NetworkClue.com
Bulletin Board

Sendmail

SMTP Auth

These instructions are known to work on the following platforms, using the listed software:

Fedora Core 3 & CentOS 4

Before you start: check for proper versions

Make sure that sendmail was compiled with the necessary options:

sendmail -d0.1 -bv

STARTTLS and SASL must be present in the output from this command.

Step 1: Back up important files

cd /etc/mail
cp sendmail.mc sendmail.mc.old
cp sendmail.cf sendmail.cf.old

Step 2: Make your certificate

mkdir /etc/mail/certs
cd /usr/share/ssl/certs
make sendmail.pem
mv sendmail.pem /etc/mail/certs/.

Clue: Be sure to keep track of what you declare as your Distinguished Name. If you want to provide Relay Access to those that Authenticate, you must add the Distinguished Name to your /etc/mail/access file.

Just follow the prompts and be sure to use the fully qualified domain name of the mail server for the Common Name prompt. Users will still be warned that the certificate is self-signed or not trusted, but you will prevent a warning that the certificate doesn't match the host offering it. This certificate is suitable for testing, but you may want to investigate further about the use of certificates before deploying it in a production environment, a topic that is beyond the scope of this howto.

Step 3: Secure the certificate
Sendmail will not start correctly if the certificate is group readable.

chmod 600 /etc/mail/certs/sendmail.pem

Step 4: Edit sendmail.mc

Add or edit the corresponding lines in /etc/mail/sendmail.mc so that they match the following:

dnl ## Use SMTPAUTH
TRUST_AUTH_MECH(`EXTERNAL GSSAPI KERBEROS_V4
            DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI KERBEROS_V4
            DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl ## Use STARTTLS
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH',`/usr/share/ssl/certs')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT', `CERT_DIR/sendmail.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/sendmail.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/sendmail.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl

If you plan on using a DNSBL, you should add this line:

FEATURE(delay_checks)dnl

You must also edit this line:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

to:

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
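One thing to notice about the mechanism list above: LOGIN and PLAIN send the password in the clear unless the session is already inside STARTTLS, and sendmail only withholds them from an unencrypted session when confAUTH_OPTIONS carries the `p` flag, which the lines above do not set. The script below is an added example written for this page, not part of the original howto or of sendmail: it parses the define() lines of a sendmail.mc, flags plaintext mechanisms offered without `p`, and applies the Step 3 file-mode check. The sample .mc text is constructed from the block above; the hardened variant adds one define() line.

```python
import os
import re

# Constructed sample of the Step 4 block above (not copied from a live system).
MC_AS_WRITTEN = """\
dnl ## Use SMTPAUTH
TRUST_AUTH_MECH(`EXTERNAL GSSAPI KERBEROS_V4
            DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI KERBEROS_V4
            DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl ## Use STARTTLS
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confSERVER_CERT', `CERT_DIR/sendmail.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/sendmail.pem')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
"""

# Same file with the fix: 'p' withholds PLAIN/LOGIN until a security layer
# (STARTTLS) is active; 'A' only passes AUTH= on MAIL FROM after a real login.
MC_HARDENED = MC_AS_WRITTEN + "define(`confAUTH_OPTIONS', `A p')dnl\n"

# Matches define(`NAME', `VALUE') even when VALUE wraps onto a second line.
DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`([^']*)'\)")
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}


def parse_defines(mc_text):
    """Return {name: value} for every define(`name', `value') in .mc text."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(mc_text)}


def audit_mc(mc_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    defs = parse_defines(mc_text)
    findings = []
    mechs = set(defs.get("confAUTH_MECHANISMS", "").split())
    options = defs.get("confAUTH_OPTIONS", "")
    exposed = sorted(mechs & PLAINTEXT_MECHS)
    if exposed and "p" not in options:
        findings.append(
            "%s offered without confAUTH_OPTIONS 'p': a client may send its "
            "password on port 25 before STARTTLS" % ", ".join(exposed))
    if "confSERVER_CERT" not in defs or "confSERVER_KEY" not in defs:
        findings.append("confSERVER_CERT/confSERVER_KEY missing: STARTTLS "
                        "will not be offered")
    return findings


def key_mode_is_private(st_mode):
    """Step 3 check: no group or other permission bits on the key file."""
    return (st_mode & 0o077) == 0


def check_key_file(path):
    """stat() a real file and apply the Step 3 check to it."""
    return key_mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    for label, text in (("as written", MC_AS_WRITTEN), ("hardened", MC_HARDENED)):
        print(label + ":", audit_mc(text) or ["no findings"])
    # On the real host, after Step 3:
    #   print(check_key_file("/etc/mail/certs/sendmail.pem"))
```

Run it against your own file with `audit_mc(open("/etc/mail/sendmail.mc").read())` after Step 4 and again after Step 5 has been applied; the parser only looks at define() lines, so TRUST_AUTH_MECH and DAEMON_OPTIONS are left alone.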

Step 5: Rebuild the Sendmail Config file

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Step 6: Configure SASL authentication to autostart

chkconfig saslauthd on
service saslauthd restart

Step 7: Restart Sendmail

service sendmail restart

Step 8: Check Sendmail Logfile for errors

tail -n 30 /var/log/maillog

That's it! You now have SMTP AUTH with encrypted logins!
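The maillog tells you that sendmail started; it does not tell you what the server now advertises to clients. The probe below is an added example written for this page, not part of the howto or of sendmail: it issues EHLO, records the STARTTLS and AUTH keywords, upgrades to TLS, issues EHLO again, and reports whether LOGIN/PLAIN are offered only inside TLS. The EHLO replies embedded at the bottom are constructed for offline use, not captured from any server, and the hostname and client address in them are placeholders.

```python
import smtplib
import ssl

PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}


def parse_ehlo(lines):
    """Turn the reply lines of an EHLO into {KEYWORD: params}.

    The first line is the server greeting and carries no keyword; the rest
    look like '250-STARTTLS' or '250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN'.
    """
    features = {}
    for line in lines[1:]:
        body = line[4:].strip()          # drop the '250-' or '250 ' prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def auth_mechs(features):
    """Mechanism names advertised in the AUTH keyword, if any."""
    return set(features.get("AUTH", "").split())


def assess(before_tls, after_tls):
    """Judge a server from its EHLO features before and after STARTTLS."""
    exposed = auth_mechs(before_tls) & PLAINTEXT_MECHS
    report = {
        "starttls_offered": "STARTTLS" in before_tls,
        "plaintext_auth_before_tls": sorted(exposed),
        "auth_after_tls": sorted(auth_mechs(after_tls)),
    }
    report["ok"] = (report["starttls_offered"] and not exposed
                    and bool(report["auth_after_tls"]))
    return report


def probe(host, port=25, timeout=10):
    """Live version: EHLO, STARTTLS, EHLO again, then assess() the two."""
    def features(smtp):
        # smtplib stores keywords lower-cased; AUTH params get a leading space.
        return {k.upper(): v.strip() for k, v in smtp.esmtp_features.items()}

    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = features(smtp)
        after = {}
        if "STARTTLS" in before:
            # The Step 2 certificate is self-signed, so the probe does not
            # verify it; it only checks what the server advertises.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)
            smtp.ehlo()          # starttls() clears the cached features
            after = features(smtp)
    return assess(before, after)


# Constructed EHLO replies (not captured from any server) for offline use.
EHLO_WEAK = [            # config as written: PLAIN/LOGIN offered in the clear
    "250-mail.example.com Hello client [192.0.2.10], pleased to meet you",
    "250-ENHANCEDSTATUSCODES",
    "250-STARTTLS",
    "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN",
    "250 HELP",
]
EHLO_GOOD_BEFORE = [     # with confAUTH_OPTIONS 'p': only digest mechs in the clear
    "250-mail.example.com Hello client [192.0.2.10], pleased to meet you",
    "250-ENHANCEDSTATUSCODES",
    "250-STARTTLS",
    "250-AUTH DIGEST-MD5 CRAM-MD5",
    "250 HELP",
]
EHLO_AFTER_TLS = [       # inside TLS the full list is fine
    "250-mail.example.com Hello client [192.0.2.10], pleased to meet you",
    "250-ENHANCEDSTATUSCODES",
    "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN",
    "250 HELP",
]

if __name__ == "__main__":
    print("as written:", assess(parse_ehlo(EHLO_WEAK), parse_ehlo(EHLO_AFTER_TLS)))
    print("hardened:  ", assess(parse_ehlo(EHLO_GOOD_BEFORE), parse_ehlo(EHLO_AFTER_TLS)))
    # Against the real host after Step 7:  print(probe("localhost"))
```

`probe("localhost")` on the mail server itself exercises port 25 from Step 4; pass `port=465` only if you also speak TLS from the start, since that daemon (M=s) does not do STARTTLS.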

Sendmail Configuration File

Here is a copy of a sample Sendmail configuration file for your reference.

References:

http://aput.net/~jheiss/sendmail/tlsandrelay.shtml

Article last reviewed: 12/14/2006


Created by: Digital Foundation, inc.

Copyright © 2002-2005 Digital Foundation, inc.   www.networkclue.com

All content of the NetworkClue website is copyrighted. Articles, notes, outlines, and all other materials may not be stored on the Internet or sold or placed by themselves or with other material in any electronic or printed format in whole or part. However materials may be referenced by links to the site.
