About
History
Team
Mascot
Images

Community
Download
Mirrors
Mailing Lists

Status
Digest
Bugs

Docs
Developers
FAQ
GitWeb
Goals
Handbook
HowTos
Man pages
Presentations
Users

Security
PGP Keys

Exports
Hammer

handbook-smtp-auth

20.10 SMTP Authentication

*Written by James Gorham. *

Having SMTP Authentication in place on your mail server has a number of benefits. SMTP Authentication can add another layer of security to sendmail , and has the benefit of giving mobile users who switch hosts the ability to use the same mail server without the need to reconfigure their mail client settings each time.

1. Install security/cyrus-sasl from the ports. You can find this port in security/cyrus-sasl. security/cyrus-sasl has a number of compile time options to choose from and, for the method we will be using here, make sure to select the pwcheck option.

2. After installing security/cyrus-sasl, edit /usr/local/lib/sasl/Sendmail.conf (or create it if it does not exist) and add the following line:

   pwcheck_method: passwd

   This method will enable sendmail to authenticate against your DragonFly passwd database. This saves the trouble of creating a new set of usernames and passwords for each user that needs to use SMTP authentication, and keeps the login and mail password the same.

3. Now edit /etc/make.conf and add the following lines:

   SENDMAIL_CFLAGS=-I/usr/pkg/include/sasl -DSASL
   SENDMAIL_LDFLAGS=-L/usr/pkg/lib
   SENDMAIL_LDADD=-lsasl2
   

   These lines will give sendmail the proper configuration options for linking to cyrus-sasl at compile time. Make sure that cyrus-sasl has been installed before recompiling sendmail .

4. Recompile sendmail by executing the following commands:

   # cd /usr/src/usr.sbin/sendmail
   # make cleandir
   # make obj
   # make
   # make install
   

   The compile of sendmail should not have any problems if /usr/src has not been changed extensively and the shared libraries it needs are available.

5. After sendmail has been compiled and reinstalled, edit your /etc/mail/freebsd.mc file (or whichever file you use as your .mc file. Many administrators choose to use the output from hostname(1) as the .mc file for uniqueness). Add these lines to it:

   dnl set SASL options

   TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

   define(confAUTH_MECHANISMS',GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

   define(confDEF_AUTH_INFO',/etc/mail/auth-info')dnl

   These options configure the different methods available to sendmail for authenticating users. If you would like to use a method other than pwcheck , please see the included documentation.

6. Finally, run make(1) while in /etc/mail. That will run your new .mc file and create a .cf file named freebsd.cf (or whatever name you have used for your .mc file). Then use the command make install restart, which will copy the file to sendmail.cf, and will properly restart sendmail . For more information about this process, you should refer to /etc/mail/Makefile.

If all has gone correctly, you should be able to enter your login information into the mail client and send a test message. For further investigation, set the LogLevel of sendmail to 13 and watch /var/log/maillog for any errors.

You may wish to add the following lines to /etc/rc.conf so this service will be available after every system boot:

sasl_pwcheck_enable="YES"

sasl_pwcheck_program="/usr/local/sbin/pwcheck"

This will ensure the initialization of SMTP_AUTH upon system boot.

For more information, please see the sendmail page regarding SMTP authentication.

CategoryHandbook

CategoryHandbook-email

Site copyright © 2003-2009