Sendmail + TLS + Cyrus IMAP/SASL + LDAP + Kerberos V HowTo
Sebastian Utz seut@netfrag.org
last changes
Revision 1.1 2003/01/27 09:11:05 jonen
+ create new
Install and configure Sendmail with TLS, Cyrus IMAP/SASL, LDAP, and Kerberos V support
The installation instructions described here are Debian-specific. For more detailed installation instructions take a look at the Resources; e.g. the ``OpenLDAP, OpenSSL, SASL and KerberosV HOWTO'' by Turbo Fredriksson explains a lot (great stuff!)...
To use all the features described here with sendmail, the following have to be installed:
- Cyrus SASL v1 http://asg.web.cmu.edu/cyrus/sasl/
- Cyrus IMAP v1 http://asg.web.cmu.edu/cyrus/imapd/
- OpenLDAP 2 http://www.openldap.org/
- AMaViS (Milter) http://www.amavis.org/
- MIT Kerberos V http://web.mit.edu/kerberos/www/
- OpenSSL http://www.openssl.org/
debian testing/unstable:
- apt-get install amavis-milter
debian woody/stable:
- download the latest amavis-milter_*.deb, which can be found at
http://packages.debian.org/testing/mail/amavis-milter.html
- dpkg -i amavis-milter_*.deb
other systems
Sorry, but I am using Debian; for installation instructions on other distributions look at the 'Resources' section and, as always, Google.
I will try to write some documentation here soon, too....
- edit /etc/amavid.conf to configure your local settings, e.g. the anti-virus scanner you use
- start amavid with: /etc/init.d/amavid start
note: always start amavid *before* sendmail, as the amavis documentation explains...
- apt-get install sendmail
if the software listed under Prerequisites is not installed yet, see
- http://www.netfrag.org/~jonen/computing/install_cyrus_sasl_v1.html
- http://www.netfrag.org/~jonen/computing/mini-howto-cyrus_imapd_v1-pam-kerberosV.html
- others coming soon.....
after installing the required packages, run
- sendmailconfig
or one of the more specific scripts under '/usr/share/sendmail/' (e.g. /usr/share/sendmail/update_auth to update SASL support) and follow the instructions printed, e.g. for updating TLS support:
- run: /usr/share/sendmail/update_tls
- insert at sendmail.mc
- debian stable/testing: include(`/etc/mail/starttls.m4')dnl
- debian unstable: include(`/etc/mail/tls/starttls.m4')dnl
- cd /etc/mail
- run: make
- restart sendmail: /etc/init.d/sendmail restart
- test the supported features:
- telnet localhost 25
- enter: ehlo <servername>
- the output should look something like:
250-mail.netfrag.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
The 'AUTH GSSAPI CRAM-MD5 PLAIN LOGIN' and 'STARTTLS' lines are the important ones for us: they mean that
GSSAPI, CRAM-MD5, PLAIN and LOGIN authentication are supported and that TLS is enabled. Note that this reply was given on an unencrypted connection, so PLAIN and LOGIN (which carry the password in a trivially decodable form) are being offered before STARTTLS; whether a password crosses the wire in the clear then depends entirely on the client negotiating TLS first.
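To check this from a script, and to catch the case where PLAIN and LOGIN are offered before TLS is negotiated, here is an added example (not part of the original HOWTO). It parses an EHLO reply; the embedded reply is a constructed copy of the sample output above, and the live_ehlo helper assumes nc is installed:

```sh
#!/bin/sh
# Added example (not from the original HOWTO): inspect an EHLO reply for
# STARTTLS and AUTH and flag password mechanisms that are offered on the
# cleartext session. SAMPLE_EHLO is a constructed copy of the reply shown
# above (host name from the page); live_ehlo assumes nc is installed.

SAMPLE_EHLO='250-mail.netfrag.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250 HELP'

# auth_mechs REPLY -> the mechanism list from the AUTH line ("" if no AUTH)
auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p' | head -n 1
}

# has_starttls REPLY -> exit 0 when STARTTLS is advertised
has_starttls() {
    printf '%s\n' "$1" | tr -d '\r' | grep -q '^250[- ]STARTTLS$'
}

# cleartext_password_mechs REPLY -> mechanisms that send the password in a
# reversible form (PLAIN, LOGIN); harmless inside TLS, fatal without it
cleartext_password_mechs() {
    for m in $(auth_mechs "$1"); do
        case "$m" in
            PLAIN|LOGIN) printf '%s ' "$m" ;;
        esac
    done | sed 's/ $//'
}

# verdict REPLY -> summary line; exit 0 = fine, 1 = no TLS, 2 = weak mechs on cleartext
verdict() {
    if ! has_starttls "$1"; then
        echo "no STARTTLS: TLS is not enabled"
        return 1
    fi
    weak=$(cleartext_password_mechs "$1")
    if [ -n "$weak" ]; then
        echo "STARTTLS ok, but $weak offered before TLS: set confAUTH_OPTIONS p"
        return 2
    fi
    echo "STARTTLS ok, no cleartext password mechanisms offered"
    return 0
}

# live_ehlo HOST -> the cleartext EHLO reply of a real server (port 25)
live_ehlo() {
    printf 'EHLO %s\r\nQUIT\r\n' "$(hostname -f)" | nc -w 5 "$1" 25
}

# Run against a host given on the command line, otherwise against the sample.
case "${1:-}" in
    "") verdict "$SAMPLE_EHLO" || : ;;
    *)  verdict "$(live_ehlo "$1")" || : ;;
esac
```

If verdict reports PLAIN/LOGIN on the cleartext session, add define(`confAUTH_OPTIONS', `p')dnl to sendmail.mc (the p flag tells sendmail not to offer mechanisms susceptible to passive sniffing, such as PLAIN and LOGIN, unless a security layer like TLS is active), run make, restart sendmail and check again: the cleartext EHLO should then list only GSSAPI and CRAM-MD5, while an EHLO issued after STARTTLS (for example via openssl s_client -starttls smtp -connect host:25) still shows the full list.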
coming soon....
- run /usr/share/sendmail/update_auth
TRUST_AUTH_MECH(`GSSAPI PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI PLAIN LOGIN')dnl
dnl # Cyrus Imap
dnl #
define(`confLOCAL_MAILER', `cyrus')
define(`CYRUS_MAILER_FLAGS', `A5@/:|')dnl
define(`CYRUS_MAILER_PATH', `/usr/sbin/cyrdeliver')dnl
define(`CYRUS_MAILER_ARGS', `cyrdeliver -e -q -m $h -- $u ')dnl
define(`CYRUS_MAILER_USER', `cyrus:mail')dnl
define(`CYRUS_BB_MAILER_FLAGS', `')dnl
define(`CYRUS_BB_MAILER_ARGS', `cyrdeliver -e -q -m $u ')dnl
dnl #
MAILER(cyrus)dnl
LOCAL_CONFIG
## Custom configurations below (will be preserved)
LOCAL_RULE_0
R$=I $: $#cyrus $: $1
R$=I < @ $=w . > $: $#cyrus $: $1
R$=I < @ $=R . > $: $#cyrus $: $1
Rbb + $+ < @ $=w . > $#cyrusbb $: $1
- run /usr/share/sendmail/update_tls and place 'include(`/etc/mail/starttls.m4')dnl' in sendmail.mc
- make and restart sendmail
- see "Install Sendmail" above for details...
coming soon......
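To confirm that the LOCAL_RULE_0 rules actually hand local addresses to the cyrus mailer (and bb+ addresses to cyrusbb), use sendmail's address test mode. The following added example (not from the original HOWTO) extracts the chosen mailer from that output; the embedded traces are constructed samples in the format sendmail -bt prints for "3,0 <address>", and live_mailer assumes a working sendmail binary:

```sh
#!/bin/sh
# Added example (not from the original HOWTO): check which mailer sendmail
# selects for given addresses after the cyrus mailer and LOCAL_RULE_0 rules
# are in place. sendmail -bt prints the ruleset trace for "3,0 <address>" and
# ends with a "parse returns: $# <mailer> ..." line; the traces below are
# constructed samples in that format, not captured output.

OUT_LOCAL='> canonify           input: jonen @ netfrag . org
canonify         returns: jonen < @ netfrag . org . >
parse              input: jonen < @ netfrag . org . >
ParseLocal       returns: $# cyrus $: jonen
parse            returns: $# cyrus $: jonen'

OUT_BB='> parse              input: bb + list < @ netfrag . org . >
parse            returns: $# cyrusbb $: list'

OUT_REMOTE='> parse              input: someone < @ example . net . >
parse            returns: $# esmtp $@ example . net . $: someone < @ example . net . >'

# parse_mailer TRACE -> mailer name from the last "parse returns: $# ..." line
parse_mailer() {
    printf '%s\n' "$1" \
      | sed -n 's/^parse *returns: *\$# *\([A-Za-z0-9_]*\).*/\1/p' \
      | tail -n 1
}

# live_mailer ADDRESS -> same, but from a real sendmail -bt run (assumed installed)
live_mailer() {
    parse_mailer "$(printf '3,0 %s\n' "$1" | sendmail -bt 2>/dev/null)"
}

# check_mailer ADDRESS EXPECTED TRACE -> "ok ..." or "FAIL ..." plus exit status
check_mailer() {
    got=$(parse_mailer "$3")
    if [ "$got" = "$2" ]; then
        echo "ok   $1 -> $got"
    else
        echo "FAIL $1 -> '$got' (expected $2)"
        return 1
    fi
}

# The three cases worth checking after the config change: a local user goes
# to cyrus, a bb+ address to the cyrusbb mailer, a remote address out via esmtp.
check_mailer jonen@netfrag.org cyrus "$OUT_LOCAL"
check_mailer bb+list@netfrag.org cyrusbb "$OUT_BB"
check_mailer someone@example.net esmtp "$OUT_REMOTE"
```

Against a real server, replace the constructed traces with live_mailer, e.g. [ "$(live_mailer jonen@netfrag.org)" = cyrus ]; if local users still come back as "local", the LOCAL_RULE_0 block did not make it into sendmail.cf (re-run make in /etc/mail and check for m4 errors).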
TRUST_AUTH_MECH(`GSSAPI PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI PLAIN LOGIN')dnl
- edit /etc/pam.d/smtp as follow:
auth required pam_ldap.so
account required pam_ldap.so
If SASL is compiled with GSSAPI support, sendmail supports Kerberos V/GSSAPI authentication,
but as I could not find any documentation on Kerberos V support in current mail clients (Evolution does Kerberos 4, but no GSSAPI... ;-( ),
I am using pam_krb5, which has a lot of drawbacks compared to real GSSAPI!
Short quote from Kerberos V5 Installation Guide (http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.7/doc/install.html#SEC3):
"Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC).
The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the client's password as the key,
and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT, using its password.
If the client successfully decrypts the TGT (i.e., if the client gave the correct password), it keeps the decrypted TGT,
which indicates proof of the client's identity."
As you can read there, the password itself never crosses the network, which improves security considerably.
With pam_krb5 this is not what happens: the mail client sends the password to sendmail (via SASL PLAIN), and the PAM module uses it to obtain a ticket from the KDC on the user's behalf purely to verify the password; the daemon never gets a real GSSAPI context.
So only PLAIN password authentication is available, which means the password travels between client and mail server in the clear,
which is very insecure on its own!
But if we use TLS (which is always a good idea), the password travels inside the encrypted session,
so pam_krb5 over TLS is acceptable for now.... Two things to keep in mind: the client must be configured to require TLS before it authenticates, otherwise nothing stops it from sending PLAIN on a cleartext session, and pam_krb5 should have a keytab for the host principal so it can verify the ticket it obtained; without that verification a spoofed KDC reply can be made to look like a successful login.
- edit /etc/pam.d/smtp as follow:
auth required pam_krb5.so
account required pam_ldap.so
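What "PLAIN passwords go over the network" means in bytes, and how to exercise AUTH PLAIN only inside STARTTLS, as an added example that is not part of the original HOWTO. The credentials are constructed sample values; auth_plain_over_tls assumes openssl is installed and the server is reachable on port 25, and auth_plain_cleartext assumes nc:

```sh
#!/bin/sh
# Added example (not from the original HOWTO): what SASL PLAIN puts on the
# wire and how to exercise it only inside STARTTLS. "jonen"/"secret" are
# constructed sample credentials; auth_plain_over_tls assumes openssl is
# installed and the host is reachable on port 25.

# plain_token USER PASS -> base64("\0user\0pass"), the exact AUTH PLAIN
# payload. Base64 is an encoding, not encryption: anyone on the path can
# reverse it, which is why PLAIN must only be used after STARTTLS.
plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# decode_plain_token TOKEN -> the payload with NUL bytes shown as ':'
# (":user:pass"), i.e. what a passive sniffer recovers from a cleartext AUTH
decode_plain_token() {
    printf '%s' "$1" | base64 -d | tr '\000' ':'
}

# auth_plain_over_tls HOST USER PASS -> s_client negotiates STARTTLS itself;
# EHLO is repeated inside TLS (RFC 3207), then AUTH PLAIN is sent encrypted.
# Prints the server's reply to AUTH: 235 = accepted, 535 = rejected,
# 504 = mechanism not offered, 538/454 = encryption required / temporary failure.
auth_plain_over_tls() {
    host=$1; user=$2; pass=$3
    token=$(plain_token "$user" "$pass")
    {
        printf 'EHLO %s\r\n' "$(hostname -f)"; sleep 1
        printf 'AUTH PLAIN %s\r\n' "$token";   sleep 1
        printf 'QUIT\r\n'
    } | openssl s_client -quiet -starttls smtp -connect "$host:25" 2>/dev/null \
      | grep -E '^(235|454|504|535|538) '
}

# auth_plain_cleartext HOST USER PASS -> the same exchange without TLS (nc
# assumed installed). Against a server hardened with confAUTH_OPTIONS p this
# should answer 504 and never 235, because PLAIN is not offered before STARTTLS.
auth_plain_cleartext() {
    {
        printf 'EHLO %s\r\n' "$(hostname -f)"; sleep 1
        printf 'AUTH PLAIN %s\r\n' "$(plain_token "$2" "$3")"; sleep 1
        printf 'QUIT\r\n'
    } | nc -w 5 "$1" 25 | grep -E '^(235|454|504|535|538) '
}
```

Running decode_plain_token on any AUTH PLAIN line captured from a cleartext session returns ":user:password" immediately, which is the whole argument for TLS here; with a properly configured server auth_plain_over_tls answers 235 and auth_plain_cleartext answers 504.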
- read http://www.sendmail.org/m4/ldap_routing.html !!
- I added a 'sendmail' user to LDAP as follows, which sendmail uses for its queries:
dn: uid=sendmail,ou=People,dc=netfrag,dc=org
objectClass: top
objectClass: account
objectClass: posixAccount
uid: sendmail
cn: sendmail account
uidNumber: 25
gidNumber: 25
homeDirectory: /etc/mail
userPassword::
- set the default search base DN after '-b'
- set the sendmail user used for the queries after '-d'
- other options, not yet tested/needed by me (is Kerberos 5/GSSAPI supported?):
-M <authentication method> (LDAP_AUTH_NONE | LDAP_AUTH_SIMPLE | LDAP_AUTH_KRBV4)
-P <passinfo> (/path/to/file_containing_the_password | /path/to/krb4_ticket)
Note that '-d' by itself only names the DN: to actually bind as that user, '-M LDAP_AUTH_SIMPLE' and '-P' pointing to a file with the password (readable by root only) are needed as well, and the LDAP ACLs must allow that DN to read ou=Mail.
dnl # define LDAP server used for routing
define(`confLDAP_DEFAULT_SPEC',`-h ldap.netfrag.org -b ou=Mail,dc=netfrag,dc=org -d uid=sendmail,ou=People,dc=netfrag,dc=org')dnl
dnl # define path to file which includes routeabled domains
LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldapdomains')dnl
dnl # switch ldap routing on
FEATURE(ldap_routing)dnl
- example '/etc/mail/ldapdomains':
netfrag.org
example.com
your-domain.com
- To use the default schema, simply put this in sendmail.mc:
define(`ALIAS_FILE', `ldap:')
- This uses the default schema, which expands to a map declared as follows:
ldap -k (&(objectClass=sendmailMTAAliasObject)
(sendmailMTAAliasGrouping=aliases)
(|(sendmailMTACluster=${sendmailMTACluster})
(sendmailMTAHost=$j))
(sendmailMTAKey=%0))
-v sendmailMTAAliasValue
- Example LDAP LDIF entries might be:
dn: sendmailMTAKey=test-aliases, ou=Mail, dc=netfrag, dc=org
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTAHost: mail.netfrag.org
sendmailMTAKey: test-aliases
sendmailMTAAliasValue: jonen
dn: sendmailMTAKey=postmaster, ou=Mail, dc=netfrag, dc=org
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTACluster: Servers
sendmailMTAKey: postmaster
sendmailMTAAliasValue: jonen
- read http://www.sendmail.org/m4/ldap.html !!
- example for 'virtusertable' (other map definitions goes near the same way..):
- sendmail.mc:
FEATURE(`virtusertable', `LDAP')
- add a sendmailMTAMap entry (one has to be created for each map definition!!):
dn: sendmailMTAMapName=virtuser, ou=Mail, dc=netfrag, dc=org
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAMap
sendmailMTAHost: mail.netfrag.org
sendmailMTAMapName: virtuser
- example virtuser entries:
dn: sendmailMTAKey=test-virtuser@netfrag.org, ou=Mail, dc=netfrag, dc=org
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAHost: mail.netfrag.org
sendmailMTAKey: test-virtuser@netfrag.org
sendmailMTAMapValue: jonen
dn: sendmailMTAKey=no-user@example.com, ou=Mail, dc=netfrag, dc=org
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAHost: mail.netfrag.org
sendmailMTAKey: no-user@example.com
sendmailMTAMapValue: error: no-user@example.com doesn't exist here
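A consistency check for such LDIF before feeding it to ldapadd, added here as an example (not from the original HOWTO). The embedded LDIF is a constructed sample based on the entries above: its second entry reproduces a DN whose naming value differs from its sendmailMTAKey attribute (OpenLDAP rejects such an entry, and a lookup by key would not find it anyway), and its last entry uses a map name 'access' for which no sendmailMTAMap entry exists, which the text above says must be created for each map:

```sh
#!/bin/sh
# Added example (not from the original HOWTO): sanity-check LDIF for the
# sendmailMTA schema before loading it. Catches a DN whose naming value
# differs from the sendmailMTAKey attribute, a map object without its
# sendmailMTAMap entry, missing required attributes, and objects without
# sendmailMTAHost/sendmailMTACluster. SAMPLE_LDIF is a constructed sample
# derived from the page's entries; entries 2 and 4 are deliberately broken.

SAMPLE_LDIF='dn: sendmailMTAMapName=virtuser, ou=Mail, dc=netfrag, dc=org
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAMap
sendmailMTAHost: mail.netfrag.org
sendmailMTAMapName: virtuser

dn: sendmailMTAKey=test-virtuser@netfrag.com, ou=Mail, dc=netfrag, dc=org
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAHost: mail.netfrag.org
sendmailMTAKey: test-virtuser@netfrag.org
sendmailMTAMapValue: jonen

dn: sendmailMTAKey=postmaster, ou=Mail, dc=netfrag, dc=org
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTACluster: Servers
sendmailMTAKey: postmaster
sendmailMTAAliasValue: jonen

dn: sendmailMTAKey=nobody@example.com, ou=Mail, dc=netfrag, dc=org
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
sendmailMTAMapName: access
sendmailMTAHost: mail.netfrag.org
sendmailMTAKey: nobody@example.com
sendmailMTAMapValue: REJECT'

# check_ldif < ldif -> one "OK dn" or "ERROR dn: reasons" line per entry;
# exit status is the number of entries with errors
check_ldif() {
    awk '
    BEGIN { RS = ""; FS = "\n"; bad = 0 }
    function require(k, a) { if (!(a in attr)) err[k] = err[k] "missing " a "; " }
    {
        n++
        split("", attr); split("", oc); dn = ""
        for (i = 1; i <= NF; i++) {
            p = index($i, ":")
            if (p == 0 || $i ~ /^#/) continue
            name = tolower(substr($i, 1, p - 1))
            val = substr($i, p + 1); sub(/^:? */, "", val); sub(/ *$/, "", val)
            if (name == "dn") dn = val
            else if (name == "objectclass") oc[tolower(val)] = 1
            else attr[name] = val
        }
        dns[n] = dn; err[n] = ""
        # the RDN value must be present as an attribute of the entry
        rdn = dn; sub(/ *,.*$/, "", rdn)
        eq = index(rdn, "=")
        rname = tolower(substr(rdn, 1, eq - 1)); rval = substr(rdn, eq + 1)
        if (!(rname in attr) || attr[rname] != rval)
            err[n] = err[n] "RDN " rdn " not matched by attribute " rname ": " attr[rname] "; "
        # a sendmailMTAMap without MapObject is the per-map definition entry
        if (("sendmailmtamap" in oc) && !("sendmailmtamapobject" in oc) && ("sendmailmtamapname" in attr))
            mapdef[attr["sendmailmtamapname"]] = 1
        if ("sendmailmtamapobject" in oc) {
            need[n] = attr["sendmailmtamapname"]
            require(n, "sendmailmtamapname"); require(n, "sendmailmtakey"); require(n, "sendmailmtamapvalue")
        }
        if ("sendmailmtaaliasobject" in oc) {
            require(n, "sendmailmtaaliasgrouping"); require(n, "sendmailmtakey"); require(n, "sendmailmtaaliasvalue")
        }
        if (("sendmailmtamapobject" in oc) || ("sendmailmtaaliasobject" in oc))
            if (!("sendmailmtahost" in attr) && !("sendmailmtacluster" in attr))
                err[n] = err[n] "neither sendmailMTAHost nor sendmailMTACluster set; "
    }
    END {
        for (k = 1; k <= n; k++) {
            if ((k in need) && !(need[k] in mapdef))
                err[k] = err[k] "no sendmailMTAMap entry named " need[k] "; "
            if (err[k] == "") print "OK " dns[k]
            else { sub(/; $/, "", err[k]); print "ERROR " dns[k] ": " err[k]; bad++ }
        }
        exit bad
    }'
}

# check_ldif_count LDIF -> number of entries with errors
check_ldif_count() {
    rc=0
    printf '%s\n' "$1" | check_ldif >/dev/null || rc=$?
    echo "$rc"
}

printf '%s\n' "$SAMPLE_LDIF" | check_ldif || :
```

Use it as check_ldif < maps.ldif before ldapadd; the exit status lets a deployment script stop on the first broken file. The RDN check also covers the map definition entries (sendmailMTAMapName=... must match the attribute) and alias entries.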
define(`MILTER', 1)
INPUT_MAIL_FILTER(`milter-amavis',`S=local:/var/run/amavis/amavis-milter.sock, F=T, T=S:10m;R:10m;E:10m')
http://www.sendmail.org/
http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/
http://www.openldap.org/
http://web.mit.edu/kerberos/www/
http://www.upenn.edu/computing/pennkey/sysadmin/d_install_unix/smtp.html
http://logout.sh/computers/sendmail/
http://www.iconimaging.net/~jradford/sendmail/sendmail-ldap.html
http://wwwhomes.uni-bielefeld.de/schoppa/saia-howto.html
http://wwwhomes.uni-bielefeld.de/schoppa/saia-woody-howto.html
http://www.amavis.org/
o seems NO mail client currently supports Kerberos V tickets, DO MORE RESEARCH!
x so use pam_krb5
o if so, it seems only PLAIN password authentication works (no DIGEST-MD5 or others!)
x so the use of TLS/SSL as a secure transport layer is recommended
o document installation for distributions other than Debian
o check out Cyrus IMAPd v2 and SASL v2 more and write a howto
o MORE docs !!