Linux Security Cookbook [Electronic resources] (text version)

Daniel J. Barrett, Robert G. Byrnes, Richard Silverman
Recipe 8.18 Using an SMTP Server from Arbitrary Clients



8.18.1 Problem



You want your
SMTP server to relay mail from arbitrary places, without creating an
open relay.


8.18.2 Solution


Use SMTP authentication. To set up the server:


  1. Find this line in
    /etc/mail/sendmail.mc:

    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

    and change it to:

    DAEMON_OPTIONS(`Port=smtp, Name=MTA')

    The default setting restricts sendmail to
    accepting connections only from the same host, for security; now it
    will accept connections from elsewhere.


  2. Make sure this line in /etc/mail/sendmail.mc
    appears uncommented (i.e., it is not preceded by the comment symbol
    dnl):

    TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')

  3. If you have changed /etc/mail/sendmail.mc,
    rebuild your sendmail configuration file[3] and
    restart sendmail.

    [3] You'll need the RPM package
    sendmail-cf installed to do this. Note also that
    some Linux distributions put sendmail.cf in the
    /etc/mail directory.

    Rebuild the configuration:

    # m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

    Restart sendmail:

    # /etc/init.d/sendmail restart

  4. Establish an account
    for SMTP authentication, say, with username mailman:

    # /usr/sbin/saslpasswd -c mailman
    Password: ********
    Again (for verification): ********


Your mail server should now be ready to do SMTP authentication. To
set up the email client:


  1. Configure your mail client to use SMTP authentication for outbound
    email, using either the
    DIGEST-MD5
    (preferred) or
    CRAM-MD5 authentication types.

    Your client might also have an option nearby for a
    "secure connection" using SSL. Do not turn it on; that is a
    separate feature.


  2. Try sending a test message via relay: address it to a domain
    considered non-local to your server. Instead of replying with a
    "relay denied" error (which you
    should have gotten previous to this setup), you should be prompted
    for a username and password. Use the mailman account you established
    previously. The mail message should get sent.




8.18.3 Discussion


An SMTP server accepts Internet email. There are two
kinds of email messages it may receive:


Local mail

Intended to be delivered to a local user on that host. This mail
usually arrives from other mail servers.

Non-local mail

Intended to be forwarded to another host for delivery. This mail
usually comes from email programs, such as Pine and Ximian Evolution,
configured to use your SMTP server to send mail.



A mail server that forwards non-local mail is called a relay.
Normally, you'll want your SMTP server to accept local mail from
anywhere, but restrict who may use your server as a relay for
non-local mail. If you don't restrict it, your SMTP server is called
an open relay. Open relays invite trouble: spammers seek them out as
convenient drop-off points; your machine could be co-opted to send
unwanted email to thousands of people. Say goodbye to your good
Internet karma... and you will shortly find your mail server
blacklisted by spam-control services, and hence useless. In fact, you
might come home one day to find your ISP has shut down your Net
access, due to complaints of mail abuse! You really don't want an
open relay.

ISP mail servers normally accept relay mail
only from addresses on their network, restricting them to use by
their customers. This makes good business sense, but is inconvenient
for mobile users who connect to various ISPs for Net access at
different times. It's a pain to keep switching email
program settings to use the different required relays (or even to
find out what they are).

Our recipe demonstrates how to set up your SMTP server to get around
this inconvenience, by requiring authentication before relaying mail.
Thus, a single SMTP server can accept non-local mail no matter where
the client is connected, while still avoiding an open relay. One
caveat: the email clients must support SMTP authentication, as do
Evolution, Pine, the Mail program of Macintosh OS X, and others.

Our recipe depends on two lines in
/etc/mail/sendmail.mc. The first, once you
disable it, allows
sendmail to accept mail from
other hosts; by default, it only listens on the network loopback
interface and accepts mail only from local processes. The second
line, once enabled, tells
sendmail which
authentication mechanisms to accept as trusted: that is, if a client
authenticates using one of these methods, it will be allowed to relay
mail.

When you send your test message, if your mail client claims the
server does not support SMTP authentication, try this on the server:

# sendmail -O LogLevel=14 -bs -Am
EHLO foo
QUIT
# tail /var/log/maillog

and look for any enlightening error messages.

This configuration by itself does not secure the entire SMTP session,
which is still a plaintext TCP connection. So don't
use simple password authentication, as your passwords can then be
stolen by network eavesdropping. By default,
sendmail accepts only the
DIGEST-MD5 and CRAM-MD5
authentication methods, which do not send the password in plaintext.
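As an added illustration (not code from the book), the following Python checks an EHLO reply for the mechanisms the recipe recommends and works through a CRAM-MD5 exchange from both the client and server side, so you can see what an eavesdropper on the plaintext session would observe. The EHLO text, the mailman password and the SASL_USERS table standing in for sasldb are constructed sample data.

```python
import base64
import hashlib
import hmac

# Constructed EHLO reply of the kind sendmail returns once the recipe's
# TRUST_AUTH_MECH line is active (sample text, not captured from a real server).
EHLO_REPLY = """250-mail.example.com Hello client.example.net, pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250 HELP"""

# Mechanisms that never send the password itself across the plaintext session.
CHALLENGE_RESPONSE_MECHS = {"DIGEST-MD5", "CRAM-MD5"}
# Constructed stand-in for the sasldb that saslpasswd populates (hypothetical data).
SASL_USERS = {"mailman": "correct horse battery"}

def advertised_auth_mechs(ehlo_reply):
    """Return the mechanisms listed on the 250-AUTH line of an EHLO reply."""
    for line in ehlo_reply.splitlines():
        body = line[4:]  # strip the "250-" / "250 " reply-code prefix
        if body.upper().startswith("AUTH "):
            return body.split()[1:]
    return []  # no AUTH line: the server is not offering SMTP authentication

def usable_mechs(mechs):
    """Keep only the mechanisms the recipe recommends for a plaintext TCP session."""
    return [m for m in mechs if m.upper() in CHALLENGE_RESPONSE_MECHS]

def cram_md5_response(username, password, challenge_b64):
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 over the server's challenge,
    keyed by the password; only the username and the digest go on the wire."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()

def verify_cram_md5(response_b64, challenge_b64, users=SASL_USERS):
    """Server side: recompute the digest from the stored password and compare
    in constant time; a passive observer sees a one-time digest, not a password."""
    username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    password = users.get(username)
    if password is None:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)
```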

It is also possible to configure sendmail
to use SSL to
protect the entire SMTP session. If you understand the security
properties and limitations of the authentication mechanisms mentioned
above, and consider them inadequate for your application, this might
be a necessary step to take. However, don't do it out of some notion
to "protect" the content of your email. Unless you have a closed
system, your email will be further relayed across other networks on
the way to its destination, so securing this one hop is of little
value. For more security, use an end-to-end approach, encrypting
messages with GnuPG, PGP, or S/MIME (see [Recipe 8.1]
through [Recipe 8.8]).


8.18.4 See Also


Learn more about SMTP authentication at http://www.sendmail.org/~ca/email/authl.
The SASL RFC is at
