I want to securely access my home email from my newly ordered iPhone 3GS. Since my mail repository is at home (vs on someone's webmail/freemail platform) and I want to be able to send email from my domain, I need to connect from essentially anywhere to my home systems.
Solution
I have an existing bastion host running OpenBSD to which I added the mail functions. Documentation that I found was a bit outdated or didn't quite put everything together, so I'm putting it all together here. This article is based on what is available with OpenBSD 4.5.
First, what are the different pieces in this puzzle?
- Retrieve/view mail: I keep all of my mail on a server at home and provide access via IMAP(S). I extended this by using dovecot as an IMAP proxy on the bastion host. This allows you to view your mail.
- Sending mail: Sendmail is the base MTA I'm using (it's part of the base install of OpenBSD) and to get the secure authenticated connection for remotely sending mail, two different things are needed.
- TLS: For my purposes, this encrypts the connection via starttls(8).
- Authentication: This provides the ability to authenticate users and allow authenticated users to relay mail through the server. This is done via cyrus-sasl.
The configuration for dovecot is rather simple, but I never found it explicitly called out. Acting as a proxy for a particular user is done as part of an entry in the user database. Larger installations with many users can use a database for this, but for a small handful of users, this is more easily done with a passwd-file.
- Install dovecot. Either build it from source via ports or install the package. See the OpenBSD FAQ for how to do this.
- In /etc/dovecot.conf, find the section specifying the password database as a passwd-file and uncomment it such that you end up with the following. See AuthDatabase/PasswdFile section of the dovecot wiki for more details.
# passwd-like file with specified location
#
passdb passwd-file {
  # [scheme=<default password scheme>] [username_format=<%u>]
  # <path for passwd-file>
  args = username_format=%n /etc/dovecot.passwd
}
- Create the passwd file, /etc/dovecot.passwd, in your favorite editor filling in the fields as described in the Passwd-file documentation. You should end up with something that looks like the following:
fred:{PLAIN-MD5}b40ac4fe40284c9de587b992c08f167::::::proxy=y host=my.proxy.domain.tld port=143
The last field, the extra fields, is what makes the proxy actually work: proxy=y tells dovecot to hand the authenticated session to the host and port given instead of serving a local mailbox, so the bastion never needs a copy of the mail. Note that the TLS/SSL options for the proxy connection discussed in the dovecot documentation are only available in newer versions (1.2.rc4+) and not in the stable version. That means I'm stuck with an unencrypted connection between my bastion host/proxy and my real mail server. This isn't the perfect solution, but I prefer using the proxy to just allowing a direct connection from anywhere on the internet to my internal servers. Create the MD5 passphrase hash with the md5(1) command and copy the hex digest into the second field:
md5 -s password
Keep in mind that {PLAIN-MD5} is an unsalted MD5 of the password, so anyone who can read /etc/dovecot.passwd can brute-force the entries offline; make the file owned by root and readable only by root.
- Configure dovecot to start at boot (if you didn't when you installed it) and start up dovecot. In /etc/rc.local add:
if [ -x /usr/local/sbin/dovecot ]; then
echo -n ' dovecot'; /usr/local/sbin/dovecot
fi
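The passwd-file step above is the one piece I never found spelled out, so here is a small added example (mine, not from the dovecot project) that builds an entry of exactly that shape and sanity-checks it. It assumes the 8-field passwd-file layout (user:password:uid:gid:gecos:home:shell:extra), the {PLAIN-MD5} scheme, and either md5sum (Linux) or md5 (OpenBSD) on the path; the user names and hosts are made up.

```shell
#!/bin/sh
# Added example, not from the original post: build and sanity-check dovecot
# passwd-file proxy entries. Assumes the 8-field passwd-file format, the
# {PLAIN-MD5} scheme, and md5sum (Linux) or md5 (OpenBSD) on the path.

# Unsalted MD5 of a password, which is all the {PLAIN-MD5} scheme is.
plain_md5() {   # password
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5      # OpenBSD prints the bare hash for stdin
    fi
}

# Emit one passwd-file line that makes dovecot proxy this user to host:port.
# uid/gid/gecos/home/shell stay empty: the entry is a login+proxy record only
# and never maps to a local mailbox or account on the bastion.
passwd_line() {   # user password proxy_host proxy_port
    printf '%s:{PLAIN-MD5}%s::::::proxy=y host=%s port=%s\n' \
        "$1" "$(plain_md5 "$2")" "$3" "$4"
}

# Check one line: 8 colon-separated fields, a {SCHEME} prefix on the
# password, and proxy=y plus host= among the extra fields. Returns 0 for a
# usable proxy entry, 1 otherwise (reason on stderr).
check_entry() {   # line
    line=$1
    nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
    if [ "$nf" -ne 8 ]; then
        echo "bad field count ($nf, want 8): $line" >&2; return 1
    fi
    user=${line%%:*}
    rest=${line#*:}
    pw=${rest%%:*}
    extra=${line##*:}
    case $pw in
        \{*\}*) ;;
        *) echo "no {SCHEME} prefix on password for $user" >&2; return 1 ;;
    esac
    case " $extra " in
        *" proxy=y "*) ;;
        *) echo "missing proxy=y for $user" >&2; return 1 ;;
    esac
    case " $extra " in
        *" host="*) ;;
        *) echo "missing host= for $user" >&2; return 1 ;;
    esac
    return 0
}

# Pull the proxy target (host:port) out of a valid entry; port defaults to
# 143 because that is what dovecot uses when port= is absent.
proxy_target() {   # line
    extra=${1##*:}
    host=; port=143
    for kv in $extra; do
        case $kv in
            host=*) host=${kv#host=} ;;
            port=*) port=${kv#port=} ;;
        esac
    done
    printf '%s:%s\n' "$host" "$port"
}

# Demonstration on a constructed user (hypothetical names).
entry=$(passwd_line fred password my.proxy.domain.tld 143)
echo "$entry"
check_entry "$entry" && echo "proxies to $(proxy_target "$entry")"
```

Run check_entry over every line of /etc/dovecot.passwd after editing it; a missing proxy=y silently turns the entry back into a local-mailbox login, which is the failure mode that is hardest to spot from the client side.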
Sendmail TLS
This is the easy part to write up. Follow the steps in the starttls(8) man page to create the certificate and key that the openbsd-proto.mc settings below expect under /etc/mail/certs. Remember, this just gives you encryption when connecting to send mail; on its own it does not let anyone relay.
Sendmail Authentication
This requires installing the Cyrus-SASL libraries, configuring users and saslauthd, recompiling sendmail and configuring sendmail.
- Install cyrus-sasl. Either build it from source via ports or install the package. See the OpenBSD FAQ for how to do this.
- Configure the sasl auth daemon for authentication from sendmail:
echo pwcheck_method: saslauthd > /usr/local/lib/sasl2/Sendmail.conf
- Create users (these are the users and passwords for sending mail) with saslpasswd2(8) with the following command (you'll be prompted for a password). This will create /etc/sasldb2.db. You will use username@domain as the username for authentication. Note that saslauthd only verifies the plaintext mechanisms (PLAIN and LOGIN), and with -a getpwent it checks them against the system password database; the shared-secret mechanisms (CRAM-MD5 and DIGEST-MD5) are answered from the sasldb2 secrets created here.
saslpasswd2 -c -u domain username
- Configure saslauthd to start at boot by adding the following to /etc/rc.local :
if [ -x /usr/local/sbin/saslauthd ]; then
echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a getpwent
fi
- Start saslauthd now with /usr/local/sbin/saslauthd -a getpwent
- Rebuild sendmail with sasl support:
- Add WANT_SMTPAUTH=YES to /etc/mk.conf
- If you don't have the OpenBSD source code installed, install it. See the OpenBSD FAQ for details on doing so if needed.
- cd to /usr/src/gnu/usr.sbin/sendmail/ and build and install sendmail with make clean obj depend && make && make install
- Configure sendmail for all of the new options. Edit /usr/share/sendmail/cf/openbsd-proto.mc as follows:
- Uncomment (remove the "dnl" from the beginning of the line) the section for TLS/SSL support.
dnl
dnl TLS/SSL support; uncomment and read starttls(8) to use.
dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
- Add the following options for SMTP AUTH.
dnl
dnl Set SMTP AUTH options
dnl
dnl Mechanisms offered to clients, and which of them are trusted enough
dnl that an authenticated user may relay through this host.
define(`confAUTH_MECHANISMS',`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
dnl p: do not offer mechanisms open to passive sniffing (PLAIN, LOGIN)
dnl    until STARTTLS has been negotiated; y: no anonymous login.
define(`confAUTH_OPTIONS',`p,y')dnl
dnl goaway disables EXPN/VRFY and the other SMTP status queries;
dnl authwarnings adds X-Authentication-Warning headers to suspect mail.
define(`confPRIVACY_FLAGS',`authwarnings,goaway')dnl
- Rebuild the cf files and install them by:
- cd /usr/share/sendmail/cf
- make distribution
- Configure sendmail to listen for connections over the network (the default configuration listens only on localhost) by adding sendmail_flags="-L sm-mta -bd -q30m" to /etc/rc.conf.local. This is the step that exposes port 25 to the internet, so it belongs after the AUTH options above are in place: TRUST_AUTH_MECH limits relaying to authenticated users and the p option refuses the plaintext mechanisms until STARTTLS has been negotiated.
- Kill the running sendmail, source the new configuration options and restart sendmail:
kill `head -n1 /var/run/sendmail.pid`
. /etc/rc.conf
/usr/sbin/sendmail $sendmail_flags
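Once sendmail is back up, the thing worth verifying from the outside is that the p option is doing its job: AUTH must be absent from the plaintext EHLO response and present after STARTTLS. The following is an added example of mine (not from the original post or from sendmail) that encodes what a client actually sends for AUTH PLAIN and checks a pair of EHLO banners for that property. The banners, host name and address are constructed for illustration; the live helper assumes nc(1) and openssl(1) and is not exercised here.

```shell
#!/bin/sh
# Added example, not from the original post: client-side checks for the
# SMTP AUTH + STARTTLS setup. Assumes base64(1) or openssl(1) for encoding
# and nc(1)/openssl(1) for the live check. EHLO banners below are constructed.

# coreutils base64 wraps its output; OpenBSD has no base64(1) but has openssl.
b64() {
    if command -v base64 >/dev/null 2>&1; then
        base64 | tr -d '\n'
    else
        openssl base64 -A
    fi
}

# The SASL PLAIN initial response a client sends after "AUTH PLAIN":
# NUL authcid NUL password, base64-encoded (RFC 4616). Base64 is not
# encryption, which is why confAUTH_OPTIONS `p' must keep this inside TLS.
auth_plain_token() {   # user password
    printf '\0%s\0%s' "$1" "$2" | b64
}

# Does an EHLO response (multi-line string) advertise AUTH / STARTTLS?
auth_advertised() {   # banner
    printf '%s\n' "$1" | grep -Eq '^250[- ]AUTH( |$)'
}
starttls_advertised() {   # banner
    printf '%s\n' "$1" | grep -Eq '^250[- ]STARTTLS$'
}

# Constructed EHLO responses (hypothetical host and address).
EHLO_PLAIN='250-bastion.example.net Hello [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-STARTTLS
250 HELP'

EHLO_TLS='250-bastion.example.net Hello [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250 HELP'

# Verdict on the pair: 0 only if AUTH is offered exclusively inside TLS.
auth_only_under_tls() {   # plaintext_banner tls_banner
    if auth_advertised "$1"; then
        echo "AUTH offered before STARTTLS: passwords could cross in clear" >&2
        return 1
    fi
    if ! starttls_advertised "$1"; then
        echo "STARTTLS not offered: check the cert/key settings" >&2
        return 1
    fi
    if ! auth_advertised "$2"; then
        echo "AUTH not offered after STARTTLS: clients cannot relay" >&2
        return 1
    fi
    return 0
}

# Live version against a real bastion (not run here): the plaintext banner
# comes from a raw TCP session, the TLS banner from the EHLO that
# openssl s_client lets us send after it has negotiated STARTTLS.
live_banners() {   # host
    printf 'EHLO check\r\nQUIT\r\n' | nc -w 5 "$1" 25
    printf 'EHLO check\r\nQUIT\r\n' | \
        openssl s_client -quiet -connect "$1:25" -starttls smtp -crlf 2>/dev/null
}

# Demonstration on the constructed banners.
echo "AUTH PLAIN token for fred: $(auth_plain_token fred password)"
auth_only_under_tls "$EHLO_PLAIN" "$EHLO_TLS" && echo "AUTH is TLS-only: ok"
```

If the plaintext EHLO ever lists AUTH, the p flag was lost on the way from openbsd-proto.mc to /etc/mail/sendmail.cf (a missing make distribution is the usual cause); re-run the cf build and restart sendmail before letting the phone near it.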
Credits:
A good bit of the SMTP AUTH configuration steps were taken from http://www.dsrw.org/~dlg/sysadmin/sendmail/ which was written for OpenBSD 3.3. Some things have changed by OpenBSD 4.5, partly compelling me to write this article.
4 comments:
Nice piece, but since many iPhone owners are going to land here, maybe you should add a bit on installing certs and using compatible ciphers (RSA and not DSA for example).
Also I'm not sure a 'make install' is enough to rebuild sendmail (step 6).
Thanks for the comment on the "make install". I fixed that -- was late when I started putting this all together and obviously missed that.
As for the part about installing certs, can you provide some more details about what you'd like to see? I'm happy to put together something more that people would find useful.
Actually you documented that part in your 'getting mail on my iphone' post, it was a bit late too when I checked it last night.
Shame I didn't find your docs before I worked on something similar last week, would have spared me quite some time ;)