how to install a mail server based on sendmail that is capable of SMTP-AUTH
and TLS. It should work (maybe with slight changes concerning paths etc.) on
all *nix operating systems. I tested it on Debian Woody so far.

This howto is meant as a practical guide; it does not cover the theoretical background, which is treated in many other documents on the web.

This document comes without warranty of any kind!

1 Get the Sources

We need the following software: openssl, cyrus-sasl2, and sendmail. We will install the software from the /tmp directory.

cd /tmp

wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz

wget --passive-ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.17.tar.gz

wget --passive-ftp ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.11.tar.gz

2 Install Openssl

tar xvfz openssl-0.9.7c.tar.gz

cd openssl-0.9.7c

./config

make

make install

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

3 Install Cyrus-sasl2

cd /tmp

tar xvfz cyrus-sasl-2.1.17.tar.gz

cd cyrus-sasl-2.1.17

./configure --enable-anon --enable-plain --enable-login --disable-krb4 --with-saslauthd=/var/run/saslauthd --with-pam --with-openssl=/usr/local/ssl --with-plugindir=/usr/local/lib/sasl2 --enable-cram --enable-digest --enable-otp
(1 line!)

make

make install

If /usr/lib/sasl2 exists:

mv /usr/lib/sasl2 /usr/lib/sasl2_orig

echo "pwcheck_method: saslauthd" > /usr/local/lib/sasl2/Sendmail.conf

echo "mech_list: login plain" >> /usr/local/lib/sasl2/Sendmail.conf

mkdir -p /var/run/saslauthd

4 Create Certificates for TLS

mkdir -p /etc/mail/certs

cd /etc/mail/certs

openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365

<- Enter your password for smtpd.key.

<- Enter your Country Name (e.g., “DE”).

<- Enter your State or Province Name.

<- Enter your City.

<- Enter your Organization Name (e.g., the name of your company).

<- Enter your Organizational Unit Name (e.g. “IT Department”).

<- Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).

<- Enter your Email Address.

openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 365

<- Again, enter your password for smtpd.key.

<- Enter your Country Name (e.g., “DE”).

<- Enter your State or Province Name.

<- Enter your City.

<- Enter your Organization Name (e.g., the name of your company).

<- Enter your Organizational Unit Name (e.g. “IT Department”).

<- Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).

<- Enter your Email Address.

openssl x509 -noout -text -in sendmail.pem

chmod 600 ./sendmail.pem
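The following script is an added example and not part of the original howto. It produces the same sendmail.pem as the second openssl command above, but non-interactively (the subject is passed with -subj instead of answering the questions), and then checks the three properties sendmail needs from that file: it contains both a private key and a certificate, it is mode 600 as the chmod above requires, and the certificate is not about to expire. It assumes openssl(1) is in PATH and a GNU or busybox stat(1); server1.example.com and the scratch directory are placeholders, and cacert.pem is still created as described above.

```shell
#!/bin/sh
# Added example (not from the original howto): non-interactive creation and
# verification of /etc/mail/certs/sendmail.pem. Hostname and directory are
# placeholders; assumes openssl(1) and GNU/busybox stat(1).

# make_sendmail_pem DIR FQDN [DAYS]
# Writes DIR/sendmail.pem holding an unencrypted RSA key (what -nodes gives
# in the howto) followed by a self-signed certificate for FQDN.
# Returns 0 on success, 1 if openssl or the file operations fail.
make_sendmail_pem() {
    dir=$1; fqdn=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell: neither the temporary key file nor the final
    # PEM file is ever world-readable, not even for a moment.
    (
        umask 077
        openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
            -subj "/CN=$fqdn" \
            -keyout "$dir/sendmail.key" -out "$dir/sendmail.crt" 2>/dev/null || exit 1
        # confSERVER_KEY and confSERVER_CERT point at one file in the howto's
        # sendmail.mc, so key and certificate go into a single PEM file.
        cat "$dir/sendmail.key" "$dir/sendmail.crt" > "$dir/sendmail.pem" || exit 1
        rm -f "$dir/sendmail.key" "$dir/sendmail.crt"
    ) || return 1
    chmod 600 "$dir/sendmail.pem"
}

# verify_sendmail_pem FILE [DAYS]
# Returns 0 if FILE contains a private key and a certificate, is mode 600,
# and the certificate stays valid for at least DAYS more days (default 30).
# Otherwise prints the problem and returns 1.
verify_sendmail_pem() {
    file=$1; days=${2:-30}
    grep -q 'BEGIN .*PRIVATE KEY' "$file" || { echo "no private key in $file"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$file"   || { echo "no certificate in $file"; return 1; }
    [ "$(stat -c '%a' "$file")" = 600 ]    || { echo "$file is not mode 600"; return 1; }
    # -checkend exits 1 when the certificate expires within the given seconds
    openssl x509 -noout -in "$file" -checkend $((days * 86400)) >/dev/null 2>&1 \
        || { echo "certificate in $file expires within $days days"; return 1; }
    openssl x509 -noout -subject -enddate -in "$file"
}

# Stand-alone run: build and check a key/cert pair in a scratch directory.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sendmail_pem "$tmp" server1.example.com 365 && verify_sendmail_pem "$tmp/sendmail.pem"
    rm -rf "$tmp"
fi
```

To use it for the real installation, call make_sendmail_pem /etc/mail/certs with your own FQDN, and run verify_sendmail_pem /etc/mail/certs/sendmail.pem from cron so an expiring certificate is noticed before clients start refusing STARTTLS.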

5 Install Sendmail

cd /tmp

tar xvfz sendmail.8.12.11.tar.gz

cd sendmail-8.12.11/devtools/Site/

Create the file site.config.m4 (in devtools/Site/):

# SASL2 (smtp authentication)
APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
#
# STARTTLS (smtp + tls/ssl)
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_SMTP_SSL')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto -L/usr/local/ssl/lib')

mkdir -p /usr/man

mkdir -p /usr/man/man1

mkdir -p /usr/man/man8

cp -pfr /usr/local/lib/sasl2 /usr/lib/sasl2

echo /usr/lib/sasl2 >> /etc/ld.so.conf

ldconfig

ln -s /usr/local/ssl/include/openssl /usr/include/openssl

Now we can compile sendmail:

cd /tmp/sendmail-8.12.11/

useradd smmsp

groupadd smmsp

sh Build -c

sh Build install

Let's create our sendmail.cf:

cd cf/cf/

Create the file sendmail.mc with the following contents:

### do SMTPAUTH
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl

### do STARTTLS
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl

###
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define(`confMAX_MESSAGE_SIZE', `15000000')dnl # Denial of Service Attacks
define(`confMAX_DAEMON_CHILDREN', `30')dnl # Denial of Service Attacks
define(`confCONNECTION_RATE_THROTTLE', `2')dnl # Denial of Service Attacks
define(`confMAXRCPTSPERMESSAGE', `50')dnl # Denial of Service Attacks
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `20s')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `35m')dnl
define(`confTO_DATAFINAL', `35m')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
define(`confALIAS_WAIT', `0')dnl
define(`confMAX_HOP', `35')dnl
define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `12')dnl
define(`confSEPARATE_PROC', `False')dnl
define(`confCON_EXPENSIVE', `true')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl
OSTYPE(linux)dnl
FEATURE(`delay_checks')dnl
FEATURE(`generics_entire_domain')dnl
FEATURE(`local_procmail')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`nouucp',`reject')dnl
FEATURE(`redirect')dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`virtuser_entire_domain')dnl

FEATURE(dnsbl,`blackholes.mail-abuse.org',
` Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/lookup?$&{client_addr}')dnl
FEATURE(dnsbl,`dialups.mail-abuse.org',
` Mail from dial-up rejected; see http://mail-abuse.org/dul/enduser.htm')dnl

FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl
FEATURE(access_db)dnl
FEATURE(lookupdotdomain)dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

In order to create /etc/mail/sendmail.cf run the following commands:

sh Build sendmail.cf

cp sendmail.cf /etc/mail/sendmail.cf

Finally we have to create some files:

cd /etc/mail/

touch /etc/mail/local-host-names

touch /etc/mail/virtusertable

/usr/sbin/makemap hash virtusertable < virtusertable

mkdir -p /var/spool/mqueue

chmod 700 /var/spool/mqueue

chown root:root /var/spool/mqueue

chown root:root /etc/mail/sendmail.cf

chmod 444 /etc/mail/sendmail.cf

chown root:root /etc/mail/submit.cf

chmod 444 /etc/mail/submit.cf

touch /etc/mail/aliases

newaliases

touch /etc/mail/access

/usr/sbin/makemap hash access < access
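The chown and chmod commands above are what keep the server key private and the configuration read-only, and they are easy to lose on a later re-run or a restore from backup. The script below is an added example, not part of the original howto: it re-checks the modes (and, when given, the owner) of the files created in sections 4 and 5. It assumes a GNU or busybox stat(1) that understands "stat -c"; the audit list uses the paths from this howto.

```shell
#!/bin/sh
# Added example (not from the original howto): audit the modes and owners
# that sections 4 and 5 set. Assumes GNU/busybox stat(1) ("stat -c").

# mode_of PATH: the octal permission bits of PATH, e.g. "600"
mode_of() {
    stat -c '%a' "$1"
}

# check_mode PATH MODE [OWNER]
# Returns 0 if PATH exists with exactly MODE (and OWNER, when given),
# otherwise prints the mismatch and returns 1.
check_mode() {
    path=$1; want_mode=$2; want_owner=${3:-}
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    have_mode=$(mode_of "$path")
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE    $path is $have_mode, expected $want_mode"
        return 1
    fi
    if [ -n "$want_owner" ]; then
        have_owner=$(stat -c '%U' "$path")
        if [ "$have_owner" != "$want_owner" ]; then
            echo "OWNER   $path is $have_owner, expected $want_owner"
            return 1
        fi
    fi
    echo "OK      $path ($have_mode${want_owner:+ $want_owner})"
    return 0
}

# audit_mail_files: the files from sections 4 and 5 of the howto.
# Returns the number of checks that failed (0 = everything as installed).
audit_mail_files() {
    fails=0
    check_mode /etc/mail/certs/sendmail.pem 600 root || fails=$((fails + 1))
    check_mode /etc/mail/sendmail.cf       444 root || fails=$((fails + 1))
    check_mode /etc/mail/submit.cf         444 root || fails=$((fails + 1))
    check_mode /var/spool/mqueue           700 root || fails=$((fails + 1))
    return $fails
}

# Run the audit only when asked to, so sourcing this file has no side effects.
if [ "${1:-}" = "--audit" ]; then
    audit_mail_files
fi
```

Run it as "sh audit.sh --audit" after the installation and again after any package upgrade; a non-zero exit status means at least one of the listed files is missing or has drifted from the mode set above.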

We need an init script for sendmail (this should be copied to /etc/init.d/sendmail):

#! /bin/sh

case "$1" in
  start)
    echo "Initializing SMTP port. (sendmail)"
    /usr/sbin/sendmail -bd -q1h
    ;;
  stop)
    echo "Shutting down SMTP port:"
    killall /usr/sbin/sendmail
    ;;
  restart|reload)
    $0 stop && $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
esac
exit 0

chmod 755 /etc/init.d/sendmail

In order to start sendmail at boot time do the following:

ln -s /etc/init.d/sendmail /etc/rc2.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc3.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc4.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc5.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc0.d/K20sendmail

ln -s /etc/init.d/sendmail /etc/rc1.d/K20sendmail

ln -s /etc/init.d/sendmail /etc/rc6.d/K20sendmail

6 Configure Saslauthd

Create /etc/init.d/saslauthd:

#!/bin/sh -e

NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd

test -f "${DAEMON}" || exit 0

# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
    . "${DEFAULTS}"
fi

# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
    exit 0
fi

# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
    echo "You need to configure ${DEFAULTS} with mechanisms to be used"
    exit 0
fi

# Add our mechanisms with the necessary flag
for i in ${MECHANISMS}; do
    PARAMS="${PARAMS} -a ${i}"
done

# Consider our options
case "${1}" in
  start)
    echo -n "Starting ${DESC}: "
    # Socket directory; must match --with-saslauthd from section 3
    mkdir -p /var/run/${NAME}
    ${DAEMON} ${PARAMS}
    echo "${NAME}."
    ;;
  stop)
    echo -n "Stopping ${DESC}: "
    PROCS=`ps aux | grep -iw '/usr/sbin/saslauthd' | grep -v 'grep' | awk '{print $2}' | tr '\n' ' '`
    if [ "x${PROCS}" != "x" ]; then
        kill -15 ${PROCS} > /dev/null 2>&1
    fi
    echo "${NAME}."
    ;;
  restart|force-reload)
    $0 stop
    sleep 1
    $0 start
    echo "${NAME}."
    ;;
  *)
    echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0

chmod 755 /etc/init.d/saslauthd

In order to start saslauthd at boot time do the following:

ln -s /etc/init.d/saslauthd /etc/rc2.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc3.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc4.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc5.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc0.d/K20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc1.d/K20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc6.d/K20saslauthd

Then create /etc/default/saslauthd:

# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to “pam” for PAM support, but may also include
# “shadow” or “sasldb”
MECHANISMS=shadow

If you find out that saslauthd is located in /usr/local/sbin instead of /usr/sbin, create a symbolic link:

ln -s /usr/local/sbin/saslauthd /usr/sbin/saslauthd

Then start saslauthd and sendmail:

/etc/init.d/saslauthd start

/etc/init.d/sendmail start

7 Test your Configuration

To verify that your sendmail was compiled with the right options type

/usr/sbin/sendmail -d0.1 -bv root

You should see that sendmail was compiled with SASLv2 and STARTTLS.

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your sendmail mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.
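The telnet test above is done by eye. The script below is an added example, not part of the original howto: it checks an EHLO reply for the two lines the howto looks for (250-STARTTLS and 250-AUTH) and additionally reports when the cleartext mechanisms PLAIN and LOGIN are offered before STARTTLS, which is what sendmail does unless confAUTH_OPTIONS contains the p flag. The sample replies in the script are constructed, not captured from a real server; the hostname in them is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original howto): evaluate an EHLO reply.
# Sample replies are constructed, not captured from a real server.

# ehlo_check REPLY  (REPLY is the full multi-line text after "ehlo")
#   0 -> STARTTLS and AUTH advertised, no PLAIN/LOGIN before TLS
#   2 -> both advertised, but PLAIN/LOGIN offered on the cleartext connection
#   1 -> STARTTLS or AUTH missing (reason printed)
ehlo_check() {
    reply=$(printf '%s\n' "$1" | tr -d '\r')   # SMTP lines end in CRLF
    rc=0
    if ! printf '%s\n' "$reply" | grep -q '^250[- ]STARTTLS'; then
        echo "missing 250-STARTTLS: not built with -DSTARTTLS, or the cert/key file is unreadable"
        rc=1
    fi
    auth=$(printf '%s\n' "$reply" | grep '^250[- ]AUTH' | head -n 1)
    if [ -z "$auth" ]; then
        echo "missing 250-AUTH: not built with -DSASL=2, or Sendmail.conf/saslauthd not found"
        rc=1
    elif [ "$rc" -eq 0 ] && printf '%s\n' "$auth" | grep -Eq ' (PLAIN|LOGIN)( |$)'; then
        echo "warning: '$auth' offered without TLS; add p to confAUTH_OPTIONS so PLAIN/LOGIN appear only after STARTTLS"
        rc=2
    fi
    [ "$rc" -eq 0 ] && echo "ok: STARTTLS and AUTH advertised"
    return $rc
}

# Constructed sample replies.
EHLO_GOOD='250-server1.example.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 15000000
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP'

EHLO_NO_TLS='250-server1.example.com Hello localhost [127.0.0.1], pleased to meet you
250-PIPELINING
250-SIZE 15000000
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP'

EHLO_CLEARTEXT='250-server1.example.com Hello localhost [127.0.0.1], pleased to meet you
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 HELP'

# Stand-alone run: show the verdict for each sample.
for r in "$EHLO_GOOD" "$EHLO_NO_TLS" "$EHLO_CLEARTEXT"; do
    if ehlo_check "$r"; then echo "-> status 0"; else echo "-> status $?"; fi
    echo
done
```

For a live check, capture the reply the same way the telnet session above does, e.g. reply=$(printf 'EHLO localhost\r\nQUIT\r\n' | nc localhost 25) and then ehlo_check "$reply". To confirm that the STARTTLS handshake itself succeeds and that the server presents the certificate from section 4, use openssl s_client -starttls smtp -connect localhost:25, which prints the certificate subject and the negotiated protocol.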

Links

Sendmail MTA: http://www.sendmail.org/

OpenSSL: http://www.openssl.org/

Cyrus-SASL: http://asg.web.cmu.edu/sasl/
