
Sendmail: Implementing SMTP AUTH with SASL

John Cartwright | Published: 11th June 2001 | Originally published at netsys.com

Step-by-step instructions for adding SMTP AUTH support to Sendmail using the SASL library, including client setup and server-to-server authentication.

Introduction

This document clearly outlines the steps required to create a copy of Sendmail that implements the SMTP AUTH command (see RFC 2554), using the SASL library (see RFC 2222). This approach has been verified to work with a number of mail clients, including Microsoft Windows clients such as Outlook Express and Pegasus Mail.

Revision History:

2001-06-11 Initial Revision
2002-01-18 Added Sendmail 8.12.x/Solaris 8 information
2002-03-29 Added Server-Server AUTH information

Instructions

1. Download the latest version of Sendmail and the Cyrus SASL library

Available from:

ftp://ftp.sendmail.org/pub/sendmail/

ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/

2. Take backups before we start!

cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.old
cp /usr/lib/sendmail /usr/lib/sendmail.old

3. Build the SASL library and install it

gzip -cd cyrus-sasl.1.5.24.tar.gz | tar xvf -
cd cyrus-sasl.1.5.24
./configure --enable-login --prefix=/opt/local --includedir=/usr/include --libdir=/usr/lib --with-dbpath=/etc/mail/sasldb
make
make install
cd ..

(Updated: 2002-03-29) On Solaris 8 with GSSAPI/Kerberos, install Sun's supplemental encryption packages first; SASL needs libgssapi_krb5, libkrb5, libk5crypto and libcom_err. If you do not want Kerberos support, pass --disable-krb4 --disable-gssapi to configure. --enable-login builds the LOGIN mechanism, which Outlook Express needs; it is a weak mechanism, since the password travels in the clear (base64 is an encoding, not encryption). Install under /opt/local and symlink the SASL plugin directory to /usr/lib/sasl:

ln -s /opt/local/lib/sasl/ /usr/lib/sasl

4. Create your site.config.m4 file

gzip -cd sendmail.8.11.4.tar.gz | tar xvf -
cd sendmail.8.11.4
cp devtools/OS/SunOS.5.6 devtools/Site/site.config.m4

5. Add SASL support to Sendmail

vi devtools/Site/site.config.m4
Change confENVDEF to include -DSASL
Change confLIBS to include -lsasl
Add extra features like TCP Wrapper as needed

Example configuration for Solaris 2.6 with SASL and TCP Wrappers:

define(`confCC', `gcc')
define(`confLDOPTS_SO',`-G')
define(`confSONAME',`-h')
define(`confBEFORE', `sysexits.h')
define(`confMAPDEF', `-DNDBM -DNIS -DNISPLUS -DMAP_REGEX')
define(`confENVDEF', `-DSOLARIS=20600 -DTCPWRAPPERS -DSASL')
define(`confLIBS', `-lsocket -lnsl -lkstat -lwrap -lsasl')
define(`confMTLDOPTS', `-lpthread')
define(`confMBINDIR', `/usr/lib')
define(`confEBINDIR', `/usr/lib')
define(`confSBINGRP', `sys')
define(`confINSTALL', `${BUILDBIN}/install.sh')
define(`confDEPEND_TYPE', `CC-M')
PUSHDIVERT(3)
sysexits.h:
        if [ -r /usr/include/sysexits.h ]; 
        then 
                ln -s /usr/include/sysexits.h; 
        fi
POPDIVERT

Updated site.config.m4 examples are available for Sendmail 8.11.6 and 8.12.1 on Solaris 8, including SASL and optional procmail local delivery.

6. Compile Sendmail and verify SASL

cd sendmail
sh Build
cd ../obj.SunOS.5.6.sun4/sendmail/
./sendmail -d0.1 -bt < /dev/null

Look for SASL in the "Compiled with:" line of the output to confirm that it was compiled in.

7. Configure Sendmail

cd ../../cf/cf
cp generic-solaris2.mc myconfig.mc

Edit myconfig.mc and add the following two lines. The first selects the mechanisms Sendmail offers to clients; the second declares which of them are trusted, i.e. whose authenticated users may relay:

define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN')
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN')dnl

Then build the .cf file:

sh Build myconfig.cf

8. Test the new configuration

../../obj.SunOS.5.6.sun4/sendmail/sendmail -C myconfig.cf -bt -d0.15 < /dev/null
/etc/init.d/sendmail stop
cp myconfig.cf /etc/mail/sendmail.cf
cd ../../sendmail/
sh Build install
/etc/init.d/sendmail start

9. Create users and test SMTP AUTH

/opt/local/sbin/saslpasswd -u yourrealm test
/opt/local/sbin/sasldblistusers

10. Mail Client Configuration

Configure your client to authenticate using the username/realm from sasldblistusers and the password set with saslpasswd. Verify with test messages.
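To see what the mechanisms chosen in step 7 actually put on the wire when a client from step 10 logs in, here is an added example in Python (not part of the original article, and not Sendmail or Cyrus SASL code): it reads the AUTH line of an EHLO reply, flags the mechanisms that transmit the password itself, and builds the CRAM-MD5, PLAIN and LOGIN exchanges so the difference between them is visible. The EHLO reply, host names and the test/secret credentials are constructed; the CRAM-MD5 check value is the worked example from RFC 2195.

```python
import base64
import hashlib
import hmac

# Constructed EHLO reply, modelled on what a Sendmail built with SASL and the
# confAUTH_MECHANISMS line from step 7 would return (host names are examples).
SAMPLE_EHLO = (
    "250-mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you\n"
    "250-ENHANCEDSTATUSCODES\n"
    "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN\n"
    "250-8BITMIME\n"
    "250 HELP\n"
)

# Mechanisms that carry the password itself (base64 is an encoding, not encryption).
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}


def offered_auth_mechanisms(ehlo_reply):
    """Return the mechanisms listed on the 250-AUTH line of an EHLO reply."""
    for line in ehlo_reply.splitlines():
        # Continuation lines start "250-", the final line "250 "; drop that prefix.
        keyword = line[4:].strip()
        upper = keyword.upper()
        # Some servers write "AUTH=" (an old Microsoft form); accept both spellings.
        if upper.startswith("AUTH ") or upper.startswith("AUTH="):
            return keyword[5:].split()
    return []


def cleartext_mechanisms(mechs):
    """Subset of the offered mechanisms that reveal the password to anyone on the wire."""
    return [m for m in mechs if m.upper() in CLEARTEXT_MECHS]


def cram_md5_response(username, password, challenge):
    """RFC 2195 CRAM-MD5: the client answers "user hex(HMAC-MD5(password, challenge))".

    The password never leaves the client; only a keyed digest of the server's
    one-time challenge does, so a captured exchange cannot be replayed.
    """
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_wire(username, password, challenge_b64):
    """The CRAM-MD5 step as seen on the wire: decode the 334 challenge, encode the reply."""
    challenge = base64.b64decode(challenge_b64).decode()
    reply = cram_md5_response(username, password, challenge)
    return base64.b64encode(reply.encode()).decode()


def verify_cram_md5(password, challenge, reply):
    """Server side of CRAM-MD5: recompute the digest and compare in constant time."""
    username, _, digest = reply.partition(" ")
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def plain_token(username, password, authzid=""):
    """RFC 2595 PLAIN: authzid NUL username NUL password, sent as one base64 token."""
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode()).decode()


def login_exchange(username, password):
    """LOGIN: the server prompts "Username:" and "Password:", the client answers in base64."""
    return [
        ("S", "334 " + base64.b64encode(b"Username:").decode()),
        ("C", base64.b64encode(username.encode()).decode()),
        ("S", "334 " + base64.b64encode(b"Password:").decode()),
        ("C", base64.b64encode(password.encode()).decode()),
    ]


def decode_cleartext_token(token):
    """What anyone watching a LOGIN or PLAIN exchange recovers: the original text."""
    return base64.b64decode(token).decode()


if __name__ == "__main__":
    mechs = offered_auth_mechanisms(SAMPLE_EHLO)
    print("offered:", mechs, "cleartext:", cleartext_mechanisms(mechs))
    for side, msg in login_exchange("test", "secret"):
        print(side + ":", msg)
    print("CRAM-MD5:", cram_md5_response("test", "secret", "<12345.1@mail.example.org>"))
```

Run it to see why the article treats LOGIN as the weak option: the two client lines of the LOGIN exchange decode straight back to the user name and password, whereas the CRAM-MD5 reply is a digest of a challenge that is different every time. The same reasoning applies to the M: field of step 11: prefer DIGEST-MD5 or CRAM-MD5 between servers.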

11. Server-to-Server Authentication

A Sendmail host can also authenticate to another Sendmail host when it relays mail to it. On the receiving server (mailhub.foo.com here), create the account the relaying host will use, in the realm that the AuthInfo record below names:

/opt/local/sbin/saslpasswd -u foo mailrelay

On the relaying server, enable the authinfo feature in its .mc file:

FEATURE(`authinfo',`btree -T<TMPF> /etc/mail/authinfo')

and add a record for the destination host to /etc/mail/authinfo, giving the user (U:), authentication identity (I:), password (P:), realm (R:) and mechanism (M:) to use. The file holds the password in the clear, so it must be readable by root only:

AuthInfo:mailhub.foo.com "U:mailrelay" "I:mailrelay" "P:secret" "R:foo" "M:DIGEST-MD5"
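Because /etc/mail/authinfo stores a relay password in the clear, it is worth checking the file before building the map from it. The following added example in Python (not from the article or from sendmail) parses AuthInfo records in the format shown above into their U:/I:/P:/R:/M: fields, checks that each record has an identity and a password, flags records whose M: field names a cleartext mechanism, and checks that the file is not readable by group or other. The sample file and its hosts and secrets are constructed; the field meanings follow sendmail's cf/README.

```python
import os
import shlex
import stat
import tempfile

# Field tags of an AuthInfo record, as documented in sendmail's cf/README.
FIELD_NAMES = {"U": "user", "I": "authid", "P": "password", "R": "realm", "M": "mechanisms"}

# Constructed sample in the format of /etc/mail/authinfo (hosts and secrets are examples).
SAMPLE_AUTHINFO = (
    'AuthInfo:mailhub.foo.com "U:mailrelay" "I:mailrelay" "P:secret" "R:foo" "M:DIGEST-MD5"\n'
    "# second relay, deliberately weaker for the demonstration\n"
    'AuthInfo:backup.foo.com "U:mailrelay" "P:secret" "M:LOGIN"\n'
)


def parse_authinfo(text):
    """Parse AuthInfo records into {host: {field: value}}."""
    records = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        if not key.startswith("AuthInfo:"):
            raise ValueError(f"line {lineno}: key must start with AuthInfo:")
        host = key[len("AuthInfo:"):]
        fields = {}
        for token in shlex.split(rest):  # honours the double quotes around each field
            tag, sep, value = token.partition(":")
            if sep != ":" or tag not in FIELD_NAMES:
                raise ValueError(f"line {lineno}: unknown field {token!r}")
            fields[FIELD_NAMES[tag]] = value
        records[host] = fields
    return records


def check_record(host, fields):
    """Return a list of problems with one record (an empty list means it looks sound)."""
    problems = []
    if "user" not in fields and "authid" not in fields:
        problems.append(f"{host}: no U: or I: field, nothing to authenticate as")
    if "password" not in fields:
        problems.append(f"{host}: no P: field")
    for mech in fields.get("mechanisms", "").upper().split():
        if mech in ("LOGIN", "PLAIN"):
            problems.append(f"{host}: {mech} sends the password in the clear")
    return problems


def check_permissions(path):
    """The file holds cleartext passwords: it must not be readable by group or other."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path}: mode {mode:04o} is readable by group or other"]
    return []


def audit_authinfo(path):
    """Permission check first, then the per-record checks."""
    with open(path) as fh:
        text = fh.read()
    problems = check_permissions(path)
    for host, fields in parse_authinfo(text).items():
        problems.extend(check_record(host, fields))
    return problems


def demo(mode=0o600):
    """Write the sample file with the given mode, audit it, and remove it again."""
    fd, path = tempfile.mkstemp(prefix="authinfo-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_AUTHINFO)
        os.chmod(path, mode)
        return audit_authinfo(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for problem in demo(0o644):
        print(problem)
```

Once the source file passes, the map that the FEATURE line refers to is built from it with makemap (the usual sendmail procedure: makemap btree /etc/mail/authinfo < /etc/mail/authinfo), and the resulting .db file needs the same restrictive permissions as the source.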

12. Troubleshooting

Run the daemon with a high LogLevel and watch the mail log, check the permissions of the SASL database and the sendmail binary, and rebuild SASL if the authentication mechanisms you configured are not offered:

/usr/lib/sendmail -bd -OLogLevel=14
/opt/local/sbin/sasldblistusers
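With LogLevel raised, Sendmail writes one syslog line per authentication: on success a line of the form "AUTH=server, relay=..., authid=..., mech=..., bits=..." and on failure a line of the form "AUTH failure (MECH): ..., relay=...". The following added example in Python (not from the article or from sendmail) parses such lines and summarises them the way an operator troubleshooting step 9 or watching for abuse would want: counts of successes and failures, successful logins that used a cleartext mechanism, and relays with repeated failures. The sample lines are constructed after that layout; the exact wording of the failure reason is an assumption, and the hosts, user and PIDs are examples.

```python
import re
from collections import Counter

# Constructed syslog lines in the shape sendmail uses for SMTP AUTH events.
# The failure reason text is an assumption; hosts, user and PIDs are examples.
SAMPLE_LOG = """\
Jun 11 10:15:02 mailhost sendmail[1234]: AUTH=server, relay=client.example.org [192.0.2.10], authid=test, mech=CRAM-MD5, bits=0
Jun 11 10:15:40 mailhost sendmail[1240]: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[198.51.100.7]
Jun 11 10:15:41 mailhost sendmail[1241]: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[198.51.100.7]
Jun 11 10:15:42 mailhost sendmail[1242]: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[198.51.100.7]
Jun 11 10:16:05 mailhost sendmail[1250]: AUTH=server, relay=laptop.example.org [192.0.2.44], authid=test, mech=LOGIN, bits=0
Jun 11 10:16:07 mailhost sendmail[1250]: f5BEG5x01250: from=<test@example.org>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=laptop.example.org [192.0.2.44]
"""

# relay= may contain a space ("host [addr]"), so the fields are delimited by ", ".
SUCCESS_RE = re.compile(
    r"AUTH=server, relay=(?P<relay>.+?), authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+)"
)
FAILURE_RE = re.compile(
    r"AUTH failure \((?P<mech>[^)]+)\): (?P<reason>.*), relay=(?P<relay>.+)$"
)

CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}


def parse_auth_events(lines):
    """Extract AUTH successes and failures; unrelated log lines are ignored."""
    events = []
    for line in lines:
        match = SUCCESS_RE.search(line)
        if match:
            events.append({"result": "success", **match.groupdict()})
            continue
        match = FAILURE_RE.search(line)
        if match:
            events.append({"result": "failure", **match.groupdict()})
    return events


def summarize(lines, failure_threshold=3):
    """Counts, cleartext logins and relays that failed at least failure_threshold times."""
    events = parse_auth_events(lines)
    successes = [e for e in events if e["result"] == "success"]
    failures = [e for e in events if e["result"] == "failure"]
    failures_by_relay = Counter(e["relay"] for e in failures)
    return {
        "successes": len(successes),
        "failures": len(failures),
        # Logins that worked but put the password on the wire: candidates to move off LOGIN.
        "cleartext_successes": [
            (e["authid"], e["relay"]) for e in successes if e["mech"].upper() in CLEARTEXT_MECHS
        ],
        # Relays with repeated failures: either a misconfigured client or a guessing attempt.
        "repeated_failures": sorted(
            relay for relay, n in failures_by_relay.items() if n >= failure_threshold
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

A single failure from a known client usually means the realm or password given in step 10 does not match what saslpasswd created; a run of failures from one address that never succeeds is what the repeated_failures list is for.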

Conclusion

SMTP AUTH allows a closed mail relay to operate while letting authenticated users send mail. This guide provides steps for installation, configuration, testing, and troubleshooting.

John Cartwright <johnc@grok.org.uk>