This page is meant as a companion to FreeBSD as a Secure Mail Server Using sendmail and imap-uw.
One of FreeBSD's "weaknesses" was a lack of convenient, vendor-supplied binary updates along with a utility to install binary updates. An attempt to correct this oversight is the freebsd-update utility described at FreeBSD Update. This utility allows for easy binary security and errata updates to be applied to the FreeBSD base system without the compile/build/install requirements. freebsd-update also allows for minor and major version updates.
Unfortunately, one of the downsides of freebsd-update is that it will happily overwrite the base-system sendmail if it is recompiled to support SASLv2. Obviously, this is undesired behavior that can cause problems for admins, usually on Friday evening. One solution is to use freebsd-update to update the base system, then recompile and reinstall sendmail as previously done, but this is inelegant at best and complicates the updating process. Another solution is to move to sendmail installed from FreeBSD's Ports Collection. Installing sendmail from Ports lets us manage sendmail updates separately from the base system, still maintain sendmail configs in /etc/mail, still have proper integration with FreeBSD's sendmail configuration and control variables in /etc/rc.conf, plus the added benefit of letting admins update their FreeBSD machines via freebsd-update without breaking sendmail. Complete integration of Ports-installed sendmail with FreeBSD's base system is made easy through FreeBSD's use of the mailwrapper utility, originally found in NetBSD.
The second option seems to be the best solution to the problem, so the goal is sendmail built from Ports with SASLv2 support. Doing so is fairly straightforward, but wasn't documented clearly anywhere...So here it is.
portsnap fetch update
Install mail/sendmail-sasl from the FreeBSD Ports Collection.
cd /usr/ports/mail/sendmail-sasl && make install clean
When asked to select configuration options for the port, the default options are fine. One that may be worth turning off is PICKY_HELO_CHECK. If PICKY_HELO_CHECK is left on, maillog may get extra notices about connecting MTAs that don't send a proper fully-qualified domain name along with their initial HELO/EHLO communication.
mail/sendmail-sasl depends upon two ports, security/cyrus-sasl2 and security/cyrus-sasl2-saslauthd. If these two ports are not already installed, the installation of mail/sendmail-sasl will ask you for configuration options for these two ports, then install these two ports once they are configured. The default configuration options for security/cyrus-sasl2 are acceptable, but you may wish to disable OBSOLETE_CRAM_ATTR, CRAM, DIGEST, NTLM, OTP and SCRAM since those password-authentication schemes are not going to be used. The default configuration options for security/cyrus-sasl2-saslauthd are acceptable; all options are off by default.
Once the dependencies for mail/sendmail-sasl are met, the port will be built and installed. The Ports-installed sendmail will be located at /usr/local/sbin/sendmail, while the base-system-installed sendmail will still reside at /usr/libexec/sendmail/sendmail.
Compare the "Compiled with" optins listed for the two sendmails. Note the version numbers as well. You can do that via command-line sendmail arguments.
/usr/libexec/sendmail/sendmail -d0.1 -bt < /dev/null
/usr/local/sbin/sendmail -d0.1 -bt < /dev/null
The "Compiled with" options listed for both ports should be very similar, with the exception of SASLv2 listed for the Ports-installed sendmail if you're starting with a base-system-installed sendmail that didn't include SASLv2 support. If the lists don't match, stop now and figure out why. Start by checking the mail/sendmail-sasl port config options.
SENDMAIL_CF_DIR=/usr/local/share/sendmail/cf
This line overrides the default location for the m4 configuration files used to build .cf files from .mc files. The m4 files are now supplied by the mail/sendmail-sasl port instead of the base system.cd /etc/mail && make stop
define(`confEBINDIR', `/usr/local/libexec')dnl define(`UUCP_MAILER_PATH', `/usr/local/bin/uux')dnl
cd /usr/ports/mail/sendmail-sasl && make mailer.conf
FreeBSD uses mailwrapper, a mechanism that invokes the appropriate MTA based on configuration options listed in /etc/mail/mailer.conf. mailwrapper's binary (called sendmail) is located at /usr/sbin/sendmail and is a symbolic link to mailwrapper. mailwrapper will invoke whatever MTA file is specified in /etc/mail/mailer.conf, so that's how FreeBSD's base-system sendmail can be functionally replaced easily.cd /etc/mail && make all install start
Jul 7 02:23:53 just sm-mta[24288]: starting daemon (8.14.7): SMTP+queueing@00:30:00 Jul 7 02:23:53 just sm-msp-queue[24291]: starting daemon (8.14.7): queueing@00:30:00If the daemons are not starting, time to start troubleshooting.
Congratulations, at this point you should have a properly-functioning sendmail installed from Ports. If not, see "Troubleshooting" below.
Did mail/sendmail-sasl get its port options set improperly? Check with 'make showconfig'.
Check to see that the ports-based sendmail is actually the one pointed to by mailwrapper by executing 'sendmail -d0.1 -bt < /dev/null', then compare the version number and 'Compiled with' list with the same test performed on the individual sendmail binaries located at /usr/libexec/sendmail/sendmail and /usr/local/sbin/sendmail. If the wrong one is starting, check /etc/mail/mailer.conf. If /etc/mail/mailer.conf isn't pointing to the right one, fix it via the mail/sendmail-sasl port's "make mailer.conf" command or manually edit /etc/mail/mailer.conf.
Did the SENDMAIL_CF_DIR line get added to /etc/make.conf?
Did the two lines get added to your <hostname>.mc?
Did the mail configs get rebuilt properly via "make all install" in /etc/mail? Did the MTA get started or restarted properly with make start or make restart?
If all else fails, back out. Comment out the SENDMAIL_CF_DIR line in /etc/make.conf, remove the two lines in <hostname>.mc, execute "make mailer.base" in mail/sendmail-sasl to switch /etc/mail/mailer.conf back to the base-system sendmail and execute "make stop && make all install start" in /etc/mail. The base-system sendmail should be running again, none the worse for wear.
Page created 20130708 02:35.
Page modified 20130708 16:08.
Comments? Suggestions? Send them to hemi@puresimplicity.net.
© 2013 Josh Tolbert. This page may not be duplicated without permission.