AUTH is an SMTP protocol extension. It is defined in RFC 2554, SMTP Service Extension for Authentication. RFC 2554 outlines the negotiations that are used to select an authentication mechanism. The RFC describes three functions for the AUTH keyword:

The AUTH protocol relies on SASL ( the Simple Authentication and Security Layer (SASL) for the actual authentication. RFC 2222, Simple Authentication and Security Layer (SASL), describes the SASL framework and defines how protocols negotiate an authentication method. RFC 2222 identifies four authentication techniques:

Subsequently, several more authentication techniques have been added to the SASL framework. Some examples are:

sendmail does not contain implementations of the various authentication techniques. Instead, sendmail uses the techniques that are implemented and configured in SASL. For this to work, Cyrus SASL must be installed and properly configured on the sendmail system.

Cyrus SASL is implemented as a library. The SASL library standardizes the way in which applications interface with the authentication methods. Many Unix systems come with the SASL libraries preinstalled. Our sample Red Hat Linux system is a good example. Red Hat includes SASL as one of the standard RPMs. An rpm command can check whether it is installed, as in this example:

# rpm -qa cyrus-sasl
cyrus-sasl-1.5.24-25

If SASL is not installed on your system, check to see if it was delivered as part of your Unix software. If it was, install the copy of SASL provided by your Unix vendor. If it is not available from your vendor, go to http://asg.web.cmu.edu/cyrus/download/ or ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ to download the latest version of SASL. Information on SASL is available at http://asg.web.cmu.edu/sasl/.

After Cyrus SASL is installed, the specific authentication techniques must be configured before they can be used. To understand SASL configuration, you must understand SASL terminology. The Cyrus SASL documentation defines four special terms:^[1]

The userid and authid values cause the most confusion. To understand how SASL uses these two values, think of an /etc/passwd file with one entry for craig and another for kathy. In a normal login, when Kathy logs in to the kathy account, she is granted the permissions given to that account. With SASL, it is possible to set authid to kathy and userid to craig, which means that the kathy account password is required for authentication, but the permissions granted to the user are the permissions granted to the craig account.

Several of the strong authentication techniques available through SASL require the configuration of separate authentication services—KERBEROS_V4 and GSSAPI are good examples. This chapter focuses on the strong authentication techniques that can be implemented on a sendmail system without installing any software other than SASL. Two strong authentication techniques, DIGEST-MD5 and CRAM-MD5, are provided with the Cyrus SASL libraries. Both of these techniques can be easily configured for sendmail authentication.

DIGEST-MD5 and CRAM-MD5 are configured through the /etc/sasldb database. This is done using the saslpasswd commands. Use saslpasswd to enter the SASL authid and realm and the password that the connecting host will use during authentication. Recipe 7.1 provides an example of how this is done.

Because these are shared-secret authentication mechanisms, the connecting host must be configured with values that match those entered in the sasldb file on the receiving host. On sendmail 8.12 systems, these values are defined in an AuthInfo: entry. Normally this entry is placed in the access database, as described in Recipe Recipe 7.2. Optionally, an authinfo file can be used to hold the AUTH credentials, as described in Recipe 7.3.

# cat /usr/lib/sasl/Sendmail.conf
pwcheck_method:pam

sendmail can be configured to request optional processing from SASL for the AUTH protocol. The confAUTH_OPTIONS define can set several flags that affect the way that sendmail and SASL interact. These flag are listed in Table 7-1.

The A option controls when the AUTH= parameter is added to the envelope sender information on the SMTP Mail From: command line. The A option is used in Recipe 7.6, which demonstrates how the confAUTH_OPTIONS flag define is used.

The a option increases the checks SASL performs to detect active authentication attacks. SASL is used in a variety of situations. In some applications, higher security is worth the cost in increased processing and authentication delays. Normally, that is not the case for email. Mail hosts are authenticating to prevent spammers from relaying through your server. Spammers do not spend the time and money to launch active authentication attacks against servers that use strong authentication. When increased security is needed for an email connection, it is probably better to use transport layer security, as described in Chapter 8.

The c flag tells SASL to require client credentials when an authentication mechanism is used that supports client credentials. (Although it is not used inside of a SASL session, the TLS protocol, described in Chapter 8, is an example of a protocol that optionally permits the use of client credentials.) Don’t confuse client credentials with AUTH credentials. The AUTH credentials discussed in this chapter are the shared-secret and other AUTH values used for authentication. The DIGEST-MD5 and CRAM-MD5 authentication techniques used by sendmail require AUTH credentials without the c option.

The f option tells SASL to use forward security between sessions. This means that the shared-secret used for one session is not used in the next session. Some technique must be used to negotiate a new secret for each session. Of course this requires an authentication mechanism that can handle forward security. The authentication techniques commonly used by sendmail do not implement forward security; therefore, this flag is not normally used in sendmail configuration.

The three remaining options, d, p, and y, all limit the techniques that can be used for authentication. For example, specifying the p option blocks the use of the PLAIN and LOGIN techniques over an unsecured connection.

These flags pass information to SASL, changing the way that SASL serves sendmail. Values passed from SASL are also used inside sendmail.

sendmail uses the information provided by authentication. sendmail stores authentication data in several macros. The authentication macros are:

In addition to the authentication macros, the hostname and the IP address of the system at the other end of the mail transport connection are stored in macros, which can be useful information for authentication checks. The following values are stored in the macros:

sendmail also provides ruleset hooks that simplify the process of adding authentication checks. The primary hooks used with AUTH are:

In order to require strong authentication before granting special privileges, such as relaying, you have been asked to configure sendmail to offer AUTH authentication.

