SMTP AUTH and STARTTLS

Standards-based protocols that add authentication and encryption to SMTP.

SMTP [RFC 821] (August 1982) - Simple Mail Transport Protocol.
SMTP Service Extensions [RFC 1869] (November 1995).
SMTP AUTH [RFC 2554] (March 1999) - Authentication for SMTP.
STARTTLS [RFC 2487] (January 1999) - Secure SMTP over TLS.

Problems with SMTP

SMTP is an old protocol, written in a different age.
Mail servers historically set to relay openly.
Unsolicited email (spam) now a problem.

Need to support roaming users without becoming open relay.

In a secure manner.
With minimum hassle client-side.

ESMTP allows extensions to solve such problems.

“Users Good, Spammers Bad” — Solutions

Various approaches, no best solution.

Require use of ISP’s local mail server.
Allowing internal access.

Terminal mail via SSH (mutt, PINE).
Web-based email solutions.

VPN - extending trusted network.

SSH port forwarding (ssh -L 2525:localhost:25).
IPSec.

“POPPost Office Protocol before SMTP,” for example via DRAC.
SMTP AUTH (and/or STARTTLS).

SMTP AUTH

Extension of Simple Authentication and Security Layer (SASL) [RFC 2222].
Allows clients to authenticate with server.

Open relay rights to authorized users.
Access to otherwise disabled services (e.g. EXPN, VRFY).

Implemented through AUTH keyword.

$ telnet localhost 25
…
EHLO localhost
…
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN
AUTH cram-md5
334 SGVsbG8sIFdvcmxk…

SMTP AUTH - Mechanisms

Multiple authentication mechanisms are supported, of varied security.
Mechanisms supported vary by implementation, configuration.

LOGIN, PLAIN are common, but insecure (plaintext password on network).
CRAM-MD5, DIGEST-MD5 more secure (can be harder to support).
GSSAPI (kerberos) and others have poorer support (especially on clients).

STARTTLS

Mechanism for negotiating TLS [RFC 2246] over a SMTP connection.

TLS (essentially SSLv3) provides link authenticity, privacy.
Uses X.509 Certificates [RFC 2459].

Works over regular SMTP link via “upwards negotiation.”
Implemented through STARTTLS keyword.

Also (disfavored) smtps protocol, equivalent of https— the Internet Engineering Steering Group (IESG) recommends protocol designers to use upwards negotiation over alternate ports.

STARTTLS - Bad News, Good News

Does not handle virtual hosts well.
Slow (especially on the server side).
Can be susceptible to man-in-the-middle attacks.
Does not provide end-to-end confidentiality or message integrity.

That task is better met by PGP or S/MIME.

Good against passive attackers.
Protects message envelope (PGP or S/MIME do not).

Received: from mail.example.edu (IDENT:smmsp@mail.example.edu [10.0.0.11])
by example.org (8.12.1/8.12.1) with ESMTP id fBA0M7gU038106
(using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified FAIL)
for <user@example.org>; Sun, 9 Dec 2001 16:22:10 -0800 (PST)
Received: from grue.example.edu (sender@grue.example.edu [10.0.0.13])
(authenticated bits=0)
by mail.example.edu (8.12.1/8.12.1) with ESMTP id fBA0M3rD003797
(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT)
for <user@example.org>; Sun, 9 Dec 2001 16:22:07 -0800
Sender: sender@example.edu
Message-ID: <3C14002A.FAB442A3@example.edu>
Date: Sun, 09 Dec 2001 16:22:02 -0800
From: Sender <sender@example.edu>
To: user@example.org
Subject: test

SMTP AUTH versus STARTTLS

Some degree of overlap between the two standards.

Can authenticate TLS clients with certificates.
Provisions in SASL to renegotiate to a secure link.

SMTP AUTH for users, STARTTLS for machines.

Users probably more comfortable with passwords.
Could use TLS client certificates to authenticate machines.

Determine your needs and requirements before implementation!

Small Workgroup Implementation

Need to support roaming users.
Clients use common GUI MUAs (e.g. Netscape).
Client setup should be easy as possible.
Want to interoperate with existing accounts.
Fast machines and few users, so TLS performance not an issue.

Design Overview

Use sendmail(8) as MTA on server side.

Sendmail use widespread on Internet.
Has native support for SMTP AUTH, STARTTLS, smtps, etc.

Use LOGIN/PLAIN AUTH for client (and server) compatibility.
STARTTLS with server certificate to protect passwords.
Need trusted third-party signed TLS certificate.

Sendmail Protocol Support

SMTP AUTH first added in Sendmail 8.10 (2000-03-01).
Uses Cyrus SASL authentication libraries.

