ORC Owl Logo 2  

Owl River Company

  
   Your IP is: 38.107.191.114
Up More Tips

SMTP-AUTH Outline


   http://www.owlriver.com/tips/smtp-auth/

Well, a pet peeve of mine is people who directly edit the .cf file instead of using the m4 configuration files. Don't do it! [laughs] I treat the .cf file as a binary file - you should too. -- Eric Allman, author of Sendmail, 18 Oct 1999
http://www.sendmail.net/interviews/interview001.shtml

SMTP-AUTH (RFC 2554) is used by a mailserver acting as an MTA to verify that a person proposing to send email through it, is indeed authorized to send email through it. That is, a 'road warrior' with a laptop can use the same outbound SMTP server in the central office bastion segment on the road which they use back at the office.

This mail transfer feature, defined in RFC 2554. is very helpful is allowing a systems administrator to 'lock down' their mailservers against use by a spammer: a spammer knows that many administrators consider it 'too hard' to lock down a mailserver. When the spammer finds an unsecured mailserver, automated programs are 'aimed' at the unsafe mailserver, and the floodgates open, sending a run of unwanted content.

  1. Install Changes

    1. Add the following lines in the file: /etc/mail/sendmail.mc 
      [root@thishost /etc/mail]# grep -i auth sendmail.mc
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
    2. Rebuild the /etc/mail/sendmail.cf control file:
      [root@thishost /etc/mail]# m4 /etc/mail/sendmail.mc \
	> /etc/mail/sendmail.cf
      These instructions are at the top of the default sendmail.mc shipped by Red Hat. (Also, note that in their Raw Hide, at the time this is prepared, Red Hat's next release after Red Hat 7.3 is doing the sendmail.org recommended relocation of /etc/sendmail.cf to /etc/mail/sendmail.cf ). The sendmail which accompanied Red Hat 7.3 (sendmail 8.11.6) was also SMTP-AUTH ready.

    3. This is the point which is missed most easily: Buried in the README.cf for sendmail, in the anti-spam changes since version 8.9, is this: 
      Instead, those rulesets will be called by the check_rcpt
ruleset; they will be skipped if a sender has been 
authenticated using a "trusted" mechanism, i.e., one 
that is defined via TRUST_AUTH_MECH().
      The 'check_rcpt' are the /etc/mail/access and related files -- if one has authenticated by using the SMTP-AUTH changes outlined here, one has 'proved' than one has the authorization to use the mailserver, and one may send email from anywhere. -- Obviously, it does not stop a rogue user from abusing the mailserver, but it does allow the sysadmin to review the log files (see below), and address the matter.

    4. Now we need to be able to safely transfer the password testing information across an insecure internet, filled with sniffers, and spoofers, and other evildoers and Carnivores. This is outside of the scope of this tip, but is addressed separately. We will use pre-built functions in this example.

      The 'cyrus-sasl' packages are consulted, if present, by sendmail, to do this in the securest possible fashion. This is also mentioned in the README.cf thus:
      confAUTH_MECHANISMS   \
          AuthMechanisms  [GSSAPI KERBEROS_V4 DIGEST-MD5
                          CRAM-MD5] List of authentication
                          mechanisms for AUTH (separated by
                          spaces).  The advertised list of
                          authentication mechanisms will be the
                          intersection of this list and the list
                          of available mechanisms as determined
                          by the CYRUS SASL library.
      This red section is really important, and so we set if off to draw attention -- It does NO GOOD to apply the changes to sendmail.mc, if sendmail does not have the needed SASL libraries to perform the authentication.

      We need to verify that at least the following are installed:
      [root@thishost /etc/mail]# rpm -qa | grep sasl | sort
cyrus-sasl-1.5.24-23
cyrus-sasl-gssapi-1.5.24-23
cyrus-sasl-md5-1.5.24-23
cyrus-sasl-plain-1.5.24-23
    5. Time passes, and security gets better:
      In the CentOS series of Community ENTerprise [Linux] Operating System (CentOS), the SASL function has moved to a daemon, which needs to be present and running. This change permits compartmentalizing the need for root access more tightly. /usr/sbin/saslauthd, and its matchine intiscript, were already present in later versions as part of the cyrus-sasl package
      [root@ftp mail]# /sbin/service saslauthd start
      Starting saslauthd: [ OK ]
      [root@ftp mail]# /sbin/chkconfig saslauthd on
    6. Note: The 'access' database hashing function has changed, and be sure to note in the attached sendmail.mc the section:

      dnl dnl dnl -- added for clarification for Teodor Georgiev and dnl dnl Martin Mewes on thread: [RedHat 7.2] sendmail + smtp-auth dnl dnl dnl dnl -- old form access hash pre 8.12 dnl dnl --- FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl dnl dnl
      The old sendmail-8.11 version is blue; the new sendmail-8.12 version is green.

    7. And restart sendmail: 
      [root@thishost /etc/mail]# make
[root@thishost /etc/mail]# service sendmail restart
  2. Testing Schema
    1. Now we test locally. The parts which you type are in blue, and the response to look for is in green:

      [root@swampfox sendmail]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220-swampfox.owlriver.com ESMTP RBL Testing and Publishing Notice Variant
220-         Sendmail 8.11.6/8.11.6/nullclient
220-         ready at Sun, 23 Jun 2002 10:27:54 -0400
220-
220-        ------------ NOTICE - and - TERMS OF USE ----------------------
220-            We reserve the right to test all offerings and intermediate
220-         relay hosts used by you for Open Relay and related status,
220-         and to report for public publishing the results of our tests.
220-            All content offered to this mailserver is done without any
220-         further expectation of privacy by you, and you grant to us
220-         full rights of republication at our sole discretion.
220-            We also infer irrevocable explicit consent to our test of
220-         those hosts, once you have further used our resources.
220-
220-            Do not like these polices?  Okay -- Go away.
220-            Type "quit" to disconnect NOW, and send paper mail
220-         to our domain mailing address if you disagree with any of
220-         these terms and reporting.
220-        ---------------------------------------------------------------
220-         Revised: RPH 020415
220-        ---------------------------------------------------------------
220
EHLO localhost
250-swampfox.owlriver.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH GSSAPI LOGIN PLAIN
250 HELP
QUIT
221 2.0.0 swampfox.owlriver.com closing connection
Connection closed by foreign host.
[root@swampfox sendmail]#

      OK: We see this in summary form:

      EHLO localhost
250-AUTH GSSAPI LOGIN PLAIN
QUIT
    2. Awwk -- what does that mean?