AUTH requires the SASL library. Configure the SASL authentication technique that you wish to use. See this chapter’s Introduction for information about the SASL library and where it can be obtained.

Use -d0.1 to check the sendmail compiler options. If the “Compiled with:” list displays SASL, restart sendmail to reload the freshly configured SASL libraries and you’re ready to run. If SASL is not included in the “Compiled with:” list, recompile sendmail as shown in Recipe 1.5.

There is no need to add m4 macros to the sendmail configuration to advertise basic AUTH mechanisms. Only a properly installed and configured SASL library and a copy of sendmail that has been compiled with SASL support are needed.

The SASL configuration is driven by which SASL authentication techniques are installed on your system and by which of those techniques are selected for use. Our sample Red Hat system was delivered with SASL preinstalled. Figure 7-1 shows the System Environment/Libraries window from an RPM management tool.

Figure 7-1. Observing the installed SASL libraries in Red Hat Linux

The figure shows the three SASL library modules that came with this Linux system. cyrus-sasl-1.5.24-25 is the basic SASL library. cyrus-sasl-plain-1.5.24-25 is the SASL plug-in that provides the PLAIN and LOGIN authentication techniques. cyrus-sasl-md5-1.5.24-25 is the plug-in that provides the CRAM-MD5 and DIGEST-MD5 SASL authentication techniques. Of these, only CRAM-MD5 and DIGEST-MD5 offer any real security.

The sendmail server will not advertise the DIGEST-MD5 and CRAM-MD5 techniques unless the file /etc/sasldb exists. sasldb stores the names and passwords used for MD5 authentication. The file is built by saslpasswd the first time it is used to create an SASL password. To authenticate a client with the sasldb, add the client’s name and password to the database. Assume we want to authenticate crab using MD5 and that we assign crab the password: It'sasecret!. The following command would accomplish this and make both CRAM-MD5 and DIGEST-MD5 available for sendmail authentication:

# saslpasswd -c -u wrotethebook.com crab
Password: It'sasecret!
Again (for verification): It'sasecret!

The -u argument defines the SASL realm. When creating an SASL account for AUTH authentication, always explicitly define the realm with the -u argument. The realm used on both endpoints must agree in order for authentication to succeed. Take control of this important information by explicitly defining the realm that both the server and the client should use. In the example, the realm is wrotethebook.com, which is the same as the local domain name. The string used to name the realm is arbitrary. It can be any value you choose. While the realm does not have to be a domain name, it usually is for the sake of simplicity.

The -c argument tells saslpasswd to create a new account. The account name, crab in the example, is placed at the end of the command line. saslpasswd then prompts for a password for the crab account. This password is the shared-secret key used for DIGEST-MD5 or CRAM-MD5 authentication.

After configuring SASL, the receiving host responds to the SMTP EHLO command by listing the available AUTH authentication techniques. A telnet test shows this:

# telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -
0400
ehlo localhost
250-chef.wrotethebook.com Hello IDENT:jlXFenYjCfmga11KxmpDxZFsKgljZB2/@localhost 
[127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
QUIT
221 2.0.0 chef.wrotethebook.com closing connection
Connection closed by foreign host.

The receiving host responds to the EHLO command with a list of the extended services that it supports. The 250-AUTH response shows that the host supports the AUTH protocol, and the response lists the specific authentication techniques that it supports. In the example, the server advertises DIGEST-MD5 and CRAM-MD5, meaning that SASL has been configured for CRAM-MD5 and DIGEST-MD5, and sendmail has been directed to advertise these authentication methods. Recipe 7.4 describes how to control which AUTH techniques are advertised by sendmail.

In the example above, the receiving system responds with 250-AUTH. If you have just configured the receiving system, and it doesn’t issue the 250-AUTH response, there are several things you can do to try to discover the problem. First, check the log to see if any security problems are logged. sendmail may have been unable to open a required file.

If basic logging doesn’t show the problem, increase the LogLevel to 13 and rerun the test shown above. (Recipe 1.10 provides an example of setting the sendmail LogLevel.) Examine the log again.

sendmail only advertises AUTH if some of the authentication mechanisms that it is configured to accept are available from SASL and properly configured. grep the log for the string mech=. The available mech= log entry lists the mechanisms that sendmail believes are offered by SASL. The allowed mech= entry lists the mechanisms that sendmail believes it is allowed to offer. sendmail only issues the 250-AUTH response if these lists share some common items. If the available mech= list identifies some mechanism, you can change the list of mechanisms that sendmail will accept using the confAUTH_MECHANISMS define described in Recipe Recipe 7.6.

If the available mech= list is empty, and the log contains either an error message from SASL that contains the string listmech=0 or the sendmail error message “AUTH warning: no mechanisms,” SASL is not properly installed and configured. SASL must be installed with authentication mechanisms, as noted earlier in the discussion of Figure 7-1. Make sure you download and properly install all of the required libraries.

If SASL is not complaining but sendmail is, perhaps sendmail is looking in the wrong place for SASL libraries. The path to SASL libraries can be set using the environment variable SASL_PATH by adding lines such as the following to the sendmail configuration:

LOCAL_CONFIG
ESASL_PATH=/usr/lib/sasl

Of course, this path is only an example. You would use the path value appropriate to your system.

Installing SASL, configuring the sasldb, and compiling sendmail with SASL support configures sendmail to accept only inbound AUTH connections. If the system must also send out mail using AUTH authentication, the configuration in Recipe 7.2 should be added to this recipe to create a complete configuration.

