If there are some people jumped for this in USA?
sendmail and SASL. V0.1 of this document show you only how to set up
LOGIN AUTH (several ail client like outlook express, netscape use this
method of authentification. SMTP AUTH are use to permit relaying for
user who where authentified. You must use at least sendmail 8.9.
[wrong, it’s 8.10]
2. Get the needed software 2.1 Download Cyprus SASL You can get the source of cyrus SASL at
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/. Get the latest stable
[1.5.x, no 2.x] 2.2 Download Sendmail You will need to recompile sendmail. Get the source of sendmail
at http://www.sendmail.com if your distribution don’t give you the source.
[http://www.sendmail.org not com!]
For me, i use a slackware, and i have get the source from the cd
source of the slackware. 3. Compile the software 3.1 Compile and install SASL Extract file from the SASL package: gzip -cd cyrus-sasl-1.5.27.tar.gz | tar xvf – Enter the SASL directory, and do a: ./configure –enable-login The –enable-login option will enable login authentification (that
is not enable by default). Check for other option that you will
need (–perfix, …, make a configure –help to show all options).
Next do a make, make install. So sasl is now installed. Depending
to wich prefiw directory you have installed SASL, you will need to
add an entry to /etc/ld.so.conf to add the SASL lib directory. Then
make a “ldconfig”. 3.2 Compile sendmail I will not describe here all the option of sendmail compilation,
but i will show you only how to add the SASL support in sendmail.
In the source directory of sendmail, go to devtools/OS sub directory,
and add to the file that match your plateform: [do NOT do that! Use devtools/Site/site.config.m4
See devtools/Site/README] APPENDDEF(`confENVDEF’, `-DSASL’)
APPENDDEF(`conf_sendmail_LIBS’, `-lsasl’) For me, i add this two line to the devtools/OS/Linux file because
i have a Linux platform. Then recompil and install sendmail. To
be sure that Sendmail have the SASL support, do a: sendmail -d0.1 -bv root | grep SASL You must see something like that: NETUNIX NEWDB QUEUE SASL SCANF SMTP USERDB XDEBUG Make sure SASL appears in the output. Otherwise, recompile sendmail and
make sure you have put the two APPENDDEF line is the correct OS file
for your system. 4. Configure For this example i use only LOGIN method, so only this method will
be described here. LOGIN method will use real user/passwd that are
described by your /etc/passwd. So user in this file are able to do
SMTP AUTH. 4.1 Configure SASL for Login AUTH You must add a file for sendmail configuration of SASL.
Go to the /usr/lib/sasl directory.
Create a file Sendmail.conf with: pwcheck_method: shadow I suppose that your system use the shadow method for user
authentification. If your system uses the (old) password method,
replace shadow by passwd.
4.2 Sendmail configuration.
Edit your sendmail.cf (normally /etc/mail/sendmail.cf).
[Oh, great…. read cf/README] Add this line: # list of authentication mechanisms
O AuthMechanisms=LOGIN GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5]]>
STEP 1: Enable STARTTLS in sendmail:
1. Install openSSL (http://www.openssl.org) as described in the openSSL’s INSTALL
file. After installation, be sure that the openSSL program is in your path
(cp /usr/local/ssl/bin/openssl /usr/bin), otherwise the CA.pl program does
not work. 2. Create or edit /usr/src/sendmail-8.12.7/devtools/Site/site.config.m4 and
insert the following lines: APPENDDEF(`confINCDIRS’, `-I/usr/local/ssl/include’)
APPENDDEF(`conf_sendmail_LIBS’, `-lssl -lcrypto’) 3. Rebuild and install sendmail with the -c option (see README in
devtools/Site): cd /usr/src/sendmail-8.12.7
./Build install 4. Check to see if sendmail is compiled with STARTTLS: /usr/sbin/sendmail -d0.1 -bp 5. Edit /usr/src/sendmail-8.12.7/cf/cf/sendmail.mc and insert the following
lines: define(`confCACERT_PATH’, `/etc/mail/certs/’)dnl
define(`confCLIENT_KEY’, `/etc/mail/certs/key.pem’)dnl 6. Backup and regenerate /etc/mail/sendmail.cf: cd /etc/mail
cp sendmail.cf sendmail.cf.bak
./Build install-cf 7. Now you have to create three files: cacert.pem (CA certificate), cert.pem
(x.509 certificate, signed by CA) and key.pem (x.509 private key). This is
how you do this: cd /usr/local/ssl/certs
cp demoCA/cacert.pem /etc/mail/certs
cp newreq.pem /etc/mail/certs/key.pem
cp newcert.pem /etc/mail/certs/cert.pem
chmod 400 /etc/mail/certs/key.pem When the command ‘CA.pl -newca’ asks for a Common Name, fill in the name of
your organization. When the command ‘CA.pl -newreq-nodes’ asks for a Common
Name, you must enter the hostname of your smtp server and it must be the
same name as your smtp-server field on the mailclient, e.g. smtp.domain.nl. 8. Restart sendmail : kill `head -1 /var/run/sendmail.pid`
/usr/sbin/sendmail -L sm-mta -bd -q30m
telnet localhost 25 9. Check if sendmail supports STARTTLS. Issue a ‘EHLO localhost’ command.
