Sendmail SMTP-AUTH TLS howto: Falko Timme

A very good, very specific and complete tutorial on the complicated setup of sendmail with SMTP AUTH and TLS at Falko Timme's site: Sendmail-SMTP-AUTH-TLS-Howto.

(Related TotSP articles: http://www.screaming-penguin.com/node/4214, http://www.screaming-penguin.com/node/3033.)

I have one question/issue with this setup and its use of "delay_checks", but it's a great article and that single issue is probably more a reflection of my lack of understanding of the complicated delay_checks SMTP AUTH issue than of the article itself having any problems. (My issue, in case anyone here can enlighten me, is that by looking at it it seems that delay_checks does what it intends in that it allows you to use dnsbl and smtp_auth together, by delaying the dnsbl checks, but that also would then allow EVERYONE to spoof email source addresses because those are delayed as well? I don't totally understand it, granted, but for myself this delay_checks stuff needs more research before getting placed in the sendmail.mc.)

Reproduced here for posterity (this is work of and credited to Falko Timme):

Sendmail-SMTP-AUTH-TLS-Howto

Version 1.0
Author: Falko Timme
Last edited 02/09/2004

This document describes how to install a mail server based on sendmail that is capable of SMTP-AUTH and TLS. It should work (maybe with slight changes concerning paths etc.) on all *nix operating systems. I tested it on Debian Woody so far.

This howto is meant as a practical guide; it does not cover the theoretical backgrounds. They are treated in a lot of other documents on the web.

This document comes without warranty of any kind!

1 Get the Sources
We need the following software: openssl, cyrus-sasl2, and sendmail. We will install the software from the /tmp directory.

cd /tmp
wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz
wget --passive-ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.17.tar.gz
wget --passive-ftp ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.11.tar.gz

2 Install Openssl
tar xvfz openssl-0.9.7c.tar.gz
cd openssl-0.9.7c
./config
make
make install

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

3 Install Cyrus-sasl2
cd /tmp
tar xvfz cyrus-sasl-2.1.17.tar.gz
cd cyrus-sasl-2.1.17
./configure --enable-anon --enable-plain --enable-login --disable-krb4 --with-saslauthd=/var/run/saslauthd --with-pam --with-openssl=/usr/local/ssl --with-plugindir=/usr/local/lib/sasl2 --enable-cram --enable-digest --enable-otp
(The configure command is one single line!)

make
make install

If /usr/lib/sasl2 exists:
mv /usr/lib/sasl2 /usr/lib/sasl2_orig

echo "pwcheck_method: saslauthd" > /usr/local/lib/sasl2/Sendmail.conf

echo "mech_list: login plain" >> /usr/local/lib/sasl2/Sendmail.conf
mkdir -p /var/run/saslauthd

4 Create Certificates for TLS

mkdir -p /etc/mail/certs
cd /etc/mail/certs

openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365
<- Enter your password for smtpd.key.
<- Enter your Country Name (e.g., "DE").
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. "IT Department").
<- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<- Enter your Email Address.

openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 365
<- Again, enter your password for smtpd.key.
<- Enter your Country Name (e.g., "DE").
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. "IT Department").
<- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<- Enter your Email Address.

openssl x509 -noout -text -in sendmail.pem

chmod 600 ./sendmail.pem
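The certificate step above, done without prompts so that it can be scripted, together with the checks worth running on the resulting file. This is an added example, not code from Falko Timme's howto: the subject fields, the host name server1.example.com and the function names are placeholders of mine, and the key and certificate are written to two temporary files and then concatenated rather than relying on -keyout and -out sharing a file name.

```shell
#!/bin/sh
# Added example, not part of the original howto: section 4 without prompts,
# plus checks on the resulting combined key+certificate file.
# Paths, subject fields and host name are placeholders to adjust.

# Build a self-signed certificate and its unencrypted private key into one PEM
# file, as the howto's "openssl req -nodes -new -x509 ... sendmail.pem" call does,
# but with the identity given on the command line instead of at prompts.
make_selfsigned_pem() {
    out="$1"             # e.g. /etc/mail/certs/sendmail.pem
    cn="$2"              # FQDN the server presents, e.g. server1.example.com
    days="${3:-365}"
    (
        umask 077        # files are created mode 0600; no chmod needed afterwards
        openssl req -nodes -new -x509 -newkey rsa:2048 -days "$days" \
            -subj "/C=DE/ST=Some-State/L=Some-City/O=Example Org/OU=IT Department/CN=$cn" \
            -keyout "$out.key" -out "$out.crt" 2>/dev/null &&
        cat "$out.key" "$out.crt" > "$out" &&
        rm -f "$out.key" "$out.crt"
    )
}

# Checks on a combined key+certificate PEM as used for confSERVER_CERT and
# confSERVER_KEY. Returns 0 only if all pass; the failing check goes to stderr.
check_pem() {
    f="$1"
    # 1. Private: exactly mode 0600, because the file holds the private key.
    [ -n "$(find "$f" -prune -perm 0600)" ] \
        || { echo "$f: mode is not 0600" >&2; return 1; }
    # 2. The certificate verifies against itself. It is self-signed, so the
    #    howto's cacert.pem did not sign it and would not verify it.
    openssl verify -CAfile "$f" "$f" >/dev/null 2>&1 \
        || { echo "$f: certificate does not verify" >&2; return 1; }
    # 3. The key in the file belongs to the certificate in the file.
    [ "$(openssl x509 -noout -modulus -in "$f" 2>/dev/null)" = \
      "$(openssl rsa -noout -modulus -in "$f" 2>/dev/null)" ] \
        || { echo "$f: key and certificate do not match" >&2; return 1; }
    # 4. Still valid 30 days (2592000 s) from now; -days 365 runs out quietly.
    openssl x509 -noout -checkend 2592000 -in "$f" >/dev/null 2>&1 \
        || { echo "$f: certificate expires within 30 days" >&2; return 1; }
    return 0
}

# Subject and validity dates, a shorter view than "openssl x509 -noout -text".
show_pem() {
    openssl x509 -noout -subject -dates -in "$1"
}

# Example usage (as root):
#   mkdir -p /etc/mail/certs
#   make_selfsigned_pem /etc/mail/certs/sendmail.pem server1.example.com 365
#   check_pem /etc/mail/certs/sendmail.pem && show_pem /etc/mail/certs/sendmail.pem
```

check_pem is worth rerunning from cron: the howto's one-year certificate expires without any warning from sendmail itself, and the permission check catches a file that was regenerated without the chmod 600.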

5 Install Sendmail
cd /tmp
tar xvfz sendmail.8.12.11.tar.gz
cd sendmail-8.12.11/devtools/Site/

Create the file site.config.m4 (in devtools/Site/):

# SASL2 (smtp authentication)
APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
#
# STARTTLS (smtp + tls/ssl)
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_SMTP_SSL')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto -L/usr/local/ssl/lib')

mkdir -p /usr/man
mkdir -p /usr/man/man1
mkdir -p /usr/man/man8
cp -pfr /usr/local/lib/sasl2 /usr/lib/sasl2
echo /usr/lib/sasl2 >> /etc/ld.so.conf

ldconfig
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
Now we can compile sendmail:
cd /tmp/sendmail-8.12.11/
useradd smmsp
groupadd smmsp
sh Build -c

sh Build install
Let's create our sendmail.cf:
cd cf/cf/

Create the file sendmail.mc with the following contents:

dnl ### do SMTPAUTH
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl

dnl ### do STARTTLS
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl

dnl ###
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define(`confMAX_MESSAGE_SIZE', `15000000')dnl Denial of Service Attacks
define(`confMAX_DAEMON_CHILDREN', `30')dnl Denial of Service Attacks
define(`confCONNECTION_RATE_THROTTLE', `2')dnl Denial of Service Attacks
define(`confMAXRCPTSPERMESSAGE', `50')dnl Denial of service Attacks
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `20s')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `35m')dnl
define(`confTO_DATAFINAL', `35m')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
define(`confALIAS_WAIT', `0')dnl
define(`confMAX_HOP', `35')dnl
define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `12')dnl
define(`confSEPARATE_PROC', `False')dnl
define(`confCON_EXPENSIVE', `true')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl

FEATURE(`delay_checks')dnl
FEATURE(`generics_entire_domain')dnl
FEATURE(`local_procmail')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`nouucp',`reject')dnl
FEATURE(`redirect')dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`virtuser_entire_domain')dnl

dnl $&{client_addr} expands to the address of the connecting client
FEATURE(dnsbl,`blackholes.mail-abuse.org',
`"Mail from " $&{client_addr} " rejected; see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr}')dnl
FEATURE(dnsbl,`dialups.mail-abuse.org',
`"Mail from dial-up rejected; see http://mail-abuse.org/dul/enduser.htm"')dnl

FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl
FEATURE(access_db)dnl
FEATURE(lookupdotdomain)dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

In order to create /etc/mail/sendmail.cf run the following commands:

sh Build sendmail.cf
cp sendmail.cf /etc/mail/sendmail.cf
Finally we have to create some files:
cd /etc/mail/
touch /etc/mail/local-host-names
touch /etc/mail/virtusertable
/usr/sbin/makemap hash virtusertable < virtusertable

mkdir -p /var/spool/mqueue
chmod 700 /var/spool/mqueue
chown root:root /var/spool/mqueue
chown root:root /etc/mail/sendmail.cf
chmod 444 /etc/mail/sendmail.cf
chown root:root /etc/mail/submit.cf

chmod 444 /etc/mail/submit.cf
touch /etc/mail/aliases
newaliases
touch /etc/mail/access
/usr/sbin/makemap hash access < access

We need an init script for sendmail (this should be copied to /etc/init.d/sendmail):

#! /bin/sh
# Init script for sendmail: run the daemon in the background (-bd) and
# process the mail queue every hour (-q1h).

case "$1" in
    start)
        echo "Initializing SMTP port. (sendmail)"
        /usr/sbin/sendmail -bd -q1h
        ;;
    stop)
        echo "Shutting down SMTP port:"
        killall /usr/sbin/sendmail
        ;;
    restart|reload)
        $0 stop  &&  $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
        ;;
esac
exit 0

chmod 755 /etc/init.d/sendmail

In order to start sendmail at boot time do the following:

ln -s /etc/init.d/sendmail /etc/rc2.d/S20sendmail
ln -s /etc/init.d/sendmail /etc/rc3.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc4.d/S20sendmail
ln -s /etc/init.d/sendmail /etc/rc5.d/S20sendmail
ln -s /etc/init.d/sendmail /etc/rc0.d/K20sendmail
ln -s /etc/init.d/sendmail /etc/rc1.d/K20sendmail
ln -s /etc/init.d/sendmail /etc/rc6.d/K20sendmail

6 Configure Saslauthd

Create /etc/init.d/saslauthd:

#!/bin/sh -e

NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd

test -f "${DAEMON}" || exit 0

# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
    . "${DEFAULTS}"
fi

# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
    exit 0
fi

# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
    echo "You need to configure ${DEFAULTS} with mechanisms to be used"
    exit 0
fi

# Add our mechanisms with the necessary flag
for i in ${MECHANISMS}; do
    PARAMS="${PARAMS} -a ${i}"
done

# Consider our options
case "${1}" in
  start)
        echo -n "Starting ${DESC}: "
        # The socket directory given to --with-saslauthd in step 3; sendmail
        # runs unchrooted, so no symlink into a chroot is needed here.
        mkdir -p /var/run/${NAME}
        ${DAEMON} ${PARAMS}
        echo "${NAME}."
        ;;
  stop)
        echo -n "Stopping ${DESC}: "
        PROCS=`ps aux | grep -iw '/usr/sbin/saslauthd' | grep -v 'grep' |awk '{print $2}' | tr '\n' ' '`
        if [ "x${PROCS}" != "x" ]; then
          # "> /dev/null 2>&1" is the portable form; "&>" is a bash extension
          kill -15 ${PROCS} > /dev/null 2>&1
        fi
        echo "${NAME}."
        ;;
  restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        echo "${NAME}."
        ;;
  *)
        echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

chmod 755 /etc/init.d/saslauthd
In order to start saslauthd at boot time do the following:

ln -s /etc/init.d/saslauthd /etc/rc2.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc3.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc4.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc5.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc0.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc1.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc6.d/K20saslauthd

Then create /etc/default/saslauthd:

# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb"
MECHANISMS=shadow

If you find out that saslauthd is located in /usr/local/sbin instead of /usr/sbin, create a symbolic link:

ln -s /usr/local/sbin/saslauthd /usr/sbin/saslauthd

Then start saslauthd and sendmail:

/etc/init.d/saslauthd start
/etc/init.d/sendmail start

7 Test your Configuration

To verify that your sendmail was compiled with the right options type

/usr/sbin/sendmail -d0.1 -bv root

You should see that sendmail was compiled with SASLv2 and STARTTLS.

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.
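The two checks of this section as scripted tests, an added example that is not part of Falko Timme's howto. The functions parse text on stdin, so they can be run against the constructed samples embedded below (these are made up to match the format of the real commands, not captured from a host) or fed from the live commands; the live_* helpers, the user/password arguments and the nc and testsaslauthd invocations are my assumptions about the tools on the box.

```shell
#!/bin/sh
# Added example, not part of the original howto: the checks of section 7 as
# functions that parse their input, plus live wrappers around the real commands.

# Constructed sample of "sendmail -d0.1 -bv root" output (not captured from a real host).
SAMPLE_D01=$(cat <<'EOF'
Version 8.12.11
 Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND
                NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF
                STARTTLS USERDB XDEBUG
============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = server1
EOF
)

# Constructed sample EHLO dialogue from a server built as in this howto.
SAMPLE_EHLO=$(cat <<'EOF'
220 server1.example.com ESMTP Sendmail 8.12.11/8.12.11; Mon, 9 Feb 2004 12:00:00 +0100
250-server1.example.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 15000000
250-DSN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP
EOF
)

# Constructed sample of a server built without SASL and TLS: neither line appears.
SAMPLE_EHLO_PLAIN=$(cat <<'EOF'
250-server1.example.com Hello localhost [127.0.0.1], pleased to meet you
250-PIPELINING
250 HELP
EOF
)

# Return 0 if the "Compiled with:" block on stdin lists every option named in $1.
has_compiled_options() {
    # Keep the "Compiled with:" line and its indented continuation lines only.
    opts=$(awk '/Compiled with:/ {f=1} f { if ($0 ~ /^[ \t]/) print; else exit }' | tr '\n' ' ')
    for w in $1; do
        printf '%s\n' "$opts" | grep -qw -- "$w" || return 1
    done
    return 0
}

# Return 0 if the EHLO reply on stdin advertises both STARTTLS and AUTH.
# Reply lines are "250-KEYWORD", the last one "250 KEYWORD"; CRLF is stripped first.
ehlo_has_auth_and_tls() {
    reply=$(tr -d '\r')
    printf '%s\n' "$reply" | grep -q '^250[- ]STARTTLS' || return 1
    printf '%s\n' "$reply" | grep -q '^250[- ]AUTH' || return 1
}

# Print the SASL mechanisms offered; should match confAUTH_MECHANISMS in sendmail.mc.
ehlo_auth_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH //p'
}

# Live versions (daemons must be running; host and port default to localhost:25).
live_ehlo() {            # plain-text EHLO, what "telnet localhost 25" does by hand
    printf 'EHLO localhost\r\nQUIT\r\n' | nc -w 5 "${1:-localhost}" "${2:-25}"
}
live_starttls() {        # real STARTTLS handshake; sendmail.pem is self-signed,
                         # so it is verified against itself, not against cacert.pem
    printf 'QUIT\r\n' | openssl s_client -starttls smtp \
        -connect "${1:-localhost}:${2:-25}" -CAfile /etc/mail/certs/sendmail.pem 2>&1 \
        | grep -E 'Verify return code|subject='
}
live_saslauthd() {       # exercises saslauthd alone, bypassing sendmail: user, password
    testsaslauthd -f /var/run/saslauthd/mux -u "$1" -p "$2"
}

# Example usage:
#   /usr/sbin/sendmail -d0.1 -bv root | has_compiled_options "SASLv2 STARTTLS" && echo "build ok"
#   live_ehlo | ehlo_has_auth_and_tls && echo "AUTH and STARTTLS advertised"
#   live_ehlo | ehlo_auth_mechs
```

Running live_saslauthd separately is the quickest way to tell a SASL problem from a sendmail one: if testsaslauthd succeeds but AUTH over SMTP fails, the fault is in Sendmail.conf or the plugin directory, not in saslauthd or the mechanism list in /etc/default/saslauthd.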