Friday, March 20, 2009

Configuring sendmail with STARTTLS and SASL on RedHat Enterprise Linux Server release 5 (Tikanga)

The Required RPMs
If any of the RPMs listed below is missing, install it with yum or another method.


· sendmail-cf-8.13.8-2.el5
· sendmail-8.13.8-2.el5
· cyrus-sasl-2.1.22-4
· cyrus-sasl-plain-2.1.22-4
· openssl-0.9.8b-8.3.el5
· m4-1.4.5-3.el5.1


The Procedure
1. Back up your configuration files:

#mkdir /etc/mail/SAVE
#cp -p /etc/mail/sendmail.cf /etc/mail/SAVE
#cp -p /etc/mail/sendmail.mc /etc/mail/SAVE


2. Edit sendmail.mc

Please note that m4 does not use the # symbol for comments; instead a comment line starts with dnl, which stands for "delete until new line" (m4 discards everything from dnl to the end of the line).
The confAUTH_OPTIONS macro lets you instruct sendmail not to offer plain-text authentication (LOGIN and PLAIN) until a security layer such as TLS is active (the p option). We are also prohibiting anonymous logins (the y option). The A option is a workaround for broken MTAs. Note that the define below sets only A and y; add p if LOGIN and PLAIN are to be withheld until after STARTTLS:

define(`confAUTH_OPTIONS', `A y')dnl
Now we define which authentication mechanisms we will trust and use:
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
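As an added check (example code written for this page, not taken from the post or from the sendmail project), the following POSIX shell script audits a sendmail.mc for the settings above: it extracts define() values while skipping dnl comment lines, confirms that the certificate and key paths are defined, and reports whether confAUTH_OPTIONS carries the y and p flags. The sendmail.mc fragment it writes is constructed from the post's defines; the audit runs once with the post's `A y' and once with `A p y'.

```shell
#!/bin/sh
# Added example: audit a sendmail.mc for the STARTTLS/SASL settings of step 2.
# Not part of the original post; paths and flag values are taken from it.

# Write a constructed sendmail.mc fragment to $1 with confAUTH_OPTIONS=$2.
# Backticks are m4 quote characters, so the lines are emitted literally.
make_sample_mc() {
  {
    echo 'dnl sample fragment, constructed for this example'
    printf "define(\`confAUTH_OPTIONS', \`%s')dnl\n" "$2"
    cat <<'EOF'
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
EOF
  } > "$1"
}

# mc_value FILE MACRO: print the value of define(`MACRO', `value'),
# ignoring dnl comment lines; the last definition wins, as in m4.
mc_value() {
  grep -v '^dnl' "$1" | sed -n "s/^define(\`$2', *\`\([^']*\)').*/\1/p" | tail -n 1
}

# auth_options_has FILE FLAG: succeed if confAUTH_OPTIONS contains the
# single-letter FLAG (sendmail accepts the flags with or without separators).
auth_options_has() {
  mc_value "$1" confAUTH_OPTIONS | tr -d ' ,' | grep -q "$2"
}

# check_mc FILE: print findings; the exit status is the number of problems.
check_mc() {
  problems=0
  for m in confSERVER_CERT confSERVER_KEY confCACERT; do
    if [ -z "$(mc_value "$1" "$m")" ]; then
      echo "MISSING: $m is not defined, STARTTLS cannot be offered"
      problems=$((problems + 1))
    fi
  done
  if ! auth_options_has "$1" y; then
    echo "WEAK: confAUTH_OPTIONS lacks y, anonymous AUTH is permitted"
    problems=$((problems + 1))
  fi
  if ! auth_options_has "$1" p; then
    echo "WEAK: confAUTH_OPTIONS lacks p, LOGIN/PLAIN are offered before STARTTLS"
    problems=$((problems + 1))
  fi
  return $problems
}

# Stand-alone demo: the post's value beside the hardened one.
for opts in 'A y' 'A p y'; do
  tmp=$(mktemp)
  make_sample_mc "$tmp" "$opts"
  echo "== confAUTH_OPTIONS \`$opts'"
  check_mc "$tmp" && echo "ok"
  rm -f "$tmp"
done
```

To audit a real file, call check_mc /etc/mail/sendmail.mc; remember that the RHEL init script regenerates sendmail.cf from sendmail.mc on service start, so the .mc is the file to check.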

3. Make a pki certificate

#cd /etc/pki/tls/certs
#make sendmail.pem

The current certificate is listed below for future reference:

[root@backup1]# ls -l /etc/pki/tls/certs/sendmail.pem
-rw------- 1 root root 2186 Mar 13 16:18 /etc/pki/tls/certs/sendmail.pem
[root@backup1 etc]# keytool -printcert -file /etc/pki/tls/certs/sendmail.pem

Owner: C=US,ST=FL,L=Tempa,O=markproductions.com,OU=backup1,CN=backup1,1.2.840.113549.1.9.1=markbao123@yahoo.com
Issuer: C=US,ST=FL,L=Tempa,O=markproductions.com,OU=backup1,CN=backup1,1.2.840.113549.1.9.1=markbao123@yahoo.com
Serial number: 0
Valid from: Friday March 13, 2009 AD - 9:18:05;367 o'clock PM GMT-04:00
until: Saturday March 13, 2010 AD - 8:18:05;367 o'clock PM GMT-05:00
Certificate fingerprints
MD5: 39:D7:82:93:03:40:98:FF:89:0C:C7:47:CA:45:62:9E
SHA-160: 8B:3B:F6:D4:0D:69:C2:C2:B7:00:87:65:FD:AD:71:A6:93:79:49:E7
[root@backup1 etc]#

4. Start the saslauthd and the sendmail processes

Start saslauthd

[root@backup1]# chkconfig --level 2345 saslauthd on
[root@backup1]# chkconfig --list saslauthd
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@backup1]# service saslauthd start
[root@backup1]# service saslauthd status
saslauthd (pid 6026 6025 6024 6023 6022) is running...

Start sendmail

[root@backup1]# chkconfig --level 345 sendmail on
[root@backup1]# chkconfig --list sendmail
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@backup1]# service sendmail stop
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
[root@backup1]# service sendmail start
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
[root@backup1]# service sendmail status
sendmail (pid 11291 11283) is running...
[root@backup1 mail]#

5. Verify the configuration parameters

NOTE: the compiled-in options must include “SASLv2” and “STARTTLS”.
Also notice in the EHLO response that AUTH is offered with the allowed mechanisms (but not STARTTLS, which isn't needed here, as the channel is already encrypted). Authentication takes place, and the message is relayed to its destination.

[root@backup1]# sendmail -d0.10 -bv
Version 8.13.8
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS TCPWRAPPERS USERDB USE_LDAP_INIT
OS Defines: ADDRCONFIG_IS_BROKEN HASFCHOWN HASFCHMOD
HASGETDTABLESIZE HASINITGROUPS HASLSTAT HASNICE HASRANDOM
HASRRESVPORT HASSETREGID HASSETREUID HASSETRLIMIT HASSETSID
HASSETVBUF HASURANDOMDEV HASSTRERROR HASUNAME HASUNSETENV
HASWAITPID IDENTPROTO NEEDSGETIPNODE REQUIRES_DIR_FSYNC
USE_DOUBLE_FORK USE_SIGLONGJMP
Kernel symbols: /boot/vmlinux
Conf file: /etc/mail/submit.cf (default for MSP)
Conf file: /etc/mail/sendmail.cf (default for MTA)
Pid file: /var/run/sendmail.pid (default)
Canonical name: backup1.markproductions.com
UUCP nodename: backup1.markproductions.com
Conf file: /etc/mail/sendmail.cf (selected)
Pid file: /var/run/sendmail.pid (selected)

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = backup1
(canonical domain name) $j = backup1.markproductions.com
(subdomain name) $m = markproductions.com
(node name) $k = backup1.markproductions.com
========================================================
Recipient names must be specified
[root@backup1 ~]#

[root@backup1]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 backup1.markproductions.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 20 Mar 2009 17:37:25 -0400
EHLO localhost
250-backup1.markproductions.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
^]
telnet> q
Connection closed.
[root@backup1 ~]
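The EHLO capability list is where you confirm what the server actually offers, so here is an added example (written for this page, not taken from the post) that audits a captured EHLO reply: it checks for a 250-STARTTLS line, extracts the AUTH mechanisms, and flags password mechanisms advertised on a session captured before TLS. The first reply is a copy of the one the post captured over telnet; the second is a constructed reply showing what a server that withholds AUTH until TLS is active answers. Both are embedded as sample data.

```shell
#!/bin/sh
# Added example: audit an SMTP EHLO reply for STARTTLS and AUTH.
# Not part of the original post; the replies below are embedded sample data.

# Sample 1: copy of the reply the post captured over telnet on localhost.
sample_ehlo_reply() {
  cat <<'EOF'
250-backup1.markproductions.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
EOF
}

# Sample 2, constructed: what a server configured with confAUTH_OPTIONS `p'
# answers before STARTTLS, i.e. TLS offered, AUTH withheld until it is active.
hardened_ehlo_reply() {
  cat <<'EOF'
250-backup1.markproductions.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
EOF
}

# ehlo_has REPLY_FUNC KEYWORD: succeed if a "250-KEYWORD" or "250 KEYWORD"
# line is present (RFC 5321 uses "-" on all but the last reply line).
ehlo_has() {
  "$1" | tr -d '\r' | grep -Eqi "^250[ -]$2( |\$)"
}

# ehlo_auth_mechs REPLY_FUNC: print the mechanisms after "250-AUTH", if any.
ehlo_auth_mechs() {
  "$1" | tr -d '\r' | sed -n 's/^250[ -]AUTH \(.*\)$/\1/p'
}

# audit_ehlo REPLY_FUNC [tls]: print findings; the exit status is the number
# of problems. Pass "tls" for a reply captured after STARTTLS succeeded,
# where the absence of 250-STARTTLS is expected (RFC 3207).
audit_ehlo() {
  problems=0
  if [ "$2" = tls ]; then
    echo "session: TLS active"
  elif ehlo_has "$1" STARTTLS; then
    echo "STARTTLS: offered"
  else
    echo "STARTTLS: not offered (check confSERVER_CERT/confSERVER_KEY and the STARTTLS compile option)"
    problems=$((problems + 1))
  fi
  mechs=$(ehlo_auth_mechs "$1")
  if [ -z "$mechs" ]; then
    echo "AUTH: not offered on this session"
  else
    echo "AUTH: $mechs"
    if [ "$2" != tls ]; then
      case " $mechs " in
        *" PLAIN "*|*" LOGIN "*)
          echo "RISK: password mechanisms advertised before TLS, credentials would cross the wire in the clear; set confAUTH_OPTIONS p"
          problems=$((problems + 1)) ;;
      esac
    fi
  fi
  return $problems
}

# Stand-alone demo: the post's reply beside the hardened one.
for reply in sample_ehlo_reply hardened_ehlo_reply; do
  echo "== $reply (before TLS)"
  audit_ehlo "$reply" || echo "$? problem(s)"
done
```

Against a live server, openssl s_client -starttls smtp -crlf -connect HOST:25 (HOST is a placeholder) performs the STARTTLS handshake and prints the certificate chain, while the plain telnet reply from step 5 is what audit_ehlo examines here; a reply captured inside the TLS session is audited with the tls argument.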


6. Update Linux host based firewall

# /sbin/iptables -A INPUT -p tcp --dport 25 --syn -j ACCEPT
#service iptables save
# grep 'dport 25' /etc/sysconfig/iptables
-A INPUT -p tcp --dport 25 --syn -j ACCEPT
[root@backup1 sysconfig]# service iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
[root@backup1 sysconfig]# service iptables start
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: [ OK ]

[root@backup1 etc]# service iptables status | grep "tcp dpt:25"
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x17/0x02

7. Test by sending an email

[markbao@backup1]# Mail -v markbaoxxx@gmail.com
Subject: test from sendmail smtp gateway to gmail mail
.
Cc:
Null message body; hope that's ok
markbao123@gmail.com... Connecting to [127.0.0.1] via relay...
220 backup1.markproductions.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 20 Mar 2009 18:15:02 -0400
>>> EHLO backup1.markproductions.com
250-backup1.markproductions.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
>>> MAIL From: SIZE=78 AUTH=markbao@backup1.markproductions.com
250 2.1.0 ... Sender ok
>>> RCPT To:
>>> DATA
250 2.1.5 ... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 n2KMF2Xa013041 Message accepted for delivery
markbaoxxx@gmail.com... Sent (n2KMF2Xa013041 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 backup1.markproductions.com closing connection
[markbao@backup1 ~]

-----Original Message-----
From: markbao@localhost.localdomain [mailto:markbao@localhost.localdomain]
Sent: Friday, March 20, 2009 6:18 PM
To: markbaoxxx@gmail.com
Subject: test from sendmail smtp gateway to gmail mail


8. References:
http://sendmail.org/
http://www.whoopis.com/howtos/sendmail-auth-howto.html
http://www.joreybump.com/code/howto/smtpauth.html
http://www.redhat.com/magazine/025nov06/features/email/index.html
http://www.screaming-penguin.com/node/4214
