Instructions for setting up DRAC under RedHat Linux 7.x/8.x

(Dynamic Relay Authorization Control)

SYNOPSIS

  If you have found this page then you likely already know what DRAC is
  used for, however a brief description is included for completeness.
  The use of DRAC allows users who use your SMTP server to use it from
  anywhere without the necessity of opening up the relay for public use
  and hence subjecting yourself to the possibility of being blacklisted
  or ending up in other databases such as ORBS.  This method does not
  replace SMTP authentication to permit relaying - it is an augmentation
  if anything.  Not all email clients support the use of SMTP auth yet
  and the server side setup is not yet intuitive, to say the least.

  DRAC will allow users who successfully authenticate via POP3, (ie.
  check their mail) to relay through your mail server for a preset
  duration, currently a default of 30 minutes.  After the authentication
  part of a successful mail check, the POP3 daemon calls the dracauth()
  function to update an internal database with the originating IP 
  address of the user.  Each time a relay is attempted, sendmail will
  consult this same database to verify permission.  Any addresses that
  you wish to permanently permit (or deny) can be done so in the standard 
  sendmail access files & will always override DRAC.
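The relay decision described above, as an added illustration that is not code from the DRAC package or from this page: a small in-memory model in which `record_auth()` stands in for the POP3 daemon's dracauth() call, `relay_allowed()` stands in for the sendmail check, a permanent access-map entry (RELAY/REJECT) always wins, and otherwise the client IP must have authenticated within the last 30 minutes. The class and function names, the access-map dictionary and all addresses are constructed for the example; the longest-prefix lookup mirrors how sendmail consults its access map for a client address.

```python
"""Toy model of DRAC relay authorization (constructed example, not DRAC's code).

- record_auth() plays the role of dracauth(): store the client IP with the
  time of the successful POP3 login.
- relay_allowed() plays the role of the sendmail check_rcpt rule: an entry in
  the access map (RELAY/REJECT) always overrides DRAC; otherwise the client
  must have authenticated within DRAC_TTL seconds (page default: 30 minutes).
"""
import ipaddress
import time

DRAC_TTL = 30 * 60  # seconds a POP3 login keeps relaying open (30 minutes)


class DracDb:
    """In-memory stand-in for /etc/mail/dracd.db: client IP -> time of last auth."""

    def __init__(self):
        self._entries = {}

    def record_auth(self, client_ip, now=None):
        """Equivalent of dracauth(): remember that client_ip just authenticated."""
        ip = str(ipaddress.IPv4Address(client_ip))  # normalise, reject garbage
        self._entries[ip] = time.time() if now is None else now

    def expire(self, now=None):
        """Drop entries older than DRAC_TTL (dracd does this periodically)."""
        now = time.time() if now is None else now
        self._entries = {ip: t for ip, t in self._entries.items()
                         if now - t < DRAC_TTL}

    def is_recent(self, client_ip, now=None):
        """Has client_ip authenticated within DRAC_TTL seconds before 'now'?"""
        now = time.time() if now is None else now
        t = self._entries.get(str(ipaddress.IPv4Address(client_ip)))
        return t is not None and 0 <= now - t < DRAC_TTL


def relay_allowed(db, access_map, client_ip, now=None):
    """Return True if a RCPT TO from client_ip may relay.

    access_map models permanent sendmail access entries for client addresses
    ({ip_or_prefix: 'RELAY' | 'REJECT'}). As the page states, such an entry
    always overrides DRAC. The full address is tried first, then shorter
    dotted prefixes, which is how sendmail looks up a client address.
    """
    ip = str(ipaddress.IPv4Address(client_ip))
    parts = ip.split(".")
    for n in range(len(parts), 0, -1):
        key = ".".join(parts[:n])
        if key in access_map:
            return access_map[key] == "RELAY"
    return db.is_recent(ip, now)


def demo():
    """Walk through the page's test: denied, POP3 check, allowed, then expiry."""
    db = DracDb()
    # Constructed access entries: a trusted LAN prefix and one blocked host.
    access = {"10.0.0": "RELAY", "192.168.1.9": "REJECT"}
    t0 = 1_000_000.0
    results = []
    results.append(relay_allowed(db, access, "192.168.1.2", t0))              # never authed
    db.record_auth("192.168.1.2", t0)                                          # POP3 login
    results.append(relay_allowed(db, access, "192.168.1.2", t0 + 60))         # within 30 min
    results.append(relay_allowed(db, access, "192.168.1.2", t0 + DRAC_TTL + 1))  # expired
    db.record_auth("192.168.1.9", t0)
    results.append(relay_allowed(db, access, "192.168.1.9", t0 + 1))          # REJECT wins
    results.append(relay_allowed(db, access, "10.0.0.5", t0))                 # RELAY wins
    return results


if __name__ == "__main__":
    print(demo())
```

The `demo()` sequence is the same order of events as the telnet test later on the page: a relay attempt before any POP3 check is refused, the same address is accepted right after a successful login, and the permission lapses once the window has passed.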

REQUIRED PACKAGES

  Standard RedHat distribution packages:
- xinetd (NOTE: Get the updated package!  The stock one has known vulnerabilities.)
- db3-devel (7.x) OR db4-devel (8.0)
- sendmail
- portmap

  Additional packages:
- drac (RedHat 7.0)(RedHat 7.1)(RedHat 7.2)(RedHat 7.3)(RedHat 8.0)(RedHat 9)
- qpopper w/drac (RedHat 7.0)(RedHat 7.1)(RedHat 7.2)(RedHat 7.3)
- Go here if you need a pop3 daemon that supports the Maildir format.
- Baba Buehler has contributed some DRAC-aware IMAP packages including
an RPM for (RedHat 7.3). Thanks!
- And similarly, IMAP/DRAC packages for (RedHat 8.0) and (RedHat 9.0).
Thanks again to Erik Thauvin for these contributions.

PREPARATION & INSTALLATION

- Make sure you have all the prerequisite RH7 packages installed
  (ie. 'rpm -q db3-devel', etc.)  If any are missing, download and
  install with 'rpm -Uvh {package_name}'.
- Download and install the additional packages above in the order that
  they appear.
  NOTE: This version of qpopper will automatically install the necessary
  xinetd startup file and restart the daemon.  If xinetd is not already
  running you will see "FAILED" on the shutdown part.  This is fine.

SETTING UP DRAC FOR REMOTE SMTP SERVER

  NOTE: SKIP this step if your SMTP and POP3 daemons are on the SAME
  machine (this will be most installations of DRAC)

- Make sure DRAC is installed on your SMTP server
  NOTE: You will need to install DRAC on your POP3 server as well if you
  are compiling it from source rather than using the binary version,
  since the popper build relies on libdrac.a
- Open /etc/xinetd.d/popper on your POP3 server and add '-D 192.168.1.2'
  to the end of the server_args= line.  Substitute the 192.x address
  above with the IP address of your SMTP/DRAC server.
- Create /etc/mail/dracd.allow on your SMTP/DRAC server and add an entry
  for your POP3 server as follows (replacing the 192.x address with your
  POP3 server IP):

    [root@spork tmp]# cat /etc/mail/dracd.allow
    255.255.255.255 192.168.1.3

- Restart xinetd on your POP3 server with your new settings
  ('/etc/rc.d/init.d/xinetd restart')

  * Thanks to Yang Jianmin for telling me about the -D option to qpopper

GETTING SYSTEM READY & DRACD STARTUP

- Make sure that portmap is running ('/etc/rc.d/init.d/portmap status').
  If portmap is not running, run '/etc/rc.d/init.d/portmap start'
- Test the daemon startup ('/etc/rc.d/init.d/dracd start').
  Make sure that drac is running ('/etc/rc.d/init.d/dracd status')
- A new file should be created: /etc/mail/dracd.db

PREPARING & TESTING THE POP3 SERVER

- Make sure TCP wrappers aren't blocking pop-3 (add a line to
  /etc/hosts.allow: 'popper: ALL' if you get 'Connection closed by
  foreign host.' when executing the next step below)
- Test pop-3 service and dracd updates by authing as a local user:
  NOTE: The lines you type are 'user foo', 'pass bar' and 'quit';
  everything else is output from the server.

    [root@spork qpopper3.1.2]# telnet localhost 110
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    +OK QPOP (version 3.1.2) at mail.my.net starting.
    user foo
    +OK Password required for foo.
    pass bar
    +OK foo has 0 visible messages (0 hidden) in 0 octets.
    quit
    +OK Pop server at mail.my.net signing off.

- 'ls -l /etc/mail/dracd.db' - the time stamp should be the same as the
  current date on the machine ('date') now.
- Make sure that the IP address that you checked from got into dracd.db:

    [root@spork mail]# grep 127.0.0.1 dracd.db
    Binary file dracd.db matches

SETTING UP SENDMAIL TO UTILIZE DRAC

  Automatic Configuration [Removed]

  Due to recent security issues with sendmail I have deleted all sendmail
  packages from this site.  Simply get the latest updated version for
  your distribution and use 'Manual' or 'Semi-Automatic' configuration
  below.

  Manual Configuration

- Edit /etc/sendmail.cf
- Add the following lines under "local info":

    # dynamic relay authorization control map
    Kdrac btree /etc/mail/dracd

- Add the following lines IMMEDIATELY underneath "SLocal_check_rcpt":

    # allow recent POP/IMAP mail clients to relay
    R$*	$: $&{client_addr}
    R$+	$: $(drac $1 $: ? $)
    R?	$@ ?
    R$+	$@ $#OK

- Restart sendmail with '/etc/rc.d/init.d/sendmail restart'

  Semi-Automatic Configuration - This is the recommended method of
  configuration!

- Add to your cf/m4/proto.m4 file the following lines immediately
  underneath "SLocal_check_rcpt":

    # allow recent POP/IMAP mail clients to relay
    R$*	$: $&{client_addr}
    R$+	$: $(drac $1 $: ? $)
    R?	$@ ?
    R$+	$@ $#OK

- At the bottom of your existing sendmail.mc file, add:

    # dynamic relay authorization control map
    Kdrac btree -o /etc/mail/dracd

- Generate your new sendmail.cf using m4 as you normally would, ie:

    m4 ${CFDIR}/m4/cf.m4 sendmail.mc > sendmail.cf

- Your new sendmail.cf will now contain the DRAC rules.

  * Thank you Dan Myers for contributing this configuration info!
  * NOTE: THE SPACES BETWEEN LEFT AND RIGHT HAND SIDE MUST BE REPLACED
    WITH "TAB" CHARACTERS, NOT SPACES, IN EACH OF THE RULESETS ABOVE!

TESTING SENDMAIL/POPPER WITH DRAC

- First try to relay from a non-permitted address - you should be DENIED:

    [root@bofh /root]# telnet mail.my.net 25
    Trying 192.168.1.1...
    Connected to mail.my.net.
    Escape character is '^]'.
    220 mail.my.net ESMTP Sendmail 8.11.0/8.11.0; Tue, 21 Nov 2000 10:56:01 -0600
    helo blah
    250 mail.my.net Hello bofh [192.168.1.2], pleased to meet you
    mail from: bgates@microsoft.com
    250 2.1.0 bgates@microsoft.com... Sender ok
    rcpt to: president@whitehouse.gov
    550 5.7.1 president@whitehouse.gov... Relaying denied
    quit
    221 2.0.0 mail.my.net closing connection

- Now check a legitimate pop-3 account from the remote host:

    [root@bofh /root]# telnet mail.my.net 110
    Trying 192.168.1.1...
    Connected to mail.my.net.
    Escape character is '^]'.
    +OK QPOP (version 3.1.2) at mail.my.net starting.
    user foo
    +OK Password required for foo.
    pass bar
    +OK foo has 0 visible messages (0 hidden) in 0 octets.
    quit
    +OK Pop server at mail.my.net signing off.

- Now repeat the process above to see if relaying is now permitted:

    [root@bofh /root]# telnet mail.my.net 25
    Trying 192.168.1.1...
    Connected to mail.my.net.
    Escape character is '^]'.
    220 mail.my.net ESMTP Sendmail 8.11.0/8.11.0; Tue, 21 Nov 2000 10:56:01 -0600
    helo blah
    250 mail.my.net Hello bofh [192.168.1.2], pleased to meet you
    mail from: bgates@microsoft.com
    250 2.1.0 bgates@microsoft.com... Sender ok
    rcpt to: president@whitehouse.gov
    250 2.1.5 president@whitehouse.gov... Recipient ok
    quit
    221 2.0.0 mail.my.net closing connection

- Cool!  "Recipient ok" indicates that the last pop check has successfully
  updated dracd.db & relaying is now permitted!

NOTES

- If you are (rightfully) skeptical about unsigned binary packages and
  like to roll your own, there are source RPM packages of all of the
  custom ones I have built in the redhat directory.  Instructions for use
  of source RPMs are beyond the scope of this document.
- Additional configuration items (such as the actual duration that
  relaying is permitted for after pop3 auth) are described in the
  documentation of the original package.  Please visit the official page
  at http://mail.cc.umanitoba.ca/drac.
- Many thanks to Gary Mills for a brilliant piece of software & for
  putting up with my constant annoying questions :)  He can be contacted
  via the main page above.
- These instructions should be relatively easy, however if there are any
  suggestions or noted omissions/errors, etc. feel free to drop me a note
  at bofh at ls dash l dot net
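The NOTE in the sendmail configuration section (tabs, not spaces, between the left and right hand side of each rule) is easy to get wrong when the rules are pasted from a web page. As an added check that is not part of this page or of sendmail, the script below scans a sendmail.cf fragment for 'R' rule lines that contain no tab at all, optionally restricted to one ruleset, and confirms that the Kdrac map declaration is present. The function names and the sample configuration text are constructed for the example; sendmail splits a rule at the first tab, so a rule whose fields are separated only by spaces is not read as intended.

```python
"""Sanity checks for the DRAC additions to a sendmail.cf (constructed example).

find_untabbed_rules() reports 'R' lines that contain no TAB character, which
is the mistake the page's NOTE warns about.  has_drac_map() confirms the
'Kdrac btree ...' map declaration made it into the generated file.
"""
import re

DRAC_MAP_RE = re.compile(r"^Kdrac\s+btree\b", re.MULTILINE)


def find_untabbed_rules(cf_text, ruleset=None):
    """Return [(line_number, line), ...] for rule lines lacking a tab separator.

    If ruleset is given (e.g. 'Local_check_rcpt'), only rules that appear
    after that 'S<name>' declaration and before the next one are examined.
    """
    bad = []
    current = None
    for lineno, line in enumerate(cf_text.splitlines(), 1):
        if line.startswith("S"):                 # start of a ruleset: S<name>
            fields = line[1:].split()
            current = fields[0] if fields else ""
            continue
        if not line.startswith("R"):             # only rewrite rules matter here
            continue
        if ruleset is not None and current != ruleset:
            continue
        if "\t" not in line:                     # LHS and RHS must be tab-separated
            bad.append((lineno, line))
    return bad


def has_drac_map(cf_text):
    """True if the 'Kdrac btree ...' map line (with or without -o) is present."""
    return DRAC_MAP_RE.search(cf_text) is not None


# Constructed fragment mirroring the page's manual configuration, with real tabs.
GOOD_CF = (
    "# constructed fragment of a sendmail.cf\n"
    "Kdrac btree /etc/mail/dracd\n"
    "SLocal_check_rcpt\n"
    "# allow recent POP/IMAP mail clients to relay\n"
    "R$*\t$: $&{client_addr}\n"
    "R$+\t$: $(drac $1 $: ? $)\n"
    "R?\t$@ ?\n"
    "R$+\t$@ $#OK\n"
)

# Same fragment with one rule typed using a space instead of a tab.
BAD_CF = GOOD_CF.replace("R?\t$@ ?", "R? $@ ?")


if __name__ == "__main__":
    for name, text in (("good", GOOD_CF), ("bad", BAD_CF)):
        print(name, "drac map:", has_drac_map(text),
              "untabbed rules:", find_untabbed_rules(text, "Local_check_rcpt"))
```

To check a real file, read /etc/sendmail.cf into a string and pass it to both functions; an empty list from `find_untabbed_rules(text, "Local_check_rcpt")` together with `has_drac_map(text)` being true means the two DRAC additions are at least syntactically in place.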

Colin Bloch [12/04/2000] Last updated [12/15/2003]