ASMTP setup on 4.8
Chris Boyd
cboyd at gizmopartners.com
Sat Jul 19 16:51:50 PDT 2003
Thanks to Hajimu UMEMOTO, Sergey Dorokhov and Josh Tolbert for helping
me get this figured out.
What follows is a very terse procedure for getting ASMTP, IMAP and POP
over SSL running.
--Chris
See http://puresimplicity.net/~hemi/freebsd/sendmail.html
for original procedures.
cd /usr/ports/mail/cclient
make -DWITH_SSL_AND_PLAINTEXT=yes install
cd /usr/ports/mail/imap-uw
make -DWITH_SSL_AND_PLAINTEXT=yes install
Put these in /etc/inetd.conf
imaps stream tcp nowait root /usr/local/libexec/imapd imapd
pop3s stream tcp nowait root /usr/local/libexec/ipop3d ipop3d
kill -HUP <inetd's PID>
cd /usr/ports/security/cyrus-sasl2
make install
cd /usr/ports/security/cyrus-sasl2-saslauthd/
make install
Add these lines to /etc/rc.conf
########## Start SASLAUTHD and look at local passwds
sasl_saslauthd_enable="YES"
sasl_saslauthd_flags="-a getpwent"
Add these lines to /etc/make.conf
# SASL (cyrus-sasl v2) sendmail build flags...
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
# Adding to enable alternate port (smtps) for sendmail...
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
Build sendmail from the source tree. (Does /etc/make.conf work if
building from ports?)
cd /usr/src/usr.sbin/sendmail
make clean
make depend
make
(My make stopped at
cc: /usr/src/usr.sbin/sendmail/../../lib/libsmutil/libsmutil.a: No such file or directory
cc: /usr/src/usr.sbin/sendmail/../../lib/libsm/libsm.a: No such file or directory
I remedied by doing
cd ../../lib/libsmutil/
make
cd /usr/src/usr.sbin/sendmail
cd ../../lib/libsm
make
and then continuing
cd /usr/src/usr.sbin/sendmail
make
)
make install
Do the SSL cert creation. Don't forget to put the hostname in when it
asks for the common name.
mkdir /etc/mail/certs
cd /etc/mail/certs
openssl dsaparam -out dsa1024.pem 1024
openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout mykey.pem
rm dsa1024.pem
chmod -R 600 /etc/mail/certs/*
Tell sendmail to use saslauthd to check passwords
vi /usr/local/lib/sasl2/Sendmail.conf
and change the line to read
pwcheck_method: saslauthd
Set up sendmail by editing the host's mc file and adding these just above
the MAILER(local) line
define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
Rebuild the cf files
make all install restart
Probably ought to do a good reboot about now to make sure everything gets
started correctly (mainly saslauthd).
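An added check, not part of Chris's post: the mc above offers PLAIN and LOGIN on the plain port 25 listener as well as on smtps, and nothing in it stops a client from sending its password in the clear there. Sendmail's confAUTH_OPTIONS flag p refuses those mechanisms unless a security layer (TLS) is active. The script below (my own; the file names and the sample mc contents are constructed from the lines above) audits an mc file for that flag, the M=s listener and the server cert/key defines.

```shell
#!/bin/sh
# Added example, not from the original post: audit a sendmail .mc for the
# intent of this procedure (SASL AUTH only over TLS). Sendmail's
# confAUTH_OPTIONS flag `p' refuses the cleartext mechanisms PLAIN and LOGIN
# unless a security layer (TLS) is active. Sample .mc contents are constructed.

# mc_value FILE NAME: value of define(`NAME', `...') with m4 quotes stripped
mc_value() {
    grep "$2" "$1" | tr -d "\`'" | sed "s/.*$2, *//; s/).*//"
}

# mc_audit FILE: one finding per line on stderr, number of findings on stdout
mc_audit() {
    f=$1; n=0
    if ! grep -q 'DAEMON_OPTIONS(.*M=s' "$f"; then
        echo "$f: no DAEMON_OPTIONS with M=s, so no smtps listener" >&2
        n=$((n + 1))
    fi
    for k in confSERVER_CERT confSERVER_KEY; do
        if [ -z "$(mc_value "$f" "$k")" ]; then
            echo "$f: $k missing, TLS cannot be offered" >&2; n=$((n + 1))
        fi
    done
    case "$(mc_value "$f" confAUTH_MECHANISMS)" in
    *PLAIN*|*LOGIN*)
        case "$(mc_value "$f" confAUTH_OPTIONS)" in
        *p*) ;;  # cleartext mechanisms only after TLS: what the post intends
        *) echo "$f: PLAIN/LOGIN offered but confAUTH_OPTIONS lacks p," \
                "so passwords can go in the clear on port 25" >&2
           n=$((n + 1)) ;;
        esac ;;
    esac
    echo "$n"
}

SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/as-posted.mc" <<'EOF'
define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
EOF
# same file plus AuthOptions (A: honour AUTH= only after successful auth)
{ printf '%s\n' "define(\`confAUTH_OPTIONS', \`A p')dnl"
  cat "$SAMPLE_DIR/as-posted.mc"; } > "$SAMPLE_DIR/hardened.mc"
echo "as posted: $(mc_audit "$SAMPLE_DIR/as-posted.mc") finding(s)"
echo "hardened:  $(mc_audit "$SAMPLE_DIR/hardened.mc") finding(s)"
```

Run it against the real /etc/mail/<host>.mc after the edits above; a count of 0 means the file carries the smtps listener, the cert and key defines, and the p flag.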