Cover V11, I12

Article
Figure 1
Figure 2

dec2002.tar

qmail SMTP Authentication Using RADIUS

Blair Rampling

Most ISPs provide a certain range of services to local users including Web, incoming mail and DNS for hosting customers, and Internet access and outgoing mail for connectivity customers. While working at a mid-sized ISP, I ran across a problem where a set of users required mail relaying but there was no apparent solution. We began using an outsourced service that allowed users to dial up to servers anywhere in the world for Internet connectivity and authenticate to a set of RADIUS servers at our data center, thus giving us control of user names and passwords. The problem was that these users required both incoming and outgoing mail services.

Incoming (POP3) mail was no problem because authentication is standard, but our method of providing SMTP was based on the client IP address. The clients accessing our systems through the outsourced dial-up service used a variety of IP address ranges owned by the outsourcing company. If we included these addresses, anyone with access to the dial-up service would have access to our SMTP servers, regardless of whether they were actually customers of our ISP. If we excluded the dial-up service IP addresses, our own customers could not access the SMTP servers through dial-up. We needed a way to directly authenticate access to SMTP.

A solution was found by patching qmail (our standard SMTP server) with a special version of qmail-smtpd.c, which was meant to use the qmail checkpassword program to verify user identities. A special patch to checkpassword, called radcheckpassword, was used to provide RADIUS authentication to the SMTP daemon. You must have a working RADIUS server to use these patches, and not all mail clients support outgoing mail authentication. qmail SMTP relaying works by requiring one of two things. Either the recipient mail domain must be in the rcpthosts file, meaning the domain is hosted on the local server, or the RELAYCLIENT environment variable must be set. Typically this is done based on the client IP address. With the changes made in this article, the qmail SMTP daemon uses an external program to allow or disallow relaying, in this case radcheckpassword.

To set up a qmail SMTP server to use RADIUS authentication, you must have the following (and you may need other packages for your environment):

  • qmail 1.03 source code: ftp://anonymous:@cr.yp.to/software/qmail-1.03.tar.gz
  • checkpassword-0.81 source code: ftp://anonymous:@cr.yp.to/software/checkpassword-0.81.tar.gz
  • Modified qmail-smtpd patch file: http://members.elysium.pl/brush/qmail-smtpd-auth/
  • Radcheckpassword 0.1 patch: http://www.tic.ch/e-image/andrew/software/radcheckpassword/

To begin, download qmail 1.03 and checkpassword and unpack them into a directory. (More information on qmail and checkpassword can be found at http://www.qmail.org). Download the AUTH patch (modified qmail-smtpd patch) file, and the radcheckpassword patch and unpack them as well. It is useful to unpack all of these files in the same directory (such as /usr/src).

The first step is to compile the radcheckpassword program. Note that the current version of checkpassword is 0.90, but you need chkpassword-0.81 for the radchkpassword-0.1 patch. Change to the radcheckpassword-0.1 directory and be sure to read the README file in this directory. It contains some platform-specific changes that must be made if you are not running a Linux system. You also need to edit the Makefile in the radcheckpassword-0.1 directory to reflect the location of the checkpassword source code (it assumes the directory /usr/local/src/checkpassword-0.81).

When you are ready to compile, change to the radcheckpassword-0.1 directory and type make radcheckpassword. Be sure you have root privileges and type make install to install the application. The default installation directory is /usr/local/bin. Note that if you intend to use a service type in your RADIUS database other than Login-User, you must modify the radcheckpassword.c file, as shown in Listing 1.

Install and Configure qmail

qmail has a number of requirements to meet before you can begin to build the software from source. Switch to the directory that contains the qmail software. Read the INSTALL file and follow the procedures. The first step is to create a directory for qmail, typically /var/qmail. Second, you must read the INSTALL.ids file. This file guides you through creating the necessary user groups and accounts for the operation of qmail. This process varies depending on your operating system.

You are now ready to start building the software. Be sure you are in the directory that contains the AUTH patch. Patch the qmail-smtpd.c file using the following commands:

cp README.auth base64.c base64.h ../qmail-1.03
patch -d ../qmail-1.03 < auth.patch
Compile qmail by changing to the qmail-1.03 source directory and typing make setup check. You should now read the INSTALL.ctl and FAQ files to learn how to configure qmail.

