Sendmail with SASL2, SMTP AUTH and SSL on FreeBSD 6.3
Tue 15 January 2008
This was tested on Sendmail 8.14 on FreeBSD 6.3
Some assumptions: first, that you have the basic FreeBSD system Sendmail up and running on the machine. If you don't, this document isn't going to help you. The other assumption is that you have the system source installed in /usr/src.
Here are some helpful pages I used to understand the setup:
The Sendmail guide: it's incredibly long, but has tons of information. In most cases the answer to your sendmail question is in this document. I have the O'Reilly Sendmail book and would recommend this document over it any day.
One port is required: ports/security/cyrus-sasl2-saslauthd. Then rebuild Sendmail with these build flags (the bracketed parts are only needed for STARTTLS):
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL [ -DSTARTTLS ]
SENDMAIL_LDADD=-lsasl2 [ -lssl -lcrypto ]
To rebuild Sendmail, go into /usr/src/usr.sbin/sendmail and run make clean depend all install.
To setup SMTP AUTH:
Create /usr/local/lib/sasl2/Sendmail.conf with one line:
Add these to rc.conf to enable saslauthd to start on boot:
Add these to your Sendmail mc file in /etc/mail/. Do NOT put LOGIN here; it is apparently deprecated, and when I tried it with LOGIN and PLAIN I couldn't get SMTP AUTH to work at all. If you want to use CRAM-MD5 or DIGEST-MD5, you have to use saslauthd with an actual database separate from the system users. See the saslauthd manual page if you want to change which database you're using. With a stock installation, saslauthd using PAM will authenticate against the system's user database.
To setup SSL and STARTTLS:
Get a certificate. I used my webserver one, signed by a local CA. Avoid using a self-signed certificate, as it will cause problems with some client software. Add the certificate information to your mc file:
If you want an SSL only SMTPS server as well, add this to your mc file:
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
Add Srv_Features: V to the access database. V means don't request a client certificate. Some other popular choices:
v = request a client certificate (this is the default).
s/S = do/don't offer STARTTLS.
l/L = do/don't require AUTH.
For more information see http://www.sendmail.org/doc/sendmail-current/doc/op/op.pdf
That's it. You should now have STARTTLS, SSL and AUTH. One warning: in this configuration, people can do plain-text authentication over a non-encrypted connection. If you add "c" to Srv_Features, PLAIN AUTH will be disabled when not using a secure channel.
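An added check, not part of the original post, for verifying that last point from the client side: it compares the AUTH mechanisms the server advertises in EHLO before and after STARTTLS, so you can confirm that PLAIN (and LOGIN) only appear once the channel is encrypted and that STARTTLS is offered at all. The sample EHLO replies are constructed; the host name on the command line is an assumption.

```python
import smtplib
import sys

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # password crosses the wire in the clear without TLS

# Constructed sample EHLO replies (not captured from a real server).
SAMPLE_BEFORE = ("250-mail.example.test Hello client\n"
                 "250-STARTTLS\n250-AUTH CRAM-MD5 DIGEST-MD5\n250 HELP")
SAMPLE_AFTER = ("250-mail.example.test Hello client\n"
                "250-AUTH PLAIN CRAM-MD5 DIGEST-MD5\n250 HELP")

def parse_ehlo(reply):
    """Map a raw EHLO reply to {keyword_lowercase: params}; AUTH's params are
    the mechanism list. The first line is the greeting and is skipped."""
    feats = {}
    for line in reply.splitlines()[1:]:
        body = line[4:].strip() if line.startswith("250") else ""
        if body:
            kw, _, params = body.partition(" ")
            feats[kw.lower()] = params.strip()
    return feats

def assess(before, after):
    """before/after are feature dicts from EHLO before and after STARTTLS;
    after is None when STARTTLS was not offered."""
    pre = set(before.get("auth", "").upper().split())
    post = set((after or {}).get("auth", "").upper().split())
    return {
        "starttls_offered": "starttls" in before,
        # non-empty means 'c' is missing from Srv_Features (or there is no TLS)
        "plaintext_before_tls": sorted(pre & PLAINTEXT_MECHS),
        "login_offered": "LOGIN" in (pre | post),  # the post advises against LOGIN
        "mechs_after_tls": sorted(post),
    }

def probe(host, port=25):
    """Live check with the standard-library smtplib: EHLO, STARTTLS, EHLO again."""
    s = smtplib.SMTP(host, port, timeout=10)
    s.ehlo()
    before = dict(s.esmtp_features)  # keys are lowercased extension names
    after = None
    if s.has_extn("starttls"):
        s.starttls()
        s.ehlo()
        after = dict(s.esmtp_features)
    s.quit()
    return assess(before, after)

if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it against your own server after applying Srv_Features: c; an empty plaintext_before_tls together with PLAIN in mechs_after_tls is the configuration the post describes.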