This is my first post made on this blog and hopefully many more will follow. In this article I will show you how to configure your Ubuntu server to send you emails when someone runs sudo. We will use the sendmail Mail Transfer Agent and configure it to relay through Google Mail SMTP servers. Let’s get started.

In order to configure automatic emails when someone uses the sudo command, we first want to go ahead and do the following:

1. cd /etc/sudoers.d
2. sudo visudo

Next, we are going to verify the content of the sudoers file and make sure that this last line is present:

[Image: sudoers-line]

This will allow us to add local content to the sudoers.d directory rather than modifying this file, which is not considered best practice. Files that we add to the sudoers.d directory will now be included and processed.

The proper way to create files in the sudoers.d directory is to type the following:

3. sudo visudo -f /etc/sudoers.d/my_sudoers

You can always create a file by any other means, but you run the risk of corrupting your sudoers file unless you use the visudo command to make changes.

In this file that you have created add the following lines:

Defaults mail_always
Defaults mailerpath=/usr/sbin/sendmail
Defaults mailto="coolsite@13.58.165.98"
Defaults mailerflags="-t"

Note: The “mailto” line should be set to the email address where you want to receive emails when anyone executes the sudo command.

Here is a brief explanation of the flag used above as well as other ones that can be used:

mail_always: Send mail to the mailto user every time a user runs sudo.  This flag is off by default.

mail_badpass: Send mail to the mailto user if the user running sudo does not enter the correct password.  This flag is off by default.

mail_no_host: If set, mail will be sent to the mailto user if the invoking user exists in the sudoers file, but is not allowed to run commands on the current host.  This flag is off by default.

mail_no_perms: If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by default.

mail_no_user: If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file.  This flag is on by default.

4. Save the file when you are done and verify the permissions on the file which should be set to 0440:

[Image: mysudoers-permission]
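One way to script the checks from steps 3 and 4, as an added example that is not part of the original article. The audit_dropin helper and its second argument are hypothetical; the sample file is constructed. It also covers a case the steps above do not mention: sudo skips files in sudoers.d whose name contains a "." or ends in "~", so a drop-in saved as my_sudoers.conf would never send any mail.

```shell
#!/bin/sh
# Added example, not from the original article. audit_dropin is a hypothetical
# helper: it prints each problem and returns the number of problems found.
audit_dropin() {
    file=$1
    owner_uid=${2:-0}          # sudo expects root (uid 0) to own the file
    problems=0

    # sudo skips files in sudoers.d whose name contains "." or ends in "~".
    case $(basename "$file") in
        *.*|*~) echo "NAME: sudo will skip $(basename "$file")"
                problems=$((problems + 1)) ;;
    esac

    # Step 4 of the article: the file must be mode 0440.
    mode=$(stat -c '%a' "$file")
    if [ "$mode" != 440 ]; then
        echo "MODE: $mode (expected 440)"; problems=$((problems + 1))
    fi

    uid=$(stat -c '%u' "$file")
    if [ "$uid" != "$owner_uid" ]; then
        echo "OWNER: uid $uid (expected $owner_uid)"; problems=$((problems + 1))
    fi

    # Without mail_always only the triggers that are on by default send mail.
    if ! grep -Eq '^[[:space:]]*Defaults[[:space:]]+mail_always' "$file"; then
        echo "MAIL: mail_always is not set"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: the article's drop-in, once well named and once not.
demo_dir=$(mktemp -d)
printf '%s\n' 'Defaults mail_always' 'Defaults mailerpath=/usr/sbin/sendmail' \
    'Defaults mailerflags="-t"' > "$demo_dir/my_sudoers"
cp "$demo_dir/my_sudoers" "$demo_dir/my_sudoers.conf"
chmod 0440 "$demo_dir/my_sudoers" "$demo_dir/my_sudoers.conf"

audit_dropin "$demo_dir/my_sudoers" "$(id -u)" && echo "my_sudoers: ok"
audit_dropin "$demo_dir/my_sudoers.conf" "$(id -u)" || echo "my_sudoers.conf: $? problem(s)"
```

On the real server, call it as root without the second argument, for example audit_dropin /etc/sudoers.d/my_sudoers.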

5. You will need to install sendmail in order for emails to be sent to the specified address. Use the following command to do so.

sudo apt-get install sendmail

6. After you install sendmail, type the following command to go through the configuration.

sudo sendmailconfig

I left all my settings at the default and did not need to change anything. My answers were the default selected by the utility which should be yes.

7. Go ahead and cd to /etc/mail

Do the following:

mkdir auth
chmod 700 auth

Change to the “auth” directory and create a client-info file:

cd auth
touch client-info

8. In the new file created you need to add the following information:

AuthInfo:smtp.gmail.com "U:root" "I:username@gmail.com" "P:password" "M:PLAIN"
AuthInfo:smtp.gmail.com:587 "U:root" "I:username@gmail.com" "P:password" "M:PLAIN"

9. Let’s generate the Authentication database and make both files readable only by root

makemap hash client-info < client-info
chmod 600 client-info
chmod 600 client-info.db

Verify the permissions on the file:

[Image: clientinfo-permission]

We now need to configure TLS/SSL so that sendmail will be able to upgrade the SMTP connection by using the STARTTLS command.

10. The first step is to create our own certificate authority. I created the following in my home directory.

mkdir CA
cd CA
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt

Note:  These files are used by the CA to maintain its database of certificate files. The index.txt file must initially be completely empty, not even containing white spaces.

Let’s go ahead and copy the sample openssl configuration over to our directory so that we can use it.

cp /etc/ssl/openssl.cnf openssl.cnf

We now need to modify the sample openssl configuration to suit our needs:

nano openssl.cnf

I left mine at default values but changed the following line:

dir = "location where your CA directory is located"

[Image: openssl-config]

Let’s generate our certificate authority:

    • openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

Answer the questions as you are asked and make sure to remember the passphrase that you used as it will be needed in the future when you need to sign certificates with your CA.

11. With our certificate authority created we can now create our own certificates

    • cd CA        (previous directory that we created)
    • openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.cnf

12. We can now sign our new certificate with the certificate authority:

Note: The certificate and private key are in file newreq.pem

    • cd CA        (previous directory that we created) 
    • openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem 
    • openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem 
    • rm -f tmp.pem

Note: newcert.pem contains the signed certificate, and newreq.pem still contains the unsigned certificate and private key.
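Since the certificate and its private key end up in two different files, it is worth confirming that they belong together before pointing sendmail at them. The following is an added example, not part of the original article: check_tls_pair is a hypothetical helper, and the throwaway CA and certificate are constructed with a shorter openssl invocation than the one used in steps 10 to 12.

```shell
#!/bin/sh
# Added example, not from the original article. check_tls_pair is a
# hypothetical helper and needs the openssl command line tool.
# Returns 0 when KEY belongs to CERT and CERT verifies against CA.
check_tls_pair() {
    cert=$1 key=$2 ca=$3

    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read a certificate from $cert"; return 2; }

    # Fails when the file holds no private key, e.g. a certificate-only file.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read a private key from $key"; return 3; }

    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not belong to the certificate"; return 4; }

    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "certificate was not issued by $ca"; return 5; }

    # Key files should be readable by their owner only (mode 600 or 400).
    case $(stat -c '%a' "$key") in
        *00) ;;
        *) echo "private key is readable by group or others"; return 6 ;;
    esac
    echo "certificate, key and CA are consistent"
}

# Constructed throwaway CA and host certificate, for demonstration only.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
    -keyout "$demo/cakey.pem" -out "$demo/cacert.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mailhost' \
    -keyout "$demo/newreq.pem" -out "$demo/req.csr" 2>/dev/null
openssl x509 -req -in "$demo/req.csr" -CA "$demo/cacert.pem" \
    -CAkey "$demo/cakey.pem" -CAcreateserial -days 1 \
    -out "$demo/newcert.pem" 2>/dev/null
chmod 600 "$demo/newreq.pem"

check_tls_pair "$demo/newcert.pem" "$demo/newreq.pem" "$demo/cacert.pem"
# Passing the certificate file as the key is rejected with code 3.
check_tls_pair "$demo/newcert.pem" "$demo/newcert.pem" "$demo/cacert.pem" ||
    echo "rejected with code $?"
```

With the files from this article, the call from inside the CA directory would be check_tls_pair newcert.pem newreq.pem cacert.pem.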

13. We will now copy the ca-certificates.crt file over to our CA directory. This file contains the well-known root Certificate Authorities certificates so that we know who to trust.

cp /etc/ssl/certs/ca-certificates.crt ca-bundle.crt

14. The last thing that we want to do is to modify the sendmail.mc file located in your /etc/mail directory and add the following

FEATURE(`authinfo',`hash /etc/mail/auth/client-info.db')dnl
define(`SMART_HOST',`smtp.gmail.com')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')
define(`ESMTP_MAILER_ARGS', `TCP $h 587')  

define(`CERT_DIR', `/home/glenn/CA')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/ca-bundle.crt')
define(`confCRL', `CERT_DIR/ca-bundle.crt')
dnl The private key is in newreq.pem (step 12); newcert.pem holds only the signed certificate
define(`confSERVER_CERT', `CERT_DIR/newcert.pem')
define(`confSERVER_KEY', `CERT_DIR/newreq.pem')
define(`confCLIENT_CERT', `CERT_DIR/newcert.pem')
define(`confCLIENT_KEY', `CERT_DIR/newreq.pem')

define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')

Note: Your CERT_DIR will be different from mine, unless you are also named Glenn 😀

Make sure that all of this goes before the:

MAILER_DEFINITIONS

15. We will now update sendmail.cf using the following command:

m4 sendmail.mc > sendmail.cf

16. Let’s go ahead and restart the sendmail daemon:

service sendmail restart

17. If everything is successful, you should see the following warnings in the Gmail account that you are using for SMTP. Make sure that you add the exception after clicking on the link; otherwise it will not work.

[Images: gmail-notification, gmail-email]

Thank you for taking the time to read this article. See you around next time.
