Sendmail TLS SASL SMTP-AUTH

From SlackWiki
Revision as of 23:22, 6 June 2009 by Erik (talk | contribs) (Copy from old)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search


Sendmail TLS SMTP-AUTH - A Quick and Dirty howto

Reliable, flexible, and configurable enough to solve any mail routing needs, sendmail has withstood the test of time, but has become no less daunting in its complexity. Even the most experienced system administrators have found it challenging to configure and difficult to understand. We cut through the chase and describe how to setup sendmail with industry standard encryption and discourage spam in less than an hour. Although described as a Slackware specific howto, the actual setup is similar for all UNIX's.

This HOWTO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. Copyright (C) 2006 Strykar: s_at_hackerzlair_dot_org

  • NOTE: I hate wiki markup and the latest and much more readable version of this howto can always be found at [1]

Sendmail server configuration achieved by this howto:

  • SMTP-AUTH based relay for authorized users only.
  • Encrypted SMTP-AUTH client/server transaction preventing sniffing of username and passwords.
  • Configure and use Cyrus SASL to verify user credentials against the UNIX shadow file.
  • Create and use your own SSL certificates. Get them signed at no charge by cacert.org and use their CRL.
  • Disable using the old SSLv2 protocol and support SSLv3 and TLSv1.
  • Enable/Disable use and verification of client certificates for user identification.
  • Throttle the number of connections sendmail will accept and limit the number of child processes it spawns.
  • Use features like delay checks to make full use of the versatile access_db.
  • Enable blacklisting recipients and use DNSBL for real-time blackisting of known spam hosts.
  • Use regular expressions and the MAP_REGEX feature to ease complicated header processing and re-writing. -- TBD
  • The ability to add any missing/desired sendmail feature to itself by mailing the author a postcard with pictures of mountains in your area.

Prerequisites:

  • Untouched Slackware 12 or updated to Slackware-current install Sendmailwise.
  • Latest version of sendmail - v 8.14.1 at the time of writing. You can check your version by sendmail -d0.1 -bt < /dev/null
  • Just wget && upgradepkg the latest version from your favorite Slackware mirror.
  • Make sure the output of the command above at least includes:

    Compiled with: DNSMAP LOG MAP_REGEX SASLv2 STARTTLS USERDB

  • Ensure you have the latest version of Cyrus-SASL - v 2.1.22 at the time of writing. See that our required password mechanisms are allowed by doing:

root@john:~# saslauthd -v saslauthd 2.1.22 authentication mechanisms: getpwent rimap shadow
shadow is what we will use.

  • A real hostname that is available when you: host myhost.org
  • Reset any configurations you may have played with for Cyrus-SASL and sendmail. Keep your pack of smokes and mug of coffee handy. Figure out why your system won't play nice if it doesn't meet any of the above prerequisites.
  • Call that friend who told you to move to Postfix and ask him to call you back in an hour.


Diving right in:

For the purpose of this HOWTO, we will assume the FQDN of the host is john.doe.org.

First, start by creating your private key and Certificate Signing Request (CSR) as shown in the much easier than before steps below. The only field in you need to fill is the Common Name (CN). Put your mailserver hostname there when prompted, like mail.doe.org


root@john:~# openssl genrsa 1024 > smtp.key.pem
root@john:~# openssl req -new -key smtp.key.pem > newreq.csr

Get the CSR signed by CAcert.org. That will give you the server certificate, paste it into a file named smtp.cert.pem


1. Make sure you have the user smmsp, sendmail will not start up unless it has it's own userid:

root@john::~# cat /etc/passwd | grep smmsp smmsp:x:25:25:smmsp:/var/spool/clientmqueue:


