Sendmail TLS

[gpatrick]

I posted this in another OpenBSD forum, but the question isn't [Open|Free]BSD specific, but rather a Sendmail question. Since this forum gets more traffic, I am hoping someone can give me an answer on configuring Sendmail TLS.

Running OpenBSD 4.8 and trying to setup secure Sendmail. Cyrus SASL is installed and [cmd=]sendmail -d0.1 -bv root[/cmd] returns STARTTLS and SASL2. I added

WANT_SMTPAUTH=yes

to /etc/mk.conf before doing a build.

Running testsaslauthd returns OK. I reconfigured the Sendmail ports for SASL. My certs are self-signed and good.

But when I [cmd=]telnet localhost 25[/cmd] I don't return 250-STARTTLS though I have 250-AUTH. Connection is refused on port 465 when I [cmd=]telnet localhost 465[/cmd]

What do I need to change to get TLS working?

Here is my .mc

VERSIONID(`@(#)openbsd-proto.mc $Revision: 1.11 $')dnl
OSTYPE(openbsd)dnl
define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy,nobodyreturn')dnl
define(`confCW_FILE', `-o MAIL_SETTINGS_DIR`'local-host-names')dnl
define(`confCT_FILE', `-o MAIL_SETTINGS_DIR`'trusted-users')dnl
FEATURE(nouucp, `reject')dnl
FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
FEATURE(genericstable, `hash -o /etc/mail/genericstable')dnl
FEATURE(always_add_domain)dnl
FEATURE(redirect)dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Name=MTA, M=A')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Name=MTA6, M=AO')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=465, Name=MTA-TLS, M=a')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Port=465, Name=MTA6-TLS, M=aO')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=AE')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Port=587, Name=MSA6, M=O, M=AE')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
CLIENT_OPTIONS(`Family=inet6, Address=::')dnl
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`GSAPPI DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/CAcert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
MAILER(local)dnl
MAILER(smtp)dnl
LOCAL_RULESETS
HMessage-Id: $>CheckMessageId

SCheckMessageId
R< $+ @ $+ >		$@ OK
R$*			$#error $: 553 Header Error

 

[soylentgreen]

My /etc/make.conf has the following to enable TLS on sendmail with saslauthd.

#sendmail auth
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

Then go into /usr/src and recompile sendmail, then remake/install sendmail from /etc/mail.

make all install restart

 

[quintessence]

Hello,

Take a look at SSMTP section: http://www.dsrw.org/~dlg/sysadmin/sendmail/.