File:  [NetBSD Developer Wiki] / wikisrc / tutorials / services / sendmail_auth_tls.mdwn
Revision 1.3
Sat Nov 12 16:26:45 2011 UTC (8 years, 11 months ago) by imil
Branches: MAIN
CVS tags: HEAD
added more comments

## Setting up a secure SMTP server with AUTH and TLS enabled in Sendmail

While *postfix* is the base system's [SMTP](http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) server, it is still possible to use the venerable [Sendmail](http://www.sendmail.com/sm/open_source/) as your mail server of choice.
Securing a *sendmail* SMTP gateway so that it can be used from anywhere with your system's credentials is an easy task; here is how to achieve it.

### Enabling Sendmail as the system's SMTP server

The first thing to do is to disable *postfix* as the system's SMTP server. This is controlled by the *postfix* parameter in */etc/rc.conf*:

	postfix=NO

We will then install *sendmail* from *pkgsrc* with [SASL](http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer) as the authentication mechanism and [TLS](http://en.wikipedia.org/wiki/Transport_Layer_Security) as the secure transport layer:

	$ grep sendmail /etc/mk.conf
	PKG_OPTIONS.sendmail=   tls sasl
	ACCEPTABLE_LICENSES+=   sendmail-license

### AUTH with SASL

Enabling *SASL* will build *security/cyrus-sasl*, but on my NetBSD 5.0.2 box this package failed to build with the following error:

	db_ndbm.c:95: warning: passing argument 3 of 'utils->getcallback' from incompatible pointer type

So we will specify that *cyrus-sasl* should use *berkeley* as its database type:

	$ grep SASL /home/bulk/etc/mk.conf
	SASL_DBTYPE=            berkeley

We can now install *sendmail* with *TLS* and *SASL* support the classic way:

	$ cd /usr/pkgsrc/mail/sendmail && sudo make install clean

The *cyrus-sasl* package does not include any authentication plugin; it is up to us to pick the one that suits our needs. As we want to authenticate against the system's login/password, we will use *cy2-login*:

	$ cd /usr/pkgsrc/security/cy2-login && sudo make install

In order to use this method, we will have to install the *saslauthd* package. *saslauthd* is in charge of plaintext authentications on behalf of the SASL library.

	$ cd /usr/pkgsrc/security/cyrus-saslauthd && sudo make install clean

Of course, we want this daemon to start at every boot of this mail server:

	# cp /usr/pkg/share/examples/rc.d/saslauthd /etc/rc.d
	# echo "saslauthd=YES" >> /etc/rc.conf
	# /etc/rc.d/saslauthd start

Now we have to inform the *SASL* library that it should use *saslauthd* whenever *sendmail* asks for an authentication:

	# echo "pwcheck_method:saslauthd" > /usr/pkg/lib/sasl2/Sendmail.conf

### Setting up the secure transport layer

As everything is in place for authentication, we will now prepare the *TLS* prerequisites.
Instead of generating a self-signed certificate, I usually rely on [CACert](http://www.cacert.org/), "a community driven, Certificate Authority that issues certificates to the public at large for free." (from CACert.org).

In order to generate the certificate signing request (CSR), you can use the [CSRGenerator](http://wiki.cacert.org/CSRGenerator) script from CACert, which is really handy.

Once you have generated your server's private key with *CSRGenerator* and received your server certificate from CACert, simply copy them to */etc/mail/certs*, along with the [CACert root certificate](http://www.cacert.org/certs/root.crt). Make sure your private key has strict permissions: *sendmail* will refuse to start if it is readable by everyone.

### Configuring sendmail

It is now time to write our *sendmail* configuration. Create a *mc* file corresponding to your needs in */usr/pkg/share/sendmail/cf*, for example (the heredoc delimiter is quoted so that the shell does not treat the m4 backquotes as command substitutions or expand the `$h`/`$u` macros):

	# cat > /usr/pkg/share/sendmail/cf/korriban.mc << 'EOF'
	divert(0)dnl
	VERSIONID(`Mustafar')
	OSTYPE(bsd4.4)dnl
	DOMAIN(generic)dnl

	FEATURE(access_db, `hash -T<TMPF> /etc/mail/access')
	FEATURE(blacklist_recipients)
	FEATURE(mailertable, `hash -o /etc/mail/mailertable')
	FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
	FEATURE(genericstable, `hash -o /etc/mail/genericstable')
	FEATURE(local_procmail)

	dnl ### I use procmail as my MDA
	define(`PROCMAIL_MAILER_PATH',`/usr/pkg/bin/procmail')
	dnl ### and dspam as my antispam
	define(`LOCAL_MAILER_PATH', `/usr/pkg/bin/dspam')
	define(`LOCAL_MAILER_ARGS', `dspam -t -Y -a $h "--deliver=innocent" --user $u -d %u')

	define(`confMAX_MESSAGE_SIZE', 5000000)

	dnl ### here begins the secure SMTP gateway parameters
	dnl ###
	dnl ### enable SMTP AUTH with LOGIN mechanism
	define(`confAUTH_MECHANISMS', `LOGIN')dnl
	TRUST_AUTH_MECH(`LOGIN')dnl
	dnl ### enable STARTTLS
	define(`confCACERT_PATH',`/etc/mail/certs/')dnl
	define(`confCACERT', `/etc/mail/certs/cacert.crt')
	define(`confSERVER_CERT',`/etc/mail/certs/korriban_server.pem')dnl
	define(`confSERVER_KEY',`/etc/mail/certs/korriban_privatekey.pem')dnl
	dnl ### end of secure SMTP gateway parameters

	MAILER(local)dnl
	MAILER(smtp)dnl
	MAILER(procmail)
	EOF

Once your configuration is ready, build and install it using the following:

	# make install-cf CF=korriban
	rm -f korriban.cf
	m4 ../m4/cf.m4 korriban.mc > korriban.cf || ( rm -f korriban.cf && exit 1 )
	echo "### korriban.mc ###" >>korriban.cf
	sed -e 's/^/# /' korriban.mc >>korriban.cf
	chmod 444 korriban.cf
	/usr/bin/install -c -o root -g wheel -m 0444 korriban.cf /etc/mail/sendmail.cf
	/usr/bin/install -c -o root -g wheel -m 0444 korriban.cf /etc/mail/submit.cf

Now that *sendmail* is configured, fire it up by invoking:

	# /etc/rc.d/sendmail start

And test that the features we've added are working:

	# sendmail -d0.1 -bv root | grep SASL
		SASLv2 SCANF SOCKETMAP STARTTLS TCPWRAPPERS USERDB XDEBUG
	$ telnet localhost 25
	Trying 127.0.0.1...
	Connected to localhost.
	Escape character is '^]'.
	220 korriban.imil.net ESMTP Sendmail 8.14.5/8.14.5; Sat, 12 Nov 2011 16:43:40 +0100 (CET)
	ehlo localhost
	250-korriban.imil.net Hello localhost [127.0.0.1], pleased to meet you
	250-ENHANCEDSTATUSCODES
	250-PIPELINING
	250-EXPN
	250-VERB
	250-8BITMIME
	250-SIZE 5000000
	250-DSN
	250-ETRN
	250-AUTH LOGIN
	250-STARTTLS
	250-DELIVERBY
	250 HELP

There you go! Now configure your [MUA](http://en.wikipedia.org/wiki/Mail_user_agent) so it always tries *TLS* for sending mail, using the *LOGIN* authentication method.
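As an added example (not code from the wiki page or from the sendmail project), the following Python script pre-flights two things this walkthrough depends on: the private key permissions mentioned in the TLS section, and the capability list shown in the EHLO transcript above. The EHLO reply embedded in it is copied from the page's telnet session; the two "key" files are throw-away placeholders created in a temporary directory; `parse_ehlo`, `audit_caps`, `key_permissions_ok`, `demo_key_check`, `live_audit` and the `host`/`port`/`cafile` parameters are this example's own names, not sendmail's.

```python
import os
import re
import smtplib
import ssl
import stat
import tempfile

# Mechanisms that send the password in the clear (LOGIN is base64, not encryption).
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}

# EHLO reply copied from the page's telnet session (plaintext, before STARTTLS).
SAMPLE_EHLO = """\
250-korriban.imil.net Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE 5000000
250-DSN
250-ETRN
250-AUTH LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""


def parse_ehlo(transcript):
    """Map the 250-/250 lines of an EHLO reply to {KEYWORD: [params]}.
    The first 250 line is the 'Hello' greeting, not a capability, and is
    skipped; anything that is not a 250 reply line is ignored."""
    caps, greeting_seen = {}, False
    for line in transcript.splitlines():
        m = re.match(r"250[ -](.*)", line.strip())
        if not m:
            continue
        if not greeting_seen:
            greeting_seen = True
            continue
        fields = m.group(1).split()
        if fields:
            caps[fields[0].upper()] = fields[1:]
    return caps


def audit_caps(caps, tls_active):
    """Findings for one EHLO reply; tls_active says whether it was sent
    after STARTTLS. Before that, LOGIN/PLAIN must not be on offer."""
    findings = []
    if not tls_active and "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised on plaintext connection")
    exposed = sorted({m.upper() for m in caps.get("AUTH", [])} & PLAINTEXT_MECHS)
    if exposed and not tls_active:
        findings.append("plaintext AUTH mechanisms offered before STARTTLS: "
                        + " ".join(exposed))
    return findings


def key_permissions_ok(path):
    """True if path is a regular file with no group/other permission bits set."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def demo_key_check():
    """Run key_permissions_ok on two throw-away placeholder files (0600, 0644)."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.pem"), os.path.join(d, "bad.pem")
        for path, mode in ((good, 0o600), (bad, 0o644)):
            with open(path, "w") as f:
                f.write("placeholder, not a real key\n")
            os.chmod(path, mode)
        return key_permissions_ok(good), key_permissions_ok(bad)


def _features(conn):
    # smtplib stores EHLO keywords lowercase, with the parameters as one string
    return {k.upper(): v.split() for k, v in conn.esmtp_features.items()}


def live_audit(host, port=25, cafile=None):
    """Audit a running gateway: EHLO before and after STARTTLS. Needs the
    network, so it is not exercised offline. cafile is the CA that signed
    the server cert (the CACert root on the page); None uses the system store."""
    findings = []
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo()
        findings += audit_caps(_features(conn), tls_active=False)
        if conn.has_extn("starttls"):
            conn.starttls(context=ssl.create_default_context(cafile=cafile))
            conn.ehlo()  # capabilities must be re-read once TLS is up
            findings += audit_caps(_features(conn), tls_active=True)
    return findings


if __name__ == "__main__":
    caps = parse_ehlo(SAMPLE_EHLO)
    print("plaintext EHLO findings:", audit_caps(caps, tls_active=False))
    print("key check (0600, 0644):", demo_key_check())
```

Run over the page's own transcript, the audit reports one finding: `AUTH LOGIN` is advertised on the plaintext connection, before any STARTTLS, so a client that ignores TLS would send its system password base64-encoded in the clear. If you want sendmail to withhold LOGIN/PLAIN until TLS is up, the `p` flag of `confAUTH_OPTIONS` does that (for instance `` define(`confAUTH_OPTIONS', `A p')dnl `` next to the `confAUTH_MECHANISMS` line in the mc file); after rebuilding the configuration, `live_audit("korriban.imil.net", cafile="/etc/mail/certs/cacert.crt")` against the gateway should return an empty list.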