Recipe 7.4 and Recipe 7.5 provide related AUTH configuration examples. The sendmail book covers AUTH configuration in Section 10.9. See the sysadmin.html file in the SASL documentation directory for additional information about SASL configuration.

You have been asked to configure sendmail to use AUTH authentication when sending mail.

Make sure that the SASL libraries are installed and that sendmail is compiled with SASL support. See Recipe 1.5 and this chapter’s Introduction if your system lacks either of these necessary components.

Add the host’s authentication credentials to the access database using an AuthInfo: tag. Use the u: parameter to define the SASL authorization ID, the I: parameter to define the SASL authentication ID, the P: parameter to define the shared secret, the R: parameter to define the SASL realm, and the M: parameter to request an AUTH mechanism. Because the AuthInfo: entry contains a password written in clear text, it is important to make sure that the access database is only readable by root.

Create a sendmail configuration containing the access_db feature. Here is the required FEATURE macro:

dnl Use the access database for AUTH credentials
FEATURE(`access_db')

Following the instructions in Recipe 1.8, rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail, and restart sendmail.

To successfully authenticate, a host must be able to provide the receiving system with valid security credentials. These credentials are stored on the connecting host in the access database using the AuthInfo: tag. Here is an example of adding an AuthInfo: entry to the access database:

# cd /etc/mail
# cat >> access
               AuthInfo:chef.wrotethebook.com "U:crab" "I:crab" "P:It'sasecret!" "R:wrotethebook
.com" "M:DIGEST-MD5"
Ctrl-D
# makemap hash access < access
# chmod 600 access access.db

The components of this access database entry are, as follows:

The authentication values defined by the AuthInfo: entry on the sending system must agree with those defined on the receiving system by saslpasswd. If any one of the values does not agree, authentication fails with the following error message:

500 5.7.0 authentication failed

Send mail to the remote host to test the AUTH credentials. Call sendmail with the -v option in order to watch the protocol interactions. Here is a sample test:

$ sendmail -Am -v -t
               To: [email protected]
               From: [email protected]
               Subject: Test

               Please ignore.
Ctrl-D
[email protected]... Connecting to chef.wrotethebook.com. via esmtp...
220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Tue, 7 Jan 2003 13:25:58 -
0500
>>> EHLO crab.wrotethebook.com
250-chef.wrotethebook.com Hello IDENT:iE/rw7zeTz25z3Y8g3qLEbb5uGQ8RtyH@crab [192.168.
0.15], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP
>>> AUTH DIGEST-MD5 =
334 bm9uY2U9ImFZcjB6VERCSWNBYUpFTVhNWGg2THQ5VllPW1kNS1zZXNz
>>> dXNlcm5hbWU9ImNyYWlnIixyZWFsbT0id3JvdGV0aGVib29ryZmU3OTI3NzEzYTg5MGJjZQ==
334 cnNwYXV0aD0zYzMyMTc5YzhiMTQwYzQzNWJiNTgwOTZmOGZjYTQ4Mg==
>>>
235 2.0.0 OK Authenticated
>>> MAIL From:<[email protected]> SIZE=97 [email protected]
250 2.1.0 <[email protected]>... Sender ok
>>> RCPT To:<[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
>>> DATA
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 h07IPxt01997 Message accepted for delivery
[email protected]... Sent (h07IPxt01997 Message accepted for delivery)
Closing connection to chef.wrotethebook.com.
>>> QUIT
221 2.0.0 chef.wrotethebook.com closing connection

In addition to the -v option, this test invokes sendmail with -t and -Am. -t tells sendmail to obtain the recipient address from any To:, CC:, and Bcc: lines in the message. (In the example, we specified the recipient with a To: line in the message.) The first five lines after the sendmail command is our test message, which is terminated by a Ctrl-D end-of-file mark. The -Am option tells sendmail to run as an MTA, using the sendmail.cf configuration. If this option is not specified, sendmail runs as a message submission program (MSP), uses the submit.cf configuration, and displays the interaction between the user’s sendmail command and the local system. Because we want to watch the MTA interaction between our system and a remote system, we need to use the -Am option.^[2]

Every line after the Ctrl-D is output from sendmail. Output lines that start with >>> are SMTP commands coming from the sending system. Lines that start with a numeric response code come from the receiving system.

The local system sends an EHLO command. In response, the remote system displays the list of extended commands that it supports. One of these tells the local host that the remote system supports AUTH and that it offers two authentication techniques, DIGEST-MD5 and CRAM-MD5. The local host sends an AUTH command requesting the DIGEST-MD5 technique to authenticate the connection. The endpoints exchange MD5 challenges and responses, and the remote system displays the message:

235 2.0.0 OK Authenticated

After that message, the mail delivery proceeds normally. The only effect that the recipient might notice is the addition of the word “authenticated” to the mail’s Received: header, as shown below:

Received: from crab.wrotethebook.com
    (IDENT:iE/rw7zeTz25z3Y8g3qLEbb5uGQ8RtyH@crab [192.168.0.15])
        (authenticated)
        by chef.wrotethebook.com (8.12.9/8.12.9) with ESMTP id
    h07IPxt01997
        for <[email protected]>; Tue, 7 Jan 2003 13:25:59 -0500

