Kroko Just another WordPress weblog

March 29, 2009

RUNNING A SECURE DDNS SERVICE WITH BIND

Filed under: Linux — admin @ 5:22 pm

This article gives a short introduction to DDNS and covers only one specific setup. I will not detail the reasons for my choices; however, the links provided at the end of the document will let you further understand the uses that can be made of DDNS.

REQUIREMENTS

  • 2 machines running GNU/Linux: one at home with a dynamic IP, the other elsewhere with a fixed IP
  • BIND 9.2.0 or newer installed on the external machine (acting as primary DNS for your domain – that setup won’t be detailed here)
  • the nsupdate utility on your router at home; it comes as part of the dnsutils Debian package.

GENERATING THE KEY

Since updates are initiated by the client, the process needs to be secured with a TSIG key (TSIG keys are symmetric HMAC-MD5 keys; asymmetric SIG keys can also be used, but the setup is a bit more complicated).

On the external machine running BIND 9, run as root:

dnssec-keygen -a HMAC-MD5 -b 512 -n HOST <keyname>

where <keyname> should be replaced by whatever name you want, and 512 is the key size in bits (512 is the maximum with the HMAC-MD5 algorithm).

This will generate 2 files like Kkeyname.+157+12505.key and Kkeyname.+157+12505.private. Both files should remain private (remember, we are working with a symmetric key: whoever reads it can update the zone).

ON THE SERVER SIDE

Both files created above contain the secret key, which needs to be set up in the BIND configuration file (e.g. named.conf, or named.conf.local on Debian) as follows:

key "keyname." {
  algorithm hmac-md5;
  secret "v9BhsbwDu4q95g/Gf/EiXA==";
};

Once this is defined, you can start using this shared secret in the definition of your zone:

zone "example.com" {
  type master;
  file "master/db.example.com";
  allow-update { key "keyname."; };
};

The BIND service should obviously be reloaded to start using the new configuration:

# /etc/init.d/bind9 reload

ON THE CLIENT SIDE

UPDATING THE ZONE WHEN YOUR DSL PROVIDER IP CHANGES – NSUPDATE

If you can’t get a fixed IP address from your xDSL provider and still want to host your server at home, you can use third-party services such as DynDNS.org or ZoneEdit.com, but did you know you can set up a secure DDNS service with the BIND DNS server and the nsupdate utility? You still need control of a machine with a static IP somewhere on the public Internet.

nsupdate is the tool used to update the IP on the DNS server. You can run it manually whenever you want (see the man page for additional information), in scripts run automatically by cron or, better, directly by pppd through the ip-up facility.

In Debian, save the following script as /etc/ppp/ip-up.d/ddupdate, change the options at the top of the file and make it executable:

#!/bin/bash
# Script to update DNS zones on a remote server
# Copyright © 2005-2007 - Julien Valroff <julien@kirya.net>
# Parts of the script Copyright © 2001-2002 - Dag Wieers <dag@wieers.com>

KEY="/root/Kkeyname.+157+29630.private"   # TSIG private key file; keep it mode 600
SERVER="ns.domain.com"                    # primary name server that accepts the update
LOGFILE="/var/log/syslog"
IFACE="ppp0"                              # interface whose address is published

# Reads the IPv4 address of an interface, without the /prefix length
iface_ip() {
   ip addr show "$1" | awk '/inet / { sub(/\/.*/, "", $2); print $2; exit }'
}

# pppd exports PPP_IFACE and PPP_LOCAL to ip-up.d scripts; when run from
# cron instead, both are unset and the address is read from the interface.
if [ "$PPP_LOCAL" != '' ]; then
   if [ "$PPP_IFACE" != "$IFACE" ]; then
      echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: ABORTED: Not updating dynamic IP \
        address $PPP_LOCAL of $PPP_IFACE (only $IFACE is published, currently $(iface_ip $IFACE))" >>$LOGFILE 2>&1
      exit 0
   fi
   IPADDR=$PPP_LOCAL
   sleep 3
else
   IPADDR=$(iface_ip $IFACE)
fi

# Braces instead of a subshell, so that RC is still set for the final exit
{
cat <<EOF | nsupdate -k "$KEY"
server $SERVER
zone example.com
update delete example.com. A
update add example.com. 60 A $IPADDR
update delete mail.example.com. A
update add mail.example.com. 60 A $IPADDR
send
EOF

  RC=$?

  if [ $RC != 0 ]; then
    echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: FAILURE: Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"
    (
        echo "Subject: DDNS update failed"
        echo
        echo "Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"
    ) | /usr/sbin/sendmail root
  else
    echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: SUCCESS: Updating dynamic IP $IPADDR on $SERVER succeeded"
  fi
} >>$LOGFILE 2>&1

exit $RC

The next time your connection is restarted, the IP will be updated on your DNS server and you’ll see an entry in your log file:
Mar 12 18:43:26 athena ddupdate[14507]: SUCCESS: Updating dynamic IP 81.13.52.124 on ns.domain.com succeeded
An e-mail will alert the system administrator in case the update fails.

Remember to use a low TTL for the zone which is meant to be updated; 60 seconds seems to be a good value.
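To tie the key and nsupdate steps together, here is an added example (not code from the original post or from the script's authors). It reads the secret out of a dnssec-keygen .private file and prints the named.conf key stanza shown above, extracts the IPv4 address from "ip addr show" output, checks that the value is really a dotted-quad address before it is handed to nsupdate, and builds the update batch with the 60-second TTL. The key file contents, secret, zone names and interface output are constructed for the demo; only the file format of dnssec-keygen (a "Key: <base64>" line) is assumed.

```shell
#!/bin/bash
# Added example: helpers for the TSIG / nsupdate setup described above.
# All sample data (key file, secret, "ip addr show" text) is constructed.

# Print the named.conf key stanza for a K<name>.+157+<id>.private file.
# dnssec-keygen stores the base64 secret on a line of the form "Key: <secret>".
tsig_key_stanza() {
    local keyfile="$1" keyname="$2" secret
    secret=$(sed -n 's/^Key: *//p' "$keyfile")
    if [ -z "$secret" ]; then
        echo "no Key: line found in $keyfile" >&2
        return 1
    fi
    printf 'key "%s." {\n  algorithm hmac-md5;\n  secret "%s";\n};\n' "$keyname" "$secret"
}

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255,
# so that nothing else (garbage, a shell fragment) ends up in the zone.
is_ipv4() {
    local rest="$1" octet n=0
    case "$rest" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$rest" = "$octet" ] && break
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# Extract the IPv4 address of an interface from "ip addr show <iface>" output
# on stdin, dropping the /prefix length and ignoring inet6 lines.
inet4_from_ip_output() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# Build the nsupdate batch: replace the A record of each name with the new
# address, using the given TTL (60 seconds, as recommended above).
# usage: nsupdate_batch <server> <zone> <ttl> <ip> <name>...
nsupdate_batch() {
    local server="$1" zone="$2" ttl="$3" ip="$4" name
    shift 4
    if ! is_ipv4 "$ip"; then
        echo "refusing to publish non-IPv4 value: $ip" >&2
        return 1
    fi
    printf 'server %s\nzone %s\n' "$server" "$zone"
    for name in "$@"; do
        printf 'update delete %s. A\nupdate add %s. %s A %s\n' "$name" "$name" "$ttl" "$ip"
    done
    printf 'send\n'
}

# Constructed "ip addr show ppp0" output, as pppd would leave it.
SAMPLE_IP_OUTPUT='2: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492
    inet 81.13.52.124 peer 81.13.52.1/32 scope global ppp0
    inet6 fe80::1/128 scope link'

# Demo: write a constructed .private file, derive the key stanza from it,
# then build the batch that "nsupdate -k <keyfile>" would be fed.
demo() {
    local tmp ip
    tmp=$(mktemp -d)
    printf 'Private-key-format: v1.2\nAlgorithm: 157 (HMAC_MD5)\nKey: v9BhsbwDu4q95g/Gf/EiXA==\n' \
        > "$tmp/Kkeyname.+157+12505.private"
    tsig_key_stanza "$tmp/Kkeyname.+157+12505.private" keyname
    ip=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | inet4_from_ip_output)
    nsupdate_batch ns.domain.com example.com 60 "$ip" example.com mail.example.com
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument demo to see the stanza and the batch; in the ip-up script the output of nsupdate_batch would simply be piped into nsupdate -k "$KEY". Validating the address first matters because PPP_LOCAL and the awk extraction are the only things standing between the interface state and a record published under a key that can rewrite the whole zone.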

UPDATING THE DNS WITH DYNAMIC IP ON YOUR LOCAL NETWORK – DHCPD

DDNS can also be used in conjunction with dhcpd to dynamically update the DNS when a machine is given an IP. A very detailed article was written by Adam Trickett for debian-administration.org to explain this setup.

COMBINE BOTH METHODS WITH A ROADWARRIOR CLIENT

I plan to combine the methods described earlier to allow a roadwarrior to be reachable by its name wherever it is located.

When out of the company, the roadwarrior is connected to the network through a secure OpenVPN tunnel. Thanks to the --client-connect and --client-disconnect directives, the OpenVPN server can update the DNS entry for the given host (cf. the ifconfig_pool_remote_ip and common_name environment variables in the OpenVPN man page).

When directly connected to the local network, the roadwarrior gets an IP from the DHCP server which updates the DNS.

I haven’t yet worked on this setup, and am not sure it would be very useful, but this is an example of use of dynamic DNS.

OTHER (MORE DETAILED) ARTICLES ON DDNS

As usual, here are some external resources which helped me write this article and which will allow you to study the DDNS methods in detail:

  • ISC BIND homepage: www.isc.org/index.pl?/sw/bind/
  • ISC DHCP homepage: www.isc.org/index.pl?/sw/dhcp/
  • www.oceanwave.com/technical-resources/unix-admin/nsupdate.html
  • ops.ietf.org/dns/dynupd/secure-ddns-howto.html
  • dag.wieers.com/howto/bits/bind-ddns.php
  • linux.yyz.us/nsupdate/

December 29, 2008

Use wget or curl to download from RapidShare Premium

Filed under: Linux — admin @ 12:03 am

In the last few days I needed to download a bunch of medical videos which had been uploaded to RapidShare by many other people. Although RapidShare (and all the other 1-click file-hosting services) is very convenient, it has some strict rules for free accounts: for example a guest has to wait 120 seconds per 1 MB of downloaded data and – to make it worse – no download managers are allowed. Since “waiting” is not a game I like, and since I intended to use either wget or curl to download the files, I decided to sign up for a RapidShare Premium account and then figure out how to use the aforementioned tools. Fortunately, registered users are permitted to use download managers and, as you will read in the following article, the Linux command-line downloaders work flawlessly with a Premium account.


Theory

RapidShare uses cookie-based authentication. This means that every time you log into the service, a cookie containing information which identifies you as a registered user is stored in your browser’s cookie cache. Both wget and curl support saving and loading cookies, so before using them to download any files, you should save such a cookie. Having done this, the only action required in order to download from RapidShare is to load the cookie, so that wget or curl can use it to authenticate you on the RapidShare server. This is pretty much the same as you would do with a graphical download manager; the difference is that you do it on the command line.

Below you will find examples about how to perform these actions using both wget and curl.

IMPORTANT: Please note that in order to use these command-line utilities or any other download managers with RapidShare, you will have to check the Direct Downloads option in your account’s options page.

Save your RapidShare Premium Account Cookie

Saving your RapidShare cookie is a procedure that needs to be done once.

The login page is located at:

https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi

The login form requires two fields: login and password. These are pretty self-explanatory.

In the following examples, the RapidShare username is shown as USERNAME and the password as PASSWORD.

Using wget

In order to save your cookie using wget, run the following:

wget \
    --save-cookies ~/.cookies/rapidshare \
    --post-data "login=USERNAME&password=PASSWORD" \
    -O - \
    https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi \
    > /dev/null

--save-cookies : Saves the cookie to a file called rapidshare under the ~/.cookies directory (let’s assume that you store your cookies there)
--post-data : is the POST payload of the request. In other words it contains the data you would enter in the login form.
-O - : downloads the HTML data to the standard output. Since the above command is run only in order to obtain the cookie, this option prints the HTML data to stdout (Standard Output) and then discards it by redirecting stdout to /dev/null. If you don’t do this, wget will save the HTML data in a file called premiumzone.cgi in the current directory. This is just the RapidShare HTML page, which is absolutely not needed.

Using curl

In order to save your cookie using curl, run the following:

curl \
    --cookie-jar ~/.cookies/rapidshare \
    --data "login=USERNAME&password=PASSWORD" \
    https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi \
    > /dev/null

--cookie-jar : Saves the cookie to a file called rapidshare under the ~/.cookies directory (it has been assumed previously that cookies are stored there)
--data : contains the data you would enter in the login form.
curl prints the downloaded page data to stdout by default. This is discarded by sending it to /dev/null.

Download files using your RapidShare Premium Account Cookie

Having saved your cookie, downloading files from RapidShare is as easy as telling wget/curl to load the cookie every time you use them to download a file.

Downloading with wget

In order to download a file with wget, run the following:

wget -c --load-cookies ~/.cookies/rapidshare <URL>

-c : this is used in order to resume downloading of the file if it already exists in the current directory and is incomplete.
--load-cookies : loads your cookie.

Downloading with curl

In the same manner, in order to download a file with curl, run the following:

curl -L -O --cookie ~/.cookies/rapidshare <URL>

-L : Follows all redirections until the final destination page is found. This switch is almost always required as curl won’t follow redirects by default (read about how to check the server HTTP headers with curl).
-O : By using this switch you instruct curl to save the downloaded data to a file in the current directory. The filename of the remote file is used. This switch is also required or else curl will print the data to stdout, which is something you probably won’t like.
--cookie : loads your RapidShare account’s cookie.

Setting up a Download Server

Although most users would be satisfied with the above, I wouldn’t be surprised if you wanted to go a bit further and try to set up a little service for your downloading pleasure. Here is a very primitive implementation of such a service. All you will need is standard command-line tools.

This primitive server consists of the following:

  1. A named pipe, called “dlbasket”. You will feed the server with URLs through this pipe. Another approach would be to use a listening TCP socket with NetCat.
  2. A script which, among other things, contains the main server loop. This loop reads one URL at a time from dlbasket and starts a wget/curl process in order to download the file. If dlbasket is empty, the server should just wait.

So, in short, the service would be the following:

cat <> dlbasket | ( while ... done )

All credit for the “cat <> dlbasket |” magic goes to Zart, who kindly helped me out at the #fedora IRC channel.

So, let’s create that service. The following assume that a user named “downloader” exists in the system and the home directory is /var/lib/downloader/. Of course you can set this up as you like, but make sure you adjust the following commands and the script’s configuration options accordingly.

First, create the named pipe:

mkfifo -m 0700 /var/lib/downloader/dlbasket

If it does not exist, create a bin directory in the user’s home:

mkdir -p /var/lib/downloader/bin

Also, create a directory where the downloaded files will be saved:

mkdir -p /var/lib/downloader/downloads

The following is a quick and dirty script I wrote which actually implements the service. Save it as rsgetd.sh inside the user’s bin directory:

#! /usr/bin/env bash

#  rsgetd.sh - Download Service

#  Version 0.2

#  Copyright (C) 2007 George Notaras (http://www.g-loaded.eu/)
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License version 2 as
#  published by the Free Software Foundation.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.

# Special thanks to 'Zart' from the #fedora channel on FreeNode

# CONFIG START
HOMEDIR="/var/lib/downloader"
DLBASKET="$HOMEDIR/dlbasket"
DLDIR="$HOMEDIR/downloads/"
LOGFILE="$HOMEDIR/.downloads_log"
CACHEFILE="$HOMEDIR/.downloads_cache"
LIMIT="25k"
WGETBIN="/usr/bin/wget"
# Rapidshare Login Cookie
RSCOOKIE="$HOMEDIR/cookies/.rapidshare"
# CONFIG END

# Timestamp taken at every call, so each log entry carries its own time
log() {
        echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >> "$LOGFILE"
}

cat <> "$DLBASKET" | (
        while read -r url ; do
                # First, check the cache if the file has been already downloaded
                # (whole-line, case-insensitive, fixed-string match of the URL)
                if [ -f "$CACHEFILE" ] && grep -qixF -- "$url" "$CACHEFILE" ; then
                        log "File exists in cache. Already downloaded - Skipping: $url"
                else
                        log "Starting with rate $LIMIT/s: $url"
                        # wget reads nothing from stdin, but </dev/null makes sure it
                        # can never consume URLs meant for the loop
                        case "$url" in
                                *://rapidshare.com/*|*://*.rapidshare.com/*)
                                        # If it is a Rapidshare.com link, load the RS cookie
                                        echo "RAPIDSHARE LINK"
                                        "$WGETBIN" -c --limit-rate="$LIMIT" --directory-prefix="$DLDIR" --load-cookies "$RSCOOKIE" "$url" < /dev/null
                                        ;;
                                *)
                                        "$WGETBIN" -c --limit-rate="$LIMIT" --directory-prefix="$DLDIR" "$url" < /dev/null
                                        ;;
                        esac
                        log "Finished: $url"
                        echo "$url" >> "$CACHEFILE"
                fi
        done )

exit 0

As you might have already noticed, two extra files are created inside the home directory: .downloads_cache and .downloads_log. The first contains a list of all the URLs that have been downloaded. Each new download is checked against this list, so that the particular URL is not processed if the file has already been downloaded. The latter file is a usual logfile stating the start and end times of each download. Feel free to adjust the script to your needs.
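Because everything written to the basket ends up as a wget argument, and the cookie file is effectively the account password, the decision step of the loop deserves a bit more care than the quick-and-dirty version above. The following is an added example (not the author's script) that factors that step out so it can be tested on its own: URLs are accepted only if they are http/https without whitespace or control characters, the cache is matched by whole line rather than substring (so a.zip no longer hides a.zip.bak), the cookie is sent only when the host really is rapidshare.com or a subdomain (not a URL that merely contains that string in its path), and the cookie file must be mode 0600 before it is used. Paths, the sample URLs and the serve loop are constructed/assumed here; the loop only runs when the script is started with the argument serve.

```shell
#!/bin/bash
# Added example: stricter decision step for the download loop. Paths and
# sample URLs are constructed; nothing here is the original rsgetd.sh.

HOMEDIR="${HOMEDIR:-/var/lib/downloader}"
DLBASKET="$HOMEDIR/dlbasket"
DLDIR="$HOMEDIR/downloads/"
LOGFILE="$HOMEDIR/.downloads_log"
CACHEFILE="$HOMEDIR/.downloads_cache"
RSCOOKIE="$HOMEDIR/cookies/.rapidshare"
WGETBIN="/usr/bin/wget"
LIMIT="25k"

# Only http/https URLs without whitespace or control characters are queued;
# anything else written to the basket is dropped rather than handed to wget.
url_allowed() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[[:space:]]*|*[[:cntrl:]]*) return 1 ;;
    esac
    return 0
}

# Send the cookie only when the host is rapidshare.com or a subdomain:
# the scheme, path, userinfo and port are stripped before comparing.
needs_cookie() {
    local h
    h=${1#*://}; h=${h%%/*}; h=${h##*@}; h=${h%%:*}
    h=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
    case "$h" in
        rapidshare.com|*.rapidshare.com) return 0 ;;
    esac
    return 1
}

# Cache lookup by exact, case-insensitive match of the whole line; regex
# characters in the URL are taken literally.
already_downloaded() {
    [ -f "$2" ] && grep -qixF -- "$1" "$2"
}

mark_downloaded() {
    printf '%s\n' "$1" >> "$2"
}

# The cookie file stands in for the account password: require mode 0600.
cookie_is_private() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        -rw-------*) return 0 ;;
    esac
    return 1
}

# Decide what to do with one URL: prints skip-bad, skip-cached,
# fetch-cookie or fetch. The cache is only updated after a download.
handle_url() {
    local url="$1" cache="$2"
    if ! url_allowed "$url"; then echo skip-bad; return 0; fi
    if already_downloaded "$url" "$cache"; then echo skip-cached; return 0; fi
    if needs_cookie "$url"; then echo fetch-cookie; else echo fetch; fi
}

log() { echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >> "$LOGFILE"; }

# The serve loop, same shape as rsgetd.sh: read URLs from the named pipe
# and act on the decision of handle_url.
serve() {
    cat <> "$DLBASKET" | while read -r url; do
        case "$(handle_url "$url" "$CACHEFILE")" in
            skip-bad)    log "Rejected: $url" ;;
            skip-cached) log "Already downloaded - Skipping: $url" ;;
            fetch-cookie)
                if cookie_is_private "$RSCOOKIE"; then
                    log "Starting (with cookie): $url"
                    "$WGETBIN" -c --limit-rate="$LIMIT" --directory-prefix="$DLDIR" \
                        --load-cookies "$RSCOOKIE" "$url" < /dev/null && mark_downloaded "$url" "$CACHEFILE"
                else
                    log "Cookie file $RSCOOKIE is not mode 0600, not using it: $url"
                fi ;;
            fetch)
                log "Starting: $url"
                "$WGETBIN" -c --limit-rate="$LIMIT" --directory-prefix="$DLDIR" "$url" < /dev/null \
                    && mark_downloaded "$url" "$CACHEFILE" ;;
        esac
    done
}

if [ "${1:-}" = serve ]; then serve; fi
```

Marking the URL as downloaded only when wget exits successfully also fixes a quirk of the original loop, which cached every URL whether or not the download completed, so a failed transfer could never be retried by resubmitting the same URL.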

Here is some info about how you should start the service:

-1- You can simply start the script as a background process and then feed URLs to it. For example:

rsgetd.sh &
echo "<URL>" > /var/lib/downloader/dlbasket

-2- Use screen in order to run the script in the background but still be able to see its output by connecting to a screen session. Although this is not a screen howto, here is an example:

Create a new screen session and attach to it:

screen -S rs_downloads

While being in the session, run rsgetd.sh

rsgetd.sh

From another terminal feed the download basket (dlbasket) with urls:

echo "<URL>" > /var/lib/downloader/dlbasket
cat url_list.txt > /var/lib/downloader/dlbasket

Watch the files in the screen window as they are being downloaded.

Detach from the screen session by hitting the following:

Ctrl-a   d

Re-attach to the session by running:

screen -r

Note that you do not need to be attached to the screen session in order to add URLs.

Feeding the basket with URLs remotely

Assuming that a SSH server is running on the machine that runs rsgetd.sh, you can feed URLs to it by running the following from a remote machine:

ssh downloader@server.example.org cat \> /var/lib/downloader/dlbasket

Note that the > needs to be escaped so that it is considered as part of the command that will be executed on the remote server.

Now, feel free to add as many URLs as you like. After you hit the [Enter] key the url will be added to the download queue. When you are finished, just press Ctrl-D to end the URL submission.

Conclusion

This article provides all the information you need in order to use wget or curl to download files from your RapidShare Premium account. Also, information on how to set up a service that will assist you in order to commence downloads on your home server from a remote location has been covered.

The same information applies in all cases that wget and curl need to be used with websites that use cookie-based authentication.

The Use wget or curl to download from RapidShare Premium by George Notaras, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Terms and conditions beyond the scope of this license may be available at www.g-loaded.eu.

November 27, 2008

Sendmail-SMTP-AUTH-TLS-Howto

Filed under: Linux — admin @ 12:19 am

Sendmail-SMTP-AUTH-TLS-Howto

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 03/11/2004

This document describes how to install a mail server based on sendmail that is capable of SMTP-AUTH and TLS. It should work (maybe with slight changes concerning paths etc.) on all *nix operating systems. I tested it on Debian Woody so far.

This howto is meant as a practical guide; it does not cover the theoretical background, which is treated in a lot of other documents on the web.

This document comes without warranty of any kind!


1 Get the Sources

We need the following software: openssl, cyrus-sasl2, and sendmail. We will install the software from the /tmp directory.

cd /tmp
wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz
wget --passive-ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.17.tar.gz
wget --passive-ftp ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.11.tar.gz


2 Install Openssl

tar xvfz openssl-0.9.7c.tar.gz
cd openssl-0.9.7c
./config
make
make install
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl


3 Install Cyrus-sasl2

cd /tmp
tar xvfz cyrus-sasl-2.1.17.tar.gz
cd cyrus-sasl-2.1.17
./configure --enable-anon --enable-plain --enable-login --disable-krb4 --with-saslauthd=/var/run/saslauthd --with-pam --with-openssl=/usr/local/ssl --with-plugindir=/usr/local/lib/sasl2 --enable-cram --enable-digest --enable-otp
 (1 line!)
make
make install

If /usr/lib/sasl2 exists: 
mv /usr/lib/sasl2 /usr/lib/sasl2_orig

echo "pwcheck_method: saslauthd" > /usr/local/lib/sasl2/Sendmail.conf
echo "mech_list: login plain" >> /usr/local/lib/sasl2/Sendmail.conf

mkdir -p /var/run/saslauthd


4 Create Certificates for TLS

mkdir -p /etc/mail/certs
cd /etc/mail/certs
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365

<- Enter your password for smtpd.key.
<- Enter your Country Name (e.g., “DE”).
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. “IT Department”).
<- Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
<- Enter your Email Address.

openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 365

<- Again, enter your password for smtpd.key.
<- Enter your Country Name (e.g., “DE”).
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. “IT Department”).
<- Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
<- Enter your Email Address.

openssl x509 -noout -text -in sendmail.pem
chmod 600 ./sendmail.pem


5 Install Sendmail

cd /tmp
tar xvfz sendmail.8.12.11.tar.gz
cd sendmail-8.12.11/devtools/Site/

Create the file site.config.m4 (in devtools/Site/):


# SASL2 (smtp authentication)
APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
#
# STARTTLS (smtp + tls/ssl)
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_SMTP_SSL')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto -L/usr/local/ssl/lib')

mkdir -p /usr/man
mkdir -p /usr/man/man1
mkdir -p /usr/man/man8
cp -pfr /usr/local/lib/sasl2 /usr/lib/sasl2
echo /usr/lib/sasl2 >> /etc/ld.so.conf
ldconfig
ln -s /usr/local/ssl/include/openssl /usr/include/openssl

Now we can compile sendmail:

cd /tmp/sendmail-8.12.11/
useradd smmsp
groupadd smmsp
sh Build -c
sh Build install

Let’s create our sendmail.cf:

cd cf/cf/

Create the file sendmail.mc with the following contents:


dnl ### do SMTPAUTH
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl

dnl ### do STARTTLS
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl

dnl ###
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define(`confMAX_MESSAGE_SIZE', `15000000')dnl Denial of Service Attacks
define(`confMAX_DAEMON_CHILDREN', `30')dnl Denial of Service Attacks
define(`confCONNECTION_RATE_THROTTLE', `2')dnl Denial of Service Attacks
define(`confMAXRCPTSPERMESSAGE', `50')dnl Denial of service Attacks
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `20s')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `35m')dnl
define(`confTO_DATAFINAL', `35m')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
define(`confALIAS_WAIT', `0')dnl
define(`confMAX_HOP', `35')dnl
define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `12')dnl
define(`confSEPARATE_PROC', `False')dnl
define(`confCON_EXPENSIVE', `true')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl
OSTYPE(linux)dnl
FEATURE(`delay_checks')dnl
FEATURE(`generics_entire_domain')dnl
FEATURE(`local_procmail')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`nouucp',`reject')dnl
FEATURE(`redirect')dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`virtuser_entire_domain')dnl

FEATURE(dnsbl,`blackholes.mail-abuse.org',
` Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/lookup?$&{client_addr}')dnl
FEATURE(dnsbl,`dialups.mail-abuse.org',
` Mail from dial-up rejected; see http://mail-abuse.org/dul/enduser.htm')dnl

FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl
FEATURE(access_db)dnl
FEATURE(lookupdotdomain)dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl


In order to create /etc/mail/sendmail.cf run the following commands:

sh Build sendmail.cf
cp sendmail.cf /etc/mail/sendmail.cf

Finally we have to create some files:

cd /etc/mail/
touch /etc/mail/local-host-names
touch /etc/mail/virtusertable
/usr/sbin/makemap hash virtusertable < virtusertable
mkdir -p /var/spool/mqueue
chmod 700 /var/spool/mqueue
chown root:root /var/spool/mqueue
chown root:root /etc/mail/sendmail.cf
chmod 444 /etc/mail/sendmail.cf
chown root:root /etc/mail/submit.cf
chmod 444 /etc/mail/submit.cf
touch /etc/mail/aliases
newaliases
touch /etc/mail/access
/usr/sbin/makemap hash access < access

We need an init script for sendmail (this should be copied to /etc/init.d/sendmail):


#! /bin/sh

case "$1" in
    start)
        echo "Initializing SMTP port. (sendmail)"
        /usr/sbin/sendmail -bd -q1h
        ;;
    stop)
        echo "Shutting down SMTP port:"
        killall /usr/sbin/sendmail
        ;;
    restart|reload)
        $0 stop  &&  $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
        ;;
esac
exit 0


chmod 755 /etc/init.d/sendmail

In order to start sendmail at boot time do the following:

ln -s /etc/init.d/sendmail /etc/rc2.d/S20sendmail
ln -s /etc/init.d/sendmail /etc/rc3.d/S20sendmail
ln -s /etc/init.d/sendmail /etc/rc4.d/S20sendmail
ln -s /etc/init.d/sendmail /etc/rc5.d/S20sendmail
ln -s /etc/init.d/sendmail /etc/rc0.d/K20sendmail
ln -s /etc/init.d/sendmail /etc/rc1.d/K20sendmail
ln -s /etc/init.d/sendmail /etc/rc6.d/K20sendmail


6 Configure Saslauthd

Create /etc/init.d/saslauthd:


#!/bin/sh -e

NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
# Socket directory; must match the --with-saslauthd path given to the
# cyrus-sasl configure script above
RUNDIR="/var/run/${NAME}"

test -f "${DAEMON}" || exit 0

# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
    . "${DEFAULTS}"
fi

# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
    exit 0
fi

# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
    echo "You need to configure ${DEFAULTS} with mechanisms to be used"
    exit 0
fi

# Add our mechanisms with the necessary flag
for i in ${MECHANISMS}; do
    PARAMS="${PARAMS} -a ${i}"
done

# Consider our options
case "${1}" in
  start)
        echo -n "Starting ${DESC}: "
        # Make sure the socket directory exists; sendmail contacts saslauthd there
        mkdir -p "${RUNDIR}"
        ${DAEMON} ${PARAMS}
        echo "${NAME}."
        ;;
  stop)
        echo -n "Stopping ${DESC}: "
        PROCS=`ps aux | grep -iw '/usr/sbin/saslauthd' | grep -v 'grep' |awk '{print $2}' | tr '\n' ' '`
        if [ "x${PROCS}" != "x" ]; then
          # "&>" is a bashism; under /bin/sh it would background the kill
          kill -15 ${PROCS} > /dev/null 2>&1
        fi
        echo "${NAME}."
        ;;
  restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        echo "${NAME}."
        ;;
  *)
        echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

chmod 755 /etc/init.d/saslauthd

In order to start saslauthd at boot time do the following:

ln -s /etc/init.d/saslauthd /etc/rc2.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc3.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc4.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc5.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc0.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc1.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc6.d/K20saslauthd

Then create /etc/default/saslauthd:


# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb"
MECHANISMS=shadow


If you find out that saslauthd is located in /usr/local/sbin instead of /usr/sbin create a symbolic link:

ln -s /usr/local/sbin/saslauthd /usr/sbin/saslauthd

Then start saslauthd and sendmail:

/etc/init.d/saslauthd start

/etc/init.d/sendmail start


7 Test your Configuration

To verify that your sendmail was compiled with the right options, type

/usr/sbin/sendmail -d0.1 -bv root

The output should show that sendmail was compiled with SASLv2 and STARTTLS.

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your sendmail mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system’s shell.


Links

Sendmail MTA: http://www.sendmail.org/

OpenSSL: http://www.openssl.org/

Cyrus-SASL: http://asg.web.cmu.edu/sasl/

