Erik: Copy from old

2009-06-06T23:22:18Z

Copy from old

New page

[[Category:Tutorials]]

= Sendmail TLS SMTP-AUTH - A Quick and Dirty howto =

Reliable, flexible, and configurable enough to solve any mail routing needs, '''sendmail''' has withstood the test of time, but has become no less daunting in its complexity. Even the most experienced system administrators have found it challenging to configure and difficult to understand. We cut through the chase and describe how to setup sendmail with industry standard encryption and discourage spam in less than an hour. Although described as a Slackware specific howto, the actual setup is similar for all UNIX's.

This HOWTO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. Copyright (C) 2006 Strykar: s_at_hackerzlair_dot_org

* NOTE: I hate wiki markup and the latest and much more readable version of this howto can always be found at [http://www.hungryhacker.com/articles/misc/sendmail_howto.html]

== Sendmail server configuration achieved by this howto: ==

* SMTP-AUTH based relay for authorized users only.
* Encrypted SMTP-AUTH client/server transaction preventing sniffing of username and passwords.
* Configure and use Cyrus SASL to verify user credentials against the UNIX shadow file.
* Create and use your own SSL certificates. Get them signed at no charge by cacert.org and use their CRL.
* Disable using the old SSLv2 protocol and support SSLv3 and TLSv1.
* Enable/Disable use and verification of client certificates for user identification.
* Throttle the number of connections sendmail will accept and limit the number of child processes it spawns.
* Use features like delay checks to make full use of the versatile access_db.
* Enable blacklisting recipients and use DNSBL for real-time blackisting of known spam hosts.
* Use regular expressions and the MAP_REGEX feature to ease complicated header processing and re-writing. -- '''TBD'''
* The ability to add any missing/desired sendmail feature to itself by mailing the author a postcard with pictures of mountains in your area.

== Prerequisites: ==

* Untouched Slackware 12 or updated to Slackware-current install Sendmailwise.
* Latest version of sendmail - v 8.14.1 at the time of writing. You can check your version by <code>sendmail -d0.1 -bt < /dev/null</code>
* Just <code>wget && upgradepkg</code> the latest version from your favorite Slackware mirror.
* Make sure the output of the command above at least includes: <blockquote>Compiled with: <code>DNSMAP LOG MAP_REGEX SASLv2 STARTTLS USERDB</code></blockquote>
* Ensure you have the latest version of Cyrus-SASL - v 2.1.22 at the time of writing. See that our required password mechanisms are allowed by doing:
<code>root@john:~# saslauthd -v saslauthd 2.1.22 authentication mechanisms: getpwent rimap shadow</code> shadow is what we will use.

* A real hostname that is available when you: <code>host myhost.org</code>
* Reset any configurations you may have played with for Cyrus-SASL and sendmail. Keep your pack of smokes and mug of coffee handy. Figure out why your system won't play nice if it doesn't meet any of the above prerequisites.
* Call that friend who told you to move to Postfix and ask him to call you back in an hour.

=== Diving right in: ===

''For the purpose of this HOWTO, we will assume the FQDN of the host is <code>john.doe.org.</code>''

First, start by creating your private key and Certificate Signing Request (CSR) as shown in the much easier than before steps below. The only field in you need to fill is the Common Name (CN). Put your mailserver hostname there when prompted, like <code>mail.doe.org</code>

 <code>root@john:~# openssl genrsa 1024 > smtp.key.pem root@john:~# openssl req -new -key smtp.key.pem > newreq.csr</code>

Get the CSR signed by CAcert.org. That will give you the server certificate, paste it into a file named <code>smtp.cert.pem</code>

'''1.''' Make sure you have the user <code>smmsp</code>, sendmail will not start up unless it has it's own userid:

<code>root@john::~# cat /etc/passwd | grep smmsp smmsp:x:25:25:smmsp:/var/spool/clientmqueue:</code>

 If not, create one:

<code>root@john:~# groupadd -g 25 smmsp root@john:~# useradd -u 25 -g 25 -c smmsp -d /var/spool/clientmqueue -s /usr/bin/true smmsp root@john:~# mkdir -p /var/spool/clientmqueue /var/spool/mqueue root@john:~# chmod 770 /var/spool/clientmqueue root@john:~# chown smmsp /var/spool/clientmqueue root@john:~# chgrp smmsp /var/spool/clientmqueue root@john:~# chmod 700 /var/spool/mqueue root@john:~# chown root /var/spool/mqueue root@john:~# chgrp daemon /var/spool/mqueue </code>

'''2.''' Now edit <code>/etc/mail/access</code> and make sure your hostname is in there:

<code>root@john:~# cat /etc/mail/access john.doe.org RELAY doe.org RELAY</code>

'''3.''' Now edit <code>/etc/hosts</code> and make sure 127.0.0.1 points to localhost:

<code>root@john:~# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain 1.2.3.4 john.doe.org john</code>

Replace 1.2.3.4 with the actual public IP address of your mailserver.

