From: Matthew Seaman
Organization: Infracaninophile
Date: Thu, 13 Mar 2008 01:43:11 +0000
To: Derek Ragona
Message-ID: <47D886AF.1010207@infracaninophile.co.uk>
Cc: Doug Poland, questions@freebsd.org
Subject: Re: Best practice: sendmail and SMTP auth
List-Id: User questions (freebsd-questions@freebsd.org)

Derek Ragona wrote:
> At 02:19 PM 3/12/2008, Doug Poland wrote:
>> Hello,
>>
>> Not sure if this is the most appropriate place for this question, but
>> since all my servers are FreeBSD 6.x/7.x, I'll give it a go...
>>
>> I am considering setting up SMTP auth on a number of sendmail
>> instances that I control. After much googling and reading, it is not
>> clear to me that a server with SMTP auth configured/enabled can relay
>> mail in both auth and non-auth modes.
>>
>> If one sendmail configuration cannot accommodate both SMTP auth and
>> access.db, does one set up a dedicated SMTP auth host with a SMART_HOST=
>> option and feed incoming email to a non-auth instance of sendmail?
>>
>> Sorry if my terminology is ambiguous, I'm not a sendmail professional
>> by day.
>
> You can set up sendmail to do both auth and non-auth. However, best
> practice is to use auth only to control any spam relaying. Check the
> sendmail.org website FAQs for setting this up. You will probably want
> to use the cyrus-sasl or cyrus-sasl2 ports along with sendmail.

A good solution to this is to use port 587 for authenticated new mail
submission and leave port 25 for the normal MTA-MTA type of (not
authenticated) traffic.

Firstly, to enable authentication you need to compile sendmail against
cyrus SASL2 (don't bother with SASL1 -- it's legacy only).
Now, you can either do that by installing sendmail from ports, or you
can install the cyrus-sasl port and then make the base system sendmail
link against it by adding this to /etc/make.conf:

SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+= -L/usr/local/lib
SENDMAIL_LDADD+= -lsasl2

I also like to use these two so that any milters etc. I build from ports
interoperate with the base system sendmail.

SENDMAIL_MILTER_IN_BASE= yes
WITH_SENDMAIL_BASE= yes

In order to do SMTP AUTH most effectively, you should enable STARTSSL
support -- I always feel better knowing that passwords are sent over an
encrypted connection.

This is a guide to what you need in your $(hostname).mc to add STARTSSL
with AUTH /required/ on mail submitted via port 587, but not provided
on port 25:

first: turn off the default MSA setup, which we'll provide our own
settings for later:

FEATURE(no_default_msa)dnl ## overridden with DAEMON_OPTIONS below

[...]

second: basic configuration for SMTP AUTH -- what mechanisms are
supported. Note that LOGIN should only ever be allowed over encrypted
connections as it sends passwords in plain text. You can also
authenticate by using SSL certificates but that is handled directly by
sendmail and you don't need to list EXTERNAL as a SASL mechanism.

dnl ## Set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_REALM', `your.domain.name')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl

[...]

thirdly: insert the IP numbers of your servers into the following rules
-- if you don't use IPv6 you can omit the lines for the external
address, but you'll find things seem to work rather smoother if you
keep the ::1 entries.
The M=E flag says 'disable ETRN' and the M=Ea flag says 'require
authentication (and disable ETRN)'. M=A means 'don't offer
authentication here'. Note that I'm only requiring authentication on
the external interfaces so I implicitly trust myself to submit e-mails
via localhost:587 without it. Your requirements may differ. See
http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html
for an explanation of the capabilities of DAEMON_OPTIONS:

dnl
dnl Where the sendmail daemon should listen
dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=12.34.56.78, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=127.0.0.1, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv6, Addr=::1, M=A, Family=inet6')dnl
DAEMON_OPTIONS(`Name=IPv6, Addr=2000:aa:bb:cc::1, M=A, Family=inet6')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=12.34.56.78, Port=587, M=Ea')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=127.0.0.1, Port=587, M=E')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=2000:aa:bb:cc::1, Port=587, M=Ea, Family=inet6')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=::1, Port=587, M=E, Family=inet6')dnl

fourthly: enable SSL capabilities in sendmail. See
http://aput.net/~jheiss/sendmail/tlsandrelay.shtml for a good article
on configuring this stuff (although ignore the section on compiling
sendmail: you get that automatically built into the base system
sendmail already)

dnl
dnl TLS stuff
dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

fifthly: there is no fifthly -- you're done. Build a sendmail.cf and
test that it all works.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
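An added example, not part of the thread above: a small Python check for the "test that it all works" step, which reads a listener's EHLO reply and flags departures from the split described (port 25 with M=A offers no AUTH; port 587 with M=Ea offers STARTTLS, no ETRN, and no LOGIN/PLAIN before the connection is encrypted). The sample EHLO replies are constructed, not captured from a real sendmail, and the host name in probe() is a placeholder.

```python
import smtplib

PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}  # expose the password unless the session is already inside TLS

# Constructed EHLO replies shaped like sendmail's output (not captured from a real host).
SAMPLE_25 = "mx.example.org Hello [192.0.2.10], pleased to meet you\nPIPELINING\n8BITMIME\nETRN\nHELP"
SAMPLE_587 = "mx.example.org Hello [192.0.2.10], pleased to meet you\nSTARTTLS\nAUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN\nHELP"


def parse_ehlo(ehlo_text):
    """Map an EHLO reply ("KEYWORD arg ...", one per line) to {KEYWORD: [ARGS]}, dropping the greeting line."""
    caps = {}
    for line in ehlo_text.splitlines()[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [a.upper() for a in parts[1:]]
    return caps


def check_policy(port, caps_plain, caps_tls=None):
    """Compare advertised capabilities with the intended split; return a list of findings (empty = OK)."""
    findings = []
    if port == 25:  # M=A: MTA-to-MTA traffic, authentication must not be offered at all
        if "AUTH" in caps_plain:
            findings.append("port 25 advertises AUTH; expected M=A (no authentication) here")
        return findings
    # Submission port, M=Ea: STARTTLS available, ETRN disabled, no cleartext mechanisms before TLS
    if "STARTTLS" not in caps_plain:
        findings.append("port %d does not offer STARTTLS" % port)
    if "ETRN" in caps_plain:
        findings.append("port %d still advertises ETRN; expected M=E to disable it" % port)
    leaked = set(caps_plain.get("AUTH", [])) & PLAINTEXT_MECHS
    if leaked:
        findings.append("cleartext mechanisms offered before STARTTLS: " + ", ".join(sorted(leaked)))
    if caps_tls is not None and "AUTH" not in caps_tls:
        findings.append("no AUTH advertised after STARTTLS on port %d" % port)
    return findings


def probe(host, port):
    """Live check against a real listener: EHLO, then STARTTLS and a second EHLO on the submission port."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        caps_plain = parse_ehlo(smtp.ehlo()[1].decode(errors="replace"))
        caps_tls = None
        if port != 25 and "STARTTLS" in caps_plain:
            smtp.starttls()
            caps_tls = parse_ehlo(smtp.ehlo()[1].decode(errors="replace"))
    return check_policy(port, caps_plain, caps_tls)


if __name__ == "__main__":
    print(check_policy(25, parse_ehlo(SAMPLE_25)))   # no findings for the constructed port-25 reply
    print(check_policy(587, parse_ehlo(SAMPLE_587)))  # flags LOGIN offered before STARTTLS
```

Replace the two constructed samples with probe("mail.example.org", 25) and probe("mail.example.org", 587) (your own host) to run it against a live configuration.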