From owner-freebsd-security@FreeBSD.ORG Sat Jul 19 16:51:50 2003
Date: Sat, 19 Jul 2003 18:51:42 -0500
From: Chris Boyd
To: freebsd-security@freebsd.org
Subject: Re: ASMTP setup on 4.8
List-Id: Security issues [members-only posting]

Thanks to Hajimu UMEMOTO, Sergey Dorokhov and Josh Tolbert for helping me get this figured out. What follows is a very terse procedure for getting ASMTP, IMAP and POP over SSL running.

--Chris

See http://puresimplicity.net/~hemi/freebsd/sendmail.html for original procedures.

cd /usr/ports/mail/cclient
make -DWITH_SSL_AND_PLAINTEXT=yes install
cd /usr/ports/mail/imap-uw
make -DWITH_SSL_AND_PLAINTEXT=yes install

Put these in /etc/inetd.conf

imaps stream tcp nowait root /usr/local/libexec/imapd imapd
pop3s stream tcp nowait root /usr/local/libexec/ipop3d ipop3d

kill -HUP

cd /usr/ports/security/cyrus-sasl2
make install
cd /usr/ports/security/cyrus-sasl2-saslauthd/
make install

Add these lines to /etc/rc.conf

########## Start SASLAUTHD and look at local passwds
sasl_saslauthd_enable="YES"
sasl_saslauthd_flags="-a getpwent"

Add these lines to /etc/make.conf

# SASL (cyrus-sasl v2) sendmail build flags...
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
# Adding to enable alternate port (smtps) for sendmail...
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL

Build sendmail from the source tree. (Does /etc/make.conf work if building from ports?)

cd /usr/src/usr.sbin/sendmail
make clean
make depend
make

(My make stopped at

cc: /usr/src/usr.sbin/sendmail/../../lib/libsmutil/libsmutil.a: No such file or directory
cc: /usr/src/usr.sbin/sendmail/../../lib/libsm/libsm.a: No such file or directory

I remedied by doing

cd ../../lib/libsmutil/
make
cd /usr/src/usr.sbin/sendmail
cd ../../lib/libsm
make

and then continuing

cd /usr/src/usr.sbin/sendmail
make
)

make install

Do the SSL cert creation. Don't forget to put the hostname in when it asks for the common name.

mkdir /etc/mail/certs
cd /etc/mail/certs
openssl dsaparam 1024 -out dsa1024.pem
openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout mykey.pem
rm dsa1024.pem
chmod -R 600 /etc/mail/certs/*

Tell sendmail to use saslauthd to check passwords

vi /usr/local/lib/sasl2/Sendmail.conf

and change the line to read

pwcheck_method: saslauthd

Set up sendmail by editing the host's mc file and adding these just above the MAILER(local) line

define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

Rebuild the cf files

make all install restart

Probably ought to do a good reboot about now to make sure everything gets started correctly (mainly saslauthd).
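A post-setup check for the configuration in this mail, added here and not part of the original message: it talks to the two sendmail daemons the mc file defines (Port=smtp with STARTTLS, and Port=smtps with M=s) and reports whether PLAIN or LOGIN is ever advertised before TLS is up, which the mc file as shown does not rule out because it sets no confAUTH_OPTIONS (whose `p` flag confines such mechanisms to encrypted sessions). The host name, ports and the path to mycert.pem are assumed arguments; the self-signed certificate from the procedure only verifies if that file is passed as cafile.

```python
import smtplib
import ssl

# The mc file above enables PLAIN and LOGIN; both send the password in the
# clear unless the session is already protected by TLS.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def advertised_mechs(esmtp_features):
    """SASL mechanisms from an smtplib esmtp_features dict (EHLO 'AUTH PLAIN
    LOGIN' is stored under key 'auth' as ' PLAIN LOGIN'; no AUTH -> no key)."""
    return set(esmtp_features.get("auth", "").split())


def assess(features_before_tls, features_after_tls):
    """Pass only if cleartext mechanisms appear after STARTTLS, never before."""
    offered_in_clear = advertised_mechs(features_before_tls) & CLEARTEXT_MECHS
    offered_under_tls = advertised_mechs(features_after_tls)
    return {
        "cleartext_auth_offered": sorted(offered_in_clear),
        "auth_after_tls": sorted(offered_under_tls),
        "ok": not offered_in_clear and bool(offered_under_tls),
    }


def probe_starttls(host, port=25, cafile=None, timeout=10):
    """EHLO, STARTTLS, EHLO again against the Port=smtp daemon, then assess.
    cafile: mycert.pem from the procedure (assumed path); the self-signed cert
    it produces does not verify against the system CA store without it."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = dict(s.esmtp_features)
        s.starttls(context=ctx)
        s.ehlo()  # features must be re-read after the TLS handshake
        after = dict(s.esmtp_features)
    return assess(before, after)


def probe_smtps(host, port=465, cafile=None, timeout=10):
    """Implicit-TLS check of the Port=smtps, M=s daemon; returns mechanisms."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout) as s:
        s.ehlo()
        return sorted(advertised_mechs(s.esmtp_features))
```

Run `probe_starttls("mail.example.org", cafile="/etc/mail/certs/mycert.pem")` from the host after the reboot; an "ok" of False with a non-empty "cleartext_auth_offered" list means credentials can be sent over port 25 unencrypted.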