Presentation of the SMTP AUTH and STARTTLS email protocols and their application in the Sendmail Mail Transport Agent. JeremyMates 2002-01-10 Copyright 2001, 2002 Jeremy Mates. Distributed under the Open Publication License. $Id: smtpauth-starttls.xml,v 1.2 2004/09/27 05:07:48 jmates Exp $

Standards-based protocols that add authentication and encryption to SMTP.

SMTP 821 (August 1982) - Simple Mail Transport Protocol.

SMTP Service Extensions 1869 (November 1995).

SMTP AUTH 2554 (March 1999) - Authentication for SMTP.

STARTTLS 2487 (January 1999) - Secure SMTP over TLS.

SMTP is an old protocol, written in a different age.

Mail servers historically set to relay openly.

Unsolicited email (spam) now a problem.

Need to support roaming users without becoming open relay.

In a secure manner.

With minimum hassle client-side.

ESMTP allows extensions to solve such problems.

Various approaches, no best solution.

Require use of ISP’s local mail server.

Allowing internal access.

Terminal mail via SSH (mutt, PINE).

Web-based email solutions.

VPN - extending trusted network.

SSH port forwarding (ssh -L 2525:localhost:25).

IPSec.

“POPPost Office Protocol before SMTP,” for example via DRAC.

SMTP AUTH (and/or STARTTLS).

Extension of Simple Authentication and Security Layer (SASL) 2222.

Allows clients to authenticate with server.

Open relay rights to authorized users.

Access to otherwise disabled services (e.g. EXPN, VRFY).

Implemented through AUTH keyword.

telnet localhost 25 … EHLO localhost … 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN AUTH cram-md5 334 SGVsbG8sIFdvcmxk…

Multiple authentication mechanisms are supported, of varied security.

Mechanisms supported vary by implementation, configuration.

LOGIN, PLAIN are common, but insecure (plaintext password on network).

CRAM-MD5, DIGEST-MD5 more secure (can be harder to support).

GSSAPI (kerberos) and others have poorer support (especially on clients).

Mechanism for negotiating TLS 2246 over a SMTP connection.

TLS (essentially SSLv3) provides link authenticity, privacy.

Uses X.509 Certificates 2459.

Works over regular SMTP link via “upwards negotiation.”

Implemented through STARTTLS keyword.

Also (disfavored) smtps protocol, equivalent of https— the IESGInternet Engineering Steering Group recommends protocol designers to use upwards negotiation over alternate ports.

Does not handle virtual hosts well.

Slow (especially on the server side).

Can be susceptible to man-in-the-middle attacks.

Does not provide end-to-end confidentiality or message integrity.

That task is better met by PGP or S/MIME.

Good against passive attackers.

Protects message envelope (PGP or S/MIME do not).

Received: from mail.example.edu (IDENT:smmsp@mail.example.edu [10.0.0.11]) by example.org (8.12.1/8.12.1) with ESMTP id fBA0M7gU038106 (using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified FAIL) for <user@example.org>; Sun, 9 Dec 2001 16:22:10 -0800 (PST) Received: from grue.example.edu (sender@grue.example.edu [10.0.0.13]) (authenticated bits=0) by mail.example.edu (8.12.1/8.12.1) with ESMTP id fBA0M3rD003797 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for <user@example.org>; Sun, 9 Dec 2001 16:22:07 -0800 Sender: sender@example.edu Message-ID: <3C14002A.FAB442A3@example.edu> Date: Sun, 09 Dec 2001 16:22:02 -0800 From: Sender <sender@example.edu> To: user@example.org Subject: test

Some degree of overlap between the two standards.

Can authenticate TLS clients with certificates.

Provisions in SASL to renegotiate to a secure link.

SMTP AUTH for users, STARTTLS for machines.

Users probably more comfortable with passwords.

Could use TLS client certificates to authenticate machines.

Determine your needs and requirements before implementation!

Need to support roaming users.

Clients use common GUI MUAs (e.g. Netscape).

Client setup should be easy as possible.

Want to interoperate with existing accounts.

Fast machines and few users, so TLS performance not an issue.

Use sendmail as MTA on server side.

Sendmail use widespread on Internet.

Has native support for SMTP AUTH, STARTTLS, smtps, etc.

Use LOGIN/PLAIN AUTH for client (and server) compatibility.

STARTTLS with server certificate to protect passwords.

Need trusted third-party signed TLS certificate.

