Solved

Sendmail SMTP configuration question

Posted on 2004-03-25
Last Modified: 2012-05-04
Hi All,

Ok, I'm trying to secure up sendmail's relaying capability.

Here's what I want to do:

Have local users on the network be able to send email thru my email server.

Have remote users on other networks that have local email addresses send email thru my server.  - Remote users must use username/password to be able to have email relayed thru my email server.  Most remote clients will be using Outlook Express, a few using Outlook 2000.

Problem:  I can't get it to work right.  I have sasl installed, and have added a dummy user to the database named tom.  He can pop his email, but he can't send email thru outlook express on an external network.  It comes up prompting for a username and password, but all I get are failures...

here is the error I'm getting in my messages:

Mar 25 10:41:33 mail saslauthd[30740]: do_auth         : auth failure: [user=tom] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

here are the relevant lines in sendmail.mc...

define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #

I know I am fairly close to the solution, but I am just doing something simple wrong.  Any help would be most appreciated.

On a side note - I'm also having to come into sendmail's SMTP via port 587 on my client instead of 25; I don't know why, but it won't respond on port 25 to external hosts at all.  I know the firewall isn't blocking it, I've checked several times.

Thanks in advance.
Question by:navigator010897
13 Comments
 
LVL 8

Expert Comment

by:da99rmd
> On a side note - I'm also having to come into sendmail's smtp vi port 587 on my client instead of 25, I don't know why but it won't respond on port 25 to external hosts at all.

Is this to send mail or to receive mail?
 
LVL 40

Expert Comment

by:jlevie
It would be most helpful to know what Linux you are using.

A common problem on a RedHat or Fedora system with Sendmail is if you fail to remove the localhost security restriction from /etc/mail/sendmail.mc by commenting out the line that reads:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

after that sendmail.cf must be rebuilt and sendmail restarted. Then check to be sure that Sendmail is listening on the machine's IP by trying a 'telnet mail-hostname 25' from another machine on the local LAN. If that works and you get an SMTP welcome banner you know that the mail server and sendmail are listening for connections. Next try the same from an Internet site. If you don't get the banner, either your local firewall needs tweaking or your ISP is blocking connections on 25/TCP.

It really isn't a good idea to use saslauthd as a mech if you have Internet users. That limits the authentication method to PLAIN or LOGIN and thus exposes the user's password to anyone that can sniff the traffic. For security PLAIN & LOGIN should only be used within an encrypted connection. As far as Sendmail is concerned you can change /usr/lib/sasl/Sendmail.conf to use auxprop instead of saslauthd and create user auth information for each user with saslpasswd2. Then you can tell Sendmail to only offer DIGEST-MD5 or CRAM-MD5. Most modern email clients support those.

The same issue arises with POP or IMAP if you aren't using the Cyrus or Courier IMAP server. UW-IMAP can only authenticate against the system passwd/shadow files and that exposes the plaintext password to a sniffer. Cyrus & Courier can be configured to use sasldb via auxprop and be restricted to the secure methods. Otherwise you should only offer POP or IMAP via an encrypted connection.
 
LVL 1

Author Comment

by:navigator010897
Well, I'm still having a problem.

I am using Fedora version of redhat.

The daemon setting about 127.0.0.1 I had already taken care of - I am pretty sure right now that there is a firewall somewhere between this box and the net that is causing a problem with regard to port 25, so I'll have to deal with that part on Monday.

I am still having trouble with the authentication tho for outbound email.

In outlook express, I get the standard:

The message could not be sent because the server rejected the sender's e-mail address. Protocol: SMTP, Server Response: '530 5.7.0 Authentication required', Port: 587, Secure(SSL): No, Server Error: 530, Error Number: 0x800CCC78

I have tried adjusting the Sendmail.conf file - but I could only find it in the sasl2 directory under /usr/lib, not the sasl directory.

Also, do I need to run another daemon for auxprop, or how does it work?

I'm also not sure if I'm sending the correct command line entries to saslpasswd2...

I'm creating a test user with:

saslpasswd2 -c tom

But I am also not sure if sendmail is querying auxprop....
 
LVL 1

Author Comment

by:navigator010897
I was wondering if the problem was related to what machines are allowed to relay?  Since we want remote clients to be able to send mail even if they are on different ip addresses, we want to make sure relaying is restricted to user/pw authentication..  
 
LVL 40

Expert Comment

by:jlevie
Typo on my part... I meant /usr/lib/sasl2/Sendmail.conf. No extra daemon is needed for auxprop, just the SASL2 db that has had entries created with saslpasswd2.

For the moment I'd suggest switching sendmail back to the standard SMTP port. I'm not sure if using 587 might create a problem or not. Since you can't at the moment authenticate a remote user, it is of little importance that something is blocking inbound connections on port 25. And since that has to be solved before you can receive mail from Internet sites I see no reason to even try 587.

One thing that can cause problems with SMTP AUTH is if the networking config doesn't follow Unix, as opposed to RedHat, conventions. The hostname of the machine must be the FQDN and be set that way in /etc/sysconfig/network (HOSTNAME=my-mail.my-domain.tld) and the hosts file has to look like:

127.0.0.1         localhost.localdomain localhost
123.4.5.6         my-mail.my-domain.tld  my-mail

The hostname can't change after sendmail starts or there'll be problems. You can check to see that sendmail is using the correct hostname by 'telnet localhost 25' and noting what it claims its hostname is. Typing "HELO my-mail.my-domain.tld" will show you what options, including the list of AUTH methods, your sendmail is offering. After verifying that the hostname sendmail is using is correct, check the SASL DB for the correct auth info by executing "sasldblistusers". You should see "user@my-mail.mydomain.tld: userPassword" entries. If the hostname in the sasldblistusers2 output doesn't match the hostname sendmail is using you won't be able to authenticate.

It won't hurt and may help to make /etc/sasldb be owned by root, group mail to ensure that Sendmail can read the sasldb.
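As an added illustration of two points made in the answers above (why PLAIN/LOGIN hand the password to anyone sniffing the link, and why the realm stored in sasldb has to match the hostname sendmail runs with), here is a small Python model of the client and server halves of AUTH PLAIN, AUTH LOGIN and AUTH CRAM-MD5. This is example code written for this page, not code from the thread or from Sendmail/Cyrus SASL; the user, password, realm, challenge strings and the sasldb stand-in are all constructed.

```python
# Added example (not code from the thread): what a sniffer gets from each SASL
# mechanism discussed above, and how a server backed by sasldb/auxprop checks a
# CRAM-MD5 response.  Wire formats follow RFC 4616 (PLAIN) and RFC 2195 (CRAM-MD5).
# Every user, password, realm and challenge below is constructed for the example.
import base64
import hashlib
import hmac
import secrets
import time

USER = "tom"                   # constructed
PASSWORD = "s3cret-pass"       # constructed
REALM = "mail.mydomain.tld"    # constructed; must equal the hostname sendmail uses

# Constructed stand-in for what `sasldblistusers2` lists plus the secrets behind it.
# Keys are "user@realm"; auxprop keeps the plaintext password because the
# challenge/response mechanisms can only be verified from the plaintext.
SASLDB = {USER + "@" + REALM: PASSWORD}


def wire_bytes(line):
    """Decode one base64 line exactly as a sniffer would after capturing it."""
    return base64.b64decode(line)


def plain_initial_response(user, password, authzid=""):
    """Client line after 'AUTH PLAIN': base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(("%s\0%s\0%s" % (authzid, user, password)).encode()).decode()


def login_responses(user, password):
    """AUTH LOGIN: the two base64 lines answering 'Username:' and 'Password:'."""
    return [base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def sniffer_recovers_plain(line):
    """Whoever captured the PLAIN line decodes it and holds the password."""
    _authzid, authcid, password = wire_bytes(line).split(b"\0", 2)
    return authcid.decode(), password.decode()


def new_challenge(host):
    """Server challenge in the shape CRAM-MD5 servers use: '<unique.time@host>'.
    Real servers use pid.timestamp; a random token is used here so two challenges
    made in the same second never collide."""
    return "<%s.%d@%s>" % (secrets.token_hex(4), int(time.time()), host)


def cram_md5_response(user, password, challenge):
    """Client reply: base64('user ' + hex(HMAC-MD5(key=password, msg=challenge))).
    The password never crosses the wire, only a keyed digest of a one-time value."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (user, digest)).encode()).decode()


def server_verify_cram_md5(response, challenge, sasldb, realm):
    """Server side: look up 'user@realm' (a realm/hostname mismatch fails here),
    recompute the HMAC from the stored plaintext, compare in constant time."""
    user, _sep, digest = wire_bytes(response).decode().partition(" ")
    stored = sasldb.get(user + "@" + realm)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    plain = plain_initial_response(USER, PASSWORD)
    print("AUTH PLAIN line:", plain, "-> sniffer gets", sniffer_recovers_plain(plain))
    print("AUTH LOGIN lines:", login_responses(USER, PASSWORD))
    chal = new_challenge(REALM)
    resp = cram_md5_response(USER, PASSWORD, chal)
    print("AUTH CRAM-MD5 line:", resp, "-> password on wire?", PASSWORD.encode() in wire_bytes(resp))
    print("verify, matching realm:", server_verify_cram_md5(resp, chal, SASLDB, REALM))
    print("verify, wrong realm:   ", server_verify_cram_md5(resp, chal, SASLDB, "mail"))
    print("replay vs new challenge:", server_verify_cram_md5(resp, new_challenge(REALM), SASLDB, REALM))
```

Run it and the PLAIN and LOGIN lines base64-decode straight back to the password, while the CRAM-MD5 line carries only an HMAC of a one-time challenge; the same response replayed against a fresh challenge, or looked up under the wrong realm, fails. CRAM-MD5 protects the password on the wire but nothing else in the session, and because the server has to keep the plaintext password to verify it, the sasldb file needs the tight ownership mentioned above.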
 
LVL 1

Author Comment

by:navigator010897
Ok, I found my mistake on the port 25.

I am currently working from home on my own t1, and my firewall with regard to this particular computer blocks port 25 traffic to all but one specific server to handle my email, I changed it to access this other server, and that solved that problem.

I have new data though with regard to my problem - it's almost appearing as if it isn't authenticating - it is just refusing to relay based upon my IP address - which in most cases would be fine for security, but I need it to pay attention to the authenticated username / password for relaying.    The error from an OE client now looks like...

Protocol: SMTP, Server Response: '550 5.7.1 <tony@anotherdomain.tld>... Relaying denied. IP name lookup failed [65.171.152.134]', Port: 25, Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC79

I don't see why it won't authenticate.  Here is what is showing in my maillog...

Mar 27 18:27:11 mail sendmail[2860]: i2S0RBXr002860: ruleset=check_rcpt, arg1=<tony@anotherdomain.tld>, relay=[65.171.152.134], reject=550 5.7.1 <tony@anotherdomain.tld>... Relaying denied. IP name lookup failed [65.171.152.134]
Mar 27 18:27:11 mail sendmail[2860]: i2S0RBXr002860: from=<tom@mydomain.tld>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[65.171.152.134]

It doesn't seem to test at all.
 
LVL 40

Accepted Solution

by:
jlevie earned 250 total points
Protocol: SMTP, Server Response: '550 5.7.1 <tony@anotherdomain.tld>... Relaying denied. IP name lookup failed [65.171.152.134]', Port: 25, Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC79

That says to me that authentication isn't being attempted. How about trying the telnet test to see if AUTH methods are being offered? On my mail server it looks like:

chaos> telnet praetorian.entrophy-free.net 25
Trying 10.1.0.254...
Connected to praetorian.entrophy-free.net.
Escape character is '^]'.
220 praetorian.entrophy-free.net ESMTP Sendmail 8.12.10/8.12.10; Sat, 27 Mar 2004 19:15:17 -0600
EHLO chaos.entrophy-free.net
250-praetorian.entrophy-free.net Hello chaos.entrophy-free.net [10.1.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 50000000
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
QUIT
                                                                               
And the relevant portion of sendmail.mc looks like:
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

There's no point in including EXTERNAL or GSSAPI using auxprop and sasldb and having them present can confuse some clients. The auth mech in /usr/lib/sasl2/Sendmail.conf looks like:

pwcheck_method: auxprop

And sasldblistusers2 returns entries like:

jim@praetorian.entrophy-free.net: userPassword
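To make the cause concrete, here is an added Python model (not code from the thread, from Sendmail or from any mail client) of what happens between the AUTH line in the session above and the client: it parses that EHLO reply the way an MUA does, applies the `p` flag of confAUTH_OPTIONS (hide PLAIN and LOGIN unless the session is TLS-protected), lets the client pick a mechanism, and reports what the relay check then does. The Outlook Express capability list (LOGIN only) is as reported later in the thread; the second client list and the simplified relay rule (a remote IP relays only after AUTH) are assumptions made for the example.

```python
# Added example (not code from the thread): EHLO parsing, the effect of the `p`
# flag in confAUTH_OPTIONS on what is advertised, and why a LOGIN-only client
# never even tries AUTH against an `A p` server on a cleartext session.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# EHLO reply as shown in the telnet session above.
EHLO_REPLY = """250-praetorian.entrophy-free.net Hello chaos.entrophy-free.net [10.1.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 50000000
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP"""

# Assumed client capabilities, in the client's own preference order:
# Outlook Express as the thread reports it (LOGIN only), and a generic
# SASL-capable MUA that prefers challenge/response mechanisms.
OUTLOOK_EXPRESS = ["LOGIN"]
SASL_MUA = ["DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply.
    The first line is the greeting and carries no keyword; the last line
    must use '250 ' (space) to close the reply."""
    lines = reply.splitlines()
    if not lines or not lines[-1].startswith("250 "):
        raise ValueError("EHLO reply not terminated by a '250 ' line")
    caps = {}
    for line in lines[1:]:
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError("malformed EHLO line: %r" % line)
        keyword, *params = line[4:].split()
        caps[keyword.upper()] = params
    return caps


def offered_mechs(configured, auth_options, tls_active):
    """What the AUTH= line advertises: confAUTH_MECHANISMS, minus PLAIN/LOGIN
    when confAUTH_OPTIONS contains `p` and the session is not TLS-protected."""
    if "p" in auth_options and not tls_active:
        return [m for m in configured if m not in PLAINTEXT_MECHS]
    return list(configured)


def choose_mech(server_mechs, client_mechs):
    """Client picks its first preferred mechanism the server also offers.
    None means it has nothing to try, so it sends MAIL FROM without AUTH."""
    return next((m for m in client_mechs if m in server_mechs), None)


def relay_outcome(configured, auth_options, tls_active, client_mechs):
    """Model the thread's end state: a remote IP that is not in access.db may
    relay only after AUTH.  Returns (mech or None, verdict, password_exposed)."""
    mech = choose_mech(offered_mechs(configured, auth_options, tls_active), client_mechs)
    if mech is None:
        return None, "550 5.7.1 Relaying denied", False
    return mech, "relay after AUTH", (mech in PLAINTEXT_MECHS and not tls_active)


if __name__ == "__main__":
    advertised = parse_ehlo(EHLO_REPLY)["AUTH"]
    print("server AUTH line:", advertised, "| STARTTLS offered:", "STARTTLS" in parse_ehlo(EHLO_REPLY))
    for opts, tls, client, label in [
        ("A p", False, OUTLOOK_EXPRESS, "A p, cleartext, Outlook Express"),
        ("A",   False, OUTLOOK_EXPRESS, "A,   cleartext, Outlook Express"),
        ("A p", True,  OUTLOOK_EXPRESS, "A p, TLS,       Outlook Express"),
        ("A p", False, SASL_MUA,        "A p, cleartext, SASL-capable MUA"),
    ]:
        print("%-34s -> %s" % (label, relay_outcome(advertised, opts, tls, client)))
```

With `A p` and no STARTTLS the server advertises only DIGEST-MD5 and CRAM-MD5; Outlook Express finds nothing it can use and issues MAIL FROM unauthenticated, so check_rcpt answers 550 Relaying denied rather than an AUTH failure, which is exactly what the maillog above shows. Dropping `p` makes it work but puts the password on the wire in base64; the configuration that is both working and safe keeps `p` and adds STARTTLS so LOGIN is offered only once the session is encrypted.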
 
LVL 1

Author Comment

by:navigator010897
omg, it just sent.

The problem was with:
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

I changed it to:

define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Thank you much, I knew it had to be something simple I was overlooking.

 
LVL 40

Expert Comment

by:jlevie
The problem was that your Outlook client can only do LOGIN as an auth method and you'd explicitly told Sendmail not to offer either of the insecure methods (PLAIN & LOGIN) unless the connection was made using a TLS encrypted session.
 
LVL 1

Author Comment

by:navigator010897
Weird, I figured having "log on using secure password authentication" checked would make it use some sort of encryption....  well, that's annoying.  I'm testing the system with OE 6.x; you'd think it would offer encryption capabilities.
 
LVL 40

Expert Comment

by:jlevie
The server has to be configured for TLS encryption before an Out-of-luck client can use a secure session, as far as I know, since it only supports the LOGIN method. Other email clients (Evolution, recent versions of Mozilla or Netscape) can use DIGEST-MD5 or CRAM-MD5 for secure authentication outside of a TLS data stream.
 
LVL 1

Author Comment

by:navigator010897
Comment Utility
Yeah, I'd do that if I could - unfortunately, I don't have enough swing with those in power to get them to change email client ;)

I was working on the TLS encryption; unfortunately, I might have to pull teeth to get a little funding to get a signed cert - doing our own signing certificate wouldn't be a big deal to me, but it seems that the client keeps complaining about it.  I tried adding the CA cert to the client's trusted root certs, but it still complained (something along the lines of the names not matching; not sure if I generated the certificate wrong, or imported the wrong file into the trusted certs DB).

 
LVL 40

Expert Comment

by:jlevie
I've never tried to use a self-signed cert with Sendmail, but I don't see why it wouldn't work if it was correctly generated. Whether an m$ client will accept it is another issue. If you poke around on the OpenSSL site there are a couple of tools that can be used to create a self-signed root CA and certs generated from it.
