I'd love to take credit for this but I can't. We installed an SMEv5.12 box for a friend who had a need for secure email. I prevailed upon him to document the process and here's what we got. Hope it helps someone. BTW, he had this running on the first day he got the box :>
-jeff

-----------------

MAIL SERVER SETUP

In the modern Internet, users regularly need to view their email with reasonable assurance that it isn't being shared with interlopers along the way. For this reason, email needs to be encrypted as it is transmitted to the user's mail client. In the same Internet, service providers need to ensure that the only people sending email through their servers are legitimate users of the service. For this reason, outgoing email needs to be authenticated.

ENCRYPTED IMAP / POP3

Post Office Protocol and Internet Message Access Protocol exist as means to allow mail user agents (MUAs, or mail clients) to retrieve electronic mail from a mail server (MHS, or Mail Hosting System). By themselves these protocols provide no encryption, and only rudimentary plain-text transmission of the username and password. Fortunately they can be tunneled through a secure connection such as SSL (Secure Sockets Layer). In this specific example, the system tunnels POP3 and IMAP via OpenSSL on an E-Smith 5.12 server.

The primary resource used is Tim Larson's HOWTO at http://kepler.covenant.edu/~talarson/ssl/SSL-Email-HOWTO-2.html

The step by step instructions:

1. Build MAKE
   a. Download a current i386 make from a source like
      ftp://ftp.rpmfind.net/linux/redhat/7.2/en/os/i386/RedHat/RPMS/make-3.79.1-8.i386.rpm
   b. Install the software via: rpm -Uvh make-3.79.1-8.i386.rpm
2. Create the RSA key as per Tim Larson, section 2.1
3. Create the custom template for /etc/services as per section 2.2
4. Create the custom template for /etc/hosts.allow as per section 2.3
   a. Follow Tim's instructions
   b. Add an entry for tcp_env : ALL (for using qmail through daemontools)
5. Modify the firewall rules as per section 2.4
6. Rebuild the configuration as per section 2.5
7. Restart the firewall as per section 2.6
8. Modify the configuration to start the tunnel daemons
   a. Edit /etc/rc.d/rc.local and add the lines from section 2.7
   b. Execute those lines manually

You are now done!

SMTP AUTH

SMTP Authentication is a method by which the MUA provides to the mail server (MTA, or Mail Transfer Agent) proof that the MUA is authorized to send mail through it. The MUA does so by supplying a username and password, showing that the client is an authorized user.

The primary resource used is Mr. Brush at http://members.elysium.pl/brush/qmail-smtpd-auth/

The step by step instructions:

1. Download the patch and the related pieces
   a. The patch: http://members.elysium.pl/brush/qmail-smtpd-auth/dist/qmail-smtpd-auth-0.26.tar.gz
   b. cmd5checkpw (MD5 checkpassword): http://members.elysium.pl/brush/cmd5checkpw/dist/cmd5checkpw-0.22.tar.gz
2. The patch will need to modify the source, so get the qmail source: http://cr.yp.to/software/qmail-1.03.tar.gz
3. The source will need to be compiled, so get the compiler and its pieces from the directory at ftp://ftp.redhat.com/pub/redhat/linux/7.0/en/os/i386/RedHat/RPMS/
   a. The compiler itself: gcc-2.96-98.i386.rpm
   b. C preprocessor: cpp-2.96-98.i386.rpm
   c. C development libraries: glibc-devel-2.2.4-13.i386.rpm
   d. Binary building utilities: binutils-2.11.90.0.8-9.i386.rpm
   e. Kernel headers: kernel-headers-2.4.0-0.26.i386.rpm
4. Build the compiler by doing rpm -Uvh on those RPMs.
5. Unpack the qmail source. Use the file UPGRADE for instructions.
   a. (note: use /etc/init.d/qmail stop and /etc/init.d/qmail start)
6. Unpack the qmail auth patch.
   a. Do: gunzip the file
   b. Do: tar -xvf the file
   c. Note the name of the patch (qmail-smtpd.patch)
   d. cd to the source directory of qmail
   e. Type in: patch < location/of/patch/qmail-smtpd.patch
7. Do another build.
   a. make setup check
   b. Restart the qmail processes
8. Follow the instructions at http://members.elysium.pl/brush/cmd5checkpw/ to build it
9. Unfortunately /bin/checkpassword wants to be owned by root and setuid to work. (If you don't do this, you'll get a "421 out of memory" error from the SMTP server.)
   a. chown root /bin/checkpassword
   b. chmod 4755 /bin/checkpassword
   c. chmod a+s /bin/checkpassword
10. Qmail comes with instructions for inetd. E-smith uses xinetd. To make the entries:
   a. Create /etc/e-smith/templates-custom/etc/xinetd.conf/
   b. Do: cp /etc/e-smith/templates/etc/xinetd.conf/60smtp /etc/e-smith/templates-custom/etc/xinetd.conf
   c. Edit the middle section of the latter to look like:

        $OUT .= "service smtp\n";
        $OUT .= "{\n";
        $OUT .= "    socket_type = stream\n";
        $OUT .= "    wait        = no\n";
        $OUT .= "    user        = qmaild\n";
        $OUT .= "    server      = /var/qmail/bin/tcp-env\n";
        $OUT .= "    server_args = /var/qmail/bin/qmail-smtpd /bin/checkpassword /bin/true /bin/true /bin/true\n";

   d. Restart xinetd.
   e. You're done.

Jeff Coleman
Resource Strategies, Inc. - "The Intelligent Use of Technology"
http://www.rstrat.com
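The SMTP AUTH machinery from the section above, as an added example that is not part of the original post nor code from qmail or cmd5checkpw: it decodes a client's AUTH token (shown for AUTH PLAIN) and then drives a checkpassword-style program over descriptor 3 the way the patched qmail-smtpd does. The stand-in checker script, its one-entry user table and the use of /bin/true as the subprogram are constructions for the demo; a real server would run /bin/checkpassword.

```python
"""Added example (not code from the post, qmail or cmd5checkpw): the patched
qmail-smtpd decodes the client's AUTH token, then hands "user\\0password\\0
timestamp\\0" to a checkpassword program on its descriptor 3; exit 0 = accepted,
1 = rejected, 111 = temporary failure; on success the checker execs its argument
program (/bin/true in the post's xinetd line). The stand-in checker is constructed."""
import base64, os, subprocess, sys, tempfile, textwrap

def decode_auth_plain(token):
    """RFC 4616 AUTH PLAIN: base64(authzid NUL authcid NUL password) -> (user, password)."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN token")
    return parts[1].decode(), parts[2].decode()

# Constructed stand-in for /bin/checkpassword: a Python script with the same interface.
STANDIN_CHECKER = textwrap.dedent('''\
    import os, sys
    USERS = {"alice": "s3cret"}              # constructed user table
    data = b""
    while chunk := os.read(3, 512):          # read descriptor 3 to EOF
        data += chunk
    fields = data.split(b"\\0")
    if len(fields) < 3: sys.exit(2)          # malformed input
    if USERS.get(fields[0].decode()) != fields[1].decode(): sys.exit(1)
    os.execv(sys.argv[1], sys.argv[1:])      # accepted: run the subprogram
''')

def run_checkpassword(checker_argv, user, password, timestamp=b""):
    """Drive a checkpassword-style program as qmail-smtpd does; `3<&0` gives it
    our stdin pipe as descriptor 3 (the classic way to test such binaries by hand)."""
    payload = user.encode() + b"\0" + password.encode() + b"\0" + timestamp + b"\0"
    cmd = ["sh", "-c", 'exec "$@" 3<&0', "sh", *checker_argv, "/bin/true"]
    return subprocess.run(cmd, input=payload, capture_output=True).returncode

def authenticate_plain(token, checker_argv):
    """One AUTH PLAIN attempt: 235 accepted, 535 rejected, 501 undecodable token."""
    try:
        user, password = decode_auth_plain(token)
    except (ValueError, UnicodeDecodeError):
        return 501
    return 235 if run_checkpassword(checker_argv, user, password) == 0 else 535

def demo():
    """A good and a bad login through the stand-in checker; returns (235, 535)."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write(STANDIN_CHECKER)
    checker = [sys.executable, f.name]
    good = base64.b64encode(b"\0alice\0s3cret").decode()
    bad = base64.b64encode(b"\0alice\0wrong").decode()
    results = authenticate_plain(good, checker), authenticate_plain(bad, checker)
    os.unlink(f.name)
    return results
```

The same `3<&0` trick works at a shell prompt against the real binary, which is how to confirm step 9 took effect before restarting xinetd.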