'''4.''' Now edit <code>/etc/resolv.conf</code> and make sure the DNS settings your ISP provided you are in there:

<code>root@john:~# cat /etc/resolv.conf search doe.org nameserver 1.2.3.4</code>

Replace 1.2.3.4 with the IP address of your ISP's DNS box.

'''5.''' Create a directory where sendmail will read your certificates for TLS from:
<code>root@john:~# mkdir /etc/mail/certs</code>

Download the CAcert root certificate and their CRL from http://www.cacert.org/index.php?id=3 and name them <code>CA.cert.pem</code> and <code>revoke.crl</code>
Copy all three (including the private key file) into <code>/etc/mail/certs</code>

These need strict permissions as they shouldn't be world-readable:

<code>root@john:~# chmod -R 700 /etc/mail/certs root@john:~# chown -R root:sys /etc/mail/certs</code>

'''6.''' Whip up your favorite editor (mine's <code>joe</code>) and edit <code>/usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc</code>

Make sure it includes all the options below. CAREFULLY READ the notes after the end of the configuration, denoted by <code>dnl# EOF</code> to understand the additions I have made to the default <code>sendmail-slackware-tls-sasl.mc</code> file. Ensure you know what you're doing if you modify anything.
<code>
root@john:~# cat /usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc dnl# This is the a sendmail .mc file for Slackware with TLS support. dnl# To generate the sendmail.cf file from this (perhaps after making dnl# some changes), use the m4 files in /usr/share/sendmail/cf like this: dnl# dnl# cp sendmail-slackware-tls.mc /usr/share/sendmail/cf/config.mc dnl# cd /usr/share/sendmail/cf dnl# sh Build config.cf dnl# dnl# You may then install the resulting .cf file: dnl# cp config.cf /etc/mail/sendmail.cf dnl# include(`../m4/cf.m4') VERSIONID(`TLS supporting setup for Slackware Linux')dnl OSTYPE(`linux')dnl dnl# dnl# You will need to create the certificates below with OpenSSL first: define(`confCACERT_PATH', `/etc/mail/certs/') define(`confCACERT', `/etc/mail/certs/CA.cert.pem') define(`confSERVER_CERT', `/etc/mail/certs/smtp.cert.pem') define(`confSERVER_KEY', `/etc/mail/certs/smtp.key.pem') define(`confCRL', `/etc/mail/certs/revoke.crl') dnl# These settings help protect against people verifying email addresses dnl# at your site in order to send you email that you probably don't want: define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl dnl# Uncomment the line below to send outgoing mail through an external server: dnl define(`SMART_HOST',`mailserver.example.com') dnl# No timeout for ident: define(`confTO_IDENT', `0')dnl dnl# Enable the line below to use smrsh to restrict what sendmail can run: dnl FEATURE(`smrsh',`/usr/sbin/smrsh')dnl dnl# LOCAL_CONFIG dnl dnl#CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULLdnl#dnl See the README in /usr/share/sendmail/cf for a ton of information on dnl# how these options work: FEATURE(`delay_checks')dnl FEATURE(`use_cw_file')dnl FEATURE(`use_ct_file')dnl FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl FEATURE(`blacklist_recipients')dnl dnl #FEATURE(`enhdnsbl', `relays.ordb.org', `', `t', `127.0.0.2') FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected spam as" $&{client_addr} " found in dnsbl.sorbs.net"')dnl FEATURE(`enhdnsbl', `zen.spamhaus.org', `"Spam blocked see: http://www.abuse.net/sbl.phtml?IP="$&{client_addr}', `t')dnl FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl FEATURE(`enhdnsbl', `list.dsbl.org', `"Spam blocked see: http://dsbl.org"$&{client_addr}', `t')dnl FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl FEATURE(`always_add_domain')dnl FEATURE(`redirect')dnl FEATURE(`no_default_msa')dnl dnl# Turn this feature on if you don't always have DNS, or enjoy junk mail: dnl FEATURE(`accept_unresolvable_domains')dnl EXPOSED_USER(`root')dnl dnl# Also accept mail for localhost.localdomain: LOCAL_DOMAIN(`localhost.localdomain')dnl MAILER(local)dnl MAILER(smtp)dnl MAILER(procmail)dnl dnl# Allow SASL authentication/relaying: define(`confAUTH_OPTIONS', `A p y')dnl define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=E')dnl dnl# EOF
</code>

Notice the filenames in <code>define(`confCACERT', `/etc/mail/certs/CA.cert.pem') define(`confSERVER_CERT', `/etc/mail/certs/smtp.cert.pem') define(`confSERVER_KEY', `/etc/mail/certs/smtp.key.pem')</code> -- make sure your certificates are named exactly the same as in your mc configuration.

