---------- Forwarded message ----------
Date: Fri, 28 Feb 2003 10:26:37 +0800
From: Alex Wan
To: comp.mail.sendmail@lists.cm.nu
Newsgroups: comp.mail.sendmail
Subject: Re: HOWTO: setup AUTH with sendmail and cyrus SASL

Stefan Arts wrote:
>HOWTO: setup AUTH with sendmail and cyrus SASL
>
>---------
>Date: 25 feb 2003
>Author: Stefan Arts, Holland.
>
>This setup was tested on Linux Slackware 7.1 with default installations of sendmail 8.12.7 and Cyrus
>1.5.28. It should work on all Linux distributions. Clients tested: Outlook Express 6/Windows XP.
>
>
>This document is open source and may be published/distributed freely (can someone put this on a
>webpage somewhere for me? I don't have one.)
>---------
>
>
>STEP 1: Install the Cyrus SASL (Simple Authentication and Security Layer) library:
>
>1. Get the Cyrus SASL library from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-1.5.28.tar.gz
>and unpack it.
>
>2. Install Cyrus:
>
>    cd /usr/src/cyrus-sasl-1.5.28
>    ./configure --enable-login
>    make
>    make install
>    ln -s /usr/local/lib/sasl /usr/lib/sasl
>
>The LOGIN mechanism is necessary for Outlook Express. This default installation will install a few
>methods (mechanisms) for authentication. For Outlook Express you need PLAIN and LOGIN. For other
>clients, you may need other mechanisms; see also
>http://www.sendmail.org/~ca/email/mel/SASL_ClientRef.html. If you want to set up other mechanisms,
>check the docs that came with Cyrus.
>
>3. Cyrus installs a library in /usr/local/lib (libsasl.so). Sendmail needs this, but sometimes fails
>to load/find it. Check if /usr/local/lib is in /etc/ld.so.conf and type:
>
>    ldconfig
>
>4. Create /usr/lib/sasl/Sendmail.conf with only one line:
>
>    pwcheck_method: sasldb
>
>5. Create a user for smtp login:
>
>    saslpasswd -u smtp.somewhere.com -c user
>
>Example:
>
>    saslpasswd -u smtp.pc184.nl -c john
>
>6. Set permissions for this password file:
>
>    chmod 600 /etc/sasldb
>
>7. Next, type:
>
>    sasldblistusers
>
>Output example:
>
>    root@server:/# sasldblistusers
>    user: john realm: smtp.pc184.nl mech: CRAM-MD5
>    user: john realm: smtp.pc184.nl mech: DIGEST-MD5
>    user: john realm: smtp.pc184.nl mech: PLAIN
>
>This is good.
>
>
>STEP 2: Sendmail AUTH setup:
>
>1. Insert two lines in the sendmail file /usr/src/sendmail-8.12.7/devtools/Site/site.config.m4:
>
>    APPENDDEF(`confENVDEF', `-DSASL')
>    APPENDDEF(`conf_sendmail_LIBS', `-lsasl')
>
>2. Recompile sendmail:
>
>    cd /usr/src/sendmail-8.12.7
>    ./Build -c
>    ./Build install
>
>3. Insert two lines in /usr/src/sendmail-8.12.7/cf/cf/sendmail.mc:
>
>    TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
>    define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
>
>The AUTH_MECHANISMS defines which mechanisms may be used for authentication. The TRUST_AUTH_MECH
>defines which mechanisms may be used for relaying.
>
>4. Regenerate sendmail.cf:
>
>    cd /usr/src/sendmail-8.12.7/cf/cf
>    ./Build sendmail.cf
>    ./Build install-cf
>
>5. Test your setup:
>
>    /usr/sbin/sendmail -d0.1 -bp
>
>Check if SASL is built in. You should see something like:
>
>    root@server:/usr/local/lib# sendmail -d0.1
>    Version 8.12.7
>     Compiled with: DNSMAP LOG MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND
>            NETINET NETUNIX NEWDB PIPELINING SASL SCANF STARTTLS USERDB XDEBUG
>    ...
>
>6. Run sendmail as a daemon:
>
>    kill `head -1 /var/run/sendmail.pid`
>    /usr/sbin/sendmail -bd -q30m
>
>7. Connect to the smtp server:
>
>    telnet localhost 25
>
>and issue an EHLO localhost. The line 250-AUTH LOGIN PLAIN .... must be in your output:
>
>    root@server:/usr/lib/sasl# telnet localhost 25
>    Trying 127.0.0.1...
>    Connected to localhost.
>    Escape character is '^]'.
>    220 server.pc184.nl ESMTP Sendmail 8.12.7/8.12.7; Tue, 25 Feb 2003 14:37:57 +0100
>    EHLO localhost
>    250-server.pc184.nl Hello root@localhost [127.0.0.1], pleased to meet you
>    250-ENHANCEDSTATUSCODES
>    250-PIPELINING
>    250-EXPN
>    250-VERB
>    250-8BITMIME
>    250-SIZE
>    250-DSN
>    250-ETRN
>    250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
>    250-STARTTLS
>    250-DELIVERBY
>    250 HELP
>    QUIT
>    221 2.0.0 server.pc184.nl closing connection
>
>8. If everything is ok, remove all external relayers from relay-domains and/or access_map and
>restart sendmail.
>
>
>STEP 3: Client setup:
>
>1. Enable smtp server authentication for your account.
>
>2. Use this for your login:
>
>    user@host
>    password
>
>Example: john@smtp.pc184.nl. The host must be the same as you see with sasldblistusers.
>
>3. Now send a mail to someone who is not a member of your mailserver. That's because you want to
>relay.
>
>4. If it works, create users for all your clients with saslpasswd as used above.
>
>
>If you have problems, start sendmail with:
>
>    /usr/sbin/sendmail -O LogLevel=14 -X /var/log/sendmail.traffic -bd -q15m
>
>and check your logfiles.
>
>
>
>You can find more information on:
>
>http://asg.web.cmu.edu/sasl/sasl-library.html
>http://www.sendmail.org/~ca/email/auth.html
>
>
>Now, that's it. I hope this document is useful and correct; don't mail me
>for suggestions/corrections but please follow up to this post.
>
>
>Stefan Arts
>Internet Opleidingscentrum
>Ede, Holland.

_______________________________________________
Comp.mail.sendmail mailing list
Comp.mail.sendmail@lists.cm.nu
http://www.cm.nu/cgi-bin/mailman/listinfo/comp.mail.sendmail