| Current Path : /usr/local/share/doc/cyrus-sasl/ |
FreeBSD hs32.drive.ne.jp 9.1-RELEASE FreeBSD 9.1-RELEASE #1: Wed Jan 14 12:18:08 JST 2015 root@hs32.drive.ne.jp:/sys/amd64/compile/hs32 amd64 |
| Current File : //usr/local/share/doc/cyrus-sasl/Sendmail.README |
How to enable SMTP AUTH with FreeBSD default Sendmail
1) Add the following to /etc/make.conf:
# Add SMTP AUTH support to Sendmail
SENDMAIL_CFLAGS+= -I/usr/local/include/sasl1 -DSASL
SENDMAIL_LDFLAGS+= -L/usr/local/lib
SENDMAIL_LDADD+= -lsasl
NOTE: 1. Sendmail 8.10 - 8.11 needS -D_FFR_UNSAFE_SASL added
to SENDMAIL_CFLAGS, if you need the GroupReadableSASLFile option
Starting with Sendmail 8.12.4, you can also use the security/cyrus-sasl2
port. Then you will not need the SASL V1 port installed.
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
2) Rebuild FreeBSD (make buildworld, ...)
3) Make sure that the pwcheck_method is correct in Sendmail.conf.
Sendmail.conf (${PREFIX}/lib/sasl{,2}/Sendmail.conf) is created by
the cyrus-sasl and cyrus-sasl2 ports during installation. It may have
pwcheck_method set to either pwcheck (V1 only) or saslauthd (V1 & V2) by
default. Change this to what is appropriate for your site.
4) Add the following to your sendmail.mc file:
dnl The group needs to be mail in order to read the sasldb file
define(`confRUN_AS_USER',`root:mail')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')dnl
define(`confAUTH_MECHANISMS',`DIGEST-MD5 CRAM-MD5')dnl
dnl Use the following for Sendmail 8.12
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
dnl Use the following for Sendmail 8.10 - 8.11
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLFile')dnl
5) Add the following before FEATURE(msp) in your sendmail 8.12 submit.mc file:
DAEMON_OPTIONS(`Name=NoMTA, Addr=127.0.0.1, M=EA')dnl
This disables SMTP AUTH on the loopback interface. Otherwise you may get
the following error in the log:
error: safesasl(/usr/local/etc/sasldb) failed: Group readable file
when sending mail locally (seen when using pine locally on same server).
----
Additional AUTH Mechanisms are LOGIN, PLAIN, GSSAPI, and KERBEROS_V4.
These can be added to TRUST_AUTH_MECH and confAUTH_MECHANISMS as a space
seperated list. You may want to restrict LOGIN, and PLAIN authentication
methods for use with STARTTLS, as the password is not encrypted when
passed to sendmail.
LOGIN is required for Outlook Express users. "My server requires
authentication" needs to be checked in the accounts properties to
use SASL Authentication.
PLAIN is required for Netscape Communicator users. By default Netscape
Communicator will use SASL Authentication when sendmail is compiled with
SASL and will cause your users to enter their passwords each time they
retreive their mail (NS 4.7).
The DONT_BLAME_SENDMAIL option GroupReadableSASL[DB]File is needed when you
are using cyrus-imapd and sendmail on the same server that requires access
to the sasldb database.
----
To test Authentication with the sendmail server:
You'll need to install the following PERL ports:
converters/p5-MIME-Base64
security/p5-Digest-MD5
security/p5-Digest-HMAC
Then use one of the following procedures to test:
A. PLAIN Mech:
1. Create your Base64 encoded username/password.
#perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=
2. telnet to port 25 of your sendmail server
3. send "EHLO <client.host.name>"
a. check for "250-AUTH *" in the response
b. check that the PLAIN mech is listed.
4. Send "AUTH PLAIN <Base64 username/password>"
AUTH PLAIN dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=
you should now see the following response from the server:
235 Authentication successful
5. Type "QUIT" to close the telnet session to sendmail.
B. LOGIN Mech:
1. Create your Base64 encoded username and password.
#perl -MMIME::Base64 -e 'print encode_base64("username");'
dXNlcm5hbWU=
#perl -MMIME::Base64 -e 'print encode_base64("password");'
cGFzc3dvcmQ=
2. telnet to port 25 of your sendmail server
3. send "EHLO <client.host.name>"
a. check for "250-AUTH *" in the response
b. check that the LOGIN mech is listed.
4. Send "AUTH LOGIN", then the base64 encoded username and passwords.
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6 (base64 encoded "Username:")
C: dXNlcm5hbWU=
S: 334 UGFzc3dvcmQ6 (base64 encode "Password:")
C: cGFzc3dvcmQ=
S: 235 2.0.0 OK Authenticated
5. Type "QUIT" to close the telnet session to sendmail.
C. DIGEST-MD5 Mech:
1. telnet to port 25 of your sendmail server
2. send "EHLO <client.host.name>"
a. check for "250-AUTH *" in the response
b. check that the DIGEST-MD5 mech is listed.
3. Send "AUTH DIGEST-MD5"
C: AUTH DIGEST-MD5
S: 334 ?
4. Calculate the DIGEST-MD5 response (use another telnet, ssh, or X Window)
?
5. Send the DIGEST-MD5 response to the server.
C: ?
S: 235 2.0.0 OK Authenticated
6. Type "QUIT" to close the telnet session to sendmail.
D. CRAM-MD5 Mech:
1. telnet to port 25 of your sendmail server
2. send "EHLO <client.host.name>"
a. check for "250-AUTH *" in the response
b. check that the CRAM-MD5 mech is listed.
3. Send "AUTH CRAM-MD5"
C: AUTH CRAM-MD5
S: 334 PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+
(base64 encoded timestamp and hostname)
4. Calculate the CRAM-MD5 response (use another telnet, ssh, or X Window)
perl '-MDigest::HMAC_MD5 qw(hmac_md5 hmac_md5_hex)' -MMIME::Base64 \
-e 'print encode_base64("username " . hmac_md5_hex(decode_base64("<ticket>"),"password"));'
The "<ticket>" is the response received from the server in step 3.
(i.e. PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+)
Using the above ticket our CRAM-MD5 response is:
dXNlcm5hbWUgMDZkMGEzMjVmMDU0NjQ4NjQ2ZTA3MmNkNGZlYjE3YzQ=
5. Send the CRAM-MD5 response to the server.
C: dXNlcm5hbWUgMDZkMGEzMjVmMDU0NjQ4NjQ2ZTA3MmNkNGZlYjE3YzQ=
S: 235 2.0.0 OK Authenticated
6. Type "QUIT" to close the telnet session to sendmail.