
Using ssmtp securely on CentOS 6

sendmail is a full mail server (an MTA). Maybe you don’t want a mail server on every box relaying mail to your Internet-facing mail server; you just want a program that sends mail, a simple program that hands mail to an SMTP server.

The following is a method to “replace” sendmail with ssmtp so that native clients (like mail) can send mail easily. No smarthost configs, no MTA relay configs, just send email through a server you already have.

Add the Fedora repo to be used by yum and install ssmtp:

echo '[fedora_repo]' >> /etc/yum.repos.d/fedora_repo.repo #allow yum access to the fedora repo (quoted so the shell does not treat the brackets as a glob)
echo name=fedora_repo >> /etc/yum.repos.d/fedora_repo.repo
echo baseurl=http://download1.fedora.redhat.com/pub/epel/\$releasever/\$basearch/ >> /etc/yum.repos.d/fedora_repo.repo
echo enabled=1 >> /etc/yum.repos.d/fedora_repo.repo
echo skip_if_unavailable=1 >> /etc/yum.repos.d/fedora_repo.repo
echo gpgcheck=0 >> /etc/yum.repos.d/fedora_repo.repo #package signatures from this repo are not verified with gpgcheck=0
yum -y install ssmtp
sed 's/^enabled=1/enabled=0/' -i /etc/yum.repos.d/fedora_repo.repo #disable fedora repo

If sendmail is installed, disable it:

service sendmail stop
chkconfig --levels 2345 sendmail off
chkconfig --del sendmail
export tmpsm=$(which sendmail)
mv "$tmpsm" "$tmpsm.bak"

Create a symlink where sendmail was located:

ln -s "$(which ssmtp)" "$tmpsm"

Create a secure user and secure the conf files:

groupadd nogroup
useradd ssmtp -g nogroup -s /sbin/nologin -d /nonexistent -c "sSMTP pseudo-user"
chown ssmtp:wheel /etc/ssmtp/ /etc/ssmtp/ssmtp.conf #http://en.wikipedia.org/wiki/Wheel_(Unix_term)
chmod 750 /etc/ssmtp/ #owner rwx, group wheel rx, others nothing (a setuid bit on a directory is ignored on Linux, so 4750 and 750 behave the same)
chmod 640 /etc/ssmtp/ssmtp.conf

Make ssmtp run as the ssmtp:nogroup user no matter who executes it (setuid binary owned by ssmtp): #https://en.wikipedia.org/wiki/Setuid

chown ssmtp:nogroup $(which ssmtp)
chmod 4555 $(which ssmtp)

Configure ssmtp:

sed 's/^root=postmaster/#root=postmaster/' -i /etc/ssmtp/ssmtp.conf
sed 's/^mailhub=mail/#mailhub=mail/' -i /etc/ssmtp/ssmtp.conf
echo "root=mbrown@mydomain.com" >> /etc/ssmtp/ssmtp.conf #routes mail addressed to any user with a UID under 500 (check /etc/passwd) to mbrown@mydomain.com
echo "mailhub=mysmtpserver.com:587" >> /etc/ssmtp/ssmtp.conf
echo "AuthUser=robot@mydomain.com" >> /etc/ssmtp/ssmtp.conf
echo "AuthPass=pass" >> /etc/ssmtp/ssmtp.conf
echo "RewriteDomain=mydomain.com" >> /etc/ssmtp/ssmtp.conf #the domain outgoing mail appears to come from
echo "Hostname=mydomain.com" >> /etc/ssmtp/ssmtp.conf
echo "FromLineOverride=YES" >> /etc/ssmtp/ssmtp.conf
echo "#UseTLS=YES #?" >> /etc/ssmtp/ssmtp.conf #while both TLS options stay commented out, the AuthPass above is sent to the mailhub in clear text; port 587 normally expects UseSTARTTLS=YES
echo "#UseSTARTTLS=Yes #?" >> /etc/ssmtp/ssmtp.conf

Set up “from” aliases (revaliases):
When mail is sent by one of the local users on the left, it goes out as the address on the right.

echo "root:robot@mydomain.com" >> /etc/ssmtp/revaliases
echo "icinga:robot@mydomain.com" >> /etc/ssmtp/revaliases

Set up “to” aliases:
To be used with /bin/mail: when mail is sent to users other than root, adjust their destination in /etc/aliases:

vim /etc/aliases
#find the user or add who receives email and adjust their destination
#   recipient:		email@mydomain.com

Adjust permissions:
So that only the owner can read /etc/ssmtp/ssmtp.conf, where your credentials live.

chmod 600 /etc/ssmtp/ssmtp.conf #owner only; ssmtp reads it as the ssmtp user via the setuid binary
chmod 644 /etc/ssmtp/revaliases #no secrets in here

Test sending mail:

#icinga has no login shell; su -s gives it one for this session only, so /etc/passwd stays untouched
su -s /bin/bash icinga
netstat -apn | grep : | mail -v -s "$(date)" root #body is the socket list; -v shows the SMTP dialogue with the mailhub
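As an added example, not from the original post, here is a small POSIX shell audit that checks an ssmtp.conf for the two properties this guide is after: the file holding AuthPass is readable by its owner only, and the authenticated mailhub connection uses TLS or STARTTLS. It assumes GNU stat(1) for the numeric mode and runs against two constructed sample files, one mirroring the guide as written and one hardened.

```shell
#!/bin/sh
# Added example, not from the original post: audit an ssmtp.conf for the two
# properties this guide is after (credentials unreadable by other users, and an
# authenticated mailhub reached over TLS). Assumes GNU stat(1) and that keys
# are case-insensitive KEY=VALUE lines, as ssmtp.conf(5) describes them.

# get_opt FILE KEY: value of the first uncommented KEY=VALUE line, lowercased
get_opt() {
    tr 'A-Z' 'a-z' < "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" |
        head -n 1
}

# check_ssmtp_conf FILE: prints one FINDING line per problem, returns their count
check_ssmtp_conf() {
    conf=$1; findings=0
    mode=$(stat -c '%a' "$conf")
    # AuthPass lives in this file, so any group/other read bit leaks the password
    case "$mode" in
        *00) ;;   # 600, 400, 700: owner only
        *) echo "FINDING: $conf mode $mode is readable by group or other users"
           findings=$((findings + 1)) ;;
    esac
    # a password sent with neither UseTLS nor UseSTARTTLS crosses the wire in clear text
    if [ -n "$(get_opt "$conf" authpass)" ] &&
       [ "$(get_opt "$conf" usetls)" != yes ] &&
       [ "$(get_opt "$conf" usestarttls)" != yes ]; then
        echo "FINDING: AuthPass set but neither UseTLS=YES nor UseSTARTTLS=YES"
        findings=$((findings + 1))
    fi
    return $findings
}

# write_sample_confs DIR: constructed samples; weak.conf mirrors the guide (TLS
# left commented out, mode 644), hardened.conf fixes both points
write_sample_confs() {
    common='mailhub=mysmtpserver.com:587
AuthUser=robot@mydomain.com
AuthPass=pass'
    printf '%s\n' "$common" '#UseSTARTTLS=Yes #?' > "$1/weak.conf"
    chmod 644 "$1/weak.conf"
    printf '%s\n' "$common" 'UseSTARTTLS=YES' > "$1/hardened.conf"
    chmod 600 "$1/hardened.conf"
}

# stand-alone demo over the two constructed files
dir=$(mktemp -d); write_sample_confs "$dir"
check_ssmtp_conf "$dir/weak.conf" || echo "weak.conf: $? finding(s)"
check_ssmtp_conf "$dir/hardened.conf" && echo "hardened.conf: clean"
rm -rf "$dir"
```

Run it against the real /etc/ssmtp/ssmtp.conf with `check_ssmtp_conf /etc/ssmtp/ssmtp.conf` once the steps above are done; a non-zero return is the count of things still to fix.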

With reference to:
http://raftaman.net/?p=591
http://raftaman.net/?p=247
http://wiki.freebsd.org/SecureSSMTP
http://www.scottro.net/qnd/qnd-ssmtp.html
http://archive09.linux.com/feature/132006
http://linux.die.net/man/5/ssmtp.conf
http://linux.die.net/man/1/mail
