I have been happily chugging away for the past 5 years with my Solaris 8 server on my home network, using sendmail 8.11.7+Sun for a variety of purposes: scraping financial websites and emailing mashups to myself & friends, developing/testing cgi scripts for websites that need to email form data, etc.
Recently my ISP decided that I must use SSL/Auth to send mail through their SMTP server. In addition to breaking my sendmail implementation, it has broken a number of important Wintel utilities, notably my APC Powerchute Business Edition email notifications, my 3ware RAID controller email notifications, and others. I have contacted tech support for each of the products that I'm having this problem with as well as my ISP and the collective response is a shrug of the shoulders.
What this boils down to is, I have two problems I need to solve:
1) I need to get sendmail working again for non-interactive sessions as shown in the perl code snippet attached to this post.
2) Contingent on (1), I would like to be able to use the Solaris box to relay notification emails from the Wintel box. I do not need to have the Solaris box handle all of my outbound mail (e.g. Thunderbird), just the outbound email from applications that do not support SSL/Auth.
Regarding (1), it seems that the obvious starting point would be to yank the Sun sendmail out by the roots and set up sendmail 8.14.3, but from my reading on the subject it seems that I will need to install OpenSSL and possibly Berkeley DB to meet the prerequisites for compiling sendmail with SSL support. Links to details on this would be much appreciated, especially any info pertaining to steps I need to take to pave the way to solving problem (2) above.
Regarding (2), all of the info I've been able to dig up on SMTP/SSL relay configuration assumes that the user wants the client to make an SSL connection to the relay. That's not what I want. What I need is to have my client applications send their mail to the relay on the Solaris box with NO authentication (I suppose I need to set up an SMTP server of some flavor) and have that mail relayed to my ISP's SMTP server using SSL and user/pass authentication (again, this needs to be non-interactive).
Note that security is not the highest priority here; these machines all sit behind a router with built-in firewall/NAT and are essentially invisible to the internet at large (as far as I can tell with grc.com ShieldsUP). So long as it's reasonably secure, that's fine; I don't have to worry about port scans, spammers, etc.
#!/usr/bin/perl -T
.
.
.
open MAIL, "| /usr/lib/sendmail -t -F'$from_name' -f'$from_email'"
    or die "Could not open sendmail: $!";
print MAIL <<END_OF_HEADER;
To: $email
Reply-to: $from_email
Subject: $sub
$type_string
END_OF_HEADER
open(FILE, "< ./reports/$rpt_file.$type")
    or die "Couldn't open $rpt_file.$type for reading: $!\n";
while (<FILE>) {
    chomp($_);
    print MAIL "$_\n";
}
close(FILE);
if($type_string) {
    print MAIL end_html();
}
close MAIL or die "Error closing sendmail: $!";
print "<li>Sent $sub.</li><br>\n";
}
Don't get me wrong - I've been hacking around Solaris since Solaris v1.4/SunOS v4.1.4. But Sun's sendmail implementation is horribly out-of-date on Solaris 8. They ought to be ashamed of it, and I don't blame your ISP for wanting you to use something more secure. They also tend to hardcode in NIS/NIS+ support and the service.switch file. Yuk. When I was still running Solaris v8, the first thing I did after install was pkgrm the Sun-supplied packages ("pkgrm SUNWsndmr" and "pkgrm SUNWsndmu", I think) and go install my own build.
That said, yes, since Solaris v8 didn't have a *lot* of software now considered "standard", you'd have to install OpenSSL (don't forget the /dev/random patch, too) for SSL support. You could probably get by without installing Berkeley DB, but it's nice to have.
You can get a lot of those things from SunFreeWare. You can also get a sendmail build from there, one from *this* century, rather than the decrepit old garbage that Sun still includes with even the latest Solaris 8 Maintenance Update.
As for SMTP AUTH, I really hate to burden sendmail with that task. Personally, I'd try to approach it using OpenSSH (something else that can be a bear on Solaris v8, because the Sun-supplied version of Zlib is almost as outdated as their sendmail). Allow authenticated users to do port redirection to TCP/25 on the Solaris host. Creates a secure, encrypted and authenticated connection and controls access to sendmail.
Thanks, I do appreciate your comments but they don't seem to address the problem. It's not clear to me how OpenSSH would help, when my ISP requires that outbound mail uses SSL/port 465 and my clients do not support any form of auth -- they are hardcoded to pass, at most, a username to the SMTP server.
To reiterate:
1) My clients need to be able to talk to an SMTP server on my local Solaris box, without authentication/SSL.
2) My Solaris box then needs to be able to forward that mail to my ISP's SMTP server using SSL, port 465, with user/pass auth. I have no control over this whatsoever, and it is a hard requirement.
Also, I do not need to control access to sendmail. My firewall is secure enough that plain old SMTP/Port 25 will not present a security risk, and this machine will never live in the DMZ. If the machine ever does get compromised, I can just restore from one of my periodic backups that I make to a spare drive using dd. It is a development machine after all, so I tend to be prepared for the worst. :)
Note: I would offer more points for this, but I only have 125 to offer.
Well, I wasn't saying what I was saying due to points - I quit tracking my points and rank some time ago. But maybe the extra points might attract some other folx.
Anyway, back to your situation, yes, what you've said makes your specific environment a bit clearer. Given the situation, I'd look at the sendmail on SunFreeware, but as I recall that doesn't have SSL compiled in. Unless I'm mistaken, that means your only real choice would be to build it yourself. Since Solaris 8 doesn't have OpenSSL, you'll need to build/install that first (you could probably get away with the SunFreeware package).
Remember that you really need Solaris 8 patch 112438-03 (or later) to patch Solaris to have /dev/[r,ur]andom. That or use an EGD (I really recommend installing the patch). I dunno if the SunFreeware OpenSSL package checks for the patch or requires it or what. I always build my own OpenSSL.
If I'm correct and you do need to build your own sendmail, be sure to shut down and pkgrm the Sun-supplied sendmail packages. This is *very* important. I neglected to do that at first, and the first Maintenance Update I applied that had new versions of the packages trashed my hand-built sendmail install. Took me most of a day to get everything put back together.
When I built OpenSSL on Solaris 8, I used gcc v3.3.2, which I installed from the SunFreeware package. Also, I replaced /usr/ccs/bin/make with GNU make v3.8x - some software source builds don't get along with Sun's make.
I built OpenSSL without RC5 or IDEA support, due to patent/licensing concerns. I also built with shared libraries. I don't recall any particular issue with building OpenSSL on Solaris 8, once the patch I mentioned had been installed.
You mentioned Berkeley DB - I dunno if sendmail requires it for SMTP AUTH. I do know that it seems to make life easier with sendmail, so I'd recommend installing it. I think it's available as a SunFreeware package. If you end up building it yourself, it shouldn't be a problem. I was building Berkeley DB v4.1 on Solaris 8 and doing it as a vanilla build. Just run the configure script, make and then make install.
If you build sendmail, I'd recommend getting the v8.14.2. Latest is v8.14.3, but I've heard of some bugs, and they changed some of the APIs. v8.14.2 is perfectly good.
Here's the statements I added to ./devtools/Site/site.config.m4 when I was building sendmail on Solaris 8 (your paths may vary):
As for SMTP AUTH, I don't have a lot of experience with that, so I'm probably not the best person to advise you. I'll see if I can't find some decent web resources to point you to.
Thanks, lots of good stuff to chew on. BTW, the comments about points were not so much for you, but to try and attract more attention in general. I'd have done it even if I had seen your profile before making that post. :)
Speaking of out of date, I have my share of out-of-date stuff. I do have random, but it needs a patch. In fact, I'm sure that I could stand to go on a patch-a-thon. :)
You were right about the Sun package names for their sendmail. I'll be sure to pull those out first, backing up the .cf file for reference.
I'm still not sure what benefit Berkeley DB offers for my purposes, but I'll read up on it and probably get the compiled package as you suggest, as well as an updated gcc and make. OpenSSL and sendmail I'll compile myself. Hopefully I can just put the creds for SMTP auth in a config file somewhere and twiddle the sendmail.cf file to get the SSL connection up -- once I have a sendmail that supports it.
I may be at it for a few days, finding snippets of free time here and there, but it looks like some great stuff to try -- you may have just solved half of the problem by pointing me in the right direction on this. Once I have this much of it working then the next hurdle is the SMTP relay. Nothing else I need to do on this first stage to lay the groundwork for that?
Thx,
D
# patchk.pl | grep 112438
112438 01 CURRENT SunOS 5.8: /kernel/drv/random patch
# pkginfo | grep mail
system SUNWsndmr Sendmail root
system SUNWsndmu Sendmail user
# pkginfo | grep -i ssl
# gcc -v
Reading specs from /opt/sfw/lib/gcc-lib/sparc-sun-solaris2.8/2.95.2/specs
gcc version 2.95.2 19991024 (release)
#
Any particular reason why you recommend gcc 3.3.2 over 3.4.6? On SunFreeware, gcc 3.3.2 shows a dependency on libiconv, which in turn has a dependency on gcc 3.4.6?? %)
Seems I ought to just go with 3.4.6, unless there are issues with that rev?
I seem to recall a dependency issue that made for problems with gcc v3.4.6. It probably was libiconv, and it was just easier to stay with the older rev. Or at least that's what I recall.
You seem to have gcc v2.95 already, and it may be that'll work fine. As you know, some fraudulent waste-of-oxygen at Sun decided to remove all C compilers from Solaris v2, and when I was building Solaris 8 systems, gcc v3.x was current, and I settled on gcc v3.3.2. If you prefer a different version, go for it.
Modify sendmail.mc and re-build sendmail.cf. There's no reason to get into the guts of sendmail.cf, especially for something like this. Save yourself a lot of hair-pulling and gnashing of teeth and use sendmail.mc.
Well, it can't hurt to install a later compiler. If I have any problems with the gcc version I have I'll go ahead and update - I DL'ed both GCC versions that I mentioned above plus the lib stuff.
I don't have a sendmail.mc file. I have been maintaining sendmail.cf directly, I don't recall any particular problem doing it that way since the changes that I needed were small. I'll take your advice and use your technical paper for guidance there.
Thanks again for all of the help, I'll keep you posted as I progress.
Yeah, Sun didn't bother to include sendmail.mc, or the m4 macro files you need to use it. Again, they ought to have been ashamed of themselves. No excuse for shipping absolute crap as a default config and then not providing the tools needed to properly maintain it. Musta been the same fraudulent waste-of-oxygen who decided to clip the C compiler.
Anyway, you *will* have those things when you build from source (look in ./cf/cf ... and no, that's not a typo), and I think if you take the time to make the switch, you'll wonder why you've been wasting time with hacking sendmail.cf for all those years. That's what happened to me. I started with SunOS v4.1.4_U2 with sendmail (v8.9, I think) and hacking sendmail.cf directly. Did that for 8 or 9 years. Then I discovered sendmail v8.12 and sendmail.mc and started kicking myself. Lotsa wasted time and stomach acid.
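A minimal sendmail.mc for the relay goal discussed in this thread, as an added example that is not from any poster and not one of the configs shipped in the sendmail source tree. The host name, address, port, paths and credentials are placeholders, and it assumes a sendmail built with both STARTTLS and SASL support and an ISP server that offers STARTTLS followed by AUTH.

```m4
divert(-1)
#
# relay.mc: accept plain SMTP from the LAN, hand everything to the ISP
# server over TLS with SMTP AUTH. Added example; all names are placeholders.
#
# Companion files (constructed sample entries):
#
#   /etc/mail/authinfo   (chmod 600, owned by root; holds the password)
#     AuthInfo:smtp.isp.example "U:myuser" "P:mypassword" "M:LOGIN"
#
#   /etc/mail/access     (which LAN clients may relay through this box)
#     Connect:192.168.1.20   RELAY
#
# Rebuild the maps after every edit:
#   makemap hash /etc/mail/authinfo < /etc/mail/authinfo
#   makemap hash /etc/mail/access   < /etc/mail/access
#
# Generate the .cf from the cf/cf directory of the source tree:
#   m4 ../m4/cf.m4 relay.mc > relay.cf
#
divert(0)dnl
VERSIONID(`relay.mc: LAN relay to ISP smart host (example)')dnl
OSTYPE(`solaris8')dnl
dnl
dnl Send all non-local mail to the ISP. The brackets suppress the MX lookup.
define(`SMART_HOST', `[smtp.isp.example]')dnl
dnl
dnl Port used by the relay mailer (placeholder). sendmail as a client starts
dnl TLS with STARTTLS after the greeting, so this must be a STARTTLS port.
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
dnl
dnl Mechanisms sendmail may use; they travel inside the TLS session.
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl
dnl CA material used to verify the ISP certificate (paths are assumptions).
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca-bundle.pem')dnl
dnl
dnl Credentials for the smart host come from the authinfo map.
FEATURE(`authinfo', `hash -o /etc/mail/authinfo')dnl
dnl
dnl Only hosts listed in the access map are allowed to relay.
FEATURE(`access_db', `hash -o /etc/mail/access')dnl
dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
```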
Well, things went pretty smoothly for a while, up until I actually started trying to compile sendmail. To be more precise, I was fine up until the "sh ./Build" mentioned in step 3 of the INSTALL file. I am working with 8.14.2 as you recommended.
First off, when I copied and pasted your site.config.m4 contents into a terminal window, it replaced some of the quote characters with ^Y and removed others. I carefully replaced them, always using ` on the left side of a quoted string and ' on the right side of a quoted string. I corrected the path to Berkeley DB and the path to openssl. The ssl lines in this file are seemingly being ignored (see Build output below site.config.m4 below).
I tried modifying sendmail.h line 125 from openssl/ssl.h to /usr/local/ssl/include/openssl/ssl.h and Build returned page upon page of errors for my efforts, so I changed it back. Any thoughts as to why my second confINCDIRS directive is being ignored? I have a hunch that is the root of the problem.
I have to run off to work soon, at minimum I will back up site config file, delete everything and untar the source again. I may have run build from the top level directory before setting up site config and maybe there is something screwy that Build can't overwrite.