Thursday, September 07, 2006

GMail as smarthost for FreeBSD-6.1 Sendmail

Update: This does not work!! FreeBSD 6.1 sendmail does not include TLS (GNU TLS or SSL), so you need to recompile sendmail with TLS support. Easier still is to install Exim 4 from ports that supports all we need.


I run a FreeBSD 6.1 box at home and want to send emails from it by using GMail as my mail relay (smarthost). GMail provides secure mail relaying by using SMTP AUTH and TLS. Hence this setup will work for DSL users on dynamic IP addresses as well as mobile users.

Here is how you go about setting up all this:

Step 0: DNS settings

If you don't have a fully qualified DNS entry for your box, sendmail will have trouble starting up. I have a Dynamic DNS domain mithila.ath.cx and it's wildcarded, i.e. *.mithila.ath.cx will all point to mithila.ath.cx. My /etc/resolv.conf looks like this:
search mithila.ath.cx
nameserver 208.67.222.222
nameserver 208.67.220.220
I use OpenDNS as my servers because my ISP DNS servers are unreliable.

Step 1: Editing freebsd.mc

Edit /etc/mail/freebsd.mc and add the following lines to the bottom of the file:

define(`SMART_HOST',`smtp.gmail.com')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/CAcert.pem')
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')

Step 2: Create client-info with your gmail username/password

[root@mithila /etc/mail] mkdir /etc/mail/auth
[root@mithila /etc/mail] touch /etc/mail/auth/client-info
The file /etc/mail/auth/client-info contains a single line:
[root@mithila /etc/mail/auth]# cat client-info
AuthInfo:smtp.gmail.com "U:root" "I:GMAILUSER@gmail.com" "P:PASSWORD"
Replace GMAILUSER with your gmail username and PASSWORD with your gmail password. Note that you are storing your gmail password in clear text, so please take the necessary precautions.

To create the client-info hash, run the following:
[root@mithila /etc/mail/auth] makemap hash client-info < client-info

Finish this step by fixing the ownership and permission on your files (sendmail is picky about this):
[root@mithila /etc/mail/auth] chown -R root:wheel /etc/mail/auth
[root@mithila /etc/mail/auth] chmod 700 /etc/mail/auth
[root@mithila /etc/mail/auth] chmod 600 /etc/mail/auth/*

Step 3: Creating SSL certs

The OpenBSD starttls(8) manpage has an excellent walkthrough for creating SSL certs. The following is just a repeat of the relevant bits of the manpage.

[root@mithila /etc/mail] mkdir /etc/mail/certs
[root@mithila /etc/mail] cd certs
[root@mithila /etc/mail/certs] openssl dsaparam 1024 -out dsa1024.pem
[root@mithila /etc/mail/certs] openssl req -x509 -nodes -days 3650 -newkey dsa:dsa1024.pem -out /etc/mail/certs/mycert.pem -keyout /etc/mail/certs/mykey.pem
[root@mithila /etc/mail/certs] ln -s /etc/mail/certs/mycert.pem /etc/mail/certs/CAcert.pem
[root@mithila /etc/mail/certs] openssl req -x509 -new -days 3650 -key /etc/mail/certs/mykey.pem -out /etc/mail/certs/mycert.pem

Remove temporary files and fix ownership and permissions:

[root@mithila /etc/mail/certs] rm dsa1024.pem
[root@mithila /etc/mail/certs] chown -R root:wheel .
[root@mithila /etc/mail/certs] chmod 700 .
[root@mithila /etc/mail/certs] chmod 600 *

Step 4: Create new sendmail.cf

[root@mithila /etc/mail] make; make install
[root@mithila /etc/mail] /etc/rc.d/sendmail stop
[root@mithila /etc/mail] /etc/rc.d/sendmail start 
Watch /var/log/maillog for errors when sendmail is restarted.

Step 5: send test email

[rsubr@mithila ~] mail -s 'MAILTEST' GMAILUSER@gmail.com < /etc/motd
[rsubr@mithila ~] mail -s 'MAILTEST' username@domain.com < /etc/motd
Watch /var/log/maillog for errors. That's all folks!

Issues

Ensure that your box is capable of resolving MX records for domains.
[rsubr@mithila ~] dig -t mx gmail.com
For some strange reason, my DSL router did not want to resolve MX records, and sendmail barfed. Using the right DNS servers in /etc/resolv.conf should do the trick, or you could just run named and point DNS to localhost. I chose the former, and since my ISP (Airtel) has unreliable DNS servers, I use the OpenDNS servers 208.67.222.222 and 208.67.220.220.
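A pre-flight check for the setup in Steps 1 to 5 and the Issues section above, added here as an example and not part of the original post. It assumes sendmail's `-d0.1 -bv root` "Compiled with:" output, the client-info path from Step 2, and dig output for the MX test; the sample inputs are constructed.

```sh
#!/bin/sh
# Added pre-flight check for the GMail smarthost setup; not from the original post.
# It verifies the three things this post and its comments trip over:
#  1. the sendmail binary was built with STARTTLS and SASL (the Update says the stock
#     FreeBSD 6.1 build lacks TLS; a missing SASL gives the AuthMechanisms warning),
#  2. /etc/mail/auth/client-info is mode 0600 and carries the AuthInfo line for the host,
#  3. MX lookups work (the "Issues" section).

# has_feature LIST NAME: 0 when NAME is on the "Compiled with:" line of LIST,
# where LIST is the text printed by `sendmail -d0.1 -bv root`.
has_feature() {
    printf '%s\n' "$1" | sed -n 's/^.*Compiled with:[[:space:]]*//p' \
        | tr ' ' '\n' | grep -qx -- "$2"
}

# authinfo_ok FILE HOST: 0 when FILE is mode 0600 and holds an AuthInfo line for HOST.
# (Ownership root:wheel, which the post also sets, is not rechecked here.)
authinfo_ok() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ] || return 1
    grep -q "^AuthInfo:$2[[:space:]]" "$1"
}

# mx_count TEXT: number of MX answer records in the output of `dig -t mx DOMAIN`
# (comment/question lines start with ';' and are skipped).
mx_count() {
    printf '%s\n' "$1" | grep -v '^;' | grep -c '[[:space:]]IN[[:space:]]*MX[[:space:]]' || true
}

# Constructed sample of `sendmail -d0.1 -bv root` output from a build that has both features.
SAMPLE_COMPILED='Version 8.14.2
 Compiled with: DNSMAP LOG MAP_REGEX NAMED_BIND NETINET NEWDB PIPELINING SASLv2 STARTTLS TCPWRAPPERS'

# Offline demonstration on the sample and on a constructed client-info file.
demo() {
    has_feature "$SAMPLE_COMPILED" STARTTLS && echo "sample: STARTTLS present"
    has_feature "$SAMPLE_COMPILED" SASLv2 && echo "sample: SASLv2 present"
    dir=$(mktemp -d) || return 1
    printf 'AuthInfo:smtp.gmail.com "U:root" "I:GMAILUSER@gmail.com" "P:PASSWORD"\n' > "$dir/client-info"
    chmod 600 "$dir/client-info"
    authinfo_ok "$dir/client-info" smtp.gmail.com && echo "sample client-info: ok"
    rm -rf "$dir"
}

# Live run on the box: ./preflight.sh --live (needs the sendmail binary, dig and the network).
if [ "${1:-}" = "--live" ]; then
    compiled=$(sendmail -d0.1 -bv root 2>&1)
    for f in STARTTLS SASLv2; do
        has_feature "$compiled" "$f" && echo "ok: built with $f" || echo "MISSING: $f (rebuild sendmail with it, or use ports mail/sendmail-sasl)"
    done
    authinfo_ok /etc/mail/auth/client-info smtp.gmail.com && echo "ok: client-info" || echo "BAD: client-info missing, not 0600, or no AuthInfo line"
    echo "MX records for gmail.com: $(mx_count "$(dig -t mx gmail.com 2>/dev/null)")"
else
    demo
fi
```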

15 comments:

Anonymous said...

Do you have any particular reason for choosing Sendmail over Postfix, Exim et al?

raja said...

Sendmail is already in base FreeBSD, and, whenever possible, I don't want to move machines away from the default config.

Anonymous said...

Great! It also works just fine for Fedora Core 6.

Anonymous said...

Great work! I struggled to get my sendmail straight ...this one helped a lot...really made SMTP AUTH easy for me. I have one question though...what is the difference between the command sendmail and mail?

raja said...

@sulo: sendmail is a full blown MTA while mail is a simple MUA. Sendmail is responsible for email receiving, routing, filtering, delivery, etc. Sendmail is the "stuff" that makes the email you send reach its destination. The nicest feature of mail is that you can quickly send emails from the command line (think cron jobs). A good alternative for mail is mutt.

Anonymous said...

I'm using webmin on CentOS 4.5, and the CERT_DIR feature is not available.
Should I only define the complete path as /usr/share/ssl/certs?

thanks,

Unknown said...

Hi Raja,

In /var/log/maillog I always have "Deferred".

OS: Freebsd

Could you please explain step 3 more, because when I start sendmail I have:
May 4 19:02:52 lion sm-mta[1088]: gethostbyaddr(192.168.1.16) failed: 1
May 4 19:02:52 lion sm-mta[1089]: starting daemon (8.14.2): SMTP+queueing@00:30:00
May 4 19:02:52 lion sm-mta[1089]: STARTTLS=server, error: SSL_CTX_use_certificate_file(/etc/mail/certs/mycert.pem) failed
May 4 19:02:52 lion sm-msp-queue[1093]: starting daemon (8.14.2): queueing@00:30:00

Anonymous said...

Is this relaying the same capability that gmail describes as an outbound gateway?

If so, then I understand it isn't supported for non-Premier Google Apps accounts. In other words, it won't work on the free accounts.

Anyone else get it to work on a free google app gmail account?

Anonymous said...

I don't know if anyone is going to read this because of the date of the thread, but I am getting time-outs according to my maillog:

Dec 26 13:43:07 w3 sendmail[7065]: starting daemon (8.14.2): SMTP+queueing@01:00:00
Dec 26 13:43:07 w3 sm-msp-queue[7073]: starting daemon (8.14.2): queueing@01:00:00
Dec 26 13:44:34 w3 sendmail[7102]: mBQCiYB3007102: from=root, size=82, class=0, nrcpts=1, msgid=<200812261244.mBQCiYB3007102@w3.mydomain.nl>, relay=root@localhost
Dec 26 13:44:34 w3 sendmail[7104]: STARTTLS=server, relay=localhost.localdomain [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Dec 26 13:44:34 w3 sendmail[7102]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Dec 26 13:44:34 w3 sendmail[7104]: mBQCiYf7007104: from=[...], size=366, class=0, nrcpts=1, msgid=<200812261244.mBQCiYB3007102@w3.mydomain.nl>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Dec 26 13:44:34 w3 sendmail[7102]: mBQCiYB3007102: to=..., ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30082, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (mBQCiYf7007104 Message accepted for delivery)
Dec 26 13:48:34 w3 sendmail[7106]: mBQCiYf7007104: to=[...], ctladdr=[root@w3.mydomain.nl] (0/0), delay=00:04:00, xdelay=00:04:00, mailer=relay, pri=120366, relay=smtp.gmail.com [74.125.79.111], dsn=4.0.0, stat=Deferred: Connection timed out with smtp.gmail.com

Anyone any ideas...

Unix Geek said...

Raja,

This writeup is perfect and with little modifications, it worked on my Solaris box as well. I have also posted the screen logs for others' reference, for those who are looking for its Solaris replica. Here is the link to that:

http://unixadministrator.blogspot.com/2009/03/gmail-as-smarthost-for-solaris-sendmail.html

Appreciate your good work by putting this entry. It helped me a lot!

Cheers,
Unix Geek

ghantoos said...

thank you for this post!

Just in case some of you have the following error when starting sendmail:
Warning: Option: AuthMechanisms requires SASL support (-DSASL)

The solution I chose was to install /usr/ports/mail/sendmail-sasl

Then edit /etc/mail/mailer.conf and replace "/usr/libexec/sendmail/sendmail" with "/usr/local/sbin/sendmail"

Hope this helps,

Thanks for this post again!

Cheers,
Ignace M -ghantoos-

the blues said...

When I run the make command I get the following error:
bash-3.2# /usr/ccs/bin/make
test ! -f local.cf || /usr/bin/mv local.cf local.cf.prev
/usr/ccs/bin/m4 ../m4/cf.m4 local.mc > local.cf

/usr/ccs/bin/m4:local.mc:37 can't open file
include(../feature/authinfo.m4)
*** Error code 1
make: Fatal error: Command failed for target `local.cf'

the blues said...

define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/CAcert.pem')
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl



How will it recognise CERT_DIR? Is it defined anywhere?
