
Turning sendmail off and sending email through an authenticating relay


Josep Queraltó

Oct 31, 2011, 6:58:17 AM
Since I can use an external smtp server to send my email to, I want to
turn the sendmail daemon off on my local Fedora 15 machine.

At the file submit.mc I changed:
FEATURE(`msp', `[127.0.0.1]')dnl
to:
FEATURE(`msp', `[smtp.domain.tld]')dnl
and it works like a charm.

The problem begins when I try to authenticate:

1) CONFIGURING
-----------------------
I configured the submit.mc and compiled with m4, including all the
masquerade part, but my relay host requires authentication.

Note: The authentication worked fine when I did it from the
sendmail.mc/sendmail.cf but it does not work when I set it up at
submit.mc/submit.cf.

The 3 lines I included in the submit file:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/authinfo')dnl

Of course I have my authinfo file configured as follows:

AuthInfo:smtp.domain.tld "I:username" "P:password"

and then I compile it as follows:

makemap hash /etc/mail/authinfo.db < /etc/mail/authinfo

I copy the output of the ll here for you to see the owners and permissions:

ll auth*
-rw-------. 1 root root 53 Oct 26 16:36 authinfo
-rw-r-----. 1 root root 12288 Oct 26 18:48 authinfo.db


2) SENDING EMAIL THROUGH THE RELAY
--------------------------------------------------------
Then I try to email myself at yahoo.com (therefore relaying through
smtp.domain.tld) and this is what I get in the maillog:

Oct 27 17:16:09 myhostname sendmail[15767]: p9RFG2jo015767:
SYSERR(root): hash map "authinfo": unsafe map file
/etc/mail/authinfo.db: Permission denied

I have tried changing file authinfo.db permissions (chmod) to 0600,
0400, 0000, 0660 and I get the same result.

Changing file authinfo.db permissions (chmod) to 0666 gives me an even
worse result:
The same happens if chmod back to 0640 but chown the owner of the
authinfo.db file to smmsp:
Oct 27 17:24:25 myhostname sendmail[15851]: p9RFONgq015851:
AUTH=client, available mechanisms do not fulfill requirements
Oct 27 17:24:25 myhostname sendmail[15851]: AUTH=client,
relay=smtp.primari.net., temporary failure, connection abort

The very same configuration in sendmail.mc/sendmail.cf works but it
doesn't in submit.mc/cf

Please let me know what you think about it.

Joe Zeff

Oct 31, 2011, 2:01:17 PM
On Mon, 31 Oct 2011 10:58:17 +0000, Josep Queraltó wrote:

> AuthInfo:smtp.domain.tld "I:username" "P:password"

I set sendmail up with a smarthost and smtpauth to send reports to the
Linux Counter. (Of course, the new one doesn't use email.) My authinfo
file looks like this:

AuthInfo:smtp.domain.tld "U:username" "I:username" "P:password" "M:PLAIN"

It worked fine. I'm not sure that I needed both U and I, but I couldn't
see how it could hurt. Most likely, what you need is M.

--
Joe Zeff -- The Guy With The Sideburns:
http://www.zeff.us http://www.lasfs.info
Computers work in strange and wonderful ways,
Their marvels to avoid performing.

Josep Queraltó

Nov 1, 2011, 6:55:38 AM
On 31/10/2011 18:01, Joe Zeff wrote:
>
>> AuthInfo:smtp.domain.tld "I:username" "P:password"
>
> I set sendmail up with a smarthost and smtpauth to send reports to the
> Linux Counter. (Of course, the new one doesn't use email.) My authinfo
> file looks like this:
>
> AuthInfo:smtp.domain.tld "U:username" "I:username" "P:password" "M:PLAIN"
>
> It worked fine. I'm not sure that I needed both U and I, but I couldn't
> see how it could hurt. Most likely, what you need is M.
>

I tried the file authinfo:
with and without the U,
with and without the M,
with M:PLAIN and M:LOGIN,
with the domain name, with the IP address, and with the IP address
included in brackets,
I tried to compile authinfo with:
make authinfo.db
makemap hash /etc/mail/authinfo < /etc/mail/authinfo
but it never works.

############################################

I can authenticate through telnet

telnet smtp.domain.tld 25
Trying xxx.xxx.xxx.xxx...
Connected to smtp.domain.tld.
Escape character is '^]'.
220 domain.tld ESMTP Sendmail 8.14.4/8.14.3; Tue, 1 Nov 2011 11:28:18 +0100

EHLO localhost
250-domain.tld Hello machine.domain.tld [xxx.xxx.xxx.xxx] (may be
forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP

AUTH LOGIN
334 VXNlcm5hbWU6

dGVzdA==
334 UGFzc3dvcmQ6

dGVzdDEyMzQ=
235 2.0.0 OK Authenticated

#############################################

But when I try sendmail it doesn't seem to work

sendmail -v my_testi...@yahoo.com
kk
.
my_testi...@yahoo.com... Connecting to smtp.domain.tld. via relay...
220 domain.tld ESMTP Sendmail 8.14.4/8.14.3; Tue, 1 Nov 2011 11:37:18 +0100
>>> EHLO machine.domain.tld
250-domain.tld Hello machine.domain.tld [xxx.xxx.xxx.xxx] (may be
forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
>>> MAIL From:<m...@domain.tld> SIZE=3 AUTH=m...@machine.domain.tld
250 2.1.0 <m...@domain.tld>... Sender ok
>>> RCPT To:<my_testi...@yahoo.com>
>>> DATA
550 5.7.1 <my_testi...@yahoo.com>... Relaying denied. IP name
possibly forged [xxx.xxx.xxx.xxx]
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state
.
.
.
(I would like to see AUTH LOGIN after the "250 HELP" line)

###############################################

my submit.mc is fairly simple

divert(-1)
#
# Copyright (c) 2001-2003 Sendmail, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

#
# This is the prototype file for a set-group-ID sm-msp sendmail that
# acts as a initial mail submission program.
#

divert(0)dnl
sinclude(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`linux setup')dnl
define(`confCF_VERSION', `Submit')dnl
define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
define(`confTIME_ZONE', `USE_TZ')dnl
define(`confDONT_INIT_GROUPS', `True')dnl
define(`confPID_FILE', `/var/run/sm-client.pid')dnl
FEATURE(`use_ct_file')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo')dnl
define(`confAUTH_MECHANISMS', `LOGIN')dnl
FEATURE(`msp', `[smtp.domain.tld]')dnl

#################################################

Any ideas ?

Thank you in advance

Joe Zeff

Nov 1, 2011, 2:29:23 PM
On Tue, 01 Nov 2011 10:55:38 +0000, Josep Queraltó wrote:

> Any ideas ?

Yes, as it happens I do have an idea. I originally joined this group to
learn how to get sendmail to work with a smarthost and smtpauth, and
stayed out of curiosity. And, as it happens, I recently had to write up a
quick and dirty walkthrough of this for a friend, which you can see at
http://www.zeff.us/SMTPAuth.txt You need to tell sendmail to use your
smarthost and use Port 587 to get this to work.

BTW, if anybody else in this group has any comments or suggestions about
this walkthrough, I'd appreciate them as I'm thinking of making a proper
HOWTO out of it for my website.

--
Joe Zeff -- The Guy With The Sideburns:
http://www.zeff.us http://www.lasfs.info
Actually, I quite enjoy getting "snarfed"

Andrzej Adam Filip

Nov 1, 2011, 3:12:32 PM
1) Sendmail-8.12+ is (by default) installed as set group-id =>
make authinfo.db owned by the group and set its permissions
to 640 _FOR submit.cf_
2) Try to use U: instead of I: in authinfo entry
3)
http://www.phinesolutions.com/sendmail-gmail-smtp-relay-howto.html
<quote>
2. Upgrading Cyrus SASL
If your SASL installation doesn’t have the “plain” and “login” lib you
will have authentication problem with Gmail. You can see why when you
get to the sendmail configuration in the later steps. The common error
in the /var/log/maillog is this:
AUTH=client, available mechanisms do not fulfill requirements
</quote>

--
[pl>en Andrew] Andrzej A. Filip : an...@onet.eu : Andrze...@gmail.com
"The one charm of marriage is that it makes a life of deception a necessity."
-- Oscar Wilde

Josep Queraltó

Nov 2, 2011, 9:18:05 AM
On 31/10/2011 18:01, Joe Zeff wrote:
> On Mon, 31 Oct 2011 10:58:17 +0000, Josep Queraltó wrote:
>
>> AuthInfo:smtp.domain.tld "I:username" "P:password"
>
> I set sendmail up with a smarthost and smtpauth to send reports to the
> Linux Counter. (Of course, the new one doesn't use email.) My authinfo
> file looks like this:
>
> AuthInfo:smtp.domain.tld "U:username" "I:username" "P:password" "M:PLAIN"
>
> It worked fine. I'm not sure that I needed both U and I, but I couldn't
> see how it could hurt. Most likely, what you need is M.
>

You were absolutely right: The "M:" is a requirement, otherwise
authentication doesn't work.

In former versions of sendmail it would fall back until finding the
appropriate working method, but now it just fails.

But what drove me completely crazy for the past few days is not that...

If you want to authenticate in either "M:PLAIN" or "M:LOGIN" you MUST
have the package cyrus-sasl-plain installed. This should be in capital
letters in every smtp authentication document!

+-----------------------------------------------+
| MAKE SURE YOU HAVE cyrus-sasl-plain INSTALLED |
+-----------------------------------------------+

Finally in my pursuit of turning the sendmail off and emailing through
an authenticating relay this is how it works:

1) submit.mc file does the masquerading
MASQUERADE_AS(`domain.tld')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
EXPOSED_USER(`root')dnl

2) submit.mc also does the forwarding/authenticating to the smart host
FEATURE(`authinfo')dnl
define(`SMART_HOST', `smtp.domain.tld')dnl
MAILER(smtp)dnl

3) sendmail.mc does nothing

4) the sendmail daemon is stopped

5) There is an entry in the crontab to re-send the client queue
periodically (in the unlikely event that an email is left in the
clientmqueue)
#
# +-------------------------------------- min (0-59)
# | +------------------------------- hour (0-23)
# | | +------------------------ day of month (1-31)
# | | | +----------------- month (1-12)
# | | | | +---------- day of week (0-6, Sunday=0)
# | | | | | +--- Command_to_be_executed
# * * * * * |
#--------------------------------------------------------------
10 * * * * /usr/sbin/sendmail -Ac -q
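
A preflight check for the three causes identified in this thread (map group and mode, a missing M: field, missing SASL plugins), added here as an example and not posted by any participant. The function names are hypothetical, and the group smmsp and plugin directory /usr/lib64/sasl2 are assumptions for a Fedora host.

```bash
#!/bin/bash
# check_map FILE GROUP: as advised in the thread, the set-group-ID MSP reads
# the map through its group, so expect GROUP ownership and mode 640.
check_map() {
    local file="$1" group="$2" mode fgroup
    [ -f "$file" ] || { echo "FAIL: $file missing"; return 1; }
    mode=$(stat -c '%a' "$file")
    fgroup=$(stat -c '%G' "$file")
    if [ "$fgroup" != "$group" ] || [ "$mode" != "640" ]; then
        echo "FAIL: $file is $fgroup:$mode, expected $group:640"; return 1
    fi
    echo "OK: $file is $group:640"
}

# check_authinfo FILE: each AuthInfo: entry needs a user (U: or I:), a password
# (P:) and a mechanism (M:). Only the key is printed, never the credentials.
check_authinfo() {
    local file="$1" bad
    grep -q '^AuthInfo:' "$file" || { echo "FAIL: no AuthInfo: entry"; return 1; }
    bad=$(awk '/^AuthInfo:/ && !(/"[UI]:/ && /"P:/ && /"M:/) { print $1 }' "$file")
    [ -z "$bad" ] || { echo "FAIL: incomplete entry: $bad"; return 1; }
    echo "OK: entries carry user, password and M:"
}

# check_sasl_plugins DIR MECH...: M:PLAIN and M:LOGIN need the matching
# Cyrus SASL plugin (libplain.so*, liblogin.so*) in DIR.
check_sasl_plugins() {
    local dir="$1" mech lib rc=0
    shift
    for mech in "$@"; do
        lib="lib$(printf '%s' "$mech" | tr 'A-Z' 'a-z').so"
        if ls "$dir"/"$lib"* >/dev/null 2>&1; then
            echo "OK: $mech plugin present"
        else
            echo "FAIL: no $lib* in $dir (is cyrus-sasl-plain installed?)"; rc=1
        fi
    done
    return $rc
}

# Check the live host only when asked: bash preflight.sh --run
# smmsp and /usr/lib64/sasl2 are assumed Fedora defaults; adjust as needed.
if [ "${1:-}" = "--run" ]; then
    check_map /etc/mail/authinfo.db smmsp
    check_authinfo /etc/mail/authinfo
    check_sasl_plugins /usr/lib64/sasl2 PLAIN LOGIN
fi
```
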

Joe Zeff

Nov 2, 2011, 1:36:53 PM
On Wed, 02 Nov 2011 13:18:05 +0000, Josep Queraltó wrote:

> If you want to authenticate in either "M:PLAIN" or "M:LOGIN" you MUST
> have the package cyrus-sasl-plain installed. This should be in capital
> letters in every smtp authentication document!
>
> +-----------------------------------------------+
> | MAKE SURE YOU HAVE cyrus-sasl-plain INSTALLED |
> +-----------------------------------------------+

Thanx; I'll add that to my walkthrough.

--
Joe Zeff -- The Guy With The Sideburns:
http://www.zeff.us http://www.lasfs.info
Ah, the beauty of OSS. Hundreds of volunteers worldwide volunteering
their time inventing and implementing new, exciting ways for software
to suck.