The tests show that the AuthInfo: entry in the access database works and provides sendmail with the correct information to authenticate the local host to the remote host. However, versions of sendmail prior to sendmail 8.12 cannot store authentication information in the access database. On these older systems, AUTH security credentials are stored in a separate file. The file must be identified in the sendmail m4 configuration using the confDEF_AUTH_INFO define. For example, the following line added to the sendmail configuration tells sendmail that the SASL credentials are stored in a file named /etc/mail/default_auth_info:

define(`confDEF_AUTH_INFO', `/etc/mail/default_auth_info')

The confDEF_AUTH_INFO define is deprecated and should not be used with sendmail 8.12 or later versions of sendmail. In fact, it is ignored when added to a sendmail 8.12 configuration that also includes either the access_db feature or the authinfo feature.^[3] Versions of sendmail before 8.12, however, do use the confDEF_AUTH_INFO file and do not support the AuthInfo: tag for the access database. If you have an older version of sendmail, upgrade to the latest version as described in Chapter 1. You should only use the deprecated file if you have an old version of sendmail that you cannot upgrade. A sample /etc/mail/default_auth_info file created for the confDEF_AUTH_INFO define shown above might contain:

crab
crab
It'sasecret!
wrotethebook.com
DIGEST-MD5

The first line defines the authorization identity, which is equivalent to the U: value in the access database. The second line defines the authentication identity, which is equivalent to the I: value. The third line contains the password, which is the P: value in the access database. The fourth line defines the SASL realm, which is the access database R: value. The fifth line specifies the authentication mechanism that should be used, which is equivalent to the M: value in the access database. (This fifth line is only useful with sendmail versions starting with 8.12; prior versions of sendmail will ignore it.) The file pointed to by confDEF_AUTH_INFO contains only one set of credentials that are used for authentication with all remote systems—the access database permits you to define different credentials for each remote host. The access database is superior and should be used if at all possible.

This recipe configures AUTH for outbound connections. Recipe 7.1 configures inbound connections. Use saslpasswd as described in Recipe 7.1 to configure the passwords for systems that connect to your sendmail system. Use Authinfo: entries in the access database to configure the password your system uses when it connects to an external host. Combine these two recipes when your host both accepts inbound AUTH connections and makes outbound AUTH connections.

Recipe 7.3 provides an alternative way to configure AUTH credentials. Evaluate Recipe 7.3 before implementing this recipe. Recipe 1.5 covers compiling sendmail with SASL support. The access database is used and discussed in Chapter 3 and Chapter 6. The sendmail book covers the AuthInfo: tag in Section 10.9.3.2 and the confDEF_AUTH_INFO define in Section 24.9.27.

Security requirements make it necessary for you to store AUTH authentication credentials in a file separate from the access database.

Create the /etc/mail/authinfo file. Store the client’s authentication credentials in that file using the same AuthInfo: tag used in the access database. Make sure that the authinfo text file and database are not readable by anyone except root.

Add the authinfo feature to the sendmail configuration. Here are the lines that should be added to the sendmail configuration:

dnl Use the authinfo database for AUTH credentials
FEATURE(`authinfo')

Following the guidance of Recipe 1.8, rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail, and restart sendmail.

An alternative to defining the AUTH credentials in the access database is to define the credentials in a separate file named /etc/mail/authinfo. The primary reason for doing this is file security. AUTH passwords are stored in the access database and in the authinfo file as clear text. Because the access database holds a wide variety of information, there is a remote possibility that you might grant multiple users read access to that file. If, for some reason, you do grant users other than root read access to the access database, move the AuthInfo: entries from the access database to the authinfo file, and add the authinfo feature to the sendmail configuration. The authinfo feature simply tells sendmail to lookup authentication credentials in the authinfo database instead of in the access database. Here is an example of creating an authinfo file:

# cd /etc/mail
# cat > authinfo
               AuthInfo:chef.wrotethebook.com "U:crab" "I:crab" "P:It'sasecret!" "R:wrotethebook.
com" "M:DIGEST-MD5"
               Ctrl-D
# makemap hash authinfo < authinfo
# chmod 600 authinfo authinfo.db

Entries in the authinfo database are the standard AuthInfo: entries used in the access database. The entries have the same format and contain the same information. The Discussion section of Recipe 7.2 provides details of the AuthInfo: entry format.

Using this recipe’s configuration, run the sendmail -Am -v -t test shown in the Discussion of Recipe 7.2. Again the message:

235 2.0.0 OK Authenticated

is displayed, indicating that sendmail successfully authenticated the local host to the remote system without using the access database. You can prove the access database was not used with a simple sendmail -bt test:

# sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> /map access AuthInfo:rodent.wrotethebook.com
Map named "access" not found
> /map authinfo AuthInfo:rodent.wrotethebook.com
map_lookup: authinfo (AuthInfo:chef.wrotethebook.com) returns "U:crab" "I:crab" "P:
It'sasecret!" "R:wrotethebook.com" "M:DIGEST-MD5" (0)
> /quit

This test shows that the access database does not exist, yet the system was successfully authenticated. Clearly this is because the AuthInfo: entries are stored in the authinfo database. Of course, this is just an example. On a real system, you will have both the access database and the authinfo database. The only reasons to use the authinfo database are to separate the authentication data from the other data already stored in the access database and to secure that data so that the clear text passwords it contains cannot be easily read. In the example above, we were only able to read the authinfo database because we ran the sendmail -bt command as root.

This recipe assumes that the system has the necessary SASL support. If your system does not, see Introduction for information on obtaining the SASL libraries, and see Recipe 1.5 for information on recompiling sendmail with SASL support before attempting to implement this recipe.

