Sendmail+TLS+SMTP-AUTH - A Quick and Dirty howto
Reliable, flexible, and configurable enough to solve any mail routing needs, sendmail
has withstood the test of time, but has become no less daunting in its complexity.
Even the most experienced system administrators have found it challenging to
configure and difficult to understand. We cut through the chase and describe
how to setup sendmail with industry standard encryption and discourage spam
in less than an hour. Although described as a Slackware specific howto,
the actual setup is similar for all UNIX's.
This HOWTO is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more details.
Copyright (C) 2006 Strykar: s_at_hackerzlair_dot_org
Sendmail server configuration achieved by this howto:

SMTP-AUTH based relay for authorized users only.
Encrypted SMTP-AUTH client/server transaction preventing sniffing of username and passwords.
Configure and use Cyrus SASL to verify user credentials against the UNIX shadow file.
Create and use your own SSL certificates. Get them signed at no charge by cacert.org
    and use their CRL.
Disable using the old SSLv2 protocol and support SSLv3 and TLSv1.
Enable/Disable use and verification of client certificates for user identification.
Throttle the number of connections sendmail will accept and limit the number of
    child processes it spawns.
Use features like delay checks to make full use of the versatile access_db.
Enable blacklisting recipients and use DNSBL for real-time blackisting of known spam hosts.
Use regular expressions and the MAP_REGEX feature to ease complicated header processing
    and re-writing. -- TBD
The ability to add any missing/desired sendmail feature to itself by mailing the author a
    postcard with pictures of mountains in your area.

Prerequisites:

Untouched Slackware 12 or updated to Slackware-current install Sendmailwise.
Latest version of sendmail - v 8.14.1 at the time of writing. You can check your
    version by sendmail -d0.1 -bt < /dev/null Just wget && upgradepkg
    the latest version from your favorite Slackware mirror.
Make sure the output of the command above at least includes:
Compiled with: DNSMAP LOG MAP_REGEX SASLv2 STARTTLS USERDB
Ensure you have the latest version of Cyrus-SASL - v 2.1.22 at the time of writing.
See that our required password mechanisms are allowed by doing:

root@john:~# saslauthd -v
saslauthd 2.1.22
authentication mechanisms: getpwent rimap shadow

shadow is what we will use.
A real hostname that is available when you: host myhost.org
Reset any configurations you may have played with for Cyrus-SASL and sendmail.
    Keep your pack of smokes and mug of coffee handy.
    Figure out why your system won't play nice if it doesn't meet any of the
    above prerequisites.
Call that friend who told you to move to Postfix and ask him to call you back
    in an hour.

Diving right in:
For the purpose of this HOWTO, we will assume the FQDN of the host is
       john.doe.org.
First, start by creating your CA and certificates by making a CA.pl.diff file
   exactly as below:
root@john:~# cat CA.pl.diff
--- CA.pl 2003-09-30 16:59:10.000000000 -0500
+++ CA1.pl 2003-11-07 09:06:54.000000000 -0600
@@ -58,12 +58,12 @@
exit 0;
} elsif (/^-newcert$/) {
# create a certificate
- system (&quot;$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS&quot;);
+ system (&quot;$REQ -new -x509 -nodes -keyout newreq.pem -out newreq.pem $DAYS&quot;);
$RET=$?;
print &quot;Certificate (and private key) is in newreq.pem\n&quot;
} elsif (/^-newreq$/) {
# create a certificate request
- system (&quot;$REQ -new -keyout newreq.pem -out newreq.pem $DAYS&quot;);
+ system (&quot;$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS&quot;);
$RET=$?;
print &quot;Request (and private key) is in newreq.pem\n&quot;;
} elsif (/^-newreq-nodes$/) {
Now copy /etc/ssl/misc/CA.pl to a new directory.
In this directory: patch -o CA1.pl &lt; CA.pl.diff
Running the modified CA1.pl will give you two files, newreq.pem and newkey.pem.
 Leave these aside for now.
1. Make sure you have the user smmsp, sendmail will not start up unless it has
it's own userid:
root@john::~# cat /etc/passwd | grep smmsp
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
If not, create one:
root@john:~# groupadd -g 25 smmsp
root@john:~# useradd -u 25 -g 25 -c smmsp -d /var/spool/clientmqueue -s /usr/bin/true smmsp
root@john:~# mkdir -p /var/spool/clientmqueue /var/spool/mqueue
root@john:~# chmod 770 /var/spool/clientmqueue
root@john:~# chown smmsp /var/spool/clientmqueue
root@john:~# chgrp smmsp /var/spool/clientmqueue
root@john:~# chmod 700 /var/spool/mqueue
root@john:~# chown root /var/spool/mqueue
root@john:~# chgrp daemon /var/spool/mqueue

