belranjan


step by step sendmail SMTP AUTHENTICATION in linux 7.3 and linux 9

Step-by-step information for configuring sendmail SMTP AUTHENTICATION on Linux 7.3 and Linux 9.

jlevie

By the reference to "linux 7.3 and linux 9" I'd guess you are talking about RedHat 7.3 & 9. The procedures are similar for both of those versions, but not identical since 7.3 uses cyrus-sasl-1.5.24/sendmail-8.11.6 and 9 uses cyrus-sasl-2.1.10/sendmail-8.12.8.

The first step is to configure sendmail to do authentication and that's accomplished by editing /etc/mail/sendmail.mc and including:

define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

The next step is to edit Sendmail.conf and specify an auth mechanism. For Sendmail to be able to use the secure mechs in addition to LOGIN & PLAIN the auth mechanism must be a SASL DB or LDAP. Since SASL DB is the easiest that's the one I'm showing here. That does mean that you must create sasldb auth information for each user. This is all Cyrus SASL version dependent, as follows:

RedHat 9:

file: /usr/lib/sasl2/Sendmail.conf
contents: pwcheck_method:auxprop
sasldb commands: saslpasswd2 (create/delete auth info) sasldblistuser2 (list auth info)

RedHat 7.3:

file: /usr/lib/sasl/Sendmail.conf
contents: pwcheck_method: sasldb
sasldb commands: saslpasswd (create/delete auth info) sasldblistuser (list auth info)

Create at least one user in sasldb (so /etc/sasldb2 or /etc/sasldb exists) then rebuild sendmail.cf and restart sendmail.

More information about SMTP AUTH can be found at http://www.sendmail.org/~ca/email/auth.html and information about SASL is available at http://asg.web.cmu.edu/sasl/
belranjan

ASKER

I find this line in my sendmail configuration in sendmail.mc.

dnl define(`confAUTH_OPTIONS', `A p')dnl

dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     make -C /usr/share/ssl/certs usage
dnl #

What do I have to edit in sendmail.mc now? I also looked in /usr/lib/sasl2; there is no sendmail.conf file present.
Change:

dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

to:
define(`confAUTH_OPTIONS', `A p')dnl
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

/usr/lib/sasl2/Sendmail.conf won't exist until you create it. Note that it is Sendmail.conf, not sendmail.conf.
This is what I get when I run your command. I created sendmail.conf in /usr/lib/sasl2/

[root@mail2 sasl2]# contents: pwcheck_method:auxprop
-bash: contents:: command not found
[root@mail2 sasl2]# saslpasswd2 (create/delete auth info) sasldblistuser2 (l
ist auth info)
-bash: syntax error near unexpected token `create/delete'
file: /usr/lib/sasl2/Sendmail.conf
contents: pwcheck_method: auxprop
sasldb commands: saslpasswd2 (create/delete auth info) sasldblistuser2 (list auth info)

Wasn't meant to be taken as literal commands. I was trying to show the differences between the RH 9 and RH 7.3 implementations in a clear and concise manner.

You must create the "file:" /usr/lib/sasl2/Sendmail.conf with an editor and place the "contents:" of pwcheck_method: auxprop in that file. In a like manner the "sasldb commands:" of interest are saslpasswd2, used for creating and deleting user information, and sasldblistusers2, used to list out the contents of sasldb. See 'man saslpasswd2' and 'man sasldblistusers2' for more information.
1. I changed the line in sendmail.mc from `EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN' to `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
2. I have created a file sendmail.conf in /usr/lib/sasl2/.
3. I entered "pwcheck_method: auxprop" in /usr/lib/sasl2/sendmail.conf using vi.
4. I regenerated sendmail.cf by using " m4 sendmail.mc < /etc/mail/sendmail.cf "
5. Restarted sendmail.

6. [root@mail2 sasl2]# saslpasswd2 -c helpdesk
    Password:
    Again (for verification):

7. I am not getting this command:
    root@mail2 sasl2# sasldblistuser2
    -bash: sasldblistuser2: command not found

8. What do I have to do now?
I would suggest a restart of sendmail since /etc/sasldb2 didn't exist when you restarted sendmail after rebuilding the sendmail.cf. But otherwise you should be "good to go". A connection to the SMTP port and the transmission of an EHLO or HELO should result in sendmail listing out the auth methods it has available. That would look something like:

chaos> telnet praetorian.entrophy-free.net 25
Trying 10.1.0.254...
Connected to praetorian.entrophy-free.net.
Escape character is '^]'.
220 praetorian.entrophy-free.net ESMTP Sendmail 8.12.10/8.12.10; Tue, 2 Mar 2004 05:46:16 -0600
EHLO chaos.entrophy-free.net
250-praetorian.entrophy-free.net Hello chaos.entrophy-free.net [10.1.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 50000000
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
 QUIT

The "250-AUTH DIGEST-MD5 CRAM-MD5" indicates that sendmail has those auth mechs available.

sasldblistuser2 is another typo on my part the real command is sasldblistusers2, sorry.
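As an added example that is not part of this thread, the following Python audit parses an EHLO reply like the one jlevie pasted above and reports which AUTH mechanisms are advertised, whether PLAIN/LOGIN are exposed before STARTTLS (what the `p` in confAUTH_OPTIONS `A p' prevents), and whether STARTTLS is offered at all. The sample reply is copied from the telnet session above; the audit_live helper, built on the standard smtplib module, is my addition.

```python
import re
import smtplib

# EHLO reply copied from jlevie's telnet session above, kept as a constructed
# sample so the audit runs offline.
SAMPLE_EHLO = """250-praetorian.entrophy-free.net Hello chaos.entrophy-free.net [10.1.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 50000000
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP"""

# Mechanisms that send the password in the clear; sendmail's confAUTH_OPTIONS
# `p' flag withholds them until a security layer (STARTTLS) is active.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(text):
    """Map each EHLO keyword to its parameter string ("" when it has none)."""
    features = {}
    for line in text.splitlines():
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line.strip())
        if m:
            features[m.group(1).upper()] = (m.group(2) or "").strip()
    return features


def audit_auth(features, tls_active=False):
    """Return (advertised mechs, list of findings) for one parsed EHLO reply."""
    mechs = features.get("AUTH", "").split()
    findings = []
    if not mechs:
        findings.append("no AUTH advertised: check confAUTH_MECHANISMS in sendmail.cf and that sasldb exists, then restart sendmail")
    exposed = sorted(PLAINTEXT_MECHS.intersection(mechs))
    if exposed and not tls_active:
        findings.append("plaintext mechs %s offered before STARTTLS; set confAUTH_OPTIONS `A p'" % ",".join(exposed))
    if "STARTTLS" not in features:
        findings.append("STARTTLS not offered: CRAM-MD5/DIGEST-MD5 hide the password but the session itself is unencrypted")
    return mechs, findings


def audit_live(host, port=25):
    """Same audit against a running server; smtplib lowercases EHLO keywords."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        features = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    return audit_auth(features)
```

Run audit_live against your own server from a host on the LAN to confirm the 250-AUTH line matches the mechanisms you configured in sendmail.mc.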
This is what I am getting. If I send a mail from Outlook it is not asking for the SMTP username/password.

[root@tnqmail2 test]# telnet 10.0.2.32 25
Trying 10.0.2.32...
Connected to 10.0.2.32.
Escape character is '^]'.
220 mail2.mail.co.in ESMTP Sendmail 8.12.8/8.11.6; Tue, 2 Mar 2004 18:56:
12 +0530
EHLO 10.0.2.32
250-mail2.mail.co.in Hello mail2 [10.0.2.32], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

Sendmail doesn't "ask for a password", the client must be configured for SMTP AUTH. What SMTP AUTH does is to bypass the anti-relay provisions allowing an authenticated user to relay mail through the server. Typically one uses SMTP AUTH to allow roaming users relay access through the mail server without making the server a promiscuous or open relay (which can lead to the server becoming blacklisted).

Were you expecting something else from SMTP AUTH?
I am using Outlook Express as the client. I have not enabled any auth in Outlook. But if I send a mail, it goes. But what I thought was that the mail should not go, because I have not enabled SMTP AUTH.
ASKER CERTIFIED SOLUTION
jlevie

Why I asked this question about SMTP AUTH: I am running Linux 7.3 as a mail server. It integrates with Trend Micro VirusWall. It is configured as a sandwich connection.
When I upgraded from Linux 7.3 to 9, I was not able to integrate with Trend Micro VirusWall (i.e. the sandwich configuration). But it is configured with port 25.
But it makes the mail server an open relay. So what I thought was to make Linux 9 use SMTP AUTH; it prevents open relay.
Is there any solution to prevent open relay?
I think I understand what your problem is. Right now your mail path looks like:

  Internet <-> VirusWall <-> Sendmail

and any test of your mail server indicates that it is an open relay. It probably isn't actually an open relay if Sendmail is properly configured but any test for an open relay will indicate otherwise. That's because VirusWall doesn't have "knowledge" of your domain and users and just relays everything it receives to your sendmail server. This sort of problem is found in many of the other "pass through" anti-virus or anti-spam filters.

While it is possible to convince a reputable black list site that your server isn't really an open relay and get your server removed from a black list, that's a battle that never ends in my experience. I don't recommend that sort of anti-virus/anti-spam filter to anyone because of that. When I've encountered this sort of situation and can't change the filter method to something like MailScanner I'll place another box with sendmail configured as a relay in between the mail server and the Internet.

SMTP AUTH can't help in this case because it is the VirusWall product that appears to be the open relay.
I think the solution is to change the product used for VirusWall.
Is there any testing software I can use, before connecting to the Internet, to test my mail server for open relay?
Damn,
I am still getting this error:

sendmail[1032]: unrecognized plaintext verifier saslauthd

mail.uog.edu.gy