For various reasons, I needed a distributed map structure for one of my sendmail installations, so I didn't have to update the maps by hand.
If it could also be used for authentication information, that would be ideal.
Doing a little research turned up that LDAP was probably the best bet, since it didn't require any patches to sendmail.
I selected the newest version of sendmail at the time, 8.12.5, and built it with support for LDAP, Cyrus-SASL and TLS.
My devtools/Site/site.config.m4 looked like this:
define(`confEBINDIR', `/pack/sendmail-8.12.5/libexec')
define(`confMANROOT', `/pack/sendmail-8.12.5/man/cat')
define(`confMANROOTMAN', `/pack/sendmail-8.12.5/man/man')
define(`confMBINDIR', `/pack/sendmail-8.12.5/sbin')
define(`confSBINDIR', `/pack/sendmail-8.12.5/sbin')
define(`confSHAREDLIBDIR', `/pack/sendmail-8.12.5/lib')
define(`confUBINDIR', `/pack/sendmail-8.12.5/bin')
define(`confSTDIO_TYPE', `portable')
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
APPENDDEF(`confENVDEF', `-DSASL')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl')
APPENDDEF(`confLIBDIRS', `-L/pack/cyrus-sasl-1.5.24/lib')
APPENDDEF(`confINCDIRS', `-I/pack/cyrus-sasl-1.5.24/include')
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')
APPENDDEF(`confLIBDIRS', `-L/pack/openssl-0.9.6/lib')
APPENDDEF(`confINCDIRS', `-I/pack/openssl-0.9.6/include')
APPENDDEF(`confMAPDEF', `-DLDAPMAP')
APPENDDEF(`confLIBS', `-lldap -llber')
APPENDDEF(`confINCDIRS', `-I/pack/openldap-2.0.25/include')
APPENDDEF(`confLIBDIRS', `-L/pack/openldap-2.0.25/lib')
As a note, I tried using OpenLDAP 2.1.3 at first, but that didn't work. Sendmail logged this error when starting up:
sendmail[15105]: g6Q2wVUn015105: SYSERR(root): ldap_init/ldap_bind failed to localhost in map Alias0: Protocol error
When I changed to OpenLDAP 2.0.25, things started working.
Anthony Dean has explained that this is due to OpenLDAP 2.1.x refusing LDAPv2 connections (which sendmail uses) by default. Adding "allow bind_v2" to slapd.conf and restarting slapd should let you use sendmail with OpenLDAP 2.1.x.
I included sendmail.schema from the cf/ directory in my slapd.conf and used its definitions.
The changes in my .mc file look like this:
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/ca.example.com.cert')dnl
define(`confSERVER_CERT', `CERT_DIR/smtp.example.com.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/smtp.example.com.cert')dnl
define(`confCLIENT_CERT', `CERT_DIR/smtp.example.com.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/smtp.example.com.cert')dnl
define(`confLDAP_DEFAULT_SPEC', `-h localhost -b dc=example,dc=com -d uid=sendmail,dc=example,dc=com -M simple -P /etc/mail/ldap')dnl
define(`ALIAS_FILE', `ldap:')dnl
FEATURE(virtusertable, `LDAP')dnl
define(`confAUTH_MECHANISMS', `PLAIN')dnl
TRUST_AUTH_MECH(`PLAIN')dnl
/etc/mail/ldap contains the password needed for the LDAP bind, performed as the DN given after -d. I had added a sendmail account to my LDAP database, looking like this:
dn: uid=sendmail,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: sendmail
cn: sendmail account
uidNumber: 25
gidNumber: 25
homeDirectory: /etc/mail
userPassword::
I assigned a password to the account using ldappasswd.
Then, I added a number of aliases, looking like this:
dn: sendmailMTAKey=testalias, dc=example, dc=com
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTAHost: smtp.example.com
sendmailMTAKey: testalias
sendmailMTAAliasValue: testperson
And several entries to the virtuser table, like this:
dn: sendmailMTAKey=wronguser@example.com, dc=example, dc=com
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAHost: smtp.example.com
sendmailMTAKey: wronguser@example.com
sendmailMTAMapValue: error:nouser No such user here

dn: sendmailMTAKey=otheruser@example.com, dc=example, dc=com
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAHost: smtp.example.com
sendmailMTAKey: otheruser@example.com
sendmailMTAMapValue: realuser
These should pretty much speak for themselves.
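As an added example (not code from the original post), here is a small Python script that resolves lookups over entries like the ones above the way sendmail's default LDAP alias and virtuser filters from cf/README scope them: the objectClass, the grouping or map name, sendmailMTAHost matching the MTA's own name ($j), and the key. The LDIF is constructed for the example and the reader is minimal (no base64 values or folded lines).

```python
# Added example (not from the original post); the LDIF below is constructed.

LDIF = """\
dn: sendmailMTAKey=testalias, dc=example, dc=com
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTAHost: smtp.example.com
sendmailMTAKey: testalias
sendmailMTAAliasValue: testperson

dn: sendmailMTAKey=wronguser@example.com, dc=example, dc=com
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAHost: smtp.example.com
sendmailMTAKey: wronguser@example.com
sendmailMTAMapValue: error:nouser No such user here
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, lower-cased attribute
    names mapped to value lists (no base64 or folded lines handled)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

# map name -> (objectClass the filter tests, scoping attribute, value attribute)
MAPS = {
    "aliases": ("sendmailmtaaliasobject", "sendmailmtaaliasgrouping", "sendmailmtaaliasvalue"),
    "virtuser": ("sendmailmtamapobject", "sendmailmtamapname", "sendmailmtamapvalue"),
}

def lookup(entries, mapname, key, host):
    """Value the MTA named `host` ($j) sees for `key`, or None when nothing
    matches (an entry scoped to another sendmailMTAHost is invisible).
    Keys compare exactly here; the schema's matching rule decides case on a server."""
    oc, scope_attr, value_attr = MAPS[mapname]
    for e in entries:
        if (oc in [v.lower() for v in e.get("objectclass", [])]
                and mapname in e.get(scope_attr, [])
                and host in e.get("sendmailmtahost", [])
                and key in e.get("sendmailmtakey", [])):
            return e[value_attr][0]
    return None

ENTRIES = parse_ldif(LDIF)
```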
After studying the docs for a while, I came to the conclusion that the only SMTP AUTH method that could really work in my environment was plaintext passwords. CRAM-MD5 would have been nice, but there wasn't enough support.
Plaintext passwords sent in the clear over untrusted networks are unacceptable. Luckily, you can use TLS (aka SSL v.3) to encrypt the entire session. When this is done, there are no significant problems with plaintext passwords.
I had previously set up my own CA, so a few keys & certificates for sendmail were easily generated.
Sendmail requires Cyrus-SASL to enable AUTH support, so I built cyrus-sasl-1.5.24 and included it in sendmail via the devtools/Site/site.config.m4 mentioned above.
Cyrus-SASL can authenticate via its own database or via PAM, so I created /pack/cyrus-sasl-1.5.24/lib/Sendmail.conf containing the line "pwcheck_method: PAM".
PAM support for LDAP may require an extra module, depending on your distribution or OS. My PAM was too old to support LDAP, so I used nss_ldap and pam_ldap from padl.com to compile pam_ldap.so and get things running.
Solaris 8 comes with a PAM that supports LDAP, but to get TLS working with LDAP you need nss_ldap from padl.com (thanks to Marc for this information).
The only things I changed in /etc/ldap.conf were host, base and rootbinddn. Once that was done, I added a PAM definition for smtp to /etc/pam.d:
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
After this, it All Just Worked™.
Clients that can use TLS for SMTP encryption are plentiful: Outlook, Netscape, Mozilla, Eudora, Pine, and probably many others.
What is not so common is support for TLS in IMAP clients as well. I've had good luck with Eudora, though. One thing to look out for is that if you use a certificate you've made yourself, you'll need to add it to Eudora's root certificate file (rootcerts.p7b on Windows).
For an interesting look at how you can build mailing lists using LDAP, take a look at Building Sendmail mailing lists in LDAP.