Tuesday, April 3, 2012

Secured Sendmail with SMTP Authentication

This was my first step when I decided that I wanted my own mail server.

I've been using FreeBSD for more than 2 years now, and clearly: I'm very happy with it. The OS itself is KISS! Exactly that, no less, no more.

I know there are a few mail servers out there, but since FreeBSD is shipped (for free) with sendmail, then I decided I'll use nothing but sendmail. It's in the base, it's working, and there are blog posts that are talking about it.

You can read it in the title of this post: I want a secure (through certificate) mail server, and I want people using this server to authenticate themselves. There are reasons for those choices:

  • Through Certificate: things would be encrypted with SSL. I don't want mails and authentications to appear in the clear on any network, even if the network I'm on is said to be "Secure".
  • SMTP Authentication: People that want to use my mail server shall have an account on my server. They have to authenticate to send mails. This means I don't want spammers to be able to send spam through my server, and this is one step toward that
    • there are other steps that I'll explain in this series of posts

The order in which I installed my mail server was in fact:

This step is really simple since everything is explained in the FreeBSD documentation:

When you're done with these steps, we can start to configure Sendmail.
Where to start:

# cd /etc/mail

Now that we're there, there are a few files like freebsd.mc, freebsd.cf, freebsd.submit.mc, freebsd.submit.cf.
The .cf ones are complex, but no worries since they are generated from the .mc ones.
Let's say you want to dedicate your server to mail services only, and that it's called mail.host.com, which means your /etc/rc.conf contains:

hostname="mail.host.com"

You first need to create .mc and .cf for your server.

# cd /etc/mail
# make cf

This will create:
  • mail.host.com.mc
    • this is where most of the configuration will be done
  • mail.host.com.submit.mc
    • I don't remember ever touching this file, but you can have a look at it since it can still be instructive
  • mail.host.com.cf
    • generated from your mail.host.com.mc
  • mail.host.com.submit.cf
    • generated from your mail.host.com.submit.mc
So out of these 4 files, there's only one we will configure.

Let's say you've created your host "mail.host.com" because you want to have your e-mails in the host.com domain, meaning you want e-mail addresses ending in @host.com.
You have to add "host.com" to /etc/mail/local-host-names, so that this command shows your domain name:

# cat /etc/mail/local-host-names
host.com
#

From here, you could type "make all install restart" and your server would work. But we're not there yet, since we still have to configure our mail.host.com.mc following step 6 of SMTP Authentication with Sendmail and SASL2.

Once you've added those, you also want to add this:

define(`confPRIVACY_FLAGS', `authwarnings,noexpn,needvrfyhelo')
MODIFY_MAILER_FLAGS(`LOCAL', `-f')
MAILER(local)
MAILER(smtp)

We are sure that our users will be trusted ones, since they will be authenticated, so it's a step forward in security. You can also check sendmail(8).
As for the privacy flags, I think it's better to let other mail servers check if your user's e-mail address exists, but you could also put "novrfy" in place of "needvrfyhelo".

saslauthd should be running on your server (step 3 in SMTP Authentication with Sendmail and SASL2), so the last thing you need to do here is:

# cd /etc/mail
# make all install restart

"If all has gone correctly, you should be able to enter your login information into the mail client and send a test message. For further investigation, set the LogLevel of sendmail to 13 and watch /var/log/maillog for any errors."


Now you should be able to create users on your server, and they should be able to authenticate to receive and send mails.

When it comes to security, I prefer it with SSL or with features that enable the software to encrypt data.

First things first: we have to create a self-signed certificate. It is not required that it be self-signed; I just didn't want to lose time getting my cert signed by a CA.
In this example, the self-signed certificate will expire in 10 years:

# cd /etc/mail
# mkdir certs
# cd certs
# openssl req -newkey rsa:2048 -keyout mail.host.com.key \
-nodes -x509 -days 3650 -out mail.host.com.csr
# cat mail.host.com.key mail.host.com.csr > mail.host.com.pem
# cp mail.host.com.csr mail.host.com.cer
# chmod 400 mail.host.com.pem
# chmod 400 mail.host.com.cer

Once you're done with that, you can add these lines to your /etc/mail/mail.host.com.mc:

dnl SSL Options
define(`confCACERT_PATH',`/etc/mail/certs')dnl
define(`confCACERT',`/etc/mail/certs/mail.host.com.cer')dnl
define(`confSERVER_CERT',`/etc/mail/certs/mail.host.com.pem')dnl
define(`confSERVER_KEY',`/etc/mail/certs/mail.host.com.pem')dnl
define(`confCLIENT_CERT',`/etc/mail/certs/mail.host.com.pem')dnl
define(`confCLIENT_KEY',`/etc/mail/certs/mail.host.com.pem')dnl
define(`confAUTH_OPTIONS', `p,y')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl

The lines with your certs make your server and clients use these certificates.
The AuthOptions line disallows ANONYMOUS as an AUTH mechanism and allows PLAIN and LOGIN only if a security layer (e.g., provided by STARTTLS) is already active.
And the last line tells sendmail not to verify the client certificate, since that is not a requirement.

Once you're done editing your /etc/mail/mail.host.com.mc:

# cd /etc/mail
# make all install restart

From here, you should be able to access your SMTP server mail.host.com with SSL enabled. Here is a way to verify that STARTTLS is enabled on your mail server:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.host.com ESMTP Sendmail 8.14.5/8.14.5; Tue, 3 Apr 2012 13:09:16 +0200 (CEST)
ehlo localhost
250-mail.host.com Hello mail.host.com [111.222.000.111], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
QUIT
221 2.0.0 mail.host.com closing connection
Connection closed by foreign host.
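
The same check can be scripted. The following is an added example, not part of the original post: a small sh function (the name check_ehlo is made up here) that reads a saved plaintext EHLO reply and confirms that STARTTLS is advertised and that PLAIN, LOGIN and ANONYMOUS are not offered before TLS, which is what the `p,y' AuthOptions above should produce. The second sample reply is constructed for illustration.

```shell
#!/bin/sh
# check_ehlo: read a plaintext (pre-STARTTLS) EHLO reply on stdin and check
# what the TLS setup and confAUTH_OPTIONS `p,y' are supposed to guarantee.
# Exit status: 0 = as expected, 1 = STARTTLS not offered,
#              2 = PLAIN/LOGIN/ANONYMOUS offered before TLS, 3 = both problems.
check_ehlo() {
    tr -d '\r' | awk '
        # Only EHLO reply lines ("250-..." continuation, "250 ..." final) matter.
        /^250[- ]/ {
            line = toupper(substr($0, 5))
            if (line ~ /^STARTTLS( |$)/) starttls = 1
            # Accept both "AUTH mech..." and the legacy "AUTH=mech..." form.
            if (line ~ /^AUTH[ =]/) {
                n = split(substr(line, 6), mech, " ")
                for (i = 1; i <= n; i++)
                    if (mech[i] == "PLAIN" || mech[i] == "LOGIN" || mech[i] == "ANONYMOUS")
                        bad = bad " " mech[i]
            }
        }
        END {
            rc = 0
            if (!starttls) { print "FAIL: STARTTLS not advertised"; rc += 1 }
            if (bad != "") { print "FAIL: offered before TLS:" bad; rc += 2 }
            if (rc == 0) print "OK: STARTTLS offered, no PLAIN/LOGIN/ANONYMOUS before TLS"
            exit rc
        }'
}

# EHLO reply lines taken from the telnet session shown above (expected to pass).
GOOD_REPLY='250-mail.host.com Hello mail.host.com [111.222.000.111], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP'

# Constructed reply: a server with no TLS configured and without the p option.
BAD_REPLY='250-mail.host.com Hello localhost [127.0.0.1], pleased to meet you
250-AUTH LOGIN PLAIN CRAM-MD5
250 HELP'

printf '%s\n' "$GOOD_REPLY" | check_ehlo
printf '%s\n' "$BAD_REPLY" | check_ehlo || echo "exit status: $?"
```

Only feed it the reply received before STARTTLS: once the TLS layer is active, the server may legitimately advertise PLAIN and LOGIN.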


Next steps

The next steps will be in another post; I'll update this one with a direct link. It should talk about spam (ClamAV/SpamAssassin), SPF, and DKIM.
Sendmail, the SPF, the DKIM, and the Spam