
sendmail +sasl2 + smtp auth + smtps



This is my first attempt building a mail server and I've spent the last week
reading and learning about sendmail. Along with the official documentation for
sendmail and sasl, I've found two other good sources of documentation:

The basic installation of SASL, SMTP AUTH and SMTPS was done as detailed in the link
below, including the generation of RSA keys/certs (rather than the DSA keys suggested
in the starttls man page).
http://www.dorkzilla.org/~dlg/sendmail/

The sendmail.mc files from the "Domain Server 8.12" package were a good starting
point for configuration:
http://sial.org/sendmail/

Though I have things generally working correctly, I keep getting a very strange
message from the mta when sending mail through it:

FEB   4 03:07:28 mta0 sm-mta[238448]: no user in db

I'm running OBSD v3.4-STABLE with source from two days ago.

# uname -a
OpenBSD mta0.millenniumdes.com 3.4 GENERIC#1 i386

This test box currently lives on a private LAN (192.168.*) so my testing doesn't
leave an(other) open relay on the net. The name resolution is set up to use
/etc/hosts before DNS as per section 10.6 of the OpenBSD FAQ:
http://www.openbsd.org/faq/faq10.html

Mail Server IP: 129.168.0.222
Client System: 192.168.042

I've added a single user to sasl2 with /usr/local/sbin/saslpasswd2
From the client system, I can send mail both through the mail server to outside
world addresses and to accounts on the server (*@millenniumdes.com).

My sendmail flags in /etc/rc.conf
sendmail_flags="-v -L sm-mta -bd -q30m"

There are no relay-domains defined (FAQ 10.4) and the contents of my sendmail.mc
file are between the lines of asterisks:

********************************************************************************
divert(-1)
# $Id: sendmail.mc 2489 2003-12-16 00:23:21Z jmates $
#
# Configuration for a sendmail daemon that accepts mail for a domain as
# a primary server (e.g. mail.example.org) and acts as a POP/IMAP host
# with no general user access.  Incoming mail will either be saved
# locally with procmail, or passed on to internal endnode systems for
# power users that need command line mail access.  Mail submitted on the
# command line is processed by sendmail running with the submit.cf
# configuration, not sendmail.cf.
#
# See sendmail's cf/README file for documentation on how to adjust this
# file to suit your needs.
#
# To build sendmail.cf from this file, configure the Makefile for the
# system in question, then run 'make config reload' to rebuild the 
# configuration files and restart Sendmail.
#
divert(0)


dnl#  adjust following for system in question (darwin, linux, solaris2 are
dnl#  common; see the cf/ostype directory for others).
OSTYPE(`openbsd')


dnl#  increasing the log level allows one to debug various things
dnl#  define(`confLOG_LEVEL', 50)


dnl#  keep both a vendor and a local aliases file for better manageability
define(`ALIAS_FILE',
`MAIL_SETTINGS_DIR`'aliases,'`MAIL_SETTINGS_DIR`'aliases.local')
FEATURE(`redirect')


dnl#  Disable .forward to prevent complications (no user access anyhow)
define(`confFORWARD_PATH', `')


dnl#  Only allow user@example.org addresses.  Central mail servers
dnl#  consequently need to handle all accounts for the domain.
MASQUERADE_AS(`millenniumdes.com')
MASQUERADE_DOMAIN(`millenniumdes.com')
dnl#  MASQUERADE_EXCEPTION(`lists.millenniumdes.com')


dnl#  Set masquerade features
FEATURE(`allmasquerade')
FEATURE(`masquerade_envelope')
FEATURE(`masquerade_entire_domain')
FEATURE(`always_add_domain')


dnl#  Set queue failed message delivery warning times
define(`confTO_QUEUEWARN', 30m)
define(`confTO_QUEUEWARN_NORMAL', 30m)
define(`confTO_QUEUEWARN_URGENT', 30m)
define(`confTO_QUEUEWARN_NONURGENT', 30m)


dnl#  Set queue failed message delivery return times
define(`confTO_QUEUERETURN', 2h)
define(`confTO_QUEUERETURN_NORMAL', 2h)
define(`confTO_QUEUERETURN_URGENT', 2h)
define(`confTO_QUEUERETURN_NONURGENT', 2h)


dnl#  Assume hostnames canonical already
FEATURE(`nocanonify')


dnl#  some security options, aimed at machines that see light to 
dnl#  medium traffic.  Tweak to suit your site.
define(`confCONNECTION_RATE_THROTTLE', `8')


dnl#  Slow down username lookup scans.  May also want to patch sendmail
dnl#  to drop the connection after X many BAD_RCPT to keep spammers
dnl#  from consuming server resources:
dnl#  http://lists.roaringpenguin.com/pipermail/mimedefang/2003-January/004171.html
define(`confBAD_RCPT_THROTTLE', `5')


dnl#  prevent huge files being used as DoS attack
dnl#  define(`confMAX_MESSAGE_SIZE', `5242880')


dnl#  max number of children permitted to spawn, connections refused
dnl#  past here.  prevents runaway server under DoS, might need to be
dnl#  increased for a busy mail server
define(`confMAX_DAEMON_CHILDREN', `24')


dnl#  tightest security measures, as it is easier to relax them later...
define(`confPRIVACY_FLAGS',
``authwarnings,goaway,needmailhelo,needvrfyhelo,needexpnhelo,restrictqrun,nobodyreturn,noetrn'')


dnl#  Set this to disable listening on port 587
FEATURE(`no_default_msa')


dnl#  For IPv4 support
dnl#  The normal smtp MTA on port 25
DAEMON_OPTIONS(`Family=inet, Name=MTA')
DAEMON_OPTIONS(`Family=inet, Name=MSA, Port=587, M=E')


dnl#  For IPv6 support
dnl#  DAEMON_OPTIONS(`Family=inet6, Name=MTA6, M=O')
dnl#  DAEMON_OPTIONS(`Family=inet6, Name=MSA6, Port=587, M=O, M=E')
dnl#  define(`confBIND_OPTS', `WorkAroundBrokenAAAA')


dnl#  For  SMTPS  -raw TLS port 465 (compile sendmail with _FFR_SMTP_SSL)
dnl#  DAEMON_OPTIONS(`Family=inet,  Name=SSLMTA, Port=smtps, M=s')
dnl#  DAEMON_OPTIONS(`Family=inet6, Name=SSLMTA6, Port=smtps, M=s')
DAEMON_OPTIONS(`Family=inet,  Name=SSLMTA,  Port=465, M=s')
dnl#  DAEMON_OPTIONS(`Family=inet6, Name=SSLMTA6, Port=465, M=s')


dnl#  TLS configuration -sendmail must be compiled with STARTTLS support
define(`CERT_DIR',        `MAIL_SETTINGS_DIR`'certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT',      `CERT_DIR/CAcert.pem')
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')
define(`confSERVER_KEY',  `CERT_DIR/mykey.pem')
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')
define(`confCLIENT_KEY',  `CERT_DIR/mykey.pem')


dnl#  SASL configuration (for SMTP AUTH)
dnl#  disabled by default, as Sendmail must be compiled with SASL support


dnl#  how folks can authenticate, and which methods are allowed to relay
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
define(`confDEF_AUTH_INFO',   `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')


dnl#  assumes sendmail compiled with _FFR_SASL_OPTS, disables
dnl#  PLAIN and LOGIN over non-TLS links
dnl#  define(`confAUTH_OPTIONS', `p')
define(`confAUTH_OPTIONS', `p,y')


dnl#  sample MIMEDefang support (F=T tempfails mail when filter not available!)
dnl#  INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, T=S:5m;R:5m')
dnl#  define(`confMILTER_LOG_LEVEL', 1)
dnl#  define(`confMILTER_MACROS_HELO', ``{tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}, {verify}'')


dnl#  These may improve performance at cost of memory, open connections.
dnl#  Tip: connections will be held open if MILTER is being used.
dnl#  define(`confDELIVERY_MODE', `interactive')
dnl#  define(`confSAFE_QUEUE', `interactive')
dnl#  define(`confDF_BUFFER_SIZE', `16384')
dnl#  define(`confXF_BUFFER_SIZE', `16384')


dnl#  sample support for Spamhaus Blackhole List
dnl#  FEATURE(`enhdnsbl', `sbl.spamhaus.org', `Mail from $&{client_addr} rejected see http://www.spamhaus.org/SBL', `t', `127.0.0.2.')


dnl#  for local machine names
FEATURE(`use_cw_file')


dnl#  optional support for trusted users (needed to support mailing list
dnl#  software that munges the from addresses)
define(`confCT_FILE', `-o MAIL_SETTINGS_DIR`'trusted-users')
FEATURE(`use_ct_file')
FEATURE(`smrsh')

dnl#  FEATURE(`genericstable')
dnl#  GENERICS_DOMAIN_FILE(`-o MAIL_SETTINGS_DIR`'generics-domains')

FEATURE(`mailertable')
FEATURE(`virtusertable')
VIRTUSER_DOMAIN_FILE(`-o MAIL_SETTINGS_DIR`'virtual-domains')
FEATURE(`virtuser_entire_domain')

FEATURE(`access_db')
FEATURE(`blacklist_recipients')
dnl#  FEATURE(`delay_checks', `friend')


dnl#  do not wait for ident
define(`confTO_IDENT', `0')


dnl#  disable statistics if not using mailstats(8)
dnl#  define(`STATUS_FILE', `')


dnl#  turn off various protocols; SMTP only by default
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
undefine(`DECNET_RELAY')
undefine(`FAX_RELAY')
FEATURE(`nouucp', `reject')


dnl#  explicit procmail paths may be required on some systems
dnl#  define(`PROCMAIL_MAILER_PATH', `/usr/local/bin/procmail')
dnl#  FEATURE(`local_procmail', `/usr/local/bin/procmail')


MAILER(`smtp')
MAILER(`procmail')

LOCAL_CONFIG
dnl#  domains treated as local (see also local-host-names file)
Cwlocalhost millenniumdes.com mail.millenniumdes.com

dnl#  set following if internal hostname not resolvable by external
dnl#  systems, but mail.example.org is
dnl#  Djmail.millenniumdes.com

LOCAL_RULESETS
dnl#  HMessage-Id: $>CheckMessageId

dnl#  SCheckMessageId
dnl#  R< $+ @ $+ >		$@ OK
dnl#  R$*			$#error $: 553 Header Error

SLocal_check_rcpt
R$*			$: $&{auth_type}
R$+			$# OK

dnl#  R$*			$: $&{auth_type} $| $&{auth_authen}
dnl#  RDIGEST-MD5 $| $+@$=w	$# OK
dnl#  RGSSAPI     $| $+@$=w	$# OK
dnl#  RCRAM-MD5   $| $+@$=w	$# OK
dnl#  RLOGIN      $| $+@$=w	$# OK
dnl#  R$+			$# OK
********************************************************************************


The contents of my mail log after sending through the server to an outside world
email address (i.e. my account at my local ISP).

********************************************************************************
Feb  4 03:37:45 mta0 sm-mta[19080]: STARTTLS=server, relay=[192.168.0.42],
version=TLSv1/SSLv3, verify=NO, cipher=RC4-SHA, bits=128/128
Feb  4 03:37:45 mta0 sm-mta[19080]: AUTH=server, relay=[192.168.0.42],
authid=jcroberts, mech=CRAM-MD5, bits=0
Feb  4 03:37:45 mta0 sm-mta[19080]: i14Bbju0019080:
from=<jcroberts@millenniumdes.com>, size=450, class=0, nrcpts=1,
msgid=<opr2ugliqrbq26lo@mta0.millenniumdes.com>, proto=ESMTP, daemon=MTA,
relay=[192.168.0.42]
Feb  4 03:39:30 mta0 sm-mta[19080]: i14Bbju0019080: to=<mercury@abac.com>,
ctladdr=<jcroberts@millenniumdes.com> (1000/1000), delay=00:01:45,
xdelay=00:01:45, mailer=esmtp, pri=30359, relay=smtp.abac.com. [216.55.128.5],
dsn=2.0.0, stat=Sent (i14Bd6Fv026575 Message accepted for delivery)
********************************************************************************


From another system on the 192.168.0.* LAN, I'm using a Windows NT box to send
email through the mail server. The email client I'm using to send the mail
through the server is Opera v7.1, which supports SSL/TLS on SMTP/POP connections.
Opera has the ability to generate full session debugging logs of what takes
place on the client side:

********************************************************************************
03:52:33 SMTP IN : 
220 mta0.millenniumdes.com ESMTP Sendmail 8.12.9/8.12.9; Wed, 4 Feb 2004 03:37:45
-0800 (PST)

03:52:33 SMTP OUT : 
EHLO mercury

03:52:33 SMTP IN : 
250-mta0.millenniumdes.com Hello [192.168.0.42], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP

03:52:33 SMTP OUT : 
STARTTLS

03:52:33 SMTP IN : 
220 2.0.0 Ready to start TLS

03:52:33 SMTP OUT : 
EHLO mercury

03:52:33 SMTP IN : 
250-mta0.millenniumdes.com Hello [192.168.0.42], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP

03:52:33 SMTP OUT : 
AUTH CRAM-MD5

03:52:33 SMTP IN : 
334 PDMwNTQ5MTk5NDYuMjE1MjkwNUBtdGEwLm1pbGxlbm5pdW1kZXMuY29tPg==

03:52:33 SMTP OUT : 
amNyb2JlcnRzIDkzYzAxOTRiYzVhYWRmOGYxMjcxYmM4MDJiZDMwYzZm

03:52:33 SMTP IN : 
235 2.0.0 OK Authenticated

03:52:33 SMTP OUT : 
MAIL FROM:<jcroberts@millenniumdes.com>

03:52:33 SMTP IN : 
250 2.1.0 <jcroberts@millenniumdes.com>... Sender ok

03:52:33 SMTP OUT : 
RCPT TO:<mercury@abac.com>

03:52:33 SMTP IN : 
250 2.1.5 <mercury@abac.com>... Recipient ok

03:52:33 SMTP OUT : 
DATA

03:52:33 SMTP IN : 
354 Enter mail, end with "." on a line by itself

03:52:33 SMTP OUT : 
Organization: test
Subject: Super Opera Test 6
To: mercury@abac.com
Message-ID: <opr2ugliqrbq26lo@mta0.millenniumdes.com>
From: JCR test <jcroberts@millenniumdes.com>
Content-Type: text/plain; format=flowed; charset=iso-8859-15
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Date: Wed, 04 Feb 2004 03:52:20 -0800
User-Agent: Opera7.23/Win32 M2 build 3227

Opera Test #6

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

03:54:18 SMTP IN : 
250 2.0.0 i14Bbju0019080 Message accepted for delivery

03:54:18 SMTP OUT : 
QUIT

03:54:18 SMTP IN : 
221 2.0.0 mta0.millenniumdes.com closing connection

03:54:18 SMTP OUT : 
********************************************************************************

So in other words, I've got it working properly and _only_ with authentication
over SSL/TLS. Nonetheless, that darn error message keeps showing up on the root
login of the box (or the login screen if no one is logged in):

FEB   4 03:07:28 mta0 sm-mta[238448]: no user in db

Obviously, I've still managed to miss something, but before I go messing around
with spam and anti-virus milters, I want to know things are working perfectly.

Any feedback is appreciated.

Thanks,
JCR
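The Opera transcript in the post above records a complete STARTTLS plus CRAM-MD5 exchange. The Python script below is an added example, not part of JCR's post and not sendmail or Cyrus SASL code; it pulls out the two things a reviewer of that transcript would want to check: which AUTH mechanisms the server advertised before and after STARTTLS (the `p` in `confAUTH_OPTIONS` is meant to keep LOGIN and PLAIN out of the cleartext EHLO response, and the transcript shows it did), and what the base64 334 challenge and client reply actually contain, decoded per RFC 2195. The transcript excerpt and the two base64 tokens are copied from the post; the password `EXAMPLE_PASSWORD` is a constructed placeholder because the real one is not on the page, so the captured digest is shown not matching it while a freshly computed reply for that placeholder does.

```python
"""Decode and check the SMTP AUTH exchange from the Opera debug log.

Added example; the transcript subset and base64 tokens come from the post,
the password is a constructed placeholder (the real one is unknown).
"""
import base64
import hashlib
import hmac

# Constructed subset of the client-side transcript: timestamps dropped,
# line content unchanged from the post.
TRANSCRIPT = """\
SMTP IN :
250-mta0.millenniumdes.com Hello [192.168.0.42], pleased to meet you
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP
SMTP OUT :
STARTTLS
SMTP IN :
220 2.0.0 Ready to start TLS
SMTP OUT :
EHLO mercury
SMTP IN :
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250 HELP
SMTP OUT :
AUTH CRAM-MD5
SMTP IN :
334 PDMwNTQ5MTk5NDYuMjE1MjkwNUBtdGEwLm1pbGxlbm5pdW1kZXMuY29tPg==
SMTP OUT :
amNyb2JlcnRzIDkzYzAxOTRiYzVhYWRmOGYxMjcxYmM4MDJiZDMwYzZm
SMTP IN :
235 2.0.0 OK Authenticated
"""

# The 334 challenge and the client reply, copied from the post.
CHALLENGE_B64 = "PDMwNTQ5MTk5NDYuMjE1MjkwNUBtdGEwLm1pbGxlbm5pdW1kZXMuY29tPg=="
RESPONSE_B64 = "amNyb2JlcnRzIDkzYzAxOTRiYzVhYWRmOGYxMjcxYmM4MDJiZDMwYzZm"

# Constructed placeholder; the real password is not on the page.
EXAMPLE_PASSWORD = "constructed-example-password"

# Mechanisms that carry the password in the clear and should only be
# offered inside TLS.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}


def auth_mechs_by_phase(transcript):
    """Return (mechs advertised before STARTTLS, mechs advertised after).

    The phase flips when the server answers the client's STARTTLS with a
    220; every 250-AUTH line seen after that belongs to the TLS session.
    """
    before, after = [], []
    tls, pending_starttls = False, False
    for raw in transcript.splitlines():
        line = raw.strip()
        if line == "STARTTLS":
            pending_starttls = True
        elif pending_starttls and line.startswith("220"):
            tls, pending_starttls = True, False
        elif line.startswith("250-AUTH "):
            (after if tls else before).extend(line.split()[1:])
    return before, after


def cleartext_mechs_offered_before_tls(transcript):
    """List any LOGIN/PLAIN offers that appeared on the unencrypted channel."""
    before, _ = auth_mechs_by_phase(transcript)
    return sorted(CLEARTEXT_MECHS.intersection(before))


def decode_cram_md5_exchange(challenge_b64, response_b64):
    """Split the base64 334 challenge and client reply into their parts."""
    challenge = base64.b64decode(challenge_b64).decode("ascii")
    username, digest_hex = base64.b64decode(response_b64).decode("ascii").split(" ", 1)
    return challenge, username, digest_hex


def cram_md5_response(username, password, challenge):
    """Client side of RFC 2195: base64("user " + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode("ascii")


def verify_cram_md5(challenge_b64, response_b64, password):
    """Server side: recompute the digest from the stored secret and compare."""
    challenge, _username, digest_hex = decode_cram_md5_exchange(challenge_b64, response_b64)
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest_hex)


if __name__ == "__main__":
    before, after = auth_mechs_by_phase(TRANSCRIPT)
    print("AUTH before STARTTLS:", before)
    print("AUTH after  STARTTLS:", after)
    print("cleartext mechs offered before TLS:", cleartext_mechs_offered_before_tls(TRANSCRIPT))
    challenge, user, digest = decode_cram_md5_exchange(CHALLENGE_B64, RESPONSE_B64)
    print(f"challenge={challenge!r} user={user!r} digest={digest}")
    print("captured digest matches placeholder password:",
          verify_cram_md5(CHALLENGE_B64, RESPONSE_B64, EXAMPLE_PASSWORD))
```

Two points the decoded exchange makes visible: the CRAM-MD5 reply carries the username in the clear with only an HMAC of the server's one-time challenge, so the password never crosses the wire, but the server must hold the shared secret itself (not a one-way hash) to recompute that HMAC, which is why a challenge-response mechanism is backed by a store such as sasldb filled with saslpasswd2. The `hmac.compare_digest` call keeps the server-side comparison constant-time.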