# Sendmail AUTH TLS questions



## qsecofr (Apr 27, 2015)

Hi,

I host 2 domains.  One server acts as the primary mail MX for both domains.  I'd like to add the ability for me to relay mail through this host while remote and connected via WiFi to some other public network.  The relaying ability needs to be authenticated, and encrypted.  I don't want an open relay.  And I don't want to force other MTAs to deliver mail bound for these 2 domains to either authenticate or do SSL/TLS.

In searching about sendmail plus SMTP-Authentication and STARTTLS, I thought I remembered coming across a link stating something like "..don't do this, unless your mailer just forwards to your ISP's MTA in something of a smarthost setup.."  I lost the link before I could examine it closely.  I suspect it had some cautionary warning about breaking the expected behavior of communication between MTA & MTA over port 25.   Am I wrong in expecting that secure authentication is OK for relaying my mail through my host bound for some other domain?

And then I also found links describing smtps and ports 465 versus 587 (among the links that weren't years old).  Is using port 587 the recommended way to do secure authentication?  I assume sendmail can service both ports 25 and 587.  And I assume MUAs can interface with port 587..

The handbook describes enabling SMTP Authentication.  But I'm not sure those instructions included the secure half of secure authentication.  Did I misunderstand what was written?

I expect it's recommended that sendmail use port 25 to accept mail bound for "this" domain, unauthenticated and unencrypted.  I don't want to break what's already working.  Just add secure auth for my own relay..

If there's a good up-to-date link to a how-to that anyone can point me to, I'd appreciate it.

Thanks in advance


----------



## Deleted member 9563 (Apr 27, 2015)

Forgive me if I'm a little off here, but I found that sending all my local e-mail through a remote postfix server works fine with this:
`ssh -f user@personal-server.com -L 2000:personal-server.com:25 -N`
It seems to me that you could do the same. I came to this way of doing it by getting suggestions from others in this thread.


----------



## usdmatt (Apr 27, 2015)

The instructions in the handbook should talk you through getting SMTP authentication working.
https://www.freebsd.org/doc/en/books/handbook/SMTP-Auth.html

After that, you should be able to deliver mail to the server normally, but to relay you will need to either be coming from a host in /etc/mail/relay-domains (or sending to a domain in that file), or authenticate.

Then you just need to enable SSL. Maybe I'm forgetting a step but I'm sure I usually just put the following in my server's mc file and rebuild it:


```
dnl TLS: the CA bundle, and the certificate/key pair sendmail presents
dnl as a server (STARTTLS on inbound connections) and as a client
dnl (STARTTLS when this host delivers to other MTAs)
define(`CERT_DIR', `/my/cert/directory')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl   directory of trusted CA certs
define(`confCACERT', `CERT_DIR/ca.crt')dnl  CA certificate file
define(`confSERVER_CERT', `CERT_DIR/cert.crt')dnl
define(`confSERVER_KEY', `CERT_DIR/cert.key')dnl  private key: mode 0600, root-owned
define(`confCLIENT_CERT', `CERT_DIR/cert.crt')dnl
define(`confCLIENT_KEY', `CERT_DIR/cert.key')dnl
```
Then configure your client to use TLS.

Ports 25 and 587 both effectively do the same thing. It's a shame they weren't originally split so 587 could only be used by authenticated users, and 25 only for local delivery or configured relays, but unfortunately 25 became the standard for everything. As both those ports support non-TLS traffic and TLS by sending the STARTTLS command, I never really have a need for any of the other ports (which I believe were for pure SSL connections?).

Regarding rebuilding the mc file, if you run `make` in /etc/mail, you should end up with a file called hostname.mc. Ideally you should be editing that file, then running `make install restart` to rebuild the sendmail configuration files, install them and restart the service.


----------
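A complete set of `.mc` lines that does what this thread is after, added here as an editor's example; it is not code from usdmatt's post or from the handbook. It assumes sendmail was rebuilt with SASL support as the handbook's SMTP-Auth chapter describes, that saslauthd is running, and that the certificate paths, the daemon names `MTA`/`MSA` and the `/etc/mail/access` file are placeholders for the reader's own. Beyond the TLS lines usdmatt posted it adds the pieces he says he may be forgetting: the AUTH mechanisms to offer, the `p` option that keeps PLAIN/LOGIN off the wire until STARTTLS has been negotiated, and a separate listener on port 587 that insists on authentication, while port 25 stays open for ordinary MTA-to-MTA delivery to the hosted domains.

```m4
dnl Added example (not from the thread): STARTTLS on 25 and 587, SMTP AUTH
dnl required to relay, inbound MTA traffic on 25 left unauthenticated.
dnl Paths and the names MTA/MSA are placeholders; a SASL-enabled sendmail
dnl plus saslauthd (handbook SMTP-Auth chapter) are assumed.

dnl --- TLS material ---
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/ca.crt')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.crt')dnl
define(`confSERVER_KEY', `CERT_DIR/cert.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.crt')dnl
define(`confCLIENT_KEY', `CERT_DIR/cert.key')dnl
dnl V: do not ask peers for a client certificate; other MTAs will not have one.
define(`confTLS_SRV_OPTIONS', `V')dnl

dnl --- SMTP AUTH via Cyrus SASL / saslauthd ---
dnl Mechanisms to offer, and which of them count as trusted for relaying.
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
dnl A: honour AUTH= only after a successful authentication.
dnl p: do not offer mechanisms that send a reusable secret (PLAIN, LOGIN)
dnl    unless a TLS layer is already active. Without this, a phone on an
dnl    open WiFi network can be induced to send its password in the clear.
dnl y: do not permit anonymous logins.
define(`confAUTH_OPTIONS', `A p y')dnl

dnl --- Listeners ---
dnl Port 25: the MTA port. STARTTLS is offered but not required, and no
dnl AUTH is needed to deliver to the domains in /etc/mail/local-host-names.
DAEMON_OPTIONS(`Port=smtp, Name=MTA, Family=inet')dnl
dnl Port 587: submission only. M=E refuses ETRN; M=a requires a successful
dnl AUTH before MAIL FROM is accepted, so an unauthenticated client cannot
dnl even attempt a relay here. no_default_msa drops sendmail's own
dnl built-in 587 listener so the two do not collide.
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

dnl --- Relay policy ---
dnl Relaying stays closed by default: only /etc/mail/access entries,
dnl /etc/mail/relay-domains, or an authenticated session may relay.
FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')dnl
```

Rebuild and install as usdmatt describes (`make install restart` in `/etc/mail`), then check the result from outside: `openssl s_client -starttls smtp -crlf -connect mail.example.org:587` followed by `EHLO test` should list `AUTH PLAIN LOGIN` in the EHLO reply, whereas a plain `telnet mail.example.org 25` EHLO should show `STARTTLS` but no `AUTH` line at all (that is the `p` option at work), and a `MAIL FROM`/`RCPT TO` for a foreign domain on port 25 without AUTH should be answered with a `550 5.7.1 ... Relaying denied`. Point the Android mail client at port 587 with STARTTLS and the username/password saslauthd accepts. If a client insists on port 465 (implicit TLS, "smtps"), a third `DAEMON_OPTIONS` with `Port=smtps, M=Eas` serves that too; the `s` modifier makes sendmail start TLS immediately instead of waiting for STARTTLS.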



## qsecofr (Apr 28, 2015)

> As both those ports support non-TLS traffic and TLS by sending the STARTTLS command


This basically means my sendmail will only demand credentials when relaying, and will not mess up other MTAs when receiving mail bound for the domains it serves?

If so, I like the sound of that.  

re: the VPN..  great idea.  Though, there's just a couple of us on Android phones using the basic mail client..


----------



## usdmatt (Apr 28, 2015)

Seems to work for me. Only authenticated users can relay email but their domains get incoming email from anywhere.


----------



## qsecofr (Apr 28, 2015)

Thanks for clarifying.


----------