      ... It tells us that sendmail is willing to use GSSAPI (for Kerberos), a user/password password LOGIN pair (unencrypted), and a fall-back to the PLAIN check_rcpt'' -- the particular cyrus-sasl modules we have on this host do not support DIGEST-MD5 or CRAM-MD5, and so they are not offered by an SMTP-AUTH aware sendmail to the the MUA -- Mail User Agent -- here: the simple 'telnet to port 25' with which we have tested. This is the expression of "interesction" language mentioned above.

    3. A later test on CentOS 4 an an interior test host, varies a bit with the later SASL options: 
      [herrold@centos-4 ~]$ telnet ftp.first.lan 25
Trying 10.16.1.253...
Connected to ftp.first.lan (10.16.1.253).
Escape character is '^]'.
220 ftp.first.lan ESMTP Sendmail 8.13.1/8.13.1; Mon, 19 Feb 2007 11:11:19 -0500
EHLO localhost
250-ftp.first.lan Hello centos-4.first.lan [10.16.1.101], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 ftp.first.lan closing connection
Connection closed by foreign host.
[herrold@centos-4 ~]$

    4. Production testing

      1. Configure the MUA
        Fire up a more conventional MUA -- Netscape navigator can talk SMTP-AUTH just fine, and check its configuration:
           Edit | Preferences | Mail & Newsgroups | Mail Servers
           Set "Outgoing mail server user name:" to the userid by which you are known to the remote "Outgoing mail (SMTP) server".
           Click "OK" to apply the changes.

      2. Test the MUA
        Send yourself a piece of email in the regular fashion.

        During the send process, Netscape sends a EHLO and sees that line saying250-AUTH GSSAPI LOGIN PLAIN, and offers the 'best' credential it can. This means asking you for a valid password for the outgoing SMTP server. Give it.

      3. Check the full headers

        It shows in the mail headers received back: 
        Return-Path: 
Received: from box.xxx.xxx (box.xxx.xxx [198.30.xxx.xxx])
        by swampfox.owlriver.com (8.11.6/8.11.6) with ESMTP id g5N72Ri04393
        for ; Sun, 23 Jun 2002 03:02:27 -0400
Received: from owlriver.com (dhcp065-024-xxx-xxx.columbus.rr.com
    [65.24.xxx.xxx])
        (authenticated bits=0)
        by box.xxx.xxx (8.12.4/8.12.4) with ESMTP id g5N72Q3s001708;
        Sun, 23 Jun 2002 03:02:27 -0400
Sender: herrold@mail.xxx.xxx
Message-ID: <3D157288.8FF41049@owlriver.com>
Date: Sun, 23 Jun 2002 03:02:32 -0400
From: herrold 
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.18-3 i686)

        and it shows in the mail log of the server handling the transfer: 
        [root@bo dl]# tail -f /var/log/maillog | grep herr
	Jun 23 03:01:38 box sendmail[1682]: AUTH=server,
	relay=dhcp065-024-xxx-xxx.columbus.rr.com [65.24.xxx.xxx],
	authid=herrold, mech=PLAIN, bits=0
Jun 23 03:01:39 box sendmail[1682]: g5N71X3s001682:
	from=, size=351, class=0, nrcpts=1,
	msgid=<3D157252.57F823A5@owlriver.com>, proto=ESMTP, daemon=MTA,
	relay=dhcp065-024-xxx-xxx.columbus.rr.com [65.24.xxx.xxx]
Jun 23 03:01:40 box sendmail[1686]: g5N71X3s001682:
	to=, delay=00:00:02, xdelay=00:00:01,
	mailer=esmtp, pri=30346, relay=swampfox.owlriver.com. [206.21.107.147],
	dsn=2.0.0, stat=Sent (g5N71dG19054 Message accepted for delivery)

  3. All Done

We make this available for non-commercial and individual use. Please respect our copyright, and consider contacting us for all your Open Source and *nix design, architect / systems analysis, and administration needs.

Copyright (C) 2002 R P Herrold
      herrold@owlriver.com  NIC: RPH5 (US)
   My words are not deathless prose,
      but they are mine.

       Owl River Company
   "The World is Open to Linux (tm)"
   ... Open Source LINUX solutions ...
      info@owlriver.com
         Columbus, OH
- rev 030803 RPH - add Other Voices link - rev 020825 RPH - add RFC 2821 link - rev 020614 RPH - color highlighting;
- rev 020814 RPH - added access hash section
http://www.owlriver.com/tips/smtp-auth/

Other voices: joreybump.com - SMTP AUTH with sendmail
 sendmail.org outline
 Simpaticus outline

Up More Tips
       
Back to Top Page
[legal] [ no spam policy ] [ Copyright] © 2008 Owl River Company
All rights reserved.

Last modified: Mon, 19 Feb 2007 11:27:18 -0500
http://www.owlriver.com/tips/smtp-auth/index.php