How I configured sendmail

This will describe how I configured sendmail, concentrating on the way that I can accept any email sent to something like andrewFromYourName at greatcactus.org. This can be used as an anti-spam technique - you can give a different email address to everyone, and if one address ends up in the hands of evil spammers, you can just block it, and not have to tell everyone else that your email address has changed. It has worked very well for me, although it has sometimes been hard explaining to people that you really have to replace YourName with your actual name. This is not a full sendmail configuration description, and I assume you are familiar with standard Sendmail setup things like MX records.

The following documentation assumes that your domain is greatcactus.org. Of course your should change this to your real domain.

I assume here that you have the following set up:

A Linux server on 24 hours a day which you administer. The following is tested in Fedora Core 2 to 5; it will probably be similar on other systems.
An internet connection that is always on and provides you with a static IP address
Your domain registered, with DNS provided, and an MX record pointing to your static IP address
More than one person whom you want to redirect email to, based upon the prefix on the email address. If you just want all email addresses at some domain going to one mailbox, there are simpler solutions than this.
A way of reading the email once it has gotten to your mailbox

Setup

Ensure that sendmail and sendmail-cf are installed on your system. sendmail-cf is the fedora core package that allows you to configure sendmail reasonably

Keys

If you want to be able to use TLS for encryption of the email transport, you need to get yourself some keys. You can make them yourself, or get someone else to make them. You should make a private ket and public certificate for

CN=greatcactus.org

and then (as root)

cp greatcactusKey.pem /etc/pki/tls/certs
cp greatcactusCertificate.pem /etc/pki/tls/certs
chmod 444 /etc/pki/tls/certs/greatcactusCertificate.pem
chmod 400 /etc/pki/tls/certs/greatcactusKey.pem

You will then need to edit /etc/mail/sendmail.mc, and edit the following lines (there are similar ones already in the file; replace them with these) :

define(`confAUTH_OPTIONS', `A p y')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH',`/etc/pki/tls/certs')
define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/etc/pki/tls/certs/greatcactusCertificate.pem')
define(`confSERVER_KEY',`/etc/pki/tls/certs/greatcactusKey.pem')

Normal Configuration

The following things are normal sendmail configuration. You may want to do something slightly differently. I edited the following lines in sendmail.mc:

GENERICS_DOMAIN(greatcactus.org cactus cactus.greatcactus.org)dnl
FEATURE(virtuser_entire_domain)dnl
FEATURE(masquerade_entire_domain)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(allmasquerade)dnl
MASQUERADE_AS(greatcactus.org)dnl
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Note that in the GENERICS_DOMAIN you list whatever domain(s) you have that you want dealt with. You will also need to set up the following conficuration files in /etc/mail:

access
local-host-names List the names (e.g. greatcactus.org) of all aliases you expect your machine to respond to.

Special Configuration

Here is the interesting thing. here we write a simple shell script that renames incoming and outgoing addresses. Make the following changes to sendmail.mc:

FEATURE(`genericstable',`program /bin/sh /etc/mail/outgoingaddress.sh')dnl
FEATURE(`virtusertable',`program /bin/sh /etc/mail/mailalias.sh')dnl

You will need to install these programs, and of course edit them to your preferences.

outgoingaddress.sh This makes each outgoing address different by time-stamping it. Edit it by adding your users.
mailalias.sh This is where the main work is done, interpreting incoming addresses. Note that the second line is for debugging purposes, and should be removed when you have it working. You need to edit this with your own users. Note that this is case sensitive - thus the duplication. Note that this gets called several times by sendmail for each email address which is the reason for the first lines - so that already translated addresses do not get retranslated.
You should also make a file /etc/mail/SpammerList that contains a list of email addresses to be blocked. This can start off blank, created by the touch command below

Give these the correct permissions via

cp mailalias.sh /etc/mail/mailalias.sh
cp outgoingaddress.sh /etc/mail/outgoingaddress.sh
chmod 755 /etc/mail/*.sh
touch SpammerList
chmod 666 /etc/mail/SpammerList

Making it all work

Run make
```
cd /etc/mail
make
```

Make sure sendmail and saslauthd is enabled in runlevels 3 and 5.

/sbin/chkconfig --level 35 sendmail on
/sbin/chkconfig --level 35 saslauthd on
/sbin/service saslauthd start
/sbin/service sendmail restart

Test it!

Administration

If you have a web server that handles Java Server Pages (JSP), such as tomcat, you can use the following programs to help.

killSpam.jsp Adds a line to the SpammerList file
deobfuscateEmail.jsp Given an outgoing address, works out a human readable time. Timezones are not handled properly here

Note on security - I am not aware of any security holes in this. Please tell me if you see any.

This is provided on an as-is basis with no guarantees. I've found it useful and non-obvious, and I hope you do too.