Sendmail AUTH & Server STARTTLS FreeBSD 9.2

Background

I have an email server running on my ADSL line, and I want people to be able to send email via my SMTP server, authenticating through PAM. I use FreeBSD, where the default mail server is sendmail. To use PAM authentication with sendmail and saslauthd, plaintext authentication must be used. As plaintext authentication is insecure on its own, the SMTP session has to be encapsulated in TLS before the password is sent. There are several steps to complete to get this working. I will assume that you already have PAM and sendmail working.

  1. install cyrus-sasl2 and cyrus-sasl2-saslauthd
  2. recompile sendmail with the sasl2 libraries
  3. configure PAM
  4. create certificates
  5. configure sendmail

Install cyrus-sasl2 and cyrus-sasl2-saslauthd

Installing these ports is simple, as there are no additional options to set or configuration to create.

# cd /usr/ports/security/cyrus-sasl2
# make install
# cd /usr/ports/security/cyrus-sasl2-saslauthd
# make install

Following the installation of cyrus-sasl2-saslauthd, enable the service by adding the following line to /etc/rc.conf:

saslauthd_enable="YES"

Now start the service with:

# service saslauthd start

Recompile sendmail with the sasl libraries

Before recompiling sendmail, ensure that the entire FreeBSD source tree is installed and patched to match the release you are running. Once your source is up to date, edit /etc/make.conf and add the following lines:

SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

Recompile sendmail with the following commands:

# cd /usr/src/lib/libsmutil
# make cleandir && make obj && make
# cd /usr/src/lib/libsm
# make cleandir && make obj && make
# cd /usr/src/usr.sbin/sendmail
# make cleandir && make obj && make && make install

Configure PAM

The sendmail / saslauthd combination uses the /etc/pam.d/sendmail PAM configuration file, which needs to be created. The existing /etc/pam.d/imap file is a good template. I use LDAP within PAM, so I have pam_ldap.so lines added; here is my example PAM configuration file.

# 
# $FreeBSD: release/9.2.0/etc/pam.d/imap 170771 2007-06-15 11:33:13Z yar $ 
# 
# PAM configuration for the "imap" service 
#
# auth 
#auth           sufficient      pam_krb5.so             no_warn try_first_pass 
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
# account 
#account        required        pam_nologin.so 
account         required        /usr/local/lib/pam_ldap.so 
account         required        pam_unix.so

Create certificate

An SSL X.509 certificate is required for the sendmail server to offer TLS. The following page shows how to create a certificate. I place my certificates in /etc/mail/ssl.

Configure sendmail

Finally, sendmail's configuration files need updating to tell sendmail to offer STARTTLS and authentication. The configuration items need adding to the local .mc file, usually /etc/mail/<hostname>.mc. The first lines to add enable SASL authentication:

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

The second set of lines configures STARTTLS:

define(`CERT_DIR', `/etc/mail/ssl')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mercury.rjctest.co.uk.crt')dnl
define(`confSERVER_CERT', `CERT_DIR/mercury.rjctest.co.uk.crt')dnl
define(`confSERVER_KEY', `CERT_DIR/mercury.rjctest.co.uk.key')dnl
define(`confAUTH_OPTIONS', `A,p,y')dnl

Also, whilst editing the sendmail config, I add a line to silently drop mail to unknown recipients. Note that the bit-bucket alias needs to exist, pointing to /dev/null.

define(`LUSER_RELAY', `local:bit-bucket')dnl

Now all that remains is to build the .cf files and install them, from /etc/mail:

# make && make install && make restart

Now sendmail should be accepting STARTTLS and AUTH; this can be checked by connecting to sendmail locally and sending EHLO, both before and after issuing STARTTLS.
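As an added example (not part of the original post), the following Python script automates that EHLO check with the standard-library smtplib: it records the EHLO feature list in the clear, upgrades the session with STARTTLS, records the feature list again, and reports whether the plaintext mechanisms LOGIN and PLAIN were held back until TLS was active, which is what the `p` flag in confAUTH_OPTIONS is meant to guarantee. It assumes the server is on localhost port 25 and that the certificate is self-signed unless a CA file is passed as the second argument; the SAMPLE_* feature dictionaries are constructed test data, not output from the author's server.

```python
"""Check that a sendmail server offers STARTTLS and only advertises plaintext
AUTH mechanisms once TLS is active. Added example, not from the original post.
Assumes the server listens on localhost:25 and uses a self-signed certificate
unless a CA file is supplied."""
import json
import smtplib
import ssl
import sys

# Mechanisms that send the password in the clear; sendmail's AuthOptions 'p'
# flag keeps these out of the EHLO reply until a security layer is active.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample EHLO feature sets, shaped like smtplib.SMTP.esmtp_features
# (lowercase keys; smtplib prefixes AUTH parameters with a space).
SAMPLE_BEFORE_TLS = {"starttls": "", "size": "0", "8bitmime": "", "pipelining": ""}
SAMPLE_AFTER_TLS = {"auth": " LOGIN PLAIN", "size": "0", "8bitmime": "", "pipelining": ""}


def mechanisms(features):
    """Return the upper-cased set of AUTH mechanisms in an EHLO feature dict."""
    return set(features.get("auth", "").upper().split())


def audit_ehlo(before_tls, after_tls):
    """Compare EHLO replies taken before and after STARTTLS and list problems."""
    findings = []
    if "starttls" not in before_tls:
        findings.append("STARTTLS not offered")
    leaked = mechanisms(before_tls) & PLAINTEXT_MECHS
    if leaked:
        findings.append("plaintext AUTH offered before STARTTLS: " + " ".join(sorted(leaked)))
    if "starttls" in before_tls and not mechanisms(after_tls):
        findings.append("no AUTH mechanisms offered after STARTTLS")
    return {
        "ok": not findings,
        "findings": findings,
        "mechanisms_after_tls": sorted(mechanisms(after_tls)),
    }


def probe(host="localhost", port=25, cafile=None, helo_name="localhost"):
    """Connect, record EHLO features, upgrade to TLS if offered, EHLO again, audit."""
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)  # verify against our own CA cert
    else:
        ctx = ssl.create_default_context()  # self-signed server cert: skip verification
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo(helo_name)
        before = dict(smtp.esmtp_features)
        after = {}
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo(helo_name)  # starttls() resets the feature list, so ask again
            after = dict(smtp.esmtp_features)
    return audit_ehlo(before, after)


def demo():
    """Run the audit on the constructed samples (no network needed)."""
    return audit_ehlo(SAMPLE_BEFORE_TLS, SAMPLE_AFTER_TLS)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        result = demo()
    print(json.dumps(result, indent=2))
```

Run it with no arguments to see the audit applied to the constructed samples, or as `python3 check_starttls.py localhost [/etc/mail/ssl/ca.crt]` against the live server; a non-empty findings list means either STARTTLS is missing or a plaintext mechanism is being advertised before the session is encrypted.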

References

I have used the following references in creating this page.

https://blogs.oracle.com/jbeck/entry/how_to_set_up_sendmail

http://www2.weldon.whipple.org/sendmail/starttlstut.html

http://www.freebsd.org/doc/handbook/smtp-auth.html