Best practice: sendmail and SMTP auth

Doug Poland doug at
Thu Mar 13 12:10:41 UTC 2008

On Thu, Mar 13, 2008 at 01:43:11AM +0000, Matthew Seaman wrote:
> Derek Ragona wrote:
> >At 02:19 PM 3/12/2008, Doug Poland wrote:
> >>Hello,
> >>
> >>Not sure if this is the most appropriate place for this question,
> >>but since all my servers are FreeBSD 6.x/7.x, I'll give it a go...
> >>
> >>I am considering setting up SMTP auth on a number of sendmail
> >>instances that I control.  After much googling and reading, it is
> >>not clear to me that a server with SMTP auth configured/enabled can
> >>relay mail in both auth and non-auth modes.
> >>
> >>If one sendmail configuration cannot accommodate both SMTP auth and
> >>access.db, does one setup a dedicated SMTP auth host with a
> >>SMART_HOST option and feed incoming email to a non-auth instance of
> >>sendmail?
> >>
> >>Sorry if my terminology is ambiguous, I'm not a sendmail
> >>professional by day.
> >You can set up sendmail to do both auth and non-auth.  However best
> >practice is to use auth only to control any spam relaying.  Check the
> > website FAQs for setting this up.  You will want to
> >probably use cyrus-sasl or cyrus-sasl2 ports along with sendmail.
> A good solution to this is to use port 587 for Authenticated new mail
> submission and leave port 25 for the normal MTA-MTA type of (not
> authenticated) traffic.  Firstly, to enable authentication you need to
> compile sendmail against cyrus SASL2 (don't bother with SASL1 -- it's
> legacy only).  Now, you can either do that by installing sendmail from
> ports, or you can install the cyrus-sasl port and then make the base
> system sendmail link against it by adding this to /etc/make.conf:
> SENDMAIL_CFLAGS+=       -I/usr/local/include -DSASL=2
> SENDMAIL_LDFLAGS+=      -L/usr/local/lib
> SENDMAIL_LDADD+=        -lsasl2
> I also like to use these two so that any milters etc. I build from
> ports interoperate with the base system sendmail.
> In order to do SMTP AUTH most effectively, you should enable STARTSSL
> support -- I always feel better knowing that passwords are sent over an
> encrypted connection.  This is a guide to what you need in your
> $(hostname).mc to add STARTSSL with AUTH /required/ on mail submitted
> via port 587, but not provided on port 25:
> first: turn off the default MSA setup, which we'll provide our own
> settings for later:
> FEATURE(no_default_msa)dnl ## overridden with DAEMON_OPTIONS below
> [...]
> second: basic configuration for SMTP AUTH -- what mechanisms are
> supported Note that LOGIN should only ever be allowed over encrypted
> connections as it sends passwords in plain text.  You can also
> authenticate by using SSL certificates but that is handled directly by
> sendmail and you don't need to list EXTERNAL as a SASL mechanism.
> dnl ## Set SASL options
> define(`confAUTH_REALM', `')dnl
> define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
> [...]
> thirdly: insert the IP numbers of your servers into the following
> rules -- if you don't use IPv6 you can omit the lines for the external
> address, but you'll find things seem to work rather smoother if you
> keep the ::1 entries.
> The M=E flag says 'disable ETRN' and the M=Ea flag says 'require
> authentication (and disable ETRN)'.  M=A means 'don't offer
> authentication here'.  Note that I'm only requiring authentication on
> the external interfaces so I implicitly trust myself
> to submit e-mails via localhost:587 without it.  Your requirements may
> differ.  See
> for an explanation of the capabilities of DAEMON_OPTIONS:
> dnl
> dnl Where the sendmail daemon should listen
> dnl
> DAEMON_OPTIONS(`Name=IPv4, Addr=, M=A, Family=inet')dnl
> DAEMON_OPTIONS(`Name=IPv4, Addr=, M=A, Family=inet')dnl
> DAEMON_OPTIONS(`Name=IPv6, Addr=::1, M=A, Family=inet6')dnl
> DAEMON_OPTIONS(`Name=IPv6, Addr=2000:aa:bb:cc::1, M=A, Family=inet6')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=, Port=587, M=Ea')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=, Port=587, M=E')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=2000:aa:bb:cc::1, Port=587, M=Ea, Family=inet6')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=::1, Port=587, M=E, Family=inet6')dnl
> fourthly: enable SSL capabilities in sendmail.  See
> for a good article
> on configuring this stuff (although ignore the section on compiling
> sendmail: you get that automatically built into the base system
> sendmail already)
> dnl
> dnl TLS stuff
> dnl
> define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
> define(`confCACERT_PATH', `CERT_DIR')dnl
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
> fifthly: there is no fifthly -- you're done.  Build a and
> test that it all works.
> 	Cheers,
> 	Matthew 
Thank you very much for that comprehensive explanation.