STARTTLS available in Sendmail 8.11 (2000-07-19).
Uses OpenSSL to provide SSL/TLS services.

Sendmail 8.12 improved support and features (2001-09-08).
Support generally requires recompiling Sendmail.
Vendor supplied Sendmail may have required features.

Use the following command to determine your sendmail version and compile features.

$ sendmail -d0 < /dev/null

OpenSSL Overview

OpenSSL homepage, the source code, and my config notes.
Strong entropy source mandatory (e.g. /dev/urandom).
Typical ./config installation.
May be available as package/port for your system.

TLS Certificates

Need Third Party Certificate Authority signed certificate.
Expensive, but client setup easier and generally more secure.
“Common Name” must match Fully Qualified Domain Name (FQDN) of the server.

# openssl genrsa 1024 > host.key
# chmod 400 host.key
# openssl req -new -key host.key > host.csr
…
Common Name (eg, YOUR name) []:mail.example.edu

host.key and host.cert (from Certificate Authority) used later.

Self-signed certificate or own Certificate Authority may be an alternative (but client support for custom certificates varies, and may be insecure).

Compiling Cyrus SASL

Sendmail uses cyrus sasl 1.5 at time of writing.

Cryus SASL homepage, the source code, and my config notes.
Typical ./configure installation.

--enable-login - legacy support of LOGIN.
--with-pwcheck - optional daemon.

May need to fiddle with library file locations.
May be available as package/port for your system.

Cyrus SASL Configuration

Setup the /usr/lib/sasl/Sendmail.conf for Sendmail.

Specify a pwcheck_method: method.

passwd - use system getpwent(3) interface.
sasldb - /etc/sasldb.
pwcheck - talk to pwcheck daemon.

Check documentation for more options.

Example Sendmail.conf from production Linux system:

$ cat /usr/lib/sasl/Sendmail.conf
pwcheck_method: shadow

SASL Database Setup (Optional)

Allows support for DIGEST-MD5, CRAM-MD5 mechanisms.
Not compatible with system accounts (uses /etc/sasldb).
May require setting Sendmail's GroupReadableSASLDBFile parameter to the DontBlameSendmail option for compatibility with Cyrus IMAP.
Add users via saslpasswd(8) utility.

# saslpasswd -a Sendmail -c -u mail.example.org user

May need to enable PLAIN support.

# echo "pwcheck_method: sasldb" > /usr/lib/sasl/saslpasswd.conf

pwcheck Daemon (Optional)

Allows unprivileged Sendmail or Cyrus IMAP users access to system account data.
Or an easy tie-in to custom accounts system (database, etc.).
Only LOGIN, PLAIN mechanisms available.

Run pwcheck daemon as super-user at startup.
/var/pwcheck should only be accessible by required users.
pwcheck creates socket under /var/pwcheck.

Sendmail 8.12 Compile Overview

m4(1) macro files used to control source build.
Setup devtools/Site/site.config.m4 under source to modify build.

Add smmsp user/group to system first!
sh Build and sh Build install.
Copy source cf/* files to system location.
Make sure resulting binary supports features you need.

$ sendmail -d0.12 < /dev/null
Version 8.12.3
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASL SCANF STARTTLS
USERDB XDEBUG
…

Compile support for Cyrus SASL

Add the following to your site.config.m4.

APPENDDEF(`confENVDEF', `-DSASL')
APPENDDEF(`confLIBS', `-lsasl -lcrypt')

dnl allows AUTH_OPTIONS to prevent LOGIN/PLAIN over non-TLS link
APPENDDEF(`confENVDEF', `-D_FFR_SASL_OPTS')
define(`confAUTH_OPTIONS', `p')

May need Cyrus SASL defines (-lcrypt) above OpenSSL’s (-lcrypto) to prevent function name conflicts.

Compile support for OpenSSL

Add the following to your site.config.m4.

APPENDDEF(`confENVDEF', `-DSTARTTLS')
APPENDDEF(`confLIBS', `-lssl -lcrypto')

APPENDDEF(`confLIBDIRS', `-L/usr/local/ssl/lib')
APPENDDEF(`confINCDIRS', `-I/usr/local/ssl/include')

Sendmail Config File Locations

Files under cf/ are used to help build sendmail.cf.

/usr/share/sendmail/conf - Darwin (a.k.a. Mac OS X).
/usr/share/sendmail - OpenBSD.
/usr/lib/sendmail-cf - RedHat 6 (via sendmail-cf RPM).
/usr/lib/mail - Solaris.

If unsure: find / -name cf.m4 -print or locate cf.m4.
Or invent a site-local location (NFS share).

