Securing SMTP

The highest levels of security achievable with SMTP require application-layer cryptography in the form of encryption (for privacy) and digital signatures (for authentication). This functionality is provided by packages such as Pretty Good Privacy (PGP), located at http://www.pgpi.org/ and http://www.pgp.com/, and GNU Privacy Guard (GnuPG), located at http://www.gnupg.org/. Unfortunately, these mechanisms aren't widely deployed. They're difficult to integrate into MUAs, and they present problems of their own, such as key distribution.

A more practical level of security is Transport Layer Security (TLS) using the STARTTLS extension to SMTP. TLS provides both encryption and authentication, but unlike application layer security, it is only in effect between MUAs and MTAs. Once an MTA accepts a message via a TLS SMTP session, it's free to store the message in clear text (unencrypted). And TLS authentication is suitable for determining the authenticity of the remote host—which is useful for relay control—but it won't help the recipient determine the authenticity of the sender.

STARTTLS

The STARTTLS command, when issued to an SMTP server that implements it, activates Secure Sockets Layer (SSL), a form of TLS, on the current session. Using SSL, the client and server can verify each other's identity (authenticate) and communicate secretly.

A patch is available (http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch) that implements the STARTTLS extension to SMTP as described in RFC 2487 (http://www.ietf.org/rfc/rfc2487.txt). The patch requires OpenSSL (available from http://www.openssl.org/). In its basic configuration, it allows STARTTLS-compatible clients to authenticate the server and encrypt the SMTP dialogue. Optionally, it can be used to authenticate clients for granting relay access (see "Relaying" in Chapter 3) or for authenticating/encrypting dialogues with remote servers.

Installing the STARTTLS Patch

Install and test qmail before attempting to install the STARTTLS patch:

  1. Download the patch using your Web browser or a command-line utility. For example, using wget, do this:

     $ wget http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch
     --13:54:50--  http://www.esat.kuleuven.ac.be/%7Evermeule/qmail/tls.patch
                => 'tls.patch'
     Connecting to www.esat.kuleuven.ac.be:80... connected!
     HTTP request sent, awaiting response... 200 OK
     Length: 26,629 [text/plain]

         0K -> ..........................                            [100%]

     13:54:58 (4.38 KB/s) - 'tls.patch' saved [26629/26629]
     $

  2. Install the patch:

     $ cd qmail-1.03
     $ patch < ../tls.patch
     patching file Makefile
     patching file conf-cc
     patching file dns.c
     patching file ipalloc.h
     patching file qmail-remote.c
     patching file qmail-smtpd.c
     $

  3. Rebuild qmail:

     $ su -
     Password: rootpassword
     # qmailctl stop
     Stopping qmail...
       qmail-smtpd
       qmail-send
     # make setup check
     ( cat warn-auto.sh; \
     echo CC=\'`head -1 conf-cc`\'; \
     echo LD=\'`head -1 conf-ld`\' \
     ...lots of output ending with something like:
     auto_uids.o strerr.a substdio.a error.a str.a fs.a
     ./install
     ./instcheck
     #

  4. Install a certificate. If you don't require a certificate signed by a recognized Certificate Authority (CA), you can generate your own self-signed certificate.

    Note 

    The functional difference between a self-signed certificate and a CA-signed certificate is that users may be prompted to accept the self-signed certificate the first time their MUA sees it.

     # make cert
     openssl req -new -x509 -nodes \
       -out /var/qmail/control/servercert.pem -days 366 \
       -keyout /var/qmail/control/servercert.pem
     Using configuration from /usr/share/ssl/openssl.cnf
     Generating a 1024 bit RSA private key
     ........++++++
     ..................++++++
     writing new private key to '/var/qmail/control/servercert.pem'
     ----
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     ----
     Country Name (2 letter code) [AU]:US
     State or Province Name (full name) [Some-State]:Tennessee
     Locality Name (eg, city) []:Oak Ridge
     Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example, Inc
     Organizational Unit Name (eg, section) []:.
     Common Name (eg, your name or your server's hostname) []:example.com
     Email Address []:postmaster@example.com
     chmod 640 /var/qmail/control/servercert.pem
     chown qmaild.qmail /var/qmail/control/servercert.pem
     ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
     #

    Note 

    Makefile codes the full path to the openssl command, /usr/local/ssl/bin/openssl. If your openssl program is installed in a different directory, you'll need to edit Makefile appropriately. For example, if openssl is in /usr/bin, as in Red Hat Linux 7.1, you can replace the full path name with just openssl.

  5. Restart qmail:

     # qmailctl start
     Starting qmail
     #

  6. Test qmail-smtpd from the local host. You should see something like this:

     # telnet 0 25
     Trying 0.0.0.0...
     Connected to 0.
     Escape character is '^]'.
     220 dolphin.example.com ESMTP
     ehlo dude
     250-dolphin.example.com
     250-PIPELINING
     250-STARTTLS
     250 8BITMIME
     quit
     221 dolphin.example.com
     Connection closed by foreign host.
     #

If you see a line in the response to the ehlo command that mentions "STARTTLS," skip to step 8.

  7. If you saw something in step 6 like this:

     # telnet 0 25
     Trying 0.0.0.0...
     Connected to 0.
     Escape character is '^]'.
     Connection closed by foreign host.
     #

then you probably need to adjust /var/qmail/supervise/qmail-smtpd/run to allow qmail-smtpd to use more memory. The inclusion of the OpenSSL library increases the space required by qmail-smtpd. In qmail-smtpd/run, change the memory limit specified in the softlimit command. For example, if your run script looks like this:

     #!/bin/sh
     QMAILDUID=`id -u qmaild`
     NOFILESGID=`id -g qmaild`
     MAXSMTPD=`head -1 /var/qmail/control/concurrencyincoming`
     exec /usr/local/bin/softlimit -m 2000000 \
         /usr/local/bin/tcpserver -v -p -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
             -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd 2>&1

change it to something like this:

     #!/bin/sh
     QMAILDUID=`id -u qmaild`
     NOFILESGID=`id -g qmaild`
     MAXSMTPD=`head -1 /var/qmail/control/concurrencyincoming`
     exec /usr/local/bin/softlimit -m 3000000 \
         /usr/local/bin/tcpserver -v -p -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
             -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd 2>&1

You might need to raise the limit as high as 10000000.

After modifying the run script, tell supervise to restart the service:

     # svc -t /service/qmail-smtpd
     #
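The softlimit edit described above is easy to get wrong by hand (the wrong number, a dropped backslash), so here is an added example, not from the handbook, that scripts it: a function that rewrites the -m value in a run script and refuses to leave behind a script that no longer parses. The function names and the sed edit are this example's own; the run-script layout it expects is the one shown above, and sample_run_script writes a constructed copy of it for trying the function offline.

```shell
# Added example, not from the qmail Handbook: script the softlimit change
# rather than editing qmail-smtpd/run by hand.  The function names and the
# sed edit are this example's own; the run-script layout is the one the
# handbook shows.

# Print the "-m <bytes>" value currently given to softlimit in a run script.
current_softlimit() {
    sed -n 's/.*softlimit .*-m \([0-9][0-9]*\).*/\1/p' "$1"
}

# Rewrite the softlimit -m value in place and syntax-check the result.
# Usage: bump_softlimit <run-script> <new-bytes>
# Returns 0 on success, 1 if the script does not look as expected, 2 on bad input.
bump_softlimit() {
    script=$1
    newlimit=$2
    # Only a plain integer may be spliced into the sed expression.
    case $newlimit in
        ''|*[!0-9]*) echo "bump_softlimit: limit must be an integer" >&2; return 2 ;;
    esac
    # Expect exactly one softlimit line carrying a -m argument.
    n=$(grep -c 'softlimit .*-m [0-9][0-9]*' "$script" || true)
    if [ "$n" -ne 1 ]; then
        echo "bump_softlimit: expected one 'softlimit -m' in $script, found $n" >&2
        return 1
    fi
    # Portable in-place edit: write a temporary copy, then move it over.
    tmp="$script.tmp.$$"
    sed "s/\(softlimit .*-m \)[0-9][0-9]*/\1$newlimit/" "$script" > "$tmp" || return 1
    mv "$tmp" "$script" || return 1
    # Never hand supervise a script that no longer parses.
    sh -n "$script" || return 1
}

# Constructed copy of the handbook's original qmail-smtpd/run, for trying the
# function offline: sample_run_script <path> writes it to <path>.
sample_run_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`head -1 /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 2000000 \
    /usr/local/bin/tcpserver -v -p -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd 2>&1
EOF
}
```

On a live system you would run bump_softlimit against /var/qmail/supervise/qmail-smtpd/run and then svc -t the service as above; the integer check matters because the value is spliced into a sed expression, and the sh -n check catches a damaged continuation line before supervise starts respawning a broken script.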

  8. Test the STARTTLS functionality using a compatible MUA. Verify that a message sent through the server using STARTTLS contains a Received field like this:

     Received: from dolphin.example.com (HELO dolphin.example.com) (192.168.1.4)
       by mail.example.com with DES-CBC3-SHA encrypted SMTP; 3 Jul 2001 08:54:50 -0000
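As an added example (not from the handbook), the following shell functions check the three things the steps above ask you to look at: that the EHLO response advertises STARTTLS, that the Received field records an encrypted hop and which cipher was used, and that servercert.pem holds both key and certificate without being world-readable. They work over captured text so they can be tried without a live connection; the function names are this example's own, and the sample strings are copied from the transcript and Received field shown above.

```shell
# Added example, not from the qmail Handbook: checks for the results of the
# installation steps above, run over captured text so they work offline.
# Function names are this example's own; the sample strings below are taken
# from the transcript and Received field shown in the handbook.

# Does an EHLO response advertise STARTTLS?  Response text on stdin.
# Only "250-STARTTLS" (continuation) or "250 STARTTLS" (final line) count.
ehlo_offers_starttls() {
    grep -q '^250[- ]STARTTLS[[:space:]]*$'
}

# Which cipher did the STARTTLS-patched qmail-smtpd record?  The Received
# field carries "with <CIPHER> encrypted SMTP"; print the cipher name, or
# nothing when the hop was plain "with SMTP".  Header text on stdin.
received_cipher() {
    sed -n 's/.*[[:space:]]with \([A-Za-z0-9_-]*\) encrypted SMTP.*/\1/p'
}

# Is servercert.pem in the state "make cert" leaves it: private key and
# certificate both present in the one file, and not world-readable?
# (chmod 640 is what the Makefile applies; the key must not be exposed.)
servercert_ok() {
    pem=$1
    [ -f "$pem" ] || return 1
    grep -q 'BEGIN .*PRIVATE KEY' "$pem" || return 1
    grep -q 'BEGIN CERTIFICATE' "$pem" || return 1
    # Character 8 of "ls -l" output is the world-read bit; "-" means unset.
    [ "$(ls -ld "$pem" | cut -c8)" = "-" ] || return 1
}

# Constructed samples (copied from the handbook's transcript) for a dry run.
SAMPLE_EHLO='250-dolphin.example.com
250-PIPELINING
250-STARTTLS
250 8BITMIME'
SAMPLE_RECEIVED='Received: from dolphin.example.com (HELO dolphin.example.com) (192.168.1.4)
  by mail.example.com with DES-CBC3-SHA encrypted SMTP; 3 Jul 2001 08:54:50 -0000'

demo() {
    if printf '%s\n' "$SAMPLE_EHLO" | ehlo_offers_starttls; then
        echo "EHLO: STARTTLS advertised"
    else
        echo "EHLO: STARTTLS missing (see step 7)"
    fi
    echo "Received cipher: $(printf '%s\n' "$SAMPLE_RECEIVED" | received_cipher)"
}

demo
```

To use these against a real server, feed ehlo_offers_starttls the response captured from a telnet session like the one in step 6, pipe a received message's headers through received_cipher, and point servercert_ok at /var/qmail/control/servercert.pem; an empty cipher means the hop was not encrypted even if the server advertises STARTTLS, which is worth checking because a client may silently fall back to plain SMTP.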

SSL-Wrapped SMTP

Although the STARTTLS extension is the preferred method of securing SMTP, some MUAs only support the deprecated method of wrapping the SMTP exchange with SSL.

There are a couple of SSL wrapping utilities available, including

  • Stunnel (http://www.stunnel.org/)

  • SSLWrap (http://www.rickk.com/sslwrap/)

Installing Stunnel

To install Stunnel, follow these steps:

  1. Download the source tarball using your Web browser or a command-line utility such as wget. At the time of this writing, 3.15 is the current version. For example, using wget:

     $ wget http://www.stunnel.org/download/stunnel/src/stunnel-3.15.tar.gz
     --13:37:05--  http://www.stunnel.org/download/stunnel/src/stunnel-3.15.tar.gz
                => 'stunnel-3.15.tar.gz'
     Connecting to www.stunnel.org:80... connected!
     HTTP request sent, awaiting response... 200 OK
     Length: 120,633 [application/octet-stream]

         0K -> .................................................. [ 42%]
        50K -> .................................................. [ 84%]
       100K -> ...................                                [100%]

     13:38:21 (1.76 KB/s) - 'stunnel-3.15.tar.gz' saved [120633/120633]
     $

  2. Unpack the tarball:

     $ gunzip stunnel-3.15.tar.gz
     $ tar xf stunnel-3.15.tar
     $ cd stunnel-3.15
     $

  3. Build the binaries:

     $ ./configure
     creating cache ./config.cache
     checking host system type... i686-pc-linux-gnu
     checking for gcc... gcc
     ...lots of output ending with something like:
     updating cache ./config.cache
     creating ./config.status
     creating Makefile
     $ make
     gcc -g -O2 -Wall -I/usr/include -DVERSION=\"3.15\" -DHAVE_OPENSSL=1 -Dssldir=\"/usr\" -DPEM_DIR=\"\" -DRANDOM_FILE=\"/dev/urandom\" -DSSLLIB_CS=0 -DHOST=\"i686-pc-linux-gnu\" -DHAVE_LIBDL=1 -DHAVE_LIBNSL=1 -DHAVE_LIBPTHREAD=1 -DHAVE_LIBUTI
     ...lots of output ending with something like:
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     ----
     Country Name (2 letter code) [PL]:US
     State or Province Name (full name) [Some-State]:Tennessee
     Locality Name (eg, city) []:Oak Ridge
     Organization Name (eg, company) [Stunnel Developers Ltd]:Example, Inc
     Organizational Unit Name (eg, section) []:
     Common Name (FQDN of your server) []:example.com
     Common Name (default) []:localhost
     /usr/bin/openssl x509 -subject -dates -fingerprint -noout \
         -in stunnel.pem
     subject= /C=US/ST=Tennessee/L=Oak Ridge/O=Example, Inc/OU=none/CN=example.com/CN=localhost
     notBefore=Jul 22 17:41:38 2001 GMT
     notAfter=Jul 22 17:41:38 2002 GMT
     MD5 Fingerprint=37:FE:80:F6:20:CC:58:0C:BE:58:B9:54:91:B5:E8:67
     $

  4. Install the binaries:

     $ su
     Password: rootpassword
     # make install
     ./mkinstalldirs /usr/local/sbin /usr/local/lib /usr/local/man/man8 /usr/local/var/stunnel/
     mkdir /usr/local/var/stunnel
     chmod a=rwx,+t /usr/local/var/stunnel/
     /usr/bin/install -c -m 711 stunnel /usr/local/sbin
     test -s stunnel.so && /usr/bin/install -c -m 755 stunnel.so /usr/local/lib
     /usr/bin/install -c -m 644 stunnel.8 /usr/local/man/man8
     if [ -n "" ] ; then \
             /usr/bin/install -c -m 600 stunnel.pem ; \
     fi
     #

Setting Up an SSL-Wrapped SMTP Service

With qmail, daemontools, and Stunnel installed, you can now set up an SSL-wrapped SMTP service. Follow these steps:

  1. Create /var/qmail/supervise directories for the new service:

     # mkdir -p /var/qmail/supervise/smtpsd/log
     # chmod +t /var/qmail/supervise/smtpsd
     #

  2. Create /var/qmail/supervise/smtpsd/run containing:

     #!/bin/sh
     QMAILDUID=`id -u qmaild`
     NOFILESGID=`id -g qmaild`
     MAXSMTPD=`head -1 /var/qmail/control/concurrencyincoming`
     if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" ]; then
         echo QMAILDUID, NOFILESGID, or MAXSMTPD is unset in
         echo /var/qmail/supervise/smtpsd/run
         exit 1
     fi
     exec /usr/local/bin/softlimit -m 3000000 \
         /usr/local/bin/tcpserver -v -R -H -l 0 -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
             -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
                 /usr/local/sbin/stunnel -f -p /usr/local/etc/stunnel.pem \
                     -l /var/qmail/bin/qmail-smtpd 2>&1

This script is modeled after the /var/qmail/supervise/qmail-smtpd/run script from Chapter 2, "Installing qmail." The three changes are described below.

The first change is to raise the memory limit from 2000000 to 3000000. Adding the stunnel process and the SSL encryption code requires more memory. On some platforms, you might have to raise the limit even higher.

The second change is to use port 465 instead of smtp. Port 465, also known as smtps, is the standard port for SSL-wrapped SMTP.

The last change is to replace the qmail-smtpd invocation with a stunnel invocation that runs qmail-smtpd. The stunnel command arguments are

  • -f tells stunnel to stay in the foreground—which tcpserver requires.

  • -p /usr/local/etc/stunnel.pem specifies the location of the server's Privacy Enhanced Mail (PEM) key.

  • -l /var/qmail/bin/qmail-smtpd tells stunnel to run qmail-smtpd to handle the protocol dialogue.

  3. Create /var/qmail/supervise/smtpsd/log/run containing

     #!/bin/sh
     exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog \
         t /var/log/qmail/smtpsd

  4. Set the permissions on the run scripts and create the logging directory:

     # chmod 755 /var/qmail/supervise/smtpsd/run
     # chmod 755 /var/qmail/supervise/smtpsd/log/run
     # mkdir /var/log/qmail/smtpsd
     # chown qmaill /var/log/qmail/smtpsd
     #

  5. Link the service to /service:

     # ln -s /var/qmail/supervise/smtpsd /service
     #

  6. Verify that the service is running:

     # svstat /service/smtpsd
     /service/smtpsd: up (pid 22164) 9 seconds
     # telnet 0 465
     Trying 0.0.0.0...
     Connected to 0.
     Escape character is '^]'.
     junk
     junk
     Connection closed by foreign host.
     #

  7. Test the secure SMTP service using a compatible MUA. Check /var/log/qmail/smtpsd to verify that the MUA connected to port 465.
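The steps above are usually typed once and then forgotten, so here is an added example, not from the handbook, that turns them into a function: it writes the two run scripts with the softlimit, port, and PEM path as parameters, sets the modes, and refuses to finish unless both scripts parse. A second function does the check the last step asks for, counting the connections tcpserver -v logged on the smtps port. Function names are this example's own; the scripts written are the ones shown above, and sample_smtpsd_log produces a constructed copy of the kind of lines multilog would store.

```shell
# Added example, not from the qmail Handbook: build the smtpsd supervise
# service from a function so that the softlimit, port, and PEM path are
# parameters, and check multilog output for connections on that port, as
# the last step asks.  Function names are this example's own; the run
# scripts written are the ones the handbook shows.

# Usage: make_smtpsd_service <service-dir> <log-dir> [bytes] [port] [pem]
# Writes <service-dir>/run and <service-dir>/log/run, sets modes, and
# syntax-checks both scripts.  Returns non-zero on any failure.
make_smtpsd_service() {
    svc=$1
    logdir=$2
    limit=${3:-3000000}
    port=${4:-465}
    pem=${5:-/usr/local/etc/stunnel.pem}
    mkdir -p "$svc/log" "$logdir" || return 1
    chmod +t "$svc" || return 1
    # Unquoted heredoc: $limit/$port/$pem are filled in now; the escaped
    # \$ and \` survive into the script and are evaluated at run time.
    cat > "$svc/run" <<EOF
#!/bin/sh
QMAILDUID=\`id -u qmaild\`
NOFILESGID=\`id -g qmaild\`
MAXSMTPD=\`head -1 /var/qmail/control/concurrencyincoming\`
if [ -z "\$QMAILDUID" -o -z "\$NOFILESGID" -o -z "\$MAXSMTPD" ]; then
    echo QMAILDUID, NOFILESGID, or MAXSMTPD is unset in
    echo $svc/run
    exit 1
fi
exec /usr/local/bin/softlimit -m $limit \\
    /usr/local/bin/tcpserver -v -R -H -l 0 -x /etc/tcp.smtp.cdb -c "\$MAXSMTPD" \\
        -u "\$QMAILDUID" -g "\$NOFILESGID" 0 $port \\
            /usr/local/sbin/stunnel -f -p $pem \\
                -l /var/qmail/bin/qmail-smtpd 2>&1
EOF
    cat > "$svc/log/run" <<EOF
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog \\
    t $logdir
EOF
    chmod 755 "$svc/run" "$svc/log/run" || return 1
    # Neither script should reach supervise unless it parses.
    sh -n "$svc/run" && sh -n "$svc/log/run"
}

# Count connections tcpserver -v accepted on a given local port.  With
# -H -R -l 0 the accept lines look like
#   tcpserver: ok <pid> 0:<local-ip>:<port> :<remote-ip>::<remote-port>
# Log text (what multilog stored) on stdin; prints the count.
count_accepted_on_port() {
    grep -c "tcpserver: ok [0-9][0-9]* [^ ]*:$1 :" || true
}

# Constructed sample of what /var/log/qmail/smtpsd/current might hold after
# one MUA connected to port 465 and another to 25 (timestamps omitted).
sample_smtpsd_log() {
    printf '%s\n' \
        'tcpserver: status: 1/20' \
        'tcpserver: pid 22170 from 192.168.1.4' \
        'tcpserver: ok 22170 0:192.168.1.5:465 :192.168.1.4::1025' \
        'tcpserver: end 22170 status 0' \
        'tcpserver: ok 22180 0:192.168.1.5:25 :192.168.1.9::1100'
}
```

On a live system you would call make_smtpsd_service /var/qmail/supervise/smtpsd /var/log/qmail/smtpsd as root, chown the log directory to qmaill, and link the service into /service as in step 5; afterwards, count_accepted_on_port 465 < /var/log/qmail/smtpsd/current tells you whether the MUA really reached the wrapped port rather than falling back to 25.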



The qmail Handbook
ISBN: 1893115402
Year: 2001
Pages: 186
Authors: Dave Sill