...making Linux just a little more fun!

<-- prev | next -->

Sendmail AUTH/STARTTLS

By David Lechnyr

Sendmail has two little-used options that are great for security and access control. This is commonly referred to as AUTH/STARTTLS. With AUTH support, you can require that all SMTP traffic must log in first with a valid username and password; those that do can also be allowed to relay (great for laptops with random/mobile IP-addresses). With STARTTLS support, all SMTP traffic can be SSL-encrypted. To access these features, you'll need to download and install OpenSSL, Cyrus SASL, and Sendmail.

OpenSSL

Download OpenSSL from http://www.openssl.org/source/ and run:

$ ./config --prefix=/usr --openssldir=/etc/ssl shared
$ make
$ make test
# make install
# strip /usr/bin/openssl /usr/lib/libcrypto.a /usr/lib/libssl.a
# cp -fa /etc/ssl/man /usr && rm -rf /etc/ssl/man
# ldconfig -v

Cyrus SASL

Download Cyrus SASL 1.5.28 from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/. At present, Cyrus SASL 2.1.15 appears to have problems with Sendmail 8.12.10, however reports are mixed.

$ tar xzf cyrus-sasl-1.5.28.tar.gz
$ cd cyrus-sasl-1.5.28
$ ./configure --prefix=/usr --enable-login
$ make
# make install
# echo "/usr/lib/sasl" >> /etc/ld.so.conf
# ldconfig -v

Next, create the AUTH configuration file that Sendmail will look for. It should reside in /usr/lib/sasl/Sendmail.conf (note the uppercase "S" in the filename):

pwcheck_method: shadow

Sendmail

Download Sendmail 8.12.10 from http://www.sendmail.org and unpack the archive:

$ tar xzf sendmail.8.12.10.tar.gz
$ cd sendmail-8.12.10/devtools/Site

Create the file devtools/Site/site.config.m4 with the following contents:

APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL -DSTARTTLS')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl -lssl -lcrypto')

Then, from the main directory of the archive, run the standard build command with the '-c' switch, which essentially tells Sendmail to re-read any configuration changes we've made:

$ cd ../..
$ sh Build -c

$ cd cf/cf

Before we can continue, we need to create our Sendmail configuration file in cf/cf/sendmail.mc -- everyone's is different; adjust it to fit your specific circumstance. The required items for AUTH are in red; those for STARTTLS are in blue:

VERSIONID(`Sample Sendmail AUTH/STARTTLS configuration file')dnl
OSTYPE(linux)dnl
DOMAIN(generic)dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `PLAIN')dnl
TRUST_AUTH_MECH(`PLAIN')dnl

define(`confCACERT_PATH', `/etc/ssl/certs')dnl
define(`confCACERT', `/etc/ssl/certs/certificate-authority.crt')dnl
define(`confSERVER_CERT', `/etc/ssl/certs/server.crt')dnl
define(`confSERVER_KEY', `/etc/ssl/certs/server.key')dnl

define(`confPRIVACY_FLAGS', `goaway')dnl
MAILER(local)dnl
MAILER(smtp)dnl

We can't use cram-md5 or digest-md5 as it's tricky (if not impossible) to get them to work. Which is why we also use STARTTLS to make sure that our plain-text password is encrypted during the AUTH transaction.

Once done, you can generate the final configuration files and then install the Sendmail binary:

$ sh Build sendmail.cf
# mkdir -p /etc/mail
# sh Build install-cf
# cd ../..
# sh Build install

Install Your Certificates

If you haven't yet purchased your certificates, from personal experience I can recommend Thawte. If you'd like to have additional information in detail regarding certificates and keys, or if you'd rather generate your own, please see http://hr.uoregon.edu/davidrl/lamp.html#CERTIFICATES and http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24.

The bottom line is that you'll need three files:

  1. /etc/ssl/certs/server.crt -- This is your server's SSL certificate (chmod 400)
  2. /etc/ssl/certs/server.key -- This is your server's SSL private key (chmod 400)
  3. /etc/ssl/certs/certificate-authority.crt -- This is the root certificate from your issuing certificate authority; for example, Thawte's is available here.

