######################################
#
# $Id: howto-sendmail_tls-imap_sasl-ldap-kerberosV.pod,v 1.1 2003/01/27 09:12:52 jonen Exp $
#
######################################
#
# $Log: howto-sendmail_tls-imap_sasl-ldap-kerberosV.pod,v $
# Revision 1.1  2003/01/27 09:12:52  jonen
# + create new
#
#
######################################

=pod

=head2 Sendmail TLS + Cyrus IMAP/SASL + LDAP + AMaViS + Kerberos V HowTo

Sebastian Utz

Revision 1.1 2003/01/27 09:11:05 jonen + create new

=head3 Description

Install and configure Sendmail with TLS, Cyrus IMAP/SASL, LDAP, and Kerberos V support.

The installation instructions described here are mainly for Debian. For detailed installation instructions take a look at L<"Resources">; e.g. the "OpenLDAP, OpenSSL, SASL and KerberosV HOWTO" from Turbo Fredriksson explains a lot (great stuff!)...

=head3 Prerequisites

To use all the features described here with sendmail, the following have to be installed:

    - Cyrus SASL v1      http://asg.web.cmu.edu/cyrus/sasl/
    - Cyrus IMAP v1      http://asg.web.cmu.edu/cyrus/sasl/
    - OpenLDAP 2         http://www.openldap.org/
    - AMaViS (Milter)    http://www.amavis.org/
    - MIT Kerberos V     http://web.mit.edu/kerberos/www/
    - OpenSSL            http://www.openssl.org/

=head3 AMaViS

=head4 install

debian testing/unstable:

    - apt-get install amavis-milter

debian woody/stable:

    - download the latest amavis-milter_*.deb, which can be found at
      http://packages.debian.org/testing/mail/amavis-milter.html
    - dpkg -i amavis-milter_*.deb

other systems:

Sorry, but I'm using Debian; for install instructions on other distributions look at the 'Resources' section and always google. Will try to write some docu here soon, too....

=head4 configure & start amavisd

    - edit /etc/amavisd.conf to configure your local settings, e.g. the anti-virus scanner you use
    - start amavisd with: /etc/init.d/amavisd start

Note: you should always start amavisd *before* sendmail, as the amavis docu explains...
=head3 Install Sendmail

=head4 debian

    - apt-get install sendmail

If the software described at L<"Prerequisites"> isn't installed yet, look at

    - http://www.netfrag.org/~jonen/computing/install_cyrus_sasl_v1.html
    - http://www.netfrag.org/~jonen/computing/mini-howto-cyrus_imapd_v1-pam-kerberosV.html
    - others coming soon.....

After installing the required packages, run

    - sendmailconfig

or one of the more specific scripts under '/usr/share/sendmail/' (e.g. /usr/share/sendmail/update_auth to update SASL support) and follow the instructions printed, e.g. for updating TLS support:

    - run: /usr/share/sendmail/update_tls
    - insert into sendmail.mc:
        - debian stable/testing: include(`/etc/mail/starttls.m4')dnl
        - debian unstable:       include(`/etc/mail/tls/starttls.m4')dnl
    - cd /etc/mail
    - run: make
    - restart sendmail: /etc/init.d/sendmail restart
    - test the supported features:
        - telnet localhost 25
        - enter: ehlo
        - this should produce output like:

    250-mail.netfrag.org Hello localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH GSSAPI CRAM-MD5 PLAIN LOGIN
    250-STARTTLS
    250-DELIVERBY
    250 HELP

The 'AUTH GSSAPI CRAM-MD5 PLAIN LOGIN' and 'STARTTLS' lines are the most important to us, because they mean that GSSAPI, Digest-MD5 and PLAIN authentication are supported and that TLS is enabled.

=head4 other systems

Sorry, but I'm using Debian; for install instructions on other distributions look at the 'Resources' section and always google. Will try to write some docu here soon, too....

=head3 Configure Sendmail

=head4 general sendmail.mc configurations:

coming soon....
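The EHLO test under "Install Sendmail" above can be scripted. This is an added example, not code from the original HOWTO: it parses the EHLO reply quoted there (embedded below as a constructed sample), reports whether STARTTLS is offered and which AUTH mechanisms are advertised, and flags PLAIN/LOGIN being advertised on the not yet encrypted connection; audit_live() runs the same check against a real server via smtplib. The reference to sendmail's confAUTH_OPTIONS `p` flag in the comment is a hardening hint not mentioned in the HOWTO.

```python
import re
import smtplib

# Constructed sample: the EHLO reply quoted in the "Install Sendmail" section.
SAMPLE_EHLO = """250-mail.netfrag.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""

# Mechanisms that send the password in the clear unless a TLS layer is active.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Turn a multi-line 250 EHLO reply into {EXTENSION: parameter-string}."""
    features = {}
    for line in reply.splitlines()[1:]:          # skip the greeting line
        m = re.match(r"250[- ](\S+)\s*(.*)", line)
        if m:
            features[m.group(1).upper()] = m.group(2).strip()
    return features

def audit(features):
    """Findings a practitioner wants from the EHLO test."""
    mechs = set(features.get("AUTH", "").split())
    return {
        "starttls": "STARTTLS" in features,
        "auth_mechs": sorted(mechs),
        # PLAIN/LOGIN offered before any TLS layer: a client may send the
        # password in the clear; sendmail's confAUTH_OPTIONS `p` hides them.
        "cleartext_auth_before_tls": bool(mechs & CLEARTEXT_MECHS),
    }

def audit_live(host, port=25, timeout=10):
    """Same audit against a running server (network access required)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        return audit({k.upper(): v for k, v in s.esmtp_features.items()})
```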
=head3 Configure Sendmail + SASL v1

=head4 debian

    - run /usr/share/sendmail/update_auth

=head4 sendmail.mc configurations (not needed on debian)

    TRUST_AUTH_MECH(`GSSAPI PLAIN LOGIN')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI PLAIN LOGIN')dnl

=head3 Configure Sendmail + Cyrus IMAP v1

=head4 sendmail.mc configurations

    dnl # Cyrus Imap
    dnl #
    define(`confLOCAL_MAILER', `cyrus')
    define(`CYRUS_MAILER_FLAGS', `A5@/:|')dnl
    define(`CYRUS_MAILER_PATH', `/usr/sbin/cyrdeliver')dnl
    define(`CYRUS_MAILER_ARGS', `cyrdeliver -e -q -m $h -- $u ')dnl
    define(`CYRUS_MAILER_USER', `cyrus:mail')dnl
    define(`CYRUS_BB_MAILER_FLAGS', `')dnl
    define(`CYRUS_BB_MAILER_ARGS', `cyrdeliver -e -q -m $u ')dnl
    dnl #
    MAILER(cyrus)dnl

    LOCAL_CONFIG
    ## Custom configurations below (will be preserved)

    LOCAL_RULE_0
    R$=I				$: $#cyrus $: $1
    R$=I < @ $=w . >		$: $#cyrus $: $1
    R$=I < @ $=R . >		$: $#cyrus $: $1
    Rbb + $+ < @ $=w . >		$#cyrusbb $: $1

=head3 Configure Sendmail + TLS

=head4 debian

    - run /usr/share/sendmail/update_tls and place 'include(`/etc/mail/starttls.m4')dnl' in sendmail.mc
    - make & restart sendmail
    - see "Install Sendmail" for details...

=head4 other systems

coming soon......

=head4 sendmail.mc configurations (not needed on debian)

    TRUST_AUTH_MECH(`GSSAPI PLAIN LOGIN')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI PLAIN LOGIN')dnl

=head3 PAM + LDAP + MIT Kerberos V

=head4 Authentication/Authorization via pam_ldap

    - edit /etc/pam.d/smtp as follows:

    auth      required    pam_ldap.so
    account   required    pam_ldap.so

=head4 Authentication via MIT Kerberos V - gssapi and pam_krb5

=head5 Some notes on MIT Kerberos V

If SASL is compiled with 'gssapi' support, sendmail will support Kerberos V/GSSAPI authentication, but as I couldn't find any documentation about Kerberos V support in up-to-date mail clients (Evolution does Kerberos 4, but no GSSAPI... ;-( ), I'm using pam_krb5, with lots of drawbacks compared to real GSSAPI!
Short quote from the Kerberos V5 Installation Guide (http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.7/doc/install.html#SEC3):

"Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the client's password as the key, and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT, using its password. If the client successfully decrypts the TGT (i.e., if the client gave the correct password), it keeps the decrypted TGT, which indicates proof of the client's identity."

As you can read, no passwords go over the network, so security is much improved!

=head5 pam_krb5

If pam_krb5 is used, PAM requests a 'fake' ticket for the daemons you want to authenticate against. Also, only PLAIN passwords are supported, which means PLAIN passwords will go over your network, which is very insecure! But if we are using TLS (which is always a good idea), the passwords go through a secure transport layer that encrypts the whole connection, so pam_krb5 over TLS is OK for now....

    - edit /etc/pam.d/smtp as follows:

    auth      required    pam_krb5.so
    account   required    pam_ldap.so

=head4 sendmail.mc configurations

    - read http://www.sendmail.org/m4/ldap_routing.html !!
    - I added a 'sendmail' user to LDAP as follows, which allows sendmail to run its queries:

    dn: uid=sendmail,ou=People,dc=netfrag,dc=org
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    uid: sendmail
    cn: sendmail account
    uidNumber: 25
    gidNumber: 25
    homeDirectory: /etc/mail
    userPassword::

    - set the default bind DN after '-b'
    - set the sendmail user, used for query requests, after '-d'
    - other options, still not tested/needed (kerberos5/gssapi supported?):
    -m (none | simple | krb4)
    -P (/path/to/passwd_containing_file | /path/to/krb4_ticket)

    dnl # define LDAP server used for routing
    define(`confLDAP_DEFAULT_SPEC',`-h ldap.netfrag.org -b ou=Mail,dc=netfrag,dc=org -d uid=sendmail,ou=People,dc=netfrag,dc=org')dnl
    dnl # define path to the file which lists routeable domains
    LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldapdomains')dnl
    dnl # switch ldap routing on
    FEATURE(ldap_routing)dnl

    - example '/etc/mail/ldapdomains':

    netfrag.org
    example.com
    your-domain.com

=head4 query 'aliases' against ldap

    - To use the default schema, simply use (in sendmail.mc):

    define(`ALIAS_FILE', `ldap:')

    - By doing so, you will use the default schema, which expands to a map declared as follows:

    ldap -k (&(objectClass=sendmailMTAAliasObject)
              (sendmailMTAAliasGrouping=aliases)
              (|(sendmailMTACluster=${sendmailMTACluster})
                (sendmailMTAHost=$j))
              (sendmailMTAKey=%0))
         -v sendmailMTAAliasValue

    - Example LDAP LDIF entries might be:

    dn: sendmailMTAKey=test-aliases, ou=Mail, dc=netfrag, dc=org
    objectClass: top
    objectClass: sendmailMTA
    objectClass: sendmailMTAAlias
    objectClass: sendmailMTAAliasObject
    sendmailMTAAliasGrouping: aliases
    sendmailMTAHost: mail.netfrag.org
    sendmailMTAKey: test-aliases
    sendmailMTAAliasValue: jonen

    dn: sendmailMTAKey=postmaster, ou=Mail, dc=netfrag, dc=org
    objectClass: top
    objectClass: sendmailMTA
    objectClass: sendmailMTAAlias
    objectClass: sendmailMTAAliasObject
    sendmailMTAAliasGrouping: aliases
    sendmailMTACluster: Servers
    sendmailMTAKey: postmaster
    sendmailMTAAliasValue: jonen

=head4 query map definitions (e.g. virtusertable, mailertable, access_db, etc.) against ldap

    - read http://www.sendmail.org/m4/ldap.html !!
    - example for 'virtusertable' (other map definitions work nearly the same way..):
        - sendmail.mc: FEATURE(`virtusertable', `LDAP')
        - add a sendmailMTAMapName entry (one has to be created for each map definition!!):
    dn: sendmailMTAMapName=virtuser, ou=Mail, dc=netfrag, dc=org
    objectClass: top
    objectClass: sendmailMTA
    objectClass: sendmailMTAMap
    sendmailMTAHost: mail.netfrag.org
    sendmailMTAMapName: virtuser

    - example virtuser entries:

    dn: sendmailMTAKey=test-virtuser@netfrag.org, ou=Mail, dc=netfrag, dc=org
    objectClass: sendmailMTA
    objectClass: sendmailMTAMap
    objectClass: sendmailMTAMapObject
    sendmailMTAMapName: virtuser
    sendmailMTAHost: mail.netfrag.org
    sendmailMTAKey: test-virtuser@netfrag.org
    sendmailMTAMapValue: jonen

    dn: sendmailMTAKey=no-user@example.com, ou=Mail, dc=netfrag, dc=org
    objectClass: sendmailMTA
    objectClass: sendmailMTAMap
    objectClass: sendmailMTAMapObject
    sendmailMTAMapName: virtuser
    sendmailMTAHost: mail.netfrag.org
    sendmailMTAKey: no-user@example.com
    sendmailMTAMapValue: error: no-user@example.com doesn't exist here

=head3 Configure Sendmail Milter + AMaViS

=head4 sendmail.mc configurations

    define(`MILTER', 1)
    INPUT_MAIL_FILTER(`milter-amavis',`S=local:/var/run/amavis/amavis-milter.sock, F=T, T=S:10m;R:10m;E:10m')

=head3 Resources

=over

=item Sendmail

http://www.sendmail.org/

=item LDAP Implementation HOWTO

http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/

=item OpenLDAP

http://www.openldap.org/

=item MIT Kerberos V5

http://web.mit.edu/kerberos/www/

=item Kerberos Authenticated SMTP Service Installation Instructions

http://www.upenn.edu/computing/pennkey/sysadmin/d_install_unix/smtp.html

=item sendmail with LDAP, TLS and AUTH

http://logout.sh/computers/sendmail/

=item Sendmail + LDAP HOWTO

http://www.iconimaging.net/~jradford/sendmail/sendmail-ldap.html

=item Sendmail with Milter, AMaViS, Cyrus IMAP + SSL, Anti Spam

http://wwwhomes.uni-bielefeld.de/schoppa/saia-howto.html

=item Sendmail with Milter, AMaViS, Anti Spam, Cyrus IMAP on a Debian woody basis

http://wwwhomes.uni-bielefeld.de/schoppa/saia-woody-howto.html

=item AMaViS

http://www.amavis.org/

=back

=head3 ToDo

    o it seems NO mail client currently supports Kerberos V tickets, DO MORE RESEARCH!
        x so use pam_krb5
    o if so, it seems only PLAIN password authentication works (no Digest-MD5 or others!)
        x so usage of TLS/SSL for a secure transport layer is recommended
    o document the installation for distributions other than Debian
    o check out Cyrus Imapd v2 and SASL v2 more and write a howto
    o MORE docu !!

=cut
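=pod

The 'aliases' and 'virtusertable' LDAP lookups described in the "query ... against ldap" sections above are scoped by host or cluster: an entry is only returned if its sendmailMTAHost equals $j or its sendmailMTACluster equals ${sendmailMTACluster}. The following is an added example, not code from the HOWTO, that applies the default filter shapes quoted above to LDIF constructed from those entries (cut down to the attributes the filters test); it assumes that the cluster name comes from sendmail's confLDAP_CLUSTER option, which the sendmail.mc above never sets, so the postmaster alias, scoped by cluster only, resolves only once a cluster name is defined.

```python
# Constructed LDIF: entries from the sections above, cut to the attributes the filters test.
LDIF = """\
dn: sendmailMTAKey=test-aliases, ou=Mail, dc=netfrag, dc=org
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTAHost: mail.netfrag.org
sendmailMTAKey: test-aliases
sendmailMTAAliasValue: jonen

dn: sendmailMTAKey=postmaster, ou=Mail, dc=netfrag, dc=org
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTACluster: Servers
sendmailMTAKey: postmaster
sendmailMTAAliasValue: jonen

dn: sendmailMTAKey=no-user@example.com, ou=Mail, dc=netfrag, dc=org
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAHost: mail.netfrag.org
sendmailMTAKey: no-user@example.com
sendmailMTAMapValue: error: no-user@example.com doesn't exist here
"""

# Per map: objectClass, selector attribute, selector value, value attribute (default specs above).
MAPS = {"aliases": ("sendmailMTAAliasObject", "sendmailMTAAliasGrouping", "aliases", "sendmailMTAAliasValue"),
        "virtuser": ("sendmailMTAMapObject", "sendmailMTAMapName", "virtuser", "sendmailMTAMapValue")}

def parse_ldif(text):
    """Minimal LDIF reader: a list of {attribute: [values]}, one per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for attr, _, val in (ln.partition(":") for ln in block.splitlines()):
            entry.setdefault(attr.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def lookup(entries, mapname, key, host, cluster=None):
    """(&(objectClass=OC)(SEL=VAL)(|(sendmailMTACluster=CLUSTER)(sendmailMTAHost=HOST))(sendmailMTAKey=KEY));
    CLUSTER is ${sendmailMTACluster} from confLDAP_CLUSTER, so an unset cluster never matches."""
    oc, sel, selval, valattr = MAPS[mapname]
    hits = []
    for e in entries:
        in_scope = host in e.get("sendmailMTAHost", []) or (
            cluster is not None and cluster in e.get("sendmailMTACluster", []))
        if (oc in e.get("objectClass", []) and selval in e.get(sel, [])
                and key in e.get("sendmailMTAKey", []) and in_scope):
            hits.extend(e.get(valattr, []))
    return hits
```

=cut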