Mailinglist Archive: opensuse (3644 mails)

Re: [SLE] email client and Yahoo smtp
  • From: Gerry Doris <gerry@xxxxxxxxx>
  • Date: Thu, 7 Mar 2002 10:16:27 -0500 (EST)
  • Message-id: <Pine.LNX.4.44.0203070929120.8520-100000@xxxxxxxxxxxxxxxxx>
On Thu, 7 Mar 2002, Derek Fountain wrote:

> I'm keen to know more! I don't much care how it works, as long as it does. :)
> I only use sendmail because that's what SuSE put on the disk... ;) See my
> previous post for details on how I'd like it to work.


Sorry for the size of this note but I thought you'd like all the info!!!
Let me know if it helps you.


SuSE includes instructions at the following url to add the authentication
you want.

http://sdb.suse.de/en/sdb/html/sendmail_smtp_auth.html

Also, I got the following instructions from the Redhat list. This will
enable several modes of authentication/encryption that you might find
interesting. This allows your clients to authenticate with your sendmail
server with something other than clear text.

***************
Please see the following instructions for setting up authentication with
sendmail. This will allow LOGIN PLAIN to be authenticated using PAM.
While not the greatest (clear text) it works for win clients by just
checking their "server requires authentication" box and uses PAM for
authentication with user id/password. pine clients can authenticate by
adding "/user=userid" (userid is your real id) after the smtp server.
pine will automatically pick the best level of authentication.

If you want to use SASL encryption then check out the following link.

http://lists.suse.com/archive/suse-security/2001-Dec/0294.html

******************

This is from Rodolfo J. Paiz, rpaiz@xxxxxxxxxxxx

The following are basic instructions on enabling SMTP AUTH on a late-model
server. These instructions have been tested with Red Hat Linux 7.0 and 7.2,
using sendmail versions 8.11.0 through 8.11.6 obtained in RPM form from Red
Hat updates.

They *should* work; however, if they don't, I will *ONLY* attempt to help
people resolve issues with SMTP AUTH on redhat-list or enigma-list, so that
everyone gets the benefit of the questions & answers. No questions in
private email will be answered. Also, note that I am not an expert so I may
not even know the answers.

Give me feedback and I might just post this on the Web so people can get at
it more conveniently.

Having said that...

1. Make sure all your clients are configured to authenticate to
the mail server. They will not be able to send mail at all if they don't.
Double-check; many people somehow check the wrong box.

In Outlook or Outlook Express, in the section "Outgoing Mail" of each
Internet Mail account, there is a checkbox labeled "My server requires
authentication." Check that; the settings do not need to be changed since
they are the same username/password they need to get mail.

In Eudora, every Personality has a checkbox labeled "Authentication
allowed". Eudora being somewhat more intelligent, this box is checked by
default.

2. Make sure you are root. If you logged in as a normal user, make
sure you became root using "su -" to get the full login environment. "su"
alone misses some things.

3. Back up your sendmail.mc file by:

# cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.bak

4. The file /etc/mail/sendmail.mc needs to contain the following
three lines:

define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Please note these are three lines only, be careful of the word wrap. Also,
those are *directed quotes* not normal quotes. The left directed quote is
typed with the backtick or "accent grave" key (for those French among us),
and the right directed quote is typed with the apostrophe.

5. Back up the /etc/sendmail.cf (the file sendmail actually uses to
run) by:

# cp /etc/sendmail.cf /etc/sendmail.cf.bak

6. Generate a new sendmail.cf file:

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

7. Copy your new sendmail.cf file over the old one:

# cp /etc/mail/sendmail.cf /etc/sendmail.cf
Overwrite /etc/sendmail.cf? y

8. Verify that you have an /etc/pam.d/smtp file with the following
contents:

#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth

9. Verify that you have a /usr/lib/sasl/Sendmail.conf file with
the following contents:

pwcheck_method:pam

10. Test that sendmail has correctly configured AUTH. Since you do
not yet have any encrypted authentication mechanisms available, the only
ones shown when you issue an EHLO command should be LOGIN and PLAIN.

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 dude.com ESMTP Sendmail 8.11.6/8.11.6; Tue, 29 Jan 2002 07:24:49 -0600
ehlo localhost
250-dude.com Hello dude.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH LOGIN PLAIN
250 HELP
quit
221 2.0.0 dude.com closing connection
Connection closed by foreign host.

10. Test removing all relaying in the access map at 2:00 AM then
trying to send mail. Do this by backing up your current /etc/mail/access
and using something like this:

# Check the /usr/share/doc/sendmail-8.11.6/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail-8.11.6/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY

11. Ensure that your file /etc/mail/relay-domains contains *only*
the domains you host.

12. Ensure that your sendmail.mc does not enable relaying in funny
forms like "accept unresolvable domains", "relay by domain", or any of that
crap. An example (complete) sendmail.mc which is relay-safe is included here:

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl Change sendmail to only listen on the loopback interface and
dnl the internal network interface; never accept outside traffic.
dnl Add "dnl" to both DAEMON_OPTIONS lines to accept mail from
dnl all network interfaces.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl DAEMON_OPTIONS(`Port=smtp,Addr=192.168.0.1, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Cwlocalhost.localdomain

13. Hover anxiously over the server for a couple of days and check
for "Relaying denied" errors. Track them down aggressively as most will be
your own customers. :) Fix their mail client configurations which they
didn't fix before when you told them to.

14. Get some sleep.
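
A static check of the files this procedure edits, added here as an example and not part of the original post: it lists relay-loosening FEATUREs left active in sendmail.mc, access-map keys other than the loopback entries that are granted RELAY, and the cleartext AUTH mechanisms configured. The function names and sample files are constructed for illustration, and the FEATURE names beyond those in the post are assumed from sendmail's cf/README.

```sh
# Added example, not from the original post; sample files are constructed.
# FEATURE names beyond those in the post are assumed from sendmail's cf/README.
RISKY='promiscuous_relay|relay_entire_domain|relay_based_on_MX|relay_local_from|relay_mail_from|loose_relay_check|accept_unresolvable_domains'

# Print active (not dnl-commented) relay-loosening FEATUREs in a sendmail.mc.
risky_features() {
    awk -v risky="^($RISKY)\$" '
        /^[ \t]*dnl([ \t]|$)/ { next }            # m4 comment line: inactive
        match($0, /FEATURE\(`?[A-Za-z_]+/) {
            name = substr($0, RSTART, RLENGTH)
            sub(/^FEATURE\(`?/, "", name)
            if (name ~ risky) print name
        }' "$1"
}

# Print access-map keys granted RELAY other than the loopback entries.
extra_relays() {
    awk '
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        toupper($2) == "RELAY" &&
        $1 !~ /^(localhost|localhost\.localdomain|127\.0\.0\.1)$/ { print $1 }' "$1"
}

# Print the cleartext mechanisms (LOGIN, PLAIN) set in confAUTH_MECHANISMS.
cleartext_mechs() {
    awk '
        /^[ \t]*dnl([ \t]|$)/ { next }
        /confAUTH_MECHANISMS/ {
            n = split($0, w, /[^A-Z0-9-]+/)
            for (i = 1; i <= n; i++)
                if (w[i] == "LOGIN" || w[i] == "PLAIN") print w[i]
        }' "$1"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sendmail.mc" <<'EOF'
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
FEATURE(`relay_based_on_MX')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
EOF
cat > "$tmp/access" <<'EOF'
# constructed sample
localhost RELAY
127.0.0.1 RELAY
192.168.0 RELAY
spammer.example REJECT
EOF
echo "risky features:   $(risky_features "$tmp/sendmail.mc" | tr '\n' ' ')"
echo "extra RELAY keys: $(extra_relays "$tmp/access" | tr '\n' ' ')"
echo "cleartext AUTH:   $(cleartext_mechs "$tmp/sendmail.mc" | tr '\n' ' ')"
```

Point the three functions at /etc/mail/sendmail.mc and /etc/mail/access after step 12; empty output from the first two means nothing beyond loopback is allowed to relay without authenticating.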