Bringing it all together

Go ahead and start up your Sendmail daemon:

# /usr/sbin/sendmail -L sm-mta -bd -q30m
# /usr/sbin/sendmail -L sm-msp-queue -Ac -q30m

Testing

Nothing's ever good without a test. On your mail server, run the following commands, which are in bold:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.fluffygerbils.net ESMTP Sendmail 8.12.10/8.12.10; Tue, 23 Sep 2003 12:16:07 -0700
ehlo localhost
250-mail.fluffygerbils.net Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP

It's the presence of the AUTH PLAIN and STARTTLS statements that should make you feel that your time was well spent ;-)

Now, let's compare a non-AUTH/STARTTLS transaction to our new transaction:

Regular SMTP Transaction

E..<..@[email protected]\....e...........................xVo.....E..<..@[email protected]\..3.
.......be.......................xVo.....E..4..@.@..'..3...2\....e......c........
....xVo.....E..[b.@[email protected]\..3........ce........P..........xVo.220.Sendmail.ESM
TP.-.Is.It.Not.Nifty?..E..I..@[email protected]\....e...................xVo.....EHLO.
hr.uoregon.edu..E..4b.@[email protected](..2\..3.........e..(................xVo.E...b.@[email protected]\
..2\..3.........e..(....H...........xVo.250-hr.uoregon.edu.Hello.[128.223.51.169
],.pleased.to.meet.you..250-ENHANCEDSTATUSCODES..250-PIPELINING..250-8BITMIME..2
50-SIZE..250-DSN..250-ETRN..250-AUTH.PLAIN..250-STARTTLS..250-DELIVERBY..250.HEL
P..E..V..@[email protected]\....e..(...U.....X......xVo.....MAIL.FROM:<[email protected]
on.edu>..E..cb.@[email protected]\..3........Ue..J...../..........xVo.250.2.1.0.<david@hr
.uoregon.edu>....Sender.ok..E..T..@[email protected]\[email protected].....
RCPT.TO:<[email protected]>..E..fb.@[email protected]\..3.........e..j.....W..........
xVo.250.2.1.5.<[email protected]>....Recipient.ok..E..4./@[email protected]\....e.
.j.........a......xVo.....E..:.A@[email protected]\....e..j................xVo.....DA
TA..E..fb.@[email protected]\..3.........e..p................xVo.354.Enter.mail,.end.with
.".".on.a.line.by.itself..E....B@[email protected]\....e..p................xVo.....Da
te:.Tue,.30.Sep.2003.09:44:07.-0700..Mime-Version:.1.0.(Apple.Message.framework.
v552)..Content-Type:.text/plain;.charset=US-ASCII;.format=flowed..Subject:.Linus
.Torvalds,.on.releasing.1.3.27..From:.David.Lechnyr.<[email protected]>..To:.
[email protected]:.7bit..Message-Id:.<4EED6E4A-F36
[email protected]>..X-Mailer:.Apple.Mail.(2.552)....Eh,.th
at's.it,.I.guess...No.300.million.dollar.unveiling.event.for.this..kernel,.I'm.a
fraid,.but.you're.still.supposed.to.think.of.this.as.the.."happening.of.the.cent
ury".(at.least.until.the.next.kernel.comes.along)...Oh,.and.this.is.another.kern
el.in.that.great.and.venerable."BugFree(tm)"..series.of.kernels..So.be.not.afrai
d.of.bugs,.but.go.out.in.the.streets..and.deliver.this.message.of.joy.to.the.mas
ses............--.Linus.Torvalds,.on.releasing.1.3.27....E..4b.@[email protected]#..2\..3....
.....e...................xVo.E..7.C@[email protected]\....e...........ml......xVo....
....E..4b.@[email protected]"..2\..3.........e...................xVo.E..lb.@[email protected]\..3.....
....e.......D...........xVo.250.2.0.0.h8UGi6WP012112.Message.accepted.for.delive
ry..E..4..@[email protected]\....e............?......xVo.....E..:..@[email protected]\....
e............}......xVo.....QUIT..E..4b.@[email protected]\..3.........e........u........
..xVo.E..ab.@[email protected]\..3.........e...................xVo.221.2.0.0.hr.uoregon.e
du.closing.connection..E..4b.@[email protected]\..3........Me........F..........xVo.E..4.
.@.@..:..3...2\....e............8......xVo.....E..4b.@[email protected]\..3........Ne....
....E..........xVo.E..(..@[email protected]\....e.......P.............E..(..@[email protected]
...2\....e.......P.............E..(..@[email protected]\....e.......P.............

