HOWTO: Route SMTP traffic from Sendmail to Exchange

Introduction

This guide is aimed at Systems Administrators who wish to implement a GNU Linux/Sendmail gateway to filter email for spam & viruses on behalf of a Microsoft Exchange server. You should be comfortable with supporting a GNU Linux system and a Microsoft Active Directory / Exchange system. Familiarity with DNS (both Windows and BIND), SMTP and router port-forwarding is required before you read on. This guide is very old and has not been tested on later versions of Exchange. The DNS-spoofing and delivering to a sub-domain is still relevant. Office 365 uses the same technique.

This method was tried and tested on Fedora 8 with Sendmail 8.14.2 routing to Microsoft Exchange 6.5 (Build 7638.2, Service Pack 2).

In order to apply this method to your systems, you will need the following installed and working:

Remember: If you use a firewall to re-route your SMTP traffic (on port 25), do not forget to set it to route to the GNU Linux/Sendmail server.


1: Sendmail

In this configuration Sendmail will be providing several functions: (i) inbound SMTP filtering for Exchange; (ii) outbound SMTP "Smart Host" for Exchange; (iii) forwarding of 'root' generated email to the SysAdmin. You may also use it to split email for local delivery (accessed via IMAP/POP3) as well as routing to Exchange based mailboxes (accessed via Outlook).

All of Sendmail's configuration files can be found in /etc/mail, with two exceptions. If you find aliases and aliases.db lounging in /etc, move them to /etc/mail. If you have installed sendmail-cf, you will find a host of M4 macro based configuration files in /usr/share/sendmail-cf/cf.

Configure the following files (in no particular order) to suit your local system and domain(s).

/etc/mail/local-host-names

The file /etc/mail/local-host-names lists all of the domains Sendmail will accept email for, as in the example below:

# Domains this mail server handles.
#
# Gaztronics
#
# Last update: 9th May 2006

gaztronics.com
gaztronics.co.uk
gaztronics.net

If you make any changes to the local-host-names file, remember to restart sendmail afterwards (service sendmail restart).


/etc/mail/aliases

The file /etc/mail/aliases can be used to direct email to local addresses (such as mailing lists), or to external email addresses. As we are handling email for multiple domains, the aliases file is passed over in favour of a Virtual User Table. That said, you should still un-comment the last line and allow 'root' generated mail to be emailed to you; as in the example below:

root:     me@somedomain.com

You could also have 'root' generated email sent to two people (if two administrators need to keep tabs on a system) as in the example below:

root:     me@somedomain.com,you@anotherdomain.com

Remember to run the command newaliases after changing the aliases file, then restart Sendmail for the changes to take effect.


/etc/mail/access

The access control file is very important - you must set this up correctly to ensure your server does not become an open SMTP relay. If it does, you may well end up blacklisted!

The example below details a working access control file (the domain names have been changed to protect the guilty!).

# Access control file for Sendmail
#
# Gaztronics
#
# Last update: 9th May 2006

#########################################
# SMTP Relay                            #
#########################################

# Relay localhost
#
127.0.0.1                        RELAY

# Relay Exchange server
#
192.168.20.253                   RELAY

# Relay domains
To:gaztronics.com                RELAY
To:gaztronics.co.uk              RELAY
To:gaztronics.net                RELAY


# Allow Spam-blocked domains in
#
hotmail.com                OK

The Relay localhost section is required to allow locally generated email to be routed via Sendmail. Without this setting, you will not receive any 'root' generated or script generated email.

The Relay Exchange server section should be set to the IP address of your Exchange server, otherwise the "Smart Host" routing from Exchange will be unable to route via Sendmail. If you wish to allow other machines on your network to relay, you can either add their IP addresses, or add the line Connect:192.168.20    RELAY which will open relaying for any machine on your network (remember to set the IP addresses to match your network!).

The Relay domains section simply says: any email to these domains, relay it, otherwise deny relaying. This is used as an add-on to the /etc/mail/local-host-names to add finer control of mail handling.

The final section is used in conjunction with FEATURE(`delay_checks') to allow specific addresses or domains to send email even if they are being flagged by the Realtime Blacklists. Please see the Sendmail Anti-Spam Configuration Control page for more information.

If you make any changes to the access file, remember to restart sendmail afterwards (/etc/init.d/sendmail restart).
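To see how the access rules above separate legitimate relaying from an open relay, here is a small Python model of Sendmail's decision for the two mechanisms this guide uses (a connecting IP or Connect: prefix tagged RELAY, and a To:domain tagged RELAY). This is an added example, not code from the guide or from Sendmail; the client IPs and recipients are constructed sample values.

```python
# Added example, not from the original guide: a small model of how the
# /etc/mail/access rules decide whether Sendmail will relay a message.
# Only two mechanisms are modelled: a connecting IP (or Connect: prefix)
# tagged RELAY, and a To:domain tagged RELAY. IPs are constructed samples.

ACCESS = """\
# Relay localhost
127.0.0.1                        RELAY
# Relay Exchange server
192.168.20.253                   RELAY
# Relay domains
To:gaztronics.com                RELAY
To:gaztronics.co.uk              RELAY
To:gaztronics.net                RELAY
# Allow Spam-blocked domains in (delay_checks); this is not a relay grant
hotmail.com                      OK
"""


def parse_access(text):
    """Return (key, value) pairs from an access file, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split()
            rules.append((key, value.upper()))
    return rules


def relay_allowed(rules, client_ip, rcpt):
    """True if client_ip may relay to rcpt; anything else is rejected."""
    domain = rcpt.rsplit("@", 1)[1].lower()
    for key, value in rules:
        if value != "RELAY":
            continue  # OK, REJECT, DISCARD etc. never grant relaying
        if key.startswith("To:"):
            allowed = key[3:].lower()
            if domain == allowed or domain.endswith("." + allowed):
                return True
        else:
            prefix = key.split(":", 1)[-1]  # strip an optional Connect: tag
            if client_ip == prefix or client_ip.startswith(prefix + "."):
                return True
    return False


if __name__ == "__main__":
    rules = parse_access(ACCESS)
    for ip, to in [("192.168.20.253", "bob@example.org"),
                   ("203.0.113.9", "info@gaztronics.com"),
                   ("203.0.113.9", "bob@example.org")]:
        print(ip, "->", to, "relay" if relay_allowed(rules, ip, to) else "reject")
```

The third case (an outside host sending to an outside domain) is the one that must be rejected; if it were accepted, the server would be an open relay.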


/etc/mail/virtusertable

The Virtual User Table is used when you need to handle email for multiple domains. The table gives you a finer control over addressing and routing than the aliases file, hence its use in this guide.

The example below handles inbound email for three domains and routes either to an external email address, or to the Exchange server.

# Virtual User Table
#
# Gaztronics
#
# Last updated: 9th May 2006

# RFC2142 Routing
#
abuse@gaztronics.com        me@somedomain.com
abuse@gaztronics.co.uk      me@somedomain.com
abuse@gaztronics.net        me@somedomain.com
postmaster@gaztronics.com   me@somedomain.com
postmaster@gaztronics.co.uk me@somedomain.com
postmaster@gaztronics.net   me@somedomain.com

#################################################################################
# Gaztronics.com                                                                #
#################################################################################

# General addressing
#
info@gaztronics.com       info@mail.gaztronics.com
office@gaztronics.com     info@mail.gaztronics.com

# User addressing
#
orinoco@gaztronics.com      orinoco@mail.gaztronics.com
tomsk@gaztronics.com        tomsk@mail.gaztronics.com
bungo@gaztronics.com        bungo@mail.gaztronics.com

#################################################################################
# Gaztronics.co.uk                                                              #
#################################################################################

# General addressing
#
office@gaztronics.co.uk       office@mail.gaztronics.co.uk
info@gaztronics.co.uk         office@mail.gaztronics.co.uk

# User addressing
#
tobermory@gaztronics.co.uk         tobermory@mail.gaztronics.co.uk
madame.cholet@gaztronics.co.uk     madam.cholet@mail.gaztronics.co.uk

#################################################################################
# Gaztronics.net                                                                #
#################################################################################

# General addressing
#
office@gaztronics.net       office@mail.gaztronics.net
info@gaztronics.net         office@mail.gaztronics.net

great_uncle_bulgaria@gaztronics.net      gub

#################################################################################

The RFC addresses in the above example route to another host, as this assumes you are remote from the system and require the email routing to your own mailbox. You can change these addresses to deliver locally if you are drawing your email from the mail server (as opposed to an Exchange server).

The general and user addresses in the above example break down into two parts: (i) in-bound address on Left Hand Side; (ii) address/user to route to on Right Hand Side. In this example, we are re-routing to 'mail.gaztronics.com' in order to forward to the Exchange server. The DNS configuration (explained below) is set to point at the Exchange server, thus email is routed across the network without creating a mail loop.

The "great_uncle_bulgaria" address is set to deliver to a local account called "gub", but this could also alias an entry in the aliases file (see 'root' example above in the /etc/mail/aliases section) and deliver both locally and forward to an external device, such as a Blackberry.

Remember to restart Sendmail if you make any changes to your virtusertable.


/etc/mail/sendmail.mc

We now move on to the heart of how Sendmail will operate. All of your site configuration details should be loaded into /etc/mail/sendmail.mc.

To help newbies trying to get to grips with the complexities of Linux, the following sendmail.mc file should get you going.

The above example assumes you have clamav-milter, spamass-milter and greylist-milter configured and working.

For a deeper explanation of the above mc file, please see the Sendmail documentation.

Remember to restart Sendmail if you make any changes to your mc file.


2: BIND

In order to route email correctly, we must operate BIND in two modes: caching nameserver and local lookup; the latter being the most important. If the re-routed mail 'A' record does not resolve to the Exchange server, email will bounce.

Most distros come with a modular form of BIND, which makes life easier. You should only need "bind", "bind-libs" and "caching-nameserver". You will not need "bind-chroot", unless you are transferring DNS records around a network of servers.

Before we can route email, we must create zone files in /var/named and add their details to /etc/named.conf. The following example can be modified to fit your domain name(s).

/var/named

The first file to create is a "forward" lookup file. This will resolve names to IP addresses. Feel free to name the files how you see fit, but remember what they are called when you add them to /etc/named.conf. In the example below, I have called the file "com.dns" as this file contains all of the forward lookup details for gaztronics.com.

; DNS Zone file for gaztronics.com
;
; Gaztronics
;
; Last updated: 9th May 2006

$TTL 259200
@    IN    SOA    gaztronics.com. hostmaster.gaztronics.com. (
          2006050901 ; serial, today's date + today's serial #
          28800 ; Refresh
          7200 ; Retry
          604800 ; Expire
          86400) ; Minimum

      NS    dns.gaztronics.com.
      MX    10 mail

gaztronics.com. A 192.168.20.252

mail A 192.168.20.252

mailer A 192.168.20.253

gateway A 192.168.20.254

In the above example, our Exchange server resolves against 'mail' on 192.168.20.252 and our GNU Linux/Sendmail system resolves against 'mailer' on 192.168.20.253. Our router to the outside world (also known as default gateway) resolves against 192.168.20.254. The line MX 10 mail resolves to the mail 'A' record when an MX lookup is performed. Try the command dig MX mydomain.com (substituting 'mydomain.com' for your own domain name) to check your DNS is resolving the correct information.

The line in the above example gaztronics.com. A 192.168.20.252 provides a domain "Catch-all". The dot (period) after the domain TLD is important; miss this off and your catch-all will not work!

Remember to change these entries to match your own IP configuration.

If you operate more than one domain, copy the example "com.dns" and create a forward lookup file for that domain. The file will need to contain the same lookup information in order to route correctly.
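Because a forward zone that does not resolve the re-routed 'mail' name to the Exchange server makes email bounce, and a catch-all without its trailing dot silently becomes "gaztronics.com.gaztronics.com.", it is worth checking a zone file before loading it. The following added example (not part of the guide, and not using BIND itself) parses a "com.dns" style zone and reports those problems; the zone text is a constructed sample matching the one above, and the Exchange IP is passed in as a parameter.

```python
# Added example, not from the original guide: parse a "com.dns" style forward
# zone and check what the text says must hold before re-routed mail is
# delivered: the MX target has an A record, that record is the Exchange
# server, and the bare-domain catch-all keeps its trailing dot.
# The zone text below is a constructed sample.

ZONE = """\
$TTL 259200
@   IN  SOA gaztronics.com. hostmaster.gaztronics.com. ( 2006050901 28800 7200 604800 86400 )
    NS  dns.gaztronics.com.
    MX  10 mail
gaztronics.com. A 192.168.20.252
mail A 192.168.20.252
mailer A 192.168.20.253
gateway A 192.168.20.254
"""


def qualify(name, origin):
    """Turn a zone owner/target into a fully qualified name ending in a dot."""
    if name == "@":
        return origin + "."
    return name if name.endswith(".") else name + "." + origin + "."


def parse_zone(text, origin):
    """Collect A records by FQDN and MX targets; other record types are ignored."""
    a_records, mx_targets = {}, []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop ; comments
        if len(fields) == 3 and fields[1] == "A":
            a_records[qualify(fields[0], origin)] = fields[2]
        elif "MX" in fields:  # owner omitted, so the target is the last field
            mx_targets.append(qualify(fields[-1], origin))
    return a_records, mx_targets


def check_zone(text, origin, exchange_ip):
    """Return a list of problems; an empty list means the zone routes mail."""
    a_records, mx_targets = parse_zone(text, origin)
    problems = []
    for target in mx_targets:
        if target not in a_records:
            problems.append("MX target %s has no A record" % target)
        elif a_records[target] != exchange_ip:
            problems.append("MX target %s resolves to %s, not the Exchange server"
                            % (target, a_records[target]))
    if origin + "." + origin + "." in a_records:
        problems.append("catch-all is missing its trailing dot")
    if origin + "." not in a_records:
        problems.append("no catch-all A record for %s" % origin)
    return problems
```

Running check_zone on a copy of the zone with the dot removed from the catch-all line reproduces exactly the failure described above.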


With our forward lookup files created, we need to create a reverse lookup file. The reverse lookup allows resolution of IP addresses to names. You should only need one reverse file as your GNU Linux/Sendmail system will operate with a primary domain, e.g. gaztronics.com. All other forward domains are simply for inbound email handling.

The example listed below is a typical reverse lookup file (called reverse.dns).

; Reverse zone file
;
; Last updated: 9th May 2006
;

$TTL 259200
@     IN     SOA    gaztronics.com. hostmaster.gaztronics.com. (
            2006050901 ; serial, today's date + today's serial #
            28800 ; Refresh
            7200 ; Retry
            604800 ; Expire
            86400) ; Minimum

       NS     dns.gaztronics.com.

252     PTR    exchange.gaztronics.com.
253     PTR    mailer.gaztronics.com.
254     PTR    gateway.gaztronics.com.

/etc/named.conf

In order to use the newly created forward and reverse zone files, you must add their details to the named.conf file and restart the daemon. The example below shows the type of information that should be added to /etc/named.conf to allow the forward and reverse zones to operate.

zone "20.168.192.in-addr.arpa" {
     type master;
     notify no;
     file "reverse.dns";
     allow-update { none; };
     allow-query { any; };
};

zone "gaztronics.com" {
     type master;
     notify no;
     file "com.dns";
     allow-update { none; };
     allow-query { any; };
};

include "/etc/rndc.key";

The line zone "20.168.192.in-addr.arpa" defines the reverse lookup for the IP range 192.168.20.xxx. If you operate on an IP range of 192.168.0.xxx (for example), your entry should read: zone "0.168.192.in-addr.arpa".

The line zone "gaztronics.com" defines the forward lookup for the gaztronics.com domain. If you have created a second (or third) forward lookup file, create an entry for that file using the same details, as in the example below:

zone "gaztronics.co.uk" {
     type master;
     notify no;
     file "couk.dns";
     allow-update { none; };
     allow-query { any; };
};

All of these entries must come before the line include "/etc/rndc.key"; otherwise your BIND configuration will not work.

Remember to restart BIND to load the changes (/etc/init.d/named reload).

For more information on BIND please see the Internet Software Consortium website.


3: Exchange

We will assume that you have a fully operational Active Directory/Exchange system that you wish to modify to operate with the newly installed GNU Linux/Sendmail gateway. You will need to modify each user's email address and set the Smart Host option as detailed below.

Email addressing

Open the Active Directory management console: Start > Programs > Administrative Tools > Active Directory Users and Computers

Double click on a user and select the "E-mail Addresses" tab. They should already have their primary address (in bold) which Outlook uses as their From: address; ensure this matches the Virtual User Table address, else they will not receive any email. You now need to add another SMTP address to allow email from the GNU Linux/Sendmail system.

Click the 'New' button. Select "SMTP Address". Enter the address in the following style: user@mail.domain.com (e.g. gary@mail.gaztronics.com). This address should match the address used as the redirect address in the Virtual User Table. Click OK to close the dialogue boxes. This user is now ready to accept email from the GNU Linux/Sendmail system.

You will need to repeat the above for all of your users.

Smart Host

To finish, we need to route all outbound email from Exchange to the GNU Linux/Sendmail system. We do this via Exchange's "Smart Host" option.

Open your Exchange System Manager. Expand +Servers, +Protocols, +SMTP. Right click on "Default SMTP Virtual Server". Click on the 'Delivery Tab' and click the 'Advanced' button. In the 'Smart Host' field, enter the DNS name of your GNU Linux/Sendmail system; in this example "mailer.gaztronics.com".

Note: You will need to enter a forward DNS lookup for your GNU Linux/Sendmail system in your Windows server's DNS table, as Exchange will not accept an IP address for the Smart Host.

Restart your SMTP server service (or reboot the whole server) and you are ready to go!


Page updated: 15th August 2021