LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   sendmail AUTH/SASL2 both an outbound relay and an inbound mail server (http://www.linuxquestions.org/questions/linux-newbie-8/sendmail-auth-sasl2-both-an-outbound-relay-and-an-inbound-mail-server-940897/)

wingman007 04-20-2012 03:27 PM

sendmail AUTH/SASL2 both an outbound relay and an inbound mail server
 
I try to configure sendmail 8.14.5 on Fedora 16.

This is waht I want:
Anyone can connect to the SMTP server to send messages to local domains. However, only authorized users will be allowed to send email to other domains.

For a normal server, one which functions as both an outbound relay and an inbound mail server, AUTH should be required only to enable relaying.

The mail server is a mail hub for at least 5-6 domains.

1) Is this posible with sendmail 8.14.5 on one port 25? Or I have to use port 25 for inbound mail and use another port only to enable relaying after authentication?

2) If this is possible what I have to change in my sendmail.mc (maybe access etc.) configuration files?

If I use "M=A"
DAEMON_OPTIONS(`Port=smtp, Name=MTA, M=A')dnl
I can receive inbound trafic, but there is no authentication.

If I use "M=a"
DAEMON_OPTIONS(`Port=smtp, Name=MTA, M=a')dnl
There is authentication, but I can not receive inboind mails.

I have sendmail and SASL2 working.

Code:

[root@ns1 mail]# /usr/sbin/sendmail -d0.1 -bt < /dev/null

Version 8.14.5

 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX

        MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6

        NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS

        TCPWRAPPERS USERDB USE_LDAP_INIT

============ SYSTEM IDENTITY (after readcf) ============

      (short domain name) $w = ns1

  (canonical domain name) $j = stocluster.com

        (subdomain name) $m = stocluster.com

              (node name) $k = ns1.stocluster.com

========================================================

ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)

Enter <ruleset> <address>

This is my sendmail.mc

Code:

divert(-1)dnl

dnl #

dnl # This is the sendmail macro config file for m4. If you make changes to

dnl # /etc/mail/sendmail.mc, you will need to regenerate the

dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is

dnl # installed and then performing a

dnl #

dnl #    /etc/mail/make

dnl #

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl

VERSIONID(`setup for linux')dnl

OSTYPE(`linux')dnl

dnl #

dnl # Do not advertize sendmail version.

dnl #

dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl

dnl #

dnl # default logging level is 9, you might want to set it higher to

dnl # debug the configuration

dnl #

dnl define(`confLOG_LEVEL', `9')dnl

dnl #

dnl # Uncomment and edit the following line if your outgoing mail needs to

dnl # be sent out through an external mail server:

dnl #

dnl define(`SMART_HOST', `smtp.your.provider')dnl

dnl define(`SMART_HOST', `mail.mydomain.com')dnl

dnl #

define(`confDEF_USER_ID', ``8:12'')dnl

dnl define(`confAUTO_REBUILD')dnl

define(`confTO_CONNECT', `1m')dnl

define(`confTRY_NULL_MX_LIST', `True')dnl

define(`confDONT_PROBE_INTERFACES', `True')dnl

define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl

define(`ALIAS_FILE', `/etc/aliases')dnl

define(`STATUS_FILE', `/var/log/mail/statistics')dnl

define(`UUCP_MAILER_MAX', `2000000')dnl

define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl

define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl

dnl # notice without p I have AUTH when the M=a with M=A doesn't work bothe ways

define(`confAUTH_OPTIONS', `A')dnl

dnl define(`confAUTH_OPTIONS', `A p')dnl

define(`confDOMAIN_NAME', `mydomain.com')dnl

FEATURE(`relay_entire_domain')dnl

dnl #

dnl # The following allows relaying if the user authenticates, and disallows

dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links

dnl #

dnl define(`confAUTH_OPTIONS', `A p')dnl

dnl #

dnl # PLAIN is the preferred plaintext authentication method and used by

dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do

dnl # use LOGIN. Other mechanisms should be used if the connection is not

dnl # guaranteed secure.

dnl # Please remember that saslauthd needs to be running for AUTH.

dnl #

dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl # I can have also PAM I saw it in internet but not sure I need it

TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl

dnl #

dnl # Rudimentary information on creating certificates for sendmail TLS:

dnl #    cd /etc/pki/tls/certs; make sendmail.pem

dnl # Complete usage:

dnl #    make -C /etc/pki/tls/certs usage

dnl #

dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl

dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl

dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl

dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

dnl #

dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's

dnl # slapd, which requires the file to be readble by group ldap

dnl #

dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl

dnl #

dnl define(`confTO_QUEUEWARN', `4h')dnl

dnl define(`confTO_QUEUERETURN', `5d')dnl

dnl define(`confQUEUE_LA', `12')dnl

dnl define(`confREFUSE_LA', `18')dnl

define(`confTO_IDENT', `0')dnl

dnl # If you're operating in a DSCP/RFC-4594 environment with QoS

dnl define(`confINET_QOS', `AF11')dnl

dnl FEATURE(delay_checks)dnl

FEATURE(`no_default_msa', `dnl')dnl

FEATURE(`smrsh', `/usr/sbin/smrsh')dnl

FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl

dnl # FEATURE(`virtusertable', `dbm /etc/mail/virtusertable')dnl - this was in internet

dnl # I left the default

FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl

FEATURE(redirect)dnl

FEATURE(always_add_domain)dnl

FEATURE(use_cw_file)dnl

FEATURE(use_ct_file)dnl

dnl #

dnl # The following limits the number of processes sendmail can fork to accept

dnl # incoming messages or process its message queues to 20.) sendmail refuses

dnl # to accept connections once it has reached its quota of child processes.

dnl #

dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl

dnl #

dnl # Limits the number of new connections per second. This caps the overhead

dnl # incurred due to forking new sendmail processes. May be useful against

dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address

dnl # limit would be useful but is not available as an option at this writing.)

dnl #

dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl

dnl #

dnl # The -t option will retry delivery if e.g. the user runs over his quota.

dnl #

FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl

FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl

FEATURE(`blacklist_recipients')dnl

EXPOSED_USER(`root')dnl

dnl #

dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment

dnl # the following 2 definitions and activate below in the MAILER section the

dnl # cyrusv2 mailer.

dnl #

dnl define(`confLOCAL_MAILER', `cyrusv2')dnl

dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl

dnl #

dnl # The following causes sendmail to only listen on the IPv4 loopback address

dnl # 127.0.0.1 and not on any other network devices. Remove the loopback

dnl # address restriction to accept email from the internet or intranet.

dnl #

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

dnl # the following line works perfect but I want to require Authentication

dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

dnl # the following line I hope will require Authentication for everyone

dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA, Modifiers=a')dnl

dnl # !!!! To require auth for users for relay but to allow incoming mail use A instead of a

DAEMON_OPTIONS(`Port=smtp, Name=MTA, M=A')dnl

dnl #

dnl # The following causes sendmail to additionally listen to port 587 for

dnl # mail from MUAs that authenticate. Roaming users who can't reach their

dnl # preferred sendmail daemon due to port 25 being blocked or redirected find

dnl # this useful.

dnl #

dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

dnl #

dnl # The following causes sendmail to additionally listen to port 465, but

dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed

dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't

dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS

dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps

dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.

dnl #

dnl # For this to work your OpenSSL certificates must be configured.

dnl #

dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

dnl #

dnl # The following causes sendmail to additionally listen on the IPv6 loopback

dnl # device. Remove the loopback address restriction listen to the network.

dnl #

dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl

dnl #

dnl # enable both ipv6 and ipv4 in sendmail:

dnl #

dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')

dnl #

dnl # We strongly recommend not accepting unresolvable domains if you want to

dnl # protect yourself from spam. However, the laptop and users on computers

dnl # that do not have 24x7 DNS do need this.

dnl FEATURE(`accept_unresolvable_domains')dnl

dnl #i

dnl FEATURE(`relay_based_on_MX')dnl

FEATURE(`relay_based_on_MX')dnl

dnl #

dnl # Also accept email sent to "localhost.localdomain" as local email.

dnl #

dnl LOCAL_DOMAIN(`localhost.localdomain')dnl

LOCAL_DOMAIN(`mydomain.com')dnl

dnl #

dnl # The following example makes mail from this host and any additional

dnl # specified domains appear to be sent from mydomain.com

dnl #

dnl MASQUERADE_AS(`mydomain.com')dnl

MASQUERADE_AS(`mydomain.com')dnl

dnl #

dnl # masquerade not just the headers, but the envelope as well

dnl #

dnl FEATURE(masquerade_envelope)dnl

FEATURE(masquerade_envelope)dnl

dnl #

dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well

dnl #

dnl FEATURE(masquerade_entire_domain)dnl

dnl #

dnl FEATURE(promiscuous_relay)

dnl MASQUERADE_DOMAIN(localhost)dnl

dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl

dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl

dnl MASQUERADE_DOMAIN(mydomain.lan)dnl

MAILER(smtp)dnl

MAILER(procmail)dnl

dnl MAILER(cyrusv2)dnl

I will appreciate any help!
Thank you!


All times are GMT -5. The time now is 07:26 AM.