2. Now edit /etc/access and make sure your hostname is in there:
root@john:~# cat /etc/mail/access
john.doe.org RELAY
doe.org RELAY
3. Now edit /etc/hosts and make sure 127.0.0.1 points to localhost:
root@john:~# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain
1.2.3.4 john.doe.org john
Replace 1.2.3.4 with the actual public IP address of your mailserver.
4. Now edit /etc/resolv.conf and make sure the DNS settings your ISP
   provided you are in there:
root@john:~# cat /etc/resolv.conf
search doe.org
nameserver 1.2.3.4
Replace 1.2.3.4 with the IP address of your ISP's DNS box.
5. Create a directory where sendmail will read your certificates for TLS from:
root@john:~# mkdir /etc/mail/certs
Get newreq.pem signed by CAcert.org or your CA and copy the new signed certificate.
   Name it CA.cert.pem and the newreq.pem and newkey.pem certificates
   to /etc/mail/certs.
Name your certificates anything you like, if you're copy pasting from this
   HOWTO; name them:
Certificate Authority CA: CA.cert.pem
Server certificate: smtp.cert.pem
Server key: smtp.key.pem
Copy all three into /etc/mail/certs
These need strict permissions as they shouldn't be world-readable:
root@john:~# chmod -R 700 /etc/mail/certs
root@john:~# chown -R root:sys /etc/mail/certs
6. Whip up your favorite editor (mine's joe) and edit
/usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc
Make sure it includes all the options below.
CAREFULLY READ the notes after the end of the configuration,
denoted by dnl# EOF to understand the additions
I have made to the default sendmail-slackware-tls-sasl.mc file.
Ensure you know what you're doing if you modify anything.
root@john:~# cat /usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc
dnl# This is the a sendmail .mc file for Slackware with TLS support.
dnl# To generate the sendmail.cf file from this (perhaps after making
dnl# some changes), use the m4 files in /usr/share/sendmail/cf like this:
dnl#
dnl# cp sendmail-slackware-tls.mc /usr/share/sendmail/cf/config.mc
dnl# cd /usr/share/sendmail/cf
dnl# sh Build config.cf
dnl#
dnl# You may then install the resulting .cf file:
dnl# cp config.cf /etc/mail/sendmail.cf
dnl#
include(`../m4/cf.m4')
VERSIONID(`TLS supporting setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
dnl#
dnl# You will need to create the certificates below with OpenSSL first:
define(`confCACERT_PATH', `/etc/mail/certs/')
define(`confCACERT', `/etc/mail/certs/CA.cert.pem')
define(`confSERVER_CERT', `/etc/mail/certs/smtp.cert.pem')
define(`confSERVER_KEY', `/etc/mail/certs/smtp.key.pem')
dnl# define(`confCLIENT_CERT', `/etc/mail/certs/clientcert.pem')dnl
dnl# define(`confCLIENT_KEY', `/etc/mail/certs/clientkey.pem')dnl
define(`confTLS_SRV_OPTIONS', `V')
define(`confCRL', `/etc/mail/certs/revoke.crl')
define(`confCONNECTION_RATE_THROTTLE', `100')
define(`confMAX_DAEMON_CHILDREN',`1000')
dnl# These settings help protect against people verifying email addresses
dnl# at your site in order to send you email that you probably don't want:
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl# Uncomment the line below to send outgoing mail through an external server:
dnl define(`SMART_HOST',`mailserver.example.com')
dnl# No timeout for ident:
define(`confTO_IDENT', `0')dnl
dnl# Enable the line below to use smrsh to restrict what sendmail can run:
dnl FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
dnl# LOCAL_CONFIG
dnl# CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
dnl# See the README in /usr/share/sendmail/cf for a ton of information on
dnl# how these options work:
FEATURE(`delay_checks')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
dnl #FEATURE(`enhdnsbl', `relays.ordb.org', `', `t', `127.0.0.2')
FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected spam as" $&{client_addr} " found in dnsbl.sorbs.net"')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"Spam blocked see: http://www.abuse.net/sbl.phtml?IP="$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl', `list.dsbl.org', `"Spam blocked see: http://dsbl.org"$&{client_addr}', `t')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
FEATURE(`no_default_msa')dnl
dnl# Turn this feature on if you don't always have DNS, or enjoy junk mail:
dnl FEATURE(`accept_unresolvable_domains')dnl
EXPOSED_USER(`root')dnl
dnl# Also accept mail for localhost.localdomain:
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl# Allow SASL authentication/relaying:
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=E')dnl
dnl# EOF