Recipe 7.2 provides an alternative way to configure AUTH credentials, which should be evaluated before implementing this recipe. Recipe 7.2 also provides information about the format and content of AuthInfo: entries. Recipe 1.5 covers compiling sendmail with SASL support, and Chapter 1 provides general information about compiling sendmail. The sendmail book covers the AuthInfo: tag in Section 10.9.3.2 and the authinfo feature in Section 10.9.3.

Several different SASL authentication techniques are configured for various uses. You wish to control which authentication techniques are advertised for SMTP AUTH authentication.

Add the confAUTH_MECHANISMS define to the sendmail configuration. Use the define to list only those authentication techniques that you wish to advertise. Here is a sample confAUTH_MECHANISMS define that might be added to the sendmail configuration:

dnl Define the acceptable AUTH mechanisms
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5')

Build the new sendmail configuration file, copy it to /etc/mail/sendmail.cf, and restart sendmail, as described in Recipe 1.8.

The confAUTH_MECHANISMS define sets the values assigned to the sendmail.cf AuthMechanisms option. sendmail advertises any SASL authentication technique listed in the AuthMechanisms option that is configured and running on the local host. The AuthMechanisms comment in a basic sendmail.cf file shows the default list of authentication techniques used by sendmail:

$ grep AuthMechanisms generic-linux.cf
#O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5

By default, sendmail will advertise:

The receiving host advertises the available authentication techniques, but the connecting host selects the technique that will be used. Therein lies the problem. It is possible for the connecting host to select a technique that you really don’t want to use for SMTP authentication, unless you explicitly specify the advertised techniques using the confAUTH_MECHANISMS define. For example:

# telnet rodent smtp
Trying 192.168.0.3...
Connected to rodent.
Escape character is '^]'.
220 rodent.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -
0400
ehlo chef
250-rodent.wrotethebook.com Hello IDENT:/tNy4XlJuCgfwrxksOjP9e2Hm3dZuOiC@chef [192.
168.0.8], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250 HELP
quit
221 2.0.0 rodent.wrotethebook.com closing connection
Connection closed by foreign host.

This telnet test shows that rodent.wrotethebook.com advertises Kerberos 5 as a technique that can be used for SMTP authentication. If the connecting system is a Kerberos 5 client, it may choose this technique to authenticate itself, which is all well and good if the administrator of rodent really wants to use Kerberos 5 for SMTP authentication. If not, the confAUTH_MECHANISMS define shown in the Solution section can be used to limit the list of advertised authentication techniques. After installing that confAUTH_MECHANISMS define on rodent, it displays the following line in its EHLO response:

250-AUTH DIGEST-MD5 CRAM-MD5

The confAUTH_MECHANISMS define can also be used to increase the list of advertised authentication techniques. For example, the default SASL configuration on a Red Hat Linux system includes PLAIN and LOGIN as well as DIGEST-MD5 and CRAM-MD5. If the administrator of a Red Hat system placed the following confAUTH_MECHANISMS define in the sendmail configuration:

define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')

the server would display the following advertisement in its EHLO response:

250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN

In most cases, this is not a good thing to do. PLAIN and LOGIN are not secure authentication techniques, and they should not be used with sendmail over an unsecured link. PLAIN sends clear text passwords over the network—where they are vulnerable to snooping. LOGIN implements nonstandard, undocumented, and unsupported authentication techniques used by older, broken SMTP clients, and it also sends clear text passwords. These techniques should only be used if the link itself is encrypted to prevent password snooping.

Recipe 7.1 and Recipe 7.5 provide related AUTH configuration examples. The sendmail book covers AUTH configuration in Section 10.9 and the confAUTH_MECHANISMS define in 24.9.5.

You have been asked to configure a mail relay host that cannot rely on IP addresses or hostnames to grant relaying privileges.

Compile sendmail with AUTH support as described in Recipe 1.5. Install and configure SASL as described in the chapter Introduction and in Recipe 7.1.

Add the TRUST_AUTH_MECH macro to the sendmail configuration to list the authentication mechanisms trusted to authorize relaying. Here is a sample TRUST_AUTH_MECH macro that could be added to the sendmail configuration:

dnl List mechanisms trusted to authorize relaying
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')

Build the new sendmail configuration file, copy it to /etc/mail/sendmail.cf, and restart sendmail with the new configuration. See the example in Recipe 1.8.

AUTH authentication sets a variety of macros that can be examined by sendmail and used inside sendmail.cf rulesets. (Several of these macros are discussed in Introduction.) However, AUTH authentication does not grant special privileges. An authenticated host that is not granted relaying privileges by traditional means will have its mail rejected by sendmail if it attempts to relay mail. The following excerpt from an SMTP exchange shows this:

235 2.0.0 OK Authenticated
>>> MAIL From:<[email protected]> SIZE=96 [email protected]
250 2.1.0 <[email protected]>... Sender ok
>>> RCPT To:<[email protected]>
550 5.7.1 <[email protected]>... Relaying denied

The 235 response shows that the connecting host has been successfully authenticated. The 550 response shows that, regardless of authentication, the host is not granted relaying privileges.

Use the TRUST_AUTH_MECH macro to permit relaying by AUTH authenticated clients. The TRUST_AUTH_MECH macro adds the $={TrustAuthMech} class to the sendmail.cf file and defines the values for that class. The TRUST_AUTH_MECH example shown in the Solution section adds the following line to the sendmail.cf file:

C{TrustAuthMech}DIGEST-MD5 CRAM-MD5

The $={TrustAuthMech} class is used in the Rcpt_ok ruleset to authorize relaying. This test is added to the standard group of relaying tests. A host that is granted relaying privileges based on its IP address or hostname is allowed to relay even if it is not authenticated by AUTH. A host that would normally be denied relaying, however, is allowed to relay if it is authenticated by AUTH using one of the techniques listed in the $={TrustAuthMech} class.

