LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices



Reply
 
Search this Thread
Old 05-30-2006, 02:00 PM   #1
saf
LQ Newbie
 
Registered: Mar 2004
Location: Bucharest
Distribution: Slackware 10.2
Posts: 26

Rep: Reputation: 15
Sendmail secure authentication


Hello. I've been trying to get sendmail to work with SSL. I use Slackware 10.2
I followed the exact steps shown here: http://www.linuxquestions.org/linux/...MTP_AUTH_Howto (using those configuration files), in the server section, not smart host, achieving the following results (client=thunderbird):
- sendmail listens on both 25 and 465
- doesn't work with SSL:

Code:
08310 >>> 220 der.server ESMTP Sendmail 8.13.6/8.13.6; Mon, 29 May 2006 21:41:41 +0300
08310 <<< g..08310 >>> 500 5.5.1 Command unrecognized: "
08310 <<< 08310 >>> 500 5.5.1 Command unrecognized: ""
08310 <<< [EOF]
08310 >>> 421 4.4.1 der.server Lost input channel from da.test [xxx.xxx.xxx.xxx]
- works with TLS and No secure connection (although it shouldn't allow the login until after STARTTLS), but I am not required to write anything in the user and password fields (the outgoing user is determined from the account). I have seen a lot of this behavior with the default sendmail configs on Slackware, and my fist questions is:
1) how can i force sendmail to force me to set an username and a password? (maybe the username!=lulu@domain)
And some other questions:
2) why do i get that gibberish when choosing SSL?
3) why does it like TLS and not SSL?
4) is there SSL guide for POP3 and/or IMAP?
5) anyone here managed to user the slack built-in scripts for compiling .mc-s? (sh Build config.cf)

Sorry for the ton of questions and poor english. Thanks in advance four your answers and, should you require anymore data, i will be happy to provide it for you.
 
Old 05-31-2006, 05:27 PM   #2
Smillie
LQ Newbie
 
Registered: Aug 2004
Location: Monroeville, PA
Distribution: Slackware
Posts: 22

Rep: Reputation: 15
Oddly enough SAF I've been working on this same project this week. I will warn up front my answers may not be the best ones, but they are currently working for me:>

1) I think your current config (Atleast from what I read in that page) is set so that the only time a user must authenticate is when they plan to relay through your server. At any time a user connects to your server to send an email which actually goes to that server it shouldn't ask for authentication. So if you email yourself it shouldn't ask. If you email your boy over at Yahoo or something it should ask. On my server right now thats the way it is and it also appears on my server right now in order to Authen you must be doing it through TLS.
2) No clue. Sorry.
3) Not sure. I'd like to know the answer on this one too. My server also has Sendmail open on those ports and I can telnet to them. However like you setting my client to SSL to go to that port doesn't work either. No auth challenge or anything like that. It just sits there forever and sooner or later says the server didn't respond. In my logs it says:
May 31 15:02:43 gator sm-mta[747]: k4VJ1g8r000747: [10.0.15.252] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA-SSL
May 31 15:03:20 gator sm-mta[761]: k4VJ3A2i000761: [10.0.15.252]: possible SMTP attack: command=AUTH, count=4

So anyone who knows how to do SSL instead please join in here:>

4) Not that I've seen in reference to the the normal popa3d that comes with Slackware. We are actually in the process of experimenting with DoveCot (http://www.dovecot.org/) which is basically a replacement for the default Imap and Pop3 services. It also offers SSL abilities and some other nicities. I haven't seen a SlackPackage for it yet, but I didn't have a problem making one of my own to use. It does support Shadow Authentication BTW just like the existing deamons.

5) I've never tried. I've always used the M4 stuff in the Webmin Sendmail Module to redo my Sendmail Configs.

Like I said above I don't know if this all helps you, but figured I would try:>
-Smillie
 
Old 06-01-2006, 01:21 AM   #3
saf
LQ Newbie
 
Registered: Mar 2004
Location: Bucharest
Distribution: Slackware 10.2
Posts: 26

Original Poster
Rep: Reputation: 15
Thanks Smillie, and actually your no. 1 answer helped a lot, showing me that the tests i used were flawed (the only tests were ehlo localhost and sending emails to the main domain). Although i cannot test right now, i believe that removing all domains from RELAY (including localhost and localhost.localdomain) will help forcing the authentication. Right now i'm faced with "AUTH: no availabale mechanisms" in logs (coming from sasl i presume) and the lack of 250 AUTH when ehlo-ing the server. If you have anymore pacience, could you please post you cyrus-sasl configuration and the relevand auth-mech lines from sendmail?
Meanwhile, let's hope that someone gives it a try with ssl and posts it here.
 