If not, create one:

root@john:~# groupadd -g 25 smmsp
root@john:~# useradd -u 25 -g 25 -c smmsp -d /var/spool/clientmqueue -s /usr/bin/true smmsp
root@john:~# mkdir -p /var/spool/clientmqueue /var/spool/mqueue
root@john:~# chmod 770 /var/spool/clientmqueue
root@john:~# chown smmsp /var/spool/clientmqueue
root@john:~# chgrp smmsp /var/spool/clientmqueue
root@john:~# chmod 700 /var/spool/mqueue
root@john:~# chown root /var/spool/mqueue
root@john:~# chgrp daemon /var/spool/mqueue


2. Now edit /etc/mail/access and make sure your hostname is in there:

root@john:~# cat /etc/mail/access
john.doe.org RELAY
doe.org RELAY


3. Now edit /etc/hosts and make sure 127.0.0.1 points to localhost:

root@john:~# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain
1.2.3.4 john.doe.org john

Replace 1.2.3.4 with the actual public IP address of your mailserver.


4. Now edit /etc/resolv.conf and make sure the DNS settings your ISP provided you are in there:

root@john:~# cat /etc/resolv.conf search doe.org nameserver 1.2.3.4

Replace 1.2.3.4 with the IP address of your ISP's DNS box.


5. Create a directory where sendmail will read your certificates for TLS from: root@john:~# mkdir /etc/mail/certs

Download the CAcert root certificate and their CRL from http://www.cacert.org/index.php?id=3 and name them CA.cert.pem and revoke.crl Copy all three (including the private key file) into /etc/mail/certs

These need strict permissions as they shouldn't be world-readable:

root@john:~# chmod -R 700 /etc/mail/certs root@john:~# chown -R root:sys /etc/mail/certs


6. Whip up your favorite editor (mine's joe) and edit /usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc

Make sure it includes all the options below. CAREFULLY READ the notes after the end of the configuration, denoted by dnl# EOF to understand the additions I have made to the default sendmail-slackware-tls-sasl.mc file. Ensure you know what you're doing if you modify anything. root@john:~# cat /usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc

dnl# This is the a sendmail .mc file for Slackware with TLS support.
dnl# To generate the sendmail.cf file from this (perhaps after making
dnl# some changes), use the m4 files in /usr/share/sendmail/cf like this:
dnl#
dnl# cp sendmail-slackware-tls.mc /usr/share/sendmail/cf/config.mc
dnl# cd /usr/share/sendmail/cf
dnl# sh Build config.cf
dnl#
dnl# You may then install the resulting .cf file:
dnl# cp config.cf /etc/mail/sendmail.cf
dnl#
include(`../m4/cf.m4')
VERSIONID(`TLS supporting setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
dnl#
dnl# You will need to create the certificates below with OpenSSL first:
define(`confCACERT_PATH', `/etc/mail/certs/')
define(`confCACERT', `/etc/mail/certs/CA.cert.pem')
define(`confSERVER_CERT', `/etc/mail/certs/smtp.cert.pem')
define(`confSERVER_KEY', `/etc/mail/certs/smtp.key.pem')
define(`confCRL', `/etc/mail/certs/revoke.crl')
dnl# These settings help protect against people verifying email addresses
dnl# at your site in order to send you email that you probably don't want:
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl# Uncomment the line below to send outgoing mail through an external server:
dnl define(`SMART_HOST',`mailserver.example.com')
dnl# No timeout for ident:
define(`confTO_IDENT', `0')dnl
dnl# Enable the line below to use smrsh to restrict what sendmail can run:
dnl FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
dnl# LOCAL_CONFIG dnl
dnl#CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULLdnl#dnl
See the README in /usr/share/sendmail/cf for a ton of information on
dnl# how these options work:
FEATURE(`delay_checks')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
dnl #FEATURE(`enhdnsbl', `relays.ordb.org', `', `t', `127.0.0.2')
FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected spam as" $&{client_addr} " found in dnsbl.sorbs.net"')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"Spam blocked see: http://www.abuse.net/sbl.phtml?IP="$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `list.dsbl.org', `"Spam blocked see: http://dsbl.org"$&{client_addr}', `t')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
FEATURE(`no_default_msa')dnl
dnl# Turn this feature on if you don't always have DNS, or enjoy junk mail:
dnl FEATURE(`accept_unresolvable_domains')dnl
EXPOSED_USER(`root')dnl
dnl# Also accept mail for localhost.localdomain:
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl# Allow SASL authentication/relaying:
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=E')dnl
dnl# EOF


