This article describes how to install and use sSMTP in a secure manner on a FreeBSD system. It has been tested with FreeBSD 6.2, but will probably work equally well with other versions.

Use this guide if you are in the following situation:

For the example, the following settings will be used:

Local hostname: mybox
SMTP server: mail.example.com
SMTP server username: john
SMTP server password: Secret1

[Step 1] Disable Sendmail completely by setting the following in your /etc/rc.conf file:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

Note that changes to your /etc/rc.conf file only take effect when you reboot, so the Sendmail daemon (sendmail) may still be running.

[Step 2] Kill the Sendmail daemon if it is running:

sudo killall sendmail

Note: I'm assuming you are using sudo, but alternatively you could switch to the root account using su.

[Step 3] Install sSMTP:

cd /usr/ports/mail/ssmtp/
sudo make install replace

The install action installs sSMTP, while the replace action replaces sendmail as the default mailer in /etc/mail/mailer.conf.

You now have sSMTP installed, and the command sendmail will invoke the ssmtp executable. But you haven't told sSMTP which SMTP server to use with which credentials. sSMTP looks for these settings in its configuration file at /usr/local/etc/ssmtp/ssmtp.conf. The port does not install this file; it only installs an example in /usr/local/etc/ssmtp/ssmtp.conf.sample.

Before doing anything else, we will want to protect the sSMTP configuration file to make sure that only the ssmtp executable can read it, and not every account on the machine.

[Step 4] Create an ssmtp user:

sudo pw useradd ssmtp -g nogroup -h - -s /sbin/nologin -d /nonexistent -c "sSMTP pseudo-user"

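This puts the ssmtp user in the nogroup group and disables password-based logins (-h -).

[Step 5] Set the correct owner and permissions on the sSMTP configuration directory. We set the setuid bit (see chmod(1)) to make sure new files in the directory will be owned by the user ssmtp as well. Note that on FreeBSD the setuid bit on a directory only has this effect when the file system is mounted with the suiddir option (see mount(8)); Step 6 sets the owner of ssmtp.conf explicitly in any case:

cd /usr/local/etc/ssmtp
sudo chown ssmtp:wheel .
sudo chmod 4750 .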

[Step 6] Create the sSMTP configuration file with the correct permissions:

sudo cp ssmtp.conf.sample ssmtp.conf
sudo chown ssmtp:wheel . ssmtp.conf
sudo chmod 640 ssmtp.conf

[Step 7] Enter your configuration details in the ssmtp.conf file. Modify this example to fit your situation:

MailHub=mail.example.com:465     # Mail server to connect to (port 465 is SMTP/SSL)
UseTLS=YES                       # Enable SSL/TLS
AuthUser=john                    # Username for SMTP AUTH
AuthPass=Secret1                 # Password for SMTP AUTH
FromLineOverride=YES             # Allow the sender's own From: header to be used
Hostname=myhost.example.com      # Name of this host
RewriteDomain=myhost.example.com # Where the mail will seem to come from
Root=postmaster                  # Mail for root@ is redirected to postmaster@

Now that the configuration file is set up and protected from unauthorized eyes, the ssmtp executable must be given access to it. To accomplish this, we will let it run as the ssmtp user.

[Step 8] Make the ssmtp executable owned by the ssmtp user and mark it SUID:

sudo chown ssmtp:nogroup /usr/local/sbin/ssmtp
sudo chmod 4555 /usr/local/sbin/ssmtp

[Step 9] Run some tests as an unprivileged user:

$ cat /usr/local/etc/ssmtp/ssmtp.conf
cat: /usr/local/etc/ssmtp/ssmtp.conf: Permission denied
$ sendmail john@example.com < /etc/rc.conf
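
The following POSIX sh functions are an added example, not part of the original article or of the sSMTP port. They re-check the ownership and modes set in Steps 5 to 8, so the layout can be verified again later, for instance after the port is reinstalled. The helper names are hypothetical; the paths, the ssmtp owner and the modes are the ones used above.

```sh
#!/bin/sh
# Added example: re-check the ownership and modes from Steps 5-8.
# Helper names (matches, check_conf, check_suid_bin, audit_ssmtp) are
# hypothetical; paths, owner and modes are the ones used in this guide.

# matches FILE TEST...: succeeds if all find(1) tests hold for FILE itself.
matches() {
    f=$1; shift
    [ -n "$(find "$f" -prune "$@" -print 2>/dev/null)" ]
}

# Config file holding AuthPass: owned by OWNER, no access at all for
# "other", and not writable by the group (640 passes, 644 fails).
check_conf() {
    matches "$1" -type f -user "$2" \
        ! -perm -020 ! -perm -004 ! -perm -002 ! -perm -001
}

# Mailer binary: owned by OWNER with the setuid bit, so it runs as OWNER
# and can read the config; not writable by group or other (4555 passes).
check_suid_bin() {
    matches "$1" -type f -user "$2" -perm -4000 ! -perm -020 ! -perm -002
}

# audit_ssmtp [CONF] [BIN] [OWNER]: prints each failure, returns 1 on any.
audit_ssmtp() {
    conf=${1:-/usr/local/etc/ssmtp/ssmtp.conf}
    bin=${2:-/usr/local/sbin/ssmtp}
    owner=${3:-ssmtp}
    rc=0
    if ! check_conf "$conf" "$owner"; then
        echo "FAIL: $conf must be owned by $owner, no access for other, no group write"
        rc=1
    fi
    if ! check_suid_bin "$bin" "$owner"; then
        echo "FAIL: $bin must be setuid, owned by $owner, not group/world-writable"
        rc=1
    fi
    return "$rc"
}

# On the FreeBSD host, run as root (the config directory is mode 4750):
#   audit_ssmtp && echo "sSMTP permissions OK"
```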

SecureSSMTP (last edited 2013-01-22 04:18:53 by EitanAdler)