HOWTO: Prevent Sendmail From Using DNS

28Jun06

This HOWTO details disabling DNS in Sendmail 8.12.x and later.

By default, Sendmail 8.12.x and later will always attempt to use MX records if it detects “dns” in the hosts line in the /etc/nsswitch.conf on Solaris. (I believe the same applies on Linux, but I’ve not verified this yet.)

At an ISP this isn’t normally a problem as the ISP has access to reliable DNS servers and will forward DNS requests when necessary, however in the corporate world this can be a real problem with things like firewalls getting in the way, and internal only DNS servers.

In the event Sendmail can’t canonify the recipient domain, it will queue the email and report something along the lines of:

$ echo `date` | mailx -v -s “Test - `date`” bob.smith@domain.com
$ domain.com: Name server timeout
bob.smith@domain.com… Transient parse error — message queued for future delivery
bob.smith@domain.com… queued
$

Now the easiest way is to remove “dns” from the hosts line in /etc/nsswitch.conf, however this also means you can’t use DNS for your local domains.

The better way is to change Sendmail’s configuration and this is what I’ll detail here.

NOTE: This process is demonstrated using Solaris 10, however the configuration changes will apply to all operating systems, just the location of the .mc files, the method of generating the .cf files and restarting Sendmail may vary slightly.

NOTE: Sendmail on Solaris 10 (and OpenSolaris) now runs in “Local Only Mode” by default, ie remote clients will not be allowed to connect to port 25 on this host but outbound delivery will still take place (see sendmail(1M) for more details). If you wish to continue running in “Local Only Mode”, replace all references to subsidiary.mc and sendmail.cf below with local.mc and local.cf respectively.

1. Change into the directory that contains the macro configuration (.mc) files:

# cd /usr/lib/mail/cf

2. Make a copy of the subsidiary.mc and submit.mc files

# cp subsidiary.mc nodns-subsidiary.mc
# cp submit.mc nodns-submit.mc

3. Add the following lines to the new nodns-subsidiary.mc file just above the “confFALLBACK_SMARTHOST” line:

    FEATURE(`nocanonify')dnl
    define(`SMART_HOST', `[mailhost]‘)dnl

4. Ensure you have an entry in your /etc/hosts file for the hostname “mailhost“.

5. Comment out the “confFALLBACK_SMARTHOST” line by placing “dnl” at the beginning of the line in the new nodns-subsidiary.mc file.

6. Add the following line to the new nodns-submit.mc file after all the other “define” lines:

    define(`confDIRECT_SUBMISSION_MODIFIERS', `C')dnl

7. Generate the new .cf files (note the filename used is the same as the file we edited, except the extension is now .cf instead of .mc):

# /usr/ccs/bin/make nodns-subsidiary.cf
test ! -f nodns-subsidiary.cf || /usr/bin/mv nodns-subsidiary.cf nodns-subsidiary.cf.prev
/usr/ccs/bin/m4 ../m4/cf.m4 nodns-subsidiary.mc > nodns-subsidiary.cf
# /usr/ccs/bin/make nodns-submit.cf
test ! -f nodns-submit.cf || /usr/bin/mv nodns-submit.cf nodns-submit.cf.prev
/usr/ccs/bin/m4 ../m4/cf.m4 nodns-submit.mc > nodns-submit.cf
#

8. Make a backup of the current files:

# cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig
# cp /etc/mail/submit.cf /etc/mail/submit.cf.orig

9. Put the new files into place:

# cp /usr/lib/mail/cf/nodns-subsidiary.cf /etc/mail/sendmail.cf
# cp /usr/lib/mail/cf/nodns-submit.cf /etc/mail/submit.cf

10. Restart Sendmail

# svcadm refresh sendmail

Thats it. Sendmail will no longer query DNS and will instead blindly forward all emails destined for users remote to the local machine to the “mailhost“. It’s then up to this machine to query a reliable interface facing DNS server. This is commonly a machine managed by an ISP.

Filed under: HOWTO, Software | . |

4 Responses to “HOWTO: Prevent Sendmail From Using DNS”

1 Ian Campbell on Feb 15th, 2007 said:

Man, thanks for that write up. I needed that, and didn’t want to crack open the sendmail cookbook. Cheers.
2 Alexey Kovalev on Dec 3rd, 2008 said:

Tnank you. it was very usefull
3 Larry Mao on Sep 22nd, 2009 said:

I followed your instruction but still have to disable dns in nsswitch.conf to forward email to relay server support.domain.net. I have sendmail 8.13.8+Sun on Solaris 10. The nodns-subsidiary.mc :

divert(0)dnl
VERSIONID(`@(#)sendmail.mc 1.11 (Sun) 06/21/04′)
OSTYPE(`solaris8′)dnl
DOMAIN(`solaris-generic’)dnl
FEATURE(`accept_unresolvable_domains’)dnl
FEATURE(`accept_unqualified_senders’)dnl
FEATURE(`nocanonify’)dnl
define(`SMART_HOST’, `[support]‘)dnl
MAILER(`local’)dnl
MAILER(`smtp’)dnl

LOCAL_NET_CONFIG
R$* $* $#esmtp $@ $2.$m $: $1 $3

and the nodns-submit.mc:

divert(0)dnl
VERSIONID(`$Id: submit.mc,v 8.6.2.4 2002/12/29 03:54:34 ca Exp $’)
define(`confCF_VERSION’, `Submit’)dnl
define(`__OSTYPE__’,`’)dnl dirty hack to keep proto.m4 from complaining
define(`_USE_DECNET_SYNTAX_’, `1′)dnl support DECnet
define(`confTIME_ZONE’, `USE_TZ’)dnl
define(`confDONT_INIT_GROUPS’, `True’)dnl
define(`confDIRECT_SUBMISSION_MODIFIERS’, `C’)dnl
dnl
dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]
FEATURE(`msp’, `[127.0.0.1]‘)dnl

Could you please help me find the problem? Thanks.
4 Colin on Sep 22nd, 2009 said:

Larry: If you’re running a relatively well patched version of Solaris 10, you’ll find Sendmail is running in local-only mode - this is the default for the “Secure By Default” configuration (see sendmail(1M) for more details). Accordingly, you need to make changes to your local.mc file and generate a local.cf file instead of a subsidiary.mc and sendmail.cf file and then restart Sendmail for your changes to take effect.

I’ve added a new note to this effect above.

Speak Your Mind

Search

Recommended Book

Related Entries

Buy Me A Beer

Solaris security Sendmail configuration OpenSolaris DNS Sun network

Col’s Tech Stuff