SMTP AUTH first added in Sendmail 8.10 (2000-03-01).

Uses Cyrus SASL authentication libraries.

STARTTLS available in Sendmail 8.11 (2000-07-19).

Uses OpenSSL to provide SSL/TLS services.

Sendmail 8.12 improved support and features (2001-09-08).

Support generally requires recompiling Sendmail.

Vendor supplied Sendmail may have required features.

Use the following command to determine your sendmail version and compile features. sendmail -d0 < /dev/null

OpenSSL homepage, the source code, and my config notes.

Strong entropy source mandatory (e.g. /dev/urandom).

Typical ./config installation.

May be available as package/port for your system.

Need Third Party Certificate Authority signed certificate.

Expensive, but client setup easier and generally more secure.

“Common Name” must match FQDNFully Qualified Domain Name of the server.

openssl genrsa 1024 > host.key chmod 400 host.key openssl req -new -key host.key > host.csr … Common Name (eg, YOUR name) []:mail.example.edu host.key and host.cert (from Certificate Authority) used later. Self-signed certificate or own Certificate Authority may be an alternative (but client support for custom certificates varies, and may be insecure).

Sendmail uses cyrus sasl 1.5 at time of writing.

Cryus SASL homepage, the source code, and my config notes.

Typical ./configure installation.

--enable-login - legacy support of LOGIN.

--with-pwcheck - optional daemon.

May need to fiddle with library file locations.

May be available as package/port for your system.

Setup the /usr/lib/sasl/Sendmail.conf for Sendmail.

Specify a pwcheck_method: method.

passwd - use system getpwent interface.

sasldb - /etc/sasldb.

pwcheck - talk to pwcheck daemon.

Check documentation for more options.

Example Sendmail.conf from production Linux system: cat /usr/lib/sasl/Sendmail.conf pwcheck_method: shadow

Allows support for DIGEST-MD5, CRAM-MD5 mechanisms.

Not compatible with system accounts (uses /etc/sasldb).

May require setting Sendmail's GroupReadableSASLDBFile parameter to the DontBlameSendmail option for compatibility with Cyrus IMAP.

Add users via saslpasswd utility.

saslpasswd -a Sendmail -c -u mail.example.org user

May need to enable PLAIN support.

echo "pwcheck_method: sasldb" > /usr/lib/sasl/saslpasswd.conf

Allows unprivileged Sendmail or Cyrus IMAP users access to system account data.

Or an easy tie-in to custom accounts system (database, etc.).

Only LOGIN, PLAIN mechanisms available.

Run pwcheck daemon as super-user at startup.

/var/pwcheck should only be accessible by required users.

pwcheck creates socket under /var/pwcheck.

m4 macro files used to control source build.

Setup devtools/Site/site.config.m4 under source to modify build.

Add smmsp user/group to system first!

sh Build and sh Build install.

Copy source cf/* files to system location.

Make sure resulting binary supports features you need.

sendmail -d0.12 < /dev/null Version 8.12.3 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASL SCANF STARTTLS USERDB XDEBUG …

Add the following to your site.config.m4. APPENDDEF(`confENVDEF', `-DSASL') APPENDDEF(`confLIBS', `-lsasl -lcrypt') dnl allows AUTH_OPTIONS to prevent LOGIN/PLAIN over non-TLS link APPENDDEF(`confENVDEF', `-D_FFR_SASL_OPTS') define(`confAUTH_OPTIONS', `p') May need Cyrus SASL defines (-lcrypt) above OpenSSL’s (-lcrypto) to prevent function name conflicts.

Add the following to your site.config.m4. APPENDDEF(`confENVDEF', `-DSTARTTLS') APPENDDEF(`confLIBS', `-lssl -lcrypto') APPENDDEF(`confLIBDIRS', `-L/usr/local/ssl/lib') APPENDDEF(`confINCDIRS', `-I/usr/local/ssl/include')

Files under cf/ are used to help build sendmail.cf.

/usr/share/sendmail/conf - Darwin (a.k.a. Mac OS X).

/usr/share/sendmail - OpenBSD.

/usr/lib/sendmail-cf - RedHat 6 (via sendmail-cf RPM).

/usr/lib/mail - Solaris.

If unsure: find / -name cf.m4 -print or locate cf.m4.

Or invent a site-local location (NFS share).

Different due to non-suid operation; see sendmail/SECURITY for details.

