Contributed by jose, from the secure-email dept.
dlg writes:
"i found a howto for openbsd 2.9 + sendmail + auth + tls on deadly.org and this inspired me to create a more updated howto (for OpenBSD 3.3), along with added information on getting STARTTLS and ssmtp running. see http://www.dorkzilla.org/~dlg/sendmail for the howto. it doesn't explain the why, but i think i got the what properly documented."
Interestingly, we've had a manpage for starttls(8) for quite a while now, so you may want to look at those instructions for the STARTTLS portion. This adds SASL and SSMTP to the mix.
it seems alright to me. it's currently on a pentium /200mhz machine, 128mb ram or so. there are only a few users, so i don't know how well it scales up. i was using spamass-milter for a while, but it kept crashing, so i stopped. i'm going to investigate mimedefang in a while, when i get the time. basically, i'd like a milter-based bayesian filtering solution (if anybody knows of a good, stable one, i'd like to hear about it) ... it needs to be milter-based, because not all email users have accounts on the machine, so procmail isn't an alternative.
I've been using SpamAssassin 2.5X from the ports tree (now up to 2.55) and MIMEDefang (started at 2.31, now up to 2.33) hand compiled along with HBEDV - http://www.hbedv.com on my OpenBSD 3.1 (yes I'm going through upgrade testing on a new box) mail server. It's been up and running for about four months on the P133/128MB RAM and it's been working fine with no stability problems.
I'd recommend it to anyone trying to increase signal to noise ratio and stop malware.
Cheers,
Alex.
P.S. I just did the STARTTLS thing myself on the other mail server...
i had terrible luck with spamass-milt. it crashed twice a day on my machine running 3.3 ... i've been meaning to investigate MIMEDefang or amavisd-new but the junk filtering in my mail client is adequate, and i'm lazy.
By Anonymous Coward
I emailed the author of the article this, but I'd figure I'd post it as well:
If you want to have sendmail do SMTPS directly, first define "_FFR_SMTP_SSL" when you compile sendmail (i.e., -D_FFR_SMTP_SSL). Once that's done, put the line … in your .mc file. You're done. (I got this from a Usenet posting: Message-ID 3D9C2B4C.EEC98054@Andrzej.Adam.Filip.)
P.S. Can we get a 'preview' button for posting comments? What something looks like in a TEXTAREA and how it renders can be two very different things (especially if you accidentally forget a closing HTML tag).
ah, it must be the _FFR_SMTP_SSL, because i tried a line like that when i was experimenting, but it just gave me a "standard" sendmail response. interesting. i'll have to recompile sometime. stunnel works, but it /is/ an extra piece that can break.
okay, what the above comment /should/ have been:
# sendmail -d0.13 < /dev/null | grep FFR
FFR Defines: _FFR_SMTP_SSL _FFR_USE_SETLOGIN
# nmap localhost -p 465
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost.dorkzilla.org (127.0.0.1):
Port State Service
465/tcp open smtps
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
# cat /etc/mail/sendmail.cf |grep MTA-SSL
O DaemonPortOptions=Family=inet, Port=465, Name=MTA-SSL, M=s
#
and yet, when i connect with a mail client, no dice. i'll have to keep googling.
and AGAIN! this is why we need a preview :]
By Anonymous Coward
Try the following:
openssl s_client -connect localhost:smtps
("smtps" is the official IETF name of the port. Do a grep for smtp in /etc/services.)
I can connect to the IMAPS port of IMAP-UW doing this getting the "IMAP prompt", so you should get the "SMTP prompt".
The issue may be that the mail client may not know that it has to start an SSL/TLS right away. Which mail client are you using?
P.S. I haven't actually done this myself, so this is all (logical) guessing. :)
P.P.S. I'm the original _FFR poster that sent you an email, if you want we can converse over email. I don't know about you, but writing in my email client is much easier for me than writing in a TEXTAREA. :)
i got it working... i was testing it w/o a username and password to verify that stunnel did, in fact, turn it in to an open relay (it does) and when i switched port 465 to sendmail's control, i neglected to re-enable a username and password on my mail client (Mail.app for OS X) and i wasn't getting any error message, just a connection time out. i put my username/password back in and it worked fine.
just a lack of a sensible error message. it's okay now, and i've updated the HOWTO to reflect using sendmail rather than stunnel for ssmtp/smtps/465 (i've seen all three)
Sendmail will see localhost connections forwarded from anyone by stunnel; be aware of possible relaying problems in case you are not careful with configuration.
By Paul Pruett (ppruett@webengr.com, http://www.cocoavillagepublishing.com/development/)
If it helps, here is another web page with some notes on sendmail, smtp_auth & ssl, and notes from March 2003 applied to ver. 3.3 that I typed up for myself when test bedding 3.3 beta and tried it with uw-imap...
http://www.cocoavillagepublishing.com/development/tools/openbsd/tips/sendmail/
http://www.cocoavillagepublishing.com/development/tools/openbsd/tips/sendmail/notes_33.html
BTW, Thanks for the note on the man page for starttls(8), always check the man pages, doh!
By Sven Wallman (svenw+deadly@adho.mine.nu)
dnl Next line stops sendmail from allowing auth without encryption
dnl define(`confAUTH_OPTIONS', `Ap')dnl
Btw, having EXTERNAL defined as a MECH will allow users equipped with certificates to authenticate.
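The `Ap` setting above changes what the server advertises before and after STARTTLS. As an added example (not code from the thread or from sendmail), the check below parses the two EHLO replies and flags PLAIN/LOGIN offered on the cleartext side, which is exactly what `p` is meant to stop; the transcripts and host names are constructed.

```python
"""Check EHLO capability lists for AUTH offered without encryption.
Added example, not code from the thread or from sendmail: it shows what the `p`
flag in confAUTH_OPTIONS changes on the wire (with `Ap`, sendmail stops
advertising PLAIN/LOGIN until STARTTLS has completed). Transcripts are constructed.
"""

# Mechanisms that carry the password in the clear (or as base64); TLS first.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed first EHLO reply without `p`: AUTH is offered on the cleartext
# connection, so a client may send its credentials unencrypted.
WEAK_PRE_TLS = """\
250-mail.example.org Hello client.example.net [192.0.2.10], pleased to meet you
250-AUTH LOGIN PLAIN
250-STARTTLS
250 HELP"""

# Constructed first EHLO reply with confAUTH_OPTIONS `Ap`: no AUTH before TLS.
HARDENED_PRE_TLS = WEAK_PRE_TLS.replace("250-AUTH LOGIN PLAIN\n", "")

# Constructed reply to the second EHLO, sent after STARTTLS succeeded.
POST_TLS = """\
250-mail.example.org Hello client.example.net [192.0.2.10], pleased to meet you
250-AUTH LOGIN PLAIN
250 HELP"""


def parse_ehlo(reply):
    """Map each 250 keyword to its parameters; the first 250 line is the
    greeting, not a capability, and is skipped."""
    caps, lines = {}, [ln for ln in reply.splitlines() if ln.startswith("250")]
    for line in lines[1:]:
        parts = line[4:].split()          # drop "250-" or "250 "
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def audit(pre_tls_reply, post_tls_reply):
    """Return findings; an empty list means the server behaves as `Ap` intends."""
    pre, post = parse_ehlo(pre_tls_reply), parse_ehlo(post_tls_reply)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not advertised on the cleartext connection")
    exposed = PLAINTEXT_MECHS & set(pre.get("AUTH", []))
    if exposed:
        findings.append("cleartext AUTH offered before TLS: " + ", ".join(sorted(exposed)))
    if not post.get("AUTH"):
        findings.append("no AUTH mechanisms offered after STARTTLS")
    return findings
```

To run it against a real server, feed `audit()` the capability lines returned by the first EHLO and by the EHLO sent after `openssl s_client -starttls smtp` has completed the handshake.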