Jun 10 2007

OpenBSD Sendmail + SMTP AUTH Mini-HOWTO [local]

Tag:tepezcuintle @ 15:03

with thanks to Craig Outcalt for pointing out the original OpenBSD Sendmail +
SMTP AUTH Mini-HOWTO (http://www.backwatcher.org/writing/howtos/obsd-sendmail+sasl.html)
[local: backwatcher.html]

This howto will detail how to (durh) set up the version of sendmail included
with OpenBSD 3.3 to accept authentication via Cyrus SASL.

these instructions work just fine with 3.6, and you do NOT need to re-compile
sendmail to enable SSMTP.

  1. install cyrus sasl v2
    # pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/`uname -r`/packages/`machine`/cyrus-sasl-2.1.11.tgz
  2. enable SASL in sendmail
    # echo WANT_SMTPAUTH= yes >> /etc/mk.conf
  3. set up a “proper” libsasl2
    # cd /usr/local/lib; ln -s libsasl2.so.2.11 libsasl2.so
  4. # cd /usr/src/gnu/usr.sbin/sendmail
  5. edit cf/cf/openbsd-proto.mc
    after the FEATURE(`no_default_msa') line, add:
    LOCAL_DOMAIN(`fqdn.of.machine.org')
    LOCAL_DOMAIN(`domain.org')
    define(`confAUTH_MECHANISMS',`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
    TRUST_AUTH_MECH(`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
    define(`confAUTH_OPTIONS',`p,y')dnl
    define(`confPRIVACY_FLAGS',`authwarnings,goaway')

    notes:

    • if you want to receive mail for other domains you can add
      LOCAL_DOMAIN directives as needed
    • the confAUTH_OPTIONS entry is optional, but since it
      blocks PLAIN and LOGIN attempts on unsecured channels (i.e. port 25 w/o
      a STARTTLS command issued first) it adds a beneficial bit of security.
      thanks, Zyl!
    • the confPRIVACY_FLAGS setting “goaway” simply disables
      EXPN, VRFY and VERB, denying information to the malicious. authwarnings
      is part of the default ruleset, so I added it for
      completeness.
  6. build sendmail
    # make clean obj depend && make && make install
  7. install the new config file
    # cp cf/cf/obj/openbsd-proto.cf /etc/mail/sendmail.cf
  8. add the SASL config file
    we’ll be using the sasl auth daemon, so…
    # echo pwcheck_method: saslauthd > /usr/local/lib/sasl2/Sendmail.conf
  9. add users with saslpasswd2
    # /usr/local/sbin/saslpasswd2 username

    saslpasswd2 may complain about kerberos; it may be helpful to
    # touch /etc/kerberosIV/srvtab
    to silence some of the warnings
  10. edit /etc/rc.conf
    remove -C/etc/mail/localhost.cf from sendmail_flags
  11. give sasl a directory to play in
    # mkdir /var/sasl2
  12. start saslauthd
    # /usr/local/sbin/saslauthd -a getpwent
  13. configure saslauthd to start at boot.
    add the following to /etc/rc.local

    if [ -x /usr/local/sbin/saslauthd ]; then
      echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a getpwent
    fi
    
  14. kill the existing sendmail
    # kill `head -n1 /var/run/sendmail.pid`

    STARTTLS
    if you want STARTTLS support, add the following to your .mc file:

    define(`confCACERT_PATH',`/etc/mail/certs')
    define(`confCACERT',`/etc/mail/certs/ca-bundle.crt')
    define(`confSERVER_CERT',`/etc/mail/certs/sendmail.pem')
    define(`confSERVER_KEY',`/etc/mail/certs/sendmail.pem')
    

    then run the following commands to generate your self-signed
    certificates (unless you ponied up $300 to Thawte).

    # mkdir /etc/mail/certs
    # cd /etc/mail/certs
    # PEM1=`mktemp /tmp/openssl.XXXXXX`
    # PEM2=`mktemp /tmp/openssl.XXXXXX`
    # openssl req -newkey rsa:1024 -keyout $PEM1 \
        -nodes -x509 -days 365 -out $PEM2
    # cat $PEM1 >  sendmail.pem
    # echo ""   >> sendmail.pem
    # cat $PEM2 >> sendmail.pem
    # cp $PEM2 ca-bundle.crt
    # rm $PEM1 $PEM2
    # chmod 400 sendmail.pem
    # chmod 400 ca-bundle.crt
    

    and, of course, recreate /etc/mail/sendmail.cf and restart
    sendmail.

    thanks to Richard Harms for pulling this information out of a RedHat 8.0
    install. see http://flint.kitiara.com/Lists-Archives/l-cialug-0306/msg00023.html
    [local] and http://flint.kitiara.com/Lists-Archives/l-cialug-0306/msg00025.html
    [local]
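Once sendmail.cf is rebuilt with the step 5 AUTH settings and the STARTTLS defines above, the following added check (not part of this howto) confirms that confAUTH_OPTIONS `p' really withholds PLAIN and LOGIN until STARTTLS and that goaway keeps EXPN and VERB out of the EHLO reply; the host name, mechanism lists and EHLO transcripts are constructed samples.

```python
"""Check that confAUTH_OPTIONS `p' and confPRIVACY_FLAGS `goaway' are in effect
by comparing the EHLO capability list before and after STARTTLS.  The EHLO
transcripts below are constructed samples, not captured output."""
import smtplib

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # must not be offered before STARTTLS
INFO_LEAK_VERBS = {"EXPN", "VERB"}    # sendmail lists these in EHLO unless goaway

BEFORE_TLS = """250-mail.example.org Hello client.example.invalid [192.0.2.10], pleased to meet you
250-AUTH CRAM-MD5 DIGEST-MD5
250-STARTTLS
250 HELP"""
AFTER_TLS = """250-mail.example.org Hello client.example.invalid [192.0.2.10], pleased to meet you
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250 HELP"""

def parse_ehlo(reply):
    """Map each '250-KEYWORD params' line of an EHLO reply to {KEYWORD: [params]}."""
    feats = {}
    for line in reply.splitlines():
        parts = line[4:].split() if line.startswith("250") else []
        if parts:
            feats[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return feats

def assess(before, after):
    """Return policy findings; an empty list means the server behaves as intended."""
    findings = []
    leaked = set(before.get("AUTH", [])) & CLEARTEXT_MECHS
    if leaked:
        findings.append("cleartext AUTH before STARTTLS: " + " ".join(sorted(leaked)))
    if "STARTTLS" not in before:
        findings.append("STARTTLS not advertised on the plain connection")
    if not after.get("AUTH"):
        findings.append("no AUTH mechanism offered after STARTTLS")
    for verb in sorted(INFO_LEAK_VERBS & (set(before) | set(after))):
        findings.append("goaway not in effect: %s advertised" % verb)
    return findings

def live_check(host, port=25):
    """Run the same comparison against a real server (needs network access)."""
    features = lambda s: {k.upper(): v.upper().split() for k, v in s.esmtp_features.items()}
    with smtplib.SMTP(host, port) as s:
        s.ehlo()
        before = features(s)
        s.starttls()
        s.ehlo()
        after = features(s)
    return assess(before, after)
```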

    SSMTP
    ssmtp (on port 465) is the other half-assed hack to get encryption on an smtp
    connection. there’s a _FFR (for future release) option you can compile into
    sendmail to enable this feature.

    compile _FFR_SMTP_SSL into sendmail

    1. patch /usr/src/gnu/usr.sbin/sendmail/sendmail/Makefile
      --- gnu/usr.sbin/sendmail/sendmail/Makefile     Sun Jun  8 15:43:33 2003
      +++ gnu/usr.sbin/sendmail/sendmail/Makefile     Sun Jun  8 15:05:56 2003
      @@ -9,7 +9,7 @@
       WANT_LIBSMUTIL=1
      
       # For TLS/SSL support
      -ENVDEF+= -DSTARTTLS
      +ENVDEF+= -DSTARTTLS -D_FFR_SMTP_SSL
       LDADD+= -lssl -lcrypto
       DPADD= ${LIBSSL} ${LIBCRYPTO}
      
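      Review bot: the `+ENVDEF+= -DSTARTTLS -D_FFR_SMTP_SSL` line is only needed on the 3.3 tree; the note at the top of the page says 3.6 does not need a rebuild for SSMTP, so readers on 3.6 should skip this hunk. Also check the file header before applying: the `+++` (new) file is stamped 15:05:56, earlier than the `---` (old) file at 15:43:33, which suggests the diff may have been generated in the reverse direction.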
    2. re-build sendmail
      # cd /usr/src/gnu/usr.sbin/sendmail
      # make clean && make
      # make install

    enable ssmtp in
    /usr/src/gnu/usr.sbin/sendmail/cf/cf/openbsd-proto.mc

    1. # cd /usr/src/gnu/usr.sbin/sendmail/cf/cf
    2. add the following line to openbsd-proto.mc
      DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl
    3. rebuild and install the config
      # make
      # cp obj/openbsd-proto.cf /etc/mail/sendmail.cf

    restart sendmail

    1. kill the existing sendmail
      # kill `head -n1 /var/run/sendmail.pid`
    2. start the new sendmail
      # . /etc/rc.conf
      # /usr/sbin/sendmail $sendmail_flags

    thanks to David Magda for pointing out a post to comp.mail.sendmail
    (http://groups.google.com/groups?selm=3D9C2B4C.EEC98054%40Andrzej.Adam.Filip)
    [local] from Andrzej Filip (originally from Krzysztof Oledzki on
    pl.comp.mail.mta) to enable this feature

    MILTER-REGEX
    this milter rejects mail based on regular expressions. written by Daniel
    Hartmeier of PF fame, it’s pretty brain-dead easy to use. i just use it for
    blocking Swen for now, but it looks like it has great potential. see
    http://www.benzedrine.cx/milter-regex.html for details on installation and use.

    SPAMHAUS XBL+SBL
    i’ve been using the spamhaus sbl+xbl dnsbl for a while now, and it seems to
    be pretty effective. to make it happen, just add the following to your
    openbsd-proto.mc, recompile the .mc, install the resulting .cf, and restart
    sendmail.

    FEATURE(`dnsbl', `sbl-xbl.spamhaus.org',
            `"571 ACCESS DENIED to <"$&f"> thru "$&{client_name}"by /spamhaus/ ;Please see http://www.spamhaus.org/sbl/"')dnl
    

    CYRUS-IMAPD

    if you’d like an imap and pop3 server, i suggest reading this:
    http://www.monkey.org/openbsd/archive/ports/0302/msg00266.html
    [local] … a port of cyrus-imapd 2.1.12
    for openbsd. makes life easier (but make sure you install
    /usr/ports/databases/db first). also note that if you remove libotp.* from
    /usr/local/lib/sasl2 OTP secrets will not be created and *-MD5
    authentication will fail.

    if anything breaks, it’s not my fault. this should work, but i offer no
    warranty for the usability, etc, etc, of this document.
    #include <standardDisclaimer.h>