:
- Postfix: easier configuration, fast adoption.
- Exim: flexible routing with simpler config than sendmail.
- For small-scale sending from applications, consider using authenticated SMTP relays (SendGrid, Mailgun) or Postfix as a submission-only MTA.
Example minimal sendmail.mc (full)
    divert(-1)dnl
    include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
    VERSIONID(`setup for example.com')dnl
    dnl cf.m4 requires an OSTYPE; use the value your distribution ships
    OSTYPE(`linux')dnl
    define(`confDOMAIN_NAME', `example.com')dnl
    define(`confDEF_USER_ID', `8:12')dnl
    MASQUERADE_AS(`example.com')dnl
    FEATURE(`masquerade_envelope')dnl
    FEATURE(`masquerade_entire_domain')dnl
    FEATURE(`access_db')dnl
    FEATURE(`authinfo')dnl
    DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
    MAILER(smtp)dnl
    MAILER(local)dnl
After editing:
    cd /etc/mail
    sudo sh -c 'm4 sendmail.mc > sendmail.cf'
    sudo systemctl restart sendmail
This guide covers end-to-end setup, basic security, and testing.