sendmail with LDAP, TLS and AUTH

For various reasons, I needed a distributed map structure for one of my sendmail installations, so I didn't have to update the maps by hand.

If it could also be used for authentication information, that would be ideal.

Doing a little research turned up, that LDAP was probably the best bet, since that didn't require any patches to sendmail.

Sendmail

I selected the newest version of sendmail, at the time, 8.12.5, and built it with support for LDAP, Cyrus-SASL and TLS

My devtools/Site/site.config.m4 looked like this:

define(`confEBINDIR', `/pack/sendmail-8.12.5/libexec')
define(`confMANROOT', `/pack/sendmail-8.12.5/man/cat')
define(`confMANROOTMAN', `/pack/sendmail-8.12.5/man/man')
define(`confMBINDIR', `/pack/sendmail-8.12.5/sbin')
define(`confSBINDIR', `/pack/sendmail-8.12.5/sbin')
define(`confSHAREDLIBDIR', `/pack/sendmail-8.12.5/lib')
define(`confUBINDIR', `/pack/sendmail-8.12.5/bin')
define(`confSTDIO_TYPE', `portable')
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
APPENDDEF(`confENVDEF', `-DSASL')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl')
APPENDDEF(`confLIBDIRS', `-L/pack/cyrus-sasl-1.5.24/lib')
APPENDDEF(`confINCDIRS', `-I/pack/cyrus-sasl-1.5.24/include')'
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')
APPENDDEF(`confLIBDIRS', `-L/pack/openssl-0.9.6/lib')
APPENDDEF(`confINCDIRS', `-I/pack/openssl-0.9.6/include')
APPENDDEF(`confMAPDEF', `-DLDAPMAP')
APPENDDEF(`confLIBS', `-lldap -llber')
APPENDDEF(`confINCDIRS', `-I/pack/openldap-2.0.25/include')
APPENDDEF(`confLIBDIRS', `-L/pack/openldap-2.0.25/lib')

As a note, I tried using OpenLDAP 2.1.3 at first, but that didn't work. Sendmail logged this error, when starting up:

sendmail[15105]: g6Q2wVUn015105: SYSERR(root): ldap_init/ldap_bind failed to localhost in map Alias0: Protocol error

When I changed to OpenLDAP 2.0.25, things started working.

Anthony Dean has explained, that this is due to OpenLDAP 2.1.x refusing LDAPv2 conections (which sendmail uses) by default. Adding "allow bind_v2" to slapd.conf, and restarting slapd should enable you to use sendmail with OpenLDAP 2.1.x.

I included sendmail.scheme from the cf/ dir in my slapd.conf, and used it's definitions.

The changes in my .mc file looks like this

define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/ca.example.com.cert')dnl
define(`confSERVER_CERT', `CERT_DIR/smtp.example.com.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/smtp.example.com.cert')dnl
define(`confCLIENT_CERT', `CERT_DIR/smtp.example.com.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/smtp.example.com.cert')dnl
define(`confLDAP_DEFAULT_SPEC', `-h localhost -b dc=example,dc=com -d uid=sendmail,dc=example,dc=com -M simple -P /etc/mail/ldap')dnl
define(`ALIAS_FILE', `ldap:')dnl
FEATURE(virtusertable, `LDAP')dnl
define(`confAUTH_MECHANISMS', `PLAIN')dnl
TRUST_AUTH_MECH(`PLAIN')dnl

LDAP data

/etc/mail/ldap contains the password needed to do the ldap bind, using the info after -d. I had added a sendmail account to my LDAP database, looking like this:

dn: uid=sendmail,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: sendmail
cn: sendmail account
uidNumber: 25
gidNumber: 25
homeDirectory: /etc/mail
userPassword::

I assigned a password to the account using ldappasswd.

Then, I added a number of aliases, looking like this:

dn: sendmailMTAKey=testalias, dc=example, dc=com
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTAHost: smtp.example.com
sendmailMTAKey: testalias
sendmailMTAAliasValue: testperson

And several entries to the virtuser table, like this:

dn: sendmailMTAKey=wronguser@example.com, dc=example, dc=com
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAHost: smtp.example.com
sendmailMTAKey: wronguser@example.com
sendmailMTAMapValue: error:nouser No such user here

dn: sendmailMTAKey=otheruser@example.com, dc=example, dc=com
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAHost: smtp.example.com
sendmailMTAKey: otheruser@example.com
sendmailMTAMapValue: realuser

These should pretty much speak for themselves.

Authentication

AUTH methods

After studying docs for a while, I came to the conclusion, that the only SMTP AUTH method, that could really work in my environment, was plaintext passwords. CRAM-MD5 would have been nice, but there wasn't enough support.

TLS

Plaintext passwords, sent in the clear over untrusted networks, are unacceptable. Luckily, you can use TLS (aka SSL v.3), and encrypt your entire session. When this is done, there are no significant problems with plaintext passwords.

I had previously set up my own CA, so a few keys & certificates for sendmail were easily generated.

Authentication against LDAP

Sendmail requires cyrus-sasl, to enable AUTH support, so I built cyrus-sasl-1.5.24, and included it in sendmail via the above mentioned devtools/Site/site.config.m4

cyrus-sasl can authenticate via its own database, or via PAM, so I created /pack/cyrus-sasl-1.5.24/lib/Sendmail.conf, containing the line "pwcheck_method: PAM"

PAM support for LDAP may require a extra module, depending on your distribution or OS. My pam was too old to support LDAP, so I used nss_ldap and pam_ldap from padl.com, to compile pam_ldap.so and get things running.

Solaris 8 comes with a pam that supports LDAP, but to get TLS working with ldap, you need nss_ldap from padl.com (thanks to Marc for this information).

The only things I changed in /etc/ldap.conf was host, base and rootbinddn. Once that was done, I added a PAM definition for smtp to /etc/pam.d:

#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass

After this, it All Just Worked™.

TLS enabled clients

Clients, that can use TLS for SMTP encryption are plentiful. Outlook, Netscape, Mozilla, Eudora, Pine, and probably many others.

What is not so common is support for TLS in IMAP clients as well. I've had good luck with Eudora, though. One thing to look out for, is that if you use a certificate you've made yourself, you'll need to add it to Eudoras root certificate file (rootcerts.p7b on windows).

Other uses of LDAP with sendmail

For an interesting look at how you can build mailing lists using LDAP, take a look at Building Sendmail mailing lists in LDAP.


Valid XHTML 1.1! Valid CSS! Powered by Fedora Linux No Software Patents Say NO to corrupt audio discs
Last updated: 2002-11-13 22:32