OT Sendmail help on new sendmail/MS/SA install
Quentin Campbell
Q.G.Campbell at NEWCASTLE.AC.UK
Tue Jun 14 17:24:17 IST 2005
Glenn
I recently set up two authenticating SMTP servers on RH AS 3 systems
using Sendmail.
These do not themselves run MailScanner + SpamAsaassin, etc, but simply
relay the mail they receive to other mail relays here that do.
I made some notes of what I did that might be of some assistance.
The two servers authenticate against a Unix password domain served by a
NIS server here. If you are authenticating against a local password file
or using some other authentication mechanism then ignore the NIS steps
and change the sendmail.mc file definitions accordingly.
1. /etc/nsswitch.conf
passwd: compat
shadow: compat
1a. /etc/passwd & /etc/shadow
Add the "+" escape line to end of ecah file.
2. Ensure /etc/yp.conf lists our three NIS servers.
Do once on server "domainname ucs_sys5" to set NIS domain name.
chkconfig ypbind on
service ypbind start
3. Need /etc/init.d/sendmail enabled and /etc/init.d/MailScanner
disabled.
Edited 'sendmail' script to stop rebuild of virtusertable and
friends.
4. Edit /etc/sysconfig/iptables to allow connections to ports 465 & 587
as well as port 25 for SMTP.
service iptables restart
5. /etc/mail/sendmail.mc
The M4 macro definitions below are for a server that requires
STARTTLS to be negotiated first before SMTP AUTH. This is because in
our case plain Unix password have to be exchanged between the clients
and the server.
You will need most of these features in your sendmail.mc file. Change
location
of files as appropriate for your site.
define(`confPRIVACY_FLAGS', `goaway,noetrn')dnl
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define(`confCACERT_PATH',`/etc/mail/certs')
define(`confCACERT',`/etc/mail/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/etc/mail/certs/sendmail.pem')
define(`confSERVER_KEY',`/etc/mail/certs/sendmail.pem')
define(`confCLIENT_CERT',`/etc/mail/certs/sendmail.pem')
define(`confCLIENT_KEY',`/etc/mail/certs/sendmail.pem')
dnl These AUTH options force a secure link to be negotiated _before_
dnl plain login/password authentication can be used. Thus in the first
dnl EHLO response STARTTLS is offered then a new set of options is
offered
dnl this time including AUTH.
define(`confAUTH_OPTIONS', `A p y')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `')dnl
dnl smtp = 25
DAEMON_OPTIONS(`Port=smtp,Name=MTA,Modify=Ea')
dnl smtps = 465
DAEMON_OPTIONS(`Port=smtps,Name=TLSMTA,Modify=Ea')
dnl submission = 587
dnl There is no way to directly change the settings of MSA in .mc file.
dnl Workaroud below the 'no_default_msa' option prevents automatic
creation
dnl of an mc configuration entry for an MSA. We then insert our own
dnl declaration with our new settings.
FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Port=submission,Name=MSA,Modify=Ea')
6. Need /etc/init.d/sendmail enabled and /etc/init.d/MailScanner
disabled.
Edited 'sendmail' script to stop rebuild of virtusertable and
friends.
7. Edit /etc/sysconfig/iptables to allow connections to ports 465 & 587
as well as port 25 for SMTP.
service iptables restart
8. /etc/mail/smtpauth.mc
Build from MC definition thus: m4 sendmail.mc >sendmail.cf
6. /etc/mail/certs
Location of certs used by sendmail is /etc/mail/certs.
To test the servers (smtpauth1 & smtpauth2), on each machine did:
(i) cd /usr/share/ssl/certs
make sendmail.pem
[Answer the prompts sensibly, Only important one is the server
name which must be the FQDN (ie. smtpauth1.ncl.ac.uk)].
(ii) cp sendmail.pem /etc/mail/certs
(iii) edited /etc/mail/sendmail.cf so that the lines with the strings
/etc/mail/certs/sendmail_cert.pem
/etc/mail/certs/sendmail_key.pem
become
/etc/mail/certs/sendmail.pem
/etc/mail/certs/sendmail.pem
NB: Should update sendmail.mc to make this change permanent.
(iv) service sendmail start
I hope this info might give you some hints as to how to progress things.
Quentin
---
PHONE: +44 191 222 8209 Information Systems and Services (ISS),
University of Newcastle,
Newcastle upon Tyne,
FAX: +44 191 222 8765 United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."
>-----Original Message-----
>From: MailScanner mailing list
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of DNSAdmin
>Sent: 14 June 2005 16:42
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: OT Sendmail help on new sendmail/MS/SA install
>
>Hello All,
>
>I am already knee-deep into a new server that is implementing
>sendmail.
>Yes, I know I will get an earful of "not the appropriate list" or "you
>should really try/use QMail or Postfix." I don't know where
>else I could
>get an expert answer to this.
>
>I have a fresh MailScanner, SpamAssassin, Sendmail install on
>CentOS 3.4
>(equivalent to RedHat 3.0 ES). I just cannot seem to put all
>the pieces of
>SMTP_AUTH together. I have a server that will relay mail if
>you spoof one
>of my addresses. I used to use popb4smtp and qpopper on an
>older sendmail
>installation, but It seems they are quite old and outdated?
>
>I have hit the Search engines and the sendmail.org site. I
>have found all
>kinds of links that have pieces of the puzzle, but no one puts it all
>together in a simple, concise, do this, this and this, TEST
>and be happy. I
>have tried many of the pieces and still get no Relaying at
>all. However,
>I'm anticipating the state where I end up unacceptably insecure and a
>gaping gateway waiting for a SPAMMER to poke holes!
>
>Some examples of my reading thus far:
>http://www.sendmail.org/m4/anti_spam.html
>http://www.sendmail.org/~ca/email/auth.html
>http://www.sendmail.org/~ca/email/check.html
>http://www.sendmail.org/~ca/email/relayingdenied.html
>http://www.linux-sec.net/Mail/Sendmail/
>http://www.centos.org/modules/newbb/viewtopic.php?topic_id=589&
>forum=31&post_id=1967#forumpost1967
>
>So far this appears the most promising:
>http://www.sendmail.org/~ca/email/roaming.html
>
>Is it really that bad??? This does not appear to be simple. It
>looks like a
>good opportunity for me to wreck the server!
>
>Please! Links? Help? Am I suffering TMI?
>
>I am going to have all kinds of Windows Outlook, Mac
>Entourage, Eudora,
>Thunderbird users some of which who will not want to or
>understand how to
>authenticate over SSL. A few might. I will have roaming users.
>I will work
>on TLS/SSL after I get some sort of SMTP authentication
>working. It will
>have to be a plain old ISP-style mail server to start, but I need SMTP
>authentication!
>
>Thanks,
>Glenn Parsons
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>http://www.sng.ecs.soton.ac.uk/mailscanner/
>Configuration by Glenn Parsons dnsadmin-at-1bigthink.com
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list