SMTP AUTH HOWTO


Captain Dondo

Apr 2, 2005, 10:34:56 AM
I want to configure sendmail to require SMTP AUTH for any relay attempt
coming from the outside (i.e. not from 192.168.*) but to allow traffic
without authentication for any connection originating on the inside. I
want to allow inbound connections to my domains without authentication.

So, I have three conditions:

Traffic from outside to my domains, accept without authentication
Traffic from outside to outside (relay), require authentication
Traffic from inside to outside, accept without authentication

I've read the docs, but I can't quite figure out where to start.

I have 8.13.2 compiled with SASLv2, I am requiring authentication, but I
am stuck.

I would appreciate any pointers to existing docs on the web.... I've read
the <http://www.sendmail.org/~ca/email/auth.html> but I can't figure out
how to do what I need to do...

TIA,

--Yan

--
use munged address above to email me
SpamTrap DoM...@seiner.com

Per Hedeland

Apr 2, 2005, 1:21:23 PM
In article <pan.2005.04.02....@NsOeSiPnAeMr.com> Captain
Dondo <y...@NsOeSiPnAeMr.com> writes:
>I want to configure sendmail to require SMTP AUTH for any relay attempt
>coming from the outside (i.e. not from 192.168.*) but to allow traffic
>without authentication for any connection originating on the inside. I
>want to allow inbound connections to my domains without authentication.
>
>So, I have three conditions:
>
>Traffic from outside to my domains, accept without authentication
>Traffic from outside to outside (relay), require authentication
>Traffic from inside to outside, accept without authentication

This is basically the default, as long as you set things up to allow
"inside to outside" (which is also relaying) without authentication -
e.g. by putting your internal IP addresses in access db with RELAY.
There's no need to specifically "require" authentication, relaying is
denied by default, but allowed (by default) if the client has
authenticated.

--Per Hedeland
p...@hedeland.org

Captain Dondo

Apr 2, 2005, 3:25:28 PM
On Sat, 02 Apr 2005 18:21:23 +0000, Per Hedeland wrote:

>>Traffic from outside to my domains, accept without authentication
>>Traffic from outside to outside (relay), require authentication
>>Traffic from inside to outside, accept without authentication
>
> This is basically the default, as long as you set things up to allow
> "inside to outside" (which is also relaying) without authentication -
> e.g. by putting your internal IP addresses in access db with RELAY.
> There's no need to specifically "require" authentication, relaying is
> denied by default, but allowed (by default) if the client has
> authenticated.

Then I must have something really screwed up.

Here's what happens when I try to send mail out:

Apr 2 11:23:43 tooth sm-mta[24822]: unable to open Berkeley db /etc/sasldb2: No such file or directory
Apr 2 11:23:43 tooth sm-mta[24822]: unable to open Berkeley db /etc/sasldb2: No such file or directory
Apr 2 11:23:43 tooth sm-mta[24822]: no secret in database
Apr 2 11:23:43 tooth sm-mta[24822]: unknown password verifier
Apr 2 11:23:43 tooth sm-mta[24822]: Password verification failed
Apr 2 11:23:43 tooth sm-mta[24822]: unknown password verifier

and the send fails. I get asked for a password, but no authentication
takes place.

I have in my access.db:

seiner.com RELAY
flatoutfitness.com RELAY

which are my two domains.

My .mc file has the following entries:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN PAM')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN PAM')dnl

and my sasl sendmail.conf file has

[root@tooth mail]# cat /usr/lib/sasl2/sendmail.conf
pwcheck_method:pam

I've also tried sasldb2 but that failed as well....

All the checks for sendmail check out:
sendmail -d0.1 -bv root
Version 8.13.2
Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2 SCANF USERDB
XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = tooth
(canonical domain name) $j = tooth.seiner.lan
(subdomain name) $m = seiner.lan
(node name) $k = tooth.seiner.lan
========================================================

yan... deliverable: mailer local, user yan
[root@tooth mail]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 tooth.seiner.lan ESMTP Sendmail 8.13.2/8.13.2; Sat, 2 Apr 2005 11:24:38 -0800
ehlo localhost
250-tooth.seiner.lan Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 tooth.seiner.lan closing connection

and saslauthd is running. But obviously I am missing something.

Ingo Freund

Apr 2, 2005, 3:51:12 PM
Captain Dondo wrote:

> On Sat, 02 Apr 2005 18:21:23 +0000, Per Hedeland wrote:
>
>
>>>Traffic from outside to my domains, accept without authentication
>>>Traffic from outside to outside (relay), require authentication
>>>Traffic from inside to outside, accept without authentication
>>
>>This is basically the default, as long as you set things up to allow
>>"inside to outside" (which is also relaying) without authentication -
>>e.g. by putting your internal IP addresses in access db with RELAY.
>>There's no need to specifically "require" authentication, relaying is
>>denied by default, but allowed (by default) if the client has
>>authenticated.
>
>
> Then I must have something really screwed up.
>
> Here's what happens when I try to send mail out:
>

here is your problem:


> Apr 2 11:23:43 tooth sm-mta[24822]: unable to open Berkeley db /etc/sasldb2: No such file or directory
> Apr 2 11:23:43 tooth sm-mta[24822]: unable to open Berkeley db /etc/sasldb2: No such file or directory

[...]


>
> and saslauthd is running. But obviously I am missing something.
>

have a good look into the man pages and use "saslpasswd2" to create the sasl password file

-Ingo.

Alexander Dalloz

Apr 2, 2005, 3:53:39 PM
On Sat, 02 Apr 2005 12:25:28 -0800 Captain Dondo wrote:

> and my sasl sendmail.conf file has

It is Sendmail.conf.



> [root@tooth mail]# cat /usr/lib/sasl2/sendmail.conf
> pwcheck_method:pam

It can only either be "saslauthd" or "sasldb".

Alexander


--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.771_FC2smp
Serendipity 22:52:37 up 3 days, 20:19, load average: 0.41, 0.47, 0.44

Captain Dondo

Apr 2, 2005, 6:53:23 PM
On Sat, 02 Apr 2005 22:51:12 +0200, Ingo Freund wrote:

>> and saslauthd is running. But obviously I am missing something.
>>
> have a good look into the man pages and use "saslpasswd2" to create the sasl password file
>
> -Ingo.

Thanks everyone.

I was trying to authenticate against pam so that I wouldn't have to
maintain a separate user password file in sasldb2.

I got it mostly working, except that pam was failing authentication.

Here's the solution:

PAM may fail to authenticate even if the user
is known to the system if PAM fails to find the service
configuration file in /etc/pam.d. Service configuration files are not
required by PAM, if it does not find a service configuration file it
will default to "other". Since PAM does not consider the absence of a
service configuration file a problem it does not log anything nor does
it return an error to the calling application. In other words it is
completely silent about the fact it did not find a service
configuration file. On Red Hat system the default implementation of
"other" for PAM is to deny access. This means on Red Hat systems the
absence of a PAM service configuration file will mean PAM will
silently fail authentication.

So, I created a smtp.sendmail file with the appropriate stuff in it,
symlinked it to /etc/pam.d/smtp, and bingo, PAM authentication is working.

I'd still like to know why sendmail is requiring authentication for local
users sending mail out, but that's a relatively minor issue. I'll test
from off-site Monday to see if it will relay after authentication.

Is there a web site somewhere that will test for an open relay on your
system? I want to make sure I'm still locked down after all these changes.

--Yan
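Two of the faults in this thread are purely on the SASL side: Alexander's point that the application config is Sendmail.conf (capital S) and that pwcheck_method cannot be "pam", and Yan's finding that a missing /etc/pam.d/smtp makes PAM fall back silently to "other", which denies on Red Hat. The script below is an added example, not code from the thread or from Cyrus SASL; it audits those three conditions. File names and the "smtp" service name are the ones the thread uses, "auxprop" is added as Cyrus SASL v2's name for the sasldb lookup, and the config trees it inspects are constructed in a temp directory so it runs anywhere.

```python
"""Added example, not code from the thread: an offline audit of the two
SASL-side faults found above -- the Cyrus SASL application config for
sendmail and the PAM service file that saslauthd ends up using. Names and
paths are the ones the thread mentions; the config trees are constructed
in a temp dir so the script runs anywhere. Point audit() at
/usr/lib/sasl2 and /etc/pam.d on a real host."""
import os
import tempfile

# pwcheck_method values the thread calls valid (saslauthd, sasldb) plus
# "auxprop", Cyrus SASL v2's name for the in-library sasldb lookup.
VALID_PWCHECK = {"saslauthd", "sasldb", "auxprop"}
# A constructed "other" stack like Red Hat's default: deny everything.
OTHER_DENY = "auth     required  pam_deny.so\naccount  required  pam_deny.so\n"
# A constructed service file that lets a known system user through.
SMTP_OK = "auth     required  pam_unix.so\naccount  required  pam_unix.so\n"


def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines into a dict; '#' comments ignored."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts


def pam_auth_denies(text):
    """True if the 'auth' stack of a PAM service file contains pam_deny."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "auth" and parts[2].startswith("pam_deny"):
            return True
    return False


def audit(sasl_dir, pam_dir, service="smtp"):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    conf = os.path.join(sasl_dir, "Sendmail.conf")
    lower = os.path.join(sasl_dir, "sendmail.conf")
    if not os.path.exists(conf) and os.path.exists(lower):
        findings.append("found sendmail.conf, but SASL reads Sendmail.conf (case-sensitive)")
        conf = lower  # still inspect what is there
    if not os.path.exists(conf):
        findings.append("no Sendmail.conf in " + sasl_dir)
    else:
        with open(conf) as fh:
            method = parse_sasl_conf(fh.read()).get("pwcheck_method")
        if method not in VALID_PWCHECK:
            findings.append(f"pwcheck_method {method!r} is not one of {sorted(VALID_PWCHECK)}")
    # PAM: a missing service file silently falls back to "other", and on a
    # Red Hat style system "other" denies, so the failure is invisible in logs.
    if not os.path.exists(os.path.join(pam_dir, service)):
        msg = f"no {service} file in {pam_dir}; PAM falls back to 'other'"
        other = os.path.join(pam_dir, "other")
        if os.path.exists(other):
            with open(other) as fh:
                if pam_auth_denies(fh.read()):
                    msg += ", which denies auth (silently)"
        findings.append(msg)
    return findings


def build_fixture(root, broken):
    """Write a constructed config tree under root; return (sasl_dir, pam_dir)."""
    sasl_dir = os.path.join(root, "sasl2")
    pam_dir = os.path.join(root, "pam.d")
    os.makedirs(sasl_dir)
    os.makedirs(pam_dir)
    with open(os.path.join(pam_dir, "other"), "w") as fh:
        fh.write(OTHER_DENY)
    if broken:  # the state the thread started from
        with open(os.path.join(sasl_dir, "sendmail.conf"), "w") as fh:
            fh.write("pwcheck_method:pam\n")
    else:       # the state it ended in: saslauthd (run with -a pam) plus a PAM service file
        with open(os.path.join(sasl_dir, "Sendmail.conf"), "w") as fh:
            fh.write("pwcheck_method: saslauthd\n")
        with open(os.path.join(pam_dir, "smtp"), "w") as fh:
            fh.write(SMTP_OK)
    return sasl_dir, pam_dir


def demo(broken):
    """Run audit() over a constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        return audit(*build_fixture(root, broken))


if __name__ == "__main__":
    for finding in demo(broken=True):
        print("broken:", finding)
    print("fixed:", demo(broken=False) or "no findings")
```

The PAM check is the one worth keeping around: because the fallback to "other" produces no log line, the only way to see it is to look for the service file yourself, which is exactly what the thread had to discover by hand.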

Per Hedeland

Apr 2, 2005, 9:12:21 PM
In article <pan.2005.04.02....@NsOeSiPnAeMr.com> Captain
Dondo <y...@NsOeSiPnAeMr.com> writes:
>On Sat, 02 Apr 2005 18:21:23 +0000, Per Hedeland wrote:
>
>>>Traffic from outside to my domains, accept without authentication
>>>Traffic from outside to outside (relay), require authentication
>>>Traffic from inside to outside, accept without authentication
>>
>> This is basically the default, as long as you set things up to allow
>> "inside to outside" (which is also relaying) without authentication -
>> e.g. by putting your internal IP addresses in access db with RELAY.
>> There's no need to specifically "require" authentication, relaying is
>> denied by default, but allowed (by default) if the client has
>> authenticated.
>
>Then I must have something really screwed up.

Well, of course I meant that it's the default *once you have
successfully set up SMTP AUTH*:-) - *it* is not set up by default.

--Per Hedeland
p...@hedeland.org

Per Hedeland

Apr 2, 2005, 9:24:15 PM
In article <pan.2005.04.02....@NsOeSiPnAeMr.com> Captain
Dondo <y...@NsOeSiPnAeMr.com> writes:
>
>I'd still like to know why sendmail is requiring authentication for local
>users sending mail out, but that's a relatively minor issue. I'll test
>from off-site Monday to see if it will relay after authentication.

Sendmail only requires authentication if you specifically configure it
that way, e.g. by using the 'a' modifier on DAEMON_OPTIONS. However
sendmail can't know "by itself" which your "local users" are, so it has
to be told *somehow*, otherwise the default of denying relaying will
take effect.

Successful authentication is one way for sendmail to be told, another is
for you to configure your local IP address ranges with RELAY in access
db. I believe you had just your domain names there - this can work too,
*if* the client IP addresses successfully (i.e. including forward-resolution
verification) resolve to names in that domain. Often it's
more convenient/reliable to use the actual IP addresses though, e.g.

Connect:192.168 RELAY

will allow all clients with an IP address of 192.168.x.x to relay,
without requiring authentication.

--Per Hedeland
p...@hedeland.org

Captain Dondo

Apr 2, 2005, 10:47:30 PM
On Sun, 03 Apr 2005 02:24:15 +0000, Per Hedeland wrote:

> Connect:192.168 RELAY
>
> will allow all clients with an IP address of 192.168.x.x to relay,
> without requiring authentication.

This is what I understood it to be, but clearly it is not working on my
system.....

I had

192.168. RELAY

in my access.db, and sendmail required authentication. I just tested that
with

Connect:192.168. RELAY

and sendmail still requires authentication....

I have no idea why.... Obviously, somewhere I have something set that
overrides the settings in access.db, but I'm not sure where or what.

Here's what I think are the relevant chunks of my .mc file:

define(`confAUTH_OPTIONS', `A')dnl


TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN PAM')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN PAM')dnl

FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl

Claus Aßmann

Apr 2, 2005, 11:06:13 PM
Captain Dondo wrote:

> 192.168. RELAY

Please read the fine documentation: cf/README
for the correct syntax.

> Connect:192.168. RELAY

> and sendmail still requires authentication....

Connect:192.168 RELAY

--
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
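Per's explanation of how sendmail decides to relay (local domain, authenticated client, or a Connect: RELAY entry) and Claus's correction of the key syntax (Connect:192.168, no trailing dot) can both be checked offline with a small model. The code below is an added example, not code from the thread or from sendmail itself. The lookup order is my reading of cf/README and is an assumption: an IP key is tried with trailing octets removed one at a time, a host or domain key with leading labels removed one at a time, and for each key the tagged form (Connect:key, To:key) before the untagged compatibility form. The access files, domains, and trusted mechanisms are taken from the thread (PAM is a password backend, not a SASL mechanism, so it is left out of the trusted set); the addresses are constructed.

```python
"""Added example, not code from the thread or from sendmail: a model of
how sendmail consults the access db when deciding whether to relay.
Shows why '192.168.' (trailing dot) never matches while 'Connect:192.168'
does, and checks the three cases from the original post."""

RELAY_DENIED = "550 5.7.1 Relaying denied"                # sendmail's reply when relaying is refused
LOCAL_DOMAINS = {"seiner.com", "flatoutfitness.com"}      # the poster's own domains
TRUSTED_MECHS = {"EXTERNAL", "DIGEST-MD5", "CRAM-MD5", "LOGIN", "PLAIN"}  # from TRUST_AUTH_MECH

# Constructed access source files: the poster's first attempt and the corrected one.
ACCESS_BROKEN = "Connect:192.168.   RELAY\n"
ACCESS_FIXED = "Connect:192.168    RELAY\nseiner.com         RELAY\n"


def parse_access(text):
    """Parse 'key  value' lines of an access source file into a dict
    (keys lower-cased, values upper-cased, comments and blanks skipped)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip().upper()
    return table


def ip_keys(addr):
    """'192.168.1.5' -> ['192.168.1.5', '192.168.1', '192.168', '192']"""
    octets = addr.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def name_keys(name):
    """'pc.seiner.com' -> ['pc.seiner.com', 'seiner.com', 'com']"""
    labels = name.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup(table, tag, keys):
    """Most-specific match: for each key try 'Tag:key', then the untagged key
    (assumed order, see the lead-in)."""
    for key in keys:
        for candidate in (f"{tag}:{key}", key):
            value = table.get(candidate.lower())
            if value is not None:
                return value
    return None


def relay_allowed(table, client_ip, rcpt_domain, auth_mech=None, client_name=None):
    """Decide one RCPT TO. Returns (allowed, reason)."""
    # 1. Mail addressed to one of our own domains is delivery, not relaying.
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return True, "local delivery"
    # 2. A client that authenticated with a trusted mechanism may relay.
    if auth_mech and auth_mech.upper() in TRUSTED_MECHS:
        return True, f"authenticated via {auth_mech.upper()}"
    # 3. Connect: RELAY for the client IP, then for its verified host name.
    if lookup(table, "Connect", ip_keys(client_ip)) == "RELAY":
        return True, "Connect: RELAY matched client IP"
    if client_name and lookup(table, "Connect", name_keys(client_name)) == "RELAY":
        return True, "Connect: RELAY matched client name"
    # 4. To: RELAY for the recipient domain (relaying *to* a domain we accept mail for).
    if lookup(table, "To", name_keys(rcpt_domain)) == "RELAY":
        return True, "To: RELAY matched recipient domain"
    return False, RELAY_DENIED


if __name__ == "__main__":
    for label, text in (("broken", ACCESS_BROKEN), ("fixed", ACCESS_FIXED)):
        print(label, "inside -> outside:", relay_allowed(parse_access(text), "192.168.1.5", "example.net"))
    fixed = parse_access(ACCESS_FIXED)
    print("outside -> local domain:", relay_allowed(fixed, "203.0.113.9", "seiner.com"))
    print("outside -> outside, no auth:", relay_allowed(fixed, "203.0.113.9", "example.net"))
    print("outside -> outside, PLAIN:", relay_allowed(fixed, "203.0.113.9", "example.net", auth_mech="PLAIN"))
```

Running it shows the mechanism behind Claus's one-line reply: the lookup for 192.168.1.5 generates the keys 192.168.1.5, 192.168.1, 192.168 and 192, none of which equals "192.168.", so the broken entry is never consulted and the connection falls through to the default deny. The untagged "seiner.com RELAY" line is also why Per's remark about domain names holds: it only helps a client whose address resolves to a name under that domain.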

Captain Dondo

Apr 3, 2005, 10:57:21 AM
On Sun, 03 Apr 2005 04:06:13 +0000, Claus Aßmann wrote:

>
> Please read the fine documentation: cf/README
> for the correct syntax.

Thanks for that pointer. I went through and sorted out my access.db; all
seems to work fine. I'll test relaying tomorrow... Too many FMs, too
little time.... :-)
