Sendmail with SASL2, SMTP AUTH and SSL on FreeBSD 6.3

This was tested on Sendmail 8.14 on FreeBSD 6.3

Some assumptions. First, that you have the basic FreeBSD system Sendmail up and running on the machine; if you don't, this document isn't going to help you. Second, that you have the system source installed in /usr/src.

Here are some helpful pages I used to understand the setup:

http://www.sial.org/talks/smtpauth-starttls/smtpauth-starttls.xml

http://www.sendmail.org/~ca/

The Sendmail Installation and Operation Guide (the "op" guide). It's incredibly long, but has tons of information; in most cases the answer to your sendmail question is in this document. I have the O'Reilly Sendmail book and would recommend this document over it any day.

http://www.sendmail.org/doc/sendmail-current/doc/op/op.pdf

One port is required: security/cyrus-sasl2-saslauthd (it pulls in the security/cyrus-sasl2 library as a dependency).

After the saslauthd port is installed, change make.conf and rebuild Sendmail.
Add these lines to /etc/make.conf (create the file if it does not exist). By default the SSL options are enabled, UNLESS you have any of NO_CRYPT, NO_OPENSSL or RELEASE_CRUNCH defined, in which case you also need the parts shown in square brackets below (the brackets themselves are not part of the line):

SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL [ -DSTARTTLS ]

SENDMAIL_LDFLAGS=-L/usr/local/lib

SENDMAIL_LDADD=-lsasl2 [ -lssl -lcrypto ]

To rebuild Sendmail, go into /usr/src/usr.sbin/sendmail and run make clean depend all install, then restart Sendmail. You can confirm the options were compiled in by running sendmail with -d0.1 -bv root: the "Compiled with:" line it prints should list both SASLv2 and STARTTLS.

To setup SMTP AUTH:

Create /usr/local/lib/sasl2/Sendmail.conf with one line. The capital S matters: "Sendmail" is the application name Sendmail hands to libsasl, and that is the file name it looks for.

pwcheck_method: saslauthd

Add these to /etc/rc.conf so saslauthd starts on boot (and start it now with its rc.d script):

saslauthd_enable="YES"

saslauthd_flags="-a pam"

Add these to your Sendmail .mc file in /etc/mail/ (then run make, make install and make restart in /etc/mail to regenerate sendmail.cf and restart the daemon). Do NOT put LOGIN here; it is apparently deprecated, and when I tried it with LOGIN and PLAIN I couldn't get SMTP AUTH to work at all. CRAM-MD5 and DIGEST-MD5 are a different matter: saslauthd only verifies plaintext passwords, so it cannot serve those shared-secret mechanisms at all. To use them you need a separate SASL password database (a Cyrus auxprop plugin such as sasldb, selected with pwcheck_method: auxprop and populated with saslpasswd2) instead of the system accounts. With a stock installation and saslauthd using PAM, passwords are checked against the system's user database.

dnl set SASL options
TRUST_AUTH_MECH(`PLAIN')dnl

define(`confAUTH_MECHANISMS', `PLAIN')dnl
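To check that the SMTP AUTH setup above actually works, here is an added shell example; it is not from the original page. It assumes testsaslauthd (installed by the cyrus-sasl2-saslauthd port), openssl(1), and a Sendmail that already offers STARTTLS on port 25; host, user and password are placeholders given on the command line.

```shell
#!/bin/sh
# Added example, not part of the original page: end-to-end test of SMTP AUTH
# after the setup above. Assumes testsaslauthd (installed by the
# cyrus-sasl2-saslauthd port), openssl(1), and a Sendmail that offers STARTTLS
# on port 25. Host, user and password are placeholders given on the command line.

# base64 without line wrapping, using whichever encoder is present.
b64_encode() {
    if command -v openssl >/dev/null 2>&1; then
        openssl enc -base64 -A
    else
        base64 | tr -d '\n'
    fi
}

# AUTH PLAIN initial response (RFC 4616): base64 of <authzid> NUL <authcid> NUL <passwd>.
# The authorization identity is left empty, so the server uses the login name.
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | b64_encode
}

# Step 1: ask saslauthd directly, over the same socket libsasl will use.
# Exit status 0 means PAM accepted the password; no Sendmail involved yet.
check_saslauthd() {
    testsaslauthd -u "$1" -p "$2" -s smtp
}

# Step 2: a real session. openssl handles the first EHLO and STARTTLS; we then
# send a fresh EHLO, AUTH PLAIN with the token, and QUIT. Only the reply to AUTH
# is printed: 235 = success, 535 = bad credentials, 503/504 = PLAIN not offered.
smtp_auth_test() {
    tok=$(auth_plain_token "$2" "$3")
    printf 'EHLO client.example\r\nAUTH PLAIN %s\r\nQUIT\r\n' "$tok" |
        openssl s_client -quiet -starttls smtp -connect "$1:25" 2>/dev/null |
        grep -E '^(235|535|50[34]) '
}

# Usage: sh auth-test.sh mail.example.com alice 's3cret'
if [ $# -eq 3 ]; then
    check_saslauthd "$2" "$3" && smtp_auth_test "$1" "$2" "$3"
fi
```

Run the saslauthd check first: if it fails, the problem is in PAM or saslauthd and no amount of .mc editing will fix it. A 503 from the second step with a working saslauthd usually means Sendmail was not rebuilt with SASL, or Sendmail.conf is not where libsasl looks for it.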

To setup SSL and STARTTLS:

Get a certificate. I used my webserver one - signed by a local CA. Avoid a self-signed certificate, as it will cause problems with some client software. The private key file must be owned by root and readable only by its owner; otherwise Sendmail logs the key file as unsafe and does not offer STARTTLS at all. Add the certificate information to your .mc file:

define(`confCACERT_PATH', `/etc/mail/ssl/')dnl

define(`confCACERT',`/etc/mail/ssl/ca.crt')dnl

define(`confSERVER_CERT', `/usr/local/apache2/conf/SSL/server-cert.pem')dnl

define(`confSERVER_KEY', `/usr/local/apache2/conf/SSL/server-key.pem')dnl

If you also want an SSL-only SMTPS listener (port 465) for clients that cannot do STARTTLS, add this to your .mc file:

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
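Before restarting Sendmail with the new certificate settings, it is worth checking the files themselves. The following is an added shell example, not from the original page; it assumes openssl(1), and every path and hostname in it is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity checks for the files named
# in confSERVER_CERT, confSERVER_KEY and confCACERT before restarting Sendmail.
# Assumes openssl(1). All paths and hostnames are placeholders.

# Sendmail will not use a private key that is readable by group or world: it logs
# the file as unsafe and stops offering STARTTLS. The file should also be owned
# by root. ls(1) is parsed instead of stat(1) because stat's flags differ between
# FreeBSD and GNU.
key_is_safe() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;   # no group or world permission bits at all
        *)      return 1 ;;
    esac
}

# A certificate that does not belong to the key breaks the TLS handshake for
# every client. Comparing the RSA moduli catches a swapped file immediately.
# Returns 2 if either file cannot be parsed.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# See the chain the way a mail client will: STARTTLS on port 25 and verify the
# server certificate against the CA file you gave confCACERT.
# "Verify return code: 0 (ok)" means a client with that CA will be happy.
starttls_verify() {
    printf 'QUIT\r\n' |
        openssl s_client -starttls smtp -connect "$1:25" -CAfile "$2" 2>/dev/null |
        grep 'Verify return code'
}

# Usage: sh tls-check.sh server-cert.pem server-key.pem ca.crt mail.example.com
if [ $# -eq 4 ]; then
    if key_is_safe "$2"; then
        echo "key mode ok"
    else
        echo "key is group/world readable: fix with chmod 600 $2"
    fi
    if cert_matches_key "$1" "$2"; then
        echo "cert and key match"
    else
        echo "cert and key do NOT match (or could not be read)"
    fi
    starttls_verify "$4" "$3"
fi
```

The key-permission check matters most when the key is shared with another service, as in the Apache paths above: a web server often keeps its key group-readable, which is fine for Apache and fatal for Sendmail's STARTTLS.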

Add a Srv_Features: entry with the value V to the access database (this needs FEATURE(`access_db') in your .mc file; rebuild the map with makemap after editing it). V means don't request client certificates; without it Sendmail asks every connecting client for one, and some mail clients react badly, for example by prompting the user to pick a certificate. Some other popular choices:

v = request a client certificate (this is the default).

s/S = do/don't offer STARTTLS.

l/L = do/don't require AUTH.

For more information see http://www.sendmail.org/doc/sendmail-current/doc/op/op.pdf

That's it. You should now have STARTTLS, SMTPS and AUTH. One warning: in this configuration clients can still authenticate with PLAIN over an unencrypted connection, and PLAIN is only base64, so anyone on the path can read the password. The fix is not a Srv_Features flag but an AUTH option: add define(`confAUTH_OPTIONS', `A p')dnl to the .mc file. The p flag makes Sendmail refuse mechanisms that are open to simple passive attack (PLAIN, LOGIN) unless a security layer is active, so AUTH PLAIN is only advertised and accepted after STARTTLS or on the smtps port; A makes Sendmail honour the AUTH= parameter on MAIL FROM only when the session actually authenticated.
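To see whether the warning above applies to your server, here is an added shell example, not from the original page, that looks at what a cleartext client is offered. It assumes nc(1), the OpenBSD netcat shipped in the FreeBSD base system; the hostnames are placeholders, and the two EHLO replies embedded in it are constructed samples, not captures from a real server. Once PLAIN is restricted to encrypted sessions (confAUTH_OPTIONS with the p flag), the cleartext EHLO reply carries no AUTH line at all and the check passes.

```shell
#!/bin/sh
# Added example, not part of the original page: find out whether clients on a
# cleartext connection are still offered PLAIN. Assumes nc(1), the OpenBSD netcat
# shipped in the FreeBSD base system. Hostnames are placeholders.

# Mechanisms from the "250-AUTH ..." line of an EHLO reply read on stdin.
# Prints nothing when the server offers no AUTH at all.
auth_mechs_from_ehlo() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH //p'
}

# Exit status 0 when a password-revealing mechanism is offered in the reply on
# stdin. PLAIN and LOGIN are only base64, so on a cleartext session anyone on the
# path can read the password.
weak_auth_offered() {
    case "$(auth_mechs_from_ehlo)" in
        *PLAIN*|*LOGIN*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Plain SMTP, no STARTTLS: exactly what a sniffer sees from a careless client.
ehlo_cleartext() {
    printf 'EHLO client.example\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}"
}

# Constructed sample replies (not captured from a real server) showing the
# difference the AUTH options make. Before: PLAIN is offered before STARTTLS.
EHLO_WITH_PLAIN='250-mail.example.com Hello client.example [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-DSN
250-AUTH PLAIN
250-STARTTLS
250 HELP'

# After restricting PLAIN to encrypted sessions: the cleartext EHLO reply has no
# AUTH line; it reappears only in the EHLO sent after STARTTLS.
EHLO_TLS_ONLY='250-mail.example.com Hello client.example [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-DSN
250-STARTTLS
250 HELP'

# Usage: sh cleartext-auth.sh mail.example.com [port]
if [ $# -ge 1 ]; then
    if ehlo_cleartext "$1" "$2" | weak_auth_offered; then
        echo "WARNING: $1 offers PLAIN/LOGIN without TLS"
    else
        echo "ok: $1 offers no password-revealing AUTH on a cleartext session"
    fi
fi
```

Run it against port 25 from another host; a result of "ok" combined with a successful AUTH through STARTTLS (as in the earlier auth test) is the state you want. Port 465 needs no such check, since nothing on it is ever cleartext.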