I use free certificates signed by [http://www.cacert.org www.cacert.org] and use their CRL - <code>define(`confCRL', `/etc/mail/certs/revoke.crl')</code> above.

The <code>define(`confAUTH_OPTIONS', `A p y')dnl</code> configures sendmail to:

* <code>A</code> is a workaround for broken MTAs that do not implement RFC 2554.
* The <code>p</code> option tells sendmail: "don't permit mechanisms susceptible to simple passive attack (e.g., <code>LOGIN, PLAIN</code>), unless a security layer (think TLS tunnel) is active."
* The <code>y</code> option prohibits anonymous logins.

Take note that this will only allow <code>LOGIN/PLAIN SMTP-AUTH</code> after encryption has been established in a TLS tunnel. Allowing both TLS and non-TLS <code>PLAIN/LOGIN SMTP-AUTH</code> is left as an exercise to the reader.

Read: http://www.sendmail.org/~ca/email/doc8.12/op-sh-5.html#sh-5.6 for more information.

The <code>define(`confCONNECTION_RATE_THROTTLE', `100')</code> and <code>define(`confMAX_DAEMON_CHILDREN',`1000')</code> are for my configuration and should be set to 50% higher than what your requirements are. If you don't understand what this does (sendmail forks); comment those two lines out with a <code>dnl#</code> before them like: <code>dnl# define (`confMAX_DAEMON_CHILDREN',`1000')</code>

None of my user's email clients use certificates; this tells sendmail not to ask for them for one: <code>define(`confTLS_SRV_OPTIONS', V')</code>

'''SLACKWARE USERS NOTE''' line 37:

<code>LOCAL CONFIG CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4 RSA: HIGH: MEDIUM:-LOW: SSLv3: TLSv1:-SSLv2: EXP: eNULL</code>

This disables using the older SSLv2 protocol and allows SSLv3 and TLSv1. You'll need some <code>openssl ciphers</code> and <code>perl</code>-fu to get this going with Slackware 12 as it's not compiled with <code>_FFR_TLS_1. STARTTLS</code>

Read [http://sial.org/howto/sendmail/cipherlist this for info] on setting it up in Slackware, it's trivial. Some older clients don't speak TLS and you may want to skip this.

'''7.''' Now:

<code>root@john:~# cd /usr/share/sendmail/cf/cf root@john:~# m4 sendmail-slackware-tls-sasl.mc > /etc/mail/sendmail.cf</code>

Also remember that the mc file should always end in a new line. So hit enter at the end of <code>sendmail-slackware-tls-sasl.mc</code> if m4 crashes with an <code>m4: INTERNAL ERROR: recursive push_string error</code>.

'''8.''' If the previous command gives no errors, you're done! Simply restart sendmail using <code>/etc/rc.d/rc.sendmail restart</code>

Now see what sendmail is saying by <code>tail -f /var/log/maillog</code>

You can increase log verbosity by adding: <code>-O LogLevel=16</code> to <code>/etc/rc.d/rc.sendmail</code>

'''9.''' Also: Add hosts for which you receive mail to <code>/etc/mail/local-host-names</code>

<code>root@john:~# cat /etc/mail/local-host-names</code>
<code> # names of hosts for which we receive email john.doe.org doe.org</code>

'''10.''' Make sure SASL is with you:

<code>root@john:~# cat /usr/lib/sasl2/Sendmail.conf</code>
 <code>pwcheck_method:saslauthd mech_list:login plain</code>

<code>root@john:~# testsaslauthd -u yourusername -p yourpassword</code>

If you see:

<code>0: OK! Success!</code>

Congratulations! SASL is now working.

If not, make sure saslauthd is running by: <code>/etc/rc.d/rc.saslauthd start</code>

'''11.''' Most errors are because of not following this HOWTO to the T.

Go over each step again and confirm you did everything right.

Sendmail TLS SASL SMTP-AUTH - Revision history

Erik: Copy from old