Setting up SMTP AUTH under RedHat 7.3 (Linux)

I recently had to configure a Linux machine to require SMTP AUTH so that we could test a new product at Codonics. So I wanted to provide a little guidance and some insight that I gained while working on this task.

The requirement was “basic” SMTP AUTH… so PLAIN/LOGIN functionality, no need for TLS, and use the existing user accounts on the linux machine. Local email needs to still function (mail from cmd line) but anything from a “remote” user would require a username/password to be verified before allowing the machine to send the email.

Notes:
======
1) need to allow sendmail to talk to more than just localhost (allow network connections)
– firewall (open ports, or disable for testing)
– “dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA’)” line in the sendmail.mc instead of “DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA’)” …. adding the dnl in front of the command basically comments it out.

2) need to install from source (for our RedHat 7.3 machine, I used these versions):
– cyrus-sasl (v1.5.24)
– sendmail (8.11.6)
* these versions were selected because they matched the rpms/version that were already installed on machine. I needed to be rebuild to provide support for PLAIN and LOGIN AUTH methods… which I understand are not typically available via RPMs.

3) Important lines in the sendmail.mc:
————————————————————————————————
define(`confAUTH_OPTIONS’, `A’)dnl
TRUST_AUTH_MECH(`LOGIN PLAIN’)dnl
define(`confAUTH_MECHANISMS’, `LOGIN PLAIN’)dnl
————————————————————————————————
make sure that none of these have a dnl in front of them… that would cause them to be ignored (considered comments).

4) There needs to be a file: /usr/lib/sasl/Sendmail.conf (note the upper-case S in filename) with the following line (only line):
– “pwcheck_method: PAM”

5) Not sure if this is actually required, but during my travels, I found that I need the file /etc/sasldb to exist and it can only be read/writeable by root so:
– touch /etc/sasldb (to create it if necessary)
– chown root:root /etc/sasldb (to change it to owner/group root)
– chmod 600 /etc/sasldb (to ensure that only root user can read/write file)

6) I did confirm that these changes will only require AUTH on connections from external mail clients (doesn’t affect mail cmd-line on the host).

7) If you want to test via “telnet host 25” the sequence of events would be:
-> EHLO hostname (doesn’t matter what you use as hostname)
-> AUTH LOGIN
<- 334 VXNlcm5hbWU6 -> anNueWRlcg== (Base64 encoded username, ie: jsnyder thru the base64 encoder)
<- 334 UGFzc3dvcmQ6 -> dGVzdGluZw== (Base64 encoded password for username above)
<- 235 2.0.0 OK Authenticated (this is a good sign... no need to continue) -> QUIT

Useful commands:
==============
– m4 /etc/mail/sendmail.mc > /etc/sendmail.cf (converts the sendmail.mc file into the necessary sendmail.cf for sendmail to use)

– sendmail -d0.1 -bv root (shows if SASL support is available in sendmail in the list of “Compiled with:” items)

– sendmail -d0.20 -bv (shows location it is expecting sendmail.cf … “Def Conf file:” line).

– sendmail -O LogLevel=33 -bs (runs a quick instance of sendmail with logging turned up to level 33, and then you can enter “ehlo localhost” and it should give you back the options for the server… should include the line: “250-AUTH LOGIN PLAIN” when everything is configured correctly).

Helpful Links:
==========
http://www.jonfullmer.com/smtpauth/saslv1.html
http://www.linuxforums.org/forum/servers/5206-smtp-auth-sasl-sendmail-not-getting-along.html
http://linuxgazette.net/153/misc/lg/smtp_auth_problem.html
http://www.sendmail.org/~ca/email/cyrus/sysadmin.html
http://lists.freebsd.org/pipermail/freebsd-questions/2003-June/008118.html
http://www.sendmail.org/~ca/email/auth.html
http://www.joreybump.com/code/howto/smtpauth.html
http://linux.derkeiler.com/Mailing-Lists/Fedora/2006-06/msg03793.html

Sendmail downloads: ftp://ftp.sendmail.org/pub/sendmail/past-releases/

Base64 Encode/Decoder: http://www.motobit.com/util/base64-decoder-encoder.asp

Content of my “sendmail.mc” file for comparison:

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
dnl Uncomment and edit the following line if your mail needs to be sent out
dnl through an external mail server:
dnl define(`SMART_HOST',`smtp.your.provider')
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
define(`LOCAL_RELAY', `mail2.n1.codonics.com')
define(`MAIL_HUB', `mail2.n1.codonics.com.')
define(`SMART_HOST', `mail2.n1.codonics.com')
define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl The '-t' option will retry delivery if e.g. the user runs over his quota.
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Cwlocalhost.localdomain