Sendmail 8.12 Runtime Changes

Different due to non-suid operation; see sendmail/SECURITY for details.

Modify startup flags, e.g. /etc/rc.conf on OpenBSD.

sendmail_flags="-L sm-mta -bd -q15m"

Cron job (crontab(5)) to clear /var/spool/clientmqueue.

*/30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q

Need to build a submit.cf in addition to sendmail.cf.

Custom Mailer Compile Tips

Be sure to disable vendor supplied mailer.

Beware vendor “updates” that downgrade sendmail.
Set NO_SENDMAIL=true and NO_MAILWRAPPER=true in FreeBSD’s /etc/make.conf.

Could modify/use system’s package/ports instead.

*BSD have ports for above utilities.
Repackage RedHat RPMs with local changes.

Sendmail Configuration Overview

Group all config files under /etc/mail.
Use a Makefile to ease sendmail administration.
Create pre-bundled configurations for easier setup.

Use a sendmail.mc to build sendmail.cf.
sendmail.mc - set of m4(1) macro definitions.
Simple macro definitions result in complex config file.

# m4 /usr/share/sendmail/m4/cf.m4 sendmail.mc > sendmail.cf

Read cf/README under source for configuration details.

Configuration for STARTTLS

Place following in sendmail.mc, rebuild sendmail.cf.

define(`CERT_DIR', `/etc/mail/certs')
define(`confCACERT', `CERT_DIR/cacert.pem')
define(`confCACERT_PATH', `CERT_DIR/CA')

define(`confSERVER_CERT', `CERT_DIR/host.cert')
define(`confSERVER_KEY', `CERT_DIR/host.key')
define(`confCLIENT_CERT', `CERT_DIR/host.cert')
define(`confCLIENT_KEY', `CERT_DIR/host.key')

Restrict permissions on host.key!
Obtain root certificates (as confCACERT) to verify other systems.
Or populate the confCACERT_PATH directory with the individual certificates:

# perl -ple 'select $fh; open $fh, ">$prev.cert" if /^=+\s*$/;' \ -e '($prev = $_) =~ s/[^\w.-]/_/g' ca-root.crt
# for F in *.cert; do ln -s $F `openssl x509 -noout -hash < $F`.0; done

STARTTLS Configuration Tips

Disable client certificates if not using them:

Place following into /etc/mail/access map.

Srv_Features: V

Rebuild access map using makemap(8).

# makemap hash access < access

Additionally, can disable TLS for client connections made by the server in access map:

Try_TLS:example.net NO

Configuration for SMTP AUTH

Place following in sendmail.mc, rebuild sendmail.cf.

define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')

AuthMechanisms specifies allowed SASL mechanisms.
TrustAuthMech opens relay for users authenticated with specified method.

Could also build custom rulesets for more control.

SMTP AUTH Tips

Custom sendmail.mc ruleset to only allow EXPN/VRFY to work for authenticated users:

LOCAL_CONFIG
F{trusty}/etc/mail/trusted-domains

LOCAL_RULESETS
Scheck_expn
R$* $@ $>check_expn_and_vrfy $1

Scheck_vrfy
R$* $@ $>check_expn_and_vrfy $1

Scheck_expn_and_vrfy
R$* $: < $&{client_name} >
R< $={trusty} > $@ OK
R< $+ $={trusty} > $@ OK
R$* $: $&{auth_type}
R$={TrustAuthMech} $@ OK
R$* $#error $@ 5.7.1 $: 550 EXPN/VRFY failed for $&{client_name}

Client Setup Caveats

Straightforward for common GUI clients, but test first.

Do not enable “Secure Password Authentication” (SPA) in Outlook.
Eudora (5.1, Mac OS) requires same password for incoming, outgoing servers.
Outlook Express (5, Mac OS) dislikes self-signed certificates.
Netscape “If Possible” STARTTLS setting open to man-in-middle attack (especially if client certificates disabled).

Real World Issues - draconian ISPs

Some ISPs are now blocking outbound SMTP connections to inhibit spread of Microsoft Malware (Sircam, Nimda).

Add following to your site.config.m4, recompile Sendmail to support smtps.

APPENDDEF(`confENVDEF', `-D_FFR_SMTP_SSL')
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')

Clients will need to connect via raw TLS to the smtps port (465).
Could use Port=2525 if ISP blocking ports <1024.
Some clients may not support alternate port and/or smtps.

Real World Issues - stunnel

stunnel(1) could be used to support clients with poor TLS support.

robust TLS wrapper program.
good if have savvy clients, or you setup the client machines.

Stunnel can create an open relay if used on the server side.

SMTP AUTH and STARTTLS