Old 06-01-2006, 11:16 AM   #4
Smillie
LQ Newbie
 
Registered: Aug 2004
Location: Monroeville, PA
Distribution: Slackware
Posts: 22

Rep: Reputation: 15
I think the domains in the relay file only come into play when its not localhost. If you are connecting to the SMTP port on your server and the email is going to a user on that server I don't beleive that file even comes into play. However if you are connecting to the SMTP port on your server and you want to send it from there to another server then the relay file is checked to see if your allowed. Of course Authen bypasses the relay file, but I don't know what order as in if you are allowed to relay is Authen still required? Or is one or the other good enough?

I don't have the relay file created on this test box and it allows me to mail the server but not use the server as a relay point.... unless of course I authen:> My current work horse server which is doing all the districts email doesn't have localhost in the relay file either. I only list the IP ranges of those who are allowed to relay through the server which would be our local users on the 10.0.X.X range.

As of current I only had to change two files to get this to work. I originally copied /usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc to gator-custom.mc and then just addded all my extras. For whatever reason that didn't work quite the way I intended it to. I went back looked at a could different sources and this is what I have currently in my custom.mc file which relates to Auth:
Code:
dnl# You will need to create the certificates below with OpenSSL first:
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/sendmail.pem')dnl
define(`confAUTH_OPTIONS', `A p y')dnl

dnl# Allow SASL authentication/relaying:
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=E')dnl
I beleive those are the only parts which go in there in relation to SASL and all that stuff. Everything else in my config is DNSBL, BitDefender AV Milter stuff, and the common settings.

This part is what TOTALLY screwed me for a day or two. I orignally started this thinking SASL, Sendmail and the configs all came with Slack so I shouldn't have to do much to them:> Yeah bad assumption in some cases. Anyhow I had to create a file at /usr/lib/sasl2/ called Sendmail.conf (Take note of the upper case 'S' in that name) Inside that file I just have these two lines:

Code:
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN
Without the above file in place and case'd properly I was getting all sorts of different Auth error messages.

With all that in place I stopped SASL and Sendmail then started SASL followed by Sendmail and as of current things are still working properly.

Last edited by Smillie; 06-01-2006 at 11:25 AM.
 
Old 06-03-2006, 08:24 AM   #5
saf
LQ Newbie
 
Registered: Mar 2004
Location: Bucharest
Distribution: Slackware 10.2
Posts: 26

Original Poster
Rep: Reputation: 15
I'm sorry, but I followed your exact steps, and I still get
Code:
AUTH warning: no mechanisms
in the maillog file.

Later: ok. I got it. The anwswer is here:
http://archives.neohapsis.com/archiv...4-02/0679.html
and the bottom line is that there aren't any AUTH mechanisms until the TLS session starts.

Last edited by saf; 06-03-2006 at 09:07 AM.
 
Old 06-05-2006, 11:13 AM   #6
Smillie
LQ Newbie
 
Registered: Aug 2004
Location: Monroeville, PA
Distribution: Slackware
Posts: 22

Rep: Reputation: 15
That makes sense. After all you wouldn't want to authenticate without some sort of encryption over top to keep things secure.

I still don't have a clue about the SSL part yet. Having some new issues with bind so thats kinda taken my focus for now:>
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Sendmail Authentication sachin0178 Linux - Newbie 0 10-15-2005 04:48 PM
Sendmail authentication dweeb Linux - Newbie 6 07-14-2005 06:24 AM
Secure email (SSL vs. secure authentication) jrdioko Linux - Newbie 2 11-28-2004 02:39 PM
Sendmail Authentication KnightKrawlur Mandriva 0 08-14-2004 12:49 AM
Help setting up postfix secure authentication jglazner Linux - Software 0 11-21-2003 03:25 PM


All times are GMT -5. The time now is 02:45 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration