UPR HPCf
SmtpAuthAndStartTls

last edited 6 years ago by cheo

Sendmail SMTP AUTH and STARTTLS for secure relaying

This document describes how to set up sendmail with SMTP AUTH and STARTTLS to allow mail users to authenticate against the system password before sending mail. This allows secure relaying from any location and prevents spammers from using your site as an open relay.

Many of the ideas here came from a slide presentation on BSD with SMTP AUTH and STARTTLS:

http://sial.org/talks/smtpauth-starttls/talk.html

The simple way

SMTP AUTH works immediately on Red Hat 7 (and above) systems using the authentication mechanism called CRAM-MD5; all you need to do is set up username/password combinations in /etc/sasldb using

/usr/sbin/saslpasswd -a Sendmail -u hpcf.upr.edu -c humberto

Then set up the mail client to use SMTP AUTH with the username humberto@hpcf.upr.edu and the password you entered. The "realm" is the @domain part. Your users do not need an account on the mail server, but they have no way of changing their SMTP passwords (these are stored only in /etc/sasldb).

Here is a log of mail sent using this authentication.

Connecting to SMTP server: gimel.hpcf.upr.edu ...
SMTP< 220 gimel.hpcf.upr.edu ESMTP Sendmail 8.11.6/8.11.6; Fri, 24 May 2002 11:44:42 -0400
ESMTP> EHLO gimel
ESMTP< 250-gimel.hpcf.upr.edu Hello gimel.hpcf.upr.edu [136.145.54.138], pleased to meet you
ESMTP< 250-ENHANCEDSTATUSCODES
ESMTP< 250-8BITMIME
ESMTP< 250-SIZE
ESMTP< 250-DSN
ESMTP< 250-ONEX
ESMTP< 250-ETRN
ESMTP< 250-XUSR
ESMTP< 250-AUTH DIGEST-MD5 CRAM-MD5
ESMTP< 250 HELP
ESMTP> AUTH CRAM-MD5
ESMTP< 334 PDIxODAwNDI3MDUuMTU2MjIxODJAZ2ltZWwuaHBjZi51cHIuZWR1Pg==
ESMTP< Decoded: <2180042705.15622182@gimel.hpcf.upr.edu>
ESMTP> Encoded humberto@hpcf.upr.edu c98145fe7e582c4a4fac978408269a46
ESMTP> aHVtYmVydG9AaHBjZi51cHIuZWR1IGM5ODE0NWZlN2U1ODJjNGE0ZmFjOTc4NDA4MjY5YTQ2
ESMTP< 235 2.0.0 OK Authenticated
SMTP> MAIL FROM: 
SMTP< 250 2.1.0 ... Sender ok
SMTP> RCPT TO: 
SMTP< 250 2.1.5 ... Recipient ok
SMTP> DATA
SMTP< 354 Enter mail, end with "." on a line by itself
SMTP> . (EOM)
SMTP< 250 2.0.0 g4OFigC02272 Message accepted for delivery
SMTP> QUIT
SMTP< 221 2.0.0 gimel.hpcf.upr.edu closing connection
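The CRAM-MD5 exchange in the log above, worked through in code. This is an added example, not part of the original page or of sendmail/Cyrus SASL: the challenge and the client's reply are copied from the log, the password "example-secret" and the dictionary standing in for /etc/sasldb are constructed (the real password behind the log is unknown), and `verify_cram_md5` is an illustrative server-side check, not sendmail's own code.

```python
import base64
import hashlib
import hmac

# Values taken from the log above (the server's challenge and the client's reply).
PAGE_CHALLENGE_B64 = "PDIxODAwNDI3MDUuMTU2MjIxODJAZ2ltZWwuaHBjZi51cHIuZWR1Pg=="
PAGE_RESPONSE_B64 = ("aHVtYmVydG9AaHBjZi51cHIuZWR1IGM5ODE0NWZlN2U1ODJjNGE0ZmFj"
                     "OTc4NDA4MjY5YTQ2")


def decode_challenge(challenge_b64: str) -> str:
    """The 334 reply carries the server's one-time challenge, base64-encoded."""
    return base64.b64decode(challenge_b64).decode("ascii")


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 keyed with the password over the raw challenge,
    sent as 'username <hexdigest>', base64-encoded. The password itself never
    goes on the wire, which is why CRAM-MD5 is usable without TLS."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode("ascii")


def parse_response(response_b64: str):
    """Split the client's reply into (username, hexdigest)."""
    user, digest = base64.b64decode(response_b64).decode("ascii").split(" ", 1)
    return user, digest


def verify_cram_md5(response_b64: str, challenge: str, lookup_secret) -> bool:
    """Server side (illustrative, not sendmail's code): the server must hold the
    shared secret in recoverable form, which is what /etc/sasldb stores, then
    recompute the HMAC and compare in constant time. A malformed reply or an
    unknown user fails closed."""
    try:
        user, digest = parse_response(response_b64)
    except (ValueError, UnicodeDecodeError):
        return False
    secret = lookup_secret(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    challenge = decode_challenge(PAGE_CHALLENGE_B64)
    print("challenge:", challenge)
    sasldb = {"humberto@hpcf.upr.edu": "example-secret"}  # constructed stand-in
    reply = cram_md5_response("humberto@hpcf.upr.edu", "example-secret", challenge)
    print("verified:", verify_cram_md5(reply, challenge, sasldb.get))
```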

Using system passwords and SSL

As an alternative that allows users to use their regular system password (i.e., the same one they use to telnet, ftp, pop, or imap their mail), we can also use PLAIN/LOGIN and PAM authentication if we change sendmail.cf. PAM allows authentication via a number of mechanisms, including the /etc/passwd file, NIS, LDAP, Windows servers (Active Directory), and databases. Our installation uses the system passwords on our mail server.

Install the sendmail-cf package, copy /usr/share/sendmail-cf/cf/redhat.mc to a new file, then edit it and uncomment the following lines:

define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Generate a new sendmail.cf and install it. Authenticating sendmail against PAM sends the password in plain text, so set up STARTTLS support at the same time as PAM if you don't want your users' passwords to cross the network unencrypted.

Redhat doesn't include STARTTLS support; I found RPMs for sendmail and sfio-1999 in the doors 3.2 distribution:

http://www.megaloman.com/~hany/RPM/SByName.html

HPCf users can get sfio and a patched sendmail from

http://hpcfinfo.hpcf.upr.edu/sendmail/

Install or build these RPMs, then add the following lines to the mc file before generating sendmail.cf:

define(`CERT_DIR', `/etc/mail/certs')
define(`confCACERT', `CERT_DIR/cacert.pem')
define(`confCACERT_PATH', `CERT_DIR/CA')
define(`confSERVER_CERT', `CERT_DIR/host.cert')
define(`confSERVER_KEY', `CERT_DIR/host.key')
define(`confCLIENT_CERT', `CERT_DIR/host.cert')
define(`confCLIENT_KEY', `CERT_DIR/host.key')

You will need to download the root ca certs file into cacert.pem, and set up a host.cert and host.key file for your machine.

The cacert.pem can be downloaded from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/ports-stable/security/ca-roots/files/ca-root.crt

HPCf users can see SslCertificates for instructions on getting a certificate signed by our CA. The tail end of that page contains the instructions for creating mail's host.cert and host.key. These host files must use the machine's full hostname as the Common Name (CN) of the certificate in order for SSL to work reliably.

Those files and the /etc/mail/certs directory must not be group writable or readable, or sendmail will refuse to load them.

After generating the new sendmail.cf file, restart sendmail. Verify that there are no errors in the log files.

Here's a log of sending TLS/AUTH mail through a machine with no relaying allowed.

SMTP< 220 gimel.hpcf.upr.edu ESMTP Sendmail 8.11.6/8.11.6; Fri, 24 May 2002 15:44:17 -0400
ESMTP> EHLO gimel
ESMTP< 250-gimel.hpcf.upr.edu Hello gimel.hpcf.upr.edu [136.145.54.138], pleased to meet you
ESMTP< 250-ENHANCEDSTATUSCODES
ESMTP< 250-8BITMIME
ESMTP< 250-SIZE
ESMTP< 250-DSN
ESMTP< 250-ONEX
ESMTP< 250-ETRN
ESMTP< 250-XUSR
ESMTP< 250-AUTH LOGIN PLAIN
ESMTP< 250-STARTTLS
ESMTP< 250 HELP
ESMTP> STARTTLS
ESMTP< 220 2.0.0 Ready to start TLS
SSL connection using EDH-RSA-DES-CBC3-SHA
Server certificate:
  Subject: /C=PR/ST=Puerto Rico/L=San Juan/O=UPR HPCf/CN=gimel.hpcf.upr.edu/Email=root@hpcf.upr.edu
  Issuer: /C=PR/ST=Puerto Rico/L=San Juan/O=HPCf/OU=HPCf CA/CN=HPCf Admins/Email=root@hpcf.upr.edu
ESMTP> EHLO gimel
ESMTP< 250-gimel.hpcf.upr.edu Hello gimel.hpcf.upr.edu [136.145.54.138], pleased to meet you
ESMTP< 250-ENHANCEDSTATUSCODES
ESMTP< 250-8BITMIME
ESMTP< 250-SIZE
ESMTP< 250-DSN
ESMTP< 250-ONEX
ESMTP< 250-ETRN
ESMTP< 250-XUSR
ESMTP< 250-AUTH LOGIN PLAIN
ESMTP< 250 HELP
ESMTP> AUTH CRAM-MD5
ESMTP< 503 5.3.3 AUTH mechanism CRAM-MD5 not available
ESMTP> AUTH LOGIN
ESMTP< 334 VXNlcm5hbWU6
ESMTP> USERID
ESMTP< 334 UGFzc3dvcmQ6
ESMTP> PASSWORD
ESMTP< 235 2.0.0 OK Authenticated
SMTP> MAIL FROM: 
SMTP< 250 2.1.0 ... Sender ok
SMTP> RCPT TO: 
SMTP< 250 2.1.5 ... Recipient ok
SMTP> RCPT TO: 
SMTP< 250 2.1.5 ... Recipient ok
SMTP> DATA
SMTP< 354 Enter mail, end with "." on a line by itself
SMTP> . (EOM)
SMTP< 250 2.0.0 g4OJiHb07126 Message accepted for delivery
SMTP> QUIT
SMTP< 221 2.0.0 gimel.hpcf.upr.edu closing connection
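The point of the two logs, as a client-side check: LOGIN and PLAIN only base64-encode the password, so they are acceptable only once STARTTLS has succeeded, while CRAM-MD5 and DIGEST-MD5 are fine on a cleartext session. This is an added example, not code from the original page or from sendmail; the EHLO lines are copied from the logs above, and the `next_step` policy is my own illustration of the rule the text states.

```python
import base64

# EHLO replies copied from the two logs on this page (relevant lines only).
EHLO_BEFORE_TLS = [
    "250-gimel.hpcf.upr.edu Hello gimel.hpcf.upr.edu [136.145.54.138], pleased to meet you",
    "250-AUTH LOGIN PLAIN",
    "250-STARTTLS",
    "250 HELP",
]
EHLO_SASLDB = ["250-AUTH DIGEST-MD5 CRAM-MD5", "250 HELP"]

# Mechanisms that never send the password itself.
CHALLENGE_RESPONSE = {"CRAM-MD5", "DIGEST-MD5"}


def parse_ehlo(lines):
    """Return (set of AUTH mechanisms offered, whether STARTTLS is offered)."""
    mechs, starttls = set(), False
    for line in lines:
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword = line[4:].strip()
        if keyword.upper().startswith("AUTH "):
            mechs.update(m.upper() for m in keyword[5:].split())
        elif keyword.upper() == "STARTTLS":
            starttls = True
    return mechs, starttls


def usable_mechanisms(lines, tls_active):
    """Client policy matching the page's advice: LOGIN and PLAIN only after
    STARTTLS has succeeded; challenge-response mechanisms are fine either way."""
    mechs, _ = parse_ehlo(lines)
    if tls_active:
        return mechs
    return mechs & CHALLENGE_RESPONSE


def next_step(lines, tls_active):
    """What a careful client should do with this EHLO reply (illustrative policy)."""
    mechs, starttls = parse_ehlo(lines)
    if usable_mechanisms(lines, tls_active):
        return "AUTH"
    if starttls and not tls_active:
        return "STARTTLS"
    return "ABORT"  # only cleartext mechanisms and no way to encrypt


def decode_login_prompt(b64):
    """AUTH LOGIN prompts (and the client's answers) are plain base64, so on an
    unencrypted session the password is readable to anyone on the path."""
    return base64.b64decode(b64).decode("ascii")
```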

You can now set up your email clients to use SMTP AUTH and STARTTLS.

-- Main.HumbertoOrtiz - 24 May 2002
