Wednesday, September 30, 2009

SENDMAIL Notes 14: Sendmail SMTP AUTH


Sendmail SMTP AUTH

      SMTP AUTH support allows sendmail to relay mail based on SMTP authentication instead of the client's IP address, which matters when the client's or user's IP address keeps changing (a roaming user).

In order to enable SMTP AUTH support in sendmail, the following packages are needed.
  1. cyrus-sasl    
  2. cyrus-sasl-plain (For Plain Authentication)
  3. cyrus-sasl-devel (Some devel libs are needed by sendmail)
  4. cyrus-sasl-crammd5 (For CRAM MD5 auth)
  5. cyrus-sasl-digestmd5
  6. cyrus-sasl-otp
  7. cyrus-sasl-gssapi

      The Cyrus SASL libraries are needed for SMTP AUTH. After installing the above packages, the Cyrus libraries will be in /usr/lib.

Note:-
      If the distribution does not provide the Cyrus packages, download the source, compile it with all the authentication mechanisms, and install it.

Now we need to compile sendmail against Cyrus SASL and install the binaries.

Compiling & installing sendmail for SMTP AUTH:

Go to the following directory
# cd sendmail-8.14.2/devtools/Site
    Note:-
        The top-level Build script (which creates the sendmail binaries) consults the Site directory while compiling and, if it finds site.config.m4, includes its contents in the build. This file is used to add variables or modules, or to extend sendmail's features. To enable such features we have to add some directives to site.config.m4.

To test whether the existing sendmail has SMTP AUTH enabled:
# telnet localhost 25
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 centos.com ESMTP Sendmail 8.14.2/8.14.2; Thu, 1 Oct 2009 17:41:53 +0400
ehlo localhost
250-centos.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-DELIVERBY
250 HELP
    If SMTP AUTH were enabled we would see an extra line, 250-AUTH, in the reply to the command ehlo localhost.

The other way of testing sendmail for SMTP AUTH support is
# sendmail -v -d0.10
    This prints sendmail's compiled-in features to the shell in debug mode; look for SASL in the output.

Now we add some directives to the site.config.m4 file and compile & install sendmail again to enable SMTP AUTH.
APPENDDEF(`confENVDEF', `-DSASL=2')
dnl Tell sendmail to include support for SASL version 2
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
dnl Link sendmail against the SASL library, found in the library directory given by the next directive
APPENDDEF(`confLIBDIRS', `-L/usr/lib')
APPENDDEF(`confINCDIRS', `-I/usr/include/sasl')
dnl Tell sendmail where the SASL header files are (the variable is confINCDIRS, not conf_INCDIRS)
Now save the configuration and recompile the binary.
    Remove the existing obj.Linux.2.6.18-128.el5.i686 directory before compiling sendmail again, then run the build script
# cd sendmail-8.14.2
# ./Build
    Check the build output to confirm that sasl2 has been included. The build has to complete successfully.
Before copying the sendmail binary to /usr/sbin, check whether the newly compiled binary has SMTP AUTH support.
To check this, go to the following directory
# cd sendmail-8.14.2/obj.Linux.2.6.18-128.el5.i686/sendmail
# ./sendmail -v -d0.10
    Here we should get output similar to
Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2 SCANF USERDB XDEBUG
Now copy this sendmail binary over the running sendmail
# cp sendmail /usr/sbin
    Now we have the new binary. Verify the permissions of the binary:
# chown root:smmsp /usr/sbin/sendmail
# chmod g+s /usr/sbin/sendmail
    This makes sendmail execute setgid with the group smmsp.
To verify:
# ls -ltr /usr/sbin
-r-xr-sr-x 1 root smmsp   678197 Oct  1 18:54 sendmail

Now configure the sendmail.mc file to include SMTP AUTH
# cd sendmail-8.14.2/cf/cf
# vi sendmail.mc

TRUST_AUTH_MECH(`LOGIN PLAIN GSSAPI DIGEST-MD5')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN GSSAPI DIGEST-MD5')dnl
    TRUST_AUTH_MECH tells sendmail which authentication mechanisms it trusts for relaying.
    confAUTH_MECHANISMS tells sendmail which authentication mechanisms have been configured.
    With these, sendmail hands authentication over to the Cyrus libraries.

Note:-
    Sendmail hands control over to the Cyrus libraries for authentication. The Cyrus libraries check the passwd file or LDAP to authenticate the user.
# cd sendmail-8.14.2/cf/cf
# m4 ../m4/cf.m4 sendmail.mc > sendmail.cf

# cp sendmail.cf /etc/mail
Now restart the sendmail service:
# service sendmail restart

Testing that SMTP AUTH support is turned on:
[root@centos ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 centos.com ESMTP Sendmail 8.14.2/8.14.2; Fri, 2 Oct 2009 17:18:57 +0400
ehlo localhost     
250-centos.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN DIGEST-MD5
250-DELIVERBY
250 HELP

Here we are looking for the line "250-AUTH LOGIN PLAIN DIGEST-MD5".
Note:-
      If this test fails even though all the configuration has been done correctly, troubleshoot by re-checking the configuration files and the timestamps of the binaries, and use the netstat command to verify that the sendmail process is bound to port 25.
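The two telnet checks above (before and after enabling SASL) come down to reading sendmail's multi-line EHLO reply and looking for a 250-AUTH line. The following parser is an added example, not code from the original post: it extracts the advertised capabilities from such a reply, returns the AUTH mechanisms (empty when SMTP AUTH is off), and flags the case where PLAIN or LOGIN is offered without STARTTLS, since those mechanisms send the password in clear. The sample replies are constructed from the post's transcripts; check_live() assumes a reachable MTA on the given host and port.

```python
# Added example (not from the original post): parse sendmail's EHLO reply
# and report the SMTP AUTH capability that the post enables.
import smtplib
from typing import Dict, List

# Constructed from the post's transcripts: one reply without AUTH, one with it.
EHLO_BEFORE = """250-centos.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250 HELP"""
EHLO_AFTER = EHLO_BEFORE.replace("250-DSN", "250-DSN\n250-AUTH LOGIN PLAIN DIGEST-MD5")

def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Map each advertised keyword to its parameters.
    Continuation lines are '250-KEYWORD params', the last line is '250 KEYWORD';
    the greeting line and any telnet/banner chatter are skipped."""
    caps: Dict[str, List[str]] = {}
    for raw in reply.splitlines():
        line = raw.strip()
        if not line.startswith("250"):
            continue
        body = line[4:].strip()           # drop '250-' or '250 '
        if not body or "pleased to meet you" in body:
            continue
        keyword, *params = body.split()
        caps[keyword.upper()] = [p.upper() for p in params]
    return caps

def auth_mechanisms(reply: str) -> List[str]:
    """Mechanisms listed on the 250-AUTH line, or [] if SMTP AUTH is off."""
    return parse_ehlo(reply).get("AUTH", [])

def cleartext_auth_without_tls(reply: str) -> bool:
    """True when PLAIN or LOGIN is offered but STARTTLS is not advertised."""
    caps = parse_ehlo(reply)
    mechs = set(caps.get("AUTH", []))
    return bool(mechs & {"PLAIN", "LOGIN"}) and "STARTTLS" not in caps

def check_live(host: str = "localhost", port: int = 25) -> List[str]:
    """Send EHLO to a running MTA (assumed reachable) and return its AUTH mechanisms."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("localhost")
        # smtplib stores the AUTH parameters as a space-separated string
        return smtp.esmtp_features.get("auth", "").upper().split()
```

Run against the post's second transcript it returns LOGIN, PLAIN and DIGEST-MD5, matching the line the post tells you to look for.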

Now we have to configure Cyrus SASL to accept requests from sendmail.
# cd /usr/lib/sasl2
# vi smtp.conf
or
# vim /etc/sasl2/sendmail.conf

Put the following line in the file:
pwcheck_method: saslauthd
# mv smtp.conf Sendmail.conf
    We have to rename smtp.conf to Sendmail.conf. Note that the S in Sendmail.conf is capital.

Now start the saslauthd service
# service saslauthd start
    Now test the authentication mechanism by connecting with an MUA such as Evolution, Thunderbird or Outlook.

Note:
If we get any errors like - AUTH failure (PLAIN): user not found (-20) SASL(-13): user not found: Password verification failed
Try uninstalling all the "cyrus" packages and reinstalling them one by one; this will sort out the issue. It worked for me.