Notice the filenames in define(`confCACERT', `/etc/mail/certs/CA.cert.pem')
   define(`confSERVER_CERT', `/etc/mail/certs/smtp.cert.pem')
   define(`confSERVER_KEY', `/etc/mail/certs/smtp.key.pem')
-- make sure your certificates are named exactly the same as in your mc configuration.
I use free certificates signed by
www.cacert.org and use their
CRL as defined in define(`confCRL', `/etc/mail/certs/revoke.crl') above.
The define(`confAUTH_OPTIONS', `A p y')dnl configures sendmail to:

		
The A is a workaround for broken MTAs that do not implement RFC 2554.
                
The p option tells sendmail: "don't permit mechanisms susceptible
                    to simple passive attack	 (e.g., LOGIN, PLAIN), unless a
                    security layer (think TLS tunnel) is active."
                
The y option prohibits anonymous logins.


Take note that this will only allow LOGIN/PLAIN SMTP-AUTH after encryption has been
   established in a TLS tunnel. Allowing both TLS and non-TLS PLAIN/LOGIN SMTP-AUTH
   is left as an exercise to the reader.
Read:
http://www.sendmail.org/~ca/email/doc8.12/op-sh-5.html#sh-5.6
   for more information.
The define(`confCONNECTION_RATE_THROTTLE', `100') and
define(`confMAX_DAEMON_CHILDREN',`1000') are for my configuration and should be
   set to 50% higher than what your requirements are. If you don't understand what this does
   (sendmail forks); comment those two lines out with a dnl# before them like:
   dnl# define (`confMAX_DAEMON_CHILDREN',`1000')
None of my user's email clients use certificates; this tells sendmail not to ask for them for one:
  define(`confTLS_SRV_OPTIONS', V')
SLACKWARE USERS NOTE line 37:
LOCAL CONFIG
CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
This disables using the older SSLv2 protocol and allows SSLv3 and TLSv1.
You'll need some openssl ciphers and perl-fu to get this going with
Slackware 12 as it's not compiled with _FFR_TLS_1. STARTTLS

Read this for info on setting it up in Slackware, it's trivial.
Some older clients don't speak TLS and you may want to skip this.
7. Now:
root@john:~# cd /usr/share/sendmail/cf/cf
root@john:~# m4 sendmail-slackware-tls-sasl.mc &gt; /etc/mail/sendmail.cf
Also remember that the mc file should always end in a new line. So hit enter at the end of
sendmail-slackware-tls-sasl.mc if m4 crashes with an
m4: INTERNAL ERROR: recursive push_string error.
8. If the previous command gives no errors, you're done!
Simply restart sendmail using /etc/rc.d/rc.sendmail restart
Now see what sendmail is saying by tail -f /var/log/maillog
You can increase log verbosity by adding: -O LogLevel=16
 to /etc/rc.d/rc.sendmail
9. Also: Add hosts for which you receive mail to /etc/mail/local-host-names
root@john:~# cat /etc/mail/local-host-names
# names of hosts for which we receive email
john.doe.org
doe.org
10. Make sure SASL is with you:
root@john:~# cat /usr/lib/sasl2/Sendmail.conf#
pwcheck_method:saslauthd
mech_list:login plain#
root@john:~# testsaslauthd -u yourusername -p yourpassword
If you see:
0: OK! Success!
Congratulations! SASL is now working.
If not, make sure saslauthd is running by: /etc/rc.d/rc.saslauthd start
11. Most errors are because of not following this HOWTO to the T.
Go over each step again and confirm you did everything right.
12. If Google isn't sorting out your issues and you use Slackware,
  mail me: s_at_hackerzlair_dot_org