Notice the filenames in
define(`confCACERT', `/etc/mail/certs/CA.cert.pem')
define(`confSERVER_CERT', `/etc/mail/certs/smtp.cert.pem')
define(`confSERVER_KEY', `/etc/mail/certs/smtp.key.pem')
-- make sure your certificates are named exactly the same as in your mc configuration.

I use free certificates signed by www.cacert.org and use their CRL - define(`confCRL', `/etc/mail/certs/revoke.crl') above.

The define(`confAUTH_OPTIONS', `A p y')dnl configures sendmail to:

  • A is a workaround for broken MTAs that do not implement RFC 2554.
  • The p option tells sendmail: "don't permit mechanisms susceptible to simple passive attack (e.g., LOGIN, PLAIN), unless a security layer (think TLS tunnel) is active."
  • The y option prohibits anonymous logins.

Take note that this will only allow LOGIN/PLAIN SMTP-AUTH after encryption has been established in a TLS tunnel. Allowing both TLS and non-TLS PLAIN/LOGIN SMTP-AUTH is left as an exercise to the reader.

Read: http://www.sendmail.org/~ca/email/doc8.12/op-sh-5.html#sh-5.6 for more information.

The define(`confCONNECTION_RATE_THROTTLE', `100') and define(`confMAX_DAEMON_CHILDREN',`1000') are for my configuration and should be set to 50% higher than what your requirements are. If you don't understand what this does (sendmail forks); comment those two lines out with a dnl# before them like: dnl# define (`confMAX_DAEMON_CHILDREN',`1000')

None of my user's email clients use certificates; this tells sendmail not to ask for them for one: define(`confTLS_SRV_OPTIONS', V')

SLACKWARE USERS NOTE line 37:

LOCAL CONFIG CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4 RSA: HIGH: MEDIUM:-LOW: SSLv3: TLSv1:-SSLv2: EXP: eNULL

This disables using the older SSLv2 protocol and allows SSLv3 and TLSv1. You'll need some openssl ciphers and perl-fu to get this going with Slackware 12 as it's not compiled with _FFR_TLS_1. STARTTLS

Read this for info on setting it up in Slackware, it's trivial. Some older clients don't speak TLS and you may want to skip this.


7. Now:

root@john:~# cd /usr/share/sendmail/cf/cf
root@john:~# m4 sendmail-slackware-tls-sasl.mc > /etc/mail/sendmail.cf

Also remember that the mc file should always end in a new line. So hit enter at the end of sendmail-slackware-tls-sasl.mc if m4 crashes with an m4: INTERNAL ERROR: recursive push_string error.


8. If the previous command gives no errors, you're done! Simply restart sendmail using /etc/rc.d/rc.sendmail restart

Now see what sendmail is saying by tail -f /var/log/maillog

You can increase log verbosity by adding: -O LogLevel=16 to /etc/rc.d/rc.sendmail


9. Also: Add hosts for which you receive mail to /etc/mail/local-host-names

root@john:~# cat /etc/mail/local-host-names
# names of hosts for which we receive email
john.doe.org doe.org


10. Make sure SASL is with you:

root@john:~# cat /usr/lib/sasl2/Sendmail.conf
pwcheck_method:saslauthd mech_list:login plain

root@john:~# testsaslauthd -u yourusername -p yourpassword

If you see:

0: OK! Success!

Congratulations! SASL is now working.

If not, make sure saslauthd is running by: /etc/rc.d/rc.saslauthd start


11. Most errors are because of not following this HOWTO to the T.

Go over each step again and confirm you did everything right.