Instructions for setting up DRAC under RedHat Linux 7.x/8.x
(Dynamic Relay Authorization Control)
SYNOPSIS
If you have found this page then you likely already know what DRAC is
used for, however a brief description is included for completeness.
The use of DRAC allows users who use your SMTP server to use it from
anywhere without the necessity of opening up the relay for public use
and hence subjecting yourself to the possibility of being blacklisted
or ending up in other databases such as ORBS. This method does not
replace SMTP authentication to permit relaying - it is an augmentation
if anything. Not all email clients support the use of SMTP auth yet
and the server side setup is not yet intuitive, to say the least.
DRAC will allow users who successfully authenticate via POP3 (i.e.
check their mail) to relay through your mail server for a preset
duration, currently a default of 30 minutes. After the authentication
part of a successful mail check, the POP3 daemon calls the dracauth()
function to update an internal database with the originating IP
address of the user. Each time a relay is attempted, sendmail will
consult this same database to verify permission. Any addresses that
you wish to permanently permit (or deny) can be done so in the standard
sendmail access files & will always override DRAC.
REQUIRED PACKAGES
Standard RedHat distribution packages:
- xinetd (NOTE: Get the updated package! The stock one has known vulnerabilities.)
- db3-devel (7.x) OR db4-devel (8.0)
- sendmail
- portmap
Additional packages:
- drac (RedHat 7.0)(RedHat 7.1)(RedHat 7.2)(RedHat 7.3)(RedHat 8.0)(RedHat 9)
- qpopper w/drac (RedHat 7.0)(RedHat 7.1)(RedHat 7.2)(RedHat 7.3)
- Go here if you need a pop3 daemon that supports the Maildir format.
- Baba Buehler has contributed some DRAC-aware IMAP packages including
an RPM for (RedHat 7.3). Thanks!
- And similarly, IMAP/DRAC packages for (RedHat 8.0) and (RedHat 9.0).
Thanks again to Erik Thauvin for these contributions.
PREPARATION & INSTALLATION
- Make sure you have all the prerequisite RH7 packages installed
(i.e. 'rpm -q db3-devel', etc.). If any are missing, download and
install with 'rpm -Uvh {package_name}'.
- Download and install the additional packages above in the order
that they appear.
NOTE: This version of qpopper will automatically install the necessary
xinetd startup file and restart the daemon. If xinetd is not already
running you will see "FAILED" on the shutdown part. This is fine.
SETTING UP DRAC FOR REMOTE SMTP SERVER
NOTE: SKIP this step if your SMTP and POP3 daemons are on the
SAME machine (this will be most installations of DRAC)
- Make sure DRAC is installed on your SMTP server
NOTE: You will need to install DRAC on your POP3 server as well if
you are compiling it from source rather than using the binary version
since the popper build relies on libdrac.a
- Open /etc/xinetd.d/popper on your POP3 server and add '-D 192.168.1.2'
to the end of the server_args= line. Substitute the 192.x address above
with the IP address of your SMTP/DRAC server.
- Create /etc/mail/dracd.allow on your SMTP/DRAC server and add an entry
for your POP3 server as follows (replacing the 192.x address with your
POP3 server IP):
[root@spork tmp]# cat /etc/mail/dracd.allow
255.255.255.255 192.168.1.3
- Restart xinetd on your POP3 server with your new
settings ('/etc/rc.d/init.d/xinetd restart')
* Thanks to Yang Jianmin for telling me about the -D option to qpopper
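The following Python model (an added example, not code from DRAC, qpopper or sendmail) ties together the mechanism from the SYNOPSIS and the dracd.allow check above: only a POP3 server listed in dracd.allow may register a client address, a registered address may relay until the 30-minute window expires, and a static sendmail access-map entry always wins over DRAC. The class and method names, the expiry handling and the sample allow file are constructed for illustration.

```python
import ipaddress

# Constructed sample of /etc/mail/dracd.allow: "netmask address" per line.
DRACD_ALLOW = "255.255.255.255 192.168.1.3\n"

# Relay window after a POP3 login; the page gives 30 minutes as the default.
DEFAULT_TTL = 30 * 60


def parse_allow(text):
    """Turn 'netmask address' lines into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mask, addr = line.split()
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


class DracSim:
    """Toy model of dracd plus the check_rcpt rules; not the real implementation."""

    def __init__(self, allow_text, access=None, ttl=DEFAULT_TTL):
        self.allowed = parse_allow(allow_text)
        self.access = access or {}   # static access map: client ip -> "RELAY" / "REJECT"
        self.ttl = ttl
        self.db = {}                  # dracd.db stand-in: client ip -> time of last POP auth

    def dracauth(self, pop_server_ip, client_ip, now):
        """What the POP daemon calls after a successful login.

        Updates are accepted only from hosts matched by dracd.allow, so a
        stray host cannot authorise arbitrary addresses to relay.
        """
        src = ipaddress.ip_address(pop_server_ip)
        if not any(src in net for net in self.allowed):
            return False
        self.db[client_ip] = now
        return True

    def relay_ok(self, client_ip, now):
        """Decision sendmail makes per RCPT: access map first, then a fresh DRAC entry."""
        if client_ip in self.access:
            return self.access[client_ip] == "RELAY"
        last_auth = self.db.get(client_ip)
        return last_auth is not None and now - last_auth <= self.ttl
```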
GETTING SYSTEM READY & DRACD STARTUP
- Make sure that portmap is running ('/etc/rc.d/init.d/portmap status')
If portmap is not running, run '/etc/rc.d/init.d/portmap start'
- Test the daemon startup ('/etc/rc.d/init.d/dracd start')
Make sure that drac is running ('/etc/rc.d/init.d/dracd status')
- A new file should be created: /etc/mail/dracd.db
PREPARING & TESTING THE POP3 SERVER
- Make sure TCP wrappers aren't blocking pop-3 (add a line
to /etc/hosts.allow: 'popper: ALL' if you get 'Connection closed
by foreign host.' when executing the next step below)
- Test pop-3 service and dracd updates by authing as a local user:
NOTE: In the transcript below, the lines you type are 'user foo', 'pass bar'
and 'quit'; every other line is output from telnet or the POP3 server.
[root@spork qpopper3.1.2]# telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK QPOP (version 3.1.2) at mail.my.net starting.
user foo
+OK Password required for foo.
pass bar
+OK foo has 0 visible messages (0 hidden) in 0 octets.
quit
+OK Pop server at mail.my.net signing off.
- 'ls -l /etc/mail/dracd.db' - time stamp should be same as current date
on machine ('date') now.
- Make sure that IP address that you checked from got into dracd.db:
[root@spork mail]# grep 127.0.0.1 dracd.db
Binary file dracd.db matches
SETTING UP SENDMAIL TO UTILIZE DRAC
Automatic Configuration
[Removed] Due to recent security issues with sendmail I have deleted
all sendmail packages from this site. Simply get the latest updated
version for your distribution and use 'Manual' or 'Semi-Automatic'
configuration below.
Manual Configuration
- Edit /etc/sendmail.cf
- Add the following lines under "local info":
# dynamic relay authorization control map
Kdrac btree /etc/mail/dracd
- Add the following lines IMMEDIATELY underneath "SLocal_check_rcpt"
# allow recent POP/IMAP mail clients to relay
R$* $: $&{client_addr}
R$+ $: $(drac $1 $: ? $)
R? $@ ?
R$+ $@ $#OK
- Restart sendmail with '/etc/rc.d/init.d/sendmail restart'
Semi-Automatic Configuration
- This is the recommended method of configuration!
- Add to your cf/m4/proto.m4 file the following lines immediately underneath
"SLocal_check_rcpt"
# allow recent POP/IMAP mail clients to relay
R$* $: $&{client_addr}
R$+ $: $(drac $1 $: ? $)
R? $@ ?
R$+ $@ $#OK
- At the bottom of your existing sendmail.mc file, add:
# dynamic relay authorization control map
Kdrac btree -o /etc/mail/dracd
- Generate your new sendmail.cf using m4 as you normally would, i.e.:
m4 ${CFDIR}/m4/cf.m4 sendmail.mc > sendmail.cf
- Your new sendmail.cf will now contain the DRAC rules.
* Thank you Dan Myers for contributing this configuration info!
* NOTE: THE SPACES BETWEEN LEFT AND RIGHT HAND SIDE MUST BE REPLACED
WITH "TAB" CHARACTERS, NOT SPACES IN EACH OF THE RULESETS ABOVE!
TESTING SENDMAIL/POPPER WITH DRAC
- First try to relay from non-permitted address - you should be DENIED:
[root@bofh /root]# telnet mail.my.net 25
Trying 192.168.1.1...
Connected to mail.my.net.
Escape character is '^]'.
220 mail.my.net ESMTP Sendmail 8.11.0/8.11.0; Tue, 21 Nov 2000 10:56:01 -0600
helo blah
250 mail.my.net Hello bofh [192.168.1.2], pleased to meet you
mail from: bgates@microsoft.com
250 2.1.0 bgates@microsoft.com... Sender ok
rcpt to: president@whitehouse.gov
550 5.7.1 president@whitehouse.gov... Relaying denied
quit
221 2.0.0 mail.my.net closing connection
- Now check a legitimate pop-3 account from remote host:
[root@bofh /root]# telnet mail.my.net 110
Trying 192.168.1.1...
Connected to mail.my.net.
Escape character is '^]'.
+OK QPOP (version 3.1.2) at mail.my.net starting.
user foo
+OK Password required for foo.
pass bar
+OK foo has 0 visible messages (0 hidden) in 0 octets.
quit
+OK Pop server at mail.my.net signing off.
- Now repeat process above to see if relaying is now permitted:
[root@bofh /root]# telnet mail.my.net 25
Trying 192.168.1.1...
Connected to mail.my.net.
Escape character is '^]'.
220 mail.my.net ESMTP Sendmail 8.11.0/8.11.0; Tue, 21 Nov 2000 10:56:01 -0600
helo blah
250 mail.my.net Hello bofh [192.168.1.2], pleased to meet you
mail from: bgates@microsoft.com
250 2.1.0 bgates@microsoft.com... Sender ok
rcpt to: president@whitehouse.gov
250 2.1.5 president@whitehouse.gov... Recipient ok
quit
221 2.0.0 mail.my.net closing connection
- Cool! "Recipient ok" indicates that the last pop check has
successfully updated dracd.db & relaying is now permitted!
NOTES
- If you are (rightfully) skeptical about unsigned binary packages
and like to roll your own there are source RPM packages of all of
the custom ones I have built in the redhat directory. Instructions
for use of source RPMs are beyond the scope of this document.
- Additional configuration items (such as the actual duration
that relaying is permitted for after pop3 auth) are described
in the documentation of the original package. Please visit
the official page at http://mail.cc.umanitoba.ca/drac.
- Many thanks to Gary Mills for a brilliant piece of software &
for putting up with my constant annoying questions :) He can
be contacted via the main page above.
- These instructions should be relatively easy, however if there are
any suggestions or noted omissions/errors, etc. feel free to drop
me a note at bofh at ls dash l dot net
Colin Bloch [12/04/2000]
Last updated [12/15/2003]