Sendmail SMTP AUTH


Kwok Hoe Chan

Sep 14, 2000, 3:00:00 AM
Hi,

I have been trying to set up sendmail 8.11.0 to only allow SMTP relay for
authenticated users and nothing else. It should allow clients connecting from
anywhere on the internet.

So far, with the simplest setting I have been hitting errors such as
"Relaying denied. IP name lookup failed". Does sendmail have an ordered
check before it allows a client to relay email? How do I get sendmail to
only request connecting clients to authenticate themselves before they are
allowed to relay emails?

After fooling around with the sendmail.mc and sendmail.cf files, what I have
done is generate the sendmail.cf with the following sendmail.mc file:
include(`/usr/lib/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
FEATURE(promiscuous_relay)dnl
FEATURE(relay_based_on_MX)dnl
TRUST_AUTH_MECH('PLAIN')dnl
MAILER(local)dnl
MAILER(smtp)dnl

This resolved the first error I described above. Then in the sendmail.cf file
I moved the 'trust_auth' rule to 'Local_check_relay', which looked like the
following:
SLocal_check_relay
Scheck_relay
R$* $: $1 $| $>"Local_check_relay" $1
R$* $| $* $| $#$* $#$3
#R$* $| $* $| $* $@ $>"Basic_check_relay" $1 $| $2
#ckh
R$* $| $* $@ $>"trust_auth" $1

# is user trusted to authenticate as someone else?
Strust_auth
R$* $: $&{auth_type} $| $1
# required by RFC 2554 section 4.
R$@ $| $* $#error $@ 5.7.1 $: "550 not authenticated"
R$* $| $&{auth_authen} $@ identical
R$* $| <$&{auth_authen}> $@ identical
R$* $| $* $: $1 $| $>"Local_trust_auth" $1
R$* $| $#$* $#$2
R$* $#error $@ 5.7.1 $: "550 " $&{auth_authen} " not allowed to act as " $&{auth_author}

Did I miss anything out? The server is installed with sendmail-8.11.0-1
and cyrus-sasl-1.5.11-2.


Claus Assmann

Sep 14, 2000, 3:00:00 AM
Kwok Hoe Chan wrote:

> I have been trying to set up sendmail 8.11.0 to only allow SMTP relay for
> authenticated users and nothing else. It should allow clients connecting from
> anywhere on the internet.

> So far, with the simplest setting I have been hitting errors such as
> "Relaying denied. IP name lookup failed". Does sendmail have an ordered
> check before it allows a client to relay email? How do I get sendmail to
> only request connecting clients to authenticate themselves before they are
> allowed to relay emails?

AUTH is an optional command, sendmail offers it (if available)
and it's up to the client to use it.
Later on the relay checks are done and if the client has been
authenticated via a trusted mechanism then relaying is allowed.

According to your error description the client didn't fulfill
this requirement.

> After fooling around with the sendmail.mc and sendmail.cf files, what I have
> done is generate the sendmail.cf with the following sendmail.mc file:

> FEATURE(promiscuous_relay)dnl

So why do you want authentication at all? Your system is open
for spamming...

> This resolved the first error I described above. Then in the sendmail.cf file

Great...

> I moved the 'trust_auth' rule to 'Local_check_relay' which looked like the
> following:

Do NOT edit the .cf file.
Sorry, but you don't seem to know what you're doing,
and you screwed up the .cf file completely.

> Did I miss anything out? The server is installed with sendmail-8.11.0-1
> and cyrus-sasl-1.5.11-2.

Instead of mucking around with the .cf file and using
FEATURE(promiscuous_relay)dnl
you should just post two/three logfile entries that show
the problem.

--
If you feel the urgent wish to send me a courtesy copy of a Usenet
posting, then make sure it's recognizable as such!
The FAQ: http://www.sendmail.org/faq/ Before you ask.

Claus Assmann

Sep 15, 2000, 12:10:20 AM
Kwok Hoe Chan wrote:
> You are correct, I am new to sendmail configuration. I shouldn't have touched
> the .cf file in the first place. I guess I was driven to do that on the
> account that the IP address rule check drove me crazy.
>
> Anyway, does anyone have a decent .mc file that can perform a proper SMTP
> AUTH function for email relay?

Just follow the instructions at
http://www.sendmail.org/~ca/email/auth.html

you have to set:
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')dnl

Of course you have to select whatever you need.
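
Added example, not part of the original thread and not sendmail's own tooling: a small Python check that reads a sendmail.mc and flags the relay and AUTH settings discussed above (promiscuous_relay, a TRUST_AUTH_MECH argument not wrapped in m4's ` and ' quotes, trusted mechanisms that are never offered). The function names and finding codes are hypothetical, and both sample files are constructed from the lines posted in this thread.

```python
import re

# Constructed sample: the sendmail.mc from the first post, copied as posted.
POSTED_MC = """\
include(`/usr/lib/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
FEATURE(promiscuous_relay)dnl
FEATURE(relay_based_on_MX)dnl
TRUST_AUTH_MECH('PLAIN')dnl
MAILER(local)dnl
MAILER(smtp)dnl
"""
# Constructed sample: same file without promiscuous_relay, plus the reply's two lines.
FIXED_MC = POSTED_MC.replace("FEATURE(promiscuous_relay)dnl\n", "").replace(
    "TRUST_AUTH_MECH('PLAIN')dnl",
    "define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5')dnl\n"
    "TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')dnl")

MACRO = re.compile(r"^[ \t]*(FEATURE|TRUST_AUTH_MECH|define)\((.*)\)", re.M)

def unquote(arg):
    """Return (value, ok); ok is False when quoting is not m4's ` ... ' pair."""
    arg = arg.strip()
    if arg.startswith("`") and arg.endswith("'"):
        return arg[1:-1], True
    return arg.strip("'\"`"), not re.search(r"['\"`]", arg)

def audit_mc(text):
    """Return (code, message) findings for the relay/AUTH lines of a sendmail.mc."""
    findings, offered, trusted = [], None, None
    for name, raw in MACRO.findall(text):
        args = [unquote(a) for a in raw.split(",", 1)]
        value, ok = args[0]
        if name == "FEATURE" and value == "promiscuous_relay":
            findings.append(("open-relay", "relays for any client, AUTH or not"))
        elif name == "TRUST_AUTH_MECH":
            trusted = set(value.split())
            if not ok:
                findings.append(("bad-quote", "expected ` and ' quotes: " + raw))
        elif name == "define" and value == "confAUTH_MECHANISMS" and len(args) == 2:
            offered = set(args[1][0].split())
    if trusted is None:
        findings.append(("no-trust", "no TRUST_AUTH_MECH: AUTH grants no relay"))
    elif offered is not None and trusted - offered:
        findings.append(("not-offered", " ".join(sorted(trusted - offered))))
    return findings

if __name__ == "__main__":
    print("posted:", audit_mc(POSTED_MC), "fixed:", audit_mc(FIXED_MC))
```
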

Kwok Hoe Chan

Sep 15, 2000, 3:00:00 AM
You are correct, I am new to sendmail configuration. I shouldn't have touched
the .cf file in the first place. I guess I was driven to do that on the
account that the IP address rule check drove me crazy.

Anyway, does anyone have a decent .mc file that can perform a proper SMTP
AUTH function for email relay?

"Claus Assmann" <ca+sendmail(-no-copies-please)@mine.informatik.uni-kiel.de>
wrote in message news:8pqkmv$1dj$1...@zardoc.endmail.org...

Kwok Hoe Chan

Sep 15, 2000, 3:00:00 AM
Oh one more thing. The client we are using to connect to the SMTP server is
MS Outlook 2000. Thanks.