Encryption for Sendmail

Why do this at all? Mostly because users want to connect to the mail server from mobile devices (phones and tablets) and see their mail exactly as it appears on their PCs.

Prerequisites: a functioning mail server (in my case RHEL 6U2 with MailScanner + Sendmail + Dovecot + Apache + Cyrus).

Check whether Sendmail was compiled with SSL (STARTTLS) and SASL support:
# sendmail -d0.1 -bv
Version 8.14.4
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = mail-2012
(canonical domain name) $j = mail-2012.test
(subdomain name) $m = test
(node name) $k = mail-2012.test
========================================================

How to generate a local certificate (self-signed, not one issued by a root CA):
# cd /etc/pki/tls/certs
# make sendmail.pem
.... answer the standard certificate questions.
In the end you get a certificate in /etc/pki/tls/certs:
-rw------- 1 root root 3129 Sep 25 10:04 sendmail.pem

This certificate needs to be activated in /etc/mail/sendmail.mc:
define(`confAUTH_OPTIONS', `A y')dnl
With this we require authentication and ban anonymous login.

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

DAEMON_OPTIONS(`Port=smtp, Name=MSA, M=bh')dnl So it also works on port 25
DAEMON_OPTIONS(`Port=smtps, Name=MSA, M=s')dnl For port 465
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl For port 587
E disallows ETRN (see RFC 2476); a requires SMTP authentication.
Note: all of these lines already exist in the file; only the leading dnl (which comments them out) needs to be removed.

# /etc/mail/make
# service MailScanner restart

Test the setup (port 25, port 587 submission and port 465 smtps):
# telnet 127.0.0.1 587
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail-2012.trezor ESMTP Sendmail 8.14.4/8.14.4; Tue, 25 Sep 2012 10:43:16 +0200
starttls Type this manually
220 2.0.0 Ready to start TLS

# telnet 127.0.0.1 587
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail-2012.trezor ESMTP Sendmail 8.14.4/8.14.4; Tue, 25 Sep 2012 10:50:57 +0200
auth plain Type this manually
334 So "plain" authentication is allowed as well

# telnet 127.0.0.1 465
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
No banner appears on port 465: smtps expects the TLS handshake before any SMTP dialogue, so a plain telnet session shows nothing (use openssl s_client -connect 127.0.0.1:465 to test it).

# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail-2012.trezor ESMTP Sendmail 8.14.4/8.14.4; Tue, 25 Sep 2012 14:15:09 +0200
ehlo localhost
250-mail-2012.trezor Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
starttls
220 2.0.0 Ready to start TLS
334 VXNlcm5hbWU6
Connection closed by foreign host.

[root@mail-2012 mail]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail-2012.test ESMTP Sendmail 8.14.4/8.14.4; Tue, 25 Sep 2012 14:16:00 +0200
ehlo localhost Type this manually
250-mail-2012.test Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
auth login Type this manually
334 VXNlcm5hbWU6
dmVs(*ppE= Type this manually, username in Base64
334 UGFzc3dvcmQ6
OoTkklmR1ci5taW5l Type this manually, pass in Base64
235 2.0.0 OK Authenticated
mail from: velda@test.rs
250 2.1.0 velda@test.rs… Sender ok
rcpt to: velda@test.rs
250 2.1.5 velda@test.rs… Recipient ok
data
354 Enter mail, end with "." on a line by itself
sa servera 14:18
.
250 2.0.0 q8PCG0QF009231 Message accepted for delivery
quit
221 2.0.0 mail-2012.test closing connection
Connection closed by foreign host.
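The sessions above show AUTH LOGIN being accepted over an unencrypted port-25 connection, which is the thing a defender wants to spot. The following is an added example, not code from the original post: it parses EHLO replies like the ones above, reports whether STARTTLS is offered and which cleartext-capable AUTH mechanisms are advertised before TLS, and can run the same check against a live server. The sample reply is copied from the transcript above; the probe() function and its host/port arguments are my own additions.

```python
import smtplib
from typing import Optional

# Mechanisms that send the password base64-encoded, i.e. in the clear without TLS.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}

# EHLO reply copied from the port-25 telnet session above.
SAMPLE_EHLO = """\
250-mail-2012.test Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""

def parse_ehlo(reply: str) -> dict:
    """Map each '250-KEYWORD params' line to {KEYWORD: [PARAMS]}, skipping the greeting."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:
        parts = line[4:].split()            # drop the '250-' / '250 ' prefix
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps

def audit(pre_tls: dict, post_tls: Optional[dict] = None) -> dict:
    """Flag cleartext-capable AUTH mechanisms advertised before STARTTLS."""
    exposed = CLEARTEXT_MECHS & set(pre_tls.get("AUTH", []))
    report = {"starttls": "STARTTLS" in pre_tls,
              "cleartext_auth_offered": sorted(exposed)}
    if post_tls is not None:
        report["auth_after_tls"] = sorted(post_tls.get("AUTH", []))
    return report

def probe(host: str, port: int = 587, timeout: float = 10) -> dict:
    """Live check: EHLO, STARTTLS, EHLO again, then audit both capability sets."""
    def caps(s):  # smtplib stores {keyword: "param string"}; normalise to lists
        return {k.upper(): v.upper().split() for k, v in s.esmtp_features.items()}
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre, post = caps(s), None
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo()                        # capabilities may differ after TLS
            post = caps(s)
    return audit(pre, post)
```

A non-empty cleartext_auth_offered list is the finding to act on: Sendmail's confAUTH_OPTIONS flag p restricts such mechanisms to connections that already have a security layer.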

For authentication to be enforced on outgoing SMTP as well, the saslauthd service MUST be up and running (and configured to start when the server boots).
# service saslauthd start

For POP3S (port 995) to work, set the following lines in /etc/dovecot/dovecot.conf:
ssl = yes
ssl_cert =
