On 12 Feb 2002, Stephan Bösebeck wrote:

Hi list!

Is there a way to get SMPT after POP or something so that sendmail (or an other smtp-server) only accepts connections after a POP3-auth? Or is there a way to auth the users who want to send mail?

thx, Stephan

Please see the following instructions for setting up authentication with sendmail. This will allow LOGIN PLAIN to be authenticated using PAM. While not the greatest (clear text) it works for win clients by just checking their "server requires authentication" box and uses PAM for authentication with user id/password. pine clients can authenticate by adding "/user=userid" after the smtp server. pine will automatically pick the best level of authentication. This is also the first step to setting up you sendmail server for authentication with an ISP that has started using authentication. If you want to use more encrypted passwords using Cyrus-SASL then check the archives for a message titled "sendmail-tls" posted on 12/16/01. *******************************************************************

From rpaiz@indahaus.com Tue Feb 12 17:42:20 2002 Date: Tue, 29 Jan 2002 13:39:53 +0000 From: Rodolfo J. Paiz Reply-To: redhat-list@redhat.com To: enigma-list@redhat.com, redhat-list@redhat.com Subject: SMTP AUTH Micro-HOWTO v2 (corrected)

All: The following are basic instructions on enabling SMTP AUTH on a late-model server. These instructions have been tested with Red Hat Linux 7.0 and 7.2, using sendmail versions 8.11.0 through 8.11.6 obtained in RPM form from Red Hat updates. They *should* work; however, if they don't, I will *ONLY* attempt to help people resolve issues with SMTP AUTH on redhat-list or enigma-list, so that everyone gets the benefit of the questions & answers. No questions in private email will be answered. Also, note that I am not an expert so I may not even know the answers. Give me feedback and I might just post this on the Web so people can get at it more conveniently. Having said that... 1. Make sure all your clients are configured to authenticate to the mail server. They will not be able to send mail at all if they don't. Double-check; many people somehow check the wrong box. In Outlook or Outlook Express, in the section "Outgoing Mail" of each Internet Mail account, there is a checkbox labeled "My server requires authentication." Check that; the settings do not need to be changed since they are the same username/password they need to get mail. In Eudora, every Personality has a checkbox labeled "Authentication allowed". Eudora being somewhat more intelligent, this box is checked by default. 2. Make sure you are root. If you logged in as a normal user, make sure you became root using "su -" to get the full login environment. "su" alone misses some things. 3. Backup your sendmail.mc file by: # cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.bak 4. The file /etc/mail/sendmail.mc needs to contain the following three lines: define(`confAUTH_OPTIONS', `A')dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl Please note these are three lines only, be careful of the word wrap. Also, those are *directed quotes* not normal quotes. The left directed quote is typed with the backtick or "accent grave" key (for those French among us), and the right directed quote is typed with the apostrophe. 5. Backup the /etc/sendmail.cf (the file sendmail actually uses to run) by: # cp /etc/sendmail.cf /etc/sendmail.cf.bak 6. Generate a new sendmail.cf file: # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf 7. Copy your new sendmail.cf file over the old one: # cp /etc/mail/sendmail.cf /etc/sendmail.cf Overwrite /etc/sendmail.cf? y 8. Verify that you have an /etc/pam.d/smtp file with the following contents: #%PAM-1.0 auth required /lib/security/pam_stack.so service=system-auth account required /lib/security/pam_stack.so service=system-auth 9. Verify that you have a /usr/lib/sasl/Sendmail.conf file with the following contents: pwcheck_method:pam 10. Test that sendmail has correctly configured AUTH. Since you do not yet have any encrypted authentication mechanisms available, the only ones shown when you issue an EHLO command should be LOGIN and PLAIN. # telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 dude.com ESMTP Sendmail 8.11.6/8.11.6; Tue, 29 Jan 2002 07:24:49 -0600 ehlo localhost 250-dude.com Hello dude.com [127.0.0.1], pleased to meet you 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-SIZE 250-DSN 250-ONEX 250-ETRN 250-XUSR 250-AUTH LOGIN PLAIN 250 HELP quit 221 2.0.0 dude.com closing connection Connection closed by foreign host. 10. Test removing all relaying in the access map at 2:00 AM then trying to send mail. Do this by backing up your current /etc/mail/access and using something like this: # Check the /usr/share/doc/sendmail-8.11.6/README.cf file for a description # of the format of this file. (search for access_db in that file) # The /usr/share/doc/sendmail-8.11.6/README.cf is part of the sendmail-doc # package. # # by default we allow relaying from localhost... localhost.localdomain RELAY localhost RELAY 127.0.0.1 RELAY 11. Ensure that your file /etc/mail/relay-domains contains *only* the domains you host. 12. Ensure that your sendmail.mc does not enable relaying in funny forms like "accept unresolvable domains", "relay by domain", or any of that crap. An example (complete) sendmail.mc which is relay-safe is included here: divert(-1) dnl This is the sendmail macro config file. If you make changes to this file, dnl you need the sendmail-cf rpm installed and then have to generate a dnl new /etc/sendmail.cf by running the following command: dnl dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf dnl include(`/usr/share/sendmail-cf/m4/cf.m4') VERSIONID(`linux setup for Red Hat Linux')dnl OSTYPE(`linux') define(`confDEF_USER_ID',``8:12'')dnl undefine(`UUCP_RELAY')dnl undefine(`BITNET_RELAY')dnl define(`confAUTO_REBUILD')dnl define(`confTO_CONNECT', `1m')dnl define(`confTRY_NULL_MX_LIST',true)dnl define(`confDONT_PROBE_INTERFACES',true)dnl define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl define(`ALIAS_FILE', `/etc/aliases')dnl dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl define(`UUCP_MAILER_MAX', `2000000')dnl define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl define(`confAUTH_OPTIONS', `A')dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl dnl define(`confTO_QUEUEWARN', `4h')dnl dnl define(`confTO_QUEUERETURN', `5d')dnl dnl define(`confQUEUE_LA', `12')dnl dnl define(`confREFUSE_LA', `18')dnl dnl FEATURE(delay_checks)dnl FEATURE(`no_default_msa',`dnl')dnl FEATURE(`smrsh',`/usr/sbin/smrsh')dnl FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl FEATURE(redirect)dnl FEATURE(always_add_domain)dnl FEATURE(use_cw_file)dnl FEATURE(use_ct_file)dnl FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl FEATURE(`blacklist_recipients')dnl EXPOSED_USER(`root')dnl dnl Change sendmail to only listen on the loopback interface and dnl the internal network interface; never accept outside traffic. dnl Add "dnl" to both DAEMON_OPTIONS lines to accept mail from dnl all network interfaces. dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') dnl DAEMON_OPTIONS(`Port=smtp,Addr=192.168.0.1, Name=MTA') dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires dnl a kernel patch dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6') dnl We strongly recommend to comment this one out if you want to protect dnl yourself from spam. However, the laptop and users on computers that do dnl not have 24x7 DNS do need this. dnl FEATURE(`accept_unresolvable_domains')dnl dnl FEATURE(`relay_based_on_MX')dnl MAILER(smtp)dnl MAILER(procmail)dnl Cwlocalhost.localdomain 13. Hover anxiously over the server for a couple of days and check for "Relaying denied" errors. Track them down aggressively as most will be your own customers. :) Fix their mail client configurations which they didn't fix before when you told them to. 14. Get some sleep. -- Rodolfo J. Paiz rpaiz@indahaus.com -- Gerry "The lyfe so short, the craft so long to learne" Chaucer