Saturday, April 16, 2011

Sendmail SMTP AUTH to bypass DNSBL

Q:
<<
I use DNSBL to filter incoming mail. I also offer SMTP AUTH. The problem I'm having is that, while authenticated users are allowed to relay, they're still subject to DNSBL. Any way to prevent that, so that authenticated users can _always_ relay?
>>


Apr 15 23:45:37 ftp sendmail[27729]: ruleset=check_relay, arg1=[21.23.10.25], arg2=127.0.0.10, relay=[21.23.10.25], reject=554 5.7.1 Rejected 21.23.10.25 Found in dnsbl.sorbs.net


A:

You may use FEATURE(`delay_checks'), which skips the DNSBL checks for authenticated users.
URL(s):
http://www.sendmail.org/m4/anti_spam.html#delay_check

<<

Delay all checks

By using FEATURE(`delay_checks') the rulesets check_mail and check_relay will not be called when a client connects or issues a MAIL command, respectively. Instead, those rulesets will be called by the check_rcpt ruleset; they will be skipped if a sender has been authenticated using a "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH(). If check_mail returns an error then the RCPT TO command will be rejected with that error. If it returns some other result starting with $# then check_relay will be skipped. If the sender address (or a part of it) is listed in the access map and it has a RHS of OK or RELAY, then check_relay will be skipped.
This has an interesting side effect: if your domain is my.domain and you have
>>

Apr 16 00:22:08 ftp sendmail[28461]: STARTTLS=server, relay=[21.23.10.25], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Apr 16 00:22:11 ftp dovecot: imap-login: Login: user=, method=PLAIN, rip=21.23.10.25, lip=88.88.18.18, mpid=28463, TLS
Apr 16 00:22:17 ftp sendmail[28461]: AUTH=server, relay=[21.23.10.25], authid=depit, mech=LOGIN, bits=0
Apr 16 00:22:23 ftp sendmail[28461]: p3FLM5Od028461: from=, size=580, class=0, nrcpts=1, msgid=<201104152122.p3FLM5Od028461@tp.angram.com>, proto=ESMTP, daemon=MTA, relay=[21.23.10.25]
Apr 16 00:22:30 ftp dovecot: imap(depit): Disconnected: Logged out bytes=9/331
Apr 16 00:22:32 ftp dovecot: imap(depit): Disconnected: Logged out bytes=880/2104
Apr 16 00:23:15 ftp sendmail[28466]: p3FLM5Od028461: to=, ctladdr= (500/500), delay=00:00:55, xdelay=00:00:52, mailer=esmtp, pri=120580, relay=ate.ontebanato.com. [21.10.19.17], dsn=2.0.0, stat=Sent (p3FL32t3031751 Message accepted for delivery)
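The two log events above (a check_relay DNSBL reject, and the AUTH=server line once the same client can get far enough to authenticate) are what you need to measure how many legitimate users the blacklist was turning away. Added example, not from the original post: a Python parser over constructed sample lines in the same format that reports client IPs that both authenticated and were DNSBL-listed; 198.51.100.9 is a documentation placeholder address.

```python
import re
from collections import defaultdict

# Patterns for the two sendmail events of interest, in the log format shown above.
DNSBL_REJECT_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: ruleset=check_relay, arg1=\[(?P<ip>[^\]]+)\].*"
    r"reject=(?P<code>\d{3} \d\.\d\.\d) .*Found in (?P<zone>\S+)")
AUTH_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: AUTH=server, relay=\[(?P<ip>[^\]]+)\], "
    r"authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+)")

# Constructed sample log modelled on the excerpts above (198.51.100.9 is a placeholder).
SAMPLE_LOG = """\
Apr 15 23:45:37 ftp sendmail[27729]: ruleset=check_relay, arg1=[21.23.10.25], arg2=127.0.0.10, relay=[21.23.10.25], reject=554 5.7.1 Rejected 21.23.10.25 Found in dnsbl.sorbs.net
Apr 16 00:22:17 ftp sendmail[28461]: AUTH=server, relay=[21.23.10.25], authid=depit, mech=LOGIN, bits=0
Apr 16 00:30:41 ftp sendmail[28470]: ruleset=check_relay, arg1=[198.51.100.9], arg2=127.0.0.10, relay=[198.51.100.9], reject=554 5.7.1 Rejected 198.51.100.9 Found in dnsbl.sorbs.net
"""

def parse_line(line):
    """Classify one line as a DNSBL reject, a successful server-side AUTH, or None."""
    m = DNSBL_REJECT_RE.search(line)
    if m:
        return {"event": "dnsbl_reject", **m.groupdict()}
    m = AUTH_RE.search(line)
    if m:
        return {"event": "auth", **m.groupdict()}
    return None

def summarize(lines):
    """Per client IP: DNSBL reject count, the zones that listed it, and who authenticated from it."""
    by_ip = defaultdict(lambda: {"rejects": 0, "zones": set(), "authids": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        rec = by_ip[ev["ip"]]
        if ev["event"] == "dnsbl_reject":
            rec["rejects"] += 1
            rec["zones"].add(ev["zone"])
        else:
            rec["authids"].add(ev["authid"])
    return dict(by_ip)

def authenticated_but_listed(lines):
    """IPs that both authenticated and were DNSBL-rejected: the legitimate users that
    check_relay was blocking before FEATURE(`delay_checks') was enabled."""
    return sorted(ip for ip, rec in summarize(lines).items()
                  if rec["authids"] and rec["rejects"])
```

Run it over the real maillog before enabling delay_checks to see the scale of the problem, and again afterwards to confirm that IPs with an authid no longer appear in check_relay rejects.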



Sendmail-SMTP-AUTH-TLS-Howto

Sendmail SMTP AUTH Quick Start

 

Using SMTP AUTH and STARTTLS with sendmail


1. We need the following software: openssl, cyrus-sasl2, and sendmail.

2. Create Certificates for TLS
mkdir -p /etc/mail/certs
cd /etc/mail/certs
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365

<- Enter your password for smtpd.key.
<- Enter your Country Name (e.g., "DE").
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. "IT Department").
<- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<- Enter your Email Address.

openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 365
<- Again, enter your password for smtpd.key.
<- Enter your Country Name (e.g., "DE").
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. "IT Department").
<- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<- Enter your Email Address.

openssl x509 -noout -text -in sendmail.pem
chmod 600 ./sendmail.pem

Create the file sendmail.mc with the following contents:

dnl ### do SMTPAUTH
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl

dnl ### do STARTTLS
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl


Then start saslauthd and sendmail:
/etc/init.d/saslauthd start
/etc/init.d/sendmail start


Test your Configuration
To verify that your sendmail was compiled with the right options, type
/usr/sbin/sendmail -d0.1 -bv root
You should see that sendmail was compiled with SASLv2 and STARTTLS:


To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your sendmail mail server type
ehlo localhost
If you see the lines
250-STARTTLS
and
250-AUTH
everything is fine.

Type
quit
to return to the system's shell.

<<
SMTP AUTH allows users to supply a login and password to a server in order to relay mail to other locations. Until recently, relaying was largely controlled by restricting access to trusted IP addresses or networks. This has turned into an administrative nightmare, however, due to the wide adoption of dynamically allocated IP addresses and the demands of roaming users. It makes more sense to control relaying at the user level, regardless of the host or its location on the Internet, but care must be taken to protect passwords from being sent in the clear.
>>


chkconfig saslauthd on
service saslauthd restart


You now have SMTP AUTH with encrypted logins!
In order to provide encrypted logins, you must use a version of sendmail that was compiled to use SASL and STARTTLS.


The confAUTH_OPTIONS macro allows you to instruct sendmail not to offer plain text authentication until after a secure mechanism such as TLS is active (the p option). We are also prohibiting anonymous logins (the y option). The A option is a workaround for broken MTAs:
define(`confAUTH_OPTIONS', `A p y')dnl
Now we define which authentication mechanisms we will trust and use:
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
Next, we tell sendmail where to find the certificates:
define(`confCACERT_PATH', `/usr/share/ssl/certs')dnl
define(`confCACERT', `/usr/share/ssl/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/usr/share/ssl/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/usr/share/ssl/certs/sendmail.pem')dnl
And finally, it may be useful to increase the log level for debugging purposes (delete or comment out this line after everything is working properly):
define(`confLOG_LEVEL', `14')dnl

2 comments:

  1. This has helped to resolve a mystery with Android phones not being able to utilize SMTP via authentication. Thanks!

  2. Works for me on Centos 5.6 with DroidX phone.
