Date: Thu, 13 Mar 2008 01:43:11 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Derek Ragona <derek@computinginnovations.com>
Cc: Doug Poland <doug@polands.org>, questions@freebsd.org
Subject: Re: Best practice: sendmail and SMTP auth
Message-ID: <47D886AF.1010207@infracaninophile.co.uk>
In-Reply-To: <6.0.0.22.2.20080312190519.0255f878@mail.computinginnovations.com>
References: <9587.208.49.58.254.1205349581.squirrel@email.polands.org> <6.0.0.22.2.20080312190519.0255f878@mail.computinginnovations.com>
Derek Ragona wrote:
> At 02:19 PM 3/12/2008, Doug Poland wrote:
>> Hello,
>>
>> Not sure if this is the most appropriate place for this question, but
>> since all my servers are FreeBSD 6.x/7.x, I'll give it a go...
>>
>> I am considering setting up SMTP auth on a number of sendmail
>> instances that I control. After much googling and reading, it is not
>> clear to me that a server with SMTP auth configured/enabled can relay
>> mail in both auth and non-auth modes.
>>
>> If one sendmail configuration cannot accommodate both SMTP auth and
>> access.db, does one set up a dedicated SMTP auth host with a SMART_HOST
>> option and feed incoming email to a non-auth instance of sendmail?
>>
>> Sorry if my terminology is ambiguous, I'm not a sendmail professional
>> by day.
> You can set up sendmail to do both auth and non-auth. However best
> practice is to use auth only to control any spam relaying. Check the
> sendmail.org website FAQs for setting this up. You will want to
> probably use cyrus-sasl or cyrus-sasl2 ports along with sendmail.

A good solution to this is to use port 587 for authenticated new mail
submission and leave port 25 for the normal MTA-MTA type of (not
authenticated) traffic.

Firstly, to enable authentication you need to compile sendmail against
cyrus SASL2 (don't bother with SASL1 -- it's legacy only). Now, you can
either do that by installing sendmail from ports, or you can install the
cyrus-sasl port and then make the base system sendmail link against it by
adding this to /etc/make.conf:

SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+= -L/usr/local/lib
SENDMAIL_LDADD+= -lsasl2

I also like to use these two so that any milters etc. I build from ports
interoperate with the base system sendmail.

SENDMAIL_MILTER_IN_BASE= yes
WITH_SENDMAIL_BASE= yes

In order to do SMTP AUTH most effectively, you should enable STARTTLS
support -- I always feel better knowing that passwords are sent over an
encrypted connection.

This is a guide to what you need in your $(hostname).mc to add STARTTLS
with AUTH /required/ on mail submitted via port 587, but not provided on
port 25:

first: turn off the default MSA setup, which we'll provide our own
settings for later:

FEATURE(no_default_msa)dnl ## overridden with DAEMON_OPTIONS below

[...]

second: basic configuration for SMTP AUTH -- what mechanisms are supported.
Note that LOGIN should only ever be allowed over encrypted connections as
it sends passwords in plain text. You can also authenticate by using SSL
certificates but that is handled directly by sendmail and you don't need to
list EXTERNAL as a SASL mechanism.

dnl ## Set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_REALM', `your.domain.name')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl

[...]

thirdly: insert the IP numbers of your servers into the following rules --
if you don't use IPv6 you can omit the lines for the external address, but
you'll find things seem to work rather more smoothly if you keep the ::1
entries. The M=E flag says 'disable ETRN' and the M=Ea flag says 'require
authentication (and disable ETRN)'. M=A means 'don't offer authentication
here'. Note that I'm only requiring authentication on the external
interfaces so I implicitly trust myself to submit e-mails via localhost:587
without it. Your requirements may differ.

See http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html
for an explanation of the capabilities of DAEMON_OPTIONS:

dnl
dnl Where the sendmail daemon should listen
dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=12.34.56.78, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=127.0.0.1, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv6, Addr=::1, M=A, Family=inet6')dnl
DAEMON_OPTIONS(`Name=IPv6, Addr=2000:aa:bb:cc::1, M=A, Family=inet6')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=12.34.56.78, Port=587, M=Ea')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=127.0.0.1, Port=587, M=E')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=2000:aa:bb:cc::1, Port=587, M=Ea, Family=inet6')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=::1, Port=587, M=E, Family=inet6')dnl

fourthly: enable SSL capabilities in sendmail. See
http://aput.net/~jheiss/sendmail/tlsandrelay.shtml for a good article on
configuring this stuff (although ignore the section on compiling sendmail:
you get that automatically built into the base system sendmail already)

dnl
dnl TLS stuff
dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

fifthly: there is no fifthly -- you're done. Build a sendmail.cf and test
that it all works.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
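An added check, not part of Matthew's mail: once the sendmail.cf above is built, the policy it is meant to enforce can be verified from the EHLO replies each port gives. This POSIX sh function encodes that policy (no AUTH on port 25; STARTTLS and AUTH on port 587, with LOGIN withheld until TLS is up) and is run here against constructed sample replies; the host name and address in them are made up.

```shell
#!/bin/sh
# Added example, not from the original mail: check an EHLO response against the
# policy above. Port 25 (M=A) must not advertise AUTH; port 587 (M=Ea) must
# advertise STARTTLS and AUTH, and must not list LOGIN before TLS is negotiated.

# Constructed sample replies to "EHLO client" (host and address are made up).
EHLO_25='250-mail.example.com Hello client [192.0.2.10], pleased to meet you
250-PIPELINING
250-STARTTLS
250 HELP'

EHLO_587_PRE_TLS='250-mail.example.com Hello client [192.0.2.10], pleased to meet you
250-STARTTLS
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250 HELP'

EHLO_587_POST_TLS='250-mail.example.com Hello client [192.0.2.10], pleased to meet you
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250 HELP'

EHLO_587_BAD='250-mail.example.com Hello client [192.0.2.10], pleased to meet you
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250 HELP'

# check_policy PORT "EHLO text" TLS_ACTIVE(0|1): returns 0 if the reply matches
# the policy for that port, 1 if it does not, 2 for a port this script ignores.
check_policy() {
    port=$1; tls=${3:-0}
    ehlo=$(printf '%s\n' "$2" | tr -d '\r')                # tolerate CRLF captures
    auth=$(printf '%s\n' "$ehlo" | sed -n 's/^250[- ]AUTH //p')
    case $port in
    25)
        # MTA-MTA port: authentication must not be offered at all (M=A)
        [ -z "$auth" ]
        ;;
    587)
        if [ "$tls" = 0 ]; then
            # before STARTTLS: TLS must be on offer and LOGIN (clear-text
            # password) must not be
            printf '%s\n' "$ehlo" | grep -q '^250[- ]STARTTLS$' || return 1
            case " $auth " in *" LOGIN "*) return 1 ;; esac
        fi
        # MSA port: some AUTH mechanism must be offered (M=Ea)
        [ -n "$auth" ]
        ;;
    *)  return 2 ;;
    esac
}
```

Against a real server, paste the 250 lines from a plain `EHLO` over `nc host 25` or `nc host 587` as the second argument with the third set to 0, and the reply to an `EHLO` typed after `openssl s_client -starttls smtp -connect host:587` completes its handshake with the third set to 1. Note that sendmail lists LOGIN on unencrypted connections too unless confAUTH_OPTIONS contains the `p` flag, which withholds clear-text mechanisms until a security layer is active; that flag is what the pre-TLS check assumes.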