Lucas, I meant to send this earlier, and actually might have, so if this is a duplicate, my apologies. This is what I did to implement SMTPAUTH and STARTTLS in sendmail; I hope it helps.

--
Andrew Caird
[EMAIL PROTECTED]
215.728.4071
Email Administrator
Fox Chase Cancer Center
Enabling Secure Authenticated Relaying with sendmail
------------------------------------------------------

Andrew Caird
Fox Chase Cancer Center
December 2003

In support of off-site users of your mail system, you may want to allow them to use the corporate mail servers for sending and receiving email. However, sending email from outside of the corporate network to a recipient who is not part of your corporation is considered relaying, and having an open relay in these days of excessive spam will cause your mail servers to be abused and get you listed on black lists. This document explains how to configure sendmail to allow relaying for authenticated users.

The basic step is to use SMTP AUTH to authenticate the user. However, authentication implies some sort of login/password database. In order to support a wide array of authentication mechanisms, sendmail relies on Cyrus SASL (Simple Authentication and Security Layer). Essentially, sendmail off-loads the authentication to SASL, allowing it to deal with the wide variety of available mechanisms (CRAM-MD5, DIGEST-MD5, Kerberos 4 and 5, Windows NT LAN Manager (NTLM), PLAIN, and external (LDAP, SQL database, etc.)).

Because of the complexity of using CRAM, DIGEST, or Kerberos, we will choose PLAIN. However, this means that the password would be sent in clear text between the client and the server. Since, by design, this is for access from a potentially unfriendly network, we now need to secure that connection. Recent versions of sendmail support SSL/TLS using a mechanism called STARTTLS (RFC 2487) that allows for encrypting the SMTP transaction. sendmail also has the option to not accept clear-text passwords unless STARTTLS has been initiated.

Assuming you already have OpenSSL and OpenLDAP installed, the first step is to compile cyrus-sasl.
(If you don't have OpenSSL and OpenLDAP, compile and install them first; you can configure OpenLDAP without slapd or slurpd with the configure options --disable-slapd --disable-slurpd, and depending on what you are using OpenLDAP for, you might want --with-tls.)

The configuration options for cyrus-sasl are:

    configure --enable-krb4=no --enable-gssapi=no --with-openssl=/usr/local/openssl --enable-login --with-ldap=/usr/local/openldap

The '--enable-login' is required (even though, in general, it is not recommended) to support MS Outlook. From the Cyrus documentation:

    "The LOGIN mechanism (not to be confused with IMAP4's LOGIN command) is an undocumented, unsupported mechanism. It's included in the Cyrus SASL distribution for the sake of SMTP servers that might want to interoperate with old clients. Do not enable this mechanism unless you know you're going to need it. When enabled, it verifies passwords the same way the PLAIN mechanism does."

However, according to http://www.google.com/groups?selm=3E314FBD.CB0E4BF3%40oceana.com, Outlook doesn't support any "normal" SASL methods (only LOGIN and NTLM), so we need to enable LOGIN.

Once SASL is compiled, create a /usr/local/etc/saslauthd.conf file with the contents:

    ldap_servers: ldap://ldapmaster/ ldap://ldap/
    ldap_search_base: ou=People,o=Fox Chase Cancer Center,c=US

and start saslauthd with the "-a ldap" option (note that this is the same thing that is done for the IMAP server on pollux (cyrus.fccc.edu)).

The sendmail site.config.m4 looks like:

    APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER -DSASL -DSTARTTLS -DEGD')
    APPENDDEF(`confMAPDEF',`-DNEWDB')
    APPENDDEF(`conf_sendmail_LIBS', `-lsasl2 -lssl -lcrypto')
    APPENDDEF(`confINCDIRS', `-I/usr/local/include/sasl -I/usr/local/BerkeleyDB.4.1/include -I/usr/local/openssl/include/')
    APPENDDEF(`confLIBDIRS', `-L/usr/local/lib -L/usr/local/BerkeleyDB.4.1/lib -L/usr/local/openssl/lib')

which adds BerkeleyDB, SASL, and SSL/EGD.
With this configuration the sendmail binary will be linked with the SASL2 and OpenSSL libraries to support authentication and encryption, and will have support for the "egd:" source of entropy needed for SSL.

The sendmail .mc file has these lines added:

    TRUST_AUTH_MECH(`LOGIN PLAIN')
    define(`confAUTH_MECHANISMS', `LOGIN PLAIN')
    define(`confAUTH_OPTIONS', `A,p')

This adds support for SASL authentication, but not for TLS, although it relies heavily on the TLS lines below, because the 'p' in confAUTH_OPTIONS means that the 'LOGIN PLAIN' method isn't available unless you've first set up the TLS channel.

To test authentication, turn off the "p" option in AUTH_OPTIONS, then encode your login and password in Base64 (you can use ed64: http://www.sendmail.org/~ca/email/prgs/ed64.c). Next, follow the script below. If you see STARTTLS in the ehlo output, but not "AUTH LOGIN PLAIN", you probably forgot to turn off the "p". If you see neither, make sure you've followed the compilation instructions above and that you are running your new version of sendmail and sendmail.cf.

    helo% telnet challenger smtp
    Trying 131.249.2.64...
    Connected to challenger.fccc.edu.
    Escape character is '^]'.
    220 challenger.fccc.edu ESMTP Sendmail; Fri, 12 Dec 2003 16:14:04 -0500 (EST)
    ehlo helo
    250-challenger.fccc.edu Hello helo.fccc.edu [131.249.12.143], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH LOGIN PLAIN
    250-DELIVERBY
    250 HELP
    auth login
    334 VXNlcm5hbWU6
    YWnhjjjx
    334 UGFzc3dvcmQ6
    Nf7YqWjjjxx=
    235 2.0.0 OK Authenticated
    mail from: [EMAIL PROTECTED]
    250 2.1.0 [EMAIL PROTECTED] Sender ok
    rcpt to: [EMAIL PROTECTED]
    250 2.1.5 [EMAIL PROTECTED] Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    From: Andrew Caird <[EMAIL PROTECTED]>
    To: Andrew Caird <[EMAIL PROTECTED]>
    Subject: Test 1 of SMTP Auth against LDAP

    Test 1 of SMTP Auth against LDAP.
    .
    250 2.0.0 hBCLE49W001927 Message accepted for delivery
    quit
    221 2.0.0 challenger.fccc.edu closing connection
    Connection to challenger.fccc.edu closed by foreign host.
    helo%

This configuration allows relaying if you first authenticate - that is, once you authenticate, you can claim to be sending mail to and from anyone, and the relay checks are ignored.

When you get the test message, look in the header for a line that looks like:

    (authenticated bits=0)

This means that the sender was authenticated but that there were 0 bits of security (base64 encoding is not security); this is because you used either the LOGIN or PLAIN method to authenticate and there is no encryption with that. This is why we need to add the TLS component to this.

STARTTLS: Adding SSL/TLS to sendmail

In our tests, we pretend to be our own certificate authority (see http://hr.uoregon.edu/davidrl/lamp.html) and generate CA keys and host keys; normally, you'll get a real key/certificate pair (on challenger, the CA passphrase is "pass phrase" and the server passphrase is "challenger" for this test). Much like when implementing imaps, we need an unencrypted key, so run:

    openssl rsa -in server.key -out server_nopw.key

on the key and enter the password when prompted. Put the unencrypted key along with the server and CA certificates in /etc/mail/certs.

To add support for SSL to the cf file, add these lines to the .mc file:

    define(`confCACERT_PATH', `/etc/mail/certs')dnl
    define(`confCACERT', `/etc/mail/certs/ca.crt')dnl
    define(`confSERVER_CERT', `/etc/mail/certs/challenger.crt')dnl
    define(`confSERVER_KEY', `/etc/mail/certs/challenger.key')dnl unencrypted
    define(`confRAND_FILE', `egd:/var/run/egd-pool')dnl

We also need prngd to generate randomness for TLS on Solaris (other OSs may not need this). Install prngd, configure it to create /var/run/egd-pool, and start it - don't forget to add this to an init script if you are using this in production.
prngd can be obtained from http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

Generate a new sendmail.cf file using the options in the two blocks for the .mc file above (in addition to any other options you need for your server) and compile sendmail using the options in the site.config.m4 above. In our case, the complete .mc file looks like:

    divert(0)dnl
    VERSIONID(`$Id: generic-solaris.mc,v 8.13 2001/06/27 21:46:30 gshapiro Exp $')
    OSTYPE(solaris2)dnl
    DOMAIN(generic)dnl
    LOCAL_CONFIG
    define(`confPRIVACY_FLAGS',`goaway')dnl To match 8.12.6 setting.
    define(`confQUEUE_LA',8)dnl To match 8.12.6 setting.
    define(`confDELAY_LA',10)dnl To match 8.12.6 setting.
    define(`confCONNECTION_RATE_THROTTLE', 5)dnl To match 8.12.6 setting.
    define(`confSMTP_LOGIN_MSG',$j Sendmail; $b)dnl To match 8.12.6 setting.
    Cw fccc.edu mail-gw.fccc.edu
    dnl ------ Below this line is SMTPAUTH and STARTTLS configuration ---------
    TRUST_AUTH_MECH(`LOGIN PLAIN')
    define(`confAUTH_MECHANISMS', `LOGIN PLAIN')
    define(`confAUTH_OPTIONS', `A,p')
    define(`confCACERT_PATH', `/etc/mail/certs')dnl
    define(`confCACERT', `/etc/mail/certs/ca.crt')dnl
    define(`confSERVER_CERT', `/etc/mail/certs/challenger.crt')dnl
    define(`confSERVER_KEY', `/etc/mail/certs/challenger.key')dnl
    define(`confRAND_FILE', `egd:/var/run/egd-pool')dnl
    dnl ------ Above this line is SMTPAUTH and STARTTLS configuration ---------
    MAILER(local)dnl
    MAILER(smtp)dnl

When the .cf file and binary are installed, sendmail should start without errors. In the final configuration, if you connect to the smtp server by hand and type:

    ehlo client.fccc.edu

you should see STARTTLS but _not_ "AUTH LOGIN PLAIN", because until the TLS channel is established, those are not available. If you test without the "p" option, you will see both the STARTTLS and "AUTH LOGIN PLAIN" lines.
When you use the server with sendmail configured as described here, you will see two additional entries in the header line where the server name is:

    (authenticated bits=0)

which means that the user authenticated with 0 bits of security (DIGEST-MD5 offers 128 bits of security, Kerberos 4 and 5 offer 56 bits), meaning, essentially, that the authentication was plain-text; the second entry is:

    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)

which describes the TLS/SSL part of the transaction. In this case, the "verify=NO" means (if I understand correctly) that the client didn't present a certificate, which will rarely happen, but doesn't mean that the session isn't encrypted; it just means that the certificate-based operations (see http://www.sendmail.org/%7Eca/email/starttls.html) won't work - in our case, the combination of AUTH+TLS is the same as TLS with certificates on both sides.

On Fri, 16 Jan 2004, Lucas Albers wrote:

> I have been unsuccessful in configuring my sendmail server to support TTLS.
> If anyone could point (directly or via the mailing list, directly preferred
> I guess because it is off-topic) me in the direction of any good HOWTO's
> on configuring sendmail with TLS support, I would be much appreciative.
>
> --
> Luke Computer Science System Administrator
> Security Administrator, College of Engineering
> Montana State University-Bozeman, Montana
>
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> [EMAIL PROTECTED]
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>
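As an added example (not from Andrew's post, and not sendmail or Cyrus SASL code), a small POSIX shell script that checks captured EHLO output for the behaviour the 'p' option in confAUTH_OPTIONS should enforce (STARTTLS advertised, AUTH withheld until TLS is up) and produces the Base64 strings the AUTH LOGIN and AUTH PLAIN exchanges use. It assumes POSIX sh with the coreutils base64 utility; the EHLO samples and the user/pass credentials are constructed.

```shell
#!/bin/sh
# Added example (not from the post above, nor sendmail/SASL code).
# Assumes POSIX sh plus the coreutils 'base64' utility.

# Return 0 if captured EHLO output advertises extension $1 (e.g. STARTTLS,
# AUTH). $2 holds the server's 250- lines as one string.
ehlo_has() {
    printf '%s\n' "$2" | grep -Eiq "^250[- ]$1( |$)"
}

# The policy confAUTH_OPTIONS 'p' enforces: plaintext mechanisms (LOGIN,
# PLAIN) must not be offered until STARTTLS has been negotiated. Returns 0
# when the pre-TLS EHLO offers STARTTLS but no AUTH, 1 otherwise.
check_pretls_policy() {
    if ! ehlo_has STARTTLS "$1"; then
        echo "no STARTTLS offered: check confSERVER_CERT/confSERVER_KEY"
        return 1
    fi
    if ehlo_has AUTH "$1"; then
        echo "AUTH offered before STARTTLS: 'p' missing from confAUTH_OPTIONS"
        return 1
    fi
    echo "ok: AUTH withheld until STARTTLS"
}

# Decode a 334 challenge (the server's "Username:"/"Password:" prompts).
decode_challenge() { printf '%s' "$1" | base64 -d; }

# Responses to the two AUTH LOGIN challenges (user, then password), and the
# single AUTH PLAIN blob, which is base64 of "\0user\0password".
auth_login_responses() { printf '%s' "$1" | base64; printf '%s' "$2" | base64; }
auth_plain_blob() { printf '\0%s\0%s' "$1" "$2" | base64; }

# Constructed EHLO output as the final configuration should show it
# before STARTTLS: STARTTLS present, AUTH absent.
PRETLS_EHLO='250-challenger.fccc.edu Hello helo.fccc.edu, pleased to meet you
250-ENHANCEDSTATUSCODES
250-STARTTLS
250 HELP'
# Constructed EHLO output with the "p" option removed: AUTH in the clear.
NOP_EHLO='250-challenger.fccc.edu Hello helo.fccc.edu, pleased to meet you
250-STARTTLS
250-AUTH LOGIN PLAIN
250 HELP'

check_pretls_policy "$PRETLS_EHLO"
check_pretls_policy "$NOP_EHLO" || true
echo "334 challenge VXNlcm5hbWU6 decodes to: $(decode_challenge VXNlcm5hbWU6)"
```

Against a live server, feed check_pretls_policy the 250- lines captured from a plain telnet session; after STARTTLS (e.g. via openssl s_client -starttls smtp) the same EHLO should then show AUTH LOGIN PLAIN.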