From: Mustafa Akgul (akgul@Bilkent.EDU.TR)
Date: Wed 26 Feb 2003 - 06:25:29 EET
Date: Tue, 25 Feb 2003 16:31:26 +0100
Message-ID: <103225161540.~INN-RMBa00150.comp-news@dl.ac.uk>
From: "Stefan Arts" <stefan@bit.nl>
Sender: "comp.mail.sendmail mail newsgroup" <server-daemon@dl.ac.uk>
To: "comp.mail.sendmail mail newsgroup" <comp-news@dl.ac.uk>
Subject: HOWTO: setup AUTH with sendmail and cyrus SASL
X-Article-Number: comp.mail.sendmail Msg # 86893
HOWTO: setup AUTH with sendmail and cyrus SASL
---------
Date: 25 feb 2003
Author: Stefan Arts, Holland.
This setup was tested on Linux Slackware 7.1 with default installations of sendmail 8.12.7 and Cyrus
1.5.28. It should work on all Linux distributions. Clients tested: Outlook Express 6/Windows XP.
This document is open source and may be published/distributed freely (can someone put this on a
webpage somewhere for me? I don't have one.)
---------
STEP 1: Install the Cyrus SASL (Simple Authentication and Security Layer) library:
1. Get the Cyrus SASL library from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-1.5.28.tar.gz
and unpack it.
2. Install Cyrus:
cd /usr/src/cyrus-sasl-1.5.28
./configure --enable-login
make
make install
ln -s /usr/local/lib/sasl /usr/lib/sasl
The LOGIN mechanism is necessary for Outlook Express. This default installation will install a few
methods (mechanisms) for authentication. For Outlook Express you need PLAIN and LOGIN. For other
clients, you may need other mechanisms, see also
http://www.sendmail.org/~ca/email/mel/SASL_ClientRef.html. If you want to setup other mechanisms,
check the docs that came with Cyrus.
3. Cyrus installs a library in /usr/local/lib (libsasl.so). Sendmail needs this, but sometimes fails
to load/find it. Check if /usr/local/lib is in /etc/ld.so.conf and type:
ldconfig
4. Create /usr/lib/sasl/Sendmail.conf with only one line:
pwcheck_method: sasldb
5. Create a user for SMTP login (the -u argument is the SASL realm; clients will log in as user@realm):
saslpasswd -u smtp.somewhere.com -c user
Example:
saslpasswd -u smtp.pc184.nl -c john
6. Set permissions for this password file:
chmod 600 /etc/sasldb
7. Next, type:
sasldblistusers
Output example:
root@server:/# sasldblistusers
user: john realm: smtp.pc184.nl mech: CRAM-MD5
user: john realm: smtp.pc184.nl mech: DIGEST-MD5
user: john realm: smtp.pc184.nl mech: PLAIN
This is good.
STEP 2: Sendmail AUTH setup:
1. Insert two lines in /usr/src/sendmail-8.12.7/devtools/Site/site.config.m4:
APPENDDEF(`confENVDEF', `-DSASL')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl')
2. Recompile sendmail:
cd /usr/src/sendmail-8.12.7
./Build -c
./Build install
3. Insert two lines in /usr/src/sendmail-8.12.7/cf/cf/sendmail.mc:
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
confAUTH_MECHANISMS lists the mechanisms sendmail advertises and accepts for authentication.
TRUST_AUTH_MECH lists the mechanisms whose successful authentication allows the client to relay.
Note that PLAIN and LOGIN only base64-encode the password, so on a connection without STARTTLS they
are effectively cleartext; sendmail 8.12 can restrict them to sessions with an active security layer
(TLS) via the `p' flag of confAUTH_OPTIONS, and this build has STARTTLS compiled in.
4. Regenerate sendmail.cf:
cd /usr/src/sendmail-8.12.7/cf/cf
./Build sendmail.cf
./Build install-cf
5. Test your setup:
/usr/sbin/sendmail -d0.1 -bp
-d0.1 prints the compile-time options and -bp only lists the queue, so nothing is delivered.
Check that SASL is built in. You should see something like:
root@server:/usr/local/lib# sendmail -d0.1
Version 8.12.7
Compiled with: DNSMAP LOG MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND
NETINET NETUNIX NEWDB PIPELINING SASL SCANF STARTTLS USERDB XDEBUG
...
6. Run sendmail as a daemon:
kill `head -1 /var/run/sendmail.pid`
/usr/sbin/sendmail -bd -q30m
7. Connect to the SMTP server:
telnet localhost 25
and issue an EHLO localhost. The line 250-AUTH LOGIN PLAIN .... must be in your output:
root@server:/usr/lib/sasl# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server.pc184.nl ESMTP Sendmail 8.12.7/8.12.7; Tue, 25 Feb 2003 14:37:57 +0100
EHLO localhost
250-server.pc184.nl Hello root@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
QUIT
221 2.0.0 server.pc184.nl closing connection
8. If everything is OK, remove all external relayers from relay-domains and/or the access map, so
that relaying is only possible after authentication, and restart sendmail.
STEP 3: Client setup:
1. Enable SMTP server authentication for your account.
2. Use this for your login:
user@host
password
Example: john@smtp.pc184.nl. The host part must be the realm exactly as shown by sasldblistusers.
3. Now send a mail to someone who is not a member of your mail server, because only then is relaying
actually exercised; a mail to a local user would be accepted without AUTH.
4. If it works, create users for all your clients with saslpasswd as used above.
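To check the EHLO reply from step 7 of STEP 2 and to build the AUTH strings for the user@realm login
described in this step, here is an added Python example; it is not part of Stefan's HOWTO. The EHLO
reply embedded in it is a constructed copy of the telnet transcript above; the user john, the realm
smtp.pc184.nl and the password "secret" are assumed values, and live_relay_test() is the only part
that needs the real server. The tokens it prints can be pasted into a telnet session after
"AUTH PLAIN" or at the two "AUTH LOGIN" prompts, and decode_auth_plain() shows why those mechanisms
should only be used after STARTTLS.

```python
import base64
import smtplib  # only used by live_relay_test(); everything else runs offline

# Constructed sample: the EHLO reply from the telnet session in the HOWTO,
# without the 220 banner, the EHLO command and the QUIT.
SAMPLE_EHLO = """250-server.pc184.nl Hello root@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP"""


def parse_ehlo(reply):
    """Map each advertised ESMTP extension keyword to its parameter list.

    The first 250 line is the greeting, not an extension, so it is skipped.
    '250-' marks a continuation line, '250 ' (with a space) the final line.
    """
    extensions = {}
    greeting_seen = False
    for line in reply.splitlines():
        if not line.startswith("250"):
            continue
        if not greeting_seen:
            greeting_seen = True
            continue
        words = line[4:].split()
        if words:
            extensions[words[0].upper()] = words[1:]
    return extensions


def missing_auth_mechs(reply, required=("LOGIN", "PLAIN")):
    """Return the required mechanisms absent from the AUTH line (empty list == OK).

    LOGIN and PLAIN are the two that Outlook Express needs according to the HOWTO.
    """
    offered = set(parse_ehlo(reply).get("AUTH", []))
    return [m for m in required if m not in offered]


def sasl_login_name(user, realm):
    """The login the client must send: user@realm, realm as shown by sasldblistusers."""
    return f"{user}@{realm}"


def auth_plain_token(user, realm, password):
    """Base64 of NUL authcid NUL password (empty authzid), sent after 'AUTH PLAIN'."""
    raw = b"\0" + sasl_login_name(user, realm).encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def auth_login_tokens(user, realm, password):
    """The two base64 answers an AUTH LOGIN client gives to the Username:/Password: prompts."""
    login = sasl_login_name(user, realm).encode()
    return (base64.b64encode(login).decode("ascii"),
            base64.b64encode(password.encode()).decode("ascii"))


def decode_auth_plain(token):
    """Recover (authzid, authcid, password) from a PLAIN token.

    Anyone sniffing the session can do exactly this: base64 is encoding, not
    encryption, which is why PLAIN/LOGIN belong behind STARTTLS.
    """
    authzid, authcid, password = base64.b64decode(token).split(b"\0")
    return authzid.decode(), authcid.decode(), password.decode()


def live_relay_test(host, user, realm, password, sender, recipient, port=25):
    """Authenticate and relay one message: the test from step 3 done with smtplib.

    Not exercised offline; it needs the sendmail server built in the HOWTO.
    STARTTLS is used when offered so the password does not cross the wire in the clear.
    """
    message = (f"From: {sender}\r\nTo: {recipient}\r\n"
               "Subject: sendmail AUTH relay test\r\n\r\nrelay test\r\n")
    with smtplib.SMTP(host, port) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()
        smtp.login(sasl_login_name(user, realm), password)
        smtp.sendmail(sender, [recipient], message)


if __name__ == "__main__":
    # Assumed credentials; the realm is the -u argument that was given to saslpasswd.
    user, realm, password = "john", "smtp.pc184.nl", "secret"
    print("missing mechanisms:", missing_auth_mechs(SAMPLE_EHLO) or "none")
    plain = auth_plain_token(user, realm, password)
    print("AUTH PLAIN", plain)
    name_b64, pw_b64 = auth_login_tokens(user, realm, password)
    print("AUTH LOGIN, then answer:", name_b64, "and", pw_b64)
    print("decoded back from the PLAIN token:", decode_auth_plain(plain))
```

Run it as-is to see the strings for the assumed account, or call live_relay_test() with your own
server, account and an external recipient; a 550 "relaying denied" after a successful AUTH means the
mechanism used is not listed in TRUST_AUTH_MECH.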
If you have problems, start sendmail with:
/usr/sbin/sendmail -O LogLevel=14 -X /var/log/sendmail.traffic -bd -q15m
and check your logfiles.
You can find more information on:
http://asg.web.cmu.edu/sasl/sasl-library.html
http://www.sendmail.org/~ca/email/auth.html
Now, that's it. I hope this document is useful and correct; don't mail me
for suggestions/corrections but please follow up to this post.
Stefan Arts
Internet Opleidingscentrum
Ede, Holland.