Wednesday, October 8, 2008

Authenticated SMTP with SMTP-AUTH

SMTP AUTH is particularly useful when you have roaming users, or users whose ISP assigns them a dynamic IP. Such users can relay mail through your SMTP server even though their IP or network is not in the list of allowed networks/IPs compiled into the qmail-smtpd.cdb file. Authenticated SMTP lets them present their credentials, which are verified against their account entry in qmail-ldap; on successful authentication they are allowed to relay mail through your server regardless of their current IP or network. Read more about relaying in my mail relaying document.

To make qmail-smtpd support this, edit the current /var/qmail/boot/qmail-smtpd/run script so that it invokes the auth_smtp program that qmail-ldap installed. Open the file in your favourite editor and look for the following lines towards the end of the file.
exec \
envuidgid $QUSER \
tcpserver -v -URl $ME -x$QMAIL/control/qmail-smtpd.cdb \
${CONCURRENCY:+"-c$CONCURRENCY"} ${BACKLOG:+"-b$BACKLOG"} 0 smtp \
$PBSTOOL \
$QMAIL/bin/qmail-smtpd

Append $QMAIL/bin/auth_smtp /usr/bin/true to the last line, so that the end of your run script now reads:
exec \
envuidgid $QUSER \
tcpserver -v -URl $ME -x$QMAIL/control/qmail-smtpd.cdb \
${CONCURRENCY:+"-c$CONCURRENCY"} ${BACKLOG:+"-b$BACKLOG"} 0 smtp \
$PBSTOOL \
$QMAIL/bin/qmail-smtpd $QMAIL/bin/auth_smtp /usr/bin/true

Now add the following line, with these variables, to your qmail-smtpd.rules file:
:allow,SMTPAUTH="AUTHREQUIRED",NOPBS=""

Your qmail-smtpd.rules file will now look like this:
127.:allow,RELAYCLIENT=""
:allow,SMTPAUTH="AUTHREQUIRED",NOPBS=""

The SMTPAUTH variable tells qmail-smtpd that authentication is required before it relays mail from your server. The NOPBS variable tells qmail-smtpd not to use PBS (POP-before-SMTP); you do not need PBS since you are using SMTP AUTH (it may be needed when you run clustered servers, but not here). Now rebuild the cdb file from qmail-smtpd.rules by issuing the following command as root:
# tcprules qmail-smtpd.cdb rules.tmp < qmail-smtpd.rules

Restart the smtpd service for these changes to take effect, by issuing the following command as root:
# svc -t /service/smtpd

To test this setup, try sending mail from another host with an envelope sender address in your server's default domain. The server should ask you for authentication. If it does, you are done with SMTP AUTH. Before you test, don't forget to verify that the service is running, using svstat as follows:
# svstat /service/smtpd
/service/smtpd: up (pid 26698) 14 seconds
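As an added example (not part of the original post), here is a small POSIX shell lint to run over qmail-smtpd.rules before compiling it with tcprules. It catches the two mistakes that matter most for this setup: a catch-all line (empty address prefix) that grants RELAYCLIENT, which makes the server an open relay, and a rules file with no catch-all ":allow" line that sets SMTPAUTH, in which case roaming users are never offered AUTH. The sample rules file at the bottom is constructed to match the one shown above.

```shell
#!/bin/sh
# Added example (not from the original post): lint a qmail-smtpd.rules file
# before running tcprules on it. Exit status 0 = rules look sane, 1 = a
# problem was found; findings are printed to stderr.
lint_smtpd_rules() {
    rules="$1"
    status=0
    catchall_auth=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;        # skip blank lines and comments
        esac
        prefix=${line%%:*}              # address/network part before the first ':'
        rest=${line#*:}                 # "allow,VAR=value,..." or "deny"
        action=${rest%%,*}              # "allow" or "deny"
        vars=${rest#"$action"}          # leading ',' plus env assignments (may be empty)
        # An empty prefix matches every client, so RELAYCLIENT there = open relay.
        case ",$vars," in
            *,RELAYCLIENT=*)
                if [ -z "$prefix" ]; then
                    echo "open relay: '$line' grants RELAYCLIENT to every client" >&2
                    status=1
                fi ;;
        esac
        # Remember whether a catch-all allow line offers SMTP AUTH at all.
        if [ -z "$prefix" ] && [ "$action" = allow ]; then
            case ",$vars," in
                *,SMTPAUTH=*) catchall_auth=1 ;;
            esac
        fi
    done < "$rules"
    if [ "$catchall_auth" -eq 0 ]; then
        echo "no catch-all ':allow' line sets SMTPAUTH; roaming users cannot authenticate" >&2
        status=1
    fi
    return "$status"
}

# Constructed sample matching the rules file shown in the post.
sample=$(mktemp)
printf '127.:allow,RELAYCLIENT=""\n:allow,SMTPAUTH="AUTHREQUIRED",NOPBS=""\n' > "$sample"
lint_smtpd_rules "$sample" && echo "rules OK, safe to run tcprules"
rm -f "$sample"
```

Run it as `lint_smtpd_rules /var/qmail/control/qmail-smtpd.rules` (or wherever your rules file lives) and only proceed to tcprules when it exits 0.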

Securing SMTP with TLS

When you authenticate over the Internet, the AUTH passwords are sent in what is effectively clear text: base64 encoding, which anyone can decode. If someone captures the packets with a packet-capture tool, your users are exposed to identity theft. The step beyond authenticated SMTP relaying is therefore the ability to negotiate a secure connection with your SMTP server, giving secure authentication and privacy for the data transferred over the Internet; this prevents password sniffing. qmail-ldap lets us configure this ability in qmail-smtpd. Remember that we enabled the variable TLS=-DTLS_REMOTE -DTLS_SMTPD -DTLSDEBUG in the Makefile before installing qmail (refer to the Editing Makefile section). That built the ability to configure SMTP with TLS into our installation.

Before configuring this ability, make sure you have created a certificate by running make cert in the patched qmail source:
# cd src/qmail-1.03
# make cert

Read more on make cert.

It will prompt you for some vital information that will appear on your certificate. Remember to provide your server name as the Common Name. make cert also changes the permissions of the certificate file; make sure they are as shown below:
# ls -lh /var/qmail/control/cert.pem
-rw-r----- 1 qmaild qmail 2.4K 2005-05-25 11:43 /var/qmail/control/cert.pem

~control/smtpcert: This is one thing you have to do before you restart qmail-smtpd. You have to put the path to cert.pem in this file; use the absolute path, as follows:
# echo /var/qmail/control/cert.pem > /var/qmail/control/smtpcert

This certificate will be sent to your clients when they use SMTP over TLS. Once this has been done, restart smtpd as follows. In my experience, SMTP with TLS WILL NOT work until you add the path to cert.pem to the ~control/smtpcert file.
# svc -t /service/smtpd
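Added example, not from the original post: a POSIX shell check for the TLS prerequisites just described, meant to run before the svc -t restart. It reads ~control/smtpcert, confirms it holds an absolute path to an existing PEM file, and compares that file's owner, group and mode against the ls -l listing shown above (owner qmaild, group qmail, no permissions for "other", since cert.pem holds the private key). The expected owner and group are passed as arguments so the check can be tried on a scratch directory; the /var/qmail/control path in the usage line is the one from this post.

```shell
#!/bin/sh
# Added example (not from the original post): verify the files qmail-smtpd
# needs for TLS before restarting it.
# Arguments: control directory, expected owner, expected group.
# Exit 0 if everything checks out, 1 otherwise; findings go to stderr.
check_smtp_tls() {
    control="$1"; want_owner="$2"; want_group="$3"
    status=0
    smtpcert="$control/smtpcert"
    if [ ! -r "$smtpcert" ]; then
        echo "missing $smtpcert: TLS will not start without it" >&2
        return 1
    fi
    certpath=$(head -n 1 "$smtpcert")
    case "$certpath" in
        /*) ;;
        *) echo "smtpcert must contain an absolute path, got '$certpath'" >&2; status=1 ;;
    esac
    if [ ! -f "$certpath" ]; then
        echo "certificate $certpath does not exist" >&2
        return 1
    fi
    # ls -l prints: "-rw-r----- 1 owner group size date name"; take the
    # mode, owner and group columns (an ACL/SELinux marker after the mode is ignored).
    set -- $(ls -ld "$certpath")
    mode="$1"; owner="$3"; group="$4"
    case "$mode" in
        ???????---*) ;;   # positions 8-10 are the "other" bits: must all be '-'
        *) echo "$certpath is accessible to others (mode $mode)" >&2; status=1 ;;
    esac
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, expected $want_owner" >&2; status=1; }
    [ "$group" = "$want_group" ] || { echo "group is $group, expected $want_group" >&2; status=1; }
    grep -q 'BEGIN CERTIFICATE' "$certpath" || { echo "$certpath contains no PEM certificate" >&2; status=1; }
    return "$status"
}

# Usage on a real qmail-ldap host (paths and names as given in the post):
check_smtp_tls /var/qmail/control qmaild qmail && echo "TLS prerequisites OK, safe to restart smtpd"
```

If the check reports a problem, fix the file and re-run it; only then issue the svc -t restart, since qmail-smtpd gives no useful error at startup when smtpcert is wrong.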

Clients have to select the appropriate options in their mail clients to use SSL or TLS with your SMTP server. Refer your users to their email client's documentation if you or they are unsure how to do it. When they try to send a message to the SMTP server, their mail client will receive a certificate notice asking whether to proceed with encrypted SMTP. qmail-ldap can make client SMTP encryption mandatory by setting the SMTPAUTH variable to TLSREQUIRED, either for specific clients or universally. For specific clients you set it in /var/qmail/control/qmail-smtpd.rules; to set it globally you set the variable in /var/qmail/boot/qmail-smtpd/env, which is the same as /service/smtpd/env since /service/smtpd is nothing but a symlink to qmail-smtpd in /var/qmail/boot. You can enforce it globally as follows.
# echo TLSREQUIRED > /service/smtpd/env/SMTPAUTH

Alternatively, do it in the qmail-smtpd.rules file by changing its last line to the following.
:allow,SMTPAUTH="TLSREQUIRED",NOPBS=""

Do not forget to rebuild the cdb file from qmail-smtpd.rules with tcprules, as above. Then restart the smtpd service as follows.
# svc -t /service/smtpd
