Re: Best practice: sendmail and SMTP auth



Derek Ragona wrote:
At 02:19 PM 3/12/2008, Doug Poland wrote:
Hello,

Not sure if this is the most appropriate place for this question, but
since all my servers are FreeBSD 6.x/7.x, I'll give it a go...

I am considering setting up SMTP auth on a number of sendmail
instances that I control. After much googling and reading, it is not
clear to me that a server with SMTP auth configured/enabled can relay
mail in both auth and non-auth modes.

If one sendmail configuration cannot accommodate both SMTP auth and
access.db, does one set up a dedicated SMTP auth host with a SMART_HOST
option and feed incoming email to a non-auth instance of sendmail?

Sorry if my terminology is ambiguous, I'm not a sendmail professional
by day.

You can set up sendmail to do both auth and non-auth. However, best practice is to use auth only to control any spam relaying. Check the sendmail.org website FAQs for setting this up. You will probably want to use the cyrus-sasl or cyrus-sasl2 ports along with sendmail.

A good solution to this is to use port 587 for Authenticated new mail
submission and leave port 25 for the normal MTA-MTA type of (not
authenticated) traffic. Firstly, to enable authentication you need to
compile sendmail against cyrus SASL2 (don't bother with SASL1 -- it's
legacy only). Now, you can either do that by installing sendmail
from ports, or you can install the cyrus-sasl port and then make the
base system sendmail link against it by adding this to /etc/make.conf:

SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+= -L/usr/local/lib
SENDMAIL_LDADD+= -lsasl2

I also like to use these two so that any milters etc. I build from
ports interoperate with the base system sendmail.

SENDMAIL_MILTER_IN_BASE= yes
WITH_SENDMAIL_BASE= yes

In order to do SMTP AUTH most effectively, you should enable STARTSSL
support -- I always feel better knowing that passwords are sent over an
encrypted connection. This is a guide to what you need in your
$(hostname).mc to add STARTSSL with AUTH /required/ on mail submitted
via port 587, but not provided on port 25:

first: turn off the default MSA setup, which we'll provide our own
settings for later:

FEATURE(no_default_msa)dnl ## overridden with DAEMON_OPTIONS below

[...]

second: basic configuration for SMTP AUTH -- what mechanisms are supported.
Note that LOGIN should only ever be allowed over encrypted connections as it
sends passwords in plain text. You can also authenticate by using SSL
certificates, but that is handled directly by sendmail and you don't need to
list EXTERNAL as a SASL mechanism.

dnl ## Set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_REALM', `your.domain.name')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl

[...]

thirdly: insert the IP numbers of your servers into the following rules --
if you don't use IPv6 you can omit the lines for the external address, but
you'll find things seem to work rather smoother if you keep the ::1 entries.

The M=E flag says 'disable ETRN' and the M=Ea flag says 'require authentication
(and disable ETRN)'. M=A means 'don't offer authentication here'. Note that I'm only
requiring authentication on the external interfaces, so I implicitly trust myself
to submit e-mails via localhost:587 without it. Your requirements may differ. See
http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html
for an explanation of the capabilities of DAEMON_OPTIONS:

dnl
dnl Where the sendmail daemon should listen
dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=12.34.56.78, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=127.0.0.1, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv6, Addr=::1, M=A, Family=inet6')dnl
DAEMON_OPTIONS(`Name=IPv6, Addr=2000:aa:bb:cc::1, M=A, Family=inet6')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=12.34.56.78, Port=587, M=Ea')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=127.0.0.1, Port=587, M=E')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=2000:aa:bb:cc::1, Port=587, M=Ea, Family=inet6')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=::1, Port=587, M=E, Family=inet6')dnl

fourthly: enable SSL capabilities in sendmail. See http://aput.net/~jheiss/sendmail/tlsandrelay.shtml for a good article on
configuring this stuff (although ignore the section on compiling
sendmail: you get that automatically built into the base system sendmail
already)

dnl
dnl TLS stuff
dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

fifthly: there is no fifthly -- you're done. Build a sendmail.cf and test
that it all works.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
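The listener split Matthew lays out (AUTH required on the external port 587 listeners, AUTH not offered on port 25, ETRN off on the MSA, LOGIN only under an encrypted session) is easy to get subtly wrong in a long .mc file. What follows is an added example, not code from the thread or from the sendmail project: a small Python checker that pulls the DAEMON_OPTIONS and AUTH-related define() lines out of .mc text and reports listeners or settings that break those rules. It reads the m4 source with regular expressions rather than expanding it, so it only sees literal DAEMON_OPTIONS/define() lines; the sample configs are constructed from the lines in Matthew's post, with confAUTH_OPTIONS and a deliberately weakened copy added for illustration. The 'p' flag in confAUTH_OPTIONS is the real sendmail option that refuses PLAIN/LOGIN unless a security layer (STARTTLS) is active.

```python
# Added example (not from the thread): audit the DAEMON_OPTIONS and SASL
# settings in a sendmail .mc file against the split described above:
# AUTH required (M=..a) on non-loopback port-587 listeners, ETRN disabled
# (M=..E) on all port-587 listeners, AUTH not offered (M=..A) on port 25,
# and plaintext mechanisms (LOGIN/PLAIN) only usable under TLS.
import re
from ipaddress import ip_address

# m4 quotes are `...' so the closing delimiter is a single quote.
DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")
DEFINE_RE = r"define\(`%s',\s*`([^']*)'\)"


def parse_daemon_options(mc_text):
    """Return one dict per DAEMON_OPTIONS line: name, addr, port, modifier set."""
    listeners = []
    for m in DAEMON_RE.finditer(mc_text):
        opts = {}
        for field in m.group(1).split(","):
            key, _, value = field.strip().partition("=")
            opts[key] = value
        listeners.append({
            "name": opts.get("Name", "?"),
            "addr": opts.get("Addr", "0.0.0.0"),   # no Addr= means all interfaces
            "port": opts.get("Port", "smtp"),      # no Port= means port 25
            "modifiers": set(opts.get("M", "")),
        })
    return listeners


def is_loopback(addr):
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False  # a hostname is treated as external, the conservative choice


def audit_listeners(listeners):
    findings = []
    for l in listeners:
        mods = l["modifiers"]
        where = f"{l['name']} {l['addr']}:{l['port']}"
        if l["port"] in ("587", "submission"):
            if not is_loopback(l["addr"]) and "a" not in mods:
                findings.append(f"{where}: AUTH not required on external submission port (add M=a)")
            if "E" not in mods:
                findings.append(f"{where}: ETRN still enabled on submission port (add M=E)")
        elif "A" not in mods:
            findings.append(f"{where}: MTA port offers AUTH (add M=A)")
    return findings


def audit_auth_settings(mc_text):
    """Flag LOGIN/PLAIN unless a server cert is configured and confAUTH_OPTIONS
    contains 'p', which makes sendmail refuse those mechanisms on unencrypted
    sessions."""
    findings = []
    m = re.search(DEFINE_RE % "confAUTH_MECHANISMS", mc_text)
    mechs = set(m.group(1).split()) if m else set()
    m = re.search(DEFINE_RE % "confAUTH_OPTIONS", mc_text)
    auth_opts = m.group(1) if m else ""
    has_tls = re.search(DEFINE_RE % "confSERVER_CERT", mc_text) is not None
    plaintext = " ".join(sorted(mechs & {"LOGIN", "PLAIN"}))
    if plaintext and not has_tls:
        findings.append(f"{plaintext} offered but no confSERVER_CERT defined (no STARTTLS)")
    if plaintext and "p" not in auth_opts:
        findings.append(f"{plaintext} offered without 'p' in confAUTH_OPTIONS")
    return findings


def audit(mc_text):
    return audit_listeners(parse_daemon_options(mc_text)) + audit_auth_settings(mc_text)


# Constructed sample: DAEMON_OPTIONS and SASL lines from the post, plus a
# confAUTH_OPTIONS and the TLS server cert definition.
GOOD_MC = """
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=12.34.56.78, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=127.0.0.1, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=12.34.56.78, Port=587, M=Ea')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=127.0.0.1, Port=587, M=E')dnl
"""
# Constructed weak variant: the external MSA lost M=a and AuthOptions lost 'p'.
WEAK_MC = GOOD_MC.replace("Port=587, M=Ea", "Port=587, M=E").replace("`A p'", "`A'")

if __name__ == "__main__":
    for label, text in (("good", GOOD_MC), ("weak", WEAK_MC)):
        print(label, audit(text) or "no findings")
```

Run it against the real file with `audit(open("/etc/mail/$(hostname).mc").read())`; an empty list means every listener matches the intended split. After building sendmail.cf the same expectations can be confirmed from outside by issuing EHLO on each port: 25 should not list AUTH at all, and 587 should list it only once STARTTLS has been negotiated.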