The “Relaying denied” error shown at the start of this discussion occurred when chef attempted to relay mail addressed to crab through rodent. rodent is not configured to allow any relaying from external clients. After the TRUST_AUTH_MECH macro was added to the configuration on rodent, mail sent from chef to crab through rodent produced a different result, as the test below shows:

# sendmail -Cauth.cf -v -t
               To: [email protected]
               From: [email protected]
               Subject: Relay test with auth

               Please ignore.
Crtl-D
[email protected]... Connecting to rodent.wrotethebook.com. via relay...
220 rodent.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Wed, 8 Jan 2003 19:14:35 -
0500
>>> EHLO chef.wrotethebook.com
250-rodent.wrotethebook.com Hello IDENT:ntwzejGL8kWjSvERN8B101kmvotCXzx9@chef [192.
168.0.8], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250 HELP
>>> AUTH DIGEST-MD5 =
334 bm9uY2U9ImdScXZhVjVxYkpVdjJvU3FGWnR2UXJtR2hFhtPW1kNS1zZXNz
>>> dXNlcm5hbWU9ImNoZWYiLHJlYWxtPSJ3cm90ZXRoZWJvb2YWMwZDIxM2QyYmE2MTVmZjY5
334 cnNwYXV0aD0zNzg3ZGI3N2E0M2YyYzhhMDdkZGRiYjg5N2NjNDkxOQ==
>>>
235 2.0.0 OK Authenticated
>>> MAIL From:<[email protected]> SIZE=96 [email protected]
250 2.1.0 <[email protected]>... Sender ok
>>> RCPT To:<[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
>>> DATA
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 h090EZh01410 Message accepted for delivery
[email protected]... Sent (h090EZh01410 Message accepted for delivery)
Closing connection to rodent.wrotethebook.com.
>>> QUIT
221 2.0.0 rodent.wrotethebook.com closing connection

For this test, a special AUTH configuration was created on chef that defined rodent as the SMART_HOST relay. Without this special configuration, chef would just deliver the mail directly to crab—we want to test relaying through rodent.

In this case, chef is authenticated using the DIGEST-MD5 technique. This technique is listed in the $={TrustedAuthMech} class on rodent. Therefore, rodent accepts mail from chef for relaying.

Recipe 7.1 and Recipe 7.4 provide additional AUTH configuration examples. How relaying is controlled through the traditional means of IP address and hostname is covered in Chapter 3, and the SMART_HOST define is discussed in Recipe Recipe 3.2. The sendmail book covers AUTH configuration in Section 10.9 and the TRUST_AUTH_MECH macro in Section 10.9.3.

Because some broken SMTP implementations see the AUTH= parameter as a syntax error, you have decided to configure sendmail to add the AUTH= parameter to the MAIL From: line only when authentication succeeds.

If these steps have not yet been done, compile sendmail with AUTH support as described in Recipe 1.5, and install and configure SASL as described in the chapter Introduction and in Recipe 7.1.

Next, create the AUTH credentials for outbound connections, using either the techniques described in Recipe 7.2 or Recipe 7.3.

Add a confAUTH_OPTIONS define with the A flag set to the sendmail configuration. The required define is:

dnl Send AUTH= only when authenticated
define(`confAUTH_OPTIONS', `A')

Rebuild and install the new sendmail.cf file, and restart sendmail, as shown in Recipe 1.8.

Use the A option of the confAUTH_OPTIONS define to prevent sendmail from adding the AUTH= parameter to the envelope sender address when the local host has not been authenticated. sendmail does not send an AUTH= parameter to a remote system if that system does not advertise AUTH. But, by default, a sendmail system that is configured to support AUTH adds the AUTH= parameter to every mail message sent to a system that advertises AUTH, even if authentication fails, as this excerpt from an actual SMTP exchange shows:

500 5.7.0 authentication failed
>>> MAIL From:<[email protected]> SIZE=111 [email protected]
250 2.1.0 <[email protected]>... Sender ok

In fact, sendmail adds the AUTH= parameter to the MAIL From: line even if authentication is not attempted. If the remote host advertises AUTH, a sendmail host configured for AUTH always sends the AUTH= parameter. In the following test, rodent offers AUTH mechanisms not configured on chef. Therefore, chef does not attempt to authenticate, but because it is configured for other AUTH mechanisms, chef sends the AUTH= parameter:

# sendmail -Am -v -t
               To: [email protected]
               From: [email protected]
               Subject: Test yet again

               Ctrl-D
[email protected]... Connecting to rodent.wrotethebook.com. via esmtp...
220 rodent.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 10 Jan 2003 13:52:32 -
0500
>>> EHLO chef.wrotethebook.com
250-rodent.wrotethebook.com Hello IDENT:UZFl3RUw1vRsWKcZqcKAEudx69KnFn37@chef [192.
168.0.8], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP
>>> MAIL From:<[email protected]> SIZE=92 [email protected]
250 2.1.0 <[email protected]>... Sender ok
>>> RCPT To:<[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
>>> DATA
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 h0AIqW501445 Message accepted for delivery
[email protected]... Sent (h0AIqW501445 Message accepted for delivery)
Closing connection to rodent.wrotethebook.com.
>>> QUIT
221 2.0.0 rodent.wrotethebook.com closing connection

