#### NOTICE ####
#### This document was written for OpenBSD 3.6.
#### While it may have useful information, it is most certainly out of
#### date.
####
#### TLS/SSL is now included in OpenBSD as is libmilter.
#### CLAMAV is available in ports/packages
#### SMTP AUTH is very easy to add.
####

OpenBSD sendmail + auth + tls/ssl + libmilter + clamav + clamav-milter

This document describes recompiling Sendmail on OpenBSD with SMTP AUTH,
TLS/SSL, and ClamAV anti-virus support (via milter).

Website references:

  Sendmail/AUTH/SSL
    http://www.dorkzilla.org/~dlg/sendmail/
    http://www.backwatcher.org/writing/howtos/obsd-sendmail+sasl.html

  Sendmail/ClamAV/milter
    http://unixscout.0xfce3.net/cgi-bin/show.pl?such=faq_clamav.html
    http://activeintra.net/projects/clamav/openbsd/
    http://www.fatbsd.com/openbsd/index.php
    http://www.clamav.net/

- Install the Cyrus SASL v2 package or port.

- Tweak and configure the SASL installation:

    # cd /usr/local/lib; ln -s libsasl2.so.2.11 libsasl2.so
    # echo pwcheck_method: saslauthd > /usr/local/lib/sasl2/Sendmail.conf
    # mkdir /var/sasl2

- Retrieve the ClamAV port and put it in the ports tree. Example:

    # cd /usr/ports/security
    # wget http://www.fatbsd.com/openbsd/clamav-0.67-1_3.4.tar.gz
    # tar xvzf clamav-0.67-1_3.4.tar.gz
    # mv clamav-0.67-1 clamav

- Add the following to /etc/mk.conf in preparation for recompiling sendmail.

    # echo WANT_SMTPAUTH=YES >> /etc/mk.conf
    # echo WANT_LIBMILTER=YES >> /etc/mk.conf

- Recompile and reinstall OpenBSD's sendmail (requires OpenBSD source).
  This also installs libmilter.

    # cd /usr/src/gnu/usr.sbin/sendmail
    # make depend
    # make
    # make install

- Copy some headers necessary for clamav-milter to build correctly.

    # cd /usr/src/gnu/usr.sbin/sendmail/libmilter
    # mkdir /usr/include/libmilter
    # cp /usr/src/gnu/usr.sbin/sendmail/include/libmilter/*.h \
         /usr/include/libmilter

- Build and install clamav and clamav-milter, making sure to set the port
  environment variable to build clamav-milter (csh example).
    # cd /usr/ports/security/clamav
    # setenv FLAVOR milter
    # make install

- A _clamd user was added to the system, so make sure to add an alias
  for the user to root:

    _clamd: root

    # /usr/bin/newaliases

- Copy over sample configs to /etc AND CUSTOMIZE. See the end of this
  document for a customized example (see clamav.conf(5)).

    # cp /usr/local/share/examples/clamav.conf /etc/clamav.conf
    # cp /usr/local/share/examples/freshclam.conf /etc/freshclam.conf

- Make sure that /var/run/clamd exists and is owned by _clamd. This step
  also needs to happen at system startup (see below) since most things in
  /var/run are deleted when the system boots.

- Start clamd, get the latest virus definitions, and start clamav-milter.

  Note: The path to the clamav milter socket MUST match what gets defined
  in the sendmail config (see below).

  Note: The following options to clamav-milter might want to be customized
  (see clamav-milter(8)):

    -q (quiet) will NOT notify anyone that a virus has been detected.
       Otherwise postmaster and the intended recipient will get a message.

    --noreject will cause the message NOT to be rejected during the SMTP
       conversation. Otherwise a 500 error is sent to the sending system
       and the message is rejected during the SMTP conversation.

    # /usr/local/sbin/clamd
    # /usr/local/bin/freshclam -l /var/log/clam-update.log \
         --daemon-notify
    # /usr/local/sbin/clamav-milter -loq /var/run/clamd/clmilter.sock

- Set up a cron job to get the ClamAV virus definition files on a regular
  basis. Example:

    # CLAMAV update
    0 8 * * * /usr/local/bin/freshclam --quiet -l \
         /var/log/clam-update.log --daemon-notify

- Build and install SSL self-signed certificates.
    # mkdir /etc/mail/certs
    # cd /etc/mail/certs
    # openssl req -newkey rsa:1024 -keyout TMP.key \
         -nodes -x509 -days 9999 -out TMP.crt
    # cat TMP.key > sendmail.pem
    # echo "" >> sendmail.pem
    # cat TMP.crt >> sendmail.pem
    # cp TMP.crt ca-bundle.crt
    # rm TMP.key TMP.crt
    # chmod 400 sendmail.pem
    # chmod 400 ca-bundle.crt

- Build a new sendmail.cf file via a customized mc file. See the end of
  this document for a sample mc file with comments that supports the
  clamav milter, SSL, and auth, as well as other features.

    # cd /etc/mail
    # m4 /usr/share/sendmail/m4/cf.m4 new_config.mc > sendmail.cf

- Change sendmail startup parameters in /etc/rc.conf. By default sendmail
  only listens on localhost.

- Set clamd, clamav-milter, and saslauthd to run at startup in
  /etc/rc.local. Note: /var/run/clamd must be created (and owned properly)
  since everything in /var/run is deleted in /etc/rc at startup.

    # SASLAuthd
    if [ -x /usr/local/sbin/saslauthd ]; then
            echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a getpwent
    fi

    # CLAMD & CLAMAV-MILTER
    if [ -x /usr/local/sbin/clamd ]; then
            mkdir /var/run/clamd
            chown _clamd /var/run/clamd
            /usr/local/sbin/clamd
            echo -n ' clamd'
            if [ -x /usr/local/sbin/clamav-milter ]; then
                    # Remove stale socket file if present because
                    # clamav-milter will not start if an old socket
                    # is there.
                    rm -f /var/run/clamd/clmilter.sock
                    /usr/local/sbin/clamav-milter -loq \
                            /var/run/clamd/clmilter.sock > /dev/null 2>&1
                    echo -n ' clamav-milter'
            fi
    fi

END OF INSTRUCTIONS


SAMPLE clamav.conf CONFIGURATION

-----CUT HERE-----CUT HERE-----CUT HERE-----CUT HERE-----
LogFile /var/log/clamd.log
LogTime
PidFile /var/run/clamd/clamd.pid
DatabaseDirectory /usr/local/share/clamav
LocalSocket /var/run/clamd/clamd.sock
FixStaleSocket
StreamSaveToDisk
MaxThreads 10
MaxDirectoryRecursion 15
FollowDirectorySymlink
FollowFileSymlinks
User _clamd
AllowSupplementaryGroups
ScanOLE2
ScanMail
ScanArchive
ScanRAR
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxCompressionRatio 200
ArchiveLimitMemoryUsage
-----CUT HERE-----CUT HERE-----CUT HERE-----CUT HERE-----


SAMPLE SENDMAIL M4 CONFIGURATION

-----CUT HERE-----CUT HERE-----CUT HERE-----CUT HERE-----
divert(-1)
#
# Copyright (c) 1998 Sendmail, Inc.  All rights reserved.
# Copyright (c) 1983 Eric P. Allman.  All rights reserved.
# Copyright (c) 1988, 1993
#	The Regents of the University of California.  All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
######### Following 4 lines are default from the OpenBSD prototype file
divert(0)dnl
OSTYPE(openbsd)
FEATURE(nouucp, `reject')
FEATURE(`no_default_msa')

dnl ##### Use a local-host-names file to define local hosts/domains
dnl ##### Alternatively, use LOCAL_DOMAIN directives:
dnl ##### LOCAL_DOMAIN(`fqdn.of.machine.org')
dnl ##### LOCAL_DOMAIN(`domain.org')
FEATURE(`use_cw_file')

dnl ##### Use an access db file to allow/reject hosts/domains
FEATURE(access_db)

dnl ##### Use DNSBL lists to thwart spammers
FEATURE(blacklist_recipients)dnl
FEATURE(dnsbl, `sbl-xbl.spamhaus.org', `Rejected - see http://www.spamhaus.org')dnl
FEATURE(dnsbl, `dnsbl.njabl.org', `Rejected - see http://www.njabl.org')dnl

dnl ##### The following two lines enable SMTP AUTH
dnl ##### Additionally the following line can be used to block PLAIN and
dnl ##### LOGIN if there is no STARTTLS
dnl ##### define(`confAUTH_OPTIONS',`p,y')dnl
define(`confAUTH_MECHANISMS',`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl

dnl ##### Use SSL via STARTTLS
define(`confCACERT_PATH',`/etc/mail/certs')
define(`confCACERT',`/etc/mail/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/etc/mail/certs/sendmail.pem')
define(`confSERVER_KEY',`/etc/mail/certs/sendmail.pem')

dnl ##### Disable EXPN VRFY and VERB
define(`confPRIVACY_FLAGS',`goaway')

dnl ##### Customize the greeting banner
define(`confSMTP_LOGIN_MSG', `intlcom.org - ESMTP service ready')dnl

dnl ##### Use the clamav milter to access clamav. Note the path to the
dnl ##### clamav milter socket MUST match exactly.
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamd/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')

dnl ##### Back to default OpenBSD settings.
MAILER(local)
MAILER(smtp)

dnl ##### Customize which addresses/ports sendmail should listen on.
DAEMON_OPTIONS(`Family=inet, address=0.0.0.0, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet, address=0.0.0.0, Port=587, Name=MSA, M=E')
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
dnl
dnl Some broken nameservers will return SERVFAIL (a temporary failure)
dnl on T_AAAA (IPv6) lookups.
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
dnl
dnl Enforce valid Message-Id to help stop spammers
dnl
LOCAL_RULESETS
HMessage-Id: $>CheckMessageId

SCheckMessageId
R< $+ @ $+ >		$@ OK
R$*			$#error $: 553 Header Error
-----CUT HERE-----CUT HERE-----CUT HERE-----CUT HERE-----
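An added sanity check, not part of the original howto: a POSIX sh script that confirms the two things the notes above insist on, that the milter socket path in the .mc file matches the one rc.local starts clamav-milter with (with F= and no failure flag, sendmail accepts mail unscanned when it cannot reach the milter), and that sendmail.pem and ca-bundle.crt are mode 400. The helper names and the sample files are my own, modelled on the snippets above.

```shell
#!/bin/sh
# Added check (not from the howto): milter socket path in the .mc file must
# equal the one rc.local passes to clamav-milter, and the TLS key/cert files
# must be mode 400. The sample files below are constructed for this example.
# Socket path from INPUT_MAIL_FILTER(`...',`S=local:<path>, ...') in a .mc file.
mc_socket() {
    sed -n 's/.*INPUT_MAIL_FILTER(.*S=local:\([^,]*\),.*/\1/p' "$1"
}
# First non-option argument of the clamav-milter command in an rc script,
# joining backslash-continued lines first (the howto splits the command).
rc_socket() {
    awk '/\\$/ { sub(/\\$/, ""); line = line $0; next }
         { line = line $0; sub(/^[[:space:]]+/, "", line)
           n = split(line, f, /[[:space:]]+/)
           if (f[1] ~ /clamav-milter$/)
               for (i = 2; i <= n; i++)
                   if (f[i] !~ /^-/) { print f[i]; exit }
           line = "" }' "$1"
}
# Succeeds only if every file listed is readable by its owner alone (0400).
certs_private() {
    for f in "$@"; do
        [ "$(ls -ld "$f" | cut -c1-10)" = "-r--------" ] || return 1
    done
}
# usage: check_config sendmail.mc rc.local certdir
check_config() {
    mc=$(mc_socket "$1"); rc=$(rc_socket "$2")
    [ -n "$mc" ] && [ "$mc" = "$rc" ] ||
        { echo "socket mismatch: mc='$mc' rc='$rc'"; return 1; }
    certs_private "$3/sendmail.pem" "$3/ca-bundle.crt" ||
        { echo "cert files in $3 must be mode 400"; return 1; }
    echo "ok: milter socket $mc, cert permissions 400"
}
# Constructed sample inputs mirroring the howto's snippets.
tmp=$(mktemp -d)
cat > "$tmp/new_config.mc" <<'EOF'
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamd/clmilter.sock, F=, T=S:4m;R:4m')dnl
EOF
cat > "$tmp/rc.local" <<'EOF'
if [ -x /usr/local/sbin/clamav-milter ]; then
        /usr/local/sbin/clamav-milter -loq \
                /var/run/clamd/clmilter.sock > /dev/null 2>&1
fi
EOF
mkdir "$tmp/certs"; : > "$tmp/certs/sendmail.pem"; : > "$tmp/certs/ca-bundle.crt"
chmod 400 "$tmp/certs/sendmail.pem" "$tmp/certs/ca-bundle.crt"
check_config "$tmp/new_config.mc" "$tmp/rc.local" "$tmp/certs"
```

Run it against the real /etc/mail/new_config.mc, /etc/rc.local and /etc/mail/certs after editing them; a non-zero exit names which of the two checks failed.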