Pverha10: Created page with "I made the following configuration: * Sendmail SMTP (listening on port 25 and SSL port 465)
* Authentication through cyrus-sasl2 (listening on socket /var/state/saslauthd/mux)
* Authentication through pam (with the pam_radius module)
* Authentication with FreeRadius (for now in the users file)
So for this configuration to work you need FreeRadius, pam_radius, Linux-PAM, cyrus-sasl2 and sendmail. N.B.: I did this in my favourite distro Slackware. (13.3..."

2025-05-17T07:41:52Z

Created page with "I made the following configuration: * Sendmail SMTP (listening on port 25 and SSL port 465) * Authentication through cyrus-sasl2 (listening on socket /var/state/saslauthd/mux) * Authentication through pam (with the pam_radius module) * Authentication with FreeRadius (for now in the users file) So for this configuration to work you need FreeRadius, pam_radius, Linux-PAM, cyrus-sasl2 and sendmail. N.B.: I did this in my favourite distro Slackware. (13.3..."

New page

I made the following configuration:

* Sendmail SMTP (listening on port 25 and SSL port 465) 
* Authentication through cyrus-sasl2 (listening on socket /var/state/saslauthd/mux) 
* Authentication through pam (with the pam_radius module) 
* Authentication with FreeRadius (for now in the users file) 

So for this configuration to work you need FreeRadius, pam_radius, Linux-PAM, cyrus-sasl2 and sendmail.

N.B.: I did this in my favourite distro Slackware. (13.37)

=FreeRadius=

I used the slackbuild from http://slackbuilds.org/repository/13.37/network/freeradius-server/

No problems there.
And after installing added a testuser 'testuser' with password 'password' to /etc/raddb/users

Just to be sure it worked I started freeradius and tested the server by using
<pre>
radtest testuser password 127.0.0.1 1812 testing123
</pre>
You should get something like:
<pre>
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=131, length=20
</pre>

=PAM-Linux=

Unfortunately http://slackbuilds.org/mirror/slackware/slackware-13.37/extra/source/pam/pam.SlackBuild didn't work for me, so I built it myself with:
<pre>
wget --no-check-certificate https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-1.1.5.tar.bz2
tar -jxf Linux-PAM-1.1.5.tar.bz2
cd Linux-PAM-1.1.5
./configure --disable-nis --disable-selinux --disable-nls --prefix=/usr
make ; make install
</pre>

=pam_radius=
Download from: http://freeradius.org/pam_radius_auth/

Install:
<pre>
wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz
tar -zxf pam_radius-1.3.17.tar.gz
cd pam_radius-1.3.17
make
cp -a pam_radius_auth.so /lib/security/
</pre>

File /etc/raddb/server contains:
<pre>
# pam_radius_auth configuration file. Copy to: /etc/raddb/server
#
# For proper security, this file SHOULD have permissions 0600,
# that is readable by root, and NO ONE else. If anyone other than
# root can read this file, then they can spoof responses from the server!
#
# There are 3 fields per line in this file. There may be multiple
# lines. Blank lines or lines beginning with '#' are treated as
# comments, and are ignored. The fields are:
#
# server[:port] secret [timeout]
#
# the port name or number is optional. The default port name is
# "radius", and is looked up from /etc/services The timeout field is
# optional. The default timeout is 3 seconds.
#
# If multiple RADIUS server lines exist, they are tried in order. The
# first server to return success or failure causes the module to return
# success or failure. Only if a server fails to response is it skipped,
# and the next server in turn is used.
#
# The timeout field controls how many seconds the module waits before
# deciding that the server has failed to respond.
#
# server[:port] shared_secret timeout (s)
127.0.0.1:1812 testing123 1
#other-server other-secret 3

#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.
</pre>

I also made a file called /etc/pam.d/other with the following content:
<pre>
auth sufficient /lib/security/pam_radius_auth.so
account sufficient /lib/security/pam_radius_auth.so
</pre>

=cyrus-sasl2=

Unfortunately pam support has been excluded from the default cyrus-sasl2 package from slackware 13.37, because the pam package isn't included in slackware.
That's why you need to rebuild it to include pam support. There's a slackbuild you can adapt at:
http://slackbuilds.org/mirror/slackware/slackware-13.37/source/n/cyrus-sasl/

Just include --with-pam \ in the configuration line.

After you start 'saslauthd -a pam', you can test the authentication with 'testsaslauthd -u user -p password -s Sendmail'.

=Sendmail=
Just adapt the sendmail-slackware-tls-sasl.mc a bit. It should contain at least something like:
<pre>
dnl# Allow SASL authentication/relaying:
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl# Daemon options after M= below that might need to be changed are:
dnl# s (allow SSL, not only TLS)
dnl# a (require authentication)
DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=Esa')dnl
LOCAL_CONFIG
dnl# Do not allow the weak SSLv2:
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
</pre>

Create /etc/sasl2/Sendmail.conf with the following content:
<pre>
pwcheck_method:saslauthd
mech_list: PLAIN LOGIN
</pre>

Oh, and you can not use CRAM-MD5 and/or DIGEST-MD5, because you'd need to be able to read the password in plaintext somewhere: http://www.phwinfo.com/forum/comp-mail-sendmail/527486-sendmail-cyrus-sasl-authentication-mystery.html

Sendmail Config Authenticated SMTP - Revision history