ASMTP setup on 4.8

Chris Boyd cboyd at gizmopartners.com
Sat Jul 19 16:51:50 PDT 2003


Thanks to Hajimu UMEMOTO, Sergey Dorokhov and Josh Tolbert for helping 
me get this figured out.

What follows is a very terse procedure for getting ASMTP, IMAP and POP 
over SSL running.

--Chris

See http://puresimplicity.net/~hemi/freebsd/sendmail.html
for original procedures.


cd /usr/ports/mail/cclient
make -DWITH_SSL_AND_PLAINTEXT=yes install

cd /usr/ports/mail/imap-uw
make -DWITH_SSL_AND_PLAINTEXT=yes install

Put these in /etc/inetd.conf
imaps   stream  tcp     nowait  root    /usr/local/libexec/imapd        imapd
pop3s   stream  tcp     nowait  root    /usr/local/libexec/ipop3d       ipop3d

kill -HUP <inetd's PID>

cd /usr/ports/security/cyrus-sasl2
make install

cd /usr/ports/security/cyrus-sasl2-saslauthd/
make install

Add these lines to /etc/rc.conf

########## Start SASLAUTHD and look at local passwds
sasl_saslauthd_enable="YES"
sasl_saslauthd_flags="-a getpwent"


Add these lines to /etc/make.conf
# SASL (cyrus-sasl v2) sendmail build flags...
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
# Adding to enable alternate port (smtps) for sendmail...
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL

Build sendmail from the source tree.  (Does /etc/make.conf work if 
building from ports?)

cd /usr/src/usr.sbin/sendmail
make clean
make depend
make

(My make stopped at
cc: /usr/src/usr.sbin/sendmail/../../lib/libsmutil/libsmutil.a: No such 
file or directory
cc: /usr/src/usr.sbin/sendmail/../../lib/libsm/libsm.a: No such file or 
directory

I remedied by doing
cd ../../lib/libsmutil/
make
cd /usr/src/usr.sbin/sendmail
cd ../../lib/libsm
make

and then continuing
cd /usr/src/usr.sbin/sendmail
make
)

make install




Do the SSL cert creation.  Don't forget to put the hostname in when it 
asks for the common name.

mkdir /etc/mail/certs
cd /etc/mail/certs
openssl dsaparam -out dsa1024.pem 1024
openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout mykey.pem
rm dsa1024.pem
chmod -R 600 /etc/mail/certs/*




Tell sendmail to use saslauthd to check passwords
vi /usr/local/lib/sasl2/Sendmail.conf

and change the line to read
pwcheck_method: saslauthd





Set up sendmail by editing the host's mc file and adding these just above
the MAILER(local) line

define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

Rebuild the cf files
make all install restart



Probably ought to do a good reboot about now to make sure everything
gets started correctly (mainly saslauthd).


