How to enable SMTP AUTH on a Linux system running sendmail.
What follows are the steps I took to implement the policies we’ve established at work for our authenticated mail relay, currently running Fedora Core 2:
All inbound connections except those originating on the localhost must authenticate against our local password map. We rely on the Pluggable Authentication Modules (PAM)—not Kerberos or SASL—for authentication and authorization, so passwords are sent over the wire with the LOGIN or PLAIN authentication mechanism.
All inbound connections must be transported over an SSL connection with a key length of at least 128 bits.
There are two key elements in a sendmail.cf that'll work as I intended: authentication mechanisms and SSL path information. I'm not a hardcore sendmail guru, so I rely completely on the m4 macro mechanism for building my configuration. Here are the key bits that need to get pushed into /etc/mail/sendmail.mc. (If you're new to SSL, you might find my instructions for building a self-signed certificate helpful.)
dnl
dnl The following allows relaying if the user authenticates,
dnl and disallows plaintext authentication (PLAIN/LOGIN) on
dnl non-TLS links.
dnl
define(`confAUTH_OPTIONS', `A p')dnl
dnl
dnl Accept PLAIN and LOGIN authentications.
dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl
dnl Define paths to directory hosting certs of trusted certificate
dnl authorities (like VeriSign) and path to local certificate.
dnl
define(`confCACERT_PATH',`/etc/mail/certs')dnl
define(`confCACERT',`/etc/mail/certs/ca-bundle.crt')dnl
define(`localCERT', `/etc/mail/certs/our-cert.pem')dnl
define(`confCLIENT_CERT',`localCERT')dnl
define(`confCLIENT_KEY',`localCERT')dnl
define(`confSERVER_CERT',`localCERT')dnl
define(`confSERVER_KEY',`localCERT')dnl
Because the same PEM file is used for both the certificate and the key, it holds the private key, and sendmail will refuse to load a key file that is group- or world-readable. Keep it mode 0600 and owned by root (or by the RunAsUser, if you set one); otherwise STARTTLS silently stays off and the policy above cannot be enforced.
For our purposes, sendmail absolutely must have an access map. It’s almost always part of a standard configuration, but here’s the macro just in case.
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
Once the macro file has been updated, regenerate sendmail.cf.
make sendmail.cf -C /etc/mail
The access map is configured to enforce the 128-bit-key policy. Our /etc/mail/access is quite simple. Mail originating on the local host is relayed, while everyone wanting to connect via SSL (which is everyone) must have 128-bit crypto.
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
TLS_Clt: ENCR:128
Note: You may find that the TLS_Clt setting breaks your configuration. Deleting it probably won't hurt anything, but then the 128-bit requirement is no longer enforced by the access map.
After updating the text version of the access map, rebuild the binary version.
make access.db -C /etc/mail
Since sendmail is linked to version 2 of the Cyrus SASL libraries, it relies on saslauthd to handle plaintext authentication. On Fedora Core systems, the default
authentication mechanism is the local shadow password file. In our environment, however, I need to use PAM. Implementing the
change is a simple matter of altering the MECH setting in /etc/sysconfig/saslauthd.
# the default is "shadow", but we're using "pam"
MECH=pam
# these two settings are the defaults
SOCKETDIR=/var/run/saslauthd
FLAGS=
Fedora’s sendmail package ships with a SASL configuration file, /usr/lib/sasl2/Sendmail.conf, that should work out of the box. It’s a one-liner.
pwcheck_method:saslauthd
Note: Newer versions of Cyrus SASL will look for /etc/sasl2/Sendmail.conf rather than /usr/lib/sasl2/Sendmail.conf. Sooner or
later, this change will also impact Fedora.
Also, you’ll want to make sure that saslauthd is started at boot time.
chkconfig saslauthd on
Fedora’s sendmail package also ships with a working PAM configuration file, /etc/pam.d/smtp,
but it’s worthwhile to double-check that it exists and contains the two requisite lines.
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
With all those configuration files in place, all that’s left to do is start (or restart) the server software.
/etc/init.d/saslauthd start
/etc/init.d/sendmail start
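Once the daemons are up, it is worth confirming from the outside that the policy actually holds: the `p` in confAUTH_OPTIONS means the plaintext EHLO must not advertise LOGIN or PLAIN, while the EHLO after STARTTLS must, and the negotiated cipher must satisfy ENCR:128. The script below is an added example, not part of the original page, and applies equally to the Fedora and Gentoo setups. The host name relay.example.com and the two sample EHLO replies are constructed for illustration; the policy checks are pure functions so they can be exercised without a live server, and audit() runs the same checks over smtplib against a real relay.

```python
"""Added check for the SMTP AUTH over STARTTLS policy described above.

Not part of the original page.  Verifies that a relay offers STARTTLS but no
AUTH mechanisms on the plaintext EHLO, then offers AUTH LOGIN PLAIN over a
cipher of at least 128 bits once TLS is up.  The host name used in __main__
and the sample replies below are assumptions/constructed data.
"""
import smtplib
import ssl
import sys

MIN_CIPHER_BITS = 128                 # the access map's ENCR:128
REQUIRED_MECHS = {"LOGIN", "PLAIN"}   # confAUTH_MECHANISMS

# Constructed sample replies, in the form sendmail puts on the wire.
PLAIN_REPLY = (b"250-relay.example.com Hello [192.0.2.10], pleased to meet you\r\n"
               b"250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n"
               b"250-SIZE\r\n250-DSN\r\n250-STARTTLS\r\n250 HELP")
TLS_REPLY = (b"250-relay.example.com Hello [192.0.2.10], pleased to meet you\r\n"
             b"250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n"
             b"250-SIZE\r\n250-DSN\r\n250-AUTH LOGIN PLAIN\r\n250 HELP")


def parse_ehlo(reply):
    """Parse a raw EHLO reply into {keyword: params}, keyed like smtplib's esmtp_features."""
    features = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:  # skip the greeting
        if line.startswith("250") and len(line) > 3 and line[3] in "- ":
            line = line[4:]                 # strip "250-" / "250 "
        keyword, _, params = line.strip().partition(" ")
        keyword = keyword.lower()
        if keyword == "auth":               # several AUTH lines are legal; merge them
            features[keyword] = (features.get(keyword, "") + " " + params).strip()
        else:
            features[keyword] = params.strip()
    return features


def advertised_mechs(features):
    """Set of SASL mechanism names in the AUTH line(s), empty if none."""
    return set(features.get("auth", "").upper().split())


def check_plaintext_phase(features):
    """Before STARTTLS: STARTTLS must be offered and no mechanism may be advertised."""
    problems = []
    if "starttls" not in features:
        problems.append("STARTTLS not offered")
    mechs = advertised_mechs(features)
    if mechs:
        problems.append("AUTH %s advertised before STARTTLS" % " ".join(sorted(mechs)))
    return problems


def check_tls_phase(features, cipher_bits):
    """After STARTTLS: required mechanisms present, cipher at least MIN_CIPHER_BITS."""
    problems = []
    missing = REQUIRED_MECHS - advertised_mechs(features)
    if missing:
        problems.append("AUTH missing %s" % " ".join(sorted(missing)))
    if cipher_bits < MIN_CIPHER_BITS:
        problems.append("cipher is %d bits, policy needs %d" % (cipher_bits, MIN_CIPHER_BITS))
    return problems


def audit(host, port=25):
    """Run both checks against a live server; returns the list of violations."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # self-signed cert: we only care about the cipher
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        problems = check_plaintext_phase(smtp.esmtp_features)
        if "starttls" not in smtp.esmtp_features:
            return problems               # nothing more to test without TLS
        smtp.starttls(context=ctx)
        smtp.ehlo()                       # features are re-announced after TLS
        bits = smtp.sock.cipher()[2]      # (name, protocol, secret bits)
        problems += check_tls_phase(smtp.esmtp_features, bits)
    return problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "relay.example.com"  # assumed host
    found = audit(target)
    for p in found:
        print("FAIL:", p)
    sys.exit(1 if found else 0)
```

Run it as `python3 check_relay.py relay.example.com` from a host that is not the relay itself; a clean run prints nothing and exits 0. Certificate verification is deliberately disabled because the page assumes a self-signed certificate, so the script proves only that the cipher and AUTH behaviour match the policy, not the server's identity.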
The instructions provided above will work on Gentoo Linux systems with a few modifications:
When building sendmail, make sure that your USE variable includes “sasl” and “ssl.”
USE="sasl ssl" emerge mail-mta/sendmail
The paths to the key and certificate files in sendmail.cf will be in the /etc/ssl/certs directory tree.
Rebuilding sendmail.cf and access.db needs to be done by hand.
cd /etc/mail
cp sendmail.cf sendmail.cf.bak
m4 sendmail.mc > sendmail.cf
makemap hash access < access
Some newer cyrus-sasl ebuilds will look for /etc/sasl2/Sendmail.conf rather than
/usr/lib/sasl2/Sendmail.conf.
saslauthd startup options are stored in /etc/conf.d/saslauthd. Use the SASL_AUTHMECH variable to specify the
authentication mechanism.
You’ll need to create the PAM configuration file, /etc/pam.d/smtp:
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
saslauthd and sendmail can be configured to be started at boot time in the standard Gentoo way.
rc-update add saslauthd default
rc-update add sendmail default
RFC 2554 defines SMTP AUTH.
SMTP AUTH in sendmail 8.10-8.12 is the more-or-less official HOWTO page on the subject from sendmail.org.
Several online documents are more complete and include many more details than mine: Falko Timme’s Sendmail-SMTP-AUTH-TLS-Howto, John Fullmer’s How to set up SMTP AUTH, and Rodolfo Paiz’ Sendmail SMTP AUTH HOWTO.
Comments and suggestions about this document are appreciated and can be addressed to the author at <heinlein@madboa.com>.
This article is licensed under a Creative Commons License.