Saturday, April 26, 2008

Allow myself...

It occurred to me after my Debian SMTP/AUTH/TLS blog that perhaps I should have introduced myself first. I have been at Foundstone for about 3 years as a principal consultant, and before that I was at Internet Security Systems (ISS) for about 5 years, and at various places doing contract work before that. Mostly, I get paid to break stuff, which is a pleasant departure from supporting, or even designing, stuff... While at work I have had assignments ranging from the somewhat odd ("Hey, we just want you to hang out for 6 months and learn the network and look around.. talk to folks.. err.. yeah...") to the more straightforward ("Let's see how much control an attacker could gain over the network with no prior knowledge and a hot network jack - Oh.. you already have Domain Admin you say... =( ").

You might see me in Vegas towards the end of July each year. I am on staff for Defcon and Blackhat, and I have participated at Toorcon (*waves at Tim and Hikari), Shmoocon (<--don't love me anymore), and Phreaknic (shouts to Bro. Skydog and Bro. Decode, and the Lady Merlin [oh-ex-oh]).

And now that I've made a complete infantile fool of myself... peas out... =)

Carric Dooley
Meatshield
23B Goon Security Squad, Las Vegas, NV
"Buy this goon a beer!"

Debian Sendmail SMTP Auth and TLS

So, after pulling out my hair for a week, I wanted to note down my journey of pain with getting my domain moved after my colo pulled the plug a little early on me. I read about 20 different bits and pieces of blogs/FAQs out there, and nothing had all the info in one place.

Overview
First off, I'm not a Debian guy. I was quite frustrated by this new challenge, but it was not my choice. It was my lot to just make it all work when my colo pulled the plug on us. If you see something that should have been obvious because you ARE a Debian guy, please feel free to email me your contempt and ridicule at carric@/dev/null. (for i in self; do debian != like; done)

I wanted to have SMTP (with AUTH), IMAP, and POP, all over TLS/SSL. Why? IMAP lets you leave your mail on the server so you can check it from anywhere (all you need is an IMAP client), SMTP with AUTH lets you authenticate to the server so you can send mail regardless of your IP address, and the TLS/SSL component protects your passwords (and your mail) while in transit from anyone sniffing the wire. Against an active MITM it only helps if the client verifies the server certificate and refuses to fall back to cleartext when STARTTLS gets stripped, but that is a topic for another blog.

Daemons
Sendmail - apt-get install it and then run 'sendmailconfig'. Run that command once before you try any ".mc diddling", then go through /etc/mail/sendmail.mc and add things if needed:

<--- snip --->
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`redirect')dnl
FEATURE(`mailertable')dnl
FEATURE(`smrsh')dnl
FEATURE(`sasl')dnl
include(`/etc/mail/tls/starttls.m4')dnl
<--- snip --->

What this is doing is pulling in "m4" files, mostly from /usr/share/sendmail/cf/. Look through that tree (the feature/ subdirectory in particular) and add a FEATURE line for each thing you want; you will see file names like "sasl.m4", "starttls.m4", "smrsh.m4", etc. Debian's own TLS glue lives outside that tree in /etc/mail/tls/starttls.m4, which is why it is pulled in with include() rather than FEATURE(). Every time you change sendmail.mc, rerun sendmailconfig so the sendmail.cf that sendmail actually reads gets rebuilt; editing the .mc alone changes nothing.
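As an added example (not from the original post, and not Debian's stock file), here is the SASL and STARTTLS part of a sendmail.mc that the bare FEATURE/include lines above leave implicit. The certificate paths and the submission-port line are assumptions; if the included starttls.m4 already sets the cert paths, or sendmailconfig already wrote an MSA DAEMON_OPTIONS line, edit those rather than adding duplicates. The point is the `p' flag in confAUTH_OPTIONS: without it, sendmail will happily accept PLAIN or LOGIN over an unencrypted port 25 session, which is exactly what you set up TLS to prevent.

```m4
dnl --- SMTP AUTH via Cyrus SASL ---------------------------------------
dnl Weak setting (do NOT use): PLAIN/LOGIN are offered on any connection,
dnl so a client can send its password base64-encoded over cleartext:
dnl     define(`confAUTH_OPTIONS', `A')dnl
dnl
dnl Corrected: `p' refuses mechanisms open to passive sniffing (PLAIN, LOGIN)
dnl unless a security layer such as STARTTLS is active; `A' only honours the
dnl AUTH= parameter on MAIL FROM when the client really authenticated.
define(`confAUTH_OPTIONS', `A p')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
dnl Clients that authenticate with these mechanisms may relay through us.
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl

dnl --- STARTTLS certificate material (assumed locations) ---------------
dnl Leave these out if /etc/mail/tls/starttls.m4 already defines them.
define(`confCACERT_PATH', `/etc/ssl/certs')dnl
define(`confCACERT', `/etc/ssl/certs/ca-certificates.crt')dnl
define(`confSERVER_CERT', `/etc/mail/tls/sendmail-server.crt')dnl
define(`confSERVER_KEY', `/etc/mail/tls/sendmail-server.key')dnl

dnl --- Submission port for your own clients ------------------------------
dnl M=E disallows ETRN, M=a requires AUTH on this port, so port 587 never
dnl relays for anyone who has not logged in.
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
```

On the SASL side, sendmail reads a file named Sendmail.conf from the libsasl2 configuration directory (/usr/lib/sasl2/Sendmail.conf on older installs, /etc/sasl2/Sendmail.conf on newer ones) containing `pwcheck_method: saslauthd` and `mech_list: plain login`, and /etc/default/saslauthd needs START=yes and MECHANISMS="pam" so that saslauthd actually runs and asks PAM. After any of this changes, rerun sendmailconfig and restart sendmail.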

Dovecot imapd/popd - The apt-get install was pretty straightforward EXCEPT for

<--- snip --->
auth_username_format = %n
<--- snip --->

Until I set this line this way, it was trying to hand "user@domain.com" instead of just "user" to PAM - no worky..... I highly suggest upping the debug options (mail_debug = yes) in dovecot.conf until you get it working, so you can see what the hell is going on in /var/log/mail.log. That was really the breakthrough for me.

saslauthd - for sendmail, THIS is what ties SMTP AUTH to your local user accounts via PAM (Dovecot talks to PAM on its own, as above), so saslauthd is indeed what you want as the password-check method rather than sasldb or passwd/shadow lookups. MAKE SURE YOU DON'T SKIP: apt-get install libsasl2-modules. The PLAIN and LOGIN mechanism plugins live in that package; without them the SASL library has no mechanism to offer, and the credentials the client sends go nowhere. OMG!! I spent hours trying to figure out why the hell a valid account couldn't authenticate. It was like it didn't understand what I was sending ... (SURPRISE!! It didn't understand what I was sending...) I did NOT see this step anywhere on my "man-page/howto" pilgrimage.
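Once sendmail, saslauthd and the TLS bits are in place, the thing worth checking is the property the Overview asked for: that the server offers STARTTLS, never offers PLAIN/LOGIN before the session is encrypted, and accepts AUTH afterwards. The script below is an added example (not code from the original post) that walks through exactly that EHLO / STARTTLS / EHLO / AUTH exchange. The protocol logic is kept separate from the socket so it can be exercised on canned transcripts; the host name, user and password are made-up values, and the transcripts are constructed, not captured from any real server.

```python
"""Added example: SMTP AUTH / STARTTLS sanity check for the setup above."""
import base64
import re
import socket
import ssl
from typing import List, Optional, Set, Tuple


def auth_plain_token(user: str, password: str, authzid: str = "") -> str:
    """RFC 4616 SASL PLAIN: authzid NUL authcid NUL password, base64-encoded.
    Base64 is an encoding, not encryption, which is why PLAIN and LOGIN must
    only be offered once STARTTLS is up."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_ehlo(reply: str) -> Tuple[int, List[str]]:
    """Split a (multi-line) EHLO reply into (status code, extension lines).
    Continuation lines look like '250-STARTTLS', the last one '250 HELP'."""
    code: Optional[int] = None
    lines: List[str] = []
    for line in reply.splitlines():
        m = re.match(r"^(\d{3})[ -](.*)$", line)
        if m:
            code = int(m.group(1))
            lines.append(m.group(2).strip())
    if code is None:
        raise ValueError("not an SMTP reply: %r" % reply)
    return code, lines[1:]  # the first line is the greeting, not an extension


def advertised_auth(exts: List[str]) -> Set[str]:
    """Mechanisms from the AUTH line. The non-standard 'AUTH=PLAIN LOGIN'
    form some old servers emit is accepted as well."""
    for ext in exts:
        ext = ext.upper().replace("AUTH=", "AUTH ")
        if ext.startswith("AUTH "):
            return set(ext.split()[1:])
    return set()


def assess(pre_tls_ehlo: str, post_tls_ehlo: str) -> List[str]:
    """Findings for a server given its EHLO replies before and after STARTTLS.
    An empty list means: STARTTLS offered, no PLAIN/LOGIN before TLS, and AUTH
    offered after TLS (what confAUTH_OPTIONS `p' is meant to enforce)."""
    _, pre = parse_ehlo(pre_tls_ehlo)
    _, post = parse_ehlo(post_tls_ehlo)
    findings: List[str] = []
    if "STARTTLS" not in {e.upper() for e in pre}:
        findings.append("no STARTTLS offered")
    weak = advertised_auth(pre) & {"PLAIN", "LOGIN"}
    if weak:
        findings.append("plaintext mechanisms offered before TLS: " + ",".join(sorted(weak)))
    if not advertised_auth(post):
        findings.append("no AUTH offered after STARTTLS")
    return findings


def _read_reply(sock) -> str:
    """Read one SMTP reply; the final line has a space after the 3-digit code."""
    buf, lines = b"", []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return "\r\n".join(lines)
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            lines.append(line.decode("ascii", "replace"))
            if len(lines[-1]) >= 4 and lines[-1][3] == " ":
                return "\r\n".join(lines)


def live_check(host: str, port: int = 587, user: Optional[str] = None,
               password: Optional[str] = None, timeout: float = 10.0) -> List[str]:
    """Run the exchange against a real server. The default SSL context verifies
    the certificate against the system CA store, so a MITM that strips STARTTLS
    shows up as 'no STARTTLS offered' and one that forges the certificate fails
    the handshake instead of receiving the password."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_reply(s)                                   # 220 greeting
        s.sendall(b"EHLO check.example.invalid\r\n")     # assumed client name
        pre = _read_reply(s)
        s.sendall(b"STARTTLS\r\n")
        if not _read_reply(s).startswith("220"):
            return ["server refused STARTTLS"]
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            tls.sendall(b"EHLO check.example.invalid\r\n")
            findings = assess(pre, _read_reply(tls))
            if user is not None and password is not None:
                token = auth_plain_token(user, password).encode("ascii")
                tls.sendall(b"AUTH PLAIN " + token + b"\r\n")
                if not _read_reply(tls).startswith("235"):
                    findings.append("AUTH PLAIN rejected")
            tls.sendall(b"QUIT\r\n")
    return findings


# Constructed EHLO transcripts for an offline run (not from any real server).
BAD_PRE_TLS = "250-mail.example.invalid Hello\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 HELP"
GOOD_PRE_TLS = "250-mail.example.invalid Hello\r\n250-STARTTLS\r\n250 HELP"
POST_TLS = "250-mail.example.invalid Hello\r\n250-AUTH PLAIN LOGIN\r\n250 HELP"

if __name__ == "__main__":
    print("misconfigured:", assess(BAD_PRE_TLS, POST_TLS))
    print("correct:", assess(GOOD_PRE_TLS, POST_TLS))
```

Against the real box, `live_check("mail.example.invalid", 587, "alice", "s3cret")` (your own host and account) should come back empty; if it reports plaintext mechanisms before TLS, the `p' flag is missing from confAUTH_OPTIONS, and if it reports no AUTH after STARTTLS, look at saslauthd and libsasl2-modules first.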

Spamassassin - I may actually remove this. Within the first 5 days or so, I had gotten around 2,000 e-mails (maybe 40 were actually real), and this was with Spamassassin running. I didn't do any customization of the install, it was pure defaults, but what I find REALLY cuts down the spam is the dnsbl feature in sendmail. Read Jeff's stuff:

http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html

He appears to be updating VERY frequently, so you won't be putting in lists that haven't been maintained since 2002 (be careful!!). If a blacklist isn't being maintained, don't use it: an abandoned list can go from answering nothing to answering positively for every query, at which point sendmail rejects all of your mail, not just the spam. This trimmed the e-mail volume down from about 400+/day to, well.. I haven't had it running like this long, but the frequency of "you have mail" dings on my e-mail client has dropped DRASTICALLY. Here are the servers I'm using in April 2008 (yes, I got them from that site above - EPIC SHOUTZ to Jeff Makey!!):

FEATURE(`dnsbl', `dul.dnsbl.sorbs.net', `"550 Mail from " $`'&{client_addr} " refused - see http://www.dul.dnsbl.sorbs.net/"')
FEATURE(`dnsbl', `sbl.spamhaus.org', `"550 Mail from " $`'&{client_addr} " refused - see http://www.spamhaus.org/sbl/"')
FEATURE(`dnsbl', `list.dsbl.org', `"550 Mail from " $`'&{client_addr} " refused - see http://dsbl.org/"')
FEATURE(`dnsbl', `bl.spamcop.net', `"450 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')
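To make the "is this list still alive" check concrete, here is an added example (not code from the original post) of what sendmail's dnsbl feature does for each connecting client, reversing the client's octets and looking the name up under each list's zone, together with the sanity check that separates a maintained list from an abandoned one. Every live DNSBL lists the test address 127.0.0.2 and never lists 127.0.0.1, and a genuine listing is an A record in 127.0.0.0/8. The resolver is pluggable, so the run below uses constructed DNS answers rather than real lookups; the 550/450 policy mirrors the four FEATURE lines above, and the client addresses are documentation ranges, not real hosts.

```python
"""Added example: the DNSBL lookup behind FEATURE(`dnsbl'), with a liveness check."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[List[str]]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for an IPv4 address: octets reversed, then the list's zone.
    192.0.2.10 against sbl.spamhaus.org becomes 10.2.0.192.sbl.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def dns_resolve(name: str) -> Optional[List[str]]:
    """Real lookup: A records for the name, or None when it does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:          # socket.gaierror (NXDOMAIN, no resolver) is a subclass
        return None


def listed(ip: str, zone: str, resolve: Resolver = dns_resolve) -> bool:
    """A listing is an A record in 127.0.0.0/8. Insisting on 127.x filters out a
    lapsed list domain that a registrar parked with a wildcard A record, which
    would otherwise 'list' every client on the Internet."""
    answers = resolve(dnsbl_name(ip, zone))
    return bool(answers) and all(a.startswith("127.") for a in answers)


def zone_is_sane(zone: str, resolve: Resolver = dns_resolve) -> bool:
    """A live DNSBL lists 127.0.0.2 and never 127.0.0.1. A list that has gone
    dark fails the first test; one turned into 'list everything' fails the
    second. Either way it should come out of sendmail.mc."""
    return listed("127.0.0.2", zone, resolve) and not listed("127.0.0.1", zone, resolve)


# Policy mirroring the FEATURE(`dnsbl', ...) lines in the post: three lists
# reject outright (550), SpamCop only tempfails (450).
POLICY: Dict[str, int] = {
    "dul.dnsbl.sorbs.net": 550,
    "sbl.spamhaus.org": 550,
    "list.dsbl.org": 550,
    "bl.spamcop.net": 450,
}


def verdict(client_ip: str, policy: Dict[str, int] = POLICY,
            resolve: Resolver = dns_resolve) -> Tuple[int, Optional[str]]:
    """(SMTP code, zone) for the first list that has the client; (250, None) if clean."""
    for zone, code in policy.items():
        if listed(client_ip, zone, resolve):
            return code, zone
    return 250, None


# Constructed answers for the offline run; none of this is real DNS data.
FAKE_DNS: Dict[str, List[str]] = {
    "2.0.0.127.dul.dnsbl.sorbs.net": ["127.0.0.10"],   # live list, test address listed
    "2.0.0.127.sbl.spamhaus.org": ["127.0.0.2"],
    "10.2.0.192.sbl.spamhaus.org": ["127.0.0.2"],      # our sample client is listed here
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "2.0.0.127.list.dsbl.org": ["127.0.0.2"],
    "1.0.0.127.list.dsbl.org": ["127.0.0.2"],          # broken: 127.0.0.1 listed too
    "10.2.0.192.parked.example": ["203.0.113.9"],      # lapsed domain, wildcard A record
}


def fake_resolve(name: str) -> Optional[List[str]]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for zone in POLICY:
        print(zone, "sane" if zone_is_sane(zone, fake_resolve) else "DROP IT")
    print(verdict("192.0.2.10", resolve=fake_resolve))      # (550, 'sbl.spamhaus.org')
    print(verdict("198.51.100.7", resolve=fake_resolve))    # (250, None)
```

Running `zone_is_sane(zone)` with the real resolver against each zone in your sendmail.mc, say from cron, is a cheap way to notice a list dying before your users notice that all of their mail is bouncing.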

What I learned
What I learned is that all the required info doesn't live in one place - not, at least, in a form that makes all the components work together seamlessly. It was a challenge, so hopefully what I posted fills in some of the missing pieces. In retrospect, it was just a couple of tidbits that were kind of hard to google (google: "#*$%ing sendmail not working like I want gonna snap"). Feel free to mail me if you run into similar issues, and I'll try to help.

carric_*at*_com2usa.com

P.S. Spammers; please die. As a friend of mine says, "I hope your legs grow together!"