You should see a line 250-STARTTLS: [email protected]:/# telnet localhost 25
Connected to localhost.
Escape character is ‘^]’.
220 server.pc184.nl ESMTP Sendmail 8.12.7/8.12.7; Wed, 19 Feb 2003
250-server.pc184.nl Hello [email protected] [127.0.0.1], pleased to meet
250 HELP Check your logfiles if you don’t see it (increase LogLevel to 14 in your
sendmail.cf). So far for the server side setup.
STEP 2: Client side setup: The next step is to configure your mailclients for SSL smtp connection and
install the client personal and root certificates on them. If you don’t
install these certificates, the client will complain that it cannot verify
the server certificate. This is normal, because you are using a self signed
servercertificate. You do not have this problem if you are buying a
certificate from a trusted provider. For Outlook Express 6 e.g., you wil see this warning: “The server you are connected to is using a security certificate that could
not be verified. A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.” This is how you create your client certificate: cd /usr/local/ssl/certs
../misc/CA.pl -pkcs12 It will create a file newcert.p12 that you can import in your client. You
will have to fill in a password, that the client have to use when he imports
the newcert.p12 file, so don’t use the same as you have used earlier. — For Outlook Express 6 you can follow these steps: 1. Copy the file newcert.p12 to a directory on your Windows client and
rightclick on it. 2. Choose install PFX and follow instructions. It will install a personal
and a root certificate. That’s great. You can check it in Explorer >
Internet Options. 3. In Outlook, turn on the SSL option for your outgoing mailserver. — For Netscape Messenger 4.7 you can follow these steps: 1. Start Messenger, click on the little lock on the bottom left corner. 2. Choose Certificates > Yours > Import a certificate 3. Import the file newcert.p12. 4. Click on Signers, select your CAcert, and edit it to enable all features. 5. Click on Yours, select your personal cert, and click Verify. You
should get “successfuly verified”. 6. Enable Secure SMTP in Messenger config. Now send a mail to yourself and check the message source. It must contain a
Received header with SSL information. You can also check your sendmail log.
If you see Verify=OK, then the server verified the presented client
certificate as OK. If you see Verify=NO, then the client didn’t present a
certificate and you are probably using Outlook Express. This is what I found
on the Internet: Outlook Express as of Internet Explorer 5 will work, but it
will not present any client certificate. So you can encrypt your email
transfer but you cannot authenticate (and relay) with client certificates
http://www.aet.tu-cottbus.de/personen/j … /test.html). Post
a follow-up for comments on this. I get Verify=OK with Netscape Messenger 4.7 and Verify=NO with Outlook
STEP 3: Allow relaying based on client certificate: The last step is to allow relaying based on a trusted client certificate.
This is very useful, because your client can then send mail to you
mailserver, independent of his IP. It only works if the server can verify
the client (Verify must be OK). Do the following: 1. Open your sendmail logfile and search for the “cert-issuer” field that
came from your client. 2. Copy the content of this field to your access database file (probably
/etc/mail/access_map, see also http://www.sendmail.org/m4/anti_spam.html)
and insert CERTISSUER: and RELAY, like this:
SomeEmail RELAY 3. Create database map: makemap hash access_map
mail and you can check all headers. Remember that this does this setup only
provide a secure transmission from sender to mailserver. Your mail will
probably go unsecure from there. Now, that’s it. I hope this document is usefull and correct, don’t mail me
for suggestion/corrections but please follow-up to this post. You can find more information on: http://www.sendmail.org
“Inaction breeds doubt and fear. Action breeds confidence and courage. If you want to conquer fear, do not sit home and think about it. Go out and get busy.”
– Dale Carnegie