Posts tagged sendmail
Sassy Cyrus SASL (Say that 5 times fast!)
This is a re-post of an old tutorial I wrote with some minor updates for more recent versions of OpenBSD.
One of the greatest challenges in migrating my server from a managed FreeBSD server to the new OpenBSD server was learning how to implement support for SASL on SMTP connections. This seems like something so elementary in a mail server that it should be really simple. Unfortunately, simply installing the cyrus-sasl package doesn’t handle the integration with sendmail for you nor is there any really good documentation online. I was particularly disappointed that OpenBSD’s documentation was completely silent on how to do it.
When I searched online, nearly all of the results for SASL on OpenBSD were for Postfix. Fortunately, I did come across an article on how to do it. While it was written for OpenBSD 3.3, nearly all of the steps also apply to 4.7 and later. You can find the original article here.
First we’re going to need to install the cyrus-sasl package. We’re going to be using the plain vanilla version which allows us to use OpenBSD’s Unix style authentication from /etc/master.passwd. There are other flavors for LDAP, MySQL, and db4.
Here we’ll choose option 1.
Next we want to let saslauthd (the Cyrus SASL 2 daemon) know that it’s going to be working with sendmail and what types of authentication we want to support. This is done by creating a file called Sendmail.conf in /usr/local/lib/sasl2 like this. The cat command listed first allows you to enter the contents into the file without opening an editor such as vi.
# cat > /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN
(hit ctrl-d to save)
There are other authentication methods than just LOGIN and PLAIN that you can use such as DIGEST-MD5 and CRAM-MD5 that you can also add on the second line of the file if you plan on using them. Since we’re using OpenBSD’s own authentication mechanism we’ll omit them from the line.
Before we forget, let’s add our startup script to /etc/rc.local to ensure that saslauthd is started with the server:
if [ -x /usr/local/sbin/saslauthd ]; then
echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a getpwent
fi
On OpenBSD 5.0 and later*, saslauthd will be started using the rc.d(8) mechanism. You will need to add the following lines to /etc/rc.conf.local:
pkg_scripts="saslauthd"
saslauthd_flags="-a getpwent"
* If you’re using 4.9, use “rc_scripts” in place of “pkg_scripts”.
Worth noting here is that we are using getpwent(3) as our authentication method. This is basically just saying that we’re authenticating against /etc/master.passwd. Since saslauthd defaults to starting up 5 threads or processes each time it runs, we can limit this by adjusting the startup command with a -n option followed by the desired number of threads we want to limit to. This may be desirable on an older machine with fewer resources.
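The Sendmail.conf created above can be checked mechanically. The following is an added example, not part of the original post: a shell lint (conf_value and lint_sasl_conf are hypothetical names) that flags PLAIN and LOGIN as mechanisms to offer only over TLS, because they carry the password base64-encoded, and notes that CRAM-MD5 and DIGEST-MD5 are verified against an auxprop store such as sasldb rather than by saslauthd.

```sh
#!/bin/sh
# Added example (not from the original post): lint a Cyrus SASL application
# config such as /usr/local/lib/sasl2/Sendmail.conf.
# conf_value and lint_sasl_conf are hypothetical helper names.

# conf_value FILE KEY: print the value of a "KEY: value" line (last one wins).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# lint_sasl_conf FILE: print one finding per line.
lint_sasl_conf() {
    method=$(conf_value "$1" pwcheck_method)
    mechs=$(conf_value "$1" mech_list | tr '[:lower:]' '[:upper:]')
    # Without pwcheck_method the library default (auxprop) applies, so
    # PLAIN/LOGIN passwords are never handed to saslauthd.
    [ "$method" = saslauthd ] ||
        echo "WARN pwcheck_method is '${method:-unset}', not saslauthd"
    [ -n "$mechs" ] ||
        echo "WARN mech_list unset: every installed mechanism is offered"
    for m in $mechs; do
        case $m in
            PLAIN|LOGIN)
                # The password crosses the wire base64-encoded, not encrypted.
                echo "TLS-ONLY $m: offer only after STARTTLS" ;;
            CRAM-MD5|DIGEST-MD5)
                # Shared-secret mechanisms need the stored plaintext secret,
                # which getpwent (hashed master.passwd entries) cannot give.
                echo "AUXPROP $m: checked against sasldb, not saslauthd" ;;
            *)
                echo "REVIEW $m: not covered by this check" ;;
        esac
    done
}

# Constructed sample: the file from the post plus one extra mechanism.
sample=$(mktemp)
printf 'pwcheck_method: saslauthd\nmech_list: LOGIN PLAIN CRAM-MD5\n' > "$sample"
lint_sasl_conf "$sample"
rm -f "$sample"
```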
Chicks dig OpenBSD (femail)
Recently I’ve had this really nagging issue where I could no longer send email from Roundcube. Mail would send just fine from any email client. A review of the mail logs for the failed message being sent from Roundcube gave a puzzling error about an unbalanced “<” preceding the recipient’s name with the email address. I did find that removing the person’s name preceding the email address from the “To” line allowed me to send the message. Basically, removing the name when the field looks like this:
John Doe <user@somedomain.com>
I tried playing around with a few things including re-installations of Roundcube and did a really thorough glean of my sendmail config files comparing them to the defaults. Looking through the MySQL database showed no extra angle brackets in any of the stored contacts. I did find a post on the Roundcube forums about the same error but for an older version. I tried messing around with some of the PHP files as the fix mentioned in the article was no longer applicable due to filename changes, but had no change in behavior. Thinking that perhaps there was some bug in the PHP code itself I tried installing later versions but I still got the same error about the message failing to send. I had no issues with the 0.3.x releases. This issue cropped up in the 0.5.x branch.
Finally on a hunch I began to suspect that mini_sendmail-chroot was the culprit. It turns out that I was exactly right. A search of the OpenBSD mailing list archives pointed me to a replacement called femail-chroot which was described as being less problematic. I tried it out and problem resolved! I’m not sure what it was about mini_sendmail that breaks with newer PHP scripts. Unfortunately, the project is apparently no longer maintained with the last release being from 2005.
Femail is basically a drop-in replacement for mini_sendmail. The only work involved is to just point PHP to it in your php.ini and restart Apache. You can install femail-chroot as a package (run pkg_add femail-chroot as root) or from ports (mail/femail). If you install it from ports please note that the chrooted version is available as a flavor.
A message for you, sir!
What’s PHP without mail? Well, it’s quite the pain to get working inside a chroot with Apache. After a week of searching online and trying out different things in php.ini I’ve found the answer.
First, it’s important to know that PHP can’t call the server’s copy of sendmail inside the chroot. Therefore, you’re going to need one that it can use. Luckily it’s available as a package or a port (mail/mini_sendmail). To install the package simply run:
pkg_add mini_sendmail-chroot
Second, you need a copy of the Bourne shell for the chroot. Grab a copy like this:
cp /bin/sh /var/www/bin/sh
Lastly, we need to tell PHP where to find mini_sendmail. So, we are going to edit our php.ini (in /var/www/conf/php.ini) and change the sendmail_path line like this:
sendmail_path = "/bin/mini_sendmail -t -i"
Stop (if running) and start Apache:
apachectl stop; apachectl start
Have fun and use this for good, not spamming!
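The three steps above can be verified before restarting Apache. This is an added example, not part of the original post: a shell check (check_php_mail_chroot is a hypothetical name) that reads sendmail_path from php.ini and confirms that both /bin/sh and the mailer exist and are executable below the chroot directory, using a constructed temporary tree in place of /var/www.

```sh
#!/bin/sh
# Added example (not from the original post): verify that a chrooted PHP can
# reach the mailer named in php.ini. check_php_mail_chroot is a hypothetical name.

# check_php_mail_chroot CHROOT PHPINI
# Prints one line per check; returns non-zero if anything is missing.
check_php_mail_chroot() {
    root=$1; ini=$2; rc=0
    # Value of the last active (uncommented) sendmail_path line, quotes removed.
    cmd=$(sed -n 's/^[[:space:]]*sendmail_path[[:space:]]*=[[:space:]]*//p' "$ini" |
          tail -n 1 | tr -d '"')
    bin=${cmd%% *}                      # first word is the binary, the rest flags
    if [ -z "$bin" ]; then
        echo "FAIL sendmail_path is not set in $ini"
        return 1
    fi
    # mail() starts the command through /bin/sh, resolved inside the chroot,
    # so both the shell and the mailer must exist below CHROOT.
    for f in /bin/sh "$bin"; do
        if [ -x "$root$f" ]; then
            echo "OK   $root$f"
        else
            echo "FAIL $root$f is missing or not executable"
            rc=1
        fi
    done
    # -t makes the mailer take recipients from the message headers.
    case " $cmd " in
        *" -t "*) echo "OK   -t present" ;;
        *)        echo "FAIL -t missing from sendmail_path"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample tree standing in for /var/www: php.ini and a shell are
# in place, but the mailer has not been installed yet.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/conf"
printf 'sendmail_path = "/bin/mini_sendmail -t -i"\n' > "$demo/conf/php.ini"
printf '#!/bin/sh\n' > "$demo/bin/sh" && chmod +x "$demo/bin/sh"
check_php_mail_chroot "$demo" "$demo/conf/php.ini" || echo "chroot is not ready for mail()"
rm -rf "$demo"
```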