June 09, 2003
pain in the sasl

swear... couldn't compile cyrus-sasl. pissing me off. finally got it. someone said to export LIBS="-ldb -lcrypto" but really the Makefile is way screwed up. all this just to get sendmail with smtp auth and ssl. as if anyone wants to read the crap i mail anyway.

with thanks to Craig Outcalt for pointing out the original
OpenBSD Sendmail + SMTP AUTH Mini-HOWTO

This howto details how to set up the version of sendmail shipped with OpenBSD 3.3 to accept SMTP authentication via Cyrus SASL.
install cyrus sasl v2
# cd /usr/ports/security/cyrus-sasl2 ; make install clean
enable SASL in sendmail
# echo WANT_SMTPAUTH=yes >> /etc/mk.conf
give the linker an unversioned libsasl2 (sendmail's Makefile links with -lsasl2; use whatever version number the port actually installed)
# cd /usr/local/lib; ln -s libsasl2.so.2.11 libsasl2.so
# cd /usr/src/gnu/usr.sbin/sendmail
edit cf/cf/openbsd-proto.mc
after the FEATURE(`no_default_msa') line, add the following (no spaces inside the m4 quotes, or they become part of the domain name):
MASQUERADE_AS(`domain.org')
LOCAL_DOMAIN(`fqdn.of.machine.org')
LOCAL_DOMAIN(`domain.org')
define(`confAUTH_MECHANISMS',`PLAIN CRAM-MD5 DIGEST-MD5')dnl
TRUST_AUTH_MECH(`PLAIN CRAM-MD5 DIGEST-MD5')dnl
confAUTH_MECHANISMS is what the server offers in its EHLO response; TRUST_AUTH_MECH lists the mechanisms whose successful authentication is enough to be allowed to relay. PLAIN carries the password base64-encoded, not encrypted, so only use it on connections protected by STARTTLS or ssmtp (both below).
note that if you want to receive mail for other domains you can add LOCAL_DOMAIN directives as needed, but be sure to remove all MASQUERADE_AS directives; otherwise every message from squirrelmail (and perhaps other things) is treated as coming from the last MASQUERADE_AS domain. we'll let the MUA take care of tacking a domain onto the address.
build sendmail
# make && make install && make clean
install the new config file
# cp cf/cf/openbsd-proto.cf /etc/mail/sendmail.cf
add the SASL config file
we'll be using the sasldb, so...
# echo pwcheck_method: sasldb > /usr/local/lib/sasl2/Sendmail.conf
the file name must match the application name sendmail hands to SASL, Sendmail with a capital S. (Cyrus SASL 2 documents the sasldb lookup as pwcheck_method: auxprop together with auxprop_plugin: sasldb; if PLAIN logins fail while CRAM-MD5/DIGEST-MD5 work, try that spelling.)
add users with /usr/local/sbin/saslpasswd2 -c username (-c creates the entry; omit it when changing an existing user's password)
saslpasswd2 may complain about kerberos; it may help to
# touch /etc/kerberosIV/srvtab
to silence some of the warnings
edit /etc/rc.conf
remove -C/etc/mail/localhost.cf from sendmail_flags
kill the existing sendmail
# ps aux | grep [s]endmail | awk '{print $2}' | xargs -n 1 kill
start the new sendmail
# . /etc/rc.conf
# sendmail $sendmail_flags
cross your toes, it might work...
here's the config file i use: dorkzilla.mc
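The procedure above ends with "it might work"; here is how to check. This is an added example, not code from the howto or from sendmail or Cyrus SASL: it builds the AUTH PLAIN credential a client sends, emits the client lines for a TLS-protected session, and audits an EHLO response for the one thing the .mc above gets wrong by default, namely that PLAIN is advertised on an unencrypted port 25 (sendmail's fix is the p flag in confAUTH_OPTIONS). The host names, the user dlg/secret and the EHLO responses are placeholders and constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original howto: the client half of an SMTP
# AUTH PLAIN exchange, and a check of what a server set up as above advertises.
# Host and user names are placeholders; the EHLO responses are constructed
# sample data, not captures from a real server.

# AUTH PLAIN credential: base64 of "\0" authcid "\0" password (empty authzid).
# openssl is used instead of base64(1) because OpenBSD has no base64 binary.
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | openssl base64 | tr -d '\n'
}

# The lines a client sends once STARTTLS is up. Paste them into
#   openssl s_client -starttls smtp -crlf -connect mail.example.org:25
# (s_client does the first EHLO and STARTTLS itself; the MTA wants a fresh EHLO).
smtp_auth_dialogue() {
    printf 'EHLO %s\n' "$1"
    printf 'AUTH PLAIN %s\n' "$(auth_plain_token "$2" "$3")"
    printf 'QUIT\n'
}

# Classify an EHLO response. $1 is the response text, $2 is "yes" when it was
# read over TLS (after STARTTLS, or on port 465). Prints one of:
#   ok          AUTH offered, and no cleartext-password mechanism on a cleartext channel
#   plain-leak  PLAIN or LOGIN offered before TLS: the password crosses the wire base64 only
#   no-auth     no AUTH line at all (confAUTH_MECHANISMS not in effect)
# The sendmail knob that turns the first banner below into "ok" is the p flag
# in confAUTH_OPTIONS, which withholds PLAIN/LOGIN until a security layer is active.
audit_ehlo() {
    banner=$1
    encrypted=$2
    mechs=$(printf '%s\n' "$banner" | sed -n 's/^250[- ]AUTH[= ]//p' | head -n 1)
    if [ -z "$mechs" ]; then
        echo no-auth
        return 1
    fi
    if [ "$encrypted" != yes ]; then
        for m in $mechs; do
            case $m in
                PLAIN|LOGIN) echo plain-leak; return 1 ;;
            esac
        done
    fi
    echo ok
    return 0
}

# Constructed banner of a server with exactly the .mc lines above and no TLS.
EHLO_AS_CONFIGURED='250-mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH PLAIN CRAM-MD5 DIGEST-MD5
250 HELP'

# Constructed banner of the same server with STARTTLS and confAUTH_OPTIONS p,
# as seen before the client issues STARTTLS.
EHLO_HARDENED='250-mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH CRAM-MD5 DIGEST-MD5
250 HELP'

# Constructed banner of a build without SASL.
EHLO_NO_SASL='250-mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you
250 HELP'

echo "as configured, port 25:   $(audit_ehlo "$EHLO_AS_CONFIGURED" no)"
echo "as configured, after TLS: $(audit_ehlo "$EHLO_AS_CONFIGURED" yes)"
echo "with confAUTH_OPTIONS p:  $(audit_ehlo "$EHLO_HARDENED" no)"
echo "without SASL:             $(audit_ehlo "$EHLO_NO_SASL" no)"
echo "client lines for a TLS session:"
smtp_auth_dialogue client.example.org dlg secret
```

On the real box, capture the banner with `openssl s_client -starttls smtp -connect host:25` (or `-connect host:465` for ssmtp) and feed it to audit_ehlo with the second argument set according to whether TLS was already up when the banner arrived.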


STARTTLS
if you want STARTTLS support, add the following to your .mc file (key and certificate end up in one file, which is why confSERVER_KEY points at the same path as confSERVER_CERT):
define(`confCACERT_PATH',`/etc/mail/certs')
define(`confCACERT',`/etc/mail/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/etc/mail/certs/sendmail.pem')
define(`confSERVER_KEY',`/etc/mail/certs/sendmail.pem')
then run the following commands to generate a self-signed certificate (unless you ponied up $300 to Thawte). the original used rsa:1024; 1024-bit RSA is no longer acceptable, so generate at least 2048 bits:
# mkdir /etc/mail/certs
# cd /etc/mail/certs
# PEM1=`mktemp /tmp/openssl.XXXXXX`
# PEM2=`mktemp /tmp/openssl.XXXXXX`
# openssl req -newkey rsa:2048 -keyout $PEM1 \
-nodes -x509 -days 365 -out $PEM2
# cat $PEM1 > sendmail.pem
# echo "" >> sendmail.pem
# cat $PEM2 >> sendmail.pem
# cp $PEM2 ca-bundle.crt
# rm $PEM1 $PEM2
# chmod 400 sendmail.pem
# chmod 400 ca-bundle.crt
the chmod is not cosmetic: sendmail's TLS init rejects a key file that is group- or world-readable (unless you relax it with DontBlameSendmail) and carries on without TLS.
and, of course, recreate /etc/mail/sendmail.cf and restart sendmail.

thanks to Richard Harms for pulling this information out of a RedHat 8.0 install. see http://flint.kitiara.com/Lists-Archives/l-cialug-0306/msg00023.html and http://flint.kitiara.com/Lists-Archives/l-cialug-0306/msg00025.html
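The certificate steps above are easy to get subtly wrong (key and cert from different runs, a readable key file, an expired cert after the 365 days), and sendmail's reaction is to log an error and keep accepting plaintext mail. As an added example, not code from the howto, the following reproduces the key+cert layout with a 2048-bit key and `-subj` instead of the interactive prompts, then checks the result the way one would before restarting sendmail. The directory and the CN mail.example.org are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original howto: build the combined key+cert
# file the STARTTLS section expects and verify it before restarting sendmail.
# Directory and CN are placeholders for the example.

# Create sendmail.pem (key, blank line, cert) and ca-bundle.crt in $1 for CN $2.
# Same layout as the howto, but 2048-bit RSA and -subj instead of the prompts.
make_sendmail_pem() {
    dir=$1
    cn=$2
    mkdir -p "$dir"
    key=$(mktemp "$dir/key.XXXXXX")
    crt=$(mktemp "$dir/crt.XXXXXX")
    openssl req -newkey rsa:2048 -nodes -keyout "$key" \
        -x509 -days 365 -subj "/CN=$cn" -out "$crt" 2>/dev/null
    rm -f "$dir/sendmail.pem" "$dir/ca-bundle.crt"
    { cat "$key"; echo; cat "$crt"; } > "$dir/sendmail.pem"
    cp "$crt" "$dir/ca-bundle.crt"
    rm -f "$key" "$crt"
    chmod 400 "$dir/sendmail.pem" "$dir/ca-bundle.crt"
}

# 0 when the private key and the certificate in $1 share an RSA modulus.
# openssl skips PEM blocks of the wrong type, so both reads work on the
# combined file. A mismatch makes sendmail log a STARTTLS error and keep
# running without TLS, which is easy to miss.
pem_key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# 0 when $1 is readable by its owner only (sendmail rejects a group- or
# world-readable key file unless DontBlameSendmail is relaxed).
# ls -l is used because stat(1) flags differ between BSD and GNU.
pem_is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when the certificate in $1 has not expired.
pem_cert_valid_now() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Run all three checks on a certs directory laid out like /etc/mail/certs.
check_certs_dir() {
    dir=$1
    pem_key_matches_cert "$dir/sendmail.pem" || { echo "key/cert mismatch in $dir/sendmail.pem"; return 1; }
    pem_is_private "$dir/sendmail.pem"       || { echo "$dir/sendmail.pem is readable by others"; return 1; }
    pem_cert_valid_now "$dir/sendmail.pem"   || { echo "certificate in $dir/sendmail.pem has expired"; return 1; }
    echo "$dir: ok"
}

# Demo in a scratch directory; point check_certs_dir at /etc/mail/certs on the real box.
demo=$(mktemp -d)
make_sendmail_pem "$demo" mail.example.org
check_certs_dir "$demo"
rm -rf "$demo"
```

Run check_certs_dir /etc/mail/certs after the commands above and again from cron once in a while; the -checkend argument can be raised to a number of seconds to get warned before the self-signed certificate actually expires.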


SSMTP
ssmtp (SMTP wrapped in TLS from the first byte, on port 465) is the other half-assed hack to get encryption on an smtp connection. there's a _FFR (for future release) option you can compile into sendmail to enable it.

compile _FFR_SMTP_SSL into sendmail
patch /usr/src/gnu/usr.sbin/sendmail/sendmail/Makefile
--- gnu/usr.sbin/sendmail/sendmail/Makefile Sun Jun 8 15:43:33 2003
+++ gnu/usr.sbin/sendmail/sendmail/Makefile Sun Jun 8 15:05:56 2003
@@ -9,7 +9,7 @@
WANT_LIBSMUTIL=1

# For TLS/SSL support
-ENVDEF+= -DSTARTTLS
+ENVDEF+= -DSTARTTLS -D_FFR_SMTP_SSL
LDADD+= -lssl -lcrypto
DPADD= ${LIBSSL} ${LIBCRYPTO}
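Review bot: the `+ENVDEF+= -DSTARTTLS -D_FFR_SMTP_SSL` line turns on a build flag with nothing in the Makefile saying why. Since _FFR_ code is "for future release", i.e. not a supported feature of this sendmail version, and the flag only does anything together with the `M=s` DAEMON_OPTIONS modifier, put a `#` comment above the line stating both, so that whoever next rebuilds this tree or merges the next OpenBSD sendmail update knows what the extra define is for and can check whether it still exists.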
re-build sendmail
# cd /usr/src/gnu/usr.sbin/sendmail
# make clean && make
# make install

enable ssmtp in /usr/src/gnu/usr.sbin/sendmail/cf/cf/openbsd-proto.mc
# cd /usr/src/gnu/usr.sbin/sendmail/cf/cf
add the following line to openbsd-proto.mc (the .cf is regenerated from it in the next step):
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl
rebuild and install the config
# make
# cp openbsd-proto.cf /etc/mail/sendmail.cf

restart sendmail
kill the existing sendmail
# ps aux | grep [s]endmail | awk '{print $2}' | xargs -n 1 kill
start the new sendmail
# . /etc/rc.conf
# sendmail $sendmail_flags
thanks to David Magda for pointing out a post to comp.mail.sendmail from Andrzej Filip (originally from Krzysztof Oledzki on pl.comp.mail.mta) to enable this feature

CYRUS-IMAPD
if you'd like an imap and pop3 server, i suggest reading this: http://www.monkey.org/openbsd/archive/ports/0302/msg00266.html ... a port of cyrus-imapd 2.1.12 for openbsd. it makes life easier (but make sure you install /usr/ports/databases/db first). also note that if you remove libotp.* from /usr/local/lib/sasl2, OTP secrets will not be created and *-MD5 authentication will fail.


copyright ©2003 david l goodrich ... this document may be copied in its entirety if proper credit is given to the author. if anything breaks, it's not my fault. this should work, but i offer no warranty for the usability, etc, etc, of this document.

Posted by skp at June 09, 2003 03:20 PM
Comments

Neat. This worked perfectly for me on OpenBSD 3.6. There will never be enough sendmail configuration walk-throughs.

Posted by: Quaker Oatmeal on February 6, 2005 02:32 PM