Sendmail Book

Sendmail is the default Mail Transfer Agent (MTA) installed with FreeBSD. It accepts mail from mail clients, such as Thunderbird, and delivers it to the appropriate mail host, as defined by its configuration. Sendmail can also accept network connections and deliver mail to local mailboxes or to another program.

I will cover the importance of DNS records in relation to Sendmail, then recompiling Sendmail under FreeBSD to accept SMTP-AUTH connections. This involves installing the cyrus-sasl security layer and touching on a few of Sendmail's configuration files. Finally we will verify that SMTP-AUTH has been implemented.

Sendmail DNS Configuration

This is really important: the hostname has to be set. Make sure it is set in /etc/rc.conf, then update your DNS zone to add an MX record. Most likely you can do this with your DNS provider, as you probably will not be running a DNS server. Your DNS zone should contain something similar to the following table:

Host                 Record Type   Preference
mail.pbdigital.org   MX            10

Compile Sendmail to support SMTP Auth

We need to complete a couple of steps before we start to recompile Sendmail. First, as with all FreeBSD services, start by updating /etc/rc.conf to allow the Sendmail service to run.

echo 'sendmail_enable="YES"' >> /etc/rc.conf

Secondly, install cyrus-sasl, which we will use as the Sendmail authentication mechanism.

pkg install cyrus-sasl

pkg install prints a message from the package that will be useful later.

Message from cyrus-sasl-2.1.26_12:
You can use sasldb2 for authentication, to add users use:

        saslpasswd2 -c username

If you want to enable SMTP AUTH with the system Sendmail, read
Sendmail.README

NOTE: This port has been compiled with a default pwcheck_method of
      auxprop.  If you want to authenticate your user by /etc/passwd,
      PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and
      set sasl_pwcheck_method to saslauthd after installing the
      Cyrus-IMAPd 2.X port.  You should also check the
      /usr/local/lib/sasl2/*.conf files for the correct
      pwcheck_method.
      If you want to use GSSAPI mechanism, install
      ports/security/cyrus-sasl2-gssapi.
      If you want to use LDAP auxprop plugin, install
      ports/security/cyrus-sasl2-ldapdb.

Fetching source and recompiling

As Sendmail is part of the base system for FreeBSD, we need to fetch the source for our release. This can be done as follows.

fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/10.3-RELEASE/src.txz && tar -C / -xJvf src.txz

The -C flag with the / argument tells tar to change to the root directory before unpacking the tarball. This makes sure the source ends up in /usr/src.

Next, add flags for Sendmail in /etc/make.conf. These tell the build to compile the SASL features into Sendmail.

SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

Then we recompile Sendmail with the following commands.

cd /usr/src/lib/libsmutil
make cleandir && make obj && make
cd /usr/src/lib/libsm
make cleandir && make obj && make
cd /usr/src/usr.sbin/sendmail
make cleandir && make obj && make && make install

After Sendmail has been compiled and reinstalled, edit /etc/mail/freebsd.mc or the local.mc, depending what is available in the /etc/mail directory. Many administrators choose to use the output from hostname as the name of the .mc file for uniqueness.

Add these lines at the end of your .mc file

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN')dnl
dnl p: do not offer LOGIN/PLAIN unless a TLS security layer is active
define(`confAUTH_OPTIONS', `p')dnl

These options configure the different methods available to Sendmail for authenticating users. To use a method other than pwcheck, refer to the Sendmail documentation.

The p value of confAUTH_OPTIONS tells Sendmail to refuse the mechanisms that expose the password to a passive listener (LOGIN and PLAIN) unless the connection is protected by an SSL/TLS transport. This post does not cover adding SSL certificates.

Finally, run make whilst in the /etc/mail directory. That will process the .mc file with m4 and create a .cf file named either freebsd.cf or after the name of the local .mc. Then run make all install restart, which will copy the file to sendmail.cf and properly restart Sendmail. For more information about this process, refer to /etc/mail/Makefile.

make
make all install restart

Setup SASL Authentication

Two steps are required: first creating a user in the sasldb2 database, then indicating in /usr/local/lib/sasl2/Sendmail.conf that we will be using sasldb2 (the auxprop method from the package message above).

saslpasswd2 -c philip
echo "pwcheck_method: auxprop" >> /usr/local/lib/sasl2/Sendmail.conf

Confirming SASL is Implemented

You can then check whether SASL auth is working in Sendmail by connecting with telnet and verifying that a 250-AUTH line listing the mechanisms (here DIGEST-MD5 CRAM-MD5 LOGIN) is present. With the p option in effect, LOGIN is withheld until STARTTLS has been negotiated, so on a plain telnet session expect the AUTH line to list only DIGEST-MD5 and CRAM-MD5.

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 muscleman.thepark ESMTP Sendmail 8.15.2/8.15.2; Sat, 5 Mar 2016 09:53:49 +0100 (CET)
ehlo localhost
250-muscleman.thepark Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
^]
telnet> quit
Connection closed.
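The same EHLO check, scripted as an added example (not from the original post): it parses the extension list, flags plaintext-capable mechanisms offered before TLS, and can repeat the audit against a live server in clear and after STARTTLS. It assumes the server is on localhost:25 and presents a certificate Python's default context can verify; the sample reply is a trimmed copy of the telnet session above.

```python
import smtplib
import ssl
# Constructed sample, trimmed from the EHLO reply in the telnet session above.
SAMPLE_EHLO = """\
250-muscleman.thepark Hello localhost [127.0.0.1], pleased to meet you
250-8BITMIME
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
250-STARTTLS
250 HELP"""

PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}   # password recoverable by a passive listener


def parse_ehlo(reply):
    """Map each '250-KEYWORD params' line to {KEYWORD: [params]}, skipping the greeting."""
    exts = {}
    bodies = [ln[4:].strip() for ln in reply.splitlines() if ln.startswith("250")]
    for body in bodies[1:]:             # bodies[0] is the 'Hello ...' greeting
        parts = body.split()
        exts[parts[0].upper()] = parts[1:]
    return exts


def audit_auth(exts, encrypted):
    """Return findings about the AUTH mechanisms advertised in this session state."""
    mechs = set(exts.get("AUTH", []))
    if not mechs:
        return ["AUTH not advertised: SASL support is not active"]
    findings = []
    if not encrypted and "STARTTLS" not in exts:
        findings.append("STARTTLS not offered: credentials would always cross the wire in clear")
    weak = sorted(mechs & PLAINTEXT_MECHS)
    if weak and not encrypted:
        findings.append("plaintext-capable mechanisms offered before TLS: " + " ".join(weak))
    return findings


def live_audit(host="localhost", port=25):
    """Audit a running server in clear, then again after STARTTLS (cert must verify)."""
    report = {}
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        feats = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
        report["clear"] = audit_auth(feats, encrypted=False)
        if "STARTTLS" in feats:
            s.starttls(context=ssl.create_default_context())
            s.ehlo()                    # extension list must be re-read after TLS
            feats = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
            report["tls"] = audit_auth(feats, encrypted=True)
    return report
```

Run live_audit() on the mail host itself; an empty list under "clear" and "tls" means only challenge-response mechanisms are offered before TLS and LOGIN appears only once the session is encrypted.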

Permitting Sendmail to accept emails coming from the SASL Authorized User

We need to allow our domain to send email from the SASL authorized user. This is accomplished by editing the /etc/mail/access file. Whenever this file is updated, rebuild its database with makemap hash and restart Sendmail.

cd /etc/mail
echo "From:pbdigital.org     OK" >> access
makemap hash /etc/mail/access < /etc/mail/access
service sendmail restart

Now we can send an email from an MUA, for example Thunderbird, via SMTP AUTH, and Sendmail will deliver it to any mail server on the internet.

Note: if your mail server does not have a Fully Qualified Domain Name, the receiving mail server may block this email.

A note on key permissions for STARTTLS if you are using SSL certificates

You will need to add the following to your hostname.mc file (the .mc named after the host, as above) to allow use of a group-readable private key, then rebuild and reinstall the configuration.

cd /etc/mail
cat >> hostname.mc <<'EOF'
define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')dnl
EOF
make
make all install restart

Wrapping Up

If you want to stick around for my journey with Sendmail & IMAP, I will be adding a couple more posts: one on a secondary mail/relay server, and one adding IMAP into the mix.