Sendmail Config Authenticated SMTP: Difference between revisions
(Created page with "I made the following configuration: - Sendmail SMTP (listening on port 25 and SSL port 465) - Authentication through cyrus-sasl2 (listening on socket /var/state/saslauthd/mu...") |
|||
(9 intermediate revisions by 2 users not shown) | |||
Line 2: | Line 2: | ||
* Sendmail SMTP (listening on port 25 and SSL port 465)<br> | |||
* Authentication through cyrus-sasl2 (listening on socket /var/state/saslauthd/mux)<br> | |||
* Authentication through pam (with the pam_radius module)<br> | |||
* Authentication with FreeRadius (for now in the users file)<br> | |||
So for this configuration to work you need FreeRadius, pam_radius, Linux-PAM, cyrus-sasl2 and sendmail. | So for this configuration to work you need FreeRadius, pam_radius, Linux-PAM, cyrus-sasl2 and sendmail. | ||
Line 31: | Line 31: | ||
Unfortunately http://slackbuilds.org/mirror/slackware/slackware-13.37/extra/source/pam/pam.SlackBuild didn't work for me, so I built it myself with: | Unfortunately http://slackbuilds.org/mirror/slackware/slackware-13.37/extra/source/pam/pam.SlackBuild didn't work for me, so I built it myself with: | ||
<pre> | <pre> | ||
wget https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-1.1.5.tar.bz2 | wget --no-check-certificate https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-1.1.5.tar.bz2 | ||
tar -jxf Linux-PAM-1.1.5.tar. | tar -jxf Linux-PAM-1.1.5.tar.bz2 | ||
cd Linux-PAM-1.1.5 | cd Linux-PAM-1.1.5 | ||
./configure --disable-nis --disable-selinux --disable-nls --prefix=/usr | ./configure --disable-nis --disable-selinux --disable-nls --prefix=/usr | ||
Line 99: | Line 99: | ||
Just include --with-pam \ in the configuration line. | Just include --with-pam \ in the configuration line. | ||
After you start 'saslauthd -a pam', you can test the authentication with 'testsaslauthd -u user -p password -s Sendmail'. | |||
=Sendmail= | =Sendmail= | ||
Just adapt the sendmail-slackware-tls-sasl.mc a bit | Just adapt the sendmail-slackware-tls-sasl.mc a bit. It should contain at least something like: | ||
<pre> | |||
dnl# Allow SASL authentication/relaying: | |||
define(`confAUTH_OPTIONS', `A p y')dnl | |||
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl | |||
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl | |||
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl | |||
dnl# Daemon options after M= below that might need to be changed are: | |||
dnl# s (allow SSL, not only TLS) | |||
dnl# a (require authentication) | |||
DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=Esa')dnl | |||
LOCAL_CONFIG | |||
dnl# Do not allow the weak SSLv2: | |||
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL | |||
</pre> | |||
Create /etc/sasl2/Sendmail.conf with the following content: | |||
<pre> | <pre> | ||
pwcheck_method:saslauthd | pwcheck_method:saslauthd | ||
mech_list: PLAIN LOGIN | mech_list: PLAIN LOGIN | ||
</pre> | </pre> | ||
Oh, and you can not use CRAM-MD5 and/or DIGEST-MD5, because you'd need to be able to read the password in plaintext somewhere: http://www.phwinfo.com/forum/comp-mail-sendmail/527486-sendmail-cyrus-sasl-authentication-mystery.html |
Latest revision as of 15:12, 26 May 2014
I made the following configuration:
- Sendmail SMTP (listening on port 25 and SSL port 465)
- Authentication through cyrus-sasl2 (listening on socket /var/state/saslauthd/mux)
- Authentication through pam (with the pam_radius module)
- Authentication with FreeRadius (for now in the users file)
So for this configuration to work you need FreeRadius, pam_radius, Linux-PAM, cyrus-sasl2 and sendmail.
N.B.: I did this in my favourite distro Slackware. (13.37)
FreeRadius
I used the slackbuild from http://slackbuilds.org/repository/13.37/network/freeradius-server/
No problems there. And after installing added a testuser 'testuser' with password 'password' to /etc/raddb/users
Just to be sure it worked I started freeradius and tested the server by using
radtest testuser password 127.0.0.1 1812 testing123
You should get something like:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=131, length=20
PAM-Linux
Unfortunately http://slackbuilds.org/mirror/slackware/slackware-13.37/extra/source/pam/pam.SlackBuild didn't work for me, so I built it myself with:
wget --no-check-certificate https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-1.1.5.tar.bz2 tar -jxf Linux-PAM-1.1.5.tar.bz2 cd Linux-PAM-1.1.5 ./configure --disable-nis --disable-selinux --disable-nls --prefix=/usr make ; make install
pam_radius
Download from: http://freeradius.org/pam_radius_auth/
Install:
wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz tar -zxf pam_radius-1.3.17.tar.gz cd pam_radius-1.3.17 make cp -a pam_radius_auth.so /lib/security/
File /etc/raddb/server contains:
# pam_radius_auth configuration file. Copy to: /etc/raddb/server # # For proper security, this file SHOULD have permissions 0600, # that is readable by root, and NO ONE else. If anyone other than # root can read this file, then they can spoof responses from the server! # # There are 3 fields per line in this file. There may be multiple # lines. Blank lines or lines beginning with '#' are treated as # comments, and are ignored. The fields are: # # server[:port] secret [timeout] # # the port name or number is optional. The default port name is # "radius", and is looked up from /etc/services The timeout field is # optional. The default timeout is 3 seconds. # # If multiple RADIUS server lines exist, they are tried in order. The # first server to return success or failure causes the module to return # success or failure. Only if a server fails to response is it skipped, # and the next server in turn is used. # # The timeout field controls how many seconds the module waits before # deciding that the server has failed to respond. # # server[:port] shared_secret timeout (s) 127.0.0.1:1812 testing123 1 #other-server other-secret 3 # # having localhost in your radius configuration is a Good Thing. # # See the INSTALL file for pam.conf hints.
I also made a file called /etc/pam.d/other with the following content:
auth sufficient /lib/security/pam_radius_auth.so account sufficient /lib/security/pam_radius_auth.so
cyrus-sasl2
Unfortunately pam support has been excluded from the default cyrus-sasl2 package from slackware 13.37, because the pam package isn't included in slackware. That's why you need to rebuild it to include pam support. There's a slackbuild you can adapt at: http://slackbuilds.org/mirror/slackware/slackware-13.37/source/n/cyrus-sasl/
Just include --with-pam \ in the configuration line.
After you start 'saslauthd -a pam', you can test the authentication with 'testsaslauthd -u user -p password -s Sendmail'.
Sendmail
Just adapt the sendmail-slackware-tls-sasl.mc a bit. It should contain at least something like:
dnl# Allow SASL authentication/relaying: define(`confAUTH_OPTIONS', `A p y')dnl define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl TRUST_AUTH_MECH(`LOGIN PLAIN')dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl dnl# Daemon options after M= below that might need to be changed are: dnl# s (allow SSL, not only TLS) dnl# a (require authentication) DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=Esa')dnl LOCAL_CONFIG dnl# Do not allow the weak SSLv2: O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
Create /etc/sasl2/Sendmail.conf with the following content:
pwcheck_method:saslauthd mech_list: PLAIN LOGIN
Oh, and you can not use CRAM-MD5 and/or DIGEST-MD5, because you'd need to be able to read the password in plaintext somewhere: http://www.phwinfo.com/forum/comp-mail-sendmail/527486-sendmail-cyrus-sasl-authentication-mystery.html