Sendmail is the default Mail Transfer Agent (MTA) installed with FreeBSD. It accepts mail from mail clients, such as Thunderbird, and delivers it to the appropriate mail host, as defined by its configuration. Sendmail can also accept network connections and deliver mail to local mailboxes or to another program.
I will cover the importance of the DNS records in relation to Sendmail, and then recompiling Sendmail under FreeBSD to accept SMTP-AUTH connections. This involves installing the cyrus-sasl security layer and touching on a few of Sendmail's configuration files. Finally we will verify that SMTP-AUTH has been implemented.
Sendmail DNS Configuration
This is really important: the hostname has to be set. Make sure it is set in /etc/rc.conf, then update your DNS zone to add an MX record. Most likely you can do this with your DNS provider, as you probably will not be running a DNS server. Your DNS record should contain something similar to the following table:
Compile Sendmail to support SMTP Auth
We need to complete a couple of steps before we start to recompile Sendmail. First, as with all FreeBSD services, start by updating /etc/rc.conf to allow the Sendmail service to run.
echo 'sendmail_enable="YES"' >> /etc/rc.conf
Secondly we install cyrus-sasl which we will use as the Sendmail authentication mechanism.
pkg install cyrus-sasl
This pkg install method gives us some information, which may be useful later.
Message from cyrus-sasl-2.1.26_12:

You can use sasldb2 for authentication, to add users use:
    saslpasswd2 -c username

If you want to enable SMTP AUTH with the system Sendmail, read Sendmail.README

NOTE: This port has been compiled with a default pwcheck_method of auxprop.
If you want to authenticate your user by /etc/passwd, PAM or LDAP, install
ports/security/cyrus-sasl2-saslauthd and set sasl_pwcheck_method to saslauthd
after installing the Cyrus-IMAPd 2.X port. You should also check the
/usr/local/lib/sasl2/*.conf files for the correct pwcheck_method.

If you want to use GSSAPI mechanism, install ports/security/cyrus-sasl2-gssapi.

If you want to use LDAP auxprop plugin, install ports/security/cyrus-sasl2-ldapdb.
Fetching source and recompiling
As Sendmail is part of the base system for FreeBSD, we need to fetch the source for our release. This can be done as follows.
fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/10.3-RELEASE/src.txz && tar -C / -xzvf src.txz
The -C flag with the / argument tells tar to change to the root directory before unpacking the tarball. This makes sure the source ends up in /usr/src.
Next, add the following flags for Sendmail in /etc/make.conf. This tells the build to compile in the SASL features.
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
Then we recompile Sendmail with the following commands.
cd /usr/src/lib/libsmutil
make cleandir && make obj && make
cd /usr/src/lib/libsm
make cleandir && make obj && make
cd /usr/src/usr.sbin/sendmail
make cleandir && make obj && make && make install
After Sendmail has been compiled and reinstalled, edit /etc/mail/freebsd.mc or the local .mc file, depending on which is available in the /etc/mail directory. Many administrators choose to use the output of hostname as the name of the .mc file for uniqueness.
Add these lines at the end of your .mc file:
dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN -p')dnl
These options configure the different methods available to Sendmail for authenticating users. To use a method other than pwcheck, refer to the Sendmail documentation.
The -p flag tells Sendmail to refuse any connections that are not made through a SSL/TLS transport. This post does not cover adding SSL certificates.
Finally, run make whilst in the /etc/mail directory. That will process the .mc file and create a .cf file named either freebsd.cf or the name used for the local .mc. Then, run make all install restart, which will copy the file to sendmail.cf and properly restart Sendmail. For more information about this process, refer to /etc/mail/Makefile.
make
make all install restart
Setup SASL Authentication
Two steps are required: first creating a user in the saslpasswd database, then indicating in the Sendmail.conf file that we will be using that database.
saslpasswd2 philip
echo "pwcheck_method: auxprop" >> /usr/local/lib/sasl2/Sendmail.conf
Confirming SASL is Implemented
You can then check whether SASL Auth is working in Sendmail by running telnet and verifying that the line 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN is present in the EHLO response.
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 muscleman.thepark ESMTP Sendmail 8.15.2/8.15.2; Sat, 5 Mar 2016 09:53:49 +0100 (CET)
ehlo localhost
250-muscleman.thepark Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
^]
telnet> quit
Connection closed.
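The telnet check above is done by eye. The script below is an added example, not part of the original post, that does the same check on a saved EHLO response: it extracts the advertised AUTH mechanisms, confirms STARTTLS is offered, and flags the case where a password-carrying mechanism (LOGIN or PLAIN) is advertised with no STARTTLS at all. The sample response is constructed from the session above with a made-up hostname; the fetch_ehlo helper assumes nc(1) is available (it is in FreeBSD base) and is only needed against a live server.

```shell
#!/bin/sh
# Added example (not from the original post): parse an SMTP EHLO response and
# report on the AUTH and STARTTLS lines. Runs offline on a captured transcript.

# Constructed sample EHLO response, modelled on the telnet session above.
SAMPLE_EHLO='250-mail.example.test Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP'

# Print the mechanisms listed on the 250-AUTH line, space separated (empty if none).
auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p' | head -n 1
}

# Exit 0 if STARTTLS is advertised, 1 otherwise.
has_starttls() {
    printf '%s\n' "$1" | tr -d '\r' | grep -q '^250[- ]STARTTLS'
}

# Exit 0 if a mechanism that transmits the reusable password (LOGIN or PLAIN)
# is advertised; these are only acceptable inside a TLS session.
offers_plaintext_mech() {
    for m in $(auth_mechs "$1"); do
        case "$m" in
            LOGIN|PLAIN) return 0 ;;
        esac
    done
    return 1
}

# Summary check: exit 0 when AUTH is advertised and any LOGIN/PLAIN offer is
# accompanied by STARTTLS; exit 1 otherwise, with a one-line explanation.
check_ehlo() {
    mechs=$(auth_mechs "$1")
    if [ -z "$mechs" ]; then
        echo "no AUTH advertised: SASL not compiled in or not configured"
        return 1
    fi
    echo "AUTH mechanisms: $mechs"
    if offers_plaintext_mech "$1" && ! has_starttls "$1"; then
        echo "LOGIN/PLAIN offered without STARTTLS: passwords would cross the wire unprotected"
        return 1
    fi
    has_starttls "$1" && echo "STARTTLS advertised"
    return 0
}

# Grab a live EHLO response (hypothetical helper; assumes nc in PATH):
#   check_ehlo "$(fetch_ehlo mail.example.test 25)"
fetch_ehlo() {
    printf 'EHLO localhost\r\nQUIT\r\n' | nc -w 5 "${1:-localhost}" "${2:-25}"
}

check_ehlo "$SAMPLE_EHLO"
```

Because the functions take the response as a string, the same check can be run against a pasted transcript from a remote host, which is handy when comparing what the server offers before and after the STARTTLS handshake.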
Permitting Sendmail to accept emails coming from the SASL Authorized User
We need to allow our domain to send email from the SASL-authorized user. This is accomplished by editing the /etc/mail/access file. Whenever this file is updated, rebuild its database with makemap hash and restart Sendmail.
cd /etc/mail
echo "From:pbdigital.org OK" >> access
makemap hash /etc/mail/access < /etc/mail/access
service sendmail restart
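Appending with echo as above adds a duplicate line every time it is re-run. The helper below is an added example, not from the original post, that adds an access entry only when it is not already present and then rebuilds the hash map in the same way. The access file path is a parameter so it can be exercised on a scratch copy; makemap is assumed to be in PATH on the real host and is skipped where it is absent.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent update of a Sendmail
# access file followed by the makemap rebuild step.

# Append "$2" to access file "$1" unless an identical line already exists.
# Returns 0 if the line was added, 1 if it was already present.
access_add() {
    file=$1
    entry=$2
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$entry" "$file"; then
        return 1
    fi
    printf '%s\n' "$entry" >> "$file"
    return 0
}

# Rebuild the .db beside the access file. makemap ships with Sendmail and is
# assumed to be in PATH; on a box without it (e.g. a test machine) this is a no-op.
access_rebuild() {
    file=$1
    command -v makemap >/dev/null 2>&1 || return 0
    makemap hash "$file" < "$file"
}

# Count real entries in the access file, ignoring blank and comment lines.
access_count() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Demonstration on a constructed scratch file, so nothing under /etc/mail is touched.
demo_dir=$(mktemp -d)
access_add "$demo_dir/access" "From:pbdigital.org OK"
access_add "$demo_dir/access" "From:pbdigital.org OK" || echo "already present, not duplicated"
access_rebuild "$demo_dir/access"
echo "entries: $(access_count "$demo_dir/access")"
rm -rf "$demo_dir"
```

On the real server the call is access_add /etc/mail/access "From:pbdigital.org OK" followed by access_rebuild /etc/mail/access and service sendmail restart, exactly the sequence the post gives, minus the duplicate lines.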
Now we can send an email from an MUA, for example Thunderbird, via SMTP Auth, and Sendmail will deliver it to any mail server on the internet.
Note: if your mail server does not have a Fully Qualified Domain Name, the receiving mail server may block this email.
A note on Key permissions for STARTTLS if you are using SSL Certificates
You will need to add the following to your hostname.mc file (whichever .mc file you use) to allow use of a group-readable private key.
cd /etc/mail
echo "O DontBlameSendmail=GroupReadableKeyFile" >> hostname.mc
make
make all install restart
If you want to stick around for my journey with Sendmail and IMAP, I will be adding a couple more posts: one on a secondary mail/relay server, and one on adding IMAP into the mix.