Best practice: sendmail and SMTP auth

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Mar 13 01:43:35 UTC 2008


Derek Ragona wrote:
> At 02:19 PM 3/12/2008, Doug Poland wrote:
>> Hello,
>>
>> Not sure if this is the most appropriate place for this question, but
>> since all my servers are FreeBSD 6.x/7.x, I'll give it a go...
>>
>> I am considering setting up SMTP auth on a number of sendmail
>> instances that I control.  After much googling and reading, it is not
>> clear to me that a server with SMTP auth configured/enabled can relay
>> mail in both auth and non-auth modes.
>>
>> If one sendmail configuration cannot accommodate both SMTP auth and
>> access.db, does one setup a dedicated SMTP auth host with a SMART_HOST
>> option and feed incoming email to an non-auth instance of sendmail?
>>
>> Sorry if my terminology is ambiguous, I'm not a sendmail professional
>> by day.

> You can set up sendmail to do both auth and non-auth.  However best 
> practice is to use auth only to control any spam relaying.  Check the 
> sendmail.org website FAQ's for setting this up.  You will want to 
> probably use cyrus-sasl or cyrus-sasl2 ports along with sendmail.

A good solution to this is to use port 587 for authenticated new mail
submission and leave port 25 for the normal MTA-to-MTA type of (not
authenticated) traffic.  Firstly, to enable authentication you need to
compile sendmail against cyrus SASL2 (don't bother with SASL1 -- it's
legacy only).  Now, you can either do that by installing sendmail
from ports, or you can install the cyrus-sasl port and then make the
base system sendmail link against it by adding this to /etc/make.conf:

# Build the base system sendmail against the cyrus-sasl2 port (SASL v2 API)
SENDMAIL_CFLAGS+=       -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+=      -L/usr/local/lib
SENDMAIL_LDADD+=        -lsasl2

I also like to use these two so that any milters etc. I build from
ports interoperate with the base system sendmail.

# So that milters etc. built from ports interoperate with the base system sendmail
SENDMAIL_MILTER_IN_BASE=        yes
WITH_SENDMAIL_BASE=     yes

In order to do SMTP AUTH most effectively, you should enable STARTTLS
support -- I always feel better knowing that passwords are sent over an
encrypted connection.  This is a guide to what you need in your
$(hostname).mc to add STARTTLS with AUTH /required/ on mail submitted
via port 587, but not provided on port 25:

first: turn off the default MSA setup, which we'll provide our own
settings for later:

FEATURE(no_default_msa)dnl ## overridden with DAEMON_OPTIONS below

[...]

second: basic configuration for SMTP AUTH -- which mechanisms are supported.
Note that LOGIN should only ever be allowed over encrypted connections, as it
sends passwords in plain text.  You can also authenticate by using SSL
certificates, but that is handled directly by sendmail and you don't need to
list EXTERNAL as a SASL mechanism.

dnl ## Set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_REALM', `your.domain.name')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl

[...]

thirdly: insert the IP numbers of your servers into the following rules --
if you don't use IPv6 you can omit the lines for the external address, but
you'll find things seem to work rather more smoothly if you keep the ::1 entries.

The M=E flag says 'disable ETRN', the M=Ea flags say 'require authentication
(and disable ETRN)', and M=A means 'don't offer authentication here'.  Note that
I'm only requiring authentication on the external interfaces, so I implicitly
trust myself to submit e-mails via localhost:587 without it.  Your requirements
may differ.  See
http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html
for an explanation of the capabilities of DAEMON_OPTIONS:

dnl
dnl Where the sendmail daemon should listen
dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=12.34.56.78, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=127.0.0.1, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv6, Addr=::1, M=A, Family=inet6')dnl
DAEMON_OPTIONS(`Name=IPv6, Addr=2000:aa:bb:cc::1, M=A, Family=inet6')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=12.34.56.78, Port=587, M=Ea')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=127.0.0.1, Port=587, M=E')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=2000:aa:bb:cc::1, Port=587, M=Ea, Family=inet6')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=::1, Port=587, M=E, Family=inet6')dnl

fourthly: enable SSL capabilities in sendmail.  See 
http://aput.net/~jheiss/sendmail/tlsandrelay.shtml for a good article on
configuring this stuff (although ignore the section on compiling
sendmail: you get that automatically built into the base system sendmail
already)

dnl
dnl TLS stuff
dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

fifthly: there is no fifthly -- you're done.  Build a sendmail.cf and test
that it all works.

	Cheers,

	Matthew 

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
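As a check on a server built from the recipe above, here is an added example
(not part of Matthew's post) that probes a finished sendmail for the intended
split: port 25 must not offer AUTH (M=A), port 587 must offer STARTTLS and then
AUTH with ETRN disabled (M=Ea), and LOGIN or PLAIN must never be advertised
before STARTTLS, the condition the post warns about.  The hostname
mail.example.com and the EHLO replies embedded in the script are constructed;
check_policy() runs offline on those, and probe() applies the same rules to a
live host and additionally expects an unauthenticated MAIL FROM on 587 to be
refused with 530.

```python
"""Verify the port-25 / port-587 split from the post.  Added example, not code
from the original message.  Hostnames and EHLO replies below are constructed."""
import smtplib
import ssl
from typing import Dict, List, Optional

# Mechanisms that hand the password to anyone sniffing an unencrypted session.
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}


def parse_ehlo(reply: bytes) -> Dict[str, List[str]]:
    """Turn an EHLO reply body (as smtplib's ehlo() returns it: greeting line,
    then one extension per line, no status codes) into {EXTENSION: [params]}."""
    exts: Dict[str, List[str]] = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        parts = line.split()
        if parts:
            exts[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return exts


def check_policy(port: int, ehlo_plain: bytes,
                 ehlo_tls: Optional[bytes] = None) -> List[str]:
    """Return the list of policy violations (empty list means compliant).

    ehlo_plain: EHLO reply on the cleartext connection.
    ehlo_tls:   EHLO reply after STARTTLS, or None if TLS was not negotiated.
    """
    pre = parse_ehlo(ehlo_plain)
    post = parse_ehlo(ehlo_tls) if ehlo_tls is not None else {}
    problems: List[str] = []
    if port == 25:
        # DAEMON_OPTIONS(... M=A): authentication must not be offered at all.
        if "AUTH" in pre or "AUTH" in post:
            problems.append("port 25 advertises AUTH; expected none (M=A)")
    elif port == 587:
        # DAEMON_OPTIONS(... Port=587, M=Ea): STARTTLS, then AUTH, and no ETRN.
        if "STARTTLS" not in pre:
            problems.append("port 587 does not advertise STARTTLS")
        if "AUTH" not in post:
            problems.append("port 587 advertises no AUTH after STARTTLS (M=a needs a mechanism)")
        if "ETRN" in pre or "ETRN" in post:
            problems.append("port 587 advertises ETRN; M=E should disable it")
    # On any port: a plaintext mechanism offered before STARTTLS leaks passwords.
    leaked = PLAINTEXT_MECHS & set(pre.get("AUTH", []))
    if leaked:
        problems.append(f"port {port} offers {sorted(leaked)} before STARTTLS")
    return problems


def probe(host: str, port: int, timeout: float = 10.0) -> List[str]:
    """Live check against a real server (not exercised offline).  On 587 it also
    confirms that an unauthenticated MAIL FROM is refused with 530 (the M=a part)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        _, plain = s.ehlo("probe.example.net")
        tls = None
        if port != 25 and s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            _, tls = s.ehlo("probe.example.net")
        problems = check_policy(port, plain, tls)
        if port == 587:
            code, _ = s.mail("probe@example.net")
            if code != 530:
                problems.append(f"port 587 accepted unauthenticated MAIL FROM (code {code})")
        return problems


# Constructed EHLO replies in the shape smtplib returns them (greeting first).
GREETING = b"mail.example.com Hello client.example.net [203.0.113.5], pleased to meet you"
EHLO_PORT25 = b"\n".join([
    GREETING, b"ENHANCEDSTATUSCODES", b"PIPELINING", b"8BITMIME", b"SIZE",
    b"DSN", b"ETRN", b"STARTTLS", b"DELIVERBY", b"HELP",
])
EHLO_PORT587_PLAIN = b"\n".join([
    GREETING, b"ENHANCEDSTATUSCODES", b"PIPELINING", b"8BITMIME", b"SIZE",
    b"DSN", b"STARTTLS", b"DELIVERBY", b"HELP",
])
EHLO_PORT587_TLS = b"\n".join([
    GREETING, b"ENHANCEDSTATUSCODES", b"PIPELINING", b"8BITMIME", b"SIZE",
    b"DSN", b"AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN", b"DELIVERBY", b"HELP",
])
# A misconfigured MSA that offers LOGIN before the session is encrypted.
EHLO_PORT587_LEAKY = EHLO_PORT587_PLAIN + b"\nAUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    for p in (25, 587):
        print(p, probe(target, p) or "OK")
```

Run it as `python3 check_msa.py your.mail.host` once sendmail.cf has been
rebuilt.  The plaintext-before-STARTTLS check is the one to watch: the .mc
above lists LOGIN in confAUTH_MECHANISMS but nothing in it ties LOGIN to an
encrypted session, so sendmail will advertise it on the cleartext 587 EHLO as
well.  The sendmail knob for that is `define(`confAUTH_OPTIONS', `p')`, which
withholds mechanisms vulnerable to passive sniffing (PLAIN, LOGIN) until a
security layer such as TLS is active; adding it is my suggestion, not part of
the post.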
