(2000-03-23) If you use sendmail 8.10.0 as client for SMTP AUTH, please read the security warning.
Make sure the libraries are installed in a location which sendmail uses on your system by default. The libraries must be "safe", i.e., they should be owned by root and only writable by that user. As usual, the whole path must be safe too.
Next, create a configuration file called Sendmail.conf if needed/wanted.
(SASLv1) Create a sasldb password file using saslpasswd if you use any mechanism (CRAM-MD5, DIGEST-MD5, PLAIN if pwcheck_method: sasldb is used in the .conf file) that requires it.
(SASLv2) Create a sasldb2 password file using saslpasswd2 if you use any mechanism (CRAM-MD5, DIGEST-MD5, PLAIN if pwcheck_method: auxprop is used in the .conf file) that requires it.
BTW: sendmail requires sasldb[2] to be owned by root or the trusted user and not be readable by anyone else since the file contains sensitive data (shared secrets). If there is a conflict with other applications that need to read it too, you can try a trick.
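The "safe file" requirement above (trusted owner, no group/world write bit on the file or any directory in its path, secrets readable by the owner only) can be checked before sendmail is even started. The following is an added example, not code from sendmail or Cyrus SASL; the stop_at parameter and the demo() scenario are constructed so that it runs inside a temporary directory.

```python
import os
import shutil
import stat
import tempfile

# Added example, not part of the sendmail documentation: a defender-side check
# that mirrors what sendmail calls a "safe" file for sasldb[2] and the SASL
# libraries: every path component is owned by a trusted uid and not group/world
# writable, and the secret file itself is readable by its owner only.

def unsafe_reasons(path, trusted_uids=(0,), stop_at=None):
    """Return the reasons `path` would be rejected (empty list when it is safe).
    `stop_at` (hypothetical parameter, for testing in a temp directory) bounds
    the upward walk; with None the walk continues to the filesystem root."""
    reasons = []
    cur = os.path.abspath(path)
    stop = os.path.abspath(stop_at) if stop_at else None
    while True:
        st = os.lstat(cur)
        if st.st_uid not in trusted_uids:
            reasons.append(f"{cur}: owned by uid {st.st_uid}, not a trusted user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{cur}: group/world writable")
        parent = os.path.dirname(cur)
        if cur == stop or parent == cur:
            break
        cur = parent
    # The password database holds shared secrets: nobody but the owner may read it.
    if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        reasons.append(f"{path}: readable by group/others (shared secrets exposed)")
    return reasons

def demo():
    """Constructed scenario: a correctly protected sasldb2 next to a leaky one."""
    base = tempfile.mkdtemp()
    me = os.getuid()  # stands in for root/the trusted user inside the sandbox
    good_dir, bad_dir = os.path.join(base, "good"), os.path.join(base, "bad")
    for d, mode in ((good_dir, 0o755), (bad_dir, 0o777)):
        os.mkdir(d)
        os.chmod(d, mode)
    good, bad = os.path.join(good_dir, "sasldb2"), os.path.join(bad_dir, "sasldb2")
    for f, mode in ((good, 0o600), (bad, 0o644)):
        with open(f, "w") as fh:
            fh.write("constructed secret\n")
        os.chmod(f, mode)
    result = {"good": unsafe_reasons(good, (0, me), stop_at=base),
              "bad": unsafe_reasons(bad, (0, me), stop_at=base)}
    shutil.rmtree(base)
    return result
```

On a real system call unsafe_reasons("/etc/sasldb2") without stop_at so the whole path is walked, as sendmail does.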
Add
APPENDDEF(`confENVDEF', `-DSASL')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl')
for Cyrus SASLv1 or
APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
for Cyrus SASLv2 to your site.config.m4 (or OS specific) file in devtools/Site. You may need to set:
APPENDDEF(`confLIBDIRS', `-L/PATH/TO/SASL/lib')
APPENDDEF(`confINCDIRS', `-I/PATH/TO/SASL/include')
If you have a SASL library version before 1.5.10, then you should upgrade. Otherwise you have to set the value for SASL to the version number of the SASL library you use, using a simple conversion: a.b.c -> c + b*100 + a*10000, e.g. 1.5.5 -> 10505:
APPENDDEF(`confENVDEF', `-DSASL=10505')
Run
sendmail -d0.1 -bv root | grep SASL
and make sure SASL appears in the output. Otherwise go back to compiling sendmail and make sure your site.config.m4 is really used.
Start the sendmail daemon, connect to it and see whether it comes up with 250-AUTH in the EHLO response:
% telnet localhost 25
Trying 127.0.0.1...
Connected to localhost
Escape character is '^]'.
220 local.sendmail.ORG ESMTP Sendmail 8.10.0/8.10.0; Thu, 9 Sep 1999 10:48:44 -0700 (PDT)
ehlo localhost
250-local.sendmail.ORG Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP
quit
If it doesn't, check your logfile whether any security problems are listed (unsafe files). If this doesn't reveal any problems, increase the LogLevel to 13 and try again.
Examples of problems in the logfile:
-rw-r--r--  51240 Mar 11 20:28 libdigestmd5.a
-rwxr-xr-x    894 Mar 11 20:28 libdigestmd5.la*
lrwxr-xr-x     17 Mar 11 20:28 libdigestmd5.so@ -> libdigestmd5.so.0
-rwxr-xr-x  56056 Mar 11 20:28 libdigestmd5.so.0*
If not, you may run a script to create the links.
You can also set the environment variable SASL_PATH, see the Cyrus SASL docs. In sendmail, you can use
LOCAL_CONFIG
ESASL_PATH=/PATH/TO/lib/sasl
Some tips if authentication still fails:
sendmail -O LogLevel=14 -bs -Am
EHLO localhost
QUIT
and then check the logfile: it must have an error now for that file. If it doesn't, then your configuration is wrong (check your parameters for configure (SASL) and all the paths).
(strings or od -c) and checking that the names of those mechanisms appear in the file.
There are some options for the .cf (.mc) file which you may want to change from their default values:
admin
admin
MySecretPassword
example.domain
Notes: all data is case sensitive (usually) and the entire line is used in each case (including any white space!).
Security Warning: sendmail 8.10.0 uses this data when sending e-mail and tries to authenticate against every server that offers SMTP AUTH. This may reveal the secret if the other side offers a plaintext authentication mechanism. Make sure the secret is not a real password used for an account somewhere. sendmail 8.10.1 minimizes this problem.
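The warning above comes down to a client-side decision: which of the mechanisms announced in the server's 250-AUTH line may be used, given whether the connection is encrypted. The following is an added example, not code from sendmail; the first EHLO reply is the one from the telnet session shown earlier on this page, the second is constructed, and the preference list mimics a confAUTH_MECHANISMS setting.

```python
# Added example, not code from the sendmail documentation: parse the EHLO reply
# and apply the client-side rule the warning above implies, i.e. never offer a
# secret to a plaintext mechanism unless the connection is already encrypted.

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# EHLO reply taken from the telnet session shown earlier on this page.
EHLO_SENDMAIL = """250-local.sendmail.ORG Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP"""

# Constructed reply from a server that only offers plaintext mechanisms.
EHLO_PLAINTEXT_ONLY = """250-mail.example.net Hello client [192.0.2.10]
250-AUTH PLAIN LOGIN
250 HELP"""

def offered_auth_mechs(ehlo_reply):
    """Return the mechanisms announced in the 250-AUTH line(s), upper-cased."""
    mechs = []
    for line in ehlo_reply.splitlines():
        # EHLO keywords: "250-KEYWORD params", or "250 KEYWORD params" on the last line.
        if len(line) > 4 and line.startswith("250") and line[3] in "- ":
            words = line[4:].split()
            if words and words[0].upper() == "AUTH":
                mechs.extend(w.upper() for w in words[1:])
    return mechs

def choose_mechanism(offered, client_mechs, tls_active):
    """Pick the first entry of the client's preference list (the order given in
    confAUTH_MECHANISMS) that the server offers. Plaintext mechanisms are only
    acceptable under TLS; None means: do not authenticate against this server."""
    for mech in client_mechs:
        mech = mech.upper()
        if mech not in offered:
            continue
        if mech in PLAINTEXT_MECHS and not tls_active:
            continue
        return mech
    return None
```

With a preference list that ends in LOGIN PLAIN, the plaintext-only server gets no credentials over a cleartext connection, which is exactly the leak sendmail 8.10.0 did not prevent.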
sendmail 8.12 (and later) offers a significantly better way to specify the client authentication information. See cf/README, section SMTP AUTHENTICATION, for details. Notice: the default 8.12 configuration file causes the option DefaultAuthInfo to fail since the ruleset authinfo is in the .cf file. If you really want to use DefaultAuthInfo (it is deprecated) then you have to remove the ruleset.
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth/auth-info')dnl
FEATURE(`no_default_msa')dnl turn off default entry for MSA
DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')dnl
The ruleset trust_auth is used to decide whether the client's authentication identifier (authid) is trusted to act as (proxy for) the requested authorization identity (userid). The provided rules allow authid to act for userid if both are identical and they disallow it if the authentication failed. The ruleset Local_trust_auth can be used to provide further tests. As usual, it can either return the error mailer ($# error) to disallow proxying or $# OK to allow proxying.
New macros for SMTP AUTH are {auth_authen}, {auth_author}, and {auth_type}, which hold the client's authentication credentials (authid), the authorization identity (userid) (i.e., the AUTH= parameter of the MAIL command, if supplied), and the mechanism used for authentication.
my.domain    RELAY
in the access map, then remove the entry from class R (/etc/mail/relay-domains) and use
To:my.domain    RELAY
in the access map.
Requiring SMTP AUTH for all mails is in general a bad idea, because then you cannot receive mails from other users (since they cannot authenticate). So you must do this only on a server that is solely intended for your own users to send mail, not for a publicly advertised (via MX records) server.
If you are using sendmail only to transfer e-mail from your local computer to a mail server that requires SMTP AUTH, follow these instructions. They assume that sendmail 8.12 or later, and other software, is already installed on your computer. You should probably be logged in as root to perform these steps.
# mkdir auth
# chmod 700 auth
Create the file auth/client-info with the line
AuthInfo:your.isp.net "U:root" "I:user" "P:password"
filling in your ISP's mail server, your user name, and your password. (Note: Earthlink, and perhaps other ISPs, requires your full e-mail address as a user name.)
# cd auth
# makemap hash client-info < client-info
# chmod 600 client-info*
# cd ..
Add to sendmail.mc:
define(`SMART_HOST',`your.isp.net')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
# m4 sendmail.mc > sendmail.cf
# kill -HUP `cat /var/run/sendmail.pid`
6. PLAIN SASL mechanism
Clear-text passwords are simple, interoperate with almost all existing operating system authentication databases, and are useful for a smooth transition to a more secure password-based authentication mechanism. The drawback is that they are unacceptable for use over an unencrypted network connection. If you use it anyway, and you use Netscape as MUA, then in some cases you may want to turn it off; add
user_pref("mail.auth_login", false);
to Netscape's preferences file.
Cyrus SASL 2.1.13 - 2.1.17 broke EXTERNAL, 2.1.18 will have a fix (maybe check the CVS server for Cyrus SASL if you need the patch before 2.1.18 is released).
Warning: If you have a Cyrus SASL version older than 1.5.15, make sure you compile the plugins without any encryption, e.g., DIGEST-MD5 without DES etc. sendmail 8.10 does not support encryption within SASL. If the SASL plugins negotiate a security layer, sendmail 8.10 won't be able to talk to the other side if that switches to the encrypted channel. This is a problem with Cyrus SASL which doesn't obey the maximum security settings of sendmail. You may want to apply a patch to plugins/digestmd5.c (1.5.13).
Ken Murchison gave us a patch to support Cyrus-SASL v2 (unofficially available since 8.12.4).