Best practice: sendmail and SMTP auth
Doug Poland
doug at polands.org
Thu Mar 13 12:10:41 UTC 2008
On Thu, Mar 13, 2008 at 01:43:11AM +0000, Matthew Seaman wrote:
> Derek Ragona wrote:
> >At 02:19 PM 3/12/2008, Doug Poland wrote:
> >>Hello,
> >>
> >>Not sure if this is the most appropriate place for this question,
> >>but since all my servers are FreeBSD 6.x/7.x, I'll give it a go...
> >>
> >>I am considering setting up SMTP auth on a number of sendmail
> >>instances that I control. After much googling and reading, it is
> >>not clear to me that a server with SMTP auth configured/enabled can
> >>relay mail in both auth and non-auth modes.
> >>
> >>If one sendmail configuration cannot accommodate both SMTP auth and
> >>access.db, does one setup a dedicated SMTP auth host with a
> >>SMART_HOST option and feed incoming email to a non-auth instance of
> >>sendmail?
> >>
> >>Sorry if my terminology is ambiguous, I'm not a sendmail
> >>professional by day.
>
> >You can set up sendmail to do both auth and non-auth. However, best
> >practice is to use auth only to control any spam relaying. Check the
> >sendmail.org website FAQs for setting this up. You will want to
> >probably use cyrus-sasl or cyrus-sasl2 ports along with sendmail.
>
> A good solution to this is to use port 587 for Authenticated new mail
> submission and leave port 25 for the normal MTA-MTA type of (not
> authenticated) traffic. Firstly, to enable authentication you need to
> compile sendmail against cyrus SASL2 (don't bother with SASL1 -- it's
> legacy only). Now, you can either do that by installing sendmail from
> ports, or you can install the cyrus-sasl port and then make the base
> system sendmail link against it by adding this to /etc/make.conf:
>
> SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
> SENDMAIL_LDFLAGS+= -L/usr/local/lib
> SENDMAIL_LDADD+= -lsasl2
>
> I also like to use these two so that any milters etc. I build from
> ports interoperate with the base system sendmail.
>
> SENDMAIL_MILTER_IN_BASE= yes
> WITH_SENDMAIL_BASE= yes
>
> In order to do SMTP AUTH most effectively, you should enable STARTSSL
> support -- I always feel better knowing that passwords are sent over an
> encrypted connection. This is a guide to what you need in your
> $(hostname).mc to add STARTSSL with AUTH /required/ on mail submitted
> via port 587, but not provided on port 25:
>
> first: turn off the default MSA setup, which we'll provide our own
> settings for later:
>
> FEATURE(no_default_msa)dnl ## overridden with DAEMON_OPTIONS below
>
> [...]
>
> second: basic configuration for SMTP AUTH -- what mechanisms are
> supported. Note that LOGIN should only ever be allowed over encrypted
> connections as it sends passwords in plain text. You can also
> authenticate by using SSL certificates, but that is handled directly by
> sendmail and you don't need to list EXTERNAL as a SASL mechanism.
>
> dnl ## Set SASL options
> TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confAUTH_REALM', `your.domain.name')dnl
> define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
>
> [...]
>
> thirdly: insert the IP numbers of your servers into the following
> rules -- if you don't use IPv6 you can omit the lines for the external
> address, but you'll find things seem to work rather smoother if you
> keep the ::1 entries.
>
> The M=E flag says 'disable ETRN' and the M=Ea flag says 'require
> authentication (and disable ETRN)'. M=A means 'don't offer
> authentication here'. Note that I'm only requiring authentication on
> the external interfaces, so I implicitly trust myself
> to submit e-mails via localhost:587 without it. Your requirements may
> differ. See
> http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html
> for an explanation of the capabilities of DAEMON_OPTIONS:
>
> dnl
> dnl Where the sendmail daemon should listen
> dnl
> DAEMON_OPTIONS(`Name=IPv4, Addr=12.34.56.78, M=A, Family=inet')dnl
> DAEMON_OPTIONS(`Name=IPv4, Addr=127.0.0.1, M=A, Family=inet')dnl
> DAEMON_OPTIONS(`Name=IPv6, Addr=::1, M=A, Family=inet6')dnl
> DAEMON_OPTIONS(`Name=IPv6, Addr=2000:aa:bb:cc::1, M=A, Family=inet6')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=12.34.56.78, Port=587, M=Ea')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=127.0.0.1, Port=587, M=E')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=2000:aa:bb:cc::1, Port=587, M=Ea, Family=inet6')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=::1, Port=587, M=E, Family=inet6')dnl
>
> fourthly: enable SSL capabilities in sendmail. See
> http://aput.net/~jheiss/sendmail/tlsandrelay.shtml for a good article
> on configuring this stuff (although ignore the section on compiling
> sendmail: you get that automatically built into the base system
> sendmail already)
>
> dnl
> dnl TLS stuff
> dnl
> define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
> define(`confCACERT_PATH', `CERT_DIR')dnl
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
>
> fifthly: there is no fifthly -- you're done. Build a sendmail.cf and
> test that it all works.
>
> Cheers,
> Matthew
>
Thank you very much for that comprehensive explanation.
--
Regards,
Doug
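The thread ends with "build a sendmail.cf and test that it all works". The script below is an added example (not from the thread or from sendmail) of one way to do that test: it inspects the EHLO capabilities a listener advertises and checks them against the intended policy, port 25 with M=A (no AUTH at all) and port 587 with M=Ea (STARTTLS offered, no LOGIN/PLAIN before STARTTLS, AUTH after it). The sample replies are constructed; the host and port passed to check_live are assumptions.

```python
"""Check a sendmail listener's EHLO capabilities against the 25/587 split."""
import smtplib
import ssl

# Mechanisms that send the password in clear text unless TLS is already up.
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}


def parse_ehlo(reply: str) -> dict:
    """Map EHLO keyword lines to {KEYWORD: [params]}; line 1 is the greeting."""
    caps = {}
    for line in reply.splitlines()[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def check_policy(port: int, before_tls: dict, after_tls: dict = None) -> list:
    """Return the list of policy violations (empty list means the listener is OK)."""
    problems = []
    if port == 25 and "AUTH" in before_tls:          # M=A: never offer AUTH on 25
        problems.append("port 25 advertises AUTH (expected M=A)")
    if port == 587:                                   # M=Ea: auth required over TLS
        if "STARTTLS" not in before_tls:
            problems.append("port 587 does not advertise STARTTLS")
        if PLAINTEXT_MECHS & set(before_tls.get("AUTH", [])):
            problems.append("LOGIN/PLAIN offered before STARTTLS")
        if after_tls is not None and "AUTH" not in after_tls:
            problems.append("no AUTH offered after STARTTLS (M=Ea unusable)")
    return problems


def check_live(host: str, port: int) -> list:
    """Query a real listener (host/port are assumptions) and check it.
    Uses the default TLS context, so it fails closed on an untrusted cert."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, reply = s.ehlo()
        before = parse_ehlo(reply.decode("ascii", "replace"))
        after = None
        if "STARTTLS" in before:
            s.starttls(context=ssl.create_default_context())
            _, reply = s.ehlo()
            after = parse_ehlo(reply.decode("ascii", "replace"))
    return check_policy(port, before, after)


# Constructed sample replies, shaped like sendmail's EHLO output.
SAMPLE_25 = ("mx.example.org Hello [192.0.2.10], pleased to meet you\n"
             "ENHANCEDSTATUSCODES\nPIPELINING\n8BITMIME\nSIZE\nDSN\nHELP")
SAMPLE_587 = ("mx.example.org Hello [192.0.2.10], pleased to meet you\n"
              "ENHANCEDSTATUSCODES\nPIPELINING\nSTARTTLS\n"
              "AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN\nHELP")
```

Run `check_live("mx.example.org", 25)` and `check_live("mx.example.org", 587)` against your own server; on the constructed samples, port 25 passes and port 587 is flagged for offering LOGIN before STARTTLS, which is exactly the case the thread warns about.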