====== Sendmail Message Submission Agent Howto (SASL2, STARTTLS) ======

This document describes how to set up a Sendmail mailserver as a "Message Submission Agent" (MSA). ((Wikipedia: https://en.wikipedia.org/wiki/Message_submission_agent))

Debian: 8.8 (Jessie)\\
sendmail: 8.14.4\\
sasl2-bin: 2.1.26\\

===== 1. Introduction =====

A "Message Submission Agent" (MSA) allows users to securely submit mail from their "Mail User Agent" (MUA) ((e.g. Thunderbird, Evolution, ...)) to the outgoing mail server.\\
To restrict access to authorized users only, the user has to authenticate with a user name and password. ((The authentication requirement prevents the mailserver from becoming an "Open Relay" (spam server).))\\
Common practice is to protect the session between MUA and MSA with TLS/SSL encryption.\\
The MSA listens on TCP port 587. ((The MTA listens on TCP port 25 (smtp).))

The sendmail MSA uses SASL2 for authentication. SASL stands for "Simple Authentication and Security Layer". SASL is a glue layer between the MSA and a variety of authentication mechanisms. This document describes using the "pam" (("Pluggable Authentication Modules"\\ PAM is an authentication framework for Linux systems.)) mechanism to allow shell users to log in to the MSA.\\
The SASL glue layer is implemented as a daemon process (saslauthd) which interfaces with the MSA via a socket connection.

===== 2. Installation =====

==== 2.1 install sasl2-bin ====

<code>
# apt-get install sasl2-bin
</code>

==== 2.2 sasl2-bin bug #791814 ====

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791814 (sasl2-bin: fails to start saslauthd)

As a workaround we can skip the redirect to systemctl (systemd). Keep in mind that this edits a packaged init script: the change will be flagged as a locally modified conffile on the next sasl2-bin upgrade.

/etc/init.d/saslauthd:
<code>
..
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

### Skip redirect to systemctl
_SYSTEMCTL_SKIP_REDIRECT="true"
echo "_SYSTEMCTL_SKIP_REDIRECT: $_SYSTEMCTL_SKIP_REDIRECT" >&2

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions
..
</code>
==== 2.3 saslauthd configuration ====

/etc/default/saslauthd:
<code>
..
# Should saslauthd run automatically on startup? (default: no)
# START=no
START=yes
..
MECHANISMS="pam"
..
</code>

==== 2.4 Start saslauthd ====

<code>
# /etc/init.d/saslauthd start
</code>

===== 3. Configuration =====

==== 3.1 Add SASL2 support to Sendmail ====

<code>
# /usr/share/sendmail/update_auth
</code>

Note ((The Debian script "/usr/share/sendmail/update_auth" suggests adding SASL2 to /etc/mail/submit.mc. \\ However, this doesn't make much sense, since //submit.mc// configures the MSP service of sendmail, not the MTA service daemon! \\ (The Mail Submission Program (MSP) transfers mail from local programs, e.g. /bin/mail, to the Sendmail MTA service daemon.) ))

==== 3.2 Add SASL2 and STARTTLS to sendmail.mc ====

Add the following lines to the sendmail.mc:
<code>
include(`/etc/mail/sasl/sasl.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl
</code>

  * Note: Insert the new config lines before the MAILER definitions.

/etc/mail/sendmail.mc:
<code>
..
dnl # SASL2
include(`/etc/mail/sasl/sasl.m4')dnl
dnl #
dnl # STARTTLS
include(`/etc/mail/tls/starttls.m4')dnl
dnl #
dnl #
dnl # Masquerading options
FEATURE(`always_add_domain')dnl
dnl #
dnl # FEATURE() should before MAILER()
..
</code>

==== 3.3 Require AUTH on Port 587 ====

The submission service must require AUTH (modifier M=a). Optionally disable ETRN as well (M=E).\\
Specify the modifiers "M=Ea" in the DAEMON_OPTIONS macro.

/etc/mail/sendmail.mc:
<code>
DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea')dnl
</code>

  * More on DaemonPortOptions: See documentation links.

==== 3.4 PLAIN or LOGIN authentication security ====

If the PLAIN or LOGIN authentication mechanisms are used, a strong encryption layer (STARTTLS/SSL) must be active to prevent sniffing: both mechanisms transmit the password merely base64 encoded, not encrypted.\\
This can be enforced with the AuthOptions flag "p" ("O AuthOptions=p" in sendmail.cf): PLAIN and LOGIN are then only offered once a security layer is active. The "y" flag disables anonymous login.
/etc/mail/sendmail.mc:
<code>
define(`confAUTH_OPTIONS',`p y')dnl
</code>

==== 3.5 Disable SMTP AUTH on Port 25 ====

In most cases we don't need/want SMTP AUTH on port 25.\\
You can disable SMTP AUTH for the Sendmail MTA service by specifying the modifier "M=A" in the DAEMON_OPTIONS macro.

/etc/mail/sendmail.mc:
<code>
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, M=A')dnl
</code>

==== 3.6 Configure Sendmail ====

Generate the new sendmail.cf from the changed sendmail.mc:
<code>
# sendmailconfig
</code>
Simply accept the defaults.

==== 3.7 Restart Sendmail ====

<code>
# /etc/init.d/sendmail restart
</code>

==== 3.8 Firewall configuration ====

If you are operating a firewall (e.g. Shorewall), you need to open port 587.

=== 3.8.1 Shorewall configuration ===

/etc/shorewall/rules:
<code>
..
# SMTP
ACCEPT    net    $FW    tcp    25
# Submission
ACCEPT    net    $FW    tcp    587
..
</code>

===== 4. Mail client configuration =====

==== 4.1 Thunderbird ====

^ Account Settings: Outgoing Server ^^
| Server Name: | your_mailserver.domain |
| Port: | 587 |
| User Name: | linux_user_name_here |
| Authentication method: | Normal password |
| Connection Security: | STARTTLS |

  * Note: Use TLS/SSL encryption to prevent sniffing of your plaintext password!

===== 5. Troubleshooting =====

==== 5.1 Debug saslauthd ====

Run saslauthd in debug mode in the foreground:
<code>
# /etc/init.d/saslauthd stop
### Restart sendmail so that its connection to the saslauthd socket is closed
# /etc/init.d/sendmail restart
# saslauthd -a pam -d -m /var/run/saslauthd
saslauthd[10006] :main            : num_procs  : 5
saslauthd[10006] :main            : mech_option: NULL
saslauthd[10006] :main            : run_path   : /var/run/saslauthd
saslauthd[10006] :main            : auth_mech  : pam
saslauthd[10006] :ipc_init        : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[10006] :detach_tty      : master pid is: 0
saslauthd[10006] :ipc_init        : listening on socket: /var/run/saslauthd/mux
saslauthd[10006] :main            : using process model
saslauthd[10006] :have_baby       : forked child: 10007
saslauthd[10006] :have_baby       : forked child: 10008
saslauthd[10006] :have_baby       : forked child: 10009
saslauthd[10006] :have_baby       : forked child: 10010
saslauthd[10006] :get_accept_lock : acquired accept lock
</code>

==== 5.2 Test SASL2 using telnet ====

Using telnet we can test the SASL authentication system.

  * Wait for the sendmail greeting message
  * Identify yourself: EHLO ((EHLO: "Extended Hello")) your_mail_domain
  * Authenticate: AUTH LOGIN
  * Submit mail message
  * Quit

Note:\\
If "O AuthOptions=p" has been enforced, LOGIN or PLAIN authentication will not be offered on a plaintext connection. (See: 3.4)\\
For this test you can temporarily comment out the option in the sendmail.cf:
<code>
## O AuthOptions=p y
</code>
While the option is disabled, clients can send their passwords unencrypted, so restore it (or re-run sendmailconfig, which regenerates sendmail.cf from sendmail.mc) as soon as the test is done. Alternatively, keep the option in place and run the same dialogue inside a STARTTLS session.

=== 5.2.1 Generate base64 strings for username and password ===

Since the AUTH LOGIN method requires base64 encoded strings for username and password, we have to generate those strings first (the output shown is for the literal strings "username" and "password"):
<code>
$ echo -n "user_name_here" | base64
dXNlcm5hbWU=
$ echo -n "password_here" | base64
cGFzc3dvcmQ=
</code>

=== 5.2.2 Telnet from the mail client to the mail server ===

From your mail client open a telnet session to your mail server on port 587.\\
Enter the generated base64 encoded strings for username and password after "AUTH LOGIN". (The two "334" server challenges are the base64 encoded prompts "Username:" and "Password:".)
<code>
$ telnet your_mailserver.domain 587
Trying 10.0.0.116...
Connected to your_mailserver.domain.
Escape character is '^]'.
220 your_mailserver.domain ESMTP Sendmail 8.14.4/8.14.4/Debian-8+deb8u1; Tue, 3 Jan 2017 20:05:28 +0100; (No UCE/UBE) logging access from: mailclient.domain [192.168.1.197]
EHLO your_mail_domain
250-your_mail_domain Hello mailclient.domain [192.168.1.197], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlcm5hbWU=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 2.0.0 OK Authenticated
</code>

Note that this EHLO reply also advertises EXPN and VERB; the PrivacyOptions "noexpn" and "noverb" (see the PrivacyOptions link in section 6) switch them off if you do not want to expose them on a public submission port.

=== 5.2.3 Watch debug info at the mail server ===

Supposing saslauthd is still running in debug mode at your mail server, you can now see its response show up in the terminal window:
<code>
saslauthd[10006] :rel_accept_lock : released accept lock
saslauthd[10010] :get_accept_lock : acquired accept lock
saslauthd[10006] :do_auth         : auth success: [user=user_name] [service=smtp] [realm=] [mech=pam]
saslauthd[10006] :do_request      : response: OK
</code>

This line is written to "/var/log/mail.log":
<code>
Jan  3 20:06:15 mailserver sm-mta[10043]: AUTH=server, relay=mailclient.domain [192.168.1.197], authid=user_name, mech=LOGIN, bits=0
</code>

=== 5.2.4 Submit mail message ===

Once authenticated you can send a mail message via the submission service:
<code>
Mail from: user_name@your_mail_domain
250 2.1.0 user_name@your_mail_domain... Sender ok
Rcpt to: other_person@somedom.com
250 2.1.5 other_person@somedom.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Hello
I hope this message finds you well.
.
250 2.0.0 v03J5SE3010043 Message accepted for delivery
QUIT
221 2.0.0 your_mailserver.domain closing connection
Connection closed by foreign host.
</code>

==== 5.3 Renew Sendmail server certificate ====

Remove the old certificate:
<code>
# cd /etc/mail
# rm tls/sendmail-server.crt
</code>

Create a new certificate:
<code>
# sendmailconfig
</code>
Simply accept the defaults.
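The checks of 5.1 to 5.2.3 can be scripted so that the test never requires weakening AuthOptions: saslauthd is queried directly, the AUTH PLAIN credential is built the way a MUA builds it, the dialogue is sent through a STARTTLS session with openssl s_client, and afterwards mail.log is audited for LOGIN/PLAIN authentications that were not preceded by STARTTLS on the same sm-mta child. This is an added example and not part of the original howto. The host name test.client.example, the credentials "username"/"password", the EHLO replies and the mail.log lines are constructed for illustration; the "STARTTLS=server, ..." line is the form sendmail writes for a TLS handshake.

```shell
#!/bin/sh
# Added example: test the submission service without disabling AuthOptions=p,
# then audit mail.log for LOGIN/PLAIN authentications not protected by STARTTLS.
# Host names, users, passwords and log lines below are constructed.

# 1. Query saslauthd directly (testsaslauthd is shipped with sasl2-bin);
#    socket path as in section 5.1.
check_saslauthd() {   # usage: check_saslauthd <user> <password>
    testsaslauthd -u "$1" -p "$2" -f /var/run/saslauthd/mux -s smtp
}

# 2. Base64 forms of the credentials. AUTH LOGIN sends user and password as two
#    separate base64 strings; AUTH PLAIN sends base64("\0user\0password") at once.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }
auth_plain_b64() { printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'; }

# 3. Does a plaintext EHLO reply (on stdin) offer PLAIN or LOGIN? With
#    "O AuthOptions=p" it must not; CRAM-MD5/DIGEST-MD5 may still be listed.
plaintext_auth_offered() {
    tr -d '\r' | grep -E '^250[- ]AUTH ' \
               | grep -qE '(^|[[:space:]])(PLAIN|LOGIN)([[:space:]]|$)'
}

# 4. Run the AUTH PLAIN exchange inside TLS. openssl sends EHLO and STARTTLS
#    itself; -crlf turns our newlines into the CRLF SMTP requires, -quiet keeps
#    stdin open until the server closes the connection after QUIT.
submit_auth_over_starttls() {   # usage: submit_auth_over_starttls <host> <user> <password>
    { printf 'EHLO test.client.example\n'
      printf 'AUTH PLAIN %s\n' "$(auth_plain_b64 "$2" "$3")"
      printf 'QUIT\n'
    } | openssl s_client -quiet -starttls smtp -crlf -connect "$1:587" 2>&1
}

# 5. Audit mail.log (stdin). sendmail logs "STARTTLS=server, ..." and later
#    "AUTH=server, ..., mech=..." from the same sm-mta[pid] child, so a
#    LOGIN/PLAIN AUTH line whose pid has no earlier STARTTLS line means the
#    password crossed the wire in base64 only. (bits= in the AUTH line is the
#    SASL security layer, which stays 0 for PLAIN/LOGIN even inside TLS, so it
#    is not usable for this check.)
audit_cleartext_auth() {
    awk '
    match($0, /sm-mta\[[0-9]+\]/) {
        pid = substr($0, RSTART + 7, RLENGTH - 8)
        if ($0 ~ /STARTTLS=server/) { tls[pid] = 1; next }
        if ($0 ~ /AUTH=server/ && $0 ~ /mech=(LOGIN|PLAIN)/) {
            if (!(pid in tls)) print "CLEARTEXT AUTH: " $0
            delete tls[pid]
        }
    }'
}

# Constructed sample: child 10043 authenticated inside TLS, child 10051 accepted
# PLAIN on a plaintext connection, child 10058 used CRAM-MD5 (challenge-response).
SAMPLE_LOG='Jan  3 20:06:10 mailserver sm-mta[10043]: STARTTLS=server, relay=mailclient.domain [192.168.1.197], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Jan  3 20:06:15 mailserver sm-mta[10043]: AUTH=server, relay=mailclient.domain [192.168.1.197], authid=user_name, mech=LOGIN, bits=0
Jan  3 20:07:01 mailserver sm-mta[10051]: AUTH=server, relay=laptop.domain [192.168.1.200], authid=bob, mech=PLAIN, bits=0
Jan  3 20:08:22 mailserver sm-mta[10058]: AUTH=server, relay=laptop.domain [192.168.1.200], authid=carol, mech=CRAM-MD5, bits=0'

# Constructed EHLO replies: the first is the one shown in 5.2.2 (no "p" flag),
# the second is what a server with "O AuthOptions=p y" answers before STARTTLS.
EHLO_WITHOUT_P='250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250 HELP'
EHLO_WITH_P='250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP'

if [ "${1:-}" = "demo" ]; then
    echo "AUTH LOGIN strings: $(b64 username) / $(b64 password)"
    echo "AUTH PLAIN string : $(auth_plain_b64 username password)"
    printf '%s\n' "$SAMPLE_LOG" | audit_cleartext_auth
fi
```

Run `sh script.sh demo` for the offline part; the live checks are `check_saslauthd username password` on the server and `submit_auth_over_starttls your_mailserver.domain username password` from the client, which should end in "235 2.0.0 OK Authenticated" followed by the 221 reply to QUIT. A locally generated certificate such as the one from 5.3 is not in openssl's default trust store, so s_client prints a verify error; that does not abort the exchange, and `-CAfile` can be added to check the chain the way a MUA would. For a production audit, feed the real log: `audit_cleartext_auth < /var/log/mail.log`.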
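After sendmailconfig (3.6) has generated /etc/mail/sendmail.cf, the settings of 3.3 to 3.5 should be visible in it, and the certificate from 5.3 should not be close to expiry. The script below, an added example that is not part of the howto, checks exactly those points by parsing the "O DaemonPortOptions=" and "O AuthOptions=" lines that the DAEMON_OPTIONS and confAUTH_OPTIONS macros produce, and by asking openssl whether the certificate is still valid a given number of days from now. The two sendmail.cf fragments at the end are constructed: CF_GOOD is what the sendmail.mc of sections 3.3 to 3.5 generates, CF_BAD is a stock configuration without those changes.

```shell
#!/bin/sh
# Added example: audit the generated sendmail.cf for the submission settings of
# sections 3.3 to 3.5 and check the STARTTLS certificate from 5.3 for expiry.
# The sample configurations at the bottom are constructed for illustration.

# Print the M= modifiers of the "O DaemonPortOptions=" line whose Port= equals $1
# (sendmail.cf on stdin). Empty output: no such daemon, or no modifiers set.
daemon_modifiers() {   # usage: daemon_modifiers <smtp|submission> < sendmail.cf
    awk -v port="$1" '
    /^O DaemonPortOptions=/ {
        n = split(substr($0, 21), f, /, */)     # skip the 20-char option prefix
        hit = 0; mods = ""
        for (i = 1; i <= n; i++) {
            if (f[i] == "Port=" port) hit = 1
            if (f[i] ~ /^M=/) mods = substr(f[i], 3)
        }
        if (hit) print mods
    }'
}

# True if the daemon on port $1 carries modifier letter $2
# (a = require AUTH, A = disable AUTH, E = disable ETRN).
has_modifier() {   # usage: has_modifier <port> <letter> < sendmail.cf
    case "$(daemon_modifiers "$1")" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Value of "O AuthOptions=" (empty if the option is not set).
auth_options() { sed -n 's/^O AuthOptions=//p'; }

# Run all checks against a sendmail.cf read from stdin; returns 1 on any failure.
audit_sendmail_cf() {
    cf=$(cat); rc=0
    printf '%s\n' "$cf" | has_modifier submission a \
        || { echo "FAIL: port 587 does not require AUTH (missing M=a)"; rc=1; }
    printf '%s\n' "$cf" | has_modifier smtp A \
        || { echo "FAIL: port 25 still offers AUTH (missing M=A)"; rc=1; }
    case "$(printf '%s\n' "$cf" | auth_options)" in
        *p*) ;;
        *) echo "FAIL: AuthOptions lacks p: PLAIN/LOGIN allowed without TLS"; rc=1 ;;
    esac
    return $rc
}

# Certificate check: exit status 0 if the certificate is still valid $2 days from now.
cert_valid_for_days() {   # usage: cert_valid_for_days /etc/mail/tls/sendmail-server.crt 30
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1"
}

# Constructed sendmail.cf fragments (see lead-in).
CF_GOOD='O DaemonPortOptions=Family=inet, Name=MTA-v4, Port=smtp, M=A
O DaemonPortOptions=Family=inet, Name=MSP-v4, Port=submission, M=Ea
O AuthOptions=p y'
CF_BAD='O DaemonPortOptions=Family=inet,  Name=MTA-v4, Port=smtp
O DaemonPortOptions=Family=inet,  Name=MSP-v4, Port=submission, M=Ea
O AuthOptions=A'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$CF_GOOD" | audit_sendmail_cf && echo "good config: OK"
    printf '%s\n' "$CF_BAD"  | audit_sendmail_cf || echo "bad config: failures as expected"
fi
```

On the server run `audit_sendmail_cf < /etc/mail/sendmail.cf` after every sendmailconfig, and `cert_valid_for_days /etc/mail/tls/sendmail-server.crt 30 || echo "renew (see 5.3)"` from a cron job, so that an expired certificate does not silently break STARTTLS for the mail clients of section 4.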
==== 5.4 View Sendmail server certificate ====

<code>
# openssl x509 -in /etc/mail/tls/sendmail-server.crt -text
</code>

===== 6. Documentation =====

^ On board docs ^^
| cf/README | sendmail-doc: /usr/share/doc/sendmail-doc/cf.README.gz |
| Sendmail Installation and Operation Guide | sendmail-doc: /usr/share/doc/sendmail-doc/op/op.ps.gz |

^ Links ^^
| sendmail.org/~ca | http://www.sendmail.org/~ca/email/misc.html |
| cf/README | http://www.sendmail.org/~ca/email/doc8.12/cf/m4/readme.html |
| Cyrus SASL | https://cyrusimap.org/sasl/ |
| Sendmail Config David Bank | http://hiredavidbank.com/prac-send.html |
| Sendmail DAEMON_OPTIONS | http://etutorials.org/Server+Administration/Sendmail/Part+III+The+Configuration+File/Chapter+24.+The+O+Options+Configuration+Command/DaemonPortOptions/ |
| Sendmail PrivacyOptions | https://docstore.mik.ua/orelly/other/Sendmail_3rd/1565928393_ch24-91368.html |

====== . ======

Copyright (c) 2019 Tux4u.be\\
Author: Marjan Waldorp; sendmail-submission-howto 2019-03-05