
Re: Relay of smtp server



edwardspl ita org mo wrote:

> Hello Alex,
> 
> So, how to modify the mc file for using sasl ?
> 
> Edward.

Edward,

the sendmail.mc shipping with Fedora already contains the required
"switches" to configure Sendmail to provide SMTP AUTH (which makes use of
SASL). Apart from one of those lines, they are all commented out by a leading
"dnl" (M4 syntax). The one that is set active is

define(`confAUTH_OPTIONS', `A')dnl

From cf/README, that setting says:

If this option is 'A' then the AUTH= parameter for the MAIL FROM command
is only issued when authentication succeeded. Other values (which should
be listed one after the other without any intervening characters except
for space or comma) are a, c, d, f, p, and y.
See doc/op/op.me for details.

A different setting of confAUTH_OPTIONS is pre-defined but commented out as
well, which will instruct Sendmail to only allow plaintext
authentication if the connection is TLS/SSL protected, so it does not
transport the auth credentials in readable plain text over the wire.
That is a good and recommended choice but requires having a working
STARTTLS configuration set up as well.

The other 2 pre-definitions Sendmail needs to provide AUTH as part of
ESMTP are

dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

As you see, they are commented out by default. TRUST_AUTH_MECH is related to
the trust_auth ruleset. The ruleset trust_auth is used to determine
whether a given AUTH= parameter (that is passed to this ruleset) should
be trusted. Per default, relaying is allowed for any user who
authenticated via a "trusted" mechanism, i.e., one that is defined via
TRUST_AUTH_MECH(`list of mechanisms'). So it is ok to set this to a full
list of mechs which you would like to have available for advanced AUTH
setups.

The confAUTH_MECHANISMS is a list of authentication mechanisms for AUTH
(separated by spaces). The advertised list of authentication mechanisms
will be the intersection of this list and the list of available
mechanisms as determined by the CYRUS SASL library. By default those
mechs are set to GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5. To not confuse
the clients which will try to make use of AUTH that list of auth
mechanisms should be set to what your system really can handle. As said
in my previous posting, using saslauthd from cyrus-sasl, you cannot
make use of DIGEST-MD5 and CRAM-MD5 due to the way those work. Using
sasldb as a backend, on the other hand, you could provide the -MD5 mechs.
EXTERNAL would delegate the authentication to a different service.
Offering GSSAPI practically means you have a working Kerberos setup.

Of course you too will have to make sure that all required cyrus-sasl
rpms are installed. I.e. for providing LOGIN and/or PLAIN you need to
have cyrus-sasl-plain installed. For the 2 -MD5 mechs you need
cyrus-sasl-md5.

So far about the settings inside the sendmail.mc. Please install the
sendmail-doc rpm to be able to read through the cf/README and
op.me documents on your own. To be able to apply the changes within the sendmail.mc
to the sendmail.cf, which is the configuration Sendmail actually
operates with, you need to have the sendmail-cf rpm installed.
Then you can run "make -C /etc/mail" to get a freshly regenerated
sendmail.cf. Or just run "service sendmail restart". This is required
anyway to have the new config read in, and it will automatically
detect whether a change to one of the 2 .mc files has been made and whether a
.cf regeneration is required.

Alexander
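As an added example that is not part of the thread or of Fedora's sendmail package, the following script audits the AUTH-related lines of a sendmail.mc against the points made above: only settings not commented out by "dnl" count, confAUTH_OPTIONS should carry 'A' (and 'p' so plaintext mechanisms are refused without TLS), confAUTH_MECHANISMS should name only mechanisms the installed cyrus-sasl plugins provide, DIGEST-MD5 and CRAM-MD5 cannot work with a saslauthd backend, and TRUST_AUTH_MECH must be active for authenticated relaying. The two .mc fragments and the set of installed mechanisms are constructed for the example; the `audit`, `parse_mc` and `advertised` functions are my own names, not anything from Sendmail.

```python
import re

# Constructed .mc fragment mirroring the post: the recommended confAUTH_OPTIONS
# variant and the two mechanism lines are still commented out with "dnl".
SAMPLE_MC = """\
define(`confAUTH_OPTIONS', `A')dnl
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
"""

# Constructed hardened fragment for a saslauthd-backed setup offering only
# LOGIN/PLAIN, with plaintext auth restricted to TLS-protected sessions ('p').
HARDENED_MC = """\
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
"""

# Compiled-in default list named in the post, used when confAUTH_MECHANISMS is unset.
DEFAULT_MECHS = "GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5"
# Shared-secret challenge/response mechs that a saslauthd backend cannot serve.
SASLAUTHD_UNUSABLE = {"DIGEST-MD5", "CRAM-MD5"}

DEFINE_RE = re.compile(r"^\s*define\(`(\w+)',\s*`([^']*)'\)")
TRUST_RE = re.compile(r"^\s*TRUST_AUTH_MECH\(`([^']*)'\)")


def parse_mc(text):
    """Return the active AUTH settings of an .mc fragment as a dict.

    A line starting with "dnl" is an M4 comment: M4 discards everything up to
    and including the newline, so the whole line is ignored here as well.
    """
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("dnl"):
            continue
        m = DEFINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
            continue
        m = TRUST_RE.match(line)
        if m:
            settings["TRUST_AUTH_MECH"] = m.group(1)
    return settings


def advertised(text, installed_mechs):
    """Mechanisms Sendmail would advertise: the configured (or default) list
    intersected with what the installed cyrus-sasl plugins provide."""
    configured = parse_mc(text).get("confAUTH_MECHANISMS", DEFAULT_MECHS).split()
    return [m for m in configured if m in installed_mechs]


def audit(text, installed_mechs, backend="saslauthd"):
    """Return a list of human-readable findings; an empty list means no issue."""
    s = parse_mc(text)
    findings = []
    # Flags may be separated by spaces or commas, per cf/README.
    opts = set(s.get("confAUTH_OPTIONS", "").replace(",", " ").split())
    if "A" not in opts:
        findings.append("confAUTH_OPTIONS lacks 'A': AUTH= issued even without successful authentication")
    if "p" not in opts:
        findings.append("confAUTH_OPTIONS lacks 'p': plaintext mechanisms allowed on unencrypted connections")
    if "confAUTH_MECHANISMS" not in s:
        findings.append("confAUTH_MECHANISMS not active: compiled-in default list will be advertised")
    else:
        mechs = set(s["confAUTH_MECHANISMS"].split())
        for m in sorted(mechs - set(installed_mechs)):
            findings.append(f"{m} listed but no cyrus-sasl plugin installed for it")
        if backend == "saslauthd":
            for m in sorted(mechs & SASLAUTHD_UNUSABLE):
                findings.append(f"{m} cannot work with a saslauthd backend")
    if "TRUST_AUTH_MECH" not in s:
        findings.append("TRUST_AUTH_MECH not active: no mechanism is trusted, so authenticated users cannot relay")
    return findings


if __name__ == "__main__":
    # Assumed plugin set: only cyrus-sasl-plain installed (constructed).
    installed = {"LOGIN", "PLAIN"}
    for name, mc in (("stock", SAMPLE_MC), ("hardened", HARDENED_MC)):
        print(f"[{name}] advertised: {advertised(mc, installed)}")
        for f in audit(mc, installed):
            print(f"[{name}] finding: {f}")
```

Run it as-is to compare the stock and hardened fragments; point `audit` at the contents of your own /etc/mail/sendmail.mc and pass the mechanisms your installed cyrus-sasl-* rpms provide (and `backend="sasldb"` if you use sasldb rather than saslauthd) to check a real file.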