AUTH/SASL SMTP Transaction

E..<..@[email protected]\................\[..............xVpy....E..<..@[email protected]\..3.
.......h........L...............xVpy....E..4..@[email protected]\...........i........
....xVpy....E..[O.@[email protected]\..3........i.........o..........xVpy220.Sendmail.ESM
TP.-.Is.It.Not.Nifty?..E..I..@[email protected]\................F.......xVpy....EHLO.
hr.uoregon.edu..E..4O.@.@../..2\..3.................x8..........xVpyE...O.@[email protected]
..2\..3.............................xVpy250-hr.uoregon.edu.Hello.[128.223.51.169
],.pleased.to.meet.you..250-ENHANCEDSTATUSCODES..250-PIPELINING..250-8BITMIME..2
50-SIZE..250-DSN..250-ETRN..250-AUTH.PLAIN..250-STARTTLS..250-DELIVERBY..250.HEL
P..E..>..@[email protected]\...........[............xVpy....STARTTLS..E..RO.@[email protected]
\..3........[........`...........xVpy220.2.0.0.Ready.to.start.TLS..E..4..@.@....
.3...2\...........y............xVpy....E..z..@[email protected]\...........y.........
...xVpy........A...=..?y.O.`.........]....2:b..?,..t.!..........................
.E...O.@.@.}...2\..3........y........M...........xVpy....J...F..?y.N..(......'..
..>1..<.w.||lod...+....vo...>.^.Qby..+Z....=.Y.....................0...0..M.....
...i.0...*.H........0..1.0...U....ZA1.0...U....Western.Cape1.0...U....Cape.Town1
.0...U....Thawte.Consulting.cc1(0&..U....Certification.Services.Division1.0...U.
...Thawte.Server.CA1&0$..*[email protected]
1008230345Z0..1.0...U....US1.0...U....Oregon1.0...U....Eugene1.0...U....Universi
ty.of.Oregon1.0...U....Human.Resources1.0...U....hr.uoregon.edu0..0...*.H.......
.....0.........y.......e..PG3.!\j.Z.lP...b.dE|.S....&:.....!.Z..&.o..[.h.#E....$
.l.[............M.....u..*s.....2.~.<...t.._..S.LN.|...T.Bm.......%0#0...U.%..0.
..+.......0...U.......0.0...*.H............q.`'.r.x|..+5F...6o....hk.....bpq{f..
....+.?K.s{.[%-..\....C....|....5...iE....3.......u._....B..."`.U!.g^....#UQ....
-t..s.........0...0..|........0...*.H........0..1.0...U....ZA1.0...U....Western.
Cape1.0...U....Cape.Town1.0...U....Thawte.Consulting.cc1(0&..U....Certification.
Services.Division1.0...U....Thawte.Server.CA1&0$..*.H........server-certs@thawte
.com0...960801000000Z..201231235959Z0..1.0...U....ZA1.0...U....Western.Cape1.0..
.U....Cape.Town1.0...U....Thawte.Consulting.cc1(0&..U....Certification.Services.
Division1.0...U....Thawte.Server.CA1&0$..*[email protected].
..*.H............0........Pn..Vk..]...huG.....%...GQ....t....u...a..m0n....R.b.M
...j.D8....d.p...k)./I.;.'.%../..m.(B..LC...!mT.].X....[....{E...O.@[email protected]\..3
........!........;w..........xVpy.6:..f"...........0.0...U.......0....0...*.H...
...........Li\...F...M!0....oI...Q.`pl.a....H>YC}[email protected].
..o.)...(;..@(.Z<...........Q..L,Y....u..B...........#.pG................0..1.0.
..U....ZA1.0...U....Western.Cape1.0...U....Cape.Town1.0...U....Thawte.Consulting
.cc1(0&..U....Certification.Services.Division1.0...U....Thawte.Server.CA1&0$..*.
[email protected]..@.`@[email protected]\.................'......
xVpy................E..4O.@.@..*..2\..3.................o...........xVpyE....c@.
@.....3...2\.................I......xVpy................._b...H.qf..[..}H(J....U
HDO.IZ..]..q.K...S...$..D.tv.....*{^..4..e....B....6$HRq........<.S......o.1....
