Date: Thu, 13 Mar 2008 07:10:31 -0500
From: Doug Poland <doug@polands.org>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: Doug Poland <doug@polands.org>, questions@freebsd.org, Derek Ragona <derek@computinginnovations.com>
Subject: Re: Best practice: sendmail and SMTP auth
Message-ID: <20080313121031.GA35591@polands.org>
In-Reply-To: <47D886AF.1010207@infracaninophile.co.uk>
References: <9587.208.49.58.254.1205349581.squirrel@email.polands.org> <6.0.0.22.2.20080312190519.0255f878@mail.computinginnovations.com> <47D886AF.1010207@infracaninophile.co.uk>
On Thu, Mar 13, 2008 at 01:43:11AM +0000, Matthew Seaman wrote:
> Derek Ragona wrote:
> >At 02:19 PM 3/12/2008, Doug Poland wrote:
> >>Hello,
> >>
> >>Not sure if this is the most appropriate place for this question,
> >>but since all my servers are FreeBSD 6.x/7.x, I'll give it a go...
> >>
> >>I am considering setting up SMTP auth on a number of sendmail
> >>instances that I control. After much googling and reading, it is
> >>not clear to me that a server with SMTP auth configured/enabled can
> >>relay mail in both auth and non-auth modes.
> >>
> >>If one sendmail configuration cannot accommodate both SMTP auth and
> >>access.db, does one set up a dedicated SMTP auth host with a
> >>SMART_HOST option and feed incoming email to a non-auth instance of
> >>sendmail?
> >>
> >>Sorry if my terminology is ambiguous, I'm not a sendmail
> >>professional by day.
>
> >You can set up sendmail to do both auth and non-auth. However, best
> >practice is to use auth only to control any spam relaying. Check the
> >sendmail.org website FAQs for setting this up. You will probably
> >want to use the cyrus-sasl or cyrus-sasl2 ports along with sendmail.
>
> A good solution to this is to use port 587 for authenticated new mail
> submission and leave port 25 for the normal MTA-MTA type of (not
> authenticated) traffic. Firstly, to enable authentication you need to
> compile sendmail against cyrus SASL2 (don't bother with SASL1 -- it's
> legacy only). Now, you can either do that by installing sendmail from
> ports, or you can install the cyrus-sasl port and then make the base
> system sendmail link against it by adding this to /etc/make.conf:
>
> SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
> SENDMAIL_LDFLAGS+= -L/usr/local/lib
> SENDMAIL_LDADD+= -lsasl2
>
> I also like to use these two so that any milters etc. I build from
> ports interoperate with the base system sendmail.
>
> SENDMAIL_MILTER_IN_BASE= yes
> WITH_SENDMAIL_BASE= yes
>
> In order to do SMTP AUTH most effectively, you should enable STARTSSL
> support -- I always feel better knowing that passwords are sent over an
> encrypted connection. This is a guide to what you need in your
> $(hostname).mc to add STARTSSL with AUTH /required/ on mail submitted
> via port 587, but not provided on port 25:
>
> first: turn off the default MSA setup, which we'll provide our own
> settings for later:
>
> FEATURE(no_default_msa)dnl ## overridden with DAEMON_OPTIONS below
>
> [...]
>
> second: basic configuration for SMTP AUTH -- what mechanisms are
> supported. Note that LOGIN should only ever be allowed over encrypted
> connections as it sends passwords in plain text. You can also
> authenticate by using SSL certificates, but that is handled directly by
> sendmail and you don't need to list EXTERNAL as a SASL mechanism.
>
> dnl ## Set SASL options
> TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confAUTH_REALM', `your.domain.name')dnl
> define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
>
> [...]
>
> thirdly: insert the IP numbers of your servers into the following
> rules -- if you don't use IPv6 you can omit the lines for the external
> address, but you'll find things seem to work rather more smoothly if you
> keep the ::1 entries.
>
> The M=E flag says 'disable ETRN' and the M=Ea flag says 'require
> authentication (and disable ETRN)'. M=A means 'don't offer
> authentication here'. Note that I'm only requiring authentication on
> the external interfaces, so I implicitly trust myself
> to submit e-mails via localhost:587 without it. Your requirements may
> differ. See
> http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html
> for an explanation of the capabilities of DAEMON_OPTIONS:
>
> dnl
> dnl Where the sendmail daemon should listen
> dnl
> DAEMON_OPTIONS(`Name=IPv4, Addr=12.34.56.78, M=A, Family=inet')dnl
> DAEMON_OPTIONS(`Name=IPv4, Addr=127.0.0.1, M=A, Family=inet')dnl
> DAEMON_OPTIONS(`Name=IPv6, Addr=::1, M=A, Family=inet6')dnl
> DAEMON_OPTIONS(`Name=IPv6, Addr=2000:aa:bb:cc::1, M=A, Family=inet6')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=12.34.56.78, Port=587, M=Ea')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=127.0.0.1, Port=587, M=E')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=2000:aa:bb:cc::1, Port=587, M=Ea,
> Family=inet6')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=::1, Port=587, M=E, Family=inet6')dnl
>
> fourthly: enable SSL capabilities in sendmail. See
> http://aput.net/~jheiss/sendmail/tlsandrelay.shtml for a good article
> on configuring this stuff (although ignore the section on compiling
> sendmail: you get that automatically built into the base system
> sendmail already).
>
> dnl
> dnl TLS stuff
> dnl
> define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
> define(`confCACERT_PATH', `CERT_DIR')dnl
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
>
> fifthly: there is no fifthly -- you're done. Build a sendmail.cf and
> test that it all works.
>
> Cheers,
> Matthew
>
Thank you very much for that comprehensive explanation.

-- 
Regards,
Doug
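The "test that it all works" step above deserves more than sending one message. The listener policy Matthew's DAEMON_OPTIONS encode (no AUTH on port 25 via M=A; on port 587 STARTTLS offered, ETRN disabled via M=E, authentication required via M=Ea, and LOGIN never offered before the session is encrypted) can be verified from the EHLO replies alone. The following is an added example written for this page, not code from the thread, from FreeBSD or from sendmail: `check_policy()` evaluates an EHLO reply offline, and `probe()` runs the same checks against a live host before and after STARTTLS. The host names, addresses and sample EHLO replies are constructed, not captured from any real server.

```python
"""Check that sendmail listeners advertise SMTP AUTH the way the post's
DAEMON_OPTIONS intend.  Added example, not code from the thread or from sendmail.

  port 25  (M=A)  : no AUTH advertised at all
  port 587 (M=Ea) : STARTTLS offered, ETRN off, AUTH present, and the
                    cleartext LOGIN/PLAIN mechanisms never listed before TLS

check_policy() works offline on EHLO replies; probe() talks to a live host.
Host names, addresses and the sample replies below are constructed.
"""
import smtplib
import ssl

# Mechanisms that carry the password in (trivially decoded) cleartext.
CLEARTEXT_MECHS = frozenset({"LOGIN", "PLAIN"})


def parse_ehlo(reply):
    """Turn a raw multi-line EHLO reply into {KEYWORD: [PARAM, ...]}.

    Accepts wire form ("250-AUTH DIGEST-MD5 LOGIN") or bare keyword lines;
    the first line is the greeting and is skipped.
    """
    caps = {}
    for line in reply.strip().splitlines()[1:]:
        line = line.strip()
        if len(line) >= 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]          # drop the "250-" / "250 " prefix
        if not line:
            continue
        keyword, *params = line.split()
        caps[keyword.upper()] = [p.upper() for p in params]
    return caps


def check_policy(caps, role, tls_active):
    """Return policy violations for one listener (empty list == OK).

    role is "mta" (the port-25 listener) or "msa" (port 587);
    tls_active says whether STARTTLS has already been negotiated.
    """
    findings = []
    auth = caps.get("AUTH")
    if role == "mta":
        if auth is not None:
            findings.append("port 25 listener (M=A) advertises AUTH: " + " ".join(auth))
        return findings
    if role != "msa":
        raise ValueError("role must be 'mta' or 'msa'")
    if "ETRN" in caps:
        findings.append("MSA (M=E) still advertises ETRN")
    if not tls_active:
        if "STARTTLS" not in caps:
            findings.append("MSA does not offer STARTTLS, so AUTH would run in the clear")
        leaked = CLEARTEXT_MECHS.intersection(auth or [])
        if leaked:
            findings.append("cleartext mechanisms offered before STARTTLS: " + " ".join(sorted(leaked)))
    elif not auth:
        findings.append("MSA offers no AUTH mechanisms after STARTTLS")
    return findings


def _caps_from(smtp):
    """smtplib stores EHLO keywords lower-cased in esmtp_features."""
    return {k.upper(): v.upper().split() for k, v in smtp.esmtp_features.items()}


def probe(host, port, role, context=None, timeout=10):
    """Apply check_policy() to a live listener, before and (MSA) after STARTTLS.

    Pass an ssl.SSLContext that trusts your own CA when the server certificate
    is self-signed, as in the post's certs/ directory setup.
    """
    context = context or ssl.create_default_context()
    findings = []
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        findings += check_policy(_caps_from(smtp), role, tls_active=False)
        if role == "msa" and smtp.has_extn("starttls"):
            smtp.starttls(context=context)
            smtp.ehlo()              # capabilities must be re-read after STARTTLS
            findings += check_policy(_caps_from(smtp), role, tls_active=True)
    return findings


# Constructed EHLO replies modelling the post's listeners (not real captures).
GREETING = "250-mail.example.org Hello client.example.net [192.0.2.10], pleased to meet you\n"
EHLO_PORT25 = GREETING + "250-8BITMIME\n250-ETRN\n250-STARTTLS\n250 HELP"
EHLO_MSA_CLEAR = GREETING + "250-8BITMIME\n250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5\n250-STARTTLS\n250 HELP"
EHLO_MSA_TLS = GREETING + "250-8BITMIME\n250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN\n250 HELP"
# A misconfigured MSA: ETRN still on, no STARTTLS, LOGIN/PLAIN in the clear.
EHLO_MSA_BAD = GREETING + "250-ETRN\n250-AUTH LOGIN PLAIN DIGEST-MD5\n250 HELP"

if __name__ == "__main__":
    for name, reply, role, tls in [("port 25", EHLO_PORT25, "mta", False),
                                   ("587 before TLS", EHLO_MSA_CLEAR, "msa", False),
                                   ("587 after TLS", EHLO_MSA_TLS, "msa", True),
                                   ("587 misconfigured", EHLO_MSA_BAD, "msa", False)]:
        print(name + ":", check_policy(parse_ehlo(reply), role, tls) or "OK")
    # Live check against an assumed host name: probe("mail.example.org", 587, "msa")
```

Run `probe(host, 25, "mta")` and `probe(host, 587, "msa")` from a machine outside the trusted interfaces, since the post deliberately leaves localhost:587 at M=E rather than M=Ea. If the port-587 listener lists LOGIN before STARTTLS, the M=A/M=Ea flags are not the knob to reach for: they only decide whether AUTH is offered or required. What withholds mechanisms that are susceptible to passive attack until a security layer is active is the `p` flag in sendmail's AuthOptions, i.e. define(`confAUTH_OPTIONS', `p')dnl in the .mc file.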