Sendmail SMTP AUTH Quick Start
Paul Heinlein
First published on July 7, 2004
Last updated on January 26, 2010
Introduction
What follows are the steps I took to implement the policies we’ve established at work for our authenticated mail relay, currently running CentOS 5:
- All inbound connections except those originating on the localhost must authenticate against our local password map. Passwords are checked through the Pluggable Authentication Modules (PAM), via saslauthd, rather than against a Kerberos realm or a SASL-native secret store such as sasldb. That choice limits us to the LOGIN and PLAIN mechanisms, both of which send the password itself over the wire.
- All inbound connections must be carried over TLS (STARTTLS) with a negotiated cipher of at least 128 bits, and LOGIN/PLAIN must never be offered on an unencrypted session.
Configure sendmail.cf
There are two key elements in a sendmail.cf that will work as I intended: the authentication mechanisms and the TLS certificate paths. I’m not a hardcore sendmail guru, so I rely completely on the m4 macro mechanism for building my configuration. Here are the key bits that need to get pushed into /etc/mail/sendmail.mc. (If you’re new to SSL, you might find my instructions for building a self-signed certificate helpful.)
dnl
dnl confAUTH_OPTIONS flags:
dnl   A  add AUTH= to MAIL FROM only when authentication succeeded
dnl      (a workaround for MTAs that mishandle RFC 2554)
dnl   p  do not offer mechanisms open to simple passive attack
dnl      (PLAIN, LOGIN) unless a security layer such as TLS is active
dnl   y  do not offer mechanisms that allow anonymous login
dnl
define(`confAUTH_OPTIONS', `A p y')dnl
dnl
dnl Offer only LOGIN and PLAIN (confAUTH_MECHANISMS), and permit relaying
dnl for clients that authenticated with either of them (TRUST_AUTH_MECH).
dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl
dnl Directory and bundle of trusted certificate authorities (like
dnl VeriSign), and the local certificate. localCERT is an m4 shorthand
dnl for one PEM file that is used for both the server and client roles;
dnl since it is also named as the key, it must contain the private key.
dnl
define(`confCACERT_PATH',`/etc/pki/tls/certs')dnl
define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`localCERT', `/etc/pki/tls/certs/our-cert.pem')dnl
define(`confCLIENT_CERT',`localCERT')dnl
define(`confCLIENT_KEY',`localCERT')dnl
define(`confSERVER_CERT',`localCERT')dnl
define(`confSERVER_KEY',`localCERT')dnl
On CentOS 4 and 5 (and RHEL 4 and 5), the cyrus-sasl-plain RPM must be installed before SASL can process LOGIN and PLAIN authentication requests; without it, sendmail has no mechanism to advertise and AUTH simply never appears in the EHLO response.
Because the private key lives in our-cert.pem alongside the certificate, that file must be owned by root and readable by no one else (mode 0600). sendmail refuses to enable STARTTLS with a key file it considers unsafe and logs a complaint that the file is group- or world-readable.
For our purposes, sendmail absolutely must have an access map. It’s almost always part of a standard configuration, but here’s the macro just in case.
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
Once the macro file has been updated, regenerate sendmail.cf.
make sendmail.cf -C /etc/mail
Configure access.db
The access map is where the 128-bit policy is enforced. Our /etc/mail/access is quite simple: connections from the local host may relay, while every other client (all of whom must connect over TLS) has to negotiate at least 128-bit encryption.
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
TLS_Clt: ENCR:128
Note: You may find that the TLS_Clt setting breaks your configuration. Deleting it probably won’t hurt anything. Two things to keep in mind about it: the bare TLS_Clt: key is the default applied to any client without a more specific TLS_Clt:hostname or TLS_Clt:address entry, and ENCR:128 is compared against the cipher strength of the current session, so a client that never issues STARTTLS fails the check just as one that negotiates a weak cipher does. The RELAY entries govern relaying only; they do not exempt a client from the TLS_Clt requirement.
After updating the text version of the access map, rebuild the binary version.
make access.db -C /etc/mail
Configure saslauthd
sendmail is linked against version 2 of the Cyrus SASL libraries and relies on saslauthd to handle plaintext authentication. On CentOS systems, saslauthd’s default mechanism is the local shadow password file. In our environment, however, I need to use PAM. Implementing the change is a simple matter of altering the MECH setting in /etc/sysconfig/saslauthd.
MECH=pam
# these two settings are the defaults
SOCKETDIR=/var/run/saslauthd
FLAGS=
CentOS’s sendmail package ships with a SASL configuration file, Sendmail.conf, that should work out of the box. It’s a one-liner.
pwcheck_method:saslauthd
Note: Over the years, Cyrus SASL has changed where it looks for Sendmail.conf. Historically, it looked in /usr/lib/sasl2/ (32-bit systems) or /usr/lib64/sasl2/ (64-bit systems). Newer versions, 32- and 64-bit systems alike, look in /etc/sasl2/.
Also, you’ll want to make sure that saslauthd is started at boot time.
chkconfig saslauthd on
Configure PAM
CentOS’s sendmail package also ships with a working PAM configuration file, /etc/pam.d/smtp (smtp is the service name sendmail hands to SASL, so this is the stack saslauthd consults when MECH=pam), but it’s worthwhile to double-check that it exists and contains the two requisite lines. This listing is from CentOS 5; the version included with CentOS 4 is slightly different.
#%PAM-1.0
auth include system-auth
account include system-auth
Start it up
With all those configuration files in place, all that’s left to do is start (or restart) the server software.
/sbin/service saslauthd start
/sbin/service sendmail start
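Once both daemons are up, it is worth confirming the policy from the outside rather than trusting the configuration files. The Python script below is an added example and is not part of the original article or of the sendmail distribution. It does what a client does: EHLO, check that STARTTLS is offered and that AUTH LOGIN/PLAIN is not yet advertised (the effect of the p flag in confAUTH_OPTIONS), upgrade to TLS, EHLO again, confirm that LOGIN/PLAIN are now offered, and compare the negotiated cipher's key size with the 128-bit requirement. It also shows what an AUTH PLAIN credential looks like on the wire. The host name relay.example.com and the sample EHLO replies embedded in it are constructed for illustration, not captured from a real server.

```python
"""Probe a sendmail relay from the outside and check the policy this page
configures: STARTTLS offered, no LOGIN/PLAIN before STARTTLS (the 'p' flag in
confAUTH_OPTIONS), LOGIN/PLAIN offered after it, and a cipher of >= 128 bits.

Added example, not part of the original article. The relay name and the
sample EHLO replies are constructed for illustration.
"""
import base64
import re
import smtplib
import ssl

PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}
_CODE_PREFIX = re.compile(r"^\d{3}[ -]")  # '250-' or '250 ' on a wire line

# Constructed sample replies (not captured from a real server).
SAMPLE_PRE_TLS = (
    "250-relay.example.com Hello [192.0.2.10], pleased to meet you\n"
    "250-ENHANCEDSTATUSCODES\n250-PIPELINING\n250-8BITMIME\n250-SIZE\n"
    "250-DSN\n250-STARTTLS\n250-DELIVERBY\n250 HELP")
SAMPLE_POST_TLS = SAMPLE_PRE_TLS.replace("250-STARTTLS", "250-AUTH LOGIN PLAIN")
SAMPLE_LEAKY_PRE_TLS = SAMPLE_PRE_TLS.replace(  # what a missing 'p' looks like
    "250-STARTTLS", "250-STARTTLS\n250-AUTH LOGIN PLAIN")

def parse_ehlo(reply: str) -> dict:
    """Map an EHLO reply to {EXTENSION: params}. Accepts the raw wire form
    ('250-AUTH LOGIN PLAIN') or smtplib's ehlo_resp, which has the status
    codes stripped. The first line is the greeting and names no extension."""
    features = {}
    for line in reply.splitlines()[1:]:
        body = _CODE_PREFIX.sub("", line, count=1).strip()
        if body:
            keyword, _, params = body.partition(" ")
            features[keyword.upper()] = params.strip()
    return features

def auth_mechs(features: dict) -> set:
    """SASL mechanisms advertised in AUTH (empty set when AUTH is absent)."""
    return set(features.get("AUTH", "").upper().split())

def check_policy(pre_tls: dict, post_tls: dict, cipher_bits: int,
                 min_bits: int = 128) -> list:
    """Return policy violations as strings; an empty list means compliant."""
    problems = []
    if "STARTTLS" not in pre_tls:
        problems.append("server does not offer STARTTLS")
    leaked = auth_mechs(pre_tls) & PLAINTEXT_MECHS
    if leaked:
        problems.append("plaintext mechanisms %s offered before STARTTLS "
                        "(confAUTH_OPTIONS lacks 'p')" % sorted(leaked))
    if not auth_mechs(post_tls) & PLAINTEXT_MECHS:
        problems.append("no LOGIN/PLAIN offered after STARTTLS "
                        "(check confAUTH_MECHANISMS and cyrus-sasl-plain)")
    if cipher_bits < min_bits:
        problems.append("negotiated cipher has %d bits, policy requires %d"
                        % (cipher_bits, min_bits))
    return problems

def plain_initial_response(user: str, password: str, authzid: str = "") -> str:
    """Base64 of the AUTH PLAIN payload (authzid NUL authcid NUL password):
    literally what crosses the wire, hence the need to keep PLAIN/LOGIN off
    sessions without a TLS layer."""
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def audit(host: str, port: int = 25, verify_cert: bool = True,
          timeout: float = 10.0) -> list:
    """Run the checks against a live relay; returns check_policy()'s findings."""
    ctx = ssl.create_default_context()
    if not verify_cert:                      # only when probing a self-signed relay
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        pre_tls = parse_ehlo(smtp.ehlo_resp.decode("latin-1"))
        if "STARTTLS" not in pre_tls:
            return check_policy(pre_tls, {}, 0)
        smtp.starttls(context=ctx)
        smtp.ehlo()                          # the extension list changes after TLS
        post_tls = parse_ehlo(smtp.ehlo_resp.decode("latin-1"))
        cipher_bits = smtp.sock.cipher()[2]  # (name, protocol, secret bits)
        return check_policy(pre_tls, post_tls, cipher_bits)

def demo() -> dict:
    """Offline run over the constructed samples: a compliant relay and one
    that leaks LOGIN/PLAIN before STARTTLS and negotiates a weak cipher."""
    return {"compliant": check_policy(parse_ehlo(SAMPLE_PRE_TLS),
                                      parse_ehlo(SAMPLE_POST_TLS), 256),
            "leaky": check_policy(parse_ehlo(SAMPLE_LEAKY_PRE_TLS),
                                  parse_ehlo(SAMPLE_POST_TLS), 56)}

if __name__ == "__main__":
    import sys
    for name, findings in demo().items():
        print(name, findings or ["policy satisfied"])
    if len(sys.argv) > 1:   # e.g. python audit_relay.py relay.example.com
        print(audit(sys.argv[1], verify_cert=False) or ["policy satisfied"])
```

Run it with no arguments to see the two constructed cases, or give it a host name to probe a live relay. Disabling certificate verification is only appropriate while the relay still carries a self-signed certificate; once it has one your CA bundle trusts, call audit() with the default verify_cert=True so the probe also confirms the certificate chain the clients will see.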
Useful links
RFC 2554 defines SMTP AUTH; it has since been obsoleted by RFC 4954.
SMTP AUTH in sendmail 8.10-8.13 is the more-or-less official HOWTO page on the subject from sendmail.org.
Falko Timme’s Sendmail-SMTP-AUTH-TLS-Howto and John Fullmer’s How to set up SMTP AUTH are more complete and include many more details than this document.