1.s.6[.ZM....r.L..k.J.]..........(..+...........m6.*...C}>.......s.\R.....E..4O.
@.@..)..2\..3.................n...........xVpyE..gO.@[email protected]\..3...............
..iV..........xVpy..........(..k.X./:...T!...{~.!.wD.......=..*..;..qE..i.d@.@..
g..3...2\........................xVpy........0.....e..v._...5&K..=.;.`08....:.uI
=b..p...Y...G.E...O.@[email protected]\[email protected]..
..`vX.P.....6W.H.A.....h......P....Z..5..G..}....S.-=.....#e...}..<.Ym.h..N..\.4
\LV..........P|......i1p6./"[email protected].^.>.....k.>....-.N*....l...4.(...
.xa..tg...?x..=...?......D.fN@;..O.D/...J*....}E..y.e@[email protected]\.............
...........xVpy........@>z,%+m.;k.B..y..M.0;...X$.....9..nP.!.y.fE9..T.<~..W."..
...Q.&.mE..qO.@[email protected]\..3............-................xVpy....8.F......h....1.
U.gU..MA}G....].J.N+7.x......G..o........E..q.f@.@..]..3...2\.......-...........
.....xVpy........8....7fk...}...o@$...h4."...Z.O.9-.L..D...A.*........._)cE...O.
@[email protected]\..3............j................xVpy....H.....2...\Z....V..Y.i.az'.]@.
j..K....v.........[...Z9.R.3.....e.0....i..E..q.g@.@..\..3...2\.......j...N....f
p......xVpy........8.vh..&W..XO......3...2.?.OF..............g....pzy.m*...QE...
O.@[email protected]\..3........N....................xVpy....H<........B`7./)..I/.dR...Uq
....Q..&.....W=o...{..]...a.5......].PL.}....E..Y.h@[email protected]\...............
.........xVpy.........x..C..%.Xmo.p.n.T...(.i..[......E...O.@[email protected]\..3.......
......................xVpy....H.;X..0..>C....#.3.....N...+%..V......5IHl$5*UG.8x
=.........:9.^k..0oW.%mE.....@[email protected]\........................xVpz........p
yB).......D.:9..\[email protected].$].........g.=.D1..5......I......O.H..iM.J.$..O...9..S.
......>%.~...Z.Ir....[.R........v./...A..v.h..J.......,....).....T.....l.......:
.T^..!y..Y_.|.1u..O..m....L..f...d.J....i.MoZ..T.l.Igy....$.3.......:@E.I,C#....
X..9....).(..bt.T#.<...!..\..;),.....u,.......1IQkVw..,..WU?".....#..)..10..\m..
h.S.0.........sh.._=..:.......B.......=.VK..A\...P..(]+.)?7...E....x.#.....;.L..
\.O...>q<..N.V..G...M....9.p(....d6..F.....9x.5+:..Syr.Y....afg.a.[...]I<8.^...E
.g...*...z..4.~..OO..._......j..6V...0.`....A./b..{q'.I........7......)O:j.8...J
..O.\.....oP.."......N&..t.*.v.e....+Z+-.<..p^.0nX.......9..nh..&x.{U...'......!
......:..U.D.1...KB.X!.E..vF.......zi>.<6.<....y..S.....?..0.n.m}.:7m..Qi......m
Bra..T....QM...U...)...)..y...._]0f...O.G.9..u..f*_f..e.W..V-....Q.i3b?:(.../n!.
...T....8..*;..X.\=....h.5.P._.N.wd........m..OX.|....3..(...W.......t/}.;bfm?w.
E..4O.@.@.."..2\..3............A....c...........xVpzE..(..@[email protected]\..3........=
....P...."..

Client Configuration Examples

Apple Mail (MacOS X):

Microsoft Outlook XP:

 

Additional Resources

 


[BIO] David is a Network Manager at the Human Resources department of the University of Oregon. He holds a Master's Degree in Social Work along with his MCSE+I, CNE, and CCNA certifications. He has been working with Linux for the past six years, with an emphasis on systems security, network troubleshooting, and PHP/MySQL integration.

Copyright © 2003, David Lechnyr. Released under the Open Publication license unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 96 of Linux Gazette, November 2003

<-- prev | next -->
Tux