Sendmail SMTP AUTH Quick Start
First published on July 7, 2004
Last updated on January 26, 2010
What follows are the steps I took to implement the policies we’ve established at work for our authenticated mail relay, currently running CentOS 5:
All inbound connections except those originating on the localhost must authenticate against our local password map. We rely on the Pluggable Authentication Modules (PAM), reached through saslauthd, rather than Kerberos or a SASL secrets database (sasldb) for authentication and authorization. saslauthd can only verify a cleartext password, so the only usable mechanisms are LOGIN and PLAIN, and the password itself travels over the wire; that is what the second rule exists to protect.
All inbound connections must be transported over an SSL/TLS (STARTTLS) session negotiated with a cipher key length of at least 128 bits.
There are two key elements in a sendmail.cf that will work as I intended: the authentication mechanisms and the SSL certificate paths. I'm not a sendmail guru, so I rely completely on the m4 macro mechanism for building my configuration. Here are the key bits that need to get pushed into /etc/mail/sendmail.mc. (If you're new to SSL, you might find my instructions for building a self-signed
dnl
dnl `A': put the AUTH= parameter on MAIL FROM only when authentication
dnl succeeded; `p': do not offer mechanisms that fall to passive
dnl sniffing (PLAIN/LOGIN) unless a security layer such as TLS is
dnl active; `y': no anonymous logins.
dnl
define(`confAUTH_OPTIONS', `A p y')dnl
dnl
dnl Offer PLAIN and LOGIN, and relay for any client that authenticates
dnl with one of them.
dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl
dnl Directory holding the certs of trusted certificate authorities
dnl (like VeriSign), the CA bundle, and our own cert. One PEM file
dnl holds both our certificate and its private key, so keep it owned
dnl by root and mode 0600: sendmail disables STARTTLS if it finds
dnl the key file "unsafe" (group- or world-readable).
dnl
define(`confCACERT_PATH',`/etc/pki/tls/certs')dnl
define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`localCERT', `/etc/pki/tls/certs/our-cert.pem')dnl
define(`confCLIENT_CERT',`localCERT')dnl
define(`confCLIENT_KEY',`localCERT')dnl
define(`confSERVER_CERT',`localCERT')dnl
define(`confSERVER_KEY',`localCERT')dnl
On CentOS 4 and 5 (and RHEL 4 and 5), you must install the cyrus-sasl-plain RPM; without it SASL has no plugin for LOGIN and PLAIN, and sendmail will not offer them no matter what confAUTH_MECHANISMS says.
For our purposes, sendmail absolutely must have an access map. It's almost always part of a standard configuration, but here's the macro just in case.
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
Once the macro file has been updated, regenerate sendmail.cf:
make sendmail.cf -C /etc/mail
The access map is what enforces the 128-bit-key policy. Our /etc/mail/access is quite simple. Mail originating on the local host is relayed, while everyone who connects via SSL (which is everyone) must negotiate a cipher of at least 128 bits. The bare TLS_Clt: key, with nothing after the colon, is the default entry and applies to every client that has no more specific TLS_Clt: entry of its own.
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
TLS_Clt: ENCR:128
Note: You may find that the TLS_Clt setting breaks your configuration, typically because some client submits mail without STARTTLS and is refused at MAIL FROM with an "encryption too weak" error. Deleting it probably won't hurt anything: the `p' in confAUTH_OPTIONS still keeps PLAIN and LOGIN off unencrypted links, though you do lose the minimum-key-length check.
After updating the text version of the access map, rebuild the binary version.
make access.db -C /etc/mail
sendmail is linked against version 2 of the Cyrus SASL libraries and relies on saslauthd to handle plaintext authentication. On CentOS systems, saslauthd's default mechanism is the local shadow password file (MECH=shadow). In our environment, however, I need to use PAM. Implementing the change is a simple matter of altering the MECH setting in saslauthd's startup configuration:
MECH=pam
# these two settings are the defaults
SOCKETDIR=/var/run/saslauthd
FLAGS=
CentOS’s sendmail package ships with a SASL configuration file, Sendmail.conf, that should work out of the box. It’s a one-liner.
Note: Over the years, Cyrus SASL has changed where it looks for Sendmail.conf. Historically, it looked in /usr/lib64/sasl2/ (64-bit systems). Newer versions, 32- and 64-bit systems alike, will look in
Also, you’ll want to make sure that saslauthd is started at boot time.
chkconfig saslauthd on
CentOS’s sendmail package also ships with a working PAM configuration, /etc/pam.d/smtp, but it’s worthwhile to double-check that it exists and contains the two requisite lines. This listing is from CentOS 5; the version included with CentOS 4 is slightly different.
#%PAM-1.0
auth include system-auth
account include system-auth
Start it up
With all those configuration files in place, all that’s left to do is start (or restart) the server software.
/sbin/service saslauthd start
/sbin/service sendmail start
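Once the relay is up, it is worth proving that the two policies actually hold rather than trusting the config. The script below is an added example, not something from the original post: it shows what an AUTH PLAIN credential looks like on the wire (which is why the `p' option and the TLS rule matter), judges a pair of EHLO replies against the policy (no AUTH before STARTTLS, PLAIN and LOGIN after it), switches the saslauthd MECH line as described above, and can probe a live server. It assumes the relay is mail.example.com on port 25, that nc(1), openssl(1) and base64(1) are installed, and that saslauthd's sysconfig file is /etc/sysconfig/saslauthd; the two EHLO replies embedded in it are constructed by hand, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: relay mail.example.com:25,
# nc(1), openssl(1), base64(1) present, saslauthd sysconfig at /etc/sysconfig/saslauthd.

# What an AUTH PLAIN client actually sends: base64 of "\0user\0password".
# Undoing it is one `base64 -d' away, hence the TLS requirement.
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the mechanism list from an EHLO reply read on stdin; prints nothing
# when AUTH is not advertised. sendmail emits both "250-AUTH LOGIN PLAIN" and
# the legacy "250-AUTH=LOGIN PLAIN"; either form is accepted.
ehlo_auth_mechs() {
    tr -d '\r' | sed -n 's/^250[ -]AUTH[ =]\(.*\)$/\1/p' | head -n 1
}

# Judge a pair of EHLO replies against the policy:
#   $1 = reply before STARTTLS: must not advertise AUTH at all
#   $2 = reply after STARTTLS:  must advertise both PLAIN and LOGIN
# Returns 0 when the relay complies, 1 otherwise.
check_policy() {
    clear_mechs=$(printf '%s\n' "$1" | ehlo_auth_mechs)
    tls_mechs=$(printf '%s\n' "$2" | ehlo_auth_mechs)
    if [ -n "$clear_mechs" ]; then
        echo "FAIL: AUTH [$clear_mechs] offered on an unencrypted link"
        return 1
    fi
    for mech in PLAIN LOGIN; do
        case " $tls_mechs " in
            *" $mech "*) ;;
            *) echo "FAIL: $mech not offered under TLS (got [$tls_mechs])"; return 1 ;;
        esac
    done
    echo "OK: AUTH [$tls_mechs] offered only under TLS"
    return 0
}

# Rewrite saslauthd's MECH line (shadow by default on CentOS) in place.
# $1 = new mechanism, $2 = sysconfig file. Prints the resulting MECH line.
set_saslauthd_mech() {
    file=${2:-/etc/sysconfig/saslauthd}
    sed "s/^MECH=.*/MECH=$1/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    grep '^MECH=' "$file"
}

# Live probe of a real relay: one cleartext EHLO via nc, then an EHLO sent
# inside the TLS session that openssl s_client negotiates with -starttls smtp.
probe_relay() {
    host=${1:-mail.example.com}
    clear=$(printf 'EHLO probe.example.com\r\nQUIT\r\n' | nc -w 5 "$host" 25)
    tls=$(printf 'EHLO probe.example.com\r\nQUIT\r\n' |
          openssl s_client -quiet -starttls smtp -connect "$host:25" 2>/dev/null)
    check_policy "$clear" "$tls"
}

# Constructed sample replies (not captured from a real server) for offline use.
CLEAR_EHLO='250-mail.example.com Hello probe.example.com [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-STARTTLS
250 HELP'
TLS_EHLO='250-mail.example.com Hello probe.example.com [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 HELP'

if [ "${1:-}" = "--live" ]; then
    probe_relay "$2"          # ./smtpauth-check.sh --live mail.example.com
else
    check_policy "$CLEAR_EHLO" "$TLS_EHLO"
fi
```

Run it with no arguments to exercise the offline checks, or with --live and a hostname to probe a real relay. Before involving sendmail at all, testsaslauthd -u alice -p secret -s smtp (shipped with cyrus-sasl) tells you whether saslauthd and /etc/pam.d/smtp accept a credential; if that fails, no amount of sendmail.mc tweaking will help. The probe only confirms what the server advertises; exercising the ENCR:128 rule needs a client that negotiates a sub-128-bit cipher (openssl s_client -cipher with a LOW cipher), which a modern OpenSSL build will no longer do.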
RFC 2554 defines SMTP AUTH (it has since been obsoleted by RFC 4954, which keeps the same AUTH command and mechanism negotiation).
SMTP AUTH in sendmail 8.10-8.13 is the more-or-less official HOWTO page on the subject from sendmail.org.
Falko Timme’s Sendmail-SMTP-AUTH-TLS-Howto and John Fullmer’s How to set up SMTP AUTH are more complete and include many more details than this document.