## page was renamed from SecureSSMTP
This article describes '''how to install and use sSMTP in a secure manner''' on a FreeBSD system. It has been tested with FreeBSD 6.2, but will probably work equally well with other versions.

Use this guide if you are in the following situation:
 * you have some basic knowledge of FreeBSD system maintenance;
 * you have an ISP that supports authenticated SMTP over SSL;
 * you want to be able to send mail from your machine, via your ISP;
 * you want the SMTP authentication details to remain confidential, not readable by all users on the system.

For the example, the following settings will be used:
||Local hostname:||`mybox`||
||SMTP server:||`mail.example.com`||
||SMTP server username:||`john`||
||SMTP server password:||`Secret1`||

'''[Step 1]''' Disable Sendmail completely by setting the following in your `/etc/rc.conf` file:
{{{
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
}}}
Note that changes in your `/etc/rc.conf` file will only take effect when you reboot, so the Sendmail daemon (`sendmail`) may still be running.

'''[Step 2]''' Kill the Sendmail daemon if it is running:
{{{
sudo killall sendmail
}}}
Note: I'm assuming you are using [[http://www.freshports.org/ports/security/sudo/|sudo]], but alternatively you could switch to the root account using `su`.

'''[Step 3]''' Install sSMTP:
{{{
cd /usr/ports/mail/ssmtp/
sudo make install replace
}}}
The `install` target installs sSMTP, while the `replace` target replaces sendmail as the default mailer in `/etc/mail/mailer.conf`. You now have sSMTP installed, and the command `sendmail` will invoke the `ssmtp` executable. But you haven't told sSMTP which SMTP server to use with which credentials. These settings are read from the sSMTP configuration file at `/usr/local/etc/ssmtp/ssmtp.conf`. The port does not install this file; it only installs an example in `/usr/local/etc/ssmtp/ssmtp.conf.sample`.
Before doing anything else, we want to protect the sSMTP configuration file so that only the `ssmtp` executable can read it, and not every account on the machine.

'''[Step 4]''' Create an `ssmtp` user:
{{{
sudo pw useradd ssmtp -g nogroup -h - -s /sbin/nologin -d /nonexistent -c "sSMTP pseudo-user"
}}}
This puts the `ssmtp` user in the `nogroup` group, disallows password-based logins (`-h -`) and gives the account no usable login shell (`/sbin/nologin`) and no home directory, so nobody can log in as it.

'''[Step 5]''' Set the correct owner and permissions on the sSMTP configuration directory. We set the `setuid` bit (see [[http://www.freebsd.org/cgi/man.cgi?query=chmod&sektion=1|chmod(1)]]) to make sure new files in the directory will be owned by the user `ssmtp` as well. Note that FreeBSD honours the setuid bit on a directory only on a UFS file system mounted with the `suiddir` option (see mount(8)); Step 6 therefore sets the ownership of the configuration file explicitly in any case:
{{{
cd /usr/local/etc/ssmtp
sudo chown ssmtp:wheel .
sudo chmod 4750 .
}}}

'''[Step 6]''' Create the sSMTP configuration file with the correct permissions:
{{{
sudo cp ssmtp.conf.sample ssmtp.conf
sudo chown ssmtp:wheel ssmtp.conf
sudo chmod 640 ssmtp.conf
}}}

'''[Step 7]''' Enter your configuration details in the `ssmtp.conf` file. Modify this example to fit your situation:
{{{
MailHub=mail.example.com:465       # Mail server to connect to (port 465 is SMTP/SSL)
UseTLS=YES                         # Enable SSL/TLS
AuthUser=john                      # Username for SMTP AUTH
AuthPass=Secret1                   # Password for SMTP AUTH
FromLineOverride=YES               # Force the From: address to the user account
Hostname=myhost.example.com        # Name of this host
RewriteDomain=myhost.example.com   # Where the mail will seem to come from
Root=postmaster                    # Mail for root@ is redirected to postmaster@
}}}
Now that the configuration file is set up and protected from unauthorized eyes, the `ssmtp` executable must be given access to it. To accomplish this, we will let it run as the `ssmtp` user.
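The following audit script is an added example, not part of the sSMTP port or of this guide's original text: it verifies that the ownership and modes from Steps 5 and 6 (and the setuid binary from Step 8, which follows) are really in place, so a missed `chown` or `chmod` does not silently leave `AuthPass` readable by every user. It assumes the paths used in this guide and a POSIX `ls(1)`.

```sh
#!/bin/sh
# Added audit script, not part of the sSMTP port: verifies that the ownership
# and modes this guide prescribes are in place, so a missed chown or chmod does
# not leave AuthPass world-readable or the binary non-setuid. Assumes the paths
# used in this guide and a POSIX ls(1).
CONF_DIR=/usr/local/etc/ssmtp
CONF=$CONF_DIR/ssmtp.conf
BIN=/usr/local/sbin/ssmtp

# Symbolic mode as ls prints it, e.g. "-rw-r-----" (first 10 characters, so an
# ACL marker such as "+" is ignored).
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# "owner:group" of a path.
owner_of() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# check_path PATH MODE OWNER:GROUP -> 0 if both match, 1 otherwise (names the mismatch).
check_path() {
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"; return 1
    fi
    status=0
    actual_mode=$(mode_of "$1"); actual_owner=$(owner_of "$1")
    if [ "$actual_mode" != "$2" ]; then
        echo "MODE     $1: want $2, got $actual_mode"; status=1
    fi
    if [ "$actual_owner" != "$3" ]; then
        echo "OWNER    $1: want $3, got $actual_owner"; status=1
    fi
    return $status
}

# The layout from Steps 5, 6 and 8:
#   chmod 4750, ssmtp:wheel   on the directory -> drwsr-x---
#   chmod 640,  ssmtp:wheel   on ssmtp.conf    -> -rw-r-----
#   chmod 4555, ssmtp:nogroup on the binary    -> -r-sr-xr-x
audit_ssmtp() {
    failures=0
    check_path "$CONF_DIR" drwsr-x--- ssmtp:wheel   || failures=1
    check_path "$CONF"     -rw-r----- ssmtp:wheel   || failures=1
    check_path "$BIN"      -r-sr-xr-x ssmtp:nogroup || failures=1
    return $failures
}
# Audit the live system when run directly as "sh ssmtp-audit.sh".
[ "$(basename -- "$0")" = ssmtp-audit.sh ] && audit_ssmtp
```

Run it as any user after Step 8; a non-zero exit status means at least one of the three paths deviates from the guide, and the output names which one.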
'''[Step 8]''' Make the `ssmtp` executable owned by the `ssmtp` user and mark it setuid:
{{{
sudo chown ssmtp:nogroup /usr/local/sbin/ssmtp
sudo chmod 4555 /usr/local/sbin/ssmtp
}}}

'''[Step 9]''' Run some tests as an unprivileged user: reading the configuration file must fail, while sending mail must still work:
{{{
$ cat /usr/local/etc/ssmtp/ssmtp.conf
cat: /usr/local/etc/ssmtp/ssmtp.conf: Permission denied
$ sendmail john@example.com < /etc/rc.conf
}}}

<!> Feedback is welcome at <<MailTo(ernst AT ernstdehaan DOT com)>>
----
CategoryHowTo