Annotation of wikisrc/tutorials/services/sendmail_auth_tls.mdwn, revision 1.1

## Setting up a secure SMTP server with AUTH and TLS enabled in Sendmail

While *postfix* is the base system's [SMTP](http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) server, it is still possible to use the venerable [Sendmail](http://www.sendmail.com/sm/open_source/) as your mail server of choice.
Securing a *sendmail* SMTP gateway so that it can be used from anywhere with your system's credentials is an easy task; here is how to achieve it.

### Enabling Sendmail as the system's SMTP server

The first thing to do is to disable *postfix* as the system's SMTP server. This is controlled by the *postfix* parameter in */etc/rc.conf*:

    postfix=NO

We will then install *sendmail* from *pkgsrc* with [SASL](http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer) for the authentication mechanism and [TLS](http://en.wikipedia.org/wiki/Transport_Layer_Security) as the secure transport layer:

    $ grep sendmail /etc/mk.conf
    PKG_OPTIONS.sendmail=   tls sasl
    ACCEPTABLE_LICENSES+=   sendmail-license

### AUTH with SASL

Enabling *SASL* will build *security/cyrus-sasl*, but this package build failed with the following on my NetBSD 5.0.2 box:

    db_ndbm.c:95: warning: passing argument 3 of 'utils->getcallback' from incompatible pointer type

So we will specify that *cyrus-sasl* should use *berkeley* as its database type:

    $ grep SASL /home/bulk/etc/mk.conf
    SASL_DBTYPE=            berkeley

We can now install *sendmail* with *TLS* and *SASL* support the classic way:

    $ cd /usr/pkgsrc/mail/sendmail && sudo make install clean

The *cyrus-sasl* package does not include any authentication plugin; it's up to us to pick one that suits our needs. As we want to authenticate against the system's login/password, we will use *cy2-login*:

    $ cd /usr/pkgsrc/security/cy2-login && sudo make install

In order to use this method, we will have to install the *saslauthd* package. *Saslauthd* is in charge of plaintext authentications on behalf of the SASL library.

    $ cd /usr/pkgsrc/security/cyrus-saslauthd && sudo make install clean

Of course, we want this daemon to start at every boot of this mail server:

    # cp /usr/pkg/share/examples/rc.d/saslauthd /etc/rc.d
    # echo "saslauthd=YES" >> /etc/rc.conf
    # /etc/rc.d/saslauthd start

Now we have to inform the *SASL* library that it should use *saslauthd* whenever *sendmail* asks for an authentication:

    # echo "pwcheck_method:saslauthd" > /usr/pkg/lib/sasl2/Sendmail.conf

### Setting up the secure transport layer

As everything is in place for authentication, we will now prepare the *TLS* prerequisites.
Instead of generating a self-signed certificate, I usually rely on [CACert](http://www.cacert.org/), "a community driven, Certificate Authority that issues certificates to the public at large for free." (from CACert.org).

In order to generate the certificate signing request (CSR), you can use the [CSRGenerator](http://wiki.cacert.org/CSRGenerator) script from CACert, which is really handy.

Once you have generated your server's private key with *CSRGenerator* and received your server certificate from CACert, simply copy them to */etc/mail/certs*, along with the [CACert root certificate](http://www.cacert.org/certs/root.crt). Make sure your private key has strict permissions; *sendmail* will refuse to start if it is readable by everyone.

### Configuring sendmail

It is now time to write our *sendmail* configuration. Create a *mc* file corresponding to your needs in */usr/pkg/share/sendmail/cf*, for example:

    # cat > /usr/pkg/share/sendmail/cf/korriban.mc << EOF
    divert(0)dnl
    VERSIONID(`Mustafar')
    OSTYPE(bsd4.4)dnl
    DOMAIN(generic)dnl

    FEATURE(access_db, `hash -T<TMPF> /etc/mail/access')
    FEATURE(blacklist_recipients)
    FEATURE(mailertable, `hash -o /etc/mail/mailertable')
    FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
    FEATURE(genericstable, `hash -o /etc/mail/genericstable')
    FEATURE(local_procmail)

    dnl ### I use procmail as my MDA
    define(`PROCMAIL_MAILER_PATH',`/usr/pkg/bin/procmail')
    dnl ### and dspam as my antispam
    define(`LOCAL_MAILER_PATH', `/usr/pkg/bin/dspam')
    define(`LOCAL_MAILER_ARGS', `dspam -t -Y -a $h "--deliver=innocent" --user $u -d %u')

    define(`confMAX_MESSAGE_SIZE', 5000000)

    dnl ### do SMTPAUTH
    define(`confAUTH_MECHANISMS', `LOGIN')dnl
    TRUST_AUTH_MECH(`LOGIN')dnl
    dnl ### do STARTTLS
    define(`confCACERT_PATH',`/etc/mail/certs/')dnl
    define(`confCACERT', `/etc/mail/certs/cacert.crt')
    define(`confSERVER_CERT',`/etc/mail/certs/korriban_server.pem')dnl
    define(`confSERVER_KEY',`/etc/mail/certs/korriban_privatekey.pem')dnl

    MAILER(local)dnl
    MAILER(smtp)dnl
    MAILER(procmail)
    EOF

Once your configuration is ready, build and install it using the following:

    # make install-cf CF=korriban
    rm -f korriban.cf
    m4 ../m4/cf.m4 korriban.mc > korriban.cf || ( rm -f korriban.cf && exit 1 )
    echo "### korriban.mc ###" >>korriban.cf
    sed -e 's/^/# /' korriban.mc >>korriban.cf
    chmod 444 korriban.cf
    /usr/bin/install -c -o root -g wheel -m 0444 korriban.cf /etc/mail/sendmail.cf
    /usr/bin/install -c -o root -g wheel -m 0444 korriban.cf /etc/mail/submit.cf

Now that *sendmail* is configured, fire it up by invoking:

    # /etc/rc.d/sendmail start

And test that the features we've added are working:

    # sendmail -d0.1 -bv root | grep SASL
            SASLv2 SCANF SOCKETMAP STARTTLS TCPWRAPPERS USERDB XDEBUG
    $ telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 korriban.imil.net ESMTP Sendmail 8.14.5/8.14.5; Sat, 12 Nov 2011 16:43:40 +0100 (CET)
    ehlo localhost
    250-korriban.imil.net Hello localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE 5000000
    250-DSN
    250-ETRN
    250-AUTH LOGIN
    250-STARTTLS
    250-DELIVERBY
    250 HELP

There you go! Now configure your [MUA](http://en.wikipedia.org/wiki/Mail_user_agent) so it always tries *TLS* for sending mail, using the *LOGIN* authentication method.
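The telnet test above only shows that the extensions are advertised; the point worth checking as an administrator is *where* they are advertised. The *LOGIN* mechanism sends the password base64-encoded, which is not encryption, so a client that authenticates before issuing STARTTLS reveals the system credentials to anyone on the path. In the transcript above, `250-AUTH LOGIN` appears in the cleartext EHLO reply, meaning the server accepts that. The script below is an added example and not part of the tutorial: it parses an EHLO reply (the tutorial's own transcript is embedded as constructed sample input) and reports whether a password-revealing mechanism is offered on the unencrypted channel; `probe_live_server` does the same comparison against a running server, once before and once after STARTTLS. The host name `korriban.imil.net` is taken from the transcript, and the function names are this example's own.

```python
"""Check an ESMTP server's capability advertisement for cleartext AUTH.

Added example (not from the tutorial): parses an RFC 5321 multi-line
EHLO reply and flags AUTH mechanisms that reveal the password when they
are offered before STARTTLS.
"""
import smtplib
import ssl
from dataclasses import dataclass, field

# Constructed sample input: the cleartext EHLO reply shown in the tutorial.
SAMPLE_EHLO_REPLY = """\
250-korriban.imil.net Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE 5000000
250-DSN
250-ETRN
250-AUTH LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""

# Mechanisms whose exchange carries the password in recoverable form
# (base64 is an encoding, not encryption).
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}


@dataclass
class EhloCapabilities:
    greeting: str
    features: dict = field(default_factory=dict)  # KEYWORD -> parameter string

    @property
    def starttls(self) -> bool:
        return "STARTTLS" in self.features

    @property
    def auth_mechanisms(self) -> list:
        return self.features.get("AUTH", "").split()

    @property
    def max_size(self):
        size = self.features.get("SIZE")
        return int(size) if size else None


def parse_ehlo_reply(text: str) -> EhloCapabilities:
    """Parse a 250 EHLO reply: '250-' lines continue, a '250 ' line ends it.

    The first line is the greeting; every later line is KEYWORD [params].
    """
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a 250 EHLO reply")
    greeting = lines[0][4:]
    features = {}
    for ln in lines[1:]:
        if len(ln) < 4 or ln[:3] != "250" or ln[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {ln!r}")
        keyword, _, params = ln[4:].partition(" ")
        keyword = keyword.upper()
        if keyword.startswith("AUTH="):  # obsolete 'AUTH=mech' syntax some servers emit
            params = (keyword[5:] + " " + params).strip()
            keyword = "AUTH"
        if keyword:
            features[keyword] = params.strip()
    if lines[-1][3] != " ":
        raise ValueError("EHLO reply not terminated by a '250 ' line")
    return EhloCapabilities(greeting, features)


def plaintext_auth_exposed(caps: EhloCapabilities) -> list:
    """Password-revealing mechanisms advertised on the channel this reply
    came from. For the pre-STARTTLS EHLO the desired result is an empty list."""
    return sorted(m for m in caps.auth_mechanisms if m.upper() in PLAINTEXT_MECHS)


def probe_live_server(host: str, port: int = 25) -> dict:
    """Compare the EHLO reply before and after STARTTLS on a real server.
    smtplib keeps the parsed keywords, lower-cased, in esmtp_features."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        after = {}
        if smtp.has_extn("starttls"):
            # A verification failure here is itself a finding (bad chain/name).
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
            after = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    return {
        "starttls": "STARTTLS" in before,
        "auth_before_tls": before.get("AUTH", "").split(),
        "auth_after_tls": after.get("AUTH", "").split(),
    }


if __name__ == "__main__":
    caps = parse_ehlo_reply(SAMPLE_EHLO_REPLY)
    print("STARTTLS offered:", caps.starttls)
    print("AUTH on cleartext channel:", plaintext_auth_exposed(caps) or "none")
```

Run against the tutorial's transcript the check reports `LOGIN` on the cleartext channel. Sendmail can be told to withhold such mechanisms until a security layer is up with `define(`confAUTH_OPTIONS', `p')` in the *mc* file; after that change the first EHLO should no longer list `AUTH LOGIN` while the EHLO following STARTTLS still does, which is exactly what `probe_live_server` reports in `auth_before_tls` versus `auth_after_tls`.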
