periodic mails over sendmail/DMA with AUTH to smarthost TLS submission (587)

[VladiBG]

Note: This is not a guide/how to.
Sending periodic cron mails using sendmail listening only on localhost 127.0.0.1:25 via smarthost TLS submission 587 from private server

Shipped sendmail version in base doesn't have SASL enabled which is required for auth so we need to use sendmail from pkg or build it manually from ports with SASL option which will install cyrus-sasl cyrus-sasl-saslauthd. There's no need to be enabled in /etc/rc.conf as we won't accept/listening for any outside connections.

If you don't have valid DNS/rDNS record for that host add it into /etc/hosts otherwise gethostbyaddr(3) will fail to resolve the hostname.

/etc/hosts

AAA.BBB.CCC.DDD hostname.example.com hostname

pkg install sendmail ca_root_nss
cp /usr/local/etc/mail/mailer.conf.sendmail /usr/local/etc/mail/mailer.conf
openssl dhparam -out /etc/mail/certs/dh.param 4096

service sendmail restart

check for SASLv2
sendmail -d0.1 -bv root

Check supported AUTH options
openssl s_client -connect smtp.example.com:587 -starttls smtp

ehlo test
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
quit

ee /etc/mail/authinfo

AuthInfo: "U:root" "I:user@example.com" "P:PASSWORD"

makemap hash authinfo < authinfo
chmod 600 authinfo authinfo.db

cp /usr/share/sendmail/cf/domain/generic.m4 /usr/share/sendmail/cf/domain/mydomain.m4
ee /usr/share/sendmail/cf/domain/mydomain.m4

comment exposed user using dnl or delete the line. Otherwise we can't masquerade the domain name for that user and the periodic mails will be send as root@host.example.com instead of root@example.com

dnl EXPOSED_USER(`root')

ee /etc/mail/freebsd.mc

DOMAIN(mydomain)

define(`SMART_HOST',`[smtp.example.com]')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
MASQUERADE_DOMAIN(`host.example.com')dnl
MASQUERADE_AS(`example.com')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl

note: MASQUERADE_DOMAIN should be (canonical domain name) $j reported from sendmail -d0.1 -bv root this is the FQDN which we want to rename during outgoing e-mails.

Forward all e-mails from root to user@example.com
ee /etc/mail/alises

root: user@example.com

cd /etc/mail
make
make install
make aliases
service sendmail restart
This will create the FQDN .mc and .cf files also will build the aliases database and restart the sendmail.
refer to the /etc/mail/Makefile for detailed info. If you need to rebuild only the aliases.db then you can use newaliases(1)

echo "test mail" | mail -s "test mail" user@example.com
or send to root
echo "test mail" | mail -s "test mail" root

And for the postfix users:
all you need to do is to change
myorigin = $mydomain

---

For FreeBSD-14.0 the default MTA is DMA. The example configuration is:


/etc/dma/dma.conf

SMARTHOST smtp.example.com
PORT 587
ALIASES /etc/aliases
AUTHPATH /etc/dma/auth.conf
SECURETRANSFER
STARTTLS
MAILNAME host.domain.com
MASQUERADE root@example.com

Note: If your FQDN on your server match the domain name of the smarthost then use "NULLCLIENT" option in dma.conf


/etc/dma/auth.conf

user@example.com|smarthost.example.com:password

Send a test message using:

mail -s "test message" root@example.com
test
CTRL+D

The DMA spooler is in

/var/spool/dma


If you want to delete some stuck queue from the spooler you can delete it's content using:

rm /var/spool/dma/*.*


 

[dmitrij]

Does dma support AUTH PLAIN?
Creator man page (https://leaf.dragonflybsd.org/cgi/web-man?command=dma&section8) says it supports only CRAM-MD5, which is not acceptable for security reasons:
auth.conf
SMTP authentication can be configured in auth.conf. Each line has the
format "user|smarthost:password".

dma uses the recipient MTA hostname and finds the first entry in the
auth.conf file that matches the smarthost value or the hostname of the
recipient address. It then uses the user and password to authenticate
with the smarthost.

Note, that the only authentication method supported is CRAM-MD5. The
receiving MTA must be configured to accept CRAM-MD5 authentication.

