Sendmail Config Authenticated SMTP

From Playing with linux...

I made the following configuration:


  • Sendmail SMTP (listening on port 25 and on the SMTPS port 465)
  • Authentication through cyrus-sasl2's saslauthd (listening on the socket /var/state/saslauthd/mux)
  • saslauthd checks the password through PAM (with the pam_radius module)
  • pam_radius forwards the check to FreeRADIUS (for now with the accounts in the users file)

So the chain is sendmail -> saslauthd -> PAM -> pam_radius -> FreeRADIUS, and for it to work you need FreeRADIUS, pam_radius, Linux-PAM, cyrus-sasl2 and sendmail.

N.B.: I did this on my favourite distro, Slackware 13.37.

FreeRadius

I used the slackbuild from http://slackbuilds.org/repository/13.37/network/freeradius-server/

No problems there. After installing it I added a test user 'testuser' with password 'password' to /etc/raddb/users (a Cleartext-Password entry).

Just to be sure it worked I started freeradius and tested the server with radtest (the arguments are user, password, server, NAS port number and shared secret). 'testing123' is the shared secret the stock clients.conf defines for the localhost client; change it on anything but a test box, and keep it identical to the one in /etc/raddb/server below.

radtest testuser password 127.0.0.1 1812 testing123

You should get something like:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=131, length=20

Linux-PAM

Unfortunately http://slackbuilds.org/mirror/slackware/slackware-13.37/extra/source/pam/pam.SlackBuild didn't work for me, so I built it myself with the commands below. Note that --no-check-certificate disables TLS verification of the download, so check the tarball against the checksum or signature the project publishes before you build it:

wget --no-check-certificate https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-1.1.5.tar.bz2
tar -jxf Linux-PAM-1.1.5.tar.bz2
cd Linux-PAM-1.1.5
./configure --disable-nis --disable-selinux --disable-nls --prefix=/usr
make && make install

pam_radius

Download from: http://freeradius.org/pam_radius_auth/

Install:

wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz
tar -zxf pam_radius-1.3.17.tar.gz
cd pam_radius-1.3.17
make
cp -a pam_radius_auth.so /lib/security/

The pam_radius client configuration file /etc/raddb/server contains (the comments are from the sample file shipped with pam_radius):

#  pam_radius_auth configuration file.  Copy to: /etc/raddb/server
#
#  For proper security, this file SHOULD have permissions 0600,
#  that is readable by root, and NO ONE else.  If anyone other than
#  root can read this file, then they can spoof responses from the server!
#
#  There are 3 fields per line in this file.  There may be multiple
#  lines.  Blank lines or lines beginning with '#' are treated as
#  comments, and are ignored.  The fields are:
#
#  server[:port] secret [timeout]
#
#  the port name or number is optional.  The default port name is
#  "radius", and is looked up from /etc/services The timeout field is
#  optional.  The default timeout is 3 seconds.
#
#  If multiple RADIUS server lines exist, they are tried in order.  The
#  first server to return success or failure causes the module to return
#  success or failure.  Only if a server fails to respond is it skipped,
#  and the next server in turn is used.
#
#  The timeout field controls how many seconds the module waits before
#  deciding that the server has failed to respond.
#
# server[:port] shared_secret      timeout (s)
127.0.0.1:1812  testing123             1
#other-server    other-secret       3

#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.

As the comments say, chmod 600 /etc/raddb/server: the shared secret is all that authenticates the RADIUS server's answers to pam_radius. I also made a file called /etc/pam.d/other with the following content. Note that /etc/pam.d/other is the fallback stack for every service that has no file of its own, so this makes every PAM-using program on the box accept RADIUS logins; a per-service file such as /etc/pam.d/smtp (smtp is the service name sendmail hands to SASL, and so to saslauthd and PAM) keeps it limited to mail:

auth       sufficient   /lib/security/pam_radius_auth.so
account    sufficient   /lib/security/pam_radius_auth.so
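The FreeRADIUS users entry, the pam_radius secret file and the PAM stack from the three sections above, put together in one script. This is an added example, not code from the original page; it writes under a prefix so it can be dry-run in a scratch directory, creates the secret file 0600 as the file's own comments demand, and uses a per-service /etc/pam.d/smtp closed with pam_deny instead of the catch-all /etc/pam.d/other. It assumes (the page does not say so) that saslauthd asks PAM for the service name sendmail passes to SASL, "smtp", and that pam_deny.so is found in PAM's default module directory.

```shell
#!/bin/sh
# Added example, not code from the original page: provision the three
# files the FreeRADIUS, pam_radius and PAM sections above describe,
# under a root prefix so it can be dry-run in a scratch directory
# (pass '' as the prefix for the live system).
#
# Assumptions not stated on the page: saslauthd asks PAM for the service
# name sendmail passes to SASL, "smtp", and pam_deny.so is found in
# PAM's default module directory (use a full path otherwise).
#
# Usage: sh provision-auth-chain.sh <prefix> <user> <password> <radius-secret>
#   e.g. sh provision-auth-chain.sh '' testuser password testing123

# 1. FreeRADIUS: a Cleartext-Password entry in the users file.
add_radius_user() {
    prefix=$1; user=$2; pass=$3
    mkdir -p "$prefix/etc/raddb"
    printf '%s Cleartext-Password := "%s"\n' "$user" "$pass" \
        >> "$prefix/etc/raddb/users"
}

# 2. pam_radius: the client file with the shared secret. The secret must
#    match the localhost client in FreeRADIUS's clients.conf, and the file
#    is created 0600 (umask in a subshell) so it is never readable by
#    anyone but root, as its own comments demand.
write_pam_radius_server() {
    prefix=$1; secret=$2
    f="$prefix/etc/raddb/server"
    mkdir -p "$prefix/etc/raddb"
    # server[:port]   shared_secret   timeout(s)
    ( umask 077; printf '127.0.0.1:1812 %s 1\n' "$secret" > "$f" )
    chmod 600 "$f"
}

# 3. PAM: a per-service stack instead of the catch-all /etc/pam.d/other,
#    closed with pam_deny so the stack never succeeds merely because no
#    module returned a verdict.
write_pam_service() {
    prefix=$1; service=$2
    mkdir -p "$prefix/etc/pam.d"
    cat > "$prefix/etc/pam.d/$service" <<'EOF'
auth       sufficient   /lib/security/pam_radius_auth.so
auth       required     pam_deny.so
account    sufficient   /lib/security/pam_radius_auth.so
account    required     pam_deny.so
EOF
}

# Checks to run afterwards: prints "ok" when the secret file mode is
# exactly 0600, otherwise "bad".
check_secret_file_mode() {
    f="$1/etc/raddb/server"
    if [ -n "$(find "$f" -perm 600 2>/dev/null)" ]; then echo ok; else echo bad; fi
}

# Prints "ok" when the last "auth" line of the service file is pam_deny.
pam_stack_ends_in_deny() {
    last=$(grep '^auth' "$1/etc/pam.d/$2" | tail -n 1)
    case $last in *pam_deny.so*) echo ok ;; *) echo bad ;; esac
}

provision() {
    add_radius_user "$1" "$2" "$3"
    write_pam_radius_server "$1" "$4"
    write_pam_service "$1" smtp
    echo "/etc/raddb/server mode: $(check_secret_file_mode "$1")"
    echo "/etc/pam.d/smtp ends in pam_deny: $(pam_stack_ends_in_deny "$1" smtp)"
}

if [ $# -eq 4 ]; then provision "$@"; fi
```

With a per-service file in place, test saslauthd with the same service name (testsaslauthd -s smtp); with the catch-all /etc/pam.d/other from the page, any -s value works.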

cyrus-sasl2

Unfortunately PAM support is left out of the stock cyrus-sasl package in Slackware 13.37, because Slackware does not ship a PAM package, so you need to rebuild it with PAM support. There's a SlackBuild you can adapt at: http://slackbuilds.org/mirror/slackware/slackware-13.37/source/n/cyrus-sasl/

Just add --with-pam \ to the ./configure line in that SlackBuild.

After you start 'saslauthd -a pam', you can test the authentication with 'testsaslauthd -u user -p password -s Sendmail'; a working chain answers '0: OK "Success."'. The -s argument is the PAM service name saslauthd will look up: with /etc/pam.d/other as the catch-all any name works, but sendmail itself presents the service name smtp, so test with -s smtp if you set up a per-service file.

Sendmail

Adapt Slackware's sendmail-slackware-tls-sasl.mc a bit. It should contain at least something like the following (the comments on the AUTH_OPTIONS and M= flags follow sendmail's cf/README):

dnl# Allow SASL authentication/relaying. AUTH_OPTIONS flags:
dnl#   A = send the AUTH= parameter on MAIL FROM only when authentication succeeded
dnl#   p = do not offer mechanisms open to passive sniffing (PLAIN, LOGIN)
dnl#       unless a security layer (TLS) is already active
dnl#   y = do not offer mechanisms that allow anonymous login
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl# Mechanisms whose successful authentication is trusted for relaying:
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl# Modifier flags after M= below that might need to be changed are:
dnl#   E = do not allow ETRN
dnl#   s = SMTPS, i.e. start TLS immediately on connect instead of
dnl#       waiting for STARTTLS
dnl#   a = require authentication on this port
DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=Esa')dnl
LOCAL_CONFIG
dnl# Drop the SSLv2 ciphersuites so SSLv2 cannot be negotiated:
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL

Check what that CipherList actually selects with openssl ciphers -v before you trust it: !EXPORT56 only excludes the 56-bit export ciphers and +EXP merely moves the remaining (40-bit) export ciphers to the end of the list instead of removing them, RC4 and MEDIUM stay in, and +eNULL is a no-op because the earlier !NULL is permanent. Then create /etc/sasl2/Sendmail.conf (Sendmail is the application name sendmail registers with SASL, hence the file name) with the following content:

pwcheck_method:saslauthd
mech_list: PLAIN LOGIN

Oh, and you cannot use CRAM-MD5 or DIGEST-MD5 with this chain: saslauthd only verifies a plaintext password handed to it, while those challenge-response mechanisms need the server side to have the plaintext password (or an auxprop plugin that can fetch it), and pam_radius only ever gets an accept or reject back from RADIUS: http://www.phwinfo.com/forum/comp-mail-sendmail/527486-sendmail-cyrus-sasl-authentication-mystery.html
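The page gives no way to test the finished sendmail end of the chain, so here is an added probe script (not code from the original page). It builds the AUTH PLAIN token the way a mail client does, logs in over the SMTPS port, and checks that port 25 does not advertise LOGIN/PLAIN before STARTTLS, which is what the 'p' in confAUTH_OPTIONS is meant to guarantee. It assumes openssl(1), nc(1) and base64(1) are installed; the EHLO replies embedded in it are constructed for the offline self-check, not captured from a server.

```shell
#!/bin/sh
# Added example, not code from the original page: an end-to-end SMTP AUTH
# probe for the sendmail setup above. It builds the AUTH PLAIN token the
# way a mail client does, logs in over the SMTPS port, and checks that the
# cleartext port 25 does NOT advertise LOGIN/PLAIN before STARTTLS, which
# is what the 'p' in confAUTH_OPTIONS is meant to guarantee.
#
# Assumptions not stated on the page: openssl(1), nc(1) and base64(1) are
# installed. The EHLO replies below are constructed for the offline
# self-check, not captured from a server.

# RFC 4616 PLAIN: base64( NUL authcid NUL password ), empty authzid.
# The token is only base64, not encryption: it must never cross the wire
# without TLS, hence the port 25 check further down.
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Read an EHLO reply on stdin and print the mechanisms from its
# "250-AUTH ..." line (prints nothing when AUTH is not offered).
mechs_offered() {
    tr -d '\r' | sed -n 's/^250[ -]AUTH //p' | tr '\n' ' ' | sed 's/ *$//'
}

# "ok" when an EHLO reply read on stdin offers no mechanism that exposes
# the password to a passive listener (PLAIN, LOGIN), "leak" otherwise.
# Run it on the reply from a *cleartext* session, before STARTTLS.
cleartext_auth_check() {
    m=$(mechs_offered)
    case " $m " in
        *" PLAIN "*|*" LOGIN "*) echo leak ;;
        *) echo ok ;;
    esac
}

# Constructed replies: what port 465 should say (TLS is up, so AUTH is
# offered) and what port 25 should say before STARTTLS (no AUTH at all).
EHLO_TLS='250-mail.example.test Hello probe [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-AUTH LOGIN PLAIN
250 HELP'
EHLO_CLEAR='250-mail.example.test Hello probe [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-STARTTLS
250 HELP'

# Live login on the SMTPS port. The password comes from the environment
# rather than argv so it does not show up in ps(1). A "235" reply means
# the whole sendmail -> saslauthd -> PAM -> RADIUS chain accepted it.
probe_smtps() {
    host=$1; user=$2; tok=$(auth_plain_token "$user" "$SMTP_PASS")
    { sleep 1; printf 'EHLO probe.example.test\r\n'
      sleep 1; printf 'AUTH PLAIN %s\r\n' "$tok"
      sleep 1; printf 'QUIT\r\n'; } |
        openssl s_client -connect "$host:465" -quiet 2>/dev/null
}

# Live EHLO on port 25 without STARTTLS: must print "ok".
probe_cleartext() {
    { sleep 1; printf 'EHLO probe.example.test\r\n'
      sleep 1; printf 'QUIT\r\n'; } | nc "$1" 25 | cleartext_auth_check
}

if [ $# -eq 2 ]; then
    : "${SMTP_PASS:?set SMTP_PASS in the environment}"
    probe_smtps "$1" "$2"
    echo "port 25 before STARTTLS: $(probe_cleartext "$1")"
else
    # Offline self-check on the constructed replies.
    echo "AUTH PLAIN token for testuser/password: $(auth_plain_token testuser password)"
    echo "SMTPS reply offers: $(printf '%s\n' "$EHLO_TLS" | mechs_offered)"
    echo "cleartext reply:    $(printf '%s\n' "$EHLO_CLEAR" | cleartext_auth_check)"
fi
```

Run it against the live server as SMTP_PASS=password sh smtp-auth-probe.sh mail.example.test testuser; without arguments it only exercises the token builder and the EHLO parser on the constructed replies. If the port 25 check prints "leak", the 'p' flag is not in confAUTH_OPTIONS or the daemon was started from a different .cf than you think.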