From owner-freebsd-questions@FreeBSD.ORG Thu Mar 13 12:10:41 2008
Date: Thu, 13 Mar 2008 07:10:31 -0500
From: Doug Poland
To: Matthew Seaman
Cc: Doug Poland, questions@freebsd.org, Derek Ragona
Subject: Re: Best practice: sendmail and SMTP auth
Message-ID: <20080313121031.GA35591@polands.org>
In-Reply-To: <47D886AF.1010207@infracaninophile.co.uk>
References: <9587.208.49.58.254.1205349581.squirrel@email.polands.org>
 <6.0.0.22.2.20080312190519.0255f878@mail.computinginnovations.com>
 <47D886AF.1010207@infracaninophile.co.uk>
User-Agent: Mutt/1.5.11
X-BeenThere: freebsd-questions@freebsd.org
List-Id: User questions

On Thu, Mar 13, 2008 at 01:43:11AM +0000, Matthew Seaman wrote:
> Derek Ragona wrote:
> >At 02:19 PM 3/12/2008, Doug Poland wrote:
> >>Hello,
> >>
> >>Not sure if this is the most appropriate place for this question,
> >>but since all my servers are FreeBSD 6.x/7.x, I'll give it a go...
> >>
> >>I am considering setting up SMTP auth on a number of sendmail
> >>instances that I control. After much googling and reading, it is
> >>not clear to me that a server with SMTP auth configured/enabled can
> >>relay mail in both auth and non-auth modes.
> >>
> >>If one sendmail configuration cannot accommodate both SMTP auth and
> >>access.db, does one set up a dedicated SMTP auth host with a
> >>SMART_HOST option and feed incoming email to a non-auth instance of
> >>sendmail?
> >>
> >>Sorry if my terminology is ambiguous, I'm not a sendmail
> >>professional by day.
>
> >You can set up sendmail to do both auth and non-auth. However, best
> >practice is to use auth only to control any spam relaying. Check the
> >sendmail.org website FAQs for setting this up. You will probably want
> >to use the cyrus-sasl or cyrus-sasl2 ports along with sendmail.
>
> A good solution to this is to use port 587 for authenticated new mail
> submission and leave port 25 for the normal MTA-MTA type of (not
> authenticated) traffic. Firstly, to enable authentication you need to
> compile sendmail against cyrus SASL2 (don't bother with SASL1 -- it's
> legacy only).
> Now, you can either do that by installing sendmail from
> ports, or you can install the cyrus-sasl port and then make the base
> system sendmail link against it by adding this to /etc/make.conf:
>
> SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
> SENDMAIL_LDFLAGS+= -L/usr/local/lib
> SENDMAIL_LDADD+= -lsasl2
>
> I also like to use these two so that any milters etc. I build from
> ports interoperate with the base system sendmail.
>
> SENDMAIL_MILTER_IN_BASE= yes
> WITH_SENDMAIL_BASE= yes
>
> In order to do SMTP AUTH most effectively, you should enable STARTSSL
> support -- I always feel better knowing that passwords are sent over an
> encrypted connection. This is a guide to what you need in your
> $(hostname).mc to add STARTSSL with AUTH /required/ on mail submitted
> via port 587, but not provided on port 25:
>
> first: turn off the default MSA setup, which we'll provide our own
> settings for later:
>
> FEATURE(no_default_msa)dnl ## overridden with DAEMON_OPTIONS below
>
> [...]
>
> second: basic configuration for SMTP AUTH -- what mechanisms are
> supported. Note that LOGIN should only ever be allowed over encrypted
> connections as it sends passwords in plain text. You can also
> authenticate by using SSL certificates, but that is handled directly by
> sendmail and you don't need to list EXTERNAL as a SASL mechanism.
>
> dnl ## Set SASL options
> TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confAUTH_REALM', `your.domain.name')dnl
> define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
>
> [...]
>
> thirdly: insert the IP numbers of your servers into the following
> rules -- if you don't use IPv6 you can omit the lines for the external
> address, but you'll find things seem to work rather smoother if you
> keep the ::1 entries.
>
> The M=E flag says 'disable ETRN' and the M=Ea flag says 'require
> authentication (and disable ETRN)'. M=A means 'don't offer
> authentication here'. Note that I'm only requiring authentication on
> the external interfaces, so I implicitly trust myself
> to submit e-mails via localhost:587 without it. Your requirements may
> differ. See
> http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html
> for an explanation of the capabilities of DAEMON_OPTIONS:
>
> dnl
> dnl Where the sendmail daemon should listen
> dnl
> DAEMON_OPTIONS(`Name=IPv4, Addr=12.34.56.78, M=A, Family=inet')dnl
> DAEMON_OPTIONS(`Name=IPv4, Addr=127.0.0.1, M=A, Family=inet')dnl
> DAEMON_OPTIONS(`Name=IPv6, Addr=::1, M=A, Family=inet6')dnl
> DAEMON_OPTIONS(`Name=IPv6, Addr=2000:aa:bb:cc::1, M=A, Family=inet6')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=12.34.56.78, Port=587, M=Ea')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=127.0.0.1, Port=587, M=E')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=2000:aa:bb:cc::1, Port=587, M=Ea, Family=inet6')dnl
> DAEMON_OPTIONS(`Name=MSA, Addr=::1, Port=587, M=E, Family=inet6')dnl
>
> fourthly: enable SSL capabilities in sendmail. See
> http://aput.net/~jheiss/sendmail/tlsandrelay.shtml for a good article
> on configuring this stuff (although ignore the section on compiling
> sendmail: you get that automatically built into the base system
> sendmail already)
>
> dnl
> dnl TLS stuff
> dnl
> define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
> define(`confCACERT_PATH', `CERT_DIR')dnl
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
>
> fifthly: there is no fifthly -- you're done. Build a sendmail.cf and
> test that it all works.
>
> Cheers,
> Matthew
>
Thank you very much for that comprehensive explanation.

-- 
Regards,
Doug
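The reply above describes a split-port policy (no AUTH on port 25, AUTH required on 587, LOGIN only once the connection is encrypted) but shows no way to confirm that the built sendmail.cf actually enforces it. The script below is an added example, written for this page rather than taken from the thread or from sendmail; it parses the capability list a server returns to EHLO and reports where the advertised AUTH mechanisms deviate from that policy. One point it checks that the quoted .mc does not cover: with LOGIN in confAUTH_MECHANISMS and no confAUTH_OPTIONS set, sendmail advertises LOGIN before STARTTLS, in the clear; the `p' flag of confAUTH_OPTIONS withholds PLAIN and LOGIN until a security layer is active. The hostnames, addresses and EHLO transcripts are constructed for the example; the probe() helper, which needs a network, is included for running the same check against a real host.

```python
"""Policy check for a split-port sendmail SMTP AUTH setup:
port 25 (MTA-to-MTA, M=A) must offer no AUTH; port 587 (MSA, M=Ea) must
offer STARTTLS, must offer AUTH once TLS is up, and must not offer the
plaintext-password mechanisms PLAIN/LOGIN before it.
Hostnames, addresses and transcripts below are constructed, not captured.
"""
import smtplib
import ssl

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(response: str) -> dict:
    """Parse EHLO response lines into {KEYWORD: [params]}.

    Accepts raw wire lines ("250-STARTTLS") and the stripped lines that
    smtplib's SMTP.ehlo() returns ("STARTTLS").  The first line is the
    server greeting, not a capability, and is skipped.
    """
    caps = {}
    lines = [ln.strip() for ln in response.splitlines() if ln.strip()]
    for line in lines[1:]:
        if line.startswith("250") and len(line) >= 4 and line[3] in "- ":
            line = line[4:].strip()          # drop the "250-" / "250 " prefix
        if not line:
            continue
        parts = line.split()
        caps.setdefault(parts[0].upper(), []).extend(parts[1:])
    return caps


def auth_mechs(caps: dict) -> set:
    """Mechanisms advertised under the AUTH keyword, upper-cased."""
    return {m.upper() for m in caps.get("AUTH", [])}


def check_policy(port: int, tls_active: bool, caps: dict) -> list:
    """Return the policy violations for one EHLO exchange ([] means OK)."""
    mechs = auth_mechs(caps)
    problems = []
    if port == 25:
        if mechs:
            problems.append("port 25 advertises AUTH %s; the MTA listener "
                            "should carry M=A" % sorted(mechs))
    elif port == 587:
        if not tls_active:
            if "STARTTLS" not in caps:
                problems.append("port 587 does not advertise STARTTLS")
            leaked = mechs & PLAINTEXT_MECHS
            if leaked:
                problems.append("port 587 offers %s before STARTTLS; add "
                                "define(`confAUTH_OPTIONS', `A p')dnl so "
                                "PLAIN/LOGIN wait for a security layer"
                                % sorted(leaked))
        elif not mechs:
            problems.append("port 587 offers no AUTH after STARTTLS; "
                            "submission should require it (M=Ea)")
    else:
        problems.append("no policy defined for port %d" % port)
    return problems


def probe(host: str, port: int, timeout: float = 10.0) -> tuple:
    """Live check (needs network, not used by the constructed transcripts):
    return (caps_before_tls, caps_after_tls); the latter is None when the
    server offers no STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        _, msg = conn.ehlo()
        before = parse_ehlo(msg.decode("ascii", "replace"))
        after = None
        if "STARTTLS" in before:
            conn.starttls(context=ssl.create_default_context())
            _, msg = conn.ehlo()
            after = parse_ehlo(msg.decode("ascii", "replace"))
    return before, after


# Constructed transcripts modelling the quoted .mc (hostnames are made up).
GREETING = "250-mail.example.org Hello client.example.net [192.0.2.10], pleased to meet you"
COMMON = ["250-ENHANCEDSTATUSCODES", "250-PIPELINING", "250-8BITMIME"]
EHLO_PORT25 = "\n".join([GREETING] + COMMON + ["250-STARTTLS", "250 HELP"])
# LOGIN listed in confAUTH_MECHANISMS, no confAUTH_OPTIONS: offered in the clear.
EHLO_587_WEAK = "\n".join([GREETING] + COMMON + [
    "250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN", "250-STARTTLS", "250 HELP"])
# Same server with define(`confAUTH_OPTIONS', `A p')dnl: LOGIN withheld until TLS.
EHLO_587_HARDENED = "\n".join([GREETING] + COMMON + [
    "250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5", "250-STARTTLS", "250 HELP"])
# After STARTTLS on 587 the full list, LOGIN included, is offered.
EHLO_587_TLS = "\n".join([GREETING] + COMMON + [
    "250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN", "250 HELP"])


def audit_constructed() -> dict:
    """Run the policy over the constructed transcripts: {label: problems}."""
    return {
        "25": check_policy(25, False, parse_ehlo(EHLO_PORT25)),
        "587-weak": check_policy(587, False, parse_ehlo(EHLO_587_WEAK)),
        "587-hardened": check_policy(587, False, parse_ehlo(EHLO_587_HARDENED)),
        "587-tls": check_policy(587, True, parse_ehlo(EHLO_587_TLS)),
    }


if __name__ == "__main__":
    for label, problems in audit_constructed().items():
        print(label, "OK" if not problems else "; ".join(problems))
```

Against a real host, probe(host, 25) and probe(host, 587) give the same two capability dictionaries the constructed transcripts stand in for; the manual equivalent is `openssl s_client -starttls smtp -connect host:587` followed by an EHLO, compared with a plain `telnet host 587`. Only the "587-weak" transcript fails here, which is the configuration the thread's .mc produces unless confAUTH_OPTIONS is added.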