Does FreeBSD imported dma without source code modification in regard to AUTH mechanisms?

FreeBSD man page have no comments about supported mechanisms.

I tried to send email via dma to server with AUTH PLAIN configured (and tested), dma claims in logs using configured "user" for authentication, but no auth attempts happens (receiving email server have no comments about auth attempts) and no any complains in logs about auth from dma either.

I assume dma gets response from smtp server, that only AUTH PLAIN is supported and silently ignores it without attempting to AUTH.

 

[VladiBG]

Does dma support AUTH PLAIN?

Yes it support AUTH PLAIN the connection MUST be over TLS or SSL to encrypt the entire communication because AUTH PLAIN or AUTH LOGIN are both in base64

AUTH PLAIN is plaintext password encoded in base64. That's why it should be used only inside a SSL encrypted connection OR TLS. Depending of the e-mail server they may not accept "auth plain" unless encryption is first established. That's why you need to connect to port 465 which is SSL only or submission port 587 which should be TLS enforced.
Example:

AUTH PLAIN
334 (the requested security mechanism is accepted)
(client send plain text NULusername@domain.comNULpassword encoded in base64)
dGVzdAB0ZXN0ADEyMzQ=

AUTH LOGIN
(server ask for Username: encoded in base64)
334 VXNlcm5hbWU6
(client repond with username encoded in base64)
dXNlcg==
(server ask for Password: encoded in base64)
334 UGFzc3dvcmQ6
(client respond with plain text password encoded in base64)
cGFzc3dvcmQ=

 

[dmitrij]

Thanks for your response.

TLS is enforced at the server side for AUTH PLAIN, server is postfix recent version.
I've tested connection to server via tcp/587 via starttls using openssl, authenticated successfully by providing NULL prefixed \0user\0pass credentials in base64 form and sent a test email successfully, so server side is verified, though I was sure it's fine.

dma config:
SMARTHOST and PORT points to my server
SECURETRANSFER and STARTTLS are enabled
AUTHPATH enabled with correct user|smarthost:password

Here is the sender+receiver maillog, just tested to send via dma once again:
2024-05-14T15:29:30.644128 Mail(2) ?️ Info(6) senderhost dma[] 4321 trying remote delivery to receiverhost [rcv ipv6] pref 0
2024-05-14T15:29:31.395848 Mail(2) ?️ Info(6) receiverhost submission/smtpd 12345 Anonymous TLS connection established from unknown[ipv6]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
2024-05-14T15:29:31.491801 Mail(2) ?️ Info(6) senderhost dma[] 4321 using SMTP authentication for user smtpuser
2024-05-14T15:29:31.622576 Mail(2) ?️ Info(6) receiverhost submission/smtpd 12345 NOQUEUE: reject: RCPT from unknown[ipv6]: 554 5.7.1 <unknown[ipv6]>: Client host rejected: Access denied; from=<fromemail> to=<toemail> proto=ESMTP helo=<senderhost>
2024-05-14T15:29:31.658487 Mail(2) ?Error(3) senderhost dma[] 4321 remote delivery to receiverhost [rcv ipv6] failed after RCPT TO: 554 5.7.1 <unknown[sender ipv6]>: Client host rejected: Access denied
2024-05-14T15:29:31.659180 Mail(2) ?Error(3) senderhost dma[] 4321 delivery failed, bouncing as abcd
2024-05-14T15:29:31.683150 Mail(2) ?️ Info(6) receiverhost submission/smtpd 12345 lost connection after RCPT from unknown[sender ipv6]
2024-05-14T15:29:31.683506 Mail(2) ?️ Info(6) receiverhost submission/smtpd 12345 disconnect from unknown[sender ipv6] ehlo=2 starttls=1 mail=1 rcpt=0/1 commands=4/5

As you can see from "ehlo=2 starttls=1 mail=1 rcpt=0/1 commands=4/5"
there was no auth attempts
though dma state:
"using SMTP authentication for user smtpuser"

My server accepts only authenticated connections via 587 port, that's why connection is rejected with Access denied.

PS: sensitive data was replaced with dummy values