Hi all,
I know, it's normally a sendmail question (sendmail mailing list). But I don't want to subscribe just for this one question. I hope there are also many sendmail freaks here ;-)
Many thanks.
Now my problem.
We are running sendmail-8.13.8-8.el5 on a CentOS release 5.5 (Final) Box.
We have to set up relaying for a person who is connected to the internet with a dial-up connection. So every x days the IP and the hostname will change.
Is there a solution for how to set up /etc/mail/access to relay their emails permanently (maybe: FQDN from the 'mail from' domain, which is permanent - <ourdomain>.at?)
Configuring our access file with wildcards (IP: xxx.xxx.) is too insecure for us.
At the moment, after their IP has changed, I also have to change the access file.
Or is there another way to fix my problem?
pop3 before smtp (our client fetches their emails with POP3s) isn't an option for us.
many, many thanks Richard
Richard,
The safest way to do this is to enable and configure SMTP AUTH. This is based on SASL, and you'll need to yum list "*cyrus-sasl*" to see the packages you need. You can use plain text auth over starttls and the user can then authenticate with their username and password securely. If you don't use starttls, you'll need a more secure authorization mechanism.
This will allow the user to authenticate and relay mail no matter what IP address or network they are accessing your server from. Here's a link for more information.
http://www.sendmail.org/~ca/email/auth.html
Lonnie
On 09/11/2010 10:58 PM, Richard Gliebe wrote:
> We have to set up relaying for a person who is connected to the internet with a dial-up connection. So every x days the IP and the hostname will change.
> Is there a solution for how to set up /etc/mail/access to relay their emails permanently (maybe: FQDN from the 'mail from' domain, which is permanent - <ourdomain>.at?)
> Configuring our access file with wildcards (IP: xxx.xxx.) is too insecure for us.
> At the moment, after their IP has changed, I also have to change the access file.
> Or is there another way to fix my problem?
> pop3 before smtp (our client fetches their emails with POP3s) isn't an option for us.
> many, many thanks Richard
On 9/12/10 7:11 AM Lonnie Maynard wrote:
> Richard,
Hi Lonnie,
> The safest way to do this is to enable and configure SMTP AUTH. This is based on SASL, and you'll need to yum list "*cyrus-sasl*" to see the packages you need. You can use plain text auth over starttls and the user can then authenticate with their username and password securely. If you don't use starttls, you'll need a more secure authorization mechanism.
> This will allow the user to authenticate and relay mail no matter what IP address or network they are accessing your server from. Here's a link for more information.
many thanks for your reply.
OK. I've set up cyrus-sasl.
cyrus-sasl.x86_64 2.1.22-5.el5_4.3 installed
and created a new entry for one of our Users with "saslpasswd2".
[root@mail mail]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.ourdomain.at ESMTP Sendmail 8.13.8/8.13.8; Sun, 12 Sep 2010 07:41:14 +0200
ehlo localhost
250-mail.ourdomain.at Hello tfefw1.tfe.local [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
Now I need the right sendmail.cf entries for SASL-AUTH (we don't work with *.mc Files or similar. We directly edit the sendmail.cf files ;-)
many thanks Richard
On Sun, September 12, 2010 07:42, Richard Gliebe wrote:
> Now I need the right sendmail.cf entries for SASL-AUTH (we don't work with *.mc Files or similar. We directly edit the sendmail.cf files ;-)
I don't know if this is complete, but you could try the following:
# list of authentication mechanisms
O AuthMechanisms=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN

# Authentication realm
#O AuthRealm

# default authentication information for outgoing connections
#O DefaultAuthInfo=/etc/mail/default-auth-info

# SMTP AUTH flags
O AuthOptions=A p

# SMTP AUTH maximum encryption strength
#O AuthMaxBits
On 9/12/10 9:21 AM Giles Coochey wrote:
> I don't know if this is complete, but you could try the following:
> # list of authentication mechanisms
> O AuthMechanisms=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
> # Authentication realm
> #O AuthRealm
> # default authentication information for outgoing connections
> #O DefaultAuthInfo=/etc/mail/default-auth-info
> # SMTP AUTH flags
> O AuthOptions=A p
> # SMTP AUTH maximum encryption strength
> #O AuthMaxBits
Hi,
thanks,
I inserted into sendmail.cf and restarted sendmail.
'250-AUTH' still missing
[root@mail mail]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.tfe.at ESMTP Sendmail 8.13.8/8.13.8; Sun, 12 Sep 2010 09:29:40 +0200
ehlo localhost
250-mail.tfe.at Hello tfefw1.tfe.local [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
But when I try to send an email, the user still gets:
Relaying denied. Proper authentication required.
Before SASL, the user got only "Relaying denied"
In Outlook 2003, in the email preferences, authentication for SMTP is active.
"the outgoing server (SMTP) needs authentication - same entries as the incoming server"
Same UID and password on the outgoing and incoming server.
I love working on Sunday ;-(
many thanks Richard
> But when I try to send an email, the user still gets:
> Relaying denied. Proper authentication required.
> Before SASL, the user got only "Relaying denied"
> In Outlook 2003, in the email preferences, authentication for SMTP is active.
> "the outgoing server (SMTP) needs authentication - same entries as the incoming server"
> Same UID and password on the outgoing and incoming server.
> I love working on Sunday ;-(
Well, yes, my sendmail.cf is configured via sendmail.mc... which makes it pretty easy... there will be an authenticated handling process in sendmail.cf that sendmail.mc inserts automagically...
e.g.
# authenticated?
R$*			$: $1 $| $>"tls_client" $&{verify} $| MAIL
R$* $| $#$+		$#$2
R$* $| $*		$: $1

R<>			$@ <OK>			we MUST accept <> (RFC 1123)
R$+			$: <?> $1
R<?><$+>		$: <@> <$1>
R<?>$+			$: <@> <$1>
R$*			$: $&{daemon_flags} $| $1
R$* f $* $| <@> < $* @ $- >	$: < ? $&{client_name} > < $3 @ $4 >
R$* u $* $| <@> < $* >	$: <?> < $3 >
R$* $| $*		$: $2
On 9/12/10 10:28 AM Giles Coochey wrote:
> Well, yes, my sendmail.cf is configured via sendmail.mc... which makes it pretty easy...
OK, I returned to mc files.
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
restarted sendmail and checked sendmail.cf
Now, but I'm still missing the "250-AUTH". I think this will be my problem.
[root@mail mail]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.<ourdomain>.at ESMTP Sendmail 8.13.8/8.13.8; Sun, 12 Sep 2010 11:05:34 +0200
ehlo localhost
250-mail.<ourdomain>.at Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
saslauthd is running.
[root@mail mail]# ps -ef |grep -i sasl
root 29633 1 0 10:03 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29635 29633 0 10:03 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29636 29633 0 10:03 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29637 29633 0 10:03 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29638 29633 0 10:03 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
SASL is compiled in:
[root@mail mail]# sendmail -d0.1 < /dev/null
Version 8.13.8
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS TCPWRAPPERS USERDB USE_LDAP_INIT
it makes me stupid ....
many thanks Richard
On 9/12/10 11:13 AM Richard Gliebe wrote:
> restarted sendmail and checked sendmail.cf
> Now, but I'm still missing the "250-AUTH". I think this will be my problem.
Oh my god, I got it running ;-)
The problem was a missing user account on CentOS and my access file with:
[...]
Srv_Features: A
[...]
which means: Don't offer SMTP AUTH on this mx server!!!
thanks all and have a nice sunday ;-)
cheers Richard
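
Added example (not part of the original thread): a small Python check that ties together the two observations above, the EHLO reply with no 250-AUTH line and the access-map entry Srv_Features: A. It also flags PLAIN/LOGIN being offered without STARTTLS, the case Lonnie's reply warns about. The hostname mail.example.at, the sample access file and the function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the EHLO reply quoted in the thread.
EHLO_NO_AUTH = """\
250-mail.example.at Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
"""
# Constructed: the same reply once AUTH is offered (still no STARTTLS line).
EHLO_AUTH = EHLO_NO_AUTH.replace(
    "250 HELP", "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN\n250 HELP")
# Constructed access file; only the Srv_Features entry is from the thread.
ACCESS = "Connect:localhost  RELAY\nSrv_Features:  A\n"

def parse_ehlo(reply):
    """Map each advertised ESMTP keyword to its parameter list."""
    ext = {}
    for line in reply.splitlines()[1:]:  # line 0 is the greeting, not a keyword
        m = re.match(r"250[- ](\S+)(.*)", line)
        if m:
            ext[m.group(1).upper()] = m.group(2).split()
    return ext

def srv_features(access_text):
    """Return (client_key, flags) pairs; an empty key applies to every client."""
    pairs = []
    for line in access_text.splitlines():
        m = re.match(r"srv_features:(\S*)\s+([^#]+)", line.strip(), re.I)
        if m:
            pairs.append((m.group(1), "".join(m.group(2).split())))
    return pairs

def diagnose(reply, access_text=""):
    """List reasons why AUTH is absent, or offered in a risky way."""
    ext, findings = parse_ehlo(reply), []
    if "AUTH" not in ext:
        findings.append("AUTH not advertised")
        for key, flags in srv_features(access_text):
            if "A" in flags:  # uppercase A: do not offer AUTH
                findings.append(f"Srv_Features:{key} sets A, AUTH is suppressed")
    elif {"PLAIN", "LOGIN"} & set(ext["AUTH"]) and "STARTTLS" not in ext:
        findings.append("PLAIN/LOGIN offered without STARTTLS")
    return findings
```

Run against a saved EHLO reply and the contents of /etc/mail/access, diagnose() returns an empty list only when AUTH is advertised and any PLAIN/LOGIN offer is accompanied by STARTTLS.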