sendmail authentication instructions

[Gerry Doris]

The following are some instructions I pulled together for another list to 
help some Yahoo folks get authentication working.

*******************

Sorry for the size of this note but I thought you'd like all the info!!!  
Let me know if it helps you.


SuSE includes instructions at the following url to add the authentication 
you want.

http://sdb.suse.de/en/sdb/html/sendmail_smtp_auth.html

Also, I got the following instructions from the Redhat list.  This will 
enable several modes of authentication/encryption that you might find 
interesting.  This allows your clients to authenticate with your sendmail 
server with something other than clear text.

***************
Please see the following instructions for setting up authentication with
sendmail.  This will allow LOGIN PLAIN to be authenticated using PAM.  
While not the greatest (clear text) it works for win clients by just
checking their "server requires authentication" box and uses PAM for
authentication with user id/password.  pine clients can authenticate by
adding "/user=userid" (userid is your real id) after the smtp server.  
pine will automatically pick the best level of authentication.

If you want to use SASL encryption then check out the following link.

http://lists.suse.com/archive/suse-security/2001-Dec/0294.html

******************

This is from Rodolfo J. Paiz, rpaiz at indahaus.com

The following are basic instructions on enabling SMTP AUTH on a late-model 
server. These instructions have been tested with Red Hat Linux 7.0 and 7.2, 
using sendmail versions 8.11.0 through 8.11.6 obtained in RPM form from Red 
Hat updates.

They *should* work; however, if they don't, I will *ONLY* attempt to help 
people resolve issues with SMTP AUTH on redhat-list or enigma-list, so that 
everyone gets the benefit of the questions & answers. No questions in 
private email will be answered. Also, note that I am not an expert so I may 
not even know the answers.

Give me feedback and I might just post this on the Web so people can get at 
it more conveniently.

Having said that...

         1. Make sure all your clients are configured to authenticate to 
the mail server. They will not be able to send mail at all if they don't. 
Double-check; many people somehow check the wrong box.

In Outlook or Outlook Express, in the section "Outgoing Mail" of each 
Internet Mail account, there is a checkbox labeled "My server requires 
authentication." Check that; the settings do not need to be changed since 
they are the same username/password they need to get mail.

In Eudora, every Personality has a checkbox labeled "Authentication 
allowed". Eudora being somewhat more intelligent, this box is checked by 
default.

         2. Make sure you are root. If you logged in as a normal user, make 
sure you became root using "su -" to get the full login environment. "su" 
alone misses some things.

         3. Backup your sendmail.mc file by:

# cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.bak

         4. The file /etc/mail/sendmail.mc needs to contain the following 
three lines:

define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Please note these are three lines only, be careful of the word wrap. Also, 
those are *directed quotes* not normal quotes. The left directed quote is 
typed with the backtick or "accent grave" key (for those French among us), 
and the right directed quote is typed with the apostrophe.

         5. Backup the /etc/sendmail.cf (the file sendmail actually uses to 
run) by:

# cp /etc/sendmail.cf /etc/sendmail.cf.bak

         6. Generate a new sendmail.cf file:

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

         7. Copy your new sendmail.cf file over the old one:

# cp /etc/mail/sendmail.cf /etc/sendmail.cf
Overwrite /etc/sendmail.cf? y

         8. Verify that you have an /etc/pam.d/smtp file with the following 
contents:

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth

         9. Verify that you have a /usr/lib/sasl/Sendmail.conf file with 
the following contents:

pwcheck_method:pam

         10. Test that sendmail has correctly configured AUTH. Since you do 
not yet have any encrypted authentication mechanisms available, the only 
ones shown when you issue an EHLO command should be LOGIN and PLAIN.

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 dude.com ESMTP Sendmail 8.11.6/8.11.6; Tue, 29 Jan 2002 07:24:49 -0600
ehlo localhost
250-dude.com Hello dude.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH LOGIN PLAIN
250 HELP
quit
221 2.0.0 dude.com closing connection
Connection closed by foreign host.

         10. Test removing all relaying in the access map at 2:00 AM then 
trying to send mail. Do this by backing up your current /etc/mail/access 
and using something like this:

# Check the /usr/share/doc/sendmail-8.11.6/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail-8.11.6/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY

         11. Ensure that your file /etc/mail/relay-domains contains *only* 
the domains you host.

         12. Ensure that your sendmail.mc does not enable relaying in funny 
forms like "accept unresolvable domains", "relay by domain", or any of that 
crap. An example (complete) sendmail.mc which is relay-safe is included here:

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl        m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl Change sendmail to only listen on the loopback interface and
dnl the internal network interface; never accept outside traffic.
dnl Add "dnl" to both DAEMON_OPTIONS lines to accept mail from
dnl all network interfaces.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl DAEMON_OPTIONS(`Port=smtp,Addr=192.168.0.1, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl       a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Cwlocalhost.localdomain

         13. Hover anxiously over the server for a couple of days and check 
for "Relaying denied" errors. Track them down aggressively as most will be 
your own customers. :) Fix their mail client configurations which they 
didn't fix before when you told them to.

         14. Get some sleep.