FreeBSD 12.1-RELEASE Sendmail SMTP-Auth Configuration
// Total time 5-10 minutes
// Important: Remove any modifications you have made to /etc/mail/freebsd.mc
NOTE: This document explains how to compile the default sendmail to support SMTP AUTH. However, you also have the option of installing the sendmail pkg from the packages collection. That way you don't have to compile sendmail: the sendmail version in the pkg collection is already compiled with SMTP AUTH enabled. When you install sendmail from the pkg collection, the system will also install the necessary additional pkgs (cyrus-sasl & cyrus-sasl-saslauthd). All you have to do is:
root@freebitch12:/ # pkg install sendmail
root@freebitch12:/ # cd /usr/local/etc/mail && cp mailer.conf.sendmail mailer.conf
You still need to follow the configuration steps below in order to enable SMTP AUTH for sendmail, except that you do NOT need to compile sendmail or install cyrus-sasl and cyrus-sasl-saslauthd.
// check sendmail compiled options
root@freebitch12:/etc/mail # sendmail -d0.1 -bv root
Version 8.15.2 Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG Warning: Option: AuthMechanisms requires SASL support (-DSASL) ============ SYSTEM IDENTITY (after readcf) ============ (short domain name) $w = freebitch12 (canonical domain name) $j = freebitch12.localrouter (subdomain name) $m = localrouter (node name) $k = freebitch12 ======================================================== root... deliverable: mailer local, user root
// No SASLv2 support
root@freebitch12:/etc # pkg install cyrus-sasl cyrus-sasl-saslauthd
Updating FreeBSD repository catalogue... FreeBSD repository is up to date. All repositories are up to date. Checking integrity... done (0 conflicting) The following 2 package(s) will be affected (of 0 checked): New packages to be INSTALLED: cyrus-sasl: 2.1.27_1 cyrus-sasl-saslauthd: 2.1.27_1 Number of packages to be installed: 2 The process will require 8 MiB more space. Proceed with this action? [y/N]: y [1/2] Installing cyrus-sasl-2.1.27_1... *** Updated user `cyrus'. [1/2] Extracting cyrus-sasl-2.1.27_1: 100% [2/2] Installing cyrus-sasl-saslauthd-2.1.27_1... [2/2] Extracting cyrus-sasl-saslauthd-2.1.27_1: 100% .....
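// Enable sendmail and saslauthd
// (these rc.conf settings are read when the services start, so saslauthd also needs to be started, or the host rebooted, before testing authentication)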
root@freebitch12:/etc # vim /etc/rc.conf
sendmail_enable="YES"
saslauthd_enable="YES"
// copy freebsd source tree to /usr/src
// required to compile sendmail
root@freebitch12:/etc # svnlite checkout https://svn.freebsd.org/base/releng/12.1/ /usr/src
.... A /usr/src/tools/bus_space/Python/Makefile A /usr/src/tools/bus_space/C/libbus.h A /usr/src/tools/bus_space/bus.c A /usr/src/tools/sched A /usr/src/tools/ifnet A /usr/src/tools/LibraryReport .... A /usr/src/README A /usr/src/Makefile.sys.inc U /usr/src Checked out revision 366374.
// create sendmail make.conf file
root@freebitch12:/etc # vim /etc/make.conf
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDADD=/usr/local/lib/libsasl2.so
//compile sendmail with auth support, takes 2-3 minutes
root@freebitch12:/etc # cd /usr/src/lib/libsmutil
root@freebitch12:/usr/src/lib/libsmutil # make cleandir && make obj && make
root@freebitch12:/usr/src/lib/libsmutil # cd /usr/src/lib/libsm
root@freebitch12:/usr/src/lib/libsm # make cleandir && make obj && make
root@freebitch12:/usr/src/lib/libsm # cd /usr/src/usr.sbin/sendmail
root@freebitch12:/usr/src/usr.sbin/sendmail # make cleandir && make obj && make && make install
root@freebitch12:/usr/src/usr.sbin/sendmail # cd /etc/mail
root@freebitch12:/etc/mail # make
// this will create copies of freebsd.mc, freebsd.submit.cf … named hostname.mc, hostname.submit.cf …
// don't make changes to freebsd.mc; make your changes to hostname.mc
// in my case freebitch12.mc ……
root@freebitch12:/etc/mail # vim freebitch12.mc
define(`confSMTP_LOGIN_MSG', `freebitch12')dnl
define(`confAUTH_OPTIONS', `A p y')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
// add any other option you require to hostname.mc
// no need to add DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
// When you enable sendmail in rc.conf it starts listening on all interfaces, so make sure port 25 is reachable only from where you intend (e.g. via your firewall)
// Actually, if you add this option sendmail won't be able to bind the address and will not start
// define(`confAUTH_OPTIONS', `A p y')dnl
// this option makes sendmail offer LOGIN/PLAIN SMTP-AUTH only after encryption has been established in a TLS tunnel.
// this means you will not see 250-AUTH LOGIN PLAIN if you telnet to port 25
// A is a workaround for broken MTAs that do not implement RFC 2554.
// p option tells sendmail: "don't permit mechanisms susceptible to simple passive attack (e.g., LOGIN, PLAIN), unless a security layer (think TLS tunnel) is active." LOGIN and PLAIN send the password only base64-encoded, not encrypted, so without p it could be read off the wire.
// you need to use # openssl s_client -connect localhost:25 -starttls smtp to see:
// 250-AUTH LOGIN PLAIN
// y option prohibits anonymous logins
root@freebitch12:/etc/mail # make install
// after each change to the mc file you need to run make install (as on old Linux), or you can add make install to the sendmail start script
// check if SASLv2 support is added
root@freebitch12:/etc/mail # sendmail -d0.1 -bv root
Version 8.15.2 Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS TLS_EC TLS_VRFY_PER_CTX USERDB XDEBUG ============ SYSTEM IDENTITY (after readcf) ============ (short domain name) $w = freebitch12 (canonical domain name) $j = freebitch12.localrouter (subdomain name) $m = localrouter (node name) $k = freebitch12 ======================================================== root... deliverable: mailer local, user root
root@freebitch12:/etc/mail # service sendmail restart
// test AUTH LOGIN PLAIN support with plain telnet: AUTH is not advertised on the unencrypted connection (expected with the p option)
root@freebbitch12:~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 freebbitch12 ESMTP
ehlo test
250-freebbitch12.localrouter Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
// test AUTH LOGIN PLAIN support with openssl: AUTH is advertised once the STARTTLS tunnel is up
root@freebbitch12:~ # openssl s_client -connect localhost:25 -starttls smtp
.... lots of certificate info ....
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
ehlo test
250-freebbitch12.localrouter Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 freebbitch12.localrouter closing connection
Had problem with compilation from FreeBSD handbook. This works on FreeBSD 12.2-RELEASE-p3 , Thank you