
Sendmail Message Submission Agent Howto (SASL2, STARTTLS)

This document describes how to set up a Sendmail mailserver as a “Message Submission Agent” (MSA). 1)

Debian: 8.8 (Jessie)
sendmail: 8.14.4
sasl2-bin: 2.1.26

1. Introduction

A “Message Submission Agent” (MSA) allows users to securely submit mail from their “Mail User Agent” (MUA) 2) to the outgoing mail server.
To restrict access to authorized users only, the user has to authenticate with a user name and password. 3)
Common practice is to send the mail to the MSA via TLS/SSL encryption.
The MSA listens on TCP port 587. 4)

The sendmail MSA uses SASL2 for authentication. SASL stands for “Simple Authentication and Security Layer”. SASL is a glue layer between the MSA and a variety of authentication mechanisms. This document describes using the “pam” 5) mechanism to allow shell users to log in to the MSA.
The SASL glue layer is implemented as a daemon process (saslauthd) which interfaces with the MSA via a socket connection.

2. Installation

2.1 install sasl2-bin

# apt-get install sasl2-bin

2.2 sasl2-bin bug #791814

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791814

sasl2-bin: fails to start saslauthd

As a workaround we can skip the redirect to systemctl (systemd):

/etc/init.d/saslauthd:

..
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

### Skip redirect to systemctl
_SYSTEMCTL_SKIP_REDIRECT="true"
echo "_SYSTEMCTL_SKIP_REDIRECT: $_SYSTEMCTL_SKIP_REDIRECT" >&2


# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions
..

2.3 saslauthd configuration

/etc/default/saslauthd:

..
# Should saslauthd run automatically on startup? (default: no)
# START=no
START=yes
..
MECHANISMS="pam"
..

2.4 Start saslauthd

# /etc/init.d/saslauthd start

3. Configuration

3.1 Add SASL2 support to Sendmail

# /usr/share/sendmail/update_auth

Note 6)

3.2 Add SASL2 and STARTTLS to sendmail.mc

Add the following lines to the sendmail.mc:

include(`/etc/mail/sasl/sasl.m4')dnl

include(`/etc/mail/tls/starttls.m4')dnl
  • Note: Insert the new config lines before the MAILER definitions.

/etc/mail/sendmail.mc:

..
dnl # SASL2
include(`/etc/mail/sasl/sasl.m4')dnl
dnl #
dnl # STARTTLS
include(`/etc/mail/tls/starttls.m4')dnl
dnl #
dnl #
dnl # Masquerading options
FEATURE(`always_add_domain')dnl
dnl #
dnl # FEATURE() should before MAILER()
..

3.3 Require AUTH on Port 587

The submission service must require AUTH (M=a). Optionally disable ETRN (M=E).
Specify the modifier “M=Ea” in the DAEMON_OPTIONS macro.

/etc/mail/sendmail.mc:

DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea')dnl
  • More on DaemonPortOptions: See documentation links.

3.4 PLAIN or LOGIN authentication security

If the PLAIN or LOGIN authentication mechanisms are used, a strong encryption layer (STARTTLS/SSL) should be active to prevent sniffing, because both mechanisms transmit the password as easily reversible base64.
This can be enforced with “O AuthOptions=p”. The “y” flag disables anonymous login.

/etc/mail/sendmail.mc:

define(`confAUTH_OPTIONS',`p y')dnl

3.5 Disable SMTP AUTH on Port 25

In most cases we neither need nor want SMTP AUTH on port 25.
You can disable SMTP AUTH for the Sendmail MTA service by specifying the modifier “M=A” in the DAEMON_OPTIONS macro.

/etc/mail/sendmail.mc:

DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, M=A')dnl
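The three settings from sections 3.3 to 3.5 are easy to get subtly wrong (a missing “a”, “M=E” without “a”, or an AuthOptions line without “p”). The following shell script is an added example, not part of the original howto or of the sendmail package: it reads an m4 file and reports whether the submission daemon requires AUTH (M=a), the port 25 daemon refuses AUTH (M=A) and confAUTH_OPTIONS contains “p”. The sendmail.mc fragment it checks is constructed inline, and the function names (daemon_modifiers, auth_options, lint_mc) are this example's own.

```shell
#!/bin/sh
# Added example: lint the DAEMON_OPTIONS / confAUTH_OPTIONS settings of a
# sendmail.mc the way sections 3.3 - 3.5 of the howto describe them.
# Not part of the original howto; point lint_mc at /etc/mail/sendmail.mc
# to check a real file.

# Sample sendmail.mc fragment, constructed for this example.
SAMPLE_MC=$(mktemp)
cat >"$SAMPLE_MC" <<'EOF'
dnl # SASL2
include(`/etc/mail/sasl/sasl.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl
define(`confAUTH_OPTIONS',`p y')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, M=A')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea')dnl
EOF

# daemon_modifiers FILE PORT -> the M= flags of the DAEMON_OPTIONS line
# for that port (empty when the line or the M= option is missing).
daemon_modifiers() {
    grep "DAEMON_OPTIONS(" "$1" | grep "Port=$2" \
        | sed -n 's/.*M=\([A-Za-z]*\).*/\1/p'
}

# auth_options FILE -> the value of confAUTH_OPTIONS, e.g. "p y".
auth_options() {
    sed -n "s/^define(\`confAUTH_OPTIONS',\`\([^']*\)').*/\1/p" "$1"
}

# has_flag FLAGS CHAR -> exit 0 if CHAR occurs in FLAGS.
has_flag() {
    case "$1" in *"$2"*) return 0 ;; esac
    return 1
}

# lint_mc FILE -> prints one PASS/FAIL line per check; returns 1 on any FAIL.
lint_mc() {
    rc=0
    sub=$(daemon_modifiers "$1" submission)
    mta=$(daemon_modifiers "$1" smtp)
    opts=$(auth_options "$1")
    has_flag "$sub" a && echo "PASS: submission requires AUTH (M=$sub)" \
        || { echo "FAIL: submission does not require AUTH (M=$sub)"; rc=1; }
    has_flag "$mta" A && echo "PASS: port 25 refuses AUTH (M=$mta)" \
        || { echo "FAIL: port 25 still offers AUTH (M=$mta)"; rc=1; }
    has_flag "$opts" p && echo "PASS: PLAIN/LOGIN only over TLS (AuthOptions=$opts)" \
        || { echo "FAIL: PLAIN/LOGIN allowed without TLS (AuthOptions=$opts)"; rc=1; }
    return $rc
}

lint_mc "$SAMPLE_MC"
```

Run it after editing sendmail.mc and before sendmailconfig; a FAIL line points at the section of this howto to revisit.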

3.6 Configure Sendmail

Configure Sendmail with the new configuration:

# sendmailconfig

Simply accept the defaults.

3.7 Restart Sendmail

# /etc/init.d/sendmail restart

3.8 Firewall configuration

If you are operating a firewall (e.g. Shorewall), you need to open port 587.

3.8.1 Shorewall configuration

/etc/shorewall/rules:

..
# SMTP
ACCEPT          net             $FW             tcp     25

# Submission
ACCEPT          net             $FW             tcp     587
..

4. Mail client configuration

4.1 Thunderbird

Account Settings: Outgoing Server
Server Name: your_mailserver.domain
Port: 587
User Name: linux_user_name_here
Authentication method: Normal password
Connection Security: STARTTLS
  • Note: Use TLS/SSL encryption to prevent sniffing of your plaintext password!

5. Troubleshooting

5.1 Debug saslauthd

Run saslauthd in debug mode in foreground:

# /etc/init.d/saslauthd stop

### We have to restart sendmail in order to close the saslauthd socket
# /etc/init.d/sendmail restart

# saslauthd -a pam -d -m /var/run/saslauthd
saslauthd[10006] :main            : num_procs  : 5
saslauthd[10006] :main            : mech_option: NULL
saslauthd[10006] :main            : run_path   : /var/run/saslauthd
saslauthd[10006] :main            : auth_mech  : pam
saslauthd[10006] :ipc_init        : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[10006] :detach_tty      : master pid is: 0
saslauthd[10006] :ipc_init        : listening on socket: /var/run/saslauthd/mux
saslauthd[10006] :main            : using process model
saslauthd[10006] :have_baby       : forked child: 10007
saslauthd[10006] :have_baby       : forked child: 10008
saslauthd[10006] :have_baby       : forked child: 10009
saslauthd[10006] :have_baby       : forked child: 10010
saslauthd[10006] :get_accept_lock : acquired accept lock

5.2 Test SASL2 using telnet

Using telnet we can test the SASL authentication system.

  • Wait for the sendmail greeting message
  • Identify yourself: EHLO 7) your_mail_domain
  • Authenticate: AUTH LOGIN
  • Submit mail message
  • Quit

Note:
If “O AuthOptions=p” has been enforced LOGIN or PLAIN authentication will not be available. (See: 3.4)
Temporarily comment out this option in the sendmail.cf:

## O AuthOptions=p y

5.2.1 Generate base64 strings for username and password

Since the AUTH LOGIN method requires base64 encoded strings for username and password, we have to generate those strings first:

$ echo -n "username" | base64
dXNlcm5hbWU=

$ echo -n "password" | base64
cGFzc3dvcmQ=

5.2.2 Telnet from the mail client to the mail server

From your mail client open a telnet session to your mail server on port 587.
Enter the generated base64 encoded strings for username and password after “AUTH LOGIN”.

$ telnet your_mailserver.domain 587
Trying 10.0.0.116...
Connected to your_mailserver.domain.
Escape character is '^]'.
220 your_mailserver.domain ESMTP Sendmail 8.14.4/8.14.4/Debian-8+deb8u1; Tue, 3 Jan 2017 20:05:28 +0100;
(No UCE/UBE) logging access from: mailclient.domain [192.168.1.197]
EHLO your_mail_domain
250-your_mail_domain Hello mailclient.domain [192.168.1.197], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlcm5hbWU=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 2.0.0 OK Authenticated
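The two “334” lines in the session above are themselves base64: they decode to the prompts “Username:” and “Password:”, and the client answers each with the base64 of its own value. The following shell helpers are an added example (not part of the original howto) for reading the EHLO reply and the AUTH LOGIN challenges; the server replies they operate on are constructed to mirror the transcript, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: helpers for the EHLO reply and AUTH LOGIN challenges of
# the telnet test in section 5.2. Not part of the original howto.

# EHLO reply constructed to mirror the transcript above.
EHLO_REPLY='250-your_mail_domain Hello mailclient.domain [192.168.1.197], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250 HELP'

# ehlo_has REPLY KEYWORD -> exit 0 if the EHLO reply advertises KEYWORD
# (matches both "250-KEYWORD" continuation lines and the final "250 KEYWORD").
ehlo_has() {
    printf '%s\n' "$1" | grep -qE "^250[- ]$2( |$)"
}

# ehlo_auth_mechs REPLY -> the mechanisms listed on the 250-AUTH line.
ehlo_auth_mechs() {
    printf '%s\n' "$1" | sed -n 's/^250[- ]AUTH //p'
}

# decode_challenge "334 <base64>" -> the prompt the server sent, e.g. "Username:".
decode_challenge() {
    printf '%s' "${1#334 }" | base64 -d
}

# encode_response TEXT -> base64 of TEXT without a trailing newline, which is
# the form the client has to type back after a 334 challenge.
encode_response() {
    printf '%s' "$1" | base64
}

# Walk through the exchange. LOGIN and PLAIN only wrap the password in
# reversible base64, so the server must offer STARTTLS and the client must
# use it outside of a test like this one.
if ehlo_has "$EHLO_REPLY" STARTTLS; then
    echo "server offers STARTTLS"
else
    echo "server does NOT offer STARTTLS"
fi
echo "AUTH mechanisms:        $(ehlo_auth_mechs "$EHLO_REPLY")"
echo "challenge 1 decodes to: $(decode_challenge '334 VXNlcm5hbWU6')"
echo "reply with:             $(encode_response username)"
echo "challenge 2 decodes to: $(decode_challenge '334 UGFzc3dvcmQ6')"
echo "reply with:             $(encode_response password)"
```

The decode step is what to reach for when a server challenge is not the expected “334 VXNlcm5hbWU6”: some servers send different prompts, and decoding shows what was actually asked.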

5.2.3 Watch debug info at the mail server

Supposing saslauthd is still running in debug mode at your mail server, you can now see its response show up in the terminal window:

saslauthd[10006] :rel_accept_lock : released accept lock
saslauthd[10010] :get_accept_lock : acquired accept lock
saslauthd[10006] :do_auth         : auth success: [user=user_name] [service=smtp] [realm=] [mech=pam]
saslauthd[10006] :do_request      : response: OK

This line is written in the “/var/log/mail.log”:

Jan  3 20:06:15 mailserver sm-mta[10043]: AUTH=server, relay=mailclient.domain [192.168.1.197], authid=user_name, mech=LOGIN, bits=0
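The “bits=0” at the end of that log line is the TLS cipher strength of the session: 0 means the LOGIN exchange above crossed the network unencrypted, which is expected here only because “O AuthOptions=p” was commented out for the test. The following script is an added example (not part of the original howto) that extracts AUTH=server events from mail.log lines and flags the ones that happened without TLS; the log lines it reads are constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: find sendmail AUTH=server events whose session had no TLS.
# Not part of the original howto; feed it /var/log/mail.log to check a
# real server:  plaintext_auths "$(cat /var/log/mail.log)"

# Constructed sample of /var/log/mail.log lines for this example.
SAMPLE_LOG='Jan  3 20:06:15 mailserver sm-mta[10043]: AUTH=server, relay=mailclient.domain [192.168.1.197], authid=user_name, mech=LOGIN, bits=0
Jan  3 20:09:02 mailserver sm-mta[10051]: STARTTLS=server, relay=mailclient.domain [192.168.1.197], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Jan  3 20:09:03 mailserver sm-mta[10051]: AUTH=server, relay=mailclient.domain [192.168.1.197], authid=user_name, mech=LOGIN, bits=256
Jan  3 20:12:40 mailserver sm-mta[10060]: v03JCeAB010060: from=<user_name@your_mail_domain>, size=312, class=0, nrcpts=1, proto=ESMTP, daemon=MSP-v4, relay=mailclient.domain [192.168.1.197]'

# auth_events LOG -> one "authid mech bits relay" record per AUTH=server line.
auth_events() {
    printf '%s\n' "$1" | awk '
        /AUTH=server/ {
            authid = ""; mech = ""; bits = ""; relay = ""
            for (i = 1; i <= NF; i++) {
                sub(/,$/, "", $i)          # strip the trailing comma of key=value fields
                if ($i ~ /^authid=/) authid = substr($i, 8)
                if ($i ~ /^mech=/)   mech   = substr($i, 6)
                if ($i ~ /^bits=/)   bits   = substr($i, 6)
                if ($i ~ /^relay=/)  relay  = substr($i, 7)
            }
            print authid, mech, bits, relay
        }'
}

# plaintext_auths LOG -> only the records whose session had no TLS (bits=0).
plaintext_auths() {
    auth_events "$1" | awk '$3 == 0'
}

# count_plaintext_auths LOG -> number of such records.
count_plaintext_auths() {
    plaintext_auths "$1" | wc -l | tr -d ' '
}

echo "all AUTH=server events (authid mech bits relay):"
auth_events "$SAMPLE_LOG"
echo "authenticated without TLS: $(count_plaintext_auths "$SAMPLE_LOG")"
plaintext_auths "$SAMPLE_LOG"
```

On a server where AuthOptions=p is in force, plaintext_auths should print nothing; any bits=0 record after that is a client that was allowed to authenticate in the clear and is worth a look.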

5.2.4 Submit mail message

Once authenticated you can send a mail message via the submission service:

Mail from: user_name@your_mail_domain
250 2.1.0 user_name@your_mail_domain... Sender ok
Rcpt to: other_person@somedom.com
250 2.1.5 other_person@somedom.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Hello
I hope this message finds you well.
.
250 2.0.0 v03J5SE3010043 Message accepted for delivery
QUIT
221 2.0.0 your_mailserver.domain closing connection
Connection closed by foreign host.

5.3 Renew Sendmail server certificate

Remove the old certificate:

# cd /etc/mail

# rm tls/sendmail-server.crt

Create new certificate:

# sendmailconfig

Simply accept the defaults.

5.4 View Sendmail server certificate

# openssl x509 -in /etc/mail/tls/sendmail-server.crt -text

6. Documentation

On-board docs (package sendmail-doc):
cf/README: /usr/share/doc/sendmail-doc/cf.README.gz
Sendmail Installation and Operation Guide: /usr/share/doc/sendmail-doc/op/op.ps.gz


Copyright © 2019 Tux4u.be
Author: Marjan Waldorp; sendmail-submission-howto 2019-03-05

2)
e.g. Thunderbird, Evolution.
3)
The authentication requirement prevents the mailserver from becoming an “Open Relay” (spam server).
4)
The MTA listens on TCP port 25 (smtp).
5)
“Pluggable Authentication Modules”
PAM is an authentication framework for Linux systems.
6)
Debian script “/usr/share/sendmail/update_auth” suggests adding SASL2 to the /etc/mail/submit.mc.
However this doesn't make much sense since the submit.mc configures the MSP service of sendmail, not the MTA service daemon!
(The Mail Submission Program (MSP) transfers mail from local programs e.g. /bin/mail to the Sendmail MTA service daemon.)
7)
EHLO: “Extended Hello”
linux/network/mail/sendmail-submission-howto.txt · Last modified: 2019/03/05 19:07 (External edit)