Sendmail SMTP configuration question

Posted on 2004-03-25
43,797 Views
Last Modified: 2012-05-04
Hi All,

Ok, I'm trying to secure up sendmail's relaying capability.

Here's what I want to do:

Have local users on the network be able to send email thru my email server.

Have remote users on other networks that have local email addresses send email thru my server.  - Remote users must use username/password to be able to have email relayed thru my email server.  Most remote clients will be using Outlook Express, a few using Outlook 2000.

Problem:  I can't get it to work right.  I have sasl installed, and have added a dummy user to the database named tom.  He can pop his email, but he can't send email thru Outlook Express on an external network.  It comes up prompting for a username and password, but all I get are failures...

here is the error I'm getting in my messages:

Mar 25 10:41:33 mail saslauthd[30740]: do_auth         : auth failure: [user=tom] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

here are the relevant lines in sendmail.mc...

define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #

I know I am fairly close to the solution, but I am just doing something simple wrong.  Any help would be most appreciated.

On a side note - I'm also having to come into sendmail's smtp vi port 587 on my client instead of 25, I don't know why but it won't respond on port 25 to external hosts at all.  I know the firewall isn't blocking it, I've checked several times.

Thanks in advance.
13 Comments
 
LVL 8

Expert Comment

by:da99rmd
ID: 10686590
> On a side note - I'm also having to come into sendmail's smtp vi port 587 on my client instead of 25, I don't know why but it won't respond on port 25 to external hosts at all.

Is this to send mail or to receive mail?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 10689753
It would be most helpful to know what Linux you are using.

A common problem on a RedHat or Fedora system with Sendmail is if you fail to remove the localhost security restriction from /etc/mail/sendmail.mc by commenting out the line that reads:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

after that sendmail.cf must be rebuilt and sendmail restarted. Then check to be sure that Sendmail is listening on the machine's IP by trying a 'telnet mail-hostname 25' from another machine on the local LAN. If that works and you get an SMTP welcome banner you know that the mail server and sendmail are listening for connections. Next try the same from an Internet site. If you don't get the banner either your local firewall needs tweaking or your ISP is blocking connections on 25/TCP.

It really isn't a good idea to use saslauthd as a mech if you have Internet users. That limits the authentication method to be PLAIN or LOGIN and thus exposes the user's password to anyone that can sniff the traffic. For security PLAIN & LOGIN should only be used within an encrypted connection. As far as Sendmail is concerned you can change /usr/lib/sasl/Sendmail.conf to use auxprop instead of saslauthd and create user auth information for each user with saslpasswd2. Then you can tell Sendmail to only offer DIGEST-MD5 or CRAM-MD5. Most modern email clients support those.

The same issue arises with POP or IMAP if you aren't using the Cyrus or Courier IMAP server. The UW-IMAP only can authenticate against the system passwd/shadow files and that exposes the plaintext password to a sniffer. Cyrus & Courier can be configured to use sasldb via auxprop and be restricted to the secure methods. Otherwise you should only offer POP or IMAP via an encrypted connection.
0
 
LVL 1

Author Comment

by:navigator010897
ID: 10695071
Well, I'm still having a problem.

I am using Fedora version of redhat.

The daemon setting about 127.0.0.1 I had already taken care of - I am pretty sure right now that there is a firewall somewhere between this box and the net that is causing a problem with regard to port 25, so I'll have to deal with that part on Monday.

I am still having trouble with the authentication tho for outbound email.

In outlook express, I get the standard:

The message could not be sent because the server rejected the sender's e-mail address. Protocol: SMTP, Server Response: '530 5.7.0 Authentication required', Port: 587, Secure(SSL): No, Server Error: 530, Error Number: 0x800CCC78

I have tried adjusting the Sendmail.conf file - but I could only find it in the sasl2 directory under /usr/lib, not the sasl directory.

Also, do I need to run another daemon for auxprop, or how does it work?

I'm also not sure if I'm sending the correct command line entries to saslpasswd2...

I'm creating a test user with:

saslpasswd2 -c tom

But I am also not sure if sendmail is querying auxprop....
0
 
LVL 1

Author Comment

by:navigator010897
ID: 10695127
I was wondering if the problem was related to what machines are allowed to relay?  Since we want remote clients to be able to send mail even if they are on different ip addresses, we want to make sure relaying is restricted to user/pw authentication..  
0
 
LVL 40

Expert Comment

by:jlevie
ID: 10696012
Typo on my part... I meant /usr/lib/sasl2/Sendmail.conf. No extra daemon is needed for auxprop, just the SASL2 db that has had entries created with saslpasswd2.

For the moment I'd suggest switching sendmail back to the standard SMTP port. I'm not sure if using 587 might create a problem or not. Since you can't at the moment authenticate a remote user, it is of little importance that something is blocking inbound connections on port 25. And since that has to be solved before you can receive mail from Internet sites I see no reason to even try 587.

One thing that can cause problems with SMTP AUTH is if the networking config doesn't follow Unix, as opposed to RedHat conventions. The hostname of the machine must be the FQDN and be set that way in /etc/sysconfig/network (HOSTNAME=my-mail.my-domain.tld) and the hosts file has to look like:

127.0.0.1         localhost.localdomain localhost
123.4.5.6         my-mail.my-domain.tld  my-mail

The hostname can't change after sendmail starts or there'll be problems. You can check to see that sendmail is using the correct hostname by 'telnet localhost 25' and noting what it claims its hostname is. Typing "HELO my-mail.my-domain.tld" will show you what options, including the list of AUTH methods, your sendmail is offering. After verifying the hostname that sendmail is using is correct, check the SASL DB for the correct auth info by executing "sasldblistusers2". You should see "user@my-mail.mydomain.tld: userPassword" entries. If the hostname in the sasldblistusers2 output doesn't match the hostname sendmail is using you won't be able to authenticate.

It won't hurt and may help to make /etc/sasldb be owned by root, group mail to ensure that Sendmail can read the sasldb.
0
 
LVL 1

Author Comment

by:navigator010897
ID: 10696674
Ok, I found my mistake on the port 25.

I am currently working from home on my own t1, and my firewall with regard to this particular computer blocks port 25 traffic to all but one specific server to handle my email, I changed it to access this other server, and that solved that problem.

I have new data though with regard to my problem - it's almost appearing as if it isn't authenticating - it is just rejecting the relay based upon my IP address - which in most cases would be fine for security, but I am needing it to pay attention to the authenticated username / password for relaying.  The error from an OE client now looks like...

Protocol: SMTP, Server Response: '550 5.7.1 <tony@anotherdomain.tld>... Relaying denied. IP name lookup failed [65.171.152.134]', Port: 25, Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC79

I don't see why it won't authenticate.  Here is what is showing in my maillog...

Mar 27 18:27:11 mail sendmail[2860]: i2S0RBXr002860: ruleset=check_rcpt, arg1=<tony@anotherdomain.tld>, relay=[65.171.152.134], reject=550 5.7.1 <tony@anotherdomain.tld>... Relaying denied. IP name lookup failed [65.171.152.134]
Mar 27 18:27:11 mail sendmail[2860]: i2S0RBXr002860: from=<tom@mydomain.tld>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[65.171.152.134]

It doesn't seem to test at all.
0
 
LVL 40

Accepted Solution

by:
jlevie earned 1000 total points
ID: 10696786
Protocol: SMTP, Server Response: '550 5.7.1 <tony@anotherdomain.tld>... Relaying denied. IP name lookup failed [65.171.152.134]', Port: 25, Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC79

That says to me that authentication isn't being attempted. How about trying the telnet test to see if AUTH methods are being offered? On my mail server it looks like:

chaos> telnet praetorian.entrophy-free.net 25
Trying 10.1.0.254...
Connected to praetorian.entrophy-free.net.
Escape character is '^]'.
220 praetorian.entrophy-free.net ESMTP Sendmail 8.12.10/8.12.10; Sat, 27 Mar 2004 19:15:17 -0600
EHLO chaos.entrophy-free.net
250-praetorian.entrophy-free.net Hello chaos.entrophy-free.net [10.1.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 50000000
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
QUIT
And the relevant portion of sendmail.mc looks like:
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

There's no point in including EXTERNAL or GSSAPI using auxprop and sasldb and having them present can confuse some clients. The auth mech in /usr/lib/sasl2/Sendmail.conf looks like:

pwcheck_method: auxprop

And sasldblistusers2 returns entries like:

jim@praetorian.entrophy-free.net: userPassword
0
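An added check, not code from the thread or from Sendmail itself, that parses an EHLO reply like the transcript above and models what a client that only speaks LOGIN (as Outlook Express does here) can negotiate when confAUTH_OPTIONS is `A p` versus `A` on a link without STARTTLS. SAMPLE_EHLO is constructed from the transcript; `probe()` is an assumed helper that uses Python's smtplib to fetch the live AUTH list from your own server.

```python
import smtplib

# Constructed sample EHLO reply, modelled on the telnet transcript in the thread.
SAMPLE_EHLO = """250-praetorian.entrophy-free.net Hello chaos.entrophy-free.net [10.1.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 50000000
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP"""

# These two send the password base64-encoded, i.e. in the clear on a non-TLS link.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Map each ESMTP keyword of a multi-line 250 reply to its (uppercased) parameters."""
    exts = {}
    for line in reply.strip().splitlines()[1:]:   # line 0 is the greeting, not a keyword
        if line[:3] != "250":
            continue
        parts = line[4:].split()                  # strip the "250-" / "250 " prefix
        if parts:
            exts[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return exts


def advertised_mechs(reply, auth_options, tls_active):
    """AUTH mechanisms sendmail advertises for the given confAUTH_OPTIONS string.
    With the 'p' flag set, PLAIN and LOGIN are withheld until STARTTLS is active."""
    mechs = set(parse_ehlo(reply).get("AUTH", []))
    if "p" in auth_options.replace(",", " ").split() and not tls_active:
        mechs -= PLAINTEXT_MECHS
    return mechs


def pick_mech(server_mechs, client_mechs):
    """First mechanism, in the client's order of preference, that the server also offers."""
    for mech in client_mechs:
        if mech.upper() in server_mechs:
            return mech.upper()
    return None                                  # nothing in common: AUTH cannot even start


def probe(host, port=25):
    """Live check against your own server: the AUTH mechanisms it offers before STARTTLS."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        return smtp.esmtp_features.get("auth", "").split()
```

With `A p` and no TLS, `pick_mech(..., ["LOGIN"])` returns None, which is exactly the state in which the client never sends AUTH and the relay is judged on IP alone.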
 
LVL 1

Author Comment

by:navigator010897
ID: 10698809
omg, it just sent.

The problem was with:
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

I changed it to:

define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Thank you much, I knew it had to be something simple I was overlooking.

0
 
LVL 40

Expert Comment

by:jlevie
ID: 10698827
The problem was that your Outlook client can only do LOGIN as an auth method and you'd explicitly told Sendmail not to offer either of the insecure methods (PLAIN & LOGIN) unless the connection was made using a TLS encrypted session.
0
 
LVL 1

Author Comment

by:navigator010897
ID: 10698935
Weird, I figured having "login using secure password authentication" checked would make it use some sort of encryption....  well, that's annoying.  I'm testing the system with OE 6.x; you'd think it would offer encryption capabilities.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 10699027
The server has to be configured for TLS encryption before an Out-of-luck client can use a secure session, as far as I know since it only supports the LOGIN method. Other email clients (Evolution, recent versions of Mozilla or Netscape) can use DIGEST-MD5 or CRAM-MD5 for secure authentication outside of a TLS data stream.
0
 
LVL 1

Author Comment

by:navigator010897
ID: 10699108
Yeah, I'd do that if I could - unfortunately, I don't have enough swing with those in power to get them to change email client ;)

I was working on the TLS encryption, unfortunately, I might have to pull teeth to get a little funding to get a signed cert - doing our own signing certificate wouldn't be a big deal to me, but it seems that the client keeps complaining about it.  I tried adding the CA cert to the client trusted root certs, but it still complained (something along the lines of the names not matching, not sure if I generated the certificate wrong, or I imported the wrong file into the trusted certs DB).

0
 
LVL 40

Expert Comment

by:jlevie
ID: 10699549
I've never tried to use a self-signed cert with Sendmail, but I don't see why it wouldn't work if it was correctly generated. Whether an m$ client will accept it is another issue. If you poke around on the OpenSSL site there's a couple of tools that can be used to create a self-signed root CA and certs generated from it.
0