The simplest way to configure is to run the ./config script. This script will attempt to determine the fully qualified hostname of your system and configure the files. If it cannot find the systems hostname, you must manually configure the <qmail>/control/me file. This file must contain only the fully qualified hostname of the system.

You must also have a file in /var/qmail/control called rcpthosts. This file lists all the domains for which your mail server will receive mail. If this is an SMTP-only server, this file will be empty but it must exist. If this file is missing, then your server will be an open SMTP relay.

Follow the instructions in the INSTALL file until you reach the step where you add qmail-smtpd to the inetd.conf file. This step will differ from the default configuration. Add this line to your inetd.conf instead:

smtp stream tcp nowait qmaild /var/qmail/bin/qmail-smtpd \
  your.mail.domain /usr/local/bin/radcheckpassword /bin/true
  
Configure RADIUS

Once you have completed the steps in the INSTALL file, you can configure the /etc/radius.conf file. The configuration of the radius.conf file may be different on different operating system but is usually configured as follows:

Server     Shared Secret     Timeout     Retries
For example:

#example radius.conf file
radius1.domain.tld secretcode
radius2.domain.tld secretcode
Be sure that your RADIUS server is now configured. You must add each user to the RADIUS database and configure their service types as configured in the radcheckpassword.c file (shown in Listing 1). If you are using an existing RADIUS user database where the service type is something other than the default of Login-User, you can modify the radcheckpassword.c file with the new value and recompile radcheckpassword.

Configure the Client

Restart the system or run the qmail start script and kill -HUP the inetd service (first ensure that no other MTAs are running). qmail should now be running.

The next step is to configure the client. All clients are different, but typically you will specify the qmail server as the SMTP or outgoing mail server and enable outgoing authentication in the client. It is important to note again that not all clients support outgoing mail authentication. In Microsoft Outlook 2000, for example, you would select Accounts from the Tools menu, select the default account and click the Properties button. Click the Servers tab, ensure the modified qmail server is specified as the outgoing mail server, and select the "My server requires authentication" box (as shown in Figure 1). Click the Settings button next to "My server requires authentication" to open the Outgoing Mail Server dialog (as shown in Figure 2). Unless you are also using the same RADIUS server for incoming mail authentication, select "Log on using" and enter your user name and password.

Testing and Troubleshooting

Test your qmail smtp server by sending an email with the client configured to use outgoing authentication, and an email configured not to use authentication. The server should accept a message with authentication enabled and not accept a message when authentication is disabled. If the message does not go through with authentication enabled, check the following:

  • The user exists in the RADIUS database.
  • The password is correct.
  • The service type is correct according to the value in radcheckpassword.c (Login-User by default).
  • The RADIUS server is configured to allow the qmail server as a RADIUS client.
  • The RADIUS configuration is correct on the qmail server, including the server name or address and shared secret.
  • The inetd.conf entry is correct.

If the server is allowing all messages, check the following:

  • The /var/qmail/control/rcpthosts file exists and contains only the domains for which the mail server will receive messages (it will be empty in the case of a pure SMTP relay).
  • qmail is listening on port 25 and no other MTAs are running on the system.

By following the steps in this article, you can configure a qmail server to use RADIUS to authenticate SMTP mail relaying. Rather than anything new and groundbreaking, this is an example of using existing tools together in a way that they were never meant to be used to produce a required result. It is also possible to leave out the radcheckpassword patch and use the standard checkpassword utility to authenticate from a password file. Documentation on this can be found with the qmail AUTH patch.

Qmail Resource Sites

http://www.qmail.org
http://members.elysium.pl/brush/qmail-smtpd-auth/
http://www.tic.ch/e-image/andrew/software/radcheckpassword/
http://www.lifewithqmail.org/
http://www.palomine.net/qmail/relaying.html
Blair Rampling is the UNIX administrator in a mid-sized resource company. He has extensive Solaris experience as well as experience in Linux, Microsoft Windows, and even VMS.