Basic anti-Spammer Auth for Sendmail  SMTP AUTH @proofpoint

Views: 1204

I added this code to the end of my sendmail.mc at the beginning, right after the notes before

include(/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(
setup for linux’)dnl

Be sure that the space in the middle that looks like a tab really is a tab and not spaces

This is what I added:

SLocal_check_rcpt
R$*     $: $&{auth_type}
R$+     $# OK

then I ran make all

from

/etc/mail

restarted sendmail and the sendmail agreed to send off the mail after authenticating the user via text. It also promptly returned the email if I turned auth off in my Outlook Client.


Source: Sendmail 8.12.3 cf/README – SMTP AUTH

 

SMTP Authentication

The macros ${auth_authen}, ${auth_author}, and ${auth_type} can be used in anti-relay rulesets to allow relaying for those users that authenticated themselves. A very simple example is:

SLocal_check_rcpt
R$*     $: $&{auth_type}
R$+     $# OK

which checks whether a user has successfully authenticated using any available mechanism. Depending on the setup of the CYRUS SASL library, more sophisticated rulesets might be required, e.g.,

SLocal_check_rcpt
R$*     $: $&{auth_type} $| $&{auth_authen}
RDIGEST-MD5 $| $+@$=w   $# OK

to allow relaying for users that authenticated using DIGEST-MD5 and have an identity in the local domains.

The ruleset trust_auth is used to determine whether a given AUTH= parameter (that is passed to this ruleset) should be trusted. This ruleset may make use of the other ${auth_*} macros. Only if the ruleset resolves to the error mailer, the AUTH= parameter is not trusted. A user supplied ruleset Local_trust_auth can be written to modify the default behavior, which only trust the AUTH= parameter if it is identical to the authenticated user.

  Per default, relaying is allowed for any user who authenticated via a “trusted” mechanism, i.e., one that is defined via TRUST_AUTH_MECH(`list of mechanisms’) For example:

TRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5')

If the selected mechanism provides a security layer the number of bits used for the key of the symmetric cipher is stored in the macro ${auth_ssf}.

If sendmail acts as client, it needs some information how to authenticate against another MTA. This information can be provided by the ruleset authinfoor by the option DefaultAuthInfo. The authinfo ruleset looks up {server_name} using the tag AuthInfo: in the access map. If no entry is found, {server_addr} is looked up in the same way and finally just the tag AuthInfo: to provide default values.

Notice: the default configuration file causes the option DefaultAuthInfo to fail since the ruleset authinfo is in the .cf file. If you really want to use DefaultAuthInfo (it is deprecated) then you have to remove the ruleset.

The RHS for an AuthInfo: entry in the access map should consists of a list of tokens, each of which has the form: “TDstring” (including the quotes). T is a tag which describes the item, D is a delimiter, either ‘:’ for simple text or ‘=’ for a base64 encoded string. Valid values for the tag are:

U  user (authorization) id
I   authentication id
P   password
R   realm
M   list of mechanisms delimited by spaces

Example entries are:

AuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5" AuthInfo:more.dom "U:user" "P=c2VjcmV0"

User or authentication id must exist as well as the password. All other entries have default values. If one of user or authentication id is missing, the existing value is used for the missing item. If “R:” is not specified, realm defaults to $j. The list of mechanisms defaults to those specified by AuthMechanisms.

Since this map contains sensitive information, either the access map must be unreadable by everyone but root (or the trusted user) or FEATURE(`authinfo‘) must be used which provides a separate map. Notice: It is not checked whether the map is actually group/world-unreadable, this is left to the user.

 

 

Here is the sendmail.mc

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # /etc/mail/make
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4′)dnl
VERSIONID(`setup for linux’)dnl
OSTYPE(`linux’)dnl
dnl #
dnl # Do not advertize sendmail version.
dnl #
dnl define(`confSMTP_LOGIN_MSG’, `$j Sendmail; $b’)dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL’, `9′)dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST’, `smtp.your.provider’)dnl
dnl #
define(`confDEF_USER_ID’, “8:12”)dnl
dnl define(`confAUTO_REBUILD’)dnl
define(`confTO_CONNECT’, `1m’)dnl
define(`confTRY_NULL_MX_LIST’, `True’)dnl
define(`confDONT_PROBE_INTERFACES’, `True’)dnl
define(`PROCMAIL_MAILER_PATH’, `/usr/bin/procmail’)dnl
define(`ALIAS_FILE’, `/etc/aliases’)dnl
define(`STATUS_FILE’, `/var/log/mail/statistics’)dnl
define(`UUCP_MAILER_MAX’, `2000000′)dnl
define(`confUSERDB_SPEC’, `/etc/mail/userdb.db’)dnl
define(`confPRIVACY_FLAGS’, `authwarnings,novrfy,noexpn,restrictqrun’)dnl
define(`confAUTH_OPTIONS’, `A’)dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS’, `A p’)dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)dnl
dnl define(`confAUTH_MECHANISMS’, `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)dnl
define(`confAUTH_MECHANISMS’, `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /etc/pki/tls/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /etc/pki/tls/certs usage
dnl #
dnl define(`confCACERT_PATH’, `/etc/pki/tls/certs’)dnl
dnl define(`confCACERT’, `/etc/pki/tls/certs/ca-bundle.crt’)dnl
dnl define(`confSERVER_CERT’, `/etc/pki/tls/certs/sendmail.pem’)dnl
dnl define(`confSERVER_KEY’, `/etc/pki/tls/certs/sendmail.pem’)dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP’s
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL’, `groupreadablekeyfile’)dnl
dnl #
dnl define(`confTO_QUEUEWARN’, `4h’)dnl
dnl define(`confTO_QUEUERETURN’, `5d’)dnl
dnl define(`confQUEUE_LA’, `12′)dnl
dnl define(`confREFUSE_LA’, `18′)dnl
define(`confTO_IDENT’, `0′)dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa’, `dnl’)dnl
FEATURE(`smrsh’, `/usr/sbin/smrsh’)dnl
FEATURE(`mailertable’, `hash -o /etc/mail/mailertable.db’)dnl
FEATURE(`virtusertable’, `hash -o /etc/mail/virtusertable.db’)dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 20.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN’, `20′)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE’, `3′)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail, `’, `procmail -t -Y -a $h -d $u’)dnl
FEATURE(`access_db’, `hash -T<TMPF> -o /etc/mail/access.db’)dnl
FEATURE(`blacklist_recipients’)dnl
EXPOSED_USER(`root’)dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER’, `cyrusv2′)dnl
dnl define(`CYRUSV2_MAILER_ARGS’, `FILE /var/lib/imap/socket/lmtp’)dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA’)dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA’)dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can’t reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl # DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea’)dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea’)dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can’t
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn’t support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled– STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s’)dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6′)dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6′)
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24×7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains’)dnl
dnl #
dnl FEATURE(`relay_based_on_MX’)dnl
dnl #
dnl # Also accept email sent to “localhost.localdomain” as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain’)dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com’)dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
FEATURE(`relay_hosts_only’)dnl
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
SLocal_check_rcpt
R$* $: $&{auth_type}
R$+ $# OK

Leave a Reply