Sendmail 8.13.3: Secure Mailing Solution

Configuring Sendmail 8.13.3 with SASL


This section addresses the following topics:

Prerequisites

Following are the prerequisites for configuring SASL in Sendmail 8.13.3:

NOTE: The prerequisites are common for both the Sendmail 8.13.3 server and client configurations.
  • The KRNG11i strong random number generator

    NOTE: The KRNG11i strong random number generator is required only for the HP-UX 11i v1 operating system. For the HP-UX 11i v2 and 11i v3 operating systems, the random number generator is available as part of the core HP-UX operating system.

  • The OpenSSL software

    NOTE: You must install the latest version of the OpenSSL software from http://www.software.hp.com, to avoid errors while running the CA.pl script. Table 2 lists the version of OpenSSL that you must install for a particular HP-UX operating system.

    Table 2 OpenSSL Versions

    Operating System Name    OpenSSL Version
    HP-UX 11i v1             A.00.09.07l
    HP-UX 11i v2             A.00.09.07l.001
    HP-UX 11i v3             A.00.09.08d.001


  • The CyrusSASL version A.06.00-2.1.21 product in the HP-UX Internet Express bundle.

    NOTE: Do not use the latest version of CyrusSASL (A.06.00-2.1.22), because it poses some issues with Sendmail 8.13.3.
  • The latest version of the Sendmail 8.13.3 web upgrade.

    NOTE: For the HP-UX 11i v3 operating system, Sendmail 8.13.3 is available as part of the core HP-UX operating system. For the HP-UX 11i v1 and HP-UX 11i v2 operating systems, Sendmail 8.13.3 is available as a web upgrade at:

    http://www.software.hp.com.

Setting up the Sendmail 8.13.3 Server with SASL

Before setting up the Sendmail 8.13.3 server with SASL, ensure that you have completed the following tasks:

  • The STARTTLS feature is set up, as discussed in “Configuring Sendmail 8.13.3 with TLS and SSL”, before using the DIGEST-MD5 algorithm.

  • The SASL libraries are installed in a default location accessed by Sendmail 8.13.3. The libraries must be safe, that is, they must be owned by the superuser and must be writable only by the superuser. The path of the SASL libraries must also be safe.

  • The existing Sendmail 8.13.3 configuration files (/etc/mail/sendmail.cf and /etc/mail/submit.cf) are backed up, so that you can revert to the original state if you encounter any configuration issues and do not lose any site-specific customized configuration.

Follow this procedure to set up the Sendmail 8.13.3 server with SASL:

  1. Uncomment the following entries in the /etc/mail/sendmail.cf file:

    C{TrustAuthMech}GSSAPI DIGEST-MD5 LOGIN PLAIN
    O AuthMechanisms=GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 LOGIN PLAIN EXTERNAL
    O DefaultAuthInfo=/etc/mail/default-auth-info
    O AuthOptions=A

    NOTE: If these entries are already uncommented, ensure that you assign the previously mentioned values to the TrustAuthMech, AuthMechanisms, DefaultAuthInfo, and AuthOptions options.

  2. Create the /usr/lib/sasl2/Sendmail.conf file with the following entries:

    pwcheck_method: auxprop
    mech_list: login plain cram-md5 digest-md5

    Ensure that you have provided permission only for the superuser to access the /usr/lib/sasl2/Sendmail.conf file, as follows:

    # cd /usr/lib/sasl2/ 
    # chmod 600 Sendmail.conf

  3. To set the SASL password of the user for server programs and SASL mechanisms that use the standard libsasl database of user secrets, enter the following command:

    saslpasswd2 -a appname -c [-u <server_domain_name>] userid

    The saslpasswd2 command prompts and accepts the SASL password, and creates the /etc/sasldb2 file.

    Example 1 Sample saslpasswd2 Command

    Following is a sample saslpasswd2 command:

    saslpasswd2 -a Sendmail -c -u <domain-name> root

    where:

    Sendmail

    Specifies the application name.

    <domain-name>

    Specifies the domain name of the Sendmail 8.13.3 server.

    root

    Specifies the user ID.

  4. To restart the Sendmail 8.13.3 server, enter the following commands:

    /sbin/init.d/sendmail stop

    /sbin/init.d/sendmail start

Verifying the SASL Configuration

Follow this procedure to ensure that SASL is set up properly on the Sendmail 8.13.3 server:

  1. To establish a Telnet session with the localhost, enter the following command:

    % telnet localhost 25
    

    The following output displays:

    Trying...
    Connected to localhost.<domain-name>
    Escape character is '^]'.
    220 <hostname> <domain-name> ESMTP Sendmail @(#)Sendmail version 8.13.3 - Revision 1.000 - 1st August,2006/8.13.3; Thu, 5 Jul 2007 18:37:50 +0530 (IST)
    
  2. To send an EHLO message to the Sendmail 8.13.3 server, enter the following at the Telnet prompt:

    EHLO localhost
    

    The following output displays:

    250-<hostname> <domain-name> Hello localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-DSN
    250-AUTH CRAM-MD5 LOGIN PLAIN
    250-AUTH CRAM-MD5 LOGIN PLAIN
    250 HELP

    NOTE: Ensure that you get a response similar to the previous output from the Sendmail 8.13.3 server.

  3. To quit the Telnet session, enter the following command:

    Quit

    The following output displays:

    221 2.0.0 <hostname> <domain-name> closing connection
    Connection closed by foreign host.
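Reading the EHLO reply by eye works for one server; the POSIX sh functions below are an added example (not from the HP documentation) that does the same check against a saved transcript of the Telnet session. They extract the mechanisms from the 250-AUTH line(s), report any required mechanism that is not advertised, and flag the case where LOGIN or PLAIN is offered while STARTTLS is not, since those two mechanisms transmit the password in the clear and the page requires STARTTLS to be set up first. The sample reply and the hostname mailhost.example.com in it are constructed for the example.

```shell
#!/bin/sh
# Offline checker for the EHLO reply shown in step 2 above.
# Constructed example, not part of the HP documentation.

# advertised_auth_mechs "<reply>": prints each mechanism from the 250-AUTH
# line(s), one per line, de-duplicated (sendmail may print the AUTH line twice,
# and may use the older "250-AUTH=" form for some clients).
advertised_auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p' |
        tr ' ' '\n' | sed '/^$/d' | sort -u
}

# check_auth_mechs "<reply>" MECH...: returns 0 when every named mechanism is
# advertised, otherwise names the missing ones on stderr and returns 1.
check_auth_mechs() {
    reply=$1; shift
    mechs=$(advertised_auth_mechs "$reply")
    rc=0
    for want in "$@"; do
        printf '%s\n' "$mechs" | grep -qxF -- "$want" ||
            { echo "missing mechanism: $want" >&2; rc=1; }
    done
    return $rc
}

# plaintext_without_tls "<reply>": returns 0 (and warns) when LOGIN or PLAIN is
# offered but STARTTLS is not; returns 1 when the reply is fine in that respect.
plaintext_without_tls() {
    mechs=$(advertised_auth_mechs "$1")
    if printf '%s\n' "$mechs" | grep -qx -e LOGIN -e PLAIN &&
       ! printf '%s\n' "$1" | tr -d '\r' | grep -q '^250[- ]STARTTLS'; then
        echo "warning: LOGIN/PLAIN offered without STARTTLS" >&2
        return 0
    fi
    return 1
}

# check_ehlo_file FILE MECH...: same check against a transcript saved from the
# Telnet session (for example with script(1) or by pasting the output).
check_ehlo_file() {
    f=$1; shift
    check_auth_mechs "$(cat "$f")" "$@"
}

# Constructed sample modelled on the output shown in step 2 (no STARTTLS line).
SAMPLE_EHLO='250-mailhost.example.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-DSN
250-AUTH CRAM-MD5 LOGIN PLAIN
250-AUTH CRAM-MD5 LOGIN PLAIN
250 HELP'

# Stand-alone run against the sample.
check_auth_mechs "$SAMPLE_EHLO" CRAM-MD5 LOGIN PLAIN && echo "all required mechanisms advertised"
plaintext_without_tls "$SAMPLE_EHLO" || true
```

With the sample reply, `check_auth_mechs` succeeds for CRAM-MD5, LOGIN and PLAIN and reports DIGEST-MD5 as missing, and `plaintext_without_tls` prints its warning because the reply carries no 250-STARTTLS line; on a server where the TLS section of this document has been applied, the warning disappears.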
NOTE: If you encounter any problem while verifying the SASL setup, check the syslog file using the mtail command for any security problems (for example, unsafe files). If you are unable to identify the problem, increase the log level to 13 in the /etc/mail/sendmail.cf file, and restart the Sendmail 8.13.3 server using the following commands:

    /sbin/init.d/sendmail stop
    /sbin/init.d/sendmail start

© Hewlett-Packard Development Company, L.P.