Setting the A option with the confAUTH_OPTIONS define changes this behavior: sendmail does not add the AUTH= parameter unless authentication succeeds. This excerpt shows that AUTH= is not added when authentication fails:

500 5.7.0 authentication failed
>>> MAIL From:<[email protected]> SIZE=111
250 2.1.0 <[email protected]>... Sender ok

However, if authentication succeeds, the AUTH= parameter is still added to the MAIL From: line, as this excerpt shows:

235 2.0.0 OK Authenticated
>>> MAIL From:<[email protected]> SIZE=111 [email protected]
250 2.1.0 <[email protected]>... Sender ok

The AUTH= parameter is propagated on to the next mail relay if the receiving host trusts the AUTH= parameter that it received from the connecting host. sendmail only trusts that parameter if the connecting host was authenticated. The trust_auth ruleset is passed the AUTH= parameter and determines whether this value should be trusted. You can modify the way that the server handles the AUTH= parameter by writing your own Local_trust_auth ruleset.

Recipe 7.2 and Recipe 7.3 provide additional information on configuring AUTH. The sendmail book covers the AUTH= parameter in Section 21.9.6 and the confAUTH_OPTIONS define in Section 24.9.6.

You have a system that is configured for both external encryption and SASL security. On those occasions when strong external encryption is in use, you want to avoid using AUTH encryption.

Create a sendmail configuration that sets the maximum amount of encryption with the confAUTH_MAX_BITS define. Set the maximum number of encryption bits to a value less than the number of bits used by the external encryption; for example, setting this define to 128 turns off AUTH encryption when the transport layer is already encrypted with TLS. The following lines added to the sendmail configuration turns off AUTH encryption when other encryption is used:

dnl Disable double encryption
define(`confAUTH_MAX_BITS', `128')

Build and install sendmail.cf, and then restart sendmail, as shown in Recipe 1.8.

This recipe assumes that AUTH is configured as described in Recipes Recipe 7.1 and Recipe 7.2 and that STARTTLS is configured as described in Chapter 8.

The confAUTH_MAX_BITS define creates the AuthMaxBits option in the sendmail.cf file and assigns a value to that option. For example:

O AuthMaxBits=128

This option tells sendmail that SASL encryption added to any existing encryption should not exceed 128-bits of encryption. Since any existing external encryption will provide at least 128-bits of encryption, this option turns off SASL encryption when the link is already encrypted.

Chapter 8 describes how TLS is used to encrypt the mail transport. When the link is encrypted by an external mechanism, such as TLS, there is no need to add a second layer of encryption with SASL. It is also possible to specify EXTERNAL on the list of advertised authentication techniques using the confAUTH_MECHANISMS define. Doing this avoids adding a second layer of unneeded authentication to a link that has been authenticated by an external protocol, such as TLS.

Recipe 7.4 covers the confAUTH_MECHANISMS define. The sendmail book covers confAUTH_MAX_BITS in Section 24.9.4.

You have an internal mail system that is not advertised to the outside world and never provides service to the outside world. You have been asked to configure that system to always require strong authentication from connecting hosts.

Create a basic AUTH configuration as described in Recipe 7.1 and Recipe 7.2.

Add to the sendmail configuration a DAEMON_OPTIONS macro that specifies the M=a modifier to require AUTH authentication. Adding the following lines requires AUTH for any connection on the SMTP port:

dnl Require AUTH for all incoming SMTP connections
DAEMON_OPTIONS(`Name=MTA, M=a')

Build the sendmail.cf file, copy it to /etc/mail/sendmail.cf, and restart sendmail. Use Recipe 1.8 as a guide.

Use the DAEMON_OPTIONS macro on systems running sendmail 8.12. Prior to sendmail 8.12, daemon port options were set using the confDAEMON_OPTIONS define. confDAEMON_OPTIONS is no longer valid. Attempting to use it with a current release of sendmail produces the following build error:

WARNING: confDAEMON_OPTIONS is no longer valid.
        Use DAEMON_OPTIONS(  ); see cf/README.

If you have an older version of sendmail that uses the confDAEMON_OPTIONS define, we recommend upgrading to a newer version of sendmail. The DAEMON_OPTIONS macro provides more configuration features.

The DAEMON_OPTIONS macro adds values to a sendmail.cf DaemonPortOptions statement or inserts a new DaemonPortOptions statement into the sendmail.cf file. A basic sendmail.cf configuration includes two DaemonPortOptions statements—one for the message submission agent (MSA) and one for the mail transfer agent (MTA). A grep of the generic-linux.cf file shows this:

# grep DaemonPortOptions generic-linux.cf
O DaemonPortOptions=Name=MTA
O DaemonPortOptions=Port=587, Name=MSA, M=E

The DAEMON_OPTIONS macro in the Solution section adds a modifier to the message transfer agent DaemonPortOptions statement, creating the following sendmail.cf command:

O DaemonPortOptions=Name=MTA, M=a

The fact that the MTA is being modified is made clear by the Name=MTA parameter. However, even if that parameter was not specified, the MTA would have been modified because the Port value defaults to smtp, which is the port used by the MTA. To add the a modifier to the MSA configuration, the default MSA configuration needs to be removed with the no_default_msa feature, and the DAEMON_OPTIONS macro needs to explicitly refer to the MSA. For example:

FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')

The key = value pairs of the DaemonPortOptions statement select optional characteristics for the sendmail daemon’s ports. key can be any of the following:

By default, a system configured as described in Recipe 7.1 offers authentication, but it does not require it. A simple telnet test of a system running the basic AUTH configuration from Recipe 7.1 shows this:

# telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -
0400
ehlo localhost
250-chef.wrotethebook.com Hello IDENT:QQqOd8VZzdwOiABzBr3HvETLtxcEaPg1@localhost 
[127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
MAIL From:<[email protected]>
250 2.1.0 <[email protected]>... Sender ok
RCPT TO:<[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
QUIT
221 2.0.0 chef.wrotethebook.com closing connection
Connection closed by foreign host.

