OpenBSD Sendmail + SMTP AUTH Mini-HOWTO

Introduction

This Mini-HOWTO describes the steps I took to set up sendmail with SMTP AUTH [RFC 2554] support on OpenBSD 2.9. It covers recompiling OpenBSD's sendmail sources with support for SASL [RFC 2222], which SMTP AUTH is based on. Note that I am talking about the sendmail source code distributed with OpenBSD's source tree here (ie. from the OpenBSD 2.9 src.tar.gz archive file) and not the sendmail source tarball distributed by www.sendmail.org.

Caveat and Disclaimer

If you are following these instructions with a version of OpenBSD other than 2.9, your mileage may vary. Another version of OpenBSD should be fairly similar, but you may well have some additional problem solving to do.

As usual, I am responsible for nothing you do. You are responsible for everything you do. If you destroy your system, it is your fault. It is not my fault, the fault of my parents, the fault of my children or the fault of my dog.

Recompiling OpenBSD's Sendmail with SASL Support

In order to recompile sendmail with SASL support, you will need to first install the 'cyrus-sasl' port from the OpenBSD ports tree. The following steps will accomplish this.

  o Download ports.tar.gz

  o Untar it in /usr with a command like
    tar -C /usr -xvzf ports.tar.gz

  o cd to
    /usr/ports/security/cyrus-sasl

  o Do a
    make install ; make clean

Next, you will need to install the OpenBSD source tree so the sendmail source is available. The following steps will accomplish this.

  o Download src.tar.gz

  o Untar it in /usr/src with a command like
    tar -C /usr/src -xvzf src.tar.gz

Now, to recompile sendmail with the SASL libraries and SASL support, do the following.

  o cd to
    /usr/src/gnu/usr.sbin/sendmail/sendmail

  o Edit the Makefile in this directory as follows
    Add -DSASL to the ENVDEF variable
    Add -lsasl to the LDADD variable

  o Edit the sendmail.h file and change
    # include <sasl.h>
    to
    # include <sasl/sasl.h>

  o Make the following symlinks
    ln -s /usr/local/include/sasl /usr/include/sasl
    cd /usr/local/lib ; ln -s libsasl.so.8.8 libsasl.so

  o Add /usr/local/lib to your LD_LIBRARY_PATH like so
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib

  o cd to
    /usr/src/gnu/usr.sbin/sendmail

  o Do a
    make ; make install ; make clean

Now, assuming god loves you, your sendmail binary has SMTP AUTH support. :-)

Fixing OpenBSD's 'cyrus-sasl' Port

For some reason, although the cyrus-sasl port makes symlinks as required in the /usr/local/lib/sasl directory, it makes them all wrong. It makes dangling symlinks to library files that don't exist! In order to have your new sendmail binary actually be able to support SMTP AUTH via these sasl libraries, you need to delete all the symlinks in this directory and re-create them such that they actually point to the real library files. For example, the following should do it.

  cd /usr/local/lib/sasl
  find . -type l -exec rm {} \;
  ln -s libanonymous.so.1.15 libanonymous.so
  ln -s libcrammd5.so.1.15 libcrammd5.so
  ln -s libdigestmd5.so.0.17 libdigestmd5.so
  ln -s libkerberos4.so.1.15 libkerberos4.so
  ln -s libplain.so.1.14 libplain.so
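As an added example (mine, not from the HOWTO), here is the same repair as a reusable sh function: it removes dangling links in the directory, derives each libNAME.so link from whatever versioned libNAME.so.X.Y is actually installed instead of hard-coding the version numbers above, and lists anything still dangling afterwards. It assumes one installed version per plugin, as in the listing above.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: rebuild the cyrus-sasl plugin symlinks
# so each libNAME.so points at the versioned libNAME.so.X.Y actually installed.
# Assumes one installed version per plugin, as in the HOWTO's listing.

# Print every symlink under $1 whose target does not exist.
# -type l matches symlinks; "test -e" follows the link and fails if the
# target is missing, so "! -exec test -e" selects only the dangling ones.
dangling_links() {
    find "$1" -type l ! -exec test -e {} \; -print
}

fix_sasl_links() {
    dir=$1
    [ -d "$dir" ] || { echo "fix_sasl_links: no such directory: $dir" >&2; return 1; }

    # 1. Drop symlinks whose target is missing. -L is true for a symlink,
    #    -e follows it and is false only when the target does not exist.
    for link in "$dir"/*.so; do
        [ -L "$link" ] || continue
        [ -e "$link" ] || rm -f "$link"
    done

    # 2. For every real versioned library, create the unversioned link that
    #    the SASL library looks for, unless a valid one already exists.
    for lib in "$dir"/lib*.so.*; do
        [ -f "$lib" ] || continue
        base=${lib##*/}                 # e.g. libplain.so.1.14
        stem=${base%%.so.*}.so          # e.g. libplain.so
        [ -e "$dir/$stem" ] && continue
        ln -s "$base" "$dir/$stem"
        echo "linked $stem -> $base"
    done

    # 3. Report anything still dangling; empty output means the directory is clean.
    dangling_links "$dir"
}

# Repair the directory the port populates, if this machine has it.
[ -d /usr/local/lib/sasl ] && fix_sasl_links /usr/local/lib/sasl
```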

At this point, your sendmail binary and the SASL libraries it is dependent on for SMTP AUTH support are all ready to rock. All you need to do now in order to make use of SMTP AUTH is configure SASL and sendmail. Note that if you do no additional configuration from this point, your sendmail should continue to function fine. It will just not have SMTP AUTH configured for use.

Creating a SASL Sendmail.conf file

You need to create a /usr/local/lib/sasl/Sendmail.conf file for sendmail. The content of mine is as follows, but your requirements may differ.

  pwcheck_method: sasldb

This makes SMTP AUTH use /etc/sasldb, the SASL database.

The possible arguments to pwcheck_method here are:

  sasldb         The user is looked up in sasldb with the realm
  passwd         The user is looked up via getpwnam()
  shadow         The user is looked up via getspnam()
  PAM            The user is looked up via PAM
  kerberos_v4    The user is looked up via KERBEROS V4
  pwcheck        The user/passwd combination is checked via a separate daemon

Use whatever suits your need, but I am concentrating on sasldb here.

Configuring Users

To create users with associated passwords in /etc/sasldb, use the 'saslpasswd' command as follows:

  saslpasswd someuser

It will prompt you to enter the password twice and then create or modify the specified user accordingly. Note that the /etc/sasldb file is created the first time this command is used. Be sure the ownership and permissions are appropriate upon creation (ie. read and write by root only).

You can check the contents of /etc/sasldb with the 'sasldblistusers' command.
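An added check (mine, not the HOWTO's) for the ownership and permission requirement just stated: it reads the mode and owner of /etc/sasldb from ls -ld, which works the same on OpenBSD and other POSIX systems, and says exactly what to fix when the file is world-readable or not owned by root.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: verify that /etc/sasldb, which
# saslpasswd creates on first use, is readable and writable by root only.
# Parses ls -ld rather than stat(1), whose flags differ between OpenBSD and GNU.

# Print "<mode> <owner>" for a file, e.g. "-rw------- root".
file_mode_owner() {
    set -- $(ls -ld "$1")
    mode=${1%[+@.]}             # strip the ACL/xattr/SELinux marker some ls append
    printf '%s %s\n' "$mode" "$3"
}

# Return 0 when the file has mode 0600 and the expected owner (default root),
# 1 when ownership or permissions are wrong, 2 when the file does not exist.
check_sasldb() {
    db=${1:-/etc/sasldb}
    want_owner=${2:-root}
    [ -f "$db" ] || { echo "$db: missing (run saslpasswd once to create it)" >&2; return 2; }
    set -- $(file_mode_owner "$db")
    mode=$1 owner=$2
    [ "$mode" = "-rw-------" ] || {
        echo "$db: mode is $mode, want -rw------- (chmod 600 $db)" >&2; return 1; }
    [ "$owner" = "$want_owner" ] || {
        echo "$db: owned by $owner, want $want_owner (chown $want_owner $db)" >&2; return 1; }
    echo "$db: ok ($mode $owner)"
}

# Check the real database if this machine has one.
[ -f /etc/sasldb ] && check_sasldb /etc/sasldb
```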

Configuring /etc/mail/sendmail.cf

In order to have relaying for authenticated users actually work, you will need to make some additions to your /etc/mail/sendmail.cf file. Using the m4 configuration method, I added the following to my domain.m4 file and regenerated sendmail.cf.

define(`confAUTH_MECHANISMS',`DIGEST-MD5 CRAM-MD5 GSSAPI KERBEROS_V4')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 GSSAPI KERBEROS_V4')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/default-auth-info')dnl
FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Name=MTA')
DAEMON_OPTIONS(`Port=587, Name=MSA, M=a')dnl

Your requirements may be different however, so I caution you to read the relevant sections of the sendmail README file and whatever other resources are necessary for you to have properly done your homework on this.

That's all I'm going to say about configuring sendmail because I figure that if you don't already have a pretty darn good idea how to do it, you probably aren't reading this.

Resources

Additional, relevant webpages that may be of interest:

  o  SMTP AUTH in sendmail 8.10/8.11

  o  Cyrus SASL for System Administrators

Additional, relevant RFCs that may be of interest:

  o  RFC 2595     Using TLS with IMAP, POP3 and ACAP

Afterthought

One can remove the program identification and version number from sendmail's SMTP login message by including something like...

  define(`confSMTP_LOGIN_MSG', `$j MYOB; $b')dnl

in one of the m4 configuration files used to generate one's sendmail.cf file.

One can remove the program identification and version number from sendmail's Received: headers by including something like...

  define(`confRECEIVED_HEADER', `$?sfrom $s $.$?_($?s$|from $.$_)
          $.$?{auth_type}(authenticated)
          by $j (MYOB)$?r with $r$. id $i$?u
          for $u; $|; $.$b')dnl

in one of the m4 configuration files used to generate one's sendmail.cf file.

Unfortunately, however, there is no configuration option I am aware of that will allow one to remove the program identification and version number from sendmail's response to the HELP command. Therefore, one must edit sendmail's srvrsmtp.c source file and recompile sendmail in order to eliminate this. For example:

  vi /usr/src/gnu/usr.sbin/sendmail/sendmail/srvrsmtp.c

  and change

  message("502 5.3.0 Sendmail %s -- HELP not implemented",
          Version);

  to something like

  message("502 5.3.0 MYOB");

Good Luck,

-- Kyle Amon

BackWatcher, Inc.
Information Security Solutions
http://www.backwatcher.com/
support@backwatcher.com
813-655-8056