Enabling SMTP-AUTH for Sendmail on Debian Linux 3.1
Introduction
SMTP Authentication (SMTP-AUTH) is a feature that allows one to run an SMTP server that can be used by authorized parties on the internet. The idea is to allow only authenticated users to use the SMTP server as a relay. Users that have not authenticated themselves may only use the SMTP server to deliver mail to domains managed by that SMTP server; they cannot use it to relay to other domains.
This document describes how to enable SMTP-AUTH with Sendmail on Debian 3.1.
SMTP Authentication uses SASL and TLS. Debian comes with a version of sendmail that has TLS and SASL support. It also comes with SASLv2. One would naturally expect that since all the pieces are there, it should work right out of the box. Well, it doesn't. The reason is that there are SASL plugins that are missing from Debian 3.1.
Pre-requisites
There are a few packages that are required for this:
1. sendmail
2. sendmail-base
3. sendmail-bin
4. sendmail-cf
5. sendmail-doc
6. sasl2-bin
7. libsasl2-modules
8. libssl-0.9.7
9. openssl
Configure SASL for sendmail
echo "pwcheck_method: saslauthd" > /usr/lib/sasl2/Sendmail.conf
echo "mech_list: EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN" >> /usr/lib/sasl2/Sendmail.conf
mkdir -p /var/run/saslauthd
Create the OpenSSL certificates
mkdir -p /etc/mail/certs
cd /etc/mail/certs
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365
: Enter a passphrase for the CA private key (cakey.pem).
: Enter your Country Name (e.g., "DE").
: Enter your State or Province Name.
: Enter your City.
: Enter your Organization Name (e.g., the name of your company).
: Enter your Organizational Unit Name (e.g., "IT Department").
: Enter the Fully Qualified Domain Name of the system (e.g., "server1.example.com").
: Enter your Email Address.
openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 365
: Enter your Country Name (e.g., "DE").
: Enter your State or Province Name.
: Enter your City.
: Enter your Organization Name (e.g., the name of your company).
: Enter your Organizational Unit Name (e.g., "IT Department").
: Enter the Fully Qualified Domain Name of the system (e.g., "server1.example.com").
: Enter your Email Address.
openssl x509 -noout -text -in sendmail.pem
chmod 600 ./sendmail.pem
Configure Sendmail
1. Create the SASL sendmail configuration file
mkdir -p /etc/mail/sasl (if it doesn't already exist)
Create /etc/mail/sasl/sasl.m4 with the following contents:
dnl ### do SMTPAUTH
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
2. Configure the TLS settings for Sendmail
Edit /etc/mail/tls/starttls.m4.
Look in the file for the following settings and change them as follows:
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/sendmail.pem')dnl
3. Configure the main sendmail config file
Edit /etc/mail/sendmail.mc.
Ensure that the following lines are in the file (after the first include):
include(`/etc/mail/tls/starttls.m4')dnl
include(`/etc/mail/sasl/sasl.m4')dnl
4. Rebuild the sendmail configuration
cd /etc/mail
make
5. Restart sendmail.
/etc/init.d/sendmail reload
SMTP-AUTH test
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Sendmail 8.13.4/8.13.4/Debian-3; Thu, 23 Feb 2006 11:33:14 -0500; (No UCE/UBE) logging access from: localhost(OK)-root@localhost 127.0.0.1
ehlo localhost
250-localhost Hello root@localhost 127.0.0.1, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
If you see the 250-AUTH line, SMTP-AUTH is enabled. Note that in this transcript the server advertises AUTH LOGIN PLAIN on the unencrypted connection, before STARTTLS has been issued; LOGIN and PLAIN transmit the password in the clear (base64 only), so clients must issue STARTTLS before authenticating with these mechanisms, and the server's log should be checked for plaintext AUTH attempts.
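The check above can be automated. The following Python script is an added example, not code from the original tutorial or from the howto it references. It parses an EHLO reply into the extensions the server advertises, reports whether the 250-AUTH line is present, which mechanisms it lists and whether STARTTLS is offered, and flags the PLAIN/LOGIN mechanisms that are being offered before any TLS session exists. The embedded transcript is constructed from the server lines of the telnet session above; the function names, and the probe() helper with its host and port parameters, are this example's own choices.

```python
"""Check what an SMTP server's EHLO reply says about AUTH and STARTTLS.

Added example for this tutorial, not code from the original page.  The
transcript below is constructed from the SMTP-AUTH test shown above, so the
parser can be exercised without a mail server.
"""
import smtplib

# Constructed from the telnet transcript in the tutorial (server lines only).
SAMPLE_EHLO_RESPONSE = """\
250-localhost Hello root@localhost 127.0.0.1, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
"""

# SASL mechanisms that carry the password in the clear (LOGIN/PLAIN are only
# base64-encoded); they are safe only after the session is wrapped in TLS.
CLEARTEXT_MECHANISMS = {"PLAIN", "LOGIN"}


def parse_ehlo(response):
    """Parse the 250 lines of an EHLO reply into {EXTENSION: parameters}.

    The first line is the greeting and names no extension.  Every later line
    is '250-KEYWORD params' (continuation) or '250 KEYWORD params' (last line).
    """
    features = {}
    lines = response.strip().splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue  # not part of a successful EHLO reply
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def assess(features):
    """Summarise the server's AUTH/STARTTLS posture from parsed EHLO features.

    'auth_enabled': the 250-AUTH line is present (the tutorial's own check).
    'starttls': the server offers STARTTLS.
    'cleartext_mechs_before_tls': PLAIN/LOGIN advertised on this unencrypted
        connection, so a client that skips STARTTLS would leak its password.
    """
    mechs = features.get("AUTH", "").split()
    return {
        "auth_enabled": "AUTH" in features,
        "mechanisms": mechs,
        "starttls": "STARTTLS" in features,
        "cleartext_mechs_before_tls": sorted(CLEARTEXT_MECHANISMS & set(mechs)),
    }


def probe(host="localhost", port=25, timeout=10):
    """Live check against a real server (hypothetical helper; not run by tests).

    smtplib sends EHLO itself and exposes the advertised extensions in
    esmtp_features, keyed by lowercase keyword.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError("EHLO failed with reply code %d" % code)
        features = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    return assess(features)


if __name__ == "__main__":
    result = assess(parse_ehlo(SAMPLE_EHLO_RESPONSE))
    print("SMTP-AUTH enabled:", result["auth_enabled"])
    print("mechanisms:", " ".join(result["mechanisms"]))
    print("STARTTLS offered:", result["starttls"])
    if result["cleartext_mechs_before_tls"]:
        print("warning: %s advertised before STARTTLS"
              % ", ".join(result["cleartext_mechs_before_tls"]))
```

Run as-is it evaluates the embedded transcript; call probe() with the host and port of a real server for a live check. On the tutorial's transcript it reports SMTP-AUTH enabled and STARTTLS offered, but warns that LOGIN and PLAIN are advertised before TLS. The configuration above sets nothing that withholds them; sendmail's confAUTH_OPTIONS setting with the p flag (documented in sendmail's cf/README) makes the server offer mechanisms susceptible to passive sniffing only once a security layer such as STARTTLS is active.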
April 9th, 2006 at 8:52 am
Perfect tutorial…..
Got it working without ….thanks
Small point I would like to mention.....I goofed up bad the first time. I was in a hurry and too lazy to actually type the command, and was doing a copy-paste of the command above.....sadly I did not realize the quotation marks were getting goofed up.....ended up with a broken setup.....realized my mistake.....check below
this
echo “pwcheck_method: saslauthd” > /usr/lib/sasl2/Sendmail.conf
was becoming this
echo .pwcheck_method: saslauthd. > /usr/lib/sasl2/Sendmail.conf
Thanks a lot….cheers
Mohin