
Freebsd 12.1-RELEASE Sendmail SMTP-Auth Configuration

// Total time 5-10 minutes
// Important: Remove any modifications you make to /etc/mail/freebsd.mc

NOTE:
This document explains how to compile the default sendmail to support SMTP AUTH; however,
you also have the option to install the sendmail pkg from the packages collection.
This way you don't have to compile sendmail: the sendmail version in the pkg collection is already compiled with SMTP AUTH enabled!
When you install sendmail from the pkg collection, the system will also install the necessary additional pkgs (cyrus-sasl & cyrus-sasl-saslauthd).
All you have to do is:
root@freebitch12:/ # pkg install sendmail
root@freebitch12:/ # cd /usr/local/etc/mail && cp mailer.conf.sendmail mailer.conf
You still need to follow the configuration below in order to enable SMTP AUTH for sendmail, except that you do NOT need to compile sendmail or install cyrus-sasl and cyrus-sasl-saslauthd.

// check sendmail compiled options
root@freebitch12:/etc/mail # sendmail -d0.1 -bv root

Version 8.15.2
Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
PIPELINING SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
Warning: Option: AuthMechanisms requires SASL support (-DSASL)

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = freebitch12
(canonical domain name) $j = freebitch12.localrouter
(subdomain name) $m = localrouter
(node name) $k = freebitch12
========================================================

root... deliverable: mailer local, user root

// No SASLv2 support: SASLv2 is missing from the "Compiled with" list, and the AuthMechanisms warning above confirms it

root@freebitch12:/etc # pkg install cyrus-sasl cyrus-sasl-saslauthd

Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	cyrus-sasl: 2.1.27_1
	cyrus-sasl-saslauthd: 2.1.27_1

Number of packages to be installed: 2

The process will require 8 MiB more space.

Proceed with this action? [y/N]: y
[1/2] Installing cyrus-sasl-2.1.27_1...
*** Updated user `cyrus'.
[1/2] Extracting cyrus-sasl-2.1.27_1: 100%
[2/2] Installing cyrus-sasl-saslauthd-2.1.27_1...
[2/2] Extracting cyrus-sasl-saslauthd-2.1.27_1: 100%
.....

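// Enable sendmail and saslauthd
// (rc.conf entries take effect at boot; to start saslauthd right away, run: service saslauthd start)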
root@freebitch12:/etc # vim /etc/rc.conf

sendmail_enable="YES"
saslauthd_enable="YES"

// copy freebsd source tree to /usr/src
// required to compile sendmail
root@freebitch12:/etc # svnlite checkout https://svn.freebsd.org/base/releng/12.1/ /usr/src

....
A    /usr/src/tools/bus_space/Python/Makefile
A    /usr/src/tools/bus_space/C/libbus.h
A    /usr/src/tools/bus_space/bus.c
A    /usr/src/tools/sched
A    /usr/src/tools/ifnet
A    /usr/src/tools/LibraryReport
....
A    /usr/src/README
A    /usr/src/Makefile.sys.inc
 U   /usr/src
Checked out revision 366374.

// create sendmail make.conf file
root@freebitch12:/etc # vim /etc/make.conf

SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDADD=/usr/local/lib/libsasl2.so

//compile sendmail with auth support, takes 2-3 minutes
root@freebitch12:/etc # cd /usr/src/lib/libsmutil
root@freebitch12:/usr/src/lib/libsmutil # make cleandir && make obj && make
root@freebitch12:/usr/src/lib/libsmutil # cd /usr/src/lib/libsm
root@freebitch12:/usr/src/lib/libsm # make cleandir && make obj && make
root@freebitch12:/usr/src/lib/libsm # cd /usr/src/usr.sbin/sendmail
root@freebitch12:/usr/src/usr.sbin/sendmail # make cleandir && make obj && make && make install

root@freebitch12:/usr/src/usr.sbin/sendmail # cd /etc/mail
root@freebitch12:/etc/mail # make

// this will create copies of freebsd.mc, freebsd.submit.cf … as hostname.mc, hostname.submit.cf …
// don't make changes to freebsd.mc; make changes to hostname.mc
// in my case freebitch12.mc ……

root@freebitch12:/etc/mail # vim freebitch12.mc

define(`confSMTP_LOGIN_MSG', `freebitch12')dnl
define(`confAUTH_OPTIONS', `A p y')dnl

TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl

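// Add any other options you require to hostname.mc.
// There is no need to add DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
// When you enable sendmail in rc.conf it already listens on all interfaces.
// In fact, if you add this option sendmail will not be able to bind the address and will not start.
//
// TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
// This lists the mechanisms whose successful authentication is trusted for relaying, so every account that can log in with LOGIN or PLAIN can relay mail through this server.
//
// define(`confAUTH_OPTIONS', `A p y')dnl
// With these options, LOGIN/PLAIN SMTP AUTH is offered only after encryption has been established in a TLS tunnel.
// LOGIN and PLAIN send the password only base64-encoded, not encrypted, so they must not be offered on a cleartext connection.
// This means you will not see 250-AUTH LOGIN PLAIN if you telnet to port 25.
// The A option uses the AUTH= parameter of MAIL FROM only when authentication succeeded; it is a workaround for broken MTAs that do not implement RFC 2554 correctly.
// The p option tells sendmail: "don't permit mechanisms susceptible to simple passive attack (e.g., LOGIN, PLAIN), unless a security layer (think TLS tunnel) is active."
// You need to use # openssl s_client -connect localhost:25 -starttls smtp to see:
// 250-AUTH LOGIN PLAIN
// The y option prohibits anonymous logins.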

root@freebitch12:/etc/mail # make install
// after each change to the .mc file you need to run make install, as on older Linux systems; alternatively, you can add make install to the sendmail start script

// check if SASLv2 support is added
root@freebitch12:/etc/mail # sendmail -d0.1 -bv root

Version 8.15.2
Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS TLS_EC
TLS_VRFY_PER_CTX USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = freebitch12
(canonical domain name) $j = freebitch12.localrouter
(subdomain name) $m = localrouter
(node name) $k = freebitch12
========================================================

root... deliverable: mailer local, user root

root@freebitch12:/etc/mail # service sendmail restart

// test AUTH LOGIN PLAIN support with plain telnet: AUTH is not advertised on the unencrypted connection (expected, because of the p option)
root@freebbitch12:~ # telnet localhost 25

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 freebbitch12 ESMTP
ehlo test
250-freebbitch12.localrouter Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit

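// test AUTH LOGIN PLAIN support with openssl: AUTH is advertised once STARTTLS is active
// note: this only shows that AUTH is offered; it does not test an actual login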
root@freebbitch12:~ # openssl s_client -connect localhost:25 -starttls smtp


....
lots of certificate info
....
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
ehlo test
250-freebbitch12.localrouter Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 freebbitch12.localrouter closing connection
  1. Peter
    February 14, 2021 at 10:05 am

    Had problem with compilation from FreeBSD handbook. This works on FreeBSD 12.2-RELEASE-p3 , Thank you