The default configuration advertises the AUTH protocol, but it allows the mail connect to continue even though the connecting host does not authenticate itself. This is not just the default, it is also a requirement of the AUTH standard. If a mail system is advertised to the outside world, it cannot require authentication. Specifically, mail exchangers are forbidden to require authentication. The reason is simple. MX records advertise the mail exchanger as available for mail delivery. It cannot then refuse the mail for which it advertises.

Only mail hosts that are not advertised to the outside world are permitted to require authentication. An example of such a system might be a corporate mail relay located behind a firewall. This recipe could be used on such a system.

Rerunning the telnet test, after the DaemonPortOptions modifier is installed, shows the following result:

# telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -
0400
ehlo localhost
250-chef.wrotethebook.com Hello IDENT:DXXGyJYPz7FDqe1dqRJVCgvxLAaoFgWP@localhost 
[127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
MAIL From:<[email protected]>
530 5.7.0 Authentication required
QUIT
221 2.0.0 chef.wrotethebook.com closing connection
Connection closed by foreign host.

In this case, when the connecting host attempts to start a mail dialogue without authentication, an “Authentication required” error is issued.

The limitation of the DAEMON_OPTIONS macro is that it applies to all inbound connections. If more flexibility is required by your configuration, see Recipe 7.9.

Recipe 7.1 and Recipe 7.2 cover basic AUTH configuration. The sendmail book covers the DAEMON_OPTIONS macro in Section 24.9.24. See TCP/IP Network Administration, Third Edition, by Craig Hunt (O’Reilly), for information on well-known ports and the /etc/services file.

You have a mail host that cannot be configured to require strong authentication from every connecting host, yet you have been asked to configure that system to always require strong authentication from certain connecting hosts.

Make sure that the basic AUTH configuration requirements described in Recipe 7.1 are met.

Create Srv_Features: access database entries for all hosts that are required to authenticate using AUTH. The key field of each entry begins with the tag Srv_Features:, which is followed by the domain name, hostname, or IP address that identifies the system that is required to authenticate itself. The return value of each entry is the letter l.

Add the access_db feature to the sendmail configuration. Here is the required FEATURE macro:

dnl Enable the access database
FEATURE(`access_db')

Following the instructions in Recipe 1.8, rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail, and restart sendmail.

Srv_Features: access database entries allow you to control the extended features offered to the connecting host based on the domain name or IP address of the connecting host. The syntax of the Srv_Features: entry is:

Srv_Features:name     
               flags

Srv_Features: is the required tag. name is the name of the connecting host, which can be defined by a full or partial domain name or a full or partial IP address. A full domain name or IP address matches a single host. A partial domain name matches all hosts in that domain, and a partial IP address matches all hosts on the specified network. When the name field is blank, the entry applies to all inbound mail connections that do not have a more specific Srv_Features: match. The precedence of matches is from the longest (the most specific) to the shortest (the least specific).

The flags field is a list of one or more single-letter flags that indicate whether an extended service should be enabled or disabled for the specified connecting host. When the flags field contains more than one flag, the individual flags are separated by whitespace. A lowercase letter in the flags field enables an SMTP extension, and an uppercase letter disables the extension. All of the flags, except t, come in upper/lower case pairings. Table 7-2 lists the letters that enable and disable SMTP extensions.

The a/A flag and the l/L flag are the flags that relate directly to the AUTH protocol extension. In particular, this recipe uses the l flag to selectively require authentication. For example, assume that you want to require AUTH authentication from any host connecting from the dialin.wrotethebook.com domain. You could do that by adding the following entry to the access database:

Srv_Features:dialin.wrotethebook.com      l

Now, a connection attempt from any host in the dialin.wrotethebook.com domain is refused if the host does not authenticate. All other hosts, however, are still allowed to connect without authenticating because there are no other Srv_Features: entries in the access database that relate to AUTH authentication. AUTH is still advertised to all hosts, and any host that chooses to is allowed to authenticate because that is the default sendmail behavior. In the absence of an applicable Srv_Features: entry, the default sendmail behavior applies. This is exactly what we want for this recipe, but it can be more clearly documented in the access database by using two entries instead of the one shown above:

Srv_Features:dialin.wrotethebook.com      l
Srv_Features:                             L

In this case, authentication is still required from the hosts in the dialin.wrotethebook.com domain. But this time, we explicitly show that we do not require authentication from anyone else by using a Srv_Features: entry with a blank name field and an L flag.

This configuration could be taken a step further. Using the A flag in the second Srv_Features: entry would prevent sendmail from advertising AUTH to any hosts except those in the dialin.wrotethebook.com domain. Here is that variation:

Srv_Features:dialin.wrotethebook.com      l
Srv_Features:                             L A

In this case, hosts outside of the dialin.wrotethebook.com domain are not required to authenticate and are not even given a chance to do so.

Recipe 7.1 describes the basic configuration that needs to be done before this recipe is implemented. The sendmail book covers the Srv_Features: entry in Section 19.9.4.