Sendmail with AUTH
Copyright 2002, 2003 Oscar Miranda
OpenContent License (OPL)
How to configure Sendmail with AUTH and TLS support on Solaris 8
by oscar@osbsecurity.net
Requirements
============
Perl 5.x:
The perl package that comes installed by default with Solaris 8
works just fine.
Solaris 8 with /dev/random:
Install patch 112438-01 for /dev/random and /dev/urandom functionality needed for
OpenSSL.
Configuring OpenSSL 0.9.6d
==========================
Get the source from http://www.openssl.org/source/openssl-0.9.6d.tar.gz
I install the OpenSSL programs and libraries under /usr/local/ssl and the
OpenSSL configuration directory under /usr/local/openssl:
#./config --prefix=/usr/local/ssl --openssldir=/usr/local/openssl
Next you need to become your own CA. The following steps were taken directly
from "Lutz's very short course on being your own CA"
(http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/myownca.html).
Nice piece of work Doc!
In the steps below, $OPENSSL_HOME and $CERTS_HOME stand for:
OPENSSL_HOME=/usr/local/openssl
CERTS_HOME=/root/certs
First, become a Certificate Authority.
#cd $OPENSSL_HOME/ssl/misc
#perl CA.pl -newca
Next, self sign your site certificate without encrypting the server private key,
so that sendmail will start up without prompting for a passphrase. You will need
to edit the CA.pl you used earlier and add the -nodes option to the openssl req
commands run for -newcert and/or -newreq:
Original CA.pl:
==============================================================================
foreach (@ARGV) {
    if ( /^(-\?|-h|-help)$/ ) {
        print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
        exit 0;
    } elsif (/^-newcert$/) {
        # create a certificate
        system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
        $RET=$?;
        print "Certificate (and private key) is in newreq.pem\n"
    } elsif (/^-newreq$/) {
        # create a certificate request
        system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
        $RET=$?;
        print "Request (and private key) is in newreq.pem\n";
    } elsif (/^-newca$/) {
        # if explicitly asked for or it doesn't exist then setup the
        # directory structure that Eric likes to manage things
---------------------------------------------------------------------------------
Edited CA.pl (-nodes added, so the private key is written unencrypted):
foreach (@ARGV) {
    if ( /^(-\?|-h|-help)$/ ) {
        print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
        exit 0;
    } elsif (/^-newcert$/) {
        # create a certificate
        system ("$REQ -new -x509 -nodes -keyout newreq.pem -out newreq.pem $DAYS");
        $RET=$?;
        print "Certificate (and private key) is in newreq.pem\n"
    } elsif (/^-newreq$/) {
        # create a certificate request
        system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
        $RET=$?;
        print "Request (and private key) is in newreq.pem\n";
    } elsif (/^-newca$/) {
        # if explicitly asked for or it doesn't exist then setup the
        # directory structure that Eric likes to manage things
===================================================================================
Next, request a certificate for sendmail and sign it with your own CA:
#perl CA.pl -newreq
#perl CA.pl -sign
Copy the CA certificate in $OPENSSL_HOME/ssl/misc/demoCA/cacert.pem to
$CERTS_HOME and rename it to CAcert.pem:
#cp $OPENSSL_HOME/misc/demoCA/cacert.pem $CERTS_HOME/CAcert.pem
Copy your site certificate to $CERTS_HOME
#cp $OPENSSL_HOME/newcert.pem $CERTS_HOME/cert.pem
Copy the private key to $CERTS_HOME as host.key (newreq.pem holds both the
key and the certificate request):
#cp $OPENSSL_HOME/newreq.pem $CERTS_HOME/host.key
Edit out the certificate request portion of host.key, leaving only the
private key.
Set the permissions of $CERTS_HOME to 700, owned by root:
#chmod -R 700 $CERTS_HOME
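As an added example (not from this HOWTO), here is a small script that does the host.key step mechanically: it keeps only the private-key block of the newreq.pem written by CA.pl, refuses to produce a file in which the request block survived, and makes the result readable by root only. File names are assumptions, and the PEM content it runs on is constructed dummy text, not a real key.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: build host.key from the newreq.pem
# that "CA.pl -newreq" (with -nodes) writes, which holds key + request.

# Print only the PEM private-key block(s) from $1, dropping everything else
# (in particular the "CERTIFICATE REQUEST" block).
extract_key() {
    sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$1"
}

# make_host_key SRC DST: write the key-only file DST, readable by root only.
# Returns non-zero (and leaves no file) if no key block was found or a
# request block slipped through.
make_host_key() {
    src=$1; dst=$2
    ( umask 077; extract_key "$src" > "$dst" ) || return 1
    if [ ! -s "$dst" ] || grep -q 'CERTIFICATE REQUEST' "$dst"; then
        rm -f "$dst"
        return 1
    fi
    chmod 400 "$dst"
}

# Constructed stand-in for newreq.pem (dummy lines, not real key material).
write_sample_newreq() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTEDKEYDATA0000000000000000000000000000000000000000000000
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
CONSTRUCTEDREQDATA0000000000000000000000000000000000000000000000
-----END CERTIFICATE REQUEST-----
EOF
}

# Demo on the constructed input; for the real file you would run
# make_host_key newreq.pem "$CERTS_HOME/host.key"
tmp=$(mktemp -d) || exit 1
write_sample_newreq "$tmp/newreq.pem"
make_host_key "$tmp/newreq.pem" "$tmp/host.key" && cat "$tmp/host.key"
rm -rf "$tmp"
```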
Configuring SASL 1.5.26
=======================
Get the source for SASL 1.5.26 from
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/OLD-VERSIONS/sasl/cyrus-sasl-1.5.26.tar.gz
According to sendmail.org there’s a patch for SASL 2.x to work with
sendmail but I have not tried it yet, so I go with what I know.
I set the install directory to /usr/local/sasl with no Kerberos 4
or GSSAPI support
#./configure --prefix=/usr/local/sasl --disable-krb4 --disable-gssapi
Make sure that /usr/local/sasl and all of its subdirectories are not
group writable:
#chmod -R 744 /usr/local/sasl
Note that /usr and/or /usr/lib may be group writable, so you will
have to chmod them to 755 as well.
By default sendmail reads its SASL configuration from
/usr/lib/sasl/Sendmail.conf, so you need to make a symbolic link from
/usr/local/sasl/lib/sasl/ to /usr/lib/sasl:
#cd /usr/lib
#ln -s /usr/local/sasl/lib/sasl/ sasl
You need to tell SASL which authentication method you want to use;
in this case I use the system shadow password file. Also make sure that
the permissions on Sendmail.conf are set to mode 0400:
#cat > /usr/local/sasl/lib/sasl/Sendmail.conf
pwcheck_method: shadow
^D   (press Ctrl-D to end the input)
#chmod 400 /usr/local/sasl/lib/sasl/Sendmail.conf
Sendmail 8.12.5
===============
Get the source code for Sendmail 8.12.5 from
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.5.tar.Z
Unpack and untar the source
#zcat sendmail.8.12.5.tar.Z | tar xvf -
Using your favorite editor, create a file named `site.config.m4` under
$SENDMAIL_SOURCE_DIRECTORY/devtools/Site and add the following:
-------------------------------------------------------------
APPENDDEF(`confENVDEF', `-DSASL -DSTARTTLS -DHASURANDOMDEV ')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl -lssl -lcrypto')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib -L/usr/lib \
-L$SASL_INSTALL_DIRECTORY/lib -L$SSL_INSTALL_DIRECTORY/lib')
APPENDDEF(`confLIBDIRS', `-R/usr/local/lib -R/usr/lib \
-R$SASL_INSTALL_DIRECTORY/lib')
APPENDDEF(`confINCDIRS', `-I/usr/local/include \
-I $SASL_INSTALL_DIRECTORY/include -I $SSL_INSTALL_DIRECTORY/include/openssl')
-------------------------------------------------------------
Create a user and group named `smmsp` with the home directory
/var/spool/clientmqueue:
#mkdir /var/spool/clientmqueue
#chown smmsp:smmsp /var/spool/clientmqueue
#chmod 700 /var/spool/clientmqueue
Next compile sendmail
#$SENDMAIL_SOURCE_DIRECTORY/Build
Using your favorite editor, create a sendmail.mc macro file, which is
used to generate sendmail.cf:
#cd $SENDMAIL_SOURCE_DIRECTORY/cf/cf
#vi sendmail.mc
-------------------------------------------------------------
divert(0)dnl
VERSIONID(`@(#)solaris2 8.12.5 (SASL+SSL) 8/14/2002')
OSTYPE(solaris2)
TRUST_AUTH_MECH(`LOGIN PLAIN ANONYMOUS DIGEST-MD5 CRAM-MD5')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN ANONYMOUS DIGEST-MD5 CRAM-MD5')dnl
define(`DATABASE_MAP_TYPE', `dbm')
define(`confCACERT_PATH',`/your_path/certs')
define(`confCACERT',`/your_path/certs/CAcert.pem')
define(`confSERVER_CERT',`/your_path/certs/cert.pem')
define(`confSERVER_KEY',`/your_path/certs/host.key')
MASQUERADE_AS(your-domain.com)
MASQUERADE_DOMAIN(your-domain.com)
FEATURE(masquerade_envelope)
FEATURE(masquerade_entire_domain)
FEATURE(always_add_domain)
FEATURE(use_cw_file)
FEATURE(access_db)dnl needed for the Srv_Features entry in /etc/mail/access below
MAILER(local)
MAILER(smtp)
--------------------------------------------------------------
Compile your sendmail.mc and install it as /etc/mail/sendmail.cf (run from
the cf/cf directory). Note that every mechanism listed in TRUST_AUTH_MECH
lets a client that authenticates with it relay, and ANONYMOUS needs no
credentials, so drop it from that list on a server reachable from the Internet:
#./Build install-cf
List all the domains and hosts sendmail will accept mail for in
/etc/mail/local-host-names:
#vi /etc/mail/local-host-names
List all the domains and client networks that are allowed to relay mail in
/etc/mail/relay-domains:
#vi /etc/mail/relay-domains
Add the following entry to stop sendmail from requesting a client
certificate; otherwise you will receive an annoying message from your
mail client:
#echo "Srv_Features: V" > /etc/mail/access
Don't forget to build your map file:
#makemap dbm /etc/mail/access < /etc/mail/access
Create a stop and startup script in /etc/init.d/sendmail
#vi /etc/init.d/sendmail
------------------------------------------------------------------------
#!/bin/sh
version=`echo \$Z | /usr/lib/sendmail -bt -d0 | grep Version \
| awk '{print $2}'`
case "$1" in
start)
# Start daemons.
echo "Starting Sendmail $version"
# Enable the below line to set serious logging for trouble shooting
# /usr/lib/sendmail -O LogLevel=14 -L sm-mta -bd -q1h
/usr/lib/sendmail -L sm-mta -bd -q1h
/usr/lib/sendmail -L sm-msp-queue -Ac -q30m
;;
stop)
# Stop daemons.
echo "Shutting down Sendmail $version"
kill `cat /var/run/sendmail.pid | head -1`
kill `cat /var/spool/clientmqueue/sm-client.pid | head -1`
;;
*)
echo "Usage: sendmail {start|stop}"
exit 1
esac
exit 0
-----------------------------------------------------------------------------
Time to test your work by telnetting to port 25 and testing TLS:
#telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 candela.osbsecurity.net ESMTP Sendmail 8.12.5/8.12.5;
Thu, 15 Aug 2002 16:16:03 -0700 (PDT)
ehlo localhost
250-candela.osbsecurity.net Hello localhost [127.0.0.1],
pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
If you see AUTH PLAIN ANONYMOUS (SASL works) and STARTTLS (OpenSSL is working)
you are good to go! To test TLS just issue the STARTTLS command.
starttls
220 2.0.0 Ready to start TLS
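The EHLO check described above, as an added example that is not part of this HOWTO: a POSIX shell function that reads a captured EHLO reply (pasted from the telnet session) on stdin and reports whether STARTTLS and AUTH are advertised. It also flags PLAIN or LOGIN being offered before TLS, since those mechanisms send the password in the clear. The sample reply is constructed in the shape of the session above.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: check an EHLO reply for the two
# lines the telnet test looks for. Reads the reply on stdin.

# check_ehlo: prints STARTTLS=/AUTH=/cleartext_auth_before_tls= and returns 0
# only when both STARTTLS and AUTH are advertised. CRLF line ends are fine.
check_ehlo() {
    tls=no; auth=no; cleartext=no
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            250-STARTTLS*|"250 STARTTLS"*)
                tls=yes ;;
            250-AUTH\ *|"250 AUTH "*)
                auth=yes
                # PLAIN and LOGIN carry the password in the clear; on a plain
                # (pre-STARTTLS) connection they should not be on offer
                case "$line" in *PLAIN*|*LOGIN*) cleartext=yes ;; esac ;;
        esac
    done
    printf 'STARTTLS=%s AUTH=%s cleartext_auth_before_tls=%s\n' "$tls" "$auth" "$cleartext"
    [ "$tls" = yes ] && [ "$auth" = yes ]
}

# Constructed reply in the shape of the telnet session above.
sample_ehlo_reply() {
    printf '250-candela.osbsecurity.net Hello localhost [127.0.0.1], pleased to meet you\r\n'
    printf '250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n'
    printf '250-STARTTLS\r\n250-AUTH LOGIN PLAIN ANONYMOUS DIGEST-MD5 CRAM-MD5\r\n250 HELP\r\n'
}

sample_ehlo_reply | check_ehlo
# prints: STARTTLS=yes AUTH=yes cleartext_auth_before_tls=yes
```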
If you run into problems, enable level 14 logging when starting
sendmail and take a look at /var/log/syslog for error messages:
#/usr/lib/sendmail -O LogLevel=14 -L sm-mta -bd -q1h
#tail /var/log/messages
Aug 15 16:17:54 candela sm-mta[5334]: [ID 702911 mail.warning]
error: safesasl(/etc/sasldb.dir) failed: No such file or directory
Aug 15 16:17:54 candela sm-mta[5335]: [ID 702911 mail.info]
starting daemon (8.12.5): SMTP+queueing@01:00:00
Aug 15 16:17:54 candela sm-msp-queue[5338]: [ID 702911 mail.info]
starting daemon (8.12.5): queueing@00:30:00
Aug 15 16:17:54 candela sm-mta[5335]: [ID 702911 mail.info]
STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
Aug 15 16:17:54 candela sm-mta[5335]: [ID 702911 mail.info]
STARTTLS=server, init=1
Aug 15 16:17:54 candela sm-mta[5335]: [ID 702911 mail.info] started
as: /usr/lib/sendmail -O LogLevel=14 -L sm-mta -bd -q1h