Modify startup flags, e.g. /etc/rc.conf on OpenBSD.

sendmail_flags="-L sm-mta -bd -q15m"

Cron job (crontab) to clear /var/spool/clientmqueue.

*/30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q

Need to build a submit.cf in addition to sendmail.cf.

Be sure to disable vendor supplied mailer.

Beware vendor “updates” that downgrade sendmail.

Set NO_SENDMAIL=true and NO_MAILWRAPPER=true in FreeBSD’s /etc/make.conf.

Could modify/use system’s package/ports instead.

*BSD have ports for above utilities.

Repackage RedHat RPMs with local changes.

Group all config files under /etc/mail.

Use a Makefile to ease sendmail administration.

Create pre-bundled configurations for easier setup.

Use a sendmail.mc to build sendmail.cf.

sendmail.mc - set of m4 macro definitions.

Simple macro definitions result in complex config file.

m4 /usr/share/sendmail/m4/cf.m4 sendmail.mc > sendmail.cf

Read cf/README under source for configuration details.

Place following in sendmail.mc, rebuild sendmail.cf. define(`CERT_DIR', `/etc/mail/certs') define(`confCACERT', `CERT_DIR/cacert.pem') define(`confCACERT_PATH', `CERT_DIR/CA') define(`confSERVER_CERT', `CERT_DIR/host.cert') define(`confSERVER_KEY', `CERT_DIR/host.key') define(`confCLIENT_CERT', `CERT_DIR/host.cert') define(`confCLIENT_KEY', `CERT_DIR/host.key')

Restrict permissions on host.key!

Obtain root certificates (as confCACERT) to verify other systems.

Or populate the confCACERT_PATH directory with the individual certificates:

perl -ple 'select $fh; open $fh, ">$prev.cert" if /^=+\s*$/;' -e '($prev = $_) =~ s/[^\w.-]/_/g' ca-root.crt for F in *.cert; do ln -s $F `openssl x509 -noout -hash < $F`.0; done

Disable client certificates if not using them:

Place following into /etc/mail/access map.

Srv_Features: V

Rebuild access map using makemap.

makemap hash access < access Additionally, can disable TLS for client connections made by the server in access map: Try_TLS:example.net NO

Place following in sendmail.mc, rebuild sendmail.cf. define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 PLAIN LOGIN') TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')

AuthMechanisms specifies allowed SASL mechanisms.

TrustAuthMech opens relay for users authenticated with specified method.

Could also build custom rulesets for more control.

Custom sendmail.mc ruleset to only allow EXPN/VRFY to work for authenticated users: LOCAL_CONFIG F{trusty}/etc/mail/trusted-domains LOCAL_RULESETS Scheck_expn R$* $@ $>check_expn_and_vrfy $1 Scheck_vrfy R$* $@ $>check_expn_and_vrfy $1 Scheck_expn_and_vrfy R$* $: < $&{client_name} > R< $={trusty} > $@ OK R< $+ $={trusty} > $@ OK R$* $: $&{auth_type} R$={TrustAuthMech} $@ OK R$* $#error $@ 5.7.1 $: 550 EXPN/VRFY failed for $&{client_name}

Straightforward for common GUI clients, but test first.

Do not enable “Secure Password Authentication” (SPA) in Outlook.

Eudora (5.1, Mac OS) requires same password for incoming, outgoing servers.

Outlook Express (5, Mac OS) dislikes self-signed certificates.

Netscape “If Possible” STARTTLS setting open to man-in-middle attack (especially if client certificates disabled).

Some ISPs are now blocking outbound SMTP connections to inhibit spread of Microsoft Malware (Sircam, Nimda).

Add following to your site.config.m4, recompile Sendmail to support smtps.

APPENDDEF(`confENVDEF', `-D_FFR_SMTP_SSL') DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')

Clients will need to connect via raw TLS to the smtps port (465).

Could use Port=2525 if ISP blocking ports <1024.

Some clients may not support alternate port and/or smtps.

stunnel could be used to support clients with poor TLS support.

robust TLS wrapper program.

good if have savvy clients, or you setup the client machines.

Stunnel can create an open relay if used on the server side.

Sendmail Configurations & Documentation.

Integrating Sendmail with SASL, TLS, and Postgres.

OpenBSD Sendmail + SMTP AUTH Mini-HOWTO.

SSL and TLS: Designing and Building Secure Systems.

Relay control in sendmail for roaming users.

SMTP AUTH in sendmail.

SMTP STARTTLS in sendmail.

Tips and Tricks for sendmail Hackers.