OpenBSD Journal

Sendmail + SMTP AUTH + TLS

Contributed by jose on from the secure-email dept.

dlg writes: "i found a howto for openbsd 2.9 + sendmail + auth + tls on and this inspired me to create a more updated howto (for OpenBSD 3.3), along with added information on getting STARTTLS and ssmtp running. see for the howto. it doesn't explain the why , but i think i got the what properly documented."

Interestingly, we've had a manpage for starttls(8) for quite a while now, so you may want to look at those instructions for the STARTTLS portion. This adds SASL and SSMTP to the mix.

(Comments are closed)

    1. By dlg () on

      it seems alright to me. it's currently on a pentium /200mhz machine, 128mb ram or so. there are only a few users, so i don't know how well it scales up. i was using spamass-milter for a while, but it kept crashing, so i stopped. i'm going to investigate mimedefang in a while, when i get the time. basically, i'd like a milter-based bayesian filtering solution (if anybody knows of a good, stable one, i'd like to hear about it) ... it needs to be milter-based, because not all email users have accounts on the machine, so procmail isn't an alternative.

      1. By Anonymous Coward () on

        what about milter for virus filtering....

      2. By Alex () on

        I've been using SpamAssassin 2.5X from the ports tree (now up to 2.55) and MIMEDefang (started at 2.31, now up to 2.33) hand compiled along with HBEDV - on my OpenBSD 3.1 (yes I'm going through upgrade testing on a new box) mail server. It's been up and running for about four months on the P133/128MB RAM and it's been working fine with no stability problems.

        I'd recommend it to anyone trying to increase signal to noise ratio and stop malware.


        P.S. I just did the STARTTLS thing myself on the other mail server...

        1. By dlg () on

          i had terrible luck with spamass-milt. it crashed twice a day on my machine running 3.3 ... i've been meaning to investigate MIMEDefang or amavisd-new but the junk filtering in my mail client is adequate, and i'm lazy.

  2. By Anonymous Coward () on

    I emailed the author of the article this, but I'd figure I'd post it as well:

    If you want to have sendmail do SMTPS directly, first define " _FFR_SMTP_SSL " when you compile sendmail ( i.e. , -D_FFR_SMTP_SSL ). Once that's done, put the line

    DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl
    in your .mc file.

    You're done. (I go this from a Usenet posting: Message-ID 3D9C2B4C.EEC98054@Andrzej.Adam.Filip .)

    P.S. Can we get a 'preview' button for posting comments? What something looks in a TEXTAREA, and how it renders can be two very different things (especially if you accidentally forget a closing HTML tag.

    1. By dlg () on

      ah, it must be the _FFR_SMTP_SSL, because i tried a line like that when i was experimenting, but it just gave me a "standard" sendmail response. interesting. i'll have to recompile sometime. stunnel works, but it /is/ an extra piece that can break.

    2. By dengue () dengue[at]deadly[dot]org on mailto:dengue[at]deadly[dot]org

      We'll take a look at it. Free time is in short supply right now.

    3. By Anonymous Coward () on

      $ sendmail -d0.13 and yet, when i connect with a mail client, no dice. i'll have to keep looking on google.

      1. By dlg () on

        okay, what the above comment /should/ have been:
        # sendmail -d0.13
        and yet, when i connect with a mail client, no dice. i'll have to keep googling.

      2. By dlg () on

        okay, what the above comment /should/ have been:
        # sendmail -d0.13 < /dev/null | grep FFR FFR Defines: _FFR_SMTP_SSL _FFR_USE_SETLOGIN # nmap localhost -p 465 Starting nmap V. 3.00 ( ) Interesting ports on ( Port State Service 465/tcp open smtps Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds # cat /etc/mail/ |grep MTA-SSL O DaemonPortOptions=Family=inet, Port=465, Name=MTA-SSL, M=s #
        and yet, when i connect with a mail client, no dice. i'll have to keep googling.

        and AGAIN! this is why we need a preview :]

        1. By Anonymous Coward () on

          Try the following:

          openssl s_client -connect localhost:smtps
          ("smtps" is the official IETF name of the port. Do a grep for smtp in /etc/services.)

          I can connect to the IMAPS port of IMAP-UW doing this getting the "IMAP prompt", so you should get the "SMTP prompt".

          The issue may be that the mail client may not know that it has to start an SSL/TLS right away. Which may client are you using?

          P.S. I haven't actually done this myself, so this is all (logical) guessing. :)

          P.P.S. I'm the original _FFR poster that sent you an email, if you want we can converse over email. I don't know about you, but writing in my email client is much easier for me than writing in a TEXTAREA. :)

          1. By dlg () on

            i got it working... i was testing it w/o a username and password to verify that stunnel did, in fact, turn it in to an open relay (it does) and when i switched port 465 to sendmail's control, i neglected to re-enable a username and password on my mail client ( for OS X) and i wasn't getting any error message, just a connection time out. i put my username/password back in and it worked fine.

            just a lack of a sensible error message. it's okay now, and i've updated the HOWTO to reflect using sendmail rather than stunnel for ssmtp/smtps/465 (i've seen all three)

  3. By Paul Pruett () on

    Thanks dlg for the input.

    If it helps here is another web page with some notes on sendmail, smtp_auth & ssl and applied to ver. 3.3 notes from march 2003 that I typed up for my self when test bedding 3.3 beta and I tried it with uw-imap...

    BTW, Thanks for the note on the man page for starttls(8), always check the man pages, doh!

  4. By arkadi () on

    Sendmail will see localhost connections forwarded from anyone by stunnel, be aware of possible relaying problems in case you are not carefull with configuration.

  5. By Sven Wallman () on

    The following is useful for those of you that use LOGIN and PLAIN (doesn't make much sense for DIGEST-MD5):

    dnl Next line stops sendmail from allowing auth without encryption
    dnl define(`confAUTH_OPTIONS', `Ap')dnl

    Btw, having EXTERNAL defined as a MECH will allow users equipped with certificates to authenticate.

Latest Articles


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]