Authenticated Relaying


If you travel with a portable computer such as a laptop, you may connect to the Internet through a different connection at each location where you work. Perhaps you travel for work, or maybe you just bring your laptop home at night.

This section does not apply if you always dial in to the network through your ISP. In that case, you are always connected to your ISP's network and it is as though you never moved your computer.

On a laptop you do not use a local instance of sendmail to send email. Instead you use SMTP to connect to an ISP's or a company's SMTP server, which relays the outgoing mail. To avoid relaying email for anyone, including malicious users who would send spam, SMTP servers restrict whom they relay email for, based on IP address. With authenticated relaying, the SMTP server instead decides whether to relay based on the identity of the authenticated user. In addition, SMTP can encrypt the communication between your email client and the SMTP server.

An authenticated relay provides these advantages over a plain connection:

  • You can send email from any Internet connection.

  • The secure connection makes it more difficult to intercept email as it traverses the Internet.

  • The outgoing mail server requires authentication, preventing it from being used for spam.

You set up authenticated relaying by creating an SSL certificate or using an existing one, enabling SSL in sendmail, and telling your email client to connect to the SMTP server using SSL. If you have an SSL certificate from a company such as Verisign, you can skip the next section, in which you create a self-signed certificate.

Creating a Self-Signed Certificate for sendmail

FEDORA


The default location for SSL certificates is /etc/pki/tls/certs (PKI stands for public key infrastructure). Working as root, use mkdir to create this directory if necessary and then use the Makefile in this directory to generate the required certificates. Apache uses a similar procedure for creating a certificate (page 822).

# cd /etc/pki/tls/certs
# make sendmail.pem
...
Generating a 1024 bit RSA private key
........................++++++
.......................++++++
writing new private key to '/tmp/openssl.q15963'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:San Francisco
Organization Name (eg, company) [My Company Ltd]:Sobell Associates Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:sobell.com
Email Address []:mgs@sobell.com


You can enter any information you wish in the certificate.

RHEL


The default location for SSL certificates is /usr/share/ssl/certs. Before giving the make sendmail.pem command as explained above, use mkdir to create this directory if necessary and then cd to it.
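
As an added example (not code from the book or from the Fedora Makefile), the following Python script does non-interactively what the make sendmail.pem target does: it runs the openssl command to generate an RSA key and a self-signed certificate, then writes both into a single sendmail.pem, the layout sendmail expects when confSERVER_CERT and confSERVER_KEY point at the same file. The Distinguished Name fields are the ones entered in the session above; the 2048-bit key size, the 365-day lifetime and the temporary output directory used by demo() are assumptions of this example, as is the presence of the openssl binary on the PATH.

```python
import os
import subprocess
import tempfile


def make_self_signed_cert(out_path, common_name, org, country="US",
                          state="California", locality="San Francisco",
                          email="mgs@sobell.com", days=365, key_bits=2048):
    """Generate an RSA key and a self-signed X.509 certificate with the openssl
    command and concatenate both into one PEM file.

    Mirrors the Makefile target, but supplies the Distinguished Name with -subj
    instead of answering prompts. Key size and lifetime are example choices
    (the 2006 Makefile shown on the page used a 1024-bit key).
    """
    subject = (f"/C={country}/ST={state}/L={locality}/O={org}"
               f"/CN={common_name}/emailAddress={email}")
    key_tmp = out_path + ".key"
    crt_tmp = out_path + ".crt"
    subprocess.run(
        ["openssl", "req", "-x509", "-nodes", "-newkey", f"rsa:{key_bits}",
         "-days", str(days), "-subj", subject,
         "-keyout", key_tmp, "-out", crt_tmp],
        check=True, capture_output=True)
    # Key first, then certificate, separated by a blank line: one file that
    # serves as both confSERVER_KEY and confSERVER_CERT in sendmail.mc.
    with open(out_path, "wb") as combined:
        for part in (key_tmp, crt_tmp):
            with open(part, "rb") as f:
                combined.write(f.read())
            combined.write(b"\n")
            os.unlink(part)
    # The file contains the private key, so only its owner may read it
    # (root, when this is done in /etc/pki/tls/certs).
    os.chmod(out_path, 0o600)
    return out_path


def _x509_field(pem_path, flag):
    """Run 'openssl x509 -noout <flag>' and return the text after the first '='."""
    result = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", flag, "-nameopt", "RFC2253"],
        check=True, capture_output=True, text=True)
    return result.stdout.strip().split("=", 1)[1].strip()


def describe_cert(pem_path):
    """Return subject, issuer and whether the certificate signed itself."""
    subject = _x509_field(pem_path, "-subject")
    issuer = _x509_field(pem_path, "-issuer")
    return {"subject": subject, "issuer": issuer, "self_signed": subject == issuer}


def demo():
    """Create sendmail.pem in a temporary directory (assumed) and inspect it."""
    workdir = tempfile.mkdtemp()
    pem = make_self_signed_cert(os.path.join(workdir, "sendmail.pem"),
                                common_name="sobell.com",
                                org="Sobell Associates Inc.")
    info = describe_cert(pem)
    info["mode"] = oct(os.stat(pem).st_mode & 0o777)
    with open(pem) as f:
        info["has_key"] = "PRIVATE KEY" in f.read()
    return info


if __name__ == "__main__":
    print(demo())
```

Because the certificate is self-signed, its subject and issuer are identical; a mail client that verifies server certificates will need this file (or just its certificate part) installed as a trusted CA, which is why the book suggests a certificate from a commercial CA as the alternative.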

Enabling SSL in sendmail

Once you have a certificate, instruct sendmail to use it by adding the following lines to sendmail.mc:

define(`confAUTH_OPTIONS', `A p')
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')


The first of these lines tells sendmail to allow authenticated users to relay. The next two lines specify the authentication mechanisms.

The first option for confAUTH_OPTIONS, A, instructs sendmail to use the AUTH parameter when sending mail only if authentication succeeded. The second option, p, instructs sendmail, on connections that are not encrypted, not to allow authentication methods whose credentials could be recovered by a packet sniffer.

Now add the following lines to sendmail.mc to tell sendmail where the certificate is:

define(`CERT_DIR', `/etc/pki/tls/certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/sendmail.pem')
define(`confSERVER_CERT', `CERT_DIR/sendmail.pem')
define(`confSERVER_KEY', `CERT_DIR/sendmail.pem')
define(`confCLIENT_CERT', `CERT_DIR/sendmail.pem')
define(`confCLIENT_KEY', `CERT_DIR/sendmail.pem')


Encrypted connections are made in one of two ways: SSL (simpler) or TLS. SSL requires a dedicated port: the client and the server negotiate a secure connection first and then carry out the transaction as if the connection were not encrypted. TLS has the client connect to the server over an insecure connection and then issue a STARTTLS command to negotiate a secure connection, so TLS runs over the same port as an unencrypted connection. Because many clients support only SSL, it is a good idea to instruct sendmail to listen on the SMTPS port as well. The final line that you add to sendmail.mc instructs sendmail to listen on the SSL port:

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')


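Once sendmail is configured, you will want to check that the p option in confAUTH_OPTIONS and the STARTTLS/SMTPS setup actually behave as described: on a cleartext connection the server should advertise STARTTLS and should not offer the PLAIN or LOGIN mechanisms, while after STARTTLS (or on the dedicated SMTPS port) it may offer everything in confAUTH_MECHANISMS. The following Python audit is an added example, not code from the book or from sendmail: audit_ehlo() parses an EHLO reply and applies that policy, and audit_live() runs it against a real host using the standard smtplib module. The three EHLO replies at the bottom are constructed samples in sendmail's reply format, not captures from a real server; the host name mail.sobell.com and the client address in them are made up.

```python
import smtplib
import ssl

# Mechanisms that transmit the password in the clear (or trivially encoded).
# sendmail's confAUTH_OPTIONS 'p' flag withholds them until a security layer is active.
WEAK_IN_CLEAR = {"PLAIN", "LOGIN"}


def parse_ehlo(response):
    """Parse an EHLO reply into {EXTENSION: [parameters]}; the greeting line is skipped."""
    extensions = {}
    lines = [ln.strip() for ln in response.splitlines() if ln.strip().startswith("250")]
    for line in lines[1:]:            # lines[0] is "250-host Hello ...", the greeting
        parts = line[4:].split()      # drop the "250-" or "250 " prefix
        if parts:
            extensions[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return extensions


def audit_ehlo(response, encrypted):
    """Report what the server offers and flag policy problems.

    encrypted=False: reply received on a cleartext connection (port 25 before STARTTLS).
    encrypted=True: reply received after STARTTLS, or on the SMTPS port.
    """
    ext = parse_ehlo(response)
    mechanisms = set(ext.get("AUTH", []))
    findings = []
    if not encrypted and "STARTTLS" not in ext:
        findings.append("server does not offer STARTTLS on the cleartext connection")
    weak = mechanisms & WEAK_IN_CLEAR
    if weak and not encrypted:
        findings.append(f"{', '.join(sorted(weak))} offered before encryption; "
                        "confAUTH_OPTIONS should include p")
    return {"starttls": "STARTTLS" in ext,
            "mechanisms": sorted(mechanisms),
            "findings": findings}


def audit_live(host, port=25):
    """Audit a real server: once in the clear, then again after STARTTLS.

    host and port are supplied by the caller; this function is not exercised offline.
    """
    reports = []
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        reports.append(audit_ehlo(smtp.ehlo_resp.decode("ascii", "replace"), encrypted=False))
        if reports[0]["starttls"]:
            # create_default_context() verifies the server certificate; a self-signed
            # sendmail.pem must be added with context.load_verify_locations() to pass.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
            reports.append(audit_ehlo(smtp.ehlo_resp.decode("ascii", "replace"), encrypted=True))
    return reports


# Constructed sample replies in sendmail's EHLO format (not captured from a real host).
EHLO_CLEAR_WITH_P = """\
250-mail.sobell.com Hello laptop.example.net [203.0.113.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
"""
# Same server without the p option: the weak mechanisms leak into the clear.
EHLO_CLEAR_WITHOUT_P = EHLO_CLEAR_WITH_P.replace(
    "250-AUTH DIGEST-MD5 CRAM-MD5", "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN")
# After STARTTLS the server offers all mechanisms and no longer advertises STARTTLS.
EHLO_AFTER_STARTTLS = EHLO_CLEAR_WITHOUT_P.replace("250-STARTTLS\n", "")


if __name__ == "__main__":
    for label, reply, enc in (("clear, p set", EHLO_CLEAR_WITH_P, False),
                              ("clear, p unset", EHLO_CLEAR_WITHOUT_P, False),
                              ("after STARTTLS", EHLO_AFTER_STARTTLS, True)):
        print(label, audit_ehlo(reply, enc))
```

For the SMTPS port from the DAEMON_OPTIONS line, the connection is encrypted from the first byte, so you would open it with smtplib.SMTP_SSL instead and pass encrypted=True to the audit on the first EHLO.
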
Enabling SSL in the Mail Client

Enabling SSL in a mail client is usually quite simple. For example, KMail provides Settings→Configure KMail→Accounts→Receiving→Add/Modify→Extras, which allows you to choose the type of encryption you want to use: None, SSL, or TLS.




A Practical Guide to Red Hat® Linux®: Fedora™ Core and Red Hat Enterprise Linux (3rd Edition)
ISBN: 0132280272
Year: 2006
Pages: 383
