[Mimedefang] OT:configure starttls for sendmail

Andrew J Caird andrew.caird at fccc.edu
Wed Jan 21 09:09:19 EST 2004


Lucas,
  I meant to send this earlier, and actually might have, so if this is a
duplicate, my apologies.  This is what I did to implement SMTPAUTH
and STARTTLS in sendmail, I hope it helps.
--
Andrew Caird            andrew.caird at fccc.edu               215.728.4071
Email Administrator                              Fox Chase Cancer Center


          Enabling Secure Authenticated Relaying with sendmail
         ------------------------------------------------------
                                                   Andrew Caird
                                        Fox Chase Cancer Center
                                                  December 2003

In support of off-site users of your mail system, you may want to allow
them to use the corporate mail servers for sending and receiving email.
However, sending email from outside of the corporate network to a recipient
who is not part of your corporation is considered relaying, and having
an open relay in these days of excessive spam will cause your mail servers
to be abused and get you listed on black lists.

This document explains how to configure sendmail to allow relaying to
authenticated users.

The basic step is to use SMTP AUTH to authenticate the user.  However,
authentication implies some sort of login/password database.  In order
to support a wide array of authentication mechanisms, sendmail relies on
Cyrus SASL (Simple Authentication and Security Layer).  Essentially,
sendmail off-loads the authentication to SASL, allowing it to deal with
the wide variety of available mechanisms (CRAM-MD5, DIGEST-MD5, Kerberos 4
and 5, Windows NT LAN Manager (NTLM), PLAIN, and external (LDAP, SQL
Database, etc.)).  Because of the complexity of using CRAM, DIGEST, or
Kerberos, we will choose PLAIN.  However, this means that the password
would be sent in clear-text between the client and the server.  Since, by
design, this is for access from a potentially unfriendly network, we need
to secure that connection.  Recent versions of sendmail support SSL/TLS
using a mechanism called STARTTLS (RFC 2487) that allows for encrypting
the SMTP transaction.  sendmail also has the option to not accept clear-text
passwords unless STARTTLS has been initiated.

Assuming you already have OpenSSL and OpenLDAP installed, the first step is
to compile cyrus-sasl.  (If you don't have OpenSSL and OpenLDAP, compile and
install them first; you can configure OpenLDAP without slapd or slurpd with
the configure options --disable-slapd --disable-slurpd and depending on what
you are using OpenLDAP for, you might want --with-tls.) The configuration
options for cyrus-sasl are:

	configure --enable-krb4=no --enable-gssapi=no --with-openssl=/usr/local/openssl --enable-login --with-ldap=/usr/local/openldap

The '--enable-login' option is required (even though, in general, it is not
recommended) to support MS Outlook.  From the Cyrus documentation:
      "The LOGIN mechanism (not to be confused with IMAP4's LOGIN command) is
       an undocumented, unsupported mechanism. It's included in the Cyrus SASL
       distribution for the sake of SMTP servers that might want to interoperate
       with old clients. Do not enable this mechanism unless you know you're
       going to need it. When enabled, it verifies passwords the same way the
       PLAIN mechanism does."
However, according to:
     http://www.google.com/groups?selm=3E314FBD.CB0E4BF3%40oceana.com
Outlook doesn't support any "normal" SASL methods (only LOGIN and NTLM), so
we need to enable LOGIN.  Once SASL is compiled, create a
/usr/local/etc/saslauthd.conf file with the contents:
	ldap_servers: ldap://ldapmaster/ ldap://ldap/
	ldap_search_base: ou=People,o=Fox Chase Cancer Center,c=US
and start saslauthd with the "-a ldap" option (note that this is the same
thing that is done for the IMAP server on pollux (cyrus.fccc.edu)).

sendmail site.config.m4 looks like:
	APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER -DSASL -DSTARTTLS -DEGD')
	APPENDDEF(`confMAPDEF',`-DNEWDB')
	APPENDDEF(`conf_sendmail_LIBS', `-lsasl2 -lssl -lcrypto')
	APPENDDEF(`confINCDIRS', `-I/usr/local/include/sasl -I/usr/local/BerkeleyDB.4.1/include -I/usr/local/openssl/include/')
	APPENDDEF(`confLIBDIRS', `-L/usr/local/lib -L/usr/local/BerkeleyDB.4.1/lib -L/usr/local/openssl/lib')
which adds BerkeleyDB, SASL, and SSL/EGD.  With this configuration the sendmail
binary will be linked with the SASL2 and OpenSSL libraries to support
authentication and encryption and will have support for the "egd:" source of
entropy needed for SSL.

sendmail .mc file has added these lines:
	TRUST_AUTH_MECH(`LOGIN PLAIN')
	define(`confAUTH_MECHANISMS', `LOGIN PLAIN')
	define(`confAUTH_OPTIONS', `A,p')

This adds support for SASL authentication, but not for TLS, although it
relies heavily on the TLS lines below, because the 'p' in confAUTH_OPTIONS
means that the 'LOGIN PLAIN' methods aren't available unless you've first
set up the TLS channel.


To test authentication, turn off the "p" option in AUTH_OPTIONS, then
encode your login and password in Base64 (you can use ed64:
http://www.sendmail.org/~ca/email/prgs/ed64.c).  Next follow the script
below.  If you see STARTTLS in the ehlo output, but not "AUTH LOGIN PLAIN",
you probably forgot to turn off the "p".  If you see neither, make sure
you've followed the compilation instructions above and that you are running
your new version sendmail and sendmail.cf.

helo% telnet challenger smtp
Trying 131.249.2.64...
Connected to challenger.fccc.edu.
Escape character is '^]'.
220 challenger.fccc.edu ESMTP Sendmail; Fri, 12 Dec 2003 16:14:04 -0500 (EST)
ehlo helo
250-challenger.fccc.edu Hello helo.fccc.edu [131.249.12.143], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
auth login
334 VXNlcm5hbWU6
YWnhjjjx
334 UGFzc3dvcmQ6
Nf7YqWjjjxx=
235 2.0.0 OK Authenticated
mail from: andrew.caird at fccc.edu
250 2.1.0 andrew.caird at fccc.edu... Sender ok
rcpt to: andrew.caird at fccc.edu
250 2.1.5 andrew.caird at fccc.edu... Recipient ok
data
354 Enter mail, end with "." on a line by itself
From: Andrew Caird <andrew.caird at fccc.edu>
To: Andrew Caird <andrew.caird at fccc.edu>
Subject: Test 1 of SMTP Auth against LDAP

Test 1 of SMTP Auth against LDAP.
.
250 2.0.0 hBCLE49W001927 Message accepted for delivery
quit
221 2.0.0 challenger.fccc.edu closing connection
Connection to challenger.fccc.edu closed by foreign host.
helo%

This configuration allows relaying if you first authenticate - that is,
you can authenticate, you can claim to be sending mail to and from anyone,
and the relay checks are ignored.  When you get the test message, look in
the header for a line that looks like:
   (authenticated bits=0)
This means that the sender was authenticated but that there were 0 bits of
security (base64 encoding is not security) (this is because you used either
the LOGIN or PLAIN method to authenticate and there is no encryption with
that) - this is why we need to add the TLS component to this.

STARTTLS: Adding SSL/TLS to sendmail

In our tests, we pretend to be our own certificate authority
(see http://hr.uoregon.edu/davidrl/lamp.html) and generate CA keys and
host keys; normally, you'll get a real key/certificate pair (on challenger,
the CA passphrase is "pass phrase" and the server passphrase is "challenger"
for this test).

Much like when implementing imaps, we need an unencrypted key, so run:
	openssl rsa -in server.key -out server_nopw.key
on the key and enter the password when prompted.  Put the unencrypted key
along with the server and CA certificates in /etc/mail/certs.

To add support for SSL to the cf file, add these lines to the .mc file:
	define(`confCACERT_PATH', `/etc/mail/certs')dnl
	define(`confCACERT', `/etc/mail/certs/ca.crt')dnl
	define(`confSERVER_CERT', `/etc/mail/certs/challenger.crt')dnl
	define(`confSERVER_KEY', `/etc/mail/certs/challenger.key')dnl unencrypted
	define(`confRAND_FILE', `egd:/var/run/egd-pool')dnl

We also need prngd to generate randomness for TLS on Solaris (other OSs may
not need this).  Install prngd, configure it to create /var/run/egd-pool, and
start it - don't forget to add this to an init script if you are using this in
production.  prngd can be obtained from
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

Generate a new sendmail.cf file using the options in the two blocks for the
.mc file above (in addition to any other options you need for your server)
and compile sendmail using the options in the site.config.m4 above.  In our
case, the complete .mc file looks like:

     divert(0)dnl
     VERSIONID(`$Id: generic-solaris.mc,v 8.13 2001/06/27 21:46:30 gshapiro Exp $')
     OSTYPE(solaris2)dnl
     DOMAIN(generic)dnl
     LOCAL_CONFIG
     define(`confPRIVACY_FLAGS',`goaway')dnl             To match 8.12.6 setting.
     define(`confQUEUE_LA',8)dnl                         To match 8.12.6 setting.
     define(`confDELAY_LA',10)dnl                        To match 8.12.6 setting.
     define(`confCONNECTION_RATE_THROTTLE', 5)dnl        To match 8.12.6 setting.
     define(`confSMTP_LOGIN_MSG',$j Sendmail; $b)dnl     To match 8.12.6 setting.
     Cw fccc.edu mail-gw.fccc.edu
     dnl ------ Below this line is SMTPAUTH and STARTTLS configuration ---------
     TRUST_AUTH_MECH(`LOGIN PLAIN')
     define(`confAUTH_MECHANISMS', `LOGIN PLAIN')
     define(`confAUTH_OPTIONS', `A,p')
     define(`confCACERT_PATH', `/etc/mail/certs')dnl
     define(`confCACERT', `/etc/mail/certs/ca.crt')dnl
     define(`confSERVER_CERT', `/etc/mail/certs/challenger.crt')dnl
     define(`confSERVER_KEY', `/etc/mail/certs/challenger.key')dnl
     define(`confRAND_FILE', `egd:/var/run/egd-pool')dnl
     dnl ------ Above this line is SMTPAUTH and STARTTLS configuration ---------
     MAILER(local)dnl
     MAILER(smtp)dnl

When the .cf file and binary are installed, sendmail should start without errors,
and in the final configuration, if you connect to the SMTP server by hand and
type:
		ehlo client.fccc.edu
you should see STARTTLS but _not_ "AUTH LOGIN PLAIN", because until the TLS
channel is established, those are not available.  If you test without the "p"
option, you will see both the STARTTLS and "AUTH LOGIN PLAIN" lines.
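The two checks described above (the Base64 test login and the before/after-STARTTLS EHLO comparison) can be scripted. This is an added example, not part of the original post or of sendmail: the EHLO reply, host names and credentials in it are constructed, and audit_server() needs network access to a real server.

```python
import base64
import smtplib

# Constructed EHLO reply modelled on the telnet session above (not captured from a real host).
EHLO_SAMPLE = """250-mail.example.net Hello client.example.net [192.0.2.10], pleased to meet you
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250 HELP"""

def parse_ehlo(reply: str) -> dict:
    """Map each EHLO keyword (upper-cased) to its parameters; the first line is the greeting."""
    exts = {}
    for line in reply.splitlines()[1:]:
        fields = line[4:].split()          # drop the "250-" / "250 " prefix
        if fields:
            exts[fields[0].upper()] = fields[1:]
    return exts

def clear_text_auth_exposed(exts: dict, tls_active: bool) -> bool:
    """True when LOGIN/PLAIN are offered before STARTTLS, i.e. confAUTH_OPTIONS lacks 'p'."""
    mechs = {m.upper() for m in exts.get("AUTH", [])}
    return not tls_active and bool(mechs & {"LOGIN", "PLAIN"})

def decode_challenge(token: str) -> str:
    """Decode a 334 server challenge such as VXNlcm5hbWU6 in the session above."""
    return base64.b64decode(token).decode()

def auth_login_responses(user: str, password: str) -> tuple:
    """The two base64 replies to the Username:/Password: challenges of AUTH LOGIN."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())

def auth_plain_response(user: str, password: str) -> str:
    """AUTH PLAIN sends authzid NUL authcid NUL password as one base64 token (RFC 4616)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def audit_server(host: str, port: int = 25) -> dict:
    """Report what a live server advertises before and after STARTTLS (needs network access)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("client.example.net")
        before = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        after = {}
        if "STARTTLS" in before:
            smtp.starttls()
            smtp.ehlo("client.example.net")
            after = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
    return {"starttls_offered": "STARTTLS" in before,
            "auth_before_tls": clear_text_auth_exposed(before, tls_active=False),
            "auth_after_tls": "AUTH" in after}
```

With the 'p' option in place, audit_server() on a correctly built server should report starttls_offered True, auth_before_tls False and auth_after_tls True.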

When you use the server with sendmail configured as described here, you
will see two additional entries in the header line where the server name
is:
	(authenticated bits=0)
which means that the user authenticated with 0 bits of security
(DIGEST-MD5 offers 128 bits of security, Kerberos 4 and 5 offer 56 bits),
meaning, essentially, that the authentication was plain-text; the second
entry is:
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
which describes the TLS/SSL part of the transaction.  In this case, the
"verify=NO" means (if I understand correctly) that the client didn't
present a certificate, which will rarely happen, but doesn't mean that
the session isn't encrypted, it just means that the certificate based
operations (see http://www.sendmail.org/%7Eca/email/starttls.html) won't
work - in our case, the combination of AUTH+TLS is the same as TLS with
certificates on both sides.




On Fri, 16 Jan 2004, Lucas Albers wrote:

> I have been unsuccessful in configuring my sendmail server to support TTLS.
> If anyone could point(directly or via the mailing list, directly preferred
> I guess because it is off-topic) me in the direction of any good HOWTO's
> on configuring sendmail with TLS support, I would be much appreciative.
>
> --
> Luke Computer Science System Administrator
> Security Administrator,College of Engineering
> Montana State University-Bozeman,Montana
>