Hello ...never, Tuesday, March 12, 2002, 9:41:21 AM, you wrote:
ne> How do I make it possible to send mail from hosts that don't appear in
ne> /etc/mail/access with RELAY? Right now it just tells me "relaying denied" when
ne> I try to send from computers outside the LAN... but can't I tell sendmail to
ne> accept mail from any host for certain users? Or set up some kind of
ne> authentication... although, from what I know of the SMTP protocol, I don't
ne> have much of a chance... maybe you know a solution to my problem...

Maybe my attachment will help you... I don't remember where I saved it from, otherwise I'd have given you the link directly.

-- 
Best regards,
m                          mailto:[EMAIL PROTECTED]

-- HTML Attachment decoded to text by Listar --
-- File: sendmailauth.html

SMTP AUTH in sendmail 8.10-8.12

Last Update 2001-09-10

[Terminology[1]] [Installation[2]] [Configuration[3]] [Operation[4]] [Misc[5]]

Introduction

sendmail 8.10-8.12[6] support SMTP AUTH as defined in RFC 2554[7], which is based on SASL[8]. This document describes the necessary steps for installation and operation of this feature with sendmail 8.10[9] and later versions.

(2000-03-23) If you use sendmail 8.10.0 as a client for SMTP AUTH[10], please read the security warning[11].

Terminology

SASL defines two terms which are important in this context: authorization identifier and authentication identifier.

authorization identifier (userid)
    The userid is the identifier an application uses to check whether operations are allowed (authorized).

authentication identifier (authid)
    The authentication identifier is the identifier that is being used to authenticate the client. That is, the authentication credentials of the client contain the authentication identifier. This can be used for a proxy server to act as (proxy for) another user.

Installation

Cyrus SASL

Get, compile, and install cyrus-sasl[12] (current (2000-07-21) version: 1.5.24). Read the docs[13] which come with it (as well as README and INSTALL).
Make sure the libraries are installed in a location which sendmail[14] uses on your system by default. The libraries must be "safe", i.e., they should be owned by root and only writable by that user. As usual, the whole path must be safe too.

Next, create a configuration file[15] called Sendmail.conf if needed/wanted.

Create a sasldb password file using saslpasswd if you use any mechanism (CRAM-MD5, DIGEST-MD5, or PLAIN if pwcheck_method: sasldb[16] is used in the .conf file[17]) that requires it. BTW: sendmail requires sasldb[18] to be owned by root or the trusted user and not be readable by anyone else, since the file contains sensitive data (shared secrets, stored as such, not as one-way hashes). If there is a conflict with other applications that need to read it too, you can try a trick[19].

Compile sendmail

Compile sendmail[20] with the correct options, i.e., add

    APPENDDEF(`confENVDEF', `-DSASL')
    APPENDDEF(`conf_sendmail_LIBS', `-lsasl')

to your site.config.m4 (or OS specific) file in devtools/Site. You may need to set:

    APPENDDEF(`confLIBDIRS', `-L/PATH/TO/SASL/lib')
    APPENDDEF(`confINCDIRS', `-I/PATH/TO/SASL/include')

(obviously you have to replace /PATH/TO/SASL/ with the path on your system) if you haven't installed SASL in a location where the Build tool looks for include and library files. However, this may cause problems at runtime, since the SASL library is dynamically loaded, and most OSs don't load libraries from "unknown" locations, especially since sendmail[21] is usually setuid root (and hence LD_LIBRARY_PATH is ignored to avoid security problems).

If you have a SASL library version before 1.5.10, then you should upgrade. If you don't, you have to set the value of SASL to the version number of the SASL library you use, using a simple conversion: a.b.c -> c + b*100 + a*10000, e.g. 1.5.5 -> 10505:

    APPENDDEF(`confENVDEF', `-DSASL=10505')

Initial test

Run

    sendmail -d0.1 -bv root | grep SASL

and make sure SASL appears in the output.
Otherwise go back to compiling sendmail[22] and make sure your site.config.m4[23] is really used.

Start the sendmail[24] daemon, connect to it and see whether it comes up with 250-AUTH in the EHLO response:

    % telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost
    Escape character is '^]'.
    220 local.sendmail.ORG ESMTP Sendmail 8.10.0/8.10.0; Thu, 9 Sep 1999 10:48:44 -0700 (PDT)
    ehlo localhost
    250-local.sendmail.ORG Hello localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-DSN
    250-AUTH DIGEST-MD5 CRAM-MD5
    250 HELP
    quit

If it doesn't, check your logfile[25] for any security problems that are listed there (unsafe files). If this doesn't reveal any problems, increase the LogLevel to 13 and try again. Examples of problems in the logfile[26]:

* SASL error: listmech=0, num=0
  This means the SASL library didn't find any mechanisms. Check your SASL library configuration and installation. Are any libraries installed in /usr/lib/sasl (or wherever you told SASL to be installed)?
* The intersection of the list of available mechanisms and the list of allowed mechanisms[27] might be empty. Check the logfile[28] for entries that contain the text "available mech=..., allowed mech=...".

Try the example programs and the saslpasswd utility. Do the libraries in lib/sasl have the extension .so (HP-UX: .sl), or are there at least links for those files?

    -rw-r--r--  51240 Mar 11 20:28 libdigestmd5.a
    -rwxr-xr-x    894 Mar 11 20:28 libdigestmd5.la*
    lrwxr-xr-x     17 Mar 11 20:28 libdigestmd5.so@ -> libdigestmd5.so.0
    -rwxr-xr-x  56056 Mar 11 20:28 libdigestmd5.so.0*

If not, you may run a script to create the links[29]. You can also set the environment variable SASL_PATH, see the Cyrus SASL docs.
In sendmail, you can use

    LOCAL_CONFIG
    ESASL_PATH=/PATH/TO/lib/sasl

Some tips if authentication still fails:

* If you have installed a library or another SASL related file and sendmail doesn't seem to use it, do the following: make the file group writable (this makes it "unsafe" in sendmail's eyes, so sendmail must complain about it if it looks at the file at all) and start

      sendmail -O LogLevel=14 -bs
      EHLO localhost
      QUIT

  and then check the logfile[30]: it must have an error now for that file. If it doesn't, then your configuration is wrong (check your parameters for configure (SASL) and all the paths).
* If you want to use DIGEST-MD5 or CRAM-MD5 and it doesn't work despite the previous check, make sure that sasldb actually contains passwords for those mechanisms. This can be done by looking at its content (using strings or od -c) and checking that the names of those mechanisms appear in the file.
* If the authentication still doesn't succeed, check the dialogue[31] and use a base64 decoder (like ed64.c[32]) to get a clear text representation of it. It may give you some hints about what's going wrong.

Configuration

There are some options for the .cf (.mc[33]) file which you may want to change from their default values:

AuthMechanisms (confAUTH_MECHANISMS)
    defines the list of mechanisms which are offered at most for authentication. This list is intersected with the list of available (i.e., installed) mechanisms, and the result of the intersection is listed in the AUTH keyword value of the EHLO response.
    default: GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5

C{TrustAuthMech} (TRUST_AUTH_MECH())
    defines a list of mechanisms which are used to allow relaying[34].

DefaultAuthInfo (confDEF_AUTH_INFO)
    specifies a file in which the authorization identity, the authentication identity, the secret, and the realm to be used for authentication are stored. This file must be in a safe directory and unreadable by everyone except root (or TrustedUser). It is used when sendmail[35] acts as a client to authenticate itself to a server.
    Example:

        admin admin MySecretPassword example.domain

    Note: all data is case sensitive (usually) and the entire line is used in each case (including any white space!).
    Recommended filename: /etc/mail/default-auth-info

    Security Warning: sendmail 8.10.0 uses this data when sending e-mail and tries to authenticate against every server that offers SMTP AUTH. This may reveal the secret if the other side offers a plaintext authentication mechanism. Make sure the secret is not a real password used for an account somewhere. sendmail 8.10.1[36] minimizes this problem. sendmail 8.12[37] offers a significantly better way to specify the client authentication information. See cf/README for details, look in the section SMTP AUTHENTICATION.

DaemonPortOptions (DAEMON_OPTIONS())
    now has suboptions (called modifiers), one of which is `a'. This tells the daemon to require authentication for all connections to it. (Note that the example below uses only the `E' modifier, which disallows ETRN; add `a' to it if the MSA should accept authenticated connections only.)

Example for a .mc[38] file (listing only the part relevant for SMTP AUTH):

    TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5')dnl
    define(`confDEF_AUTH_INFO', `/etc/mail/auth/auth-info')dnl
    FEATURE(`no_default_msa')dnl turn off default entry for MSA
    DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')dnl

Operation

SMTP AUTH allows relaying for senders who have successfully authenticated themselves. By default, relaying is allowed for any user who authenticated via a trusted mechanism, i.e., one that is defined via

    TRUST_AUTH_MECH(`list of mechanisms')

This is useful for roaming users and can replace POP-before-SMTP[39] hacks if the MUA supports SMTP AUTH.

The ruleset trust_auth is used to decide whether the client's authentication identifier (authid[40]) is trusted to act as (proxy for) the requested authorization identity (userid[41]). The provided rules allow authid[42] to act for userid[43] if both are identical, and they disallow it if the authentication failed. The ruleset Local_trust_auth can be used to provide further tests.
As usual, it can either return the error mailer ($# error) to disallow proxying or $# OK to allow proxying.

New macros for SMTP AUTH are {auth_authen}, {auth_author}, and {auth_type}, which hold the client's authentication credentials (authid)[44], the authorization identity (userid)[45] (i.e., the AUTH= parameter of the MAIL command, if supplied), and the mechanism used for authentication.

Misc

MUA?

Now that sendmail[46] provides SMTP AUTHentication, you probably want a MUA that uses it. However, currently there are only a few clients (e.g., MUAs)[47] which support SASL. Many MUAs on Unix call sendmail[48] directly, so for roaming users it is sufficient if their sendmail[49] can authenticate itself against the mailserver[50].

Plain text authentication

Please don't use PLAIN or LOGIN as authentication mechanisms, unless a strong encryption layer, e.g., via STARTTLS[51] or an external SSL[52] tunnel, is active. Quoting RFC 2595[53]:

    6. PLAIN SASL mechanism

    Clear-text passwords are simple, interoperate with almost all existing operating system authentication databases, and are useful for a smooth transition to a more secure password-based authentication mechanism. The drawback is that they are unacceptable for use over an unencrypted network connection.

If you use it anyway, and you use Netscape as MUA, then in some cases you may want to turn it off; add

    user_pref("mail.auth_login", false);

to Netscape's preferences file.

Patches

Note: The current (2000-05-20) version of Cyrus SASL is 1.5.21. If you really want to use the LOGIN mechanism, then apply this patch[54]. See also the discussion of realms[55] for some enhancements.

Cyrus SASL 1.5.11 requires a patch for[56] PLAIN text authentication. This patch is unofficial and supplied by me, not by the authors of Cyrus SASL (but it has been submitted to them).

Version 1.5.10 requires a patch for plugins/digestmd5.c[57]. Note: This is already integrated in Cyrus SASL 1.5.15.
For those strange people who want to use products which don't adhere to standards, another plugin is available for LOGIN: plugins/login.c[58]. To compile it, you must patch the Makefile[59]. These patches come without any warranty. Don't ask me how to apply the patches or how to compile and install them. These patches have been written by Rainer Schoepf from the University of Mainz in Germany.

More Possible Problems

Realms can cause some problems[60] because they are not standardized for all mechanisms.

Interoperability Problems

Mercury 1.48 doesn't follow RFC 2554[61] and sends "330" instead of "334" as the continuation code. This is fixed in Mercury/32 according to Pegasus[62] tech support.

Security Layer

SASL[63] means Simple Authentication and Security Layer. sendmail 8.11[64] supports the security layer, while sendmail 8.10[65] only uses the authentication part. (The following applies to sendmail 8.10 only: since the code has been developed in a country which does not allow the export of some software, the security layer is not available in source form. Sendmail, Inc[66] sells a binary-only version which has support for encryption. They also sell a version[67] which supports SMTP STARTTLS[68].)

Warning: If you have a Cyrus SASL version older than 1.5.15, make sure you compile the plugins without any encryption, e.g., DIGEST-MD5 without DES etc. sendmail 8.10[69] does not support encryption within SASL. If the SASL plugins negotiate a security layer, sendmail 8.10[70] won't be able to talk to the other side once that side switches to the encrypted channel. This is a problem with Cyrus SASL, which doesn't obey the maximum security settings of sendmail[71]. You may want to apply a patch to plugins/digestmd5.c (1.5.13)[72].

Credits

The implementation of SMTP AUTH in sendmail 8.10 is based on a patch written by Tim Martin of CMU.
He and Larry Greenfield also provided valuable feedback during further development and integrated our patches or implemented features we requested.

----------------------------------------------------------------------------
[(links)[73]] [Hints[74]] [Avoiding UBE[75]] [cf/README[76]] [New[77]]

Copyright © Claus Aßmann[78]
Please send comments to: <[EMAIL PROTECTED]>[79]

Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me[80] if you find an error.

--- Links ---
 1 #authterm
 2 #authinst
 3 #authconf
 4 #authop
 5 #authmisc
 6 http://www.sendmail.org/
 7 ftp://ftp.isi.edu/in-notes/rfc2554.txt
 8 ftp://ftp.isi.edu/in-notes/rfc2222.txt
 9 http://www.sendmail.org/8.10.html
10 #DefaultAuthInfo
11 #authsecwarn1
12 ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
13 cyrus/sysadmin.html
14 http://www.sendmail.org/
15 cyrus/sysadmin.html#saslconf
16 authrealms.html#authpwcheck_method
17 cyrus/sysadmin.html#saslconf
18 auth.html#sasldb
19 tricks.html#FFR_UNSAFE_SASL
20 http://www.sendmail.org/
21 http://www.sendmail.org/
22 auth.html#authinstsendmail
23 auth.html#authsiteconfig
24 http://www.sendmail.org/
25 div.html#LOGFILE
26 div.html#LOGFILE
27 #AuthMechanisms
28 div.html#LOGFILE
29 prgs/crtln.sh
30 div.html#LOGFILE
31 authrealms.html#authexamples
32 prgs/ed64.c
33 http://www.sendmail.org/m4/basics.html
34 #authrelay
35 http://www.sendmail.org/
36 software.html#MTASM810
37 sm-812.html
38 http://www.sendmail.org/m4/basics.html
39 chk-rcpt5.html#POP
40 #authid
41 #userid
42 #authid
43 #userid
44 #authid
45 #userid
46 http://www.sendmail.org/
47 mel/SASL_ClientRef.html
48 http://www.sendmail.org/
49 http://www.sendmail.org/
50 #DefaultAuthInfo
51 starttls.html
52 http://www.openssl.org/
53 ftp://ftp.isi.edu/in-notes/rfc2595.txt
54 patches/cyrus-sasl-1.5.15-login.c.p1
55 authrealms.html
56 patches/cyrus-sasl-1.5.11-lib-checkpw.c.p1
57 patches/digestmd5.c.p10
58 patches/login.c
59 patches/patch.schoepf
60 authrealms.html
61 ftp://ftp.isi.edu/in-notes/rfc2554.txt
62 http://www.pmail.com/
63 ftp://ftp.isi.edu/in-notes/rfc2222.txt
64 http://www.sendmail.org/8.11.html
65 sm-810.html
66 http://www.Sendmail.COM/
67 http://www2.sendmail.com/products/secureswitch/
68 starttls.html
69 sm-810.html
70 sm-810.html
71 http://www.sendmail.org/
72 patches/digestmd5.c.p.ssf
73 misc.html
74 english.html
75 check.html
76 doc8.9/README.cf.html
77 new.html
78 ../index.html
79 mailto:c[EMAIL PROTECTED]
80 mailto:c[EMAIL PROTECTED]

---
Send e-mail to '[EMAIL PROTECTED]' with 'unsubscribe rlug' to unsubscribe from this list.
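The mechanism intersection that the attached page's Configuration section describes for AuthMechanisms (and whose empty result is the "available mech=..., allowed mech=..." failure in the Initial test), together with the plain text warning from Misc, as a small Python model. This is an added example, not code from the attached page, from sendmail or from Cyrus SASL: the EHLO replies, the installed-mechanism lists and the client preference order are constructed for it (sendmail itself leaves the client's choice to the SASL library).

```python
"""EHLO parsing and SASL mechanism selection (added example).

Not code from the attached page, sendmail or Cyrus SASL.  EHLO_SAMPLE,
the installed-mechanism lists and PREFERENCE are constructed/assumed.
"""
import re

# Mechanisms that send the password in the clear (RFC 2595 section 6, quoted
# in the page; LOGIN is the non-standard relative of PLAIN).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Client preference, strongest first (an assumption for this example).
PREFERENCE = ["GSSAPI", "KERBEROS_V4", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]

# Constructed: the EHLO reply shown in the page's Initial test, line by line.
EHLO_SAMPLE = """250-local.sendmail.ORG Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP"""


def advertised_mechs(ehlo_reply):
    """Mechanisms listed after 250-AUTH in an EHLO reply.

    A server may split them over several AUTH lines, and some old servers
    write "AUTH=" instead of "AUTH ", so both spellings are accepted.
    """
    mechs = []
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[= ]+(.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.extend(m.group(1).upper().split())
    return mechs


def offered_mechs(auth_mechanisms, installed):
    """Server side: the intersection the page describes.

    confAUTH_MECHANISMS (allowed) is cut down to what the SASL library has
    installed; the result is what the daemon prints after 250-AUTH.  An
    empty result is the "available mech=..., allowed mech=..." situation
    from the troubleshooting list.
    """
    have = set(installed)
    return [m for m in auth_mechanisms.split() if m in have]


def choose_mech(available, tls_active, auth_mechanisms=None):
    """Client side: pick the mechanism to use, or None.

    Honour the client's own AuthMechanisms list if given, and refuse
    PLAIN/LOGIN unless STARTTLS (or an external tunnel) is already active,
    as the page's plain text warning asks.
    """
    candidates = set(available)
    if auth_mechanisms is not None:
        candidates &= set(auth_mechanisms.split())
    if not tls_active:
        candidates -= CLEARTEXT_MECHS
    for mech in PREFERENCE:
        if mech in candidates:
            return mech
    return None


if __name__ == "__main__":
    print("server offers:", advertised_mechs(EHLO_SAMPLE))
    print("daemon would list:", offered_mechs("GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5",
                                             ["DIGEST-MD5", "CRAM-MD5", "PLAIN"]))
    print("client picks (no TLS):", choose_mech(advertised_mechs(EHLO_SAMPLE), False))
    print("PLAIN-only server, no TLS:", choose_mech(["PLAIN"], False))
```

With the page's default AuthMechanisms and only the DIGEST-MD5/CRAM-MD5 plugins installed, offered_mechs() returns exactly the two mechanisms the telnet session in the Initial test shows; a server that offers PLAIN and LOGIN only, reached without STARTTLS, makes choose_mech() return None rather than leak the password.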
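The exchanges behind several points in the attached page, in one place: the authid/userid distinction from Terminology, what the base64 decoder in the troubleshooting tips reveals about a PLAIN dialogue, why sasldb has to be unreadable by anyone but root (it holds the shared secret itself, which CRAM-MD5 needs on the server side), and the default trust_auth rule from Operation. This is an added Python example, not code from the attached page, sendmail or Cyrus SASL. The user names, passwords and challenge are the ones used in the examples of RFC 2595 (PLAIN) and RFC 2195 (CRAM-MD5); SASLDB is a constructed stand-in for the sasldb file.

```python
"""PLAIN and CRAM-MD5 exchanges, and the trust_auth check (added example).

Not code from the attached page, sendmail or Cyrus SASL.  Names, passwords
and the challenge come from the RFC 2595 / RFC 2195 examples; SASLDB is a
constructed stand-in for sasldb.
"""
import base64
import hashlib
import hmac

# Constructed stand-in for sasldb: shared secrets keyed by authid.  A real
# sasldb must be owned by root/TrustedUser and unreadable by anyone else for
# exactly this reason: the secret itself is stored, not a one-way hash.
SASLDB = {"tim": "tanstaaftanstaaf", "test": "test"}


def plain_encode(authzid, authcid, passwd):
    """What a client sends after AUTH PLAIN: authzid NUL authcid NUL passwd."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode()).decode()


def plain_decode(line):
    """What a base64 decoder (the page's ed64.c) reveals about a PLAIN line.
    The password comes out in the clear, hence the STARTTLS requirement."""
    parts = base64.b64decode(line).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    return tuple(p.decode() for p in parts)


def plain_authenticate(line, db=SASLDB):
    """Server side for PLAIN: returns (authid, userid) or None.
    An empty authzid means "same as authcid" (RFC 2595)."""
    authzid, authcid, passwd = plain_decode(line)
    secret = db.get(authcid)
    if secret is None or not hmac.compare_digest(secret.encode(), passwd.encode()):
        return None
    return authcid, (authzid or authcid)


def cram_md5_response(challenge, authid, passwd):
    """Client side for CRAM-MD5 (RFC 2195): HMAC-MD5 over the server's
    challenge keyed with the shared secret; the secret never crosses the wire."""
    digest = hmac.new(passwd.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{authid} {digest}".encode()).decode()


def cram_md5_verify(challenge, response_b64, db=SASLDB):
    """Server side for CRAM-MD5: returns the authid on success, else None.
    Needs the plaintext secret from sasldb to recompute the HMAC."""
    try:
        authid, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:  # bad base64, bad UTF-8 or no space: treat as failure
        return None
    secret = db.get(authid)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return authid if hmac.compare_digest(expected, digest) else None


def trust_auth(authid, userid):
    """The default trust_auth rule from the Operation section: authid may act
    for userid only if both are identical; a failed authentication
    (authid None) is never trusted."""
    return authid is not None and authid == userid


if __name__ == "__main__":
    line = plain_encode("test", "test", "test")
    print("AUTH PLAIN line:", line, "decodes to", plain_decode(line))
    chal = "<1896.697170952@postoffice.reston.mci.net>"
    resp = cram_md5_response(chal, "tim", "tanstaaftanstaaf")
    print("CRAM-MD5 response:", resp, "->", cram_md5_verify(chal, resp))
    print("tim acting for bob:", trust_auth(cram_md5_verify(chal, resp), "bob"))
```

Running it shows the two sides of the page's advice at once: the PLAIN line decodes to user, user and password with nothing more than base64, while the CRAM-MD5 response only proves knowledge of the secret, at the price of the server keeping that secret in sasldb. The constant-time comparisons are there because a verifier that short-circuits on the first differing byte leaks timing information about the expected digest.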
