OpenBSD Sendmail + SMTP AUTH Mini-HOWTO
This howto details how to (durh) set up the version of sendmail included with OpenBSD 3.3 to accept authentication via Cyrus SASL.
These instructions work just fine with 3.6, and you do NOT need to re-compile sendmail to enable SSMTP.
- install cyrus sasl v2
# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/`uname -r`/packages/`machine`/cyrus-sasl-2.1.11.tgz
- enable SASL in sendmail
# echo WANT_SMTPAUTH= yes >> /etc/mk.conf
- set up a "proper" libsasl2
# cd /usr/local/lib; ln -s libsasl2.so.2.11 libsasl2.so
- # cd /usr/src/gnu/usr.sbin/sendmail
- edit cf/cf/openbsd-proto.mc
after the FEATURE(`no_default_msa') line, add:
LOCAL_DOMAIN(`fqdn.of.machine.org')
LOCAL_DOMAIN(`domain.org')
define(`confAUTH_MECHANISMS',`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
define(`confAUTH_OPTIONS',`p,y')dnl
define(`confPRIVACY_FLAGS',`authwarnings,goaway')
notes:
- if you want to receive mail for other domains you can add LOCAL_DOMAIN directives as needed
- the confAUTH_OPTIONS entry is optional, but since it blocks PLAIN and LOGIN attempts on unsecured channels (i.e. port 25 w/o a STARTTLS command issued first) it adds a beneficial bit of security. thanks, Zyl!
- the confPRIVACY_FLAGS setting "goaway" simply disables EXPN, VRFY and VERB, denying information to the malicious. authwarnings is part of the default ruleset, so I added it for completeness.
- build sendmail
# make clean obj depend && make && make install
- install the new config file
# cp cf/cf/obj/openbsd-proto.cf /etc/mail/sendmail.cf
- add the SASL config file
we'll be using the sasl auth daemon, so...
# echo pwcheck_method: saslauthd > /usr/local/lib/sasl2/Sendmail.conf
- add users with /usr/local/sbin/saslpasswd2
# /usr/local/sbin/saslpasswd2 username
saslpasswd2 may complain about kerberos; it may be helpful to
# touch /etc/kerberosIV/srvtab
to silence some of the warnings
- edit /etc/rc.conf
remove -C/etc/mail/localhost.cf from sendmail_flags
- give sasl a directory to play in
# mkdir /var/sasl2
- start saslauthd
# /usr/local/sbin/saslauthd -a getpwent
- configure saslauthd to start at boot.
add the following to /etc/rc.local (the original one-liner was missing the `;' before `fi'):
if [ -x /usr/local/sbin/saslauthd ]; then
	echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a getpwent
fi
- kill the existing sendmail
# kill `head -n1 /var/run/sendmail.pid`
- start the new sendmail
# . /etc/rc.conf
# /usr/sbin/sendmail $sendmail_flags
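Once the new sendmail is up, it is worth confirming that the EHLO reply on port 25 actually reflects the AUTH_OPTIONS and PRIVACY_FLAGS settings above. The script below is an added example, not part of the original howto nor of sendmail or Cyrus SASL: a POSIX sh audit of a captured EHLO reply. It checks that PLAIN and LOGIN are not offered before STARTTLS (the `p' option), that EXPN and VERB are not advertised (goaway), and that STARTTLS is advertised at all (set up in the STARTTLS section further down; without it, option `p' means nobody can use PLAIN or LOGIN). The host names, the reply file name and the two sample replies are constructed.

```shell
#!/bin/sh
# Added example, not from the original howto: audit a captured EHLO reply for
# the properties the .mc settings above are supposed to enforce:
#   confAUTH_OPTIONS `p'     -> PLAIN and LOGIN are not offered on a session
#                               that has not issued STARTTLS yet
#   confPRIVACY_FLAGS goaway -> EXPN and VERB are not advertised
#   STARTTLS (later section) -> STARTTLS is advertised, otherwise `p' leaves
#                               nobody able to use PLAIN/LOGIN at all
# Capture a reply from your own MTA into a file, e.g. (placeholder host names):
#   printf 'EHLO audit.example.org\r\nQUIT\r\n' | nc -w 5 mailhost 25 > reply.txt

# Print the mechanisms listed on the AUTH keyword line(s), one per line.
# Handles "250-AUTH PLAIN LOGIN" and the older "250-AUTH=PLAIN LOGIN" form.
ehlo_auth_mechs() {
    tr -d '\r' < "$1" | sed -n 's/^250[ -]AUTH[ =]//p' | tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 if the reply advertises EHLO keyword $2 (STARTTLS, EXPN, ...), else 1.
ehlo_has_keyword() {
    tr -d '\r' < "$1" | grep -qE "^250[ -]$2( |$)"
}

# Run all checks on reply file $1. Prints one line per finding and returns
# the number of failed checks, so 0 means the reply looks the way it should.
audit_ehlo() {
    reply=$1
    failures=0
    if ehlo_auth_mechs "$reply" | grep -qxE 'PLAIN|LOGIN'; then
        echo "FAIL: PLAIN/LOGIN offered before STARTTLS (confAUTH_OPTIONS p not in effect)"
        failures=$((failures + 1))
    fi
    for kw in EXPN VERB; do
        if ehlo_has_keyword "$reply" "$kw"; then
            echo "FAIL: $kw advertised (confPRIVACY_FLAGS goaway not in effect)"
            failures=$((failures + 1))
        fi
    done
    if ! ehlo_has_keyword "$reply" STARTTLS; then
        echo "FAIL: STARTTLS not advertised, so PLAIN/LOGIN can never be used with option p"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK: $reply passes all checks"
    return "$failures"
}

# Constructed sample replies (not captured from a real server).
sample_reply_weak() {
    printf '250-mail.example.org Hello [192.0.2.10], pleased to meet you\r\n'
    printf '250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-EXPN\r\n250-VERB\r\n'
    printf '250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5\r\n250 HELP\r\n'
}
sample_reply_hardened() {
    printf '250-mail.example.org Hello [192.0.2.10], pleased to meet you\r\n'
    printf '250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n'
    printf '250-STARTTLS\r\n250-AUTH CRAM-MD5 DIGEST-MD5\r\n250 HELP\r\n'
}

# Stand-alone demo: audit a reply file given as $1, or both samples if none.
if [ $# -ge 1 ]; then
    audit_ehlo "$1" || :
else
    demo=$(mktemp) || exit 1
    sample_reply_weak > "$demo";     audit_ehlo "$demo" || :
    sample_reply_hardened > "$demo"; audit_ehlo "$demo" || :
    rm -f "$demo"
fi
```

Run it against a reply captured on port 25 before STARTTLS; a clean result on the cleartext channel is exactly what `p,y' and goaway are there for, and the same audit run after STARTTLS (openssl s_client -starttls smtp, then EHLO) should then show PLAIN and LOGIN again.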
here's the config file i use: dorkzilla.mc
STARTTLS
if you want STARTTLS support, add the following to your .mc file:
define(`confCACERT_PATH',`/etc/mail/certs')
define(`confCACERT',`/etc/mail/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/etc/mail/certs/sendmail.pem')
define(`confSERVER_KEY',`/etc/mail/certs/sendmail.pem')
then run the following commands to generate your self-signed certificates (unless you ponied up $300 to Thawte)..
# mkdir /etc/mail/certs
# cd /etc/mail/certs
# PEM1=`mktemp /tmp/openssl.XXXXXX`
# PEM2=`mktemp /tmp/openssl.XXXXXX`
# openssl req -newkey rsa:1024 -keyout $PEM1 \
-nodes -x509 -days 365 -out $PEM2
# cat $PEM1 > sendmail.pem
# echo "" >> sendmail.pem
# cat $PEM2 >> sendmail.pem
# cp $PEM2 ca-bundle.crt
# rm $PEM1 $PEM2
# chmod 400 sendmail.pem
# chmod 400 ca-bundle.crt
and, of course, recreate /etc/mail/sendmail.cf and restart sendmail.
thanks to Richard Harms for pulling this information out of a RedHat 8.0 install. see http://flint.kitiara.com/Lists-Archives/l-cialug-0306/msg00023.html and http://flint.kitiara.com/Lists-Archives/l-cialug-0306/msg00025.html
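The command list above concatenates the key and the certificate into one file and relies on you getting the chmod right; the script below is an added example (not from the original howto, nor from OpenBSD or sendmail) that does the same job as a function and then verifies the result: mode 400, exactly one key and one certificate in the file, and a key that actually belongs to the certificate. It deliberately differs from the page's commands in using rsa:2048 instead of rsa:1024 (1024-bit RSA is no longer adequate), a non-interactive -subj, and umask 077 so the private key is never world-readable, not even during the cat/cp steps. The directory, host name and lifetime are arguments; the file name mkcert.sh in the usage line is made up.

```shell
#!/bin/sh
# Added example, not from the original howto: build the combined
# /etc/mail/certs/sendmail.pem the way the command list above does, then
# verify it before pointing confSERVER_CERT/confSERVER_KEY at it.
# Deliberate differences from the page's commands: rsa:2048 instead of
# rsa:1024, a non-interactive -subj, and umask 077 so the private key is
# never readable by others. Directory, hostname and lifetime are arguments.

# make_sendmail_pem DIR CN [DAYS]: write DIR/sendmail.pem (key, blank line,
# cert) and DIR/ca-bundle.crt (cert only), both mode 400 like the page does.
make_sendmail_pem() {
    dir=$1; cn=$2; days=${3:-365}
    umask 077
    mkdir -p "$dir" || return 1
    key=$(mktemp "$dir/key.XXXXXX") || return 1
    crt=$(mktemp "$dir/crt.XXXXXX") || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$cn" -keyout "$key" -out "$crt" 2>/dev/null || return 1
    { cat "$key"; echo ""; cat "$crt"; } > "$dir/sendmail.pem"
    cp "$crt" "$dir/ca-bundle.crt"
    rm -f "$key" "$crt"
    chmod 400 "$dir/sendmail.pem" "$dir/ca-bundle.crt"
}

# verify_sendmail_pem FILE: fail unless FILE is mode 400, contains exactly
# one private key and one certificate, and the key belongs to the cert.
# On success prints the subject and expiry date.
verify_sendmail_pem() {
    f=$1
    mode=$(ls -l "$f" | cut -c1-10)
    if [ "$mode" != "-r--------" ]; then
        echo "FAIL: $f is $mode, expected -r-------- (chmod 400)"; return 1
    fi
    if [ "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f")" -ne 1 ]; then
        echo "FAIL: expected exactly one private key in $f"; return 1
    fi
    if [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -ne 1 ]; then
        echo "FAIL: expected exactly one certificate in $f"; return 1
    fi
    # openssl reads the first block of the requested type, so the combined
    # file can be handed to both subcommands directly.
    keymod=$(openssl rsa -noout -modulus -in "$f" 2>/dev/null)
    certmod=$(openssl x509 -noout -modulus -in "$f" 2>/dev/null)
    if [ -z "$keymod" ] || [ "$keymod" != "$certmod" ]; then
        echo "FAIL: private key and certificate in $f do not match"; return 1
    fi
    openssl x509 -noout -subject -enddate -in "$f"
}

# Stand-alone use: sh mkcert.sh /etc/mail/certs mail.example.org 365
if [ $# -ge 2 ]; then
    make_sendmail_pem "$1" "$2" "${3:-365}" && verify_sendmail_pem "$1/sendmail.pem"
fi
```

The expiry date it prints is the one to put in your calendar: a self-signed cert that silently expires makes clients stop trusting STARTTLS, and with AUTH_OPTIONS `p' that also locks out every PLAIN/LOGIN user.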
SSMTP
ssmtp (on port 465) is the other half-assed hack to get encryption on an smtp connection. there's a _FFR (for future release) option you can compile into sendmail to enable this feature.
compile _FFR_SMTP_SSL into sendmail
- patch /usr/src/gnu/usr.sbin/sendmail/sendmail/Makefile
--- gnu/usr.sbin/sendmail/sendmail/Makefile Sun Jun 8 15:43:33 2003 +++ gnu/usr.sbin/sendmail/sendmail/Makefile Sun Jun 8 15:05:56 2003 @@ -9,7 +9,7 @@ WANT_LIBSMUTIL=1 # For TLS/SSL support -ENVDEF+= -DSTARTTLS +ENVDEF+= -DSTARTTLS -D_FFR_SMTP_SSL LDADD+= -lssl -lcrypto DPADD= ${LIBSSL} ${LIBCRYPTO} - re-build sendmail
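Review bot: the header timestamps are reversed: the `+++` file (Sun Jun 8 15:05:56 2003) is older than the `---` file (Sun Jun 8 15:43:33 2003), so the diff appears to have been generated with its operands swapped; the `+` line is the one carrying `-D_FFR_SMTP_SSL`, which matches the text's intent, but regenerate it old-file-first so nobody feeding it to patch is misled. Worth documenting as well: this edits gnu/usr.sbin/sendmail/sendmail/Makefile inside the source tree, so the next update of /usr/src will silently drop the flag and the port 465 listener will stop being built in.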
# cd /usr/src/gnu/usr.sbin/sendmail
# make clean && make
# make install
enable ssmtp in /usr/src/gnu/usr.sbin/sendmail/cf/cf/openbsd-proto.mc
- # cd /usr/src/gnu/usr.sbin/sendmail/cf/cf
- add the following line to openbsd-proto.mc
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl
- rebuild and install the config
# make
# cp obj/openbsd-proto.cf /etc/mail/sendmail.cf
restart sendmail
- kill the existing sendmail
# kill `head -n1 /var/run/sendmail.pid`
- start the new sendmail
# . /etc/rc.conf
# /usr/sbin/sendmail $sendmail_flags
MILTER-REGEX
this milter rejects mail based on regular expressions. written by Daniel Hartmeier of PF fame, it's pretty brain-dead easy to use. i just use it for blocking Swen for now, but it looks like it has great potential. see http://www.benzedrine.cx/milter-regex.html for details on installation and use.
SPAMHAUS XBL+SBL
i've been using the spamhaus sbl+xbl dnsbl for a while now, and it seems to be pretty effective. to make it happen, just add the following to your openbsd-proto.mc, recompile the .mc, install the resulting .cf, and restart sendmail.
FEATURE(`dnsbl', `sbl-xbl.spamhaus.org',
`"571 ACCESS DENIED to <"$&f"> thru "$&{client_name}"by /spamhaus/ ;Please see http://www.spamhaus.org/sbl/"')dnl
CYRUS-IMAPD
if you'd like an imap and pop3 server, i suggest reading this: http://www.monkey.org/openbsd/archive/ports/0302/msg00266.html ... a port of cyrus-imapd 2.1.12 for openbsd. makes life easier (but make sure you install /usr/ports/databases/db first). also note that if you remove libotp.* from /usr/local/lib/sasl2 OTP secrets will not be created and *-MD5 authentication will fail.
if anything breaks, it's not my fault. this should work, but i offer no warranty for the usability, etc, etc, of this document.
#include <standardDisclaimer.h>