Sendmail Authentication

From: Gerry Doris

Date: Monday, 18 March 2002 3:55 PM

The following are some instructions I pulled together for another list to help some Yahoo folks get authentication working.

SuSE includes instructions at the following url to add the authentication you want http://sdb.suse.de/en/sdb/html/sendmail_smtp_auth.html

Also, I got the following instructions from the Redhat list. This will enable several modes of authentication/encryption that you might find interesting. This allows your clients to authenticate with your sendmail server with something other than clear text.

***************

Please see the following instructions for setting up authentication with sendmail. This will allow LOGIN PLAIN to be authenticated using PAM. While not the greatest (clear text) it works for win clients by just checking their "server requires authentication" box and uses PAM for authentication with user id/password. pine clients can authenticate by adding "/user=userid" (userid is your real id) after the smtp server.

pine will automatically pick the best level of authentication. If you want to use SASL encryption then check out the following link. http://lists.suse.com/archive/suse-security/2001-Dec/0294.html

******************

This is from Rodolfo J. Paiz

The following are basic instructions on enabling SMTP AUTH on a late-model server. These instructions have been tested with Red Hat Linux 7.0 and 7.2, using sendmail versions 8.11.0 through 8.11.6 obtained in RPM form from Red Hat updates.

They *should* work; however, if they don't, I will *ONLY* attempt to help people resolve issues with SMTP AUTH on redhat-list or enigma-list, so that everyone gets the benefit of the questions & answers. No questions in private email will be answered. Also, note that I am not an expert so I may not even know the answers.

Give me feedback and I might just post this on the Web so people can get at it more conveniently. Having said that...

1. Make sure all your clients are configured to authenticate to the mail server. They will not be able to send mail at all if they don't. Double-check; many people somehow check the wrong box.

   In Outlook or Outlook Express, in the section "Outgoing Mail" of each Internet Mail account, there is a checkbox labeled "My server requires authentication." Check that; the settings do not need to be changed since they are the same username/password they need to get mail.

   In Eudora, every Personality has a checkbox labeled "Authentication allowed". Eudora being somewhat more intelligent, this box is checked by default.

2. Make sure you are root. If you logged in as a normal user, make sure you became root using "su -" to get the full login environment. "su" alone misses some things.

3. Backup your sendmail.mc file by:

   # cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.bak

4. The file /etc/mail/sendmail.mc needs to contain the following three lines:

   define(`confAUTH_OPTIONS', `A')dnl
   TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
   define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
   

   Please note these are three lines only, be careful of the word wrap. Also, those are *directed quotes* not normal quotes. The left directed quote is< typed with the backtick or "accent grave" key (for those French among us), and the right directed quote is typed with the apostrophe.

5. Backup the /etc/sendmail.cf (the file sendmail actually uses to run) by:

   # cp /etc/sendmail.cf /etc/sendmail.cf.bak
   

6. Generate a new sendmail.cf file:

   # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
   

7. Copy your new sendmail.cf file over the old one:

   # cp /etc/mail/sendmail.cf /etc/sendmail.cf
   Overwrite /etc/sendmail.cf? y
   

8. Verify that you have an /etc/pam.d/smtp file with the following contents:

   #%PAM-1.0
   auth       required     /lib/security/pam_stack.so service=system-auth
   account    required     /lib/security/pam_stack.so service=system-auth
   

9. Verify that you have a /usr/lib/sasl/Sendmail.conf file with the following contents:

   pwcheck_method:pam
   

10. Test that sendmail has correctly configured AUTH. Since you do not yet have any encrypted authentication mechanisms available, the only ones shown when you issue an EHLO command should be LOGIN and PLAIN.

    # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.<
    220 dude.com ESMTP Sendmail 8.11.6/8.11.6; Tue, 29 Jan 2002 07:24:49 -0600
    ehlo localhost
    250-dude.com Hello dude.com [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ONEX
    250-ETRN
    250-XUSR
    250-AUTH LOGIN PLAIN
    250 HELP
    quit
    221 2.0.0 dude.com closing connection
    Connection closed by foreign host.
    

11. Test removing all relaying in the access map at 2:00 AM then trying to send mail. Do this by backing up your current /etc/mail/access and using something like this:

    # Check the /usr/share/doc/sendmail-8.11.6/README.cf file for a description
    # of the format of this file. (search for access_db in that file)
    # The /usr/share/doc/sendmail-8.11.6/README.cf is part of the sendmail-doc
    # package.
    #
    # by default we allow relaying from localhost...
    localhost.localdomain           RELAY
    localhost                       RELAY
    127.0.0.1                       RELAY
    

12. Ensure that your file /etc/mail/relay-domains contains *only* the domains you host.

13. Ensure that your sendmail.mc does not enable relaying in funny forms like "accept unresolvable domains", "relay by domain", or any of that crap. An example (complete) sendmail.mc which is relay-safe is included here:

    divert(-1)
    dnl This is the sendmail macro config file. If you make changes to this file,
    dnl you need the sendmail-cf rpm installed and then have to generate a
    dnl new /etc/sendmail.cf by running the following command:
    dnl
    dnl        m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
    dnl
    include(`/usr/share/sendmail-cf/m4/cf.m4')
    VERSIONID(`linux setup for Red Hat Linux')dnl
    OSTYPE(`linux')
    define(`confDEF_USER_ID',``8:12'')dnl
    undefine(`UUCP_RELAY')dnl
    undefine(`BITNET_RELAY')dnl
    define(`confAUTO_REBUILD')dnl
    define(`confTO_CONNECT', `1m')dnl
    define(`confTRY_NULL_MX_LIST',true)dnl
    define(`confDONT_PROBE_INTERFACES',true)dnl
    define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
    define(`ALIAS_FILE', `/etc/aliases')dnl
    dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
    define(`UUCP_MAILER_MAX', `2000000')dnl
    define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
    define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    dnl define(`confTO_QUEUEWARN', `4h')dnl
    dnl define(`confTO_QUEUERETURN', `5d')dnl
    dnl define(`confQUEUE_LA', `12')dnl
    dnl define(`confREFUSE_LA', `18')dnl
    dnl FEATURE(delay_checks)dnl
    FEATURE(`no_default_msa',`dnl')dnl
    FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
    FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
    FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
    FEATURE(redirect)dnl
    FEATURE(always_add_domain)dnl
    FEATURE(use_cw_file)dnl
    FEATURE(use_ct_file)dnl
    FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
    FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
    FEATURE(`blacklist_recipients')dnl
    EXPOSED_USER(`root')dnl
    dnl Change sendmail to only listen on the loopback interface and
    dnl the internal network interface; never accept outside traffic.
    dnl Add "dnl" to both DAEMON_OPTIONS lines to accept mail from
    dnl all network interfaces.
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=192.168.0.1, Name=MTA')
    dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
    dnl       a kernel patch
    dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
    dnl We strongly recommend to comment this one out if you want to protect
    dnl yourself from spam. However, the laptop and users on computers that do
    dnl not have 24x7 DNS do need this.
    dnl FEATURE(`accept_unresolvable_domains')dnl
    dnl FEATURE(`relay_based_on_MX')dnl
    MAILER(smtp)dnl
    MAILER(procmai)dnl
    Cwlocalhost.localdomain
    

14. Hover anxiously over the server for a couple of days and check for "Relaying denied" errors. Track them down aggressively as most will be your own customers. :) Fix their mail client configurations which they didn't fix before when you told them to.

15. Get some sleep.

Search