Sendmail SMTP AUTH HOWTO 

http://www.simpaticus.com/linux/howto/html-single/Sendmail-SMTP-AUTH-HOWTO.html

Rodolfo J. Paiz

rpaiz AT simpaticus DOT com
Guatemala City, Guatemala

Revision History

Revision 0.3 2003-11-11 Revised by: RJP
Corrected several errors and made minor additions to the text. Also added Fedora Core 1 as a supported operating system.

Revision 0.2 2003-10-25 Revised by: RJP
Converted HTML output to use the LDP stylesheet, which I much prefer aesthetically. Made some minor changes to the text.

Revision 0.1 2003-10-20 Revised by: RJP
First draft translated into SGML. Made available in several formats (SGML, HTML single- and multiple-page, and PDF).

This is a very brief document, detailing how to setup Sendmail on Red Hat Linux 7.x/8.0/9 or Fedora Core 1 to accept mail connections from the network and demand SMTP AUTH authentication when the sender wishes to relay a message (i.e. ask this machine to deliver a message to a user on some other machine or network).

This document does not yet cover the configuration and use of encrypted AUTH mechanisms such as CRAM-MD5. Instructions on how to accomplish this will be added at some later date.

1. Introduction 

Back in prehistoric times (about five years ago), most SMTP mail servers on the open Internet would accept connections from anyone, sending mail to anyone else, without knowing for sure or verifying the sender's identity in any way. Now that SPAM (unsolicited commercial email) is such a huge problem, an administrator's failure to lock down a mail server will surely result in being found by spammers and abused heavily. I have actually seen a big spammer attempt to relay over ten million messages through a vulnerable server in just a few hours, destroying the victim's server, network connection, and customer service.

Two major mechanisms were created to stop unauthorized relaying: SMTP AUTH, which is an IETF standard, and POP-before-SMTP, which is not. However, SMTP AUTH required that mail clients such as Outlook and Eudora be rewritten to support the new standard, whereas POP-before-SMTP could be implemented entirely on the server, so at first "PbS" was wildly popular. Today, every single mail client and every single mail server of which I am aware supports SMTP AUTH, and its far better design makes it the preferred choice.

[...]

2.3. Backing Up Your Critical Files 

Your key, critical, most important configuration file is sendmail.mc which is always located in /etc/mail. This file is human-readable, and it is the file which you will edit to make changes; so clearly, you want to make a copy of it before you make any changes. Depending on which operating system you are running, you may also have one or two files called sendmail.cf in /etc and /etc/mail. You also want to back these up.

The following command will look for all those files, and will make a backup of each of them if they exist by adding ".bak" to the end of the filename. Make sure you type this entire command on a single line, pressing the Enter key only when you are done.

[root@mailsrv mail]# for file in /etc/sendmail.cf /etc/mail/sendmail.cf /etc/mail/sendmail.mc ; do [ -f "$file" ] && cp "$file" "$file.bak" && echo "Backed up $file." ; done

Now that you know what operating system you are using (primarily to make sure that this document supports it), you have made sure that you are running the latest version of the m4, sendmail, and sendmail-cf packages, and you have backed up your configuration files, we can proceed. Remember that you can restore your previous configuration by copying a .bak file back to its original filename.

3. Instructions 

This section goes through what you need to do step by step. I hope you find it clear and easy to understand, but please note that it does not offer much in the way of comment or explanation. This is so that more advanced users can quickly follow the recipe without swimming through huge amounts of text, and so that explanations for beginners can be added afterwards with more detail.

  1. Remember that, although you may or may not be an expert, your users almost surely are not. Of all the popular Windows mail clients, only Eudora comes with SMTP AUTH activated in its default configuration. In particular, Outlook and Outlook Express (or anything by Microsoft) do not have this feature enabled out of the box. You will have to make sure that your users enable SMTP authentication, or else they will no longer be able to relay mail through this server!
  2. Make sure that you are logged in as root. If you logged in as another user and used the "su" command to become root, make sure that you typed "su -" to get the full login environment. The added space and the dash make sure that you get root's path and shell environment, not just the identity.
  3. Edit /etc/mail/sendmail.mc and look for the following three lines of text somewhere:

    define(`confAUTH_OPTIONS', `A')dnl
    dnlTRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    dnldefine(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

    Any or all of those lines may start with the letters "dnl". That means "delete through newline" and is sendmail's way of either ending a line or starting a comment. You need to eliminate the "dnl" at the start of the line in order to activate the functionality in these lines. When you're done, the three lines should look exactly like this:

    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

    Warning: Those are directed quotes. They are not single quotes, double quotes, or smart quotes. You type the left directed quote with the backtick (also known as the "accent grave" key by the French), and you type the right directed quote with the apostrophe.

  4. Find the line near the bottom that says:

    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

    This line does not begin with a "dnl", which means it is active. If you read it through, you will note the "Addr=127.0.0.1" text which tells Sendmail to listen for connections only on that IP address, also known as the loopback address. Since the loopback address is used to process connections to/from the same machine, this is the line that effectively tells Sendmail not to accept any connections from anywhere else.

    Since you're going through this document, you do want to allow other systems to connect to yours to send mail. To deactivate this line, you could delete it, but the safer way (in case you ever want to know what you did or temporarily lock out outside users) is to comment it out by adding a "dnl" at the beginning of the line.

    Remember, previously we removed "dnl" characters. In this case, we need to add them.

  5. Create and place your new sendmail.cf file using the following commands. Some of these operating systems require the file to be placed in /etc and others in /etc/mail, so for safety's sake place the file in both locations (it won't hurt you):

    [root@mailsrv etc]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
    [root@mailsrv etc]# cp /etc/mail/sendmail.cf /etc/sendmail.cf
  6. Verify that your system contains an /etc/pam.d/smtp file with the following contents:

    #%PAM-1.0
    auth       required     /lib/security/pam_stack.so service=system-auth
    account    required     /lib/security/pam_stack.so service=system-auth
  7. Verify that you have a /usr/lib/sasl/Sendmail.conf file with the following contents:

    pwcheck_method:pam
  8. Restart the sendmail service:

    [root@mailsrv mail]# service sendmail restart
  9. Test that authentication has in fact been enabled and that the server now accepts mail connections from the outside by issuing the following command (from another machine, of course!):

    [user@otherbox user]$ telnet mailsrv 25

    This will initiate a connection to the SMTP service on mailsrv, which is handled by Sendmail. If your sendmail daemon is now accepting network connections, you will see the following text:

    Trying 192.168.0.1...
    Connected to mailsrv.
    Escape character is '^]'.
    220 dude.com ESMTP Sendmail 8.11.6/8.11.6; Tue, 29 Jan 2002 07:24:49 -0600

    Carefully and without making mistakes, type in "ehlo localhost" and then press Enter. You will get back something similar to the following lines of text:

    250-dude.com Hello dude.com [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ONEX
    250-ETRN
    250-XUSR
    250-AUTH LOGIN PLAIN
    250 HELP

    If you see a line like the one above, saying "250-AUTH LOGIN PLAIN" or something similar, you have successfully set up unencrypted SMTP AUTH as a first step on the road to greater mail security. You can now simply type "quit" then press Enter to cancel this SMTP session.

  10. If you have previously allowed any relaying, whether by IP address or any other method, wait until very late at night to make sure you don't disrupt your users and then disable it. In your /etc/mail/access file, for example, make sure that you only allow relaying from localhost which is 127.0.0.1.
  11. Ensure that your /etc/mail/relay-domains file contains only your domains and the domains you host on this server; that is, only those domains which really have users on this server, and who will use this server to send all their mail.

    If you do not have an /etc/mail/relay-domains file, don't worry; simply create a blank text file with that name, and put all the domains you want in it, one domain per line.

  12. Ensure that your /etc/mail/sendmail.mc file does not enable relaying in funny forms like "accept unresolvable domains", "relay by domain", or any of that crap. An example (complete) sendmail.mc which is relay-safe is included here:

    divert(-1)
    dnl This is the sendmail macro config file. If you make changes to this file,
    dnl you need the sendmail-cf rpm installed and then have to generate a
    dnl new /etc/sendmail.cf by running the following command:
    dnl
    dnl        m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
    dnl
    include(`/usr/share/sendmail-cf/m4/cf.m4')
    VERSIONID(`linux setup for Red Hat Linux')dnl
    OSTYPE(`linux')
    define(`confDEF_USER_ID',``8:12'')dnl
    undefine(`UUCP_RELAY')dnl
    undefine(`BITNET_RELAY')dnl
    define(`confAUTO_REBUILD')dnl
    define(`confTO_CONNECT', `1m')dnl
    define(`confTRY_NULL_MX_LIST',true)dnl
    define(`confDONT_PROBE_INTERFACES',true)dnl
    define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
    define(`ALIAS_FILE', `/etc/aliases')dnl
    dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
    define(`UUCP_MAILER_MAX', `2000000')dnl
    define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
    define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    dnl define(`confTO_QUEUEWARN', `4h')dnl
    dnl define(`confTO_QUEUERETURN', `5d')dnl
    dnl define(`confQUEUE_LA', `12')dnl
    dnl define(`confREFUSE_LA', `18')dnl
    dnl FEATURE(delay_checks)dnl
    FEATURE(`no_default_msa',`dnl')dnl
    FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
    FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
    FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
    FEATURE(redirect)dnl
    FEATURE(always_add_domain)dnl
    FEATURE(use_cw_file)dnl
    FEATURE(use_ct_file)dnl
    FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
    FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
    FEATURE(`blacklist_recipients')dnl
    EXPOSED_USER(`root')dnl
    dnl Change sendmail to only listen on the loopback interface and
    dnl the internal network interface; never accept outside traffic.
    dnl Add "dnl" to both DAEMON_OPTIONS lines to accept mail from
    dnl all network interfaces.
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=192.168.0.1, Name=MTA')
    dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
    dnl       a kernel patch
    dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
    dnl We strongly recommend to comment this one out if you want to protect
    dnl yourself from spam. However, the laptop and users on computers that do
    dnl not have 24x7 DNS do need this.
    dnl FEATURE(`accept_unresolvable_domains')dnl
    dnl FEATURE(`relay_based_on_MX')dnl
    MAILER(smtp)dnl
    MAILER(procmail)dnl
    Cwlocalhost.localdomain
  13. Hover anxiously over the server for a couple of days and check for "Relaying denied" errors. Track them down aggressively, since most of them will be your own customers who didn't fix their mail clients when you told them to do so. Fix them now.
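The following Python script is an added example, not part of the original HOWTO and not a Sendmail tool. It scripts two of the manual checks in the recipe above: it audits a sendmail.mc text for the outcome of steps 3, 4 and 12 (the three AUTH lines active, the loopback-only DAEMON_OPTIONS line commented out, the relay-loosening FEATUREs commented out), and it reads the mechanisms from the "250-AUTH" line of an EHLO reply, which is what the telnet test in step 9 asks you to look for. The function names, the before/after sendmail.mc fragments and the shortened EHLO reply are constructed here for the example; the optional live check uses Python's standard smtplib against a host name you supply.

```python
"""Checks for the Sendmail SMTP AUTH recipe (added example, not from the HOWTO).

audit_sendmail_mc()  - steps 3, 4 and 12: AUTH lines active, loopback-only
                       DAEMON_OPTIONS and relay-loosening FEATUREs commented.
auth_mechanisms()    - step 9: mechanisms named in the 250-AUTH line of EHLO.
live_auth_mechanisms() - step 9 over the network, via the standard smtplib.
"""
import re
import smtplib
import sys

# Directives that must be active, exactly as the HOWTO's step 3 lists them.
REQUIRED_ACTIVE = [
    "define(`confAUTH_OPTIONS', `A')",
    "TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')",
    "define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')",
]

# Directives that must be commented out or absent (steps 4 and 12).
MUST_NOT_BE_ACTIVE = [
    "DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')",
    "FEATURE(`accept_unresolvable_domains')",
    "FEATURE(`relay_based_on_MX')",
]


def directive_state(mc_text, directive):
    """Return "active", "commented" or "missing" for one sendmail.mc line.

    A line is commented when it begins with "dnl", with or without a space
    (both forms appear in the HOWTO). The "dnl" that ends most lines is
    ignored when comparing the line against the directive.
    """
    for raw in mc_text.splitlines():
        line = raw.strip()
        commented = line.startswith("dnl")
        body = re.sub(r"^dnl\s*", "", line)
        body = re.sub(r"\s*dnl$", "", body).strip()
        if body == directive:
            return "commented" if commented else "active"
    return "missing"


def audit_sendmail_mc(mc_text):
    """Return a list of problems; an empty list means steps 3, 4 and 12 hold."""
    problems = []
    for directive in REQUIRED_ACTIVE:
        state = directive_state(mc_text, directive)
        if state != "active":
            problems.append(f"{state}: {directive}")
    for directive in MUST_NOT_BE_ACTIVE:
        if directive_state(mc_text, directive) == "active":
            problems.append(f"still active: {directive}")
    return problems


def auth_mechanisms(ehlo_reply):
    """Return the SASL mechanisms named in the 250-AUTH line, or [] if none."""
    for line in ehlo_reply.splitlines():
        match = re.match(r"250[- ]AUTH\s+(.+)", line.strip())
        if match:
            return match.group(1).split()
    return []


def live_auth_mechanisms(host, port=25, timeout=10):
    """Step 9 over the network: EHLO a server you administer and return the
    AUTH mechanisms it advertises (smtplib parses the 250- lines itself)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("localhost")
        return smtp.esmtp_features.get("auth", "").split()


# Constructed sendmail.mc fragments: before and after steps 3, 4 and 12.
BEFORE_MC = """\
define(`confAUTH_OPTIONS', `A')dnl
dnlTRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
FEATURE(`relay_based_on_MX')dnl
"""

AFTER_MC = """\
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
"""

# Shortened form of the EHLO reply shown in step 9 (constructed sample).
SAMPLE_EHLO = """\
250-dude.com Hello dude.com [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN PLAIN
250 HELP
"""

if __name__ == "__main__":
    print("before:", audit_sendmail_mc(BEFORE_MC))  # 4 problems
    print("after: ", audit_sendmail_mc(AFTER_MC))   # []
    print("sample EHLO advertises:", auth_mechanisms(SAMPLE_EHLO))
    if len(sys.argv) > 1:  # e.g. python check_auth.py mailsrv
        print(sys.argv[1], "advertises:", live_auth_mechanisms(sys.argv[1]))
```

Run it with no arguments to see the audit against the embedded before/after fragments; pass the host name of a server you administer to repeat step 9 over the network. An empty list from the live check means the server sent no 250-AUTH line at all, which is exactly the failure step 9 tells you to look for; an audit that reports "missing" for one of the three AUTH directives usually means the line was typed with the wrong kind of quotes, the mistake the warning under step 3 describes.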

documented on: 2004.06.20