Re: sendmail SMTP AUTH: question about /etc/mail/auth/client-info file

2010-01-08 Thread Matthias Apitz
On Friday, January 08, 2010 at 06:44:00AM +, Glyn Millington wrote:

 Matthias Apitz writes:
   Hello,
   
   Because I was forced by my ISP to do so, I have configured successfully
   as described in the FBSD docs the sendmail with SMTP AUTH;
   
   one question remains: the required file /etc/mail/auth/client-info has 
   the line:
   
   AuthInfo:smtp.1blu.de U:root I:Y P:X
   
   where the I: value is the userID given by the ISP and P: its password;
   what is the U: value good for exactly? thanks in advance
 
 Hi Matthias,
 
 U = user
 
 for details see 
 
 http://www.sendmail.org/~ca/email/auth.html

Hello Glyn,

I have read the above page during my configuration but it does not
explain to me which user must be configured in U: value; Is it me? Or is it
the userID the sendmail daemon is running as? It works with U:root,
but what does this mean exactly?

Thx

matthias

-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/
Vote NO to EU The Lisbon Treaty: http://www.no-means-no.eu
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: sendmail SMTP AUTH: question about /etc/mail/auth/client-info file

2010-01-08 Thread Glyn Millington
Matthias Apitz writes:
  
  Hello Glyn,
  
  I have read the above page during my configuration but it does not
  explain to me which user must be configured in U: value; Is it me? Or is it
  the userID the sendmail daemon is running as? It works with U:root,
  but what does this mean exactly?


Sorry, Matthias, I misread your question.  I think it can only refer
to the uid under which sendmail is running, but can find no proof of
that :-)

atb


Glyn


Re: sendmail SMTP AUTH: question about /etc/mail/auth/client-info file

2010-01-08 Thread Matthew Seaman

Matthias Apitz wrote:


I have read the above page during my configuration but it does not
explain to me which user must be configured in U: value; Is it me? Or is it
the userID the sendmail daemon is running as? It works with U:root,
but what does this mean exactly?


That's a SASL thing -- it has the concept of differentiating between
authentication ID (who you are (and you can prove it because you have the
password or other security token)) and authorization ID (who you are logging
in as, and whose permissions you can use on the remote server).  According
to /usr/share/sendmail/cf/README:


The RHS for an AuthInfo: entry in the access map should consists of a
list of tokens, each of which has the form: "TDstring" (including
the quotes).  T is a tag which describes the item, D is a delimiter,
either ':' for simple text or '=' for a base64 encoded string.
Valid values for the tag are:

U   user (authorization) id
I   authentication id
P   password
R   realm
M   list of mechanisms delimited by spaces


You don't generally need all of these items.  For the simplest case,
all you'd need is U:username and P:password -- if you don't give 
I:authid explicitly it assumes it is the same as U:username (and vice
versa, if you give I:authid and not U:username).

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW
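
Added example (not part of the original thread, and not sendmail's own code): a small Python parser for the AuthInfo: token format Matthew quotes from the README, including the I/U defaulting he describes, plus the way the two identities are laid out in a SASL PLAIN message (RFC 4616). The host smtp.example.net and the credentials are constructed placeholders.

```python
import base64

# Tag letters as listed in the README excerpt quoted above.
TAGS = {"U": "authorization_id", "I": "authentication_id",
        "P": "password", "R": "realm", "M": "mechanisms"}

# Constructed sample entry: quoted tokens, one base64 ('=') value, an M list.
SAMPLE_LINE = ('AuthInfo:smtp.example.net "U:root" "I:isp-user" '
               '"P=ZXhhbXBsZS1wYXNzd29yZA==" "M:DIGEST-MD5 CRAM-MD5"')


def tokenize(rhs):
    """Split the right-hand side into tokens. A token may be wrapped in
    double quotes so that its value can contain spaces (the M list)."""
    tokens, buf, quoted = [], [], False
    for ch in rhs:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unterminated quote in AuthInfo entry")
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_authinfo(line):
    """Return (server, fields) for one 'AuthInfo:host token ...' line."""
    key, rhs = line.strip().split(None, 1)
    if not key.startswith("AuthInfo:"):
        raise ValueError("not an AuthInfo: entry")
    fields = {}
    for tok in tokenize(rhs):
        # T = tag, D = delimiter (':' plain text, '=' base64), rest = string
        if len(tok) < 2 or tok[0] not in TAGS or tok[1] not in ":=":
            raise ValueError("bad token: %r" % tok)
        value = tok[2:]
        if tok[1] == "=":
            value = base64.b64decode(value, validate=True).decode("utf-8")
        fields[TAGS[tok[0]]] = value
    # If only one of U / I is given, the other takes the same value.
    if "authentication_id" not in fields and "authorization_id" in fields:
        fields["authentication_id"] = fields["authorization_id"]
    elif "authorization_id" not in fields and "authentication_id" in fields:
        fields["authorization_id"] = fields["authentication_id"]
    if "mechanisms" in fields:
        fields["mechanisms"] = fields["mechanisms"].split()
    return key[len("AuthInfo:"):], fields


def plain_initial_response(authzid, authcid, password):
    """SASL PLAIN message per RFC 4616: authzid NUL authcid NUL passwd,
    base64-encoded. authzid is the authorization id (who to act as),
    authcid the authentication id (whose password is being checked)."""
    raw = "%s\0%s\0%s" % (authzid, authcid, password)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    server, fields = parse_authinfo(SAMPLE_LINE)
    print(server)
    for name in sorted(fields):
        shown = "<hidden>" if name == "password" else fields[name]
        print("  %-18s %s" % (name, shown))
```

The '=' delimiter is base64 encoding, not encryption, so the file still holds the password in recoverable form and should be readable by root only.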





sendmail SMTP AUTH: question about /etc/mail/auth/client-info file

2010-01-07 Thread Matthias Apitz

Hello,

Because I was forced by my ISP to do so, I have configured successfully
as described in the FBSD docs the sendmail with SMTP AUTH;

one question remains: the required file /etc/mail/auth/client-info has 
the line:

AuthInfo:smtp.1blu.de U:root I:Y P:X

where the I: value is the userID given by the ISP and P: its password;
what is the U: value good for exactly? thanks in advance

matthias

-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/
Vote NO to EU The Lisbon Treaty: http://www.no-means-no.eu


sendmail SMTP AUTH: question about /etc/mail/auth/client-info file

2010-01-07 Thread Glyn Millington
Matthias Apitz writes:
  Hello,
  
  Because I was forced by my ISP to do so, I have configured successfully
  as described in the FBSD docs the sendmail with SMTP AUTH;
  
  one question remains: the required file /etc/mail/auth/client-info has 
  the line:
  
  AuthInfo:smtp.1blu.de U:root I:Y P:X
  
  where the I: value is the userID given by the ISP and P: its password;
  what is the U: value good for exactly? thanks in advance

Hi Matthias,

U = user

for details see 

http://www.sendmail.org/~ca/email/auth.html


atb

Glyn


IMAP and SMTP-AUTH with sendmail on FreeBSD 7

2008-05-14 Thread Carl Bussema
I'm trying to setup a FreeBSD 7 box to replace a FreeBSD 4 box. We're migrating 
web hosting and e-mail hosting from the old server to the new one.

Goal: use sendmail to allow users to point their email clients at 
mail.domain.com for in & out, with SMTP Authentication so they can use these 
accounts from anywhere.
Additional goal: Allow secure or insecure connections for POP3, IMAP, and SMTP 
(TLS over port 25)

Currently working: SMTP from localhost (telnet localhost 25), IMAPS (but not 
plain IMAP), POP3, POP3S.
Currently NOT working: SMTP AUTH from external hosts (no encryption or TLS, 
although it does attempt the communication), IMAP without SSL

Errors received by client (Outlook 2007):
IMAP test: General authentication failed. none of the authentication methods 
supported by your IMAP server (if any) are supported on this computer
SMTP AUTH test: The server responded 550 5.1.1 [EMAIL PROTECTED] (rest of 
message cut off by Outlook)


maillog when I start the IMAP & SMTP test in Outlook:
May 14 15:14:54 BSDPROD imapd[9065]: Unexpected client disconnect, while 
reading line user=??? host=MY.PUBLIC.NAME [1.2.3.4]
May 14 15:14:54 BSDPROD sm-mta[9066]: NOQUEUE: connect from MY.PUBLIC.NAME 
[1.2.3.4]
May 14 15:14:54 BSDPROD sm-mta[9066]: m4EJEs8k009066: Milter (clamav): init 
success to negotiate
May 14 15:14:54 BSDPROD sm-mta[9066]: m4EJEs8k009066: Milter (spamassassin): 
init success to negotiate
May 14 15:14:54 BSDPROD sm-mta[9066]: m4EJEs8k009066: Milter: connect to filters
May 14 15:15:00 BSDPROD sm-mta[9066]: STARTTLS=server, relay=MY.PUBLIC.NAME 
[1.2.3.4], version=TLSv1/SSLv3, verify=NO, cipher=AES128-SHA, bits=128/128
May 14 15:15:00 BSDPROD sm-mta[9066]: m4EJEs8l009066: AUTH failure 
(DIGEST-MD5): authentication failure (-13) SASL(-13): authentication failure: 
realm changed: authentication aborted
May 14 15:15:00 BSDPROD sm-mta[9066]: AUTH=server, relay=MY.PUBLIC.NAME 
[1.2.3.4], authid=MYUSERNAME, mech=LOGIN, bits=0

Test: testsaslauthd -u MYUSER -p MYPASS
0: OK Success.

[EMAIL PROTECTED] / telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS 
LOGINDISABLED] localhost IMAP4rev1 2006j.389 at Wed, 14 May 2008 15:17:41 -0400 
(EDT)


Output from openssl s_client localhost:993 (after all the certificate stuff):
* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS AUTH=PLAIN 
AUTH=LOGIN] MY.SERVER.FQDN.COM IMAP4rev1 2006j.389 at Wed, 14 May 2008 15:18:45 
-0400 (EDT)

mc file follows:

### freebsd.mc ###
VERSIONID(`@(#)freebsd.mc   2.3 (IXN.com) 3/21/2008')
OSTYPE(freebsd4)dnl
DOMAIN(generic)dnl

define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/central.ixn.com.crt')dnl
define(`confSERVER_CERT', `CERT_DIR/central.ixn.com.crt')dnl
define(`confSERVER_KEY',`CERT_DIR/CAkey.key')dnl

TRUST_AUTH_MECH(`GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS',`GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN')dnl
define(`confAUTH_OPTIONS',`p,y')dnl
define(`confMAX_RCPTS_PER_MESSAGE', 500)dnl
define(`confSMTP_LOGIN_MSG', `foobar.com - By establishing a TCP connection to 
this host on port 25 you authorize possible relay testing of the connecting 
host.  If you do not wish to be tested do not establish connections with this 
host; $b')dnl

define(`confPRIVACY_FLAGS',`needmailhelo,noexpn,noetrn,novrfy')dnl
define(`confBAD_RCPT_THROTTLE', `1')dnl
define(`confCONNECTION_RATE_THROTTLE', `50')dnl
define(`confMAX_DAEMON_CHILDREN', `200')dnl
define(`confLOG_LEVEL', `10')dnl
define(`confMAX_MESSAGE_SIZE', `50485760')dnl

define(`confTO_IDENT',`0')dnl
define(`confTO_ICONNECT', `15s')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTO_HELO', `20s')dnl
define(`confTO_MAIL', `1m')dnl
define(`confTO_RCPT', `1m')dnl
define(`confTO_DATAINIT', `1m')dnl
define(`confTO_DATABLOCK', `10m')dnl
define(`confTO_DATAFINAL', `5m')dnl
define(`confTO_RSET', `1m')dnl
define(`confTO_QUIT', `1m')dnl
define(`confTO_MISC', `1m')dnl
define(`confTO_COMMAND', `1m')dnl
define(`confTO_STARTTLS', `2m')dnl

define(`MILTER', 1)dnl
FEATURE(`access_db')dnl
FEATURE(`greet_pause',6000)
FEATURE(`use_cw_file')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
FEATURE(`genericstable', `hash /etc/mail/genericstable')dnl
FEATURE(`delay_checks',`friend')dnl
FEATURE(`nouucp',`nospecial')dnl

FEATURE(dnsbl,`psbl.surriel.com', `550 5.7.1 ACCESS DENIED to $f from 
server  ${client_addr}  by psbl.surriel.com DNSBL see: 
http://psbl.surriel.com/listing?ip=; ${client_addr} ', `')dnl
FEATURE(dnsbl,`sbl-xbl.spamhaus.org', `550 5.7.1 ACCESS DENIED to $f from 
server  ${client_addr}  by sbl-xbl.spamhaus.org DNSBL 
(http://www.spamhaus.org/xbl)', `')dnl
FEATURE(dnsbl,`dnsbl.njabl.org', `550 5.7.1 ACCESS DENIED to $f from 
server  ${client_addr}  by njabl.org DNSBL (http://njabl.org)', `')dnl
FEATURE(dnsbl,`list.dsbl.org',`550 5.7.1 ACCESS DENIED to $f from server

Re: IMAP and SMTP-AUTH with sendmail on FreeBSD 7

2008-05-14 Thread Andriy Gapon


Have you recompiled your sendmail with SASL support?
It's in the handbook:
http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

--
Andriy Gapon


Re: qmail w/ SMTP auth using freebsd port

2008-04-14 Thread Jeff Dickens
I used the patches and documents from qmail.jms1.net and built my own 
qmail, and it works well.  I think a port that tracks qmail + jms1's 
current combined patch set would be well received.


BTW, I copied the maintainer of the qmail port on my earlier message, 
and it eventually bounced:


 [EMAIL PROTECTED]
   SMTP error from remote mail server after RCPT TO:[EMAIL PROTECTED]:
   host mx1.freebsd.org [69.147.83.52]: 450 4.7.1 [EMAIL PROTECTED]:
   Recipient address rejected: Service is unavailable:
   retry timeout exceeded


Michael P. Soulier wrote:

On 10/04/08 Jeff Dickens said:

  
Is there a document on how to set up SMTP auth using the FreeBSD qmail 
port?



I didn't think qmail supported anything as modern as smtp auth. Most likely
the expectation would be to proxy qmail through a tool that performs it for
you. 


Mike
  



Re: qmail w/ SMTP auth using freebsd port

2008-04-14 Thread Vince Hoffman
Jeff Dickens wrote:
 I used the patches and documents from qmail.jms1.net and built my own
 qmail, and it works well.  I think a port that tracks qmail + jms1's
 current combined patch set would be well received.
 

For what it's worth, the mail/qmail-tls port says it supports smtp-auth. I
don't use qmail myself though so I haven't tried it.


Vince

 BTW, I copied the maintainer of the qmail port on my earlier message,
 and it eventually bounced:
 
  [EMAIL PROTECTED]
SMTP error from remote mail server after RCPT TO:[EMAIL PROTECTED]:
host mx1.freebsd.org [69.147.83.52]: 450 4.7.1 [EMAIL PROTECTED]:
Recipient address rejected: Service is unavailable:
retry timeout exceeded
 
 
 Michael P. Soulier wrote:
 On 10/04/08 Jeff Dickens said:

  
 Is there a document on how to set up SMTP auth using the FreeBSD
 qmail port?
 

 I didn't think qmail supported anything as modern as smtp auth. Most
 likely
 the expectation would be to proxy qmail through a tool that performs
 it for
 you.
 Mike
   



qmail w/ SMTP auth using freebsd port

2008-04-10 Thread Jeff Dickens
Is there a document on how to set up SMTP auth using the FreeBSD qmail 
port?



[Fwd: Re: smtp auth - checkpw or auth_cdb or ?]

2008-04-09 Thread Jeff Dickens
I posted the message quoted below to the qmail list, and got a reply 
(below) from jms1 asking just which patches I have with the qmail port.  
Does the SMTP_AUTH_PATCH config option in the freebsd port use jms1's 
patches? 

I sort of doubt this is a repeat of the qmailrocks debacle, but I'd 
like to know whether there would be any advantage to building qmail from 
source without using the port.



On 2008-04-08, at 1739, Jeff Dickens wrote:


I'm trying to set up an authenticated SMTP server.  I have the  
freebsd qmail 1.03_6 port, built with the SMTP_AUTH_PATCH config  
option.


which means what, exactly? what patches are included in that port?

i ask because some of the variables listed in your run script (i.e.  
AUTH_CDB, REQUIRE_AUTH, ALLOW_INSECURE_AUTH, FORCE_TLS, DENY_DLS,  
etc.) are specific to features which only exist (as far as i know) in  
my combined patch.


i've been told that there was an attempt to build a freebsd port  
with my patch in it, but (1) i didn't write the port; (2) if this  
run script is part of it, it looks like the people who put the port  
together wrote their own scripts instead of using the ones from my web  
site; (3) the people who wrote the port didn't tell me that they were  
releasing it, or offer me a chance to preview what they were releasing  
(does the word qmailrocks sound familiar here?) and (4) i don't use  
freebsd, so if there is a port out there, i have no way to test it or  
provide support for it.


the only things i could suggest would be to contact whoever wrote the  
port for assistance, or do the same thing people recommend for debian  
linux- build qmail from source, by hand instead of using a package  
manager like ports or rpm, so that you KNOW exactly what is and is  
not included.


start with http://lifewithqmail.org/ and then, if you need any extra  
features which aren't part of netqmail, spend some time reading my  
qmail site, as well as the web sites for several of the other mega- 
patches out there, and figure out which one is going to best meet  
your needs. follow the directions for that patch, and if you run into  
problems, ask on the mailing lists for those patches (i have a list, i  
know bill shupp's qmail toaster has a list, and i'm pretty sure the  
others do as well.)


- 
| John M. Simpson  --  KG4ZOW  --  Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
- 
|   Hope for America  --  http://www.ronpaul2008.com/  |
- 






Here's my original message, fyi:



I'm trying to set up an authenticated SMTP server.  I have the freebsd 
qmail 1.03_6 port, built with the SMTP_AUTH_PATCH config option.


My run script looks like this:

   #!/bin/sh
   # qmail-submit/run
   exec 2>&1
   CONLIMIT=9
   #AUTH_CDB=/var/qmail/auth/auth.cdb
   CHECKPW=/usr/local/bin/checkpassword-pam
   PAM_SERVICE=submit
   LOCAL=`head -1 /var/qmail/control/me`
   TRUE=`which true`
   AUTH=1
   REQUIRE_AUTH=1
   ALLOW_INSECURE_AUTH=0
   PORT=465
   #SSL=1
   FORCE_TLS=0
   DENY_DNS=0
   #
   echo "*** Starting qmail-submit..."
   exec \
 envuidgid qmaild \
 softlimit -m 300 -f 1000 \
 tcpserver -v -HR \
 -U \
 -c ${CONLIMIT} \
 0 ${PORT} \
 /var/qmail/bin/qmail-smtpd ${LOCAL} ${CHECKPW} ${TRUE}

I tried to test it - fear not this test account is not accessible from 
the net - SSL is turned off just until I get it working this far:


   # perl -MMIME::Base64 -e 'print encode_base64("\000test\000test")'
   AHRlc3QAdGVzdA==

   # telnet 0 465

   Trying 0.0.0.0...
   Connected to 0.
   Escape character is '^]'.
   220 asdf.asdf.com ESMTP
   EHLO test
   250-asdf.asdf.com
   250-AUTH LOGIN CRAM-MD5 PLAIN
   250-AUTH=LOGIN CRAM-MD5 PLAIN
   250-PIPELINING
   250 8BITMIME
   AUTH PLAIN AHRlc3QAdGVzdA==
   535 authorization failed (#5.7.0)

I should mention this takes a few seconds to fail.

But, the checkpassword-pam does seem to work, and very quickly indeed.

   # echo -e "test\0test\0\timestamp\0" | checkpassword-pam -s submit \
       --debug --stdout -- /usr/bin/id 3<&0
   Reading username and password
   Username 'test'
   Password read successfully
   Initializing PAM library using service name 'submit'
   PAM library initialization succeeded
   conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = Password:
   Authentication passed
   Account management succeeded
   Setting PAM credentials succeeded
   PAM session opened
   PAM session closed
   Terminating PAM library
   Executing /usr/bin/id
   uid=1005(test) gid=1005(test) groups=1005(test)
   #

I created a vanilla /etc/pam.d/submit file:

   # grep -v "#" /etc/pam.d/submit
   auth   

RE: Best practice: sendmail and SMTP auth

2008-03-16 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Doug Poland
 Sent: Wednesday, March 12, 2008 11:20 AM
 To: [EMAIL PROTECTED]
 Subject: Best practice: sendmail and SMTP auth
 
 
 Hello,
 
 Not sure if this is the most appropriate place for this question, but
 since all my servers are FreeBSD 6.x/7.x, I'll give it a go...
 
 I am considering setting up SMTP auth on a number of sendmail
 instances that I control.  After much googling and reading, it is not
 clear to me that a server with SMTP auth configured/enabled can relay
 mail in both auth and non-auth modes.
 

Some of the explanations posted have been Rube Goldberg in the
extreme, greatly complicating what should have been a very simple
response.

A standard FreeBSD server determines relaying through use of the
access.db file, as you probably already are aware.

If you add in SMTP-auth then the ONLY change is that any client
that authenticates in, is exempted from checking the access.db
file - by default, they are allowed to relay.

It is not necessary to turn on an encrypted channel for SMTP-auth.
In fact, the most popular mail clients under Windows - Outlook,
only support NTLM encryption on authentication which REQUIRES
that the password be in cleartext on the mailserver.  OR, you 
can use SSL encryption for Outlook - however it will require a
(costly) commercially-rooted certificate on the server to do SSL
or your mail clients won't encrypt without a lot of nasty mucking
around on the user's side to install a self-signed root cert in their
clients.

As for 587, by default sendmail will allow auth on either port 25
or 587 and will allow non-encrypted auth on port 587.

The fact of the matter is that the most secure way of running
a production setup is to use a completely separate mailserver
for AUTH-smtp and to use DIFFERENT userID's/passwords on that server
than on the primary mailserver.  That way spammers that discover
the users e-mail address (which for most ISP's is the same as
the userID account) cannot launch dictionary attacks against the
SMTP-auth server.  And, attackers that sniff a cleartext password
on the SMTP-auth channel cannot use that userID 
to spam the mailserver.

Ted


Re: Best practice: sendmail and SMTP auth

2008-03-13 Thread Doug Poland
On Thu, Mar 13, 2008 at 01:43:11AM +, Matthew Seaman wrote:
 Derek Ragona wrote:
 At 02:19 PM 3/12/2008, Doug Poland wrote:
 Hello,
 
 Not sure if this is the most appropriate place for this question,
 but since all my servers are FreeBSD 6.x/7.x, I'll give it a go...
 
 I am considering setting up SMTP auth on a number of sendmail
 instances that I control.  After much googling and reading, it is
 not clear to me that a server with SMTP auth configured/enabled can
 relay mail in both auth and non-auth modes.
 
 If one sendmail configuration cannot accommodate both SMTP auth and
 access.db, does one set up a dedicated SMTP auth host with a
 SMART_HOST option and feed incoming email to a non-auth instance of
 sendmail?
 
 Sorry if my terminology is ambiguous, I'm not a sendmail
 professional by day.
 
 You can set up sendmail to do both auth and non-auth.  However best
 practice is to use auth only to control any spam relaying.  Check the
 sendmail.org website FAQ's for setting this up.  You will want to
 probably use cyrus-sasl or cyrus-sasl2 ports along with sendmail.
 
 A good solution to this is to use port 587 for Authenticated new mail
 submission and leave port 25 for the normal MTA-MTA type of (not
 authenticated) traffic.  Firstly, to enable authentication you need to
 compile sendmail against cyrus SASL2 (don't bother with SASL1 -- it's
 legacy only).  Now, you can either do that by installing sendmail from
 ports, or you can install the cyrus-sasl port and then make the base
 system sendmail link against it by adding this to /etc/make.conf:
 
 SENDMAIL_CFLAGS+=   -I/usr/local/include -DSASL=2
 SENDMAIL_LDFLAGS+=  -L/usr/local/lib
 SENDMAIL_LDADD+=-lsasl2
 
 I also like to use these two so that any milters etc. I build from
 ports interoperate with the base system sendmail.
 
 SENDMAIL_MILTER_IN_BASE=yes
 WITH_SENDMAIL_BASE= yes
 
 In order to do SMTP AUTH most effectively, you should enable STARTSSL
 support -- I always feel better knowing that passwords are sent over an
 encrypted connection.  This is a guide to what you need in your
 $(hostname).mc to add STARTSSL with AUTH /required/ on mail submitted
 via port 587, but not provided on port 25:
 
 first: turn off the default MSA setup, which we'll provide our own
 settings for later:
 
 FEATURE(no_default_msa)dnl ## overridden with DAEMON_OPTIONS below
 
 [...]
 
 second: basic configuration for SMTP AUTH -- what mechanisms are
 supported.  Note that LOGIN should only ever be allowed over encrypted
 connections as it sends passwords in plain text.  You can also
 authenticate by using SSL certificates but that is handled directly by
 sendmail and you don't need to list EXTERNAL as a SASL mechanism.
 
 dnl ## Set SASL options
 TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 define(`confAUTH_REALM', `your.domain.name')dnl
 define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
 
 [...]
 
 thirdly: insert the IP numbers of your servers into the following
 rules -- if you don't use IPv6 you can omit the lines for the external
 address, but you'll find things seem to work rather smoother if you
 keep the ::1 entries.
 
 The M=E flag says 'disable ETRN' and the M=Ea flag says 'require
 authentication (and disable ETRN)'.  M=A means 'don't offer
 authentication here'.  Note that I'm only requiring authentication on
 the external interfaces so I implicitly trust myself
 to submit e-mails via localhost:587 without it.  Your requirements may
 differ.  See
 http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html
 for an explanation of the capabilities of DAEMON_OPTIONS:
 
 dnl
 dnl Where the sendmail daemon should listen
 dnl
 DAEMON_OPTIONS(`Name=IPv4, Addr=12.34.56.78, M=A, Family=inet')dnl
 DAEMON_OPTIONS(`Name=IPv4, Addr=127.0.0.1, M=A, Family=inet')dnl
 DAEMON_OPTIONS(`Name=IPv6, Addr=::1, M=A, Family=inet6')dnl
 DAEMON_OPTIONS(`Name=IPv6, Addr=2000:aa:bb:cc::1, M=A, Family=inet6')dnl
 DAEMON_OPTIONS(`Name=MSA, Addr=12.34.56.78, Port=587, M=Ea')dnl
 DAEMON_OPTIONS(`Name=MSA, Addr=127.0.0.1, Port=587, M=E')dnl
 DAEMON_OPTIONS(`Name=MSA, Addr=2000:aa:bb:cc::1, Port=587, M=Ea, Family=inet6')dnl
 DAEMON_OPTIONS(`Name=MSA, Addr=::1, Port=587, M=E, Family=inet6')dnl
 
 fourthly: enable SSL capabilities in sendmail.  See
 http://aput.net/~jheiss/sendmail/tlsandrelay.shtml for a good article
 on configuring this stuff (although ignore the section on compiling
 sendmail: you get that automatically built into the base system
 sendmail already)
 
 dnl
 dnl TLS stuff
 dnl
 define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
 define(`confCACERT_PATH', `CERT_DIR')dnl
 define(`confCACERT', `CERT_DIR/cacert.pem')dnl
 define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
 define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
 define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
 define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
 
 fifthly

Best practice: sendmail and SMTP auth

2008-03-12 Thread Doug Poland
Hello,

Not sure if this is the most appropriate place for this question, but
since all my servers are FreeBSD 6.x/7.x, I'll give it a go...

I am considering setting up SMTP auth on a number of sendmail
instances that I control.  After much googling and reading, it is not
clear to me that a server with SMTP auth configured/enabled can relay
mail in both auth and non-auth modes.

If one sendmail configuration cannot accommodate both SMTP auth and
access.db, does one set up a dedicated SMTP auth host with a SMART_HOST
option and feed incoming email to a non-auth instance of sendmail?

Sorry if my terminology is ambiguous, I'm not a sendmail professional
by day.


--
Regards,
Doug



Re: Best practice: sendmail and SMTP auth

2008-03-12 Thread Derek Ragona

At 02:19 PM 3/12/2008, Doug Poland wrote:

Hello,

Not sure if this is the most appropriate place for this question, but
since all my servers are FreeBSD 6.x/7.x, I'll give it a go...

I am considering setting up SMTP auth on a number of sendmail
instances that I control.  After much googling and reading, it is not
clear to me that a server with SMTP auth configured/enabled can relay
mail in both auth and non-auth modes.

If one sendmail configuration cannot accommodate both SMTP auth and
access.db, does one set up a dedicated SMTP auth host with a SMART_HOST
option and feed incoming email to a non-auth instance of sendmail?

Sorry if my terminology is ambiguous, I'm not a sendmail professional
by day.


--
Regards,
Doug


You can set up sendmail to do both auth and non-auth.  However best 
practice is to use auth only to control any spam relaying.  Check the 
sendmail.org website FAQ's for setting this up.  You will want to probably 
use cyrus-sasl or cyrus-sasl2 ports along with sendmail.


-Derek




Re: Best practice: sendmail and SMTP auth

2008-03-12 Thread Matthew Seaman

Derek Ragona wrote:

At 02:19 PM 3/12/2008, Doug Poland wrote:

Hello,

Not sure if this is the most appropriate place for this question, but
since all my servers are FreeBSD 6.x/7.x, I'll give it a go...

I am considering setting up SMTP auth on a number of sendmail
instances that I control.  After much googling and reading, it is not
clear to me that a server with SMTP auth configured/enabled can relay
mail in both auth and non-auth modes.

If one sendmail configuration cannot accommodate both SMTP auth and
access.db, does one set up a dedicated SMTP auth host with a SMART_HOST
option and feed incoming email to a non-auth instance of sendmail?

Sorry if my terminology is ambiguous, I'm not a sendmail professional
by day.


You can set up sendmail to do both auth and non-auth.  However best 
practice is to use auth only to control any spam relaying.  Check the 
sendmail.org website FAQ's for setting this up.  You will want to 
probably use cyrus-sasl or cyrus-sasl2 ports along with sendmail.


A good solution to this is to use port 587 for Authenticated new mail
submission and leave port 25 for the normal MTA-MTA type of (not
authenticated) traffic.  Firstly, to enable authentication you need to
compile sendmail against cyrus SASL2 (don't bother with SASL1 -- it's
legacy only).  Now, you can either do that by installing sendmail
from ports, or you can install the cyrus-sasl port and then make the
base system sendmail link against it by adding this to /etc/make.conf:

SENDMAIL_CFLAGS+=   -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+=  -L/usr/local/lib
SENDMAIL_LDADD+=-lsasl2

I also like to use these two so that any milters etc. I build from
ports interoperate with the base system sendmail.

SENDMAIL_MILTER_IN_BASE=yes
WITH_SENDMAIL_BASE= yes

In order to do SMTP AUTH most effectively, you should enable STARTSSL
support -- I always feel better knowing that passwords are sent over an
encrypted connection.  This is a guide to what you need in your
$(hostname).mc to add STARTSSL with AUTH /required/ on mail submitted
via port 587, but not provided on port 25:

first: turn off the default MSA setup, which we'll provide our own
settings for later:

FEATURE(no_default_msa)dnl ## overridden with DAEMON_OPTIONS below

[...]

second: basic configuration for SMTP AUTH -- what mechanisms are supported.
Note that LOGIN should only ever be allowed over encrypted connections as it
sends passwords in plain text.  You can also authenticate by using SSL
certificates but that is handled directly by sendmail and you don't need to
list EXTERNAL as a SASL mechanism.

dnl ## Set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_REALM', `your.domain.name')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl

[...]

thirdly: insert the IP numbers of your servers into the following rules --
if you don't use IPv6 you can omit the lines for the external address, but
you'll find things seem to work rather smoother if you keep the ::1 entries.

The M=E flag says 'disable ETRN' and the M=Ea flag says 'require authentication
(and disable ETRN)'.  M=A means 'don't offer authentication here'.  Note that I'm only
requiring authentication on the external interfaces so I implicitly trust myself
to submit e-mails via localhost:587 without it.  Your requirements may differ.
See http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html
for an explanation of the capabilities of DAEMON_OPTIONS:

dnl
dnl Where the sendmail daemon should listen
dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=12.34.56.78, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=127.0.0.1, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv6, Addr=::1, M=A, Family=inet6')dnl
DAEMON_OPTIONS(`Name=IPv6, Addr=2000:aa:bb:cc::1, M=A, Family=inet6')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=12.34.56.78, Port=587, M=Ea')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=127.0.0.1, Port=587, M=E')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=2000:aa:bb:cc::1, Port=587, M=Ea, Family=inet6')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=::1, Port=587, M=E, Family=inet6')dnl

fourthly: enable SSL capabilities in sendmail.  See
http://aput.net/~jheiss/sendmail/tlsandrelay.shtml for a good article on
configuring this stuff (although ignore the section on compiling
sendmail: you get that automatically built into the base system sendmail
already)

dnl
dnl TLS stuff
dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

fifthly: there is no fifthly -- you're done.  Build a sendmail.cf and test
that it all works.

Cheers,

	Matthew 


--
Dr Matthew J Seaman MA, D.Phil.   7 Priory

Re: Best practice: sendmail and SMTP auth

2008-03-12 Thread Giorgos Keramidas
On 2008-03-12 14:19, Doug Poland [EMAIL PROTECTED] wrote:
 Hello,
 Not sure if this is the most appropriate place for this
 question, but since all my servers are FreeBSD 6.x/7.x, I'll
 give it a go...

 I am considering setting up SMTP auth on a number of sendmail
 instances that I control.  After much googling and reading, it
 is not clear to me that a server with SMTP auth
 configured/enabled can relay mail in both auth and non-auth
 modes.

 If one sendmail configuration cannot accommodate both SMTP auth
 and access.db, does one setup a dedicated SMTP auth host with a
 SMART_HOST option and feed incoming email to an non-auth
 instance of sendmail?

Sure it can.

One of the ways to do something like this is:

[1] Configure Sendmail to *require* authentication when one
connects to its `submission' port (TCP port 587), and keep
using /etc/mail/access for the default listener of the `smtp'
port (TCP port 25).

[2] Then you can configure your `trusted' clients to connect
through port 587, and let everyone else keep using port 25.



Re: Best practice: sendmail and SMTP auth

2008-03-12 Thread Zinevich Denis
I don't remember if it can be done by sendmail, but with exim it can be
done easily.

Doug Poland wrote:

Hello,

Not sure if this is the most appropriate place for this question, but
since all my servers are FreeBSD 6.x/7.x, I'll give it a go...

I am considering setting up SMTP auth on a number of sendmail
instances that I control.  After much googling and reading, it is not
clear to me that a server with SMTP auth configured/enabled can relay
mail in both auth and non-auth modes.

If one sendmail configuration cannot accommodate both SMTP auth and
access.db, does one setup a dedicated SMTP auth host with a SMART_HOST
option and feed incoming email to an non-auth instance of sendmail?

Sorry if my terminology is ambiguous, I'm not a sendmail professional
by day.


--
Regards,
Doug



Re: Sendmail and SMTP AUTH, I need a hand [SOLVED]

2007-10-26 Thread Efren Bravo
Solved, thanks for your time


--- Steve Bertrand [EMAIL PROTECTED] wrote:

  Hi,

  I tried to activate the SMTP AUTH in Sendmail
  following the steps of the man page
  (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html).

  Everything was ok, but...

  If on the client (Outlook Express or MS Outlook)
  is activated My server requires authentication the SMTP AUTH occurs
  and the mail is sent but if this option is disabled the mail is sent
  too.

 I can't really help on the config side of things, but:

 Are all of your clients under the domain you have listed in the access
 file?

 That essentially (AFAIR) means allow anyone sending from this domain
 to relay through me, no matter what, which (again AFAIR) means that
 any domain listed in that file can relay through you, even if I slap
 your domain into my mail client on my own IP address (please correct
 if wrong).

 If this is the case, remove the domain from access, and if it's in
 relaydomains, remove it from there too.

 After it's removed from access, do this:

 # cd /etc/mail
 # makemap hash access < access

 I don't think you have to restart sendmail, but I can't remember.

 You should be able to eliminate all entries from both files after AUTH
 is enabled (again, AFAIR. I haven't used sendmail other than for
 system messages for a long time).

 Steve
 


Sendmail and SMTP AUTH, I need a hand

2007-10-25 Thread Efren Bravo
Hi,

I tried to activate the SMTP AUTH in Sendmail
following the steps of the man page 
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html).

Everything was ok, but...

If on the client (Outlook Express or MS Outlook)
is activated My server requires authentication
the SMTP AUTH occurs and the mail is sent but if
this option is disabled the mail is sent too.


These are only the new settings on freebsd.mc

define(`SMART_HOST', `smtp.domain.com')
define(`confMAX_MESSAGE_SIZE', `6291456')dnl

define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

define(`confLOG_LEVEL', `14')dnl


access file:

blue.domain.com   RELAY


telnet to Sendmail:
---
220 mail.blue.domain.com ESMTP Sendmail 8.13.8/8.13.8; Thu, 25 Oct 2007 13:00:51 -0400 (CDT)
ehlo blue.domain.com
250-mail.blue.domain.com Hello sistemas1.blue.domain.com [10.10.3.16], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 6291456
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250-DELIVERBY
250 HELP
auth login
334 VXNlcm5hbWU6
ZWZyZW5iYQ==
334 UGFzc3dvcmQ6
bWVybHV6YTIwMDU=
235 2.0.0 OK Authenticated

Username and passwd was encoded thanks to that
page:
http://makcoder.sourceforge.net/demo/base64.php


Checking sasl into Sendmail:

# /usr/sbin/sendmail -d0.1 -bt < /dev/null
Version 8.13.8
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS
MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2
SCANF STARTTLS TCPWRAPPERS USERDB
XDEBUG



What do I miss in Sendmail to force the clients
to use SMTP AUTH?


Thanks in advance...




   



Re: Sendmail and SMTP AUTH, I need a hand

2007-10-25 Thread Steve Bertrand
 Hi,


 I tried to activate the SMTP AUTH in Sendmail
 following the steps of the man page
 (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html).

 Everything was ok, but...


 If on the client (Outlook Express or MS Outlook)
 is activated My server requires authentication the SMTP AUTH occurs
 and the mail is sent but if this option is disabled the mail is sent
 too.

I can't really help on the config side of things, but:

Are all of your clients under the domain you have listed in the access
file?

That essentially (AFAIR) means allow anyone sending from this domain
to relay through me, no matter what, which (again AFAIR) means that
any domain listed in that file can relay through you, even if I slap
your domain into my mail client on my own IP address (please correct
if wrong).

If this is the case, remove the domain from access, and if it's in
relaydomains, remove it from there too.

After it's removed from access, do this:

# cd /etc/mail
# makemap hash access < access

I don't think you have to restart sendmail, but I can't remember.

You should be able to eliminate all entries from both files after AUTH
is enabled (again, AFAIR. I haven't used sendmail other than for
system messages for a long time).

Steve



Re: force smtp auth

2007-02-12 Thread Jeffrey Goldberg

On Feb 11, 2007, at 8:27 PM, Doug McComber wrote:


This is for a web server that runs Drupal.  I don't use the server for
email as I have that hosted elsewhere. I just want Drupal to be able
to send email (from localhost) via smtp auth. This is working right
now except mail can also be sent without using smtp auth.


I'm not entirely sure what you are asking.  Is all the mail that  
Drupal sends from localhost?  That is, is there a need for Drupal to  
listen on port 25 (or 587) at all?   If there is no need for  
listening, then sendmail should be set up as a client only and listen  
only to localhost.  I don't work with sendmail on FreeBSD so I can't  
say exactly how you do this, but getting something like


 DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

in the .mc source for your sendmail.cf should tell it to listen to  
daemon host.


If you do want to connect to the machine remotely and have it relay  
mail for you, then having something like


 DAEMON_OPTIONS(`Name=MSA, Port=587, M=E')

in the mc file that is the source for your sendmail.cf file should do  
the trick.  That tells sendmail to listen on port 587 (smtp  
submission port) and require authentication.  The M=E is what  
requires the authentication.


Don't add that by hand, it is already nicely set up if  you use

  FEATURE(`msp')

If you want to force authentication even on localhost connections,  
then I guess something like


 DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA, M=E')

should do the trick.

Poking around I see that the src mc file is /usr/src/etc/sendmail/freebsd.mc


However, there is a good chance that I've answered the wrong  
question, because I'm not sure what it is that you are after.


And someone who is familiar with managing sendmail on FreeBSD will be  
able to tell you the FreeBSD way of doing things.


-j


--
Jeffrey Goldberg        http://www.goldmark.org/jeff/



Re: force smtp auth

2007-02-12 Thread Doug McComber

On 2/12/07, Jeffrey Goldberg [EMAIL PROTECTED] wrote:

On Feb 11, 2007, at 8:27 PM, Doug McComber wrote:

 This is for a web server that runs Drupal.  I don't use the server for
 email as I have that hosted elsewhere. I just want Drupal to be able
 to send email (from localhost) via smtp auth. This is working right
 now except mail can also be sent without using smtp auth.

I'm not entirely sure what you are asking.  Is all the mail that
Drupal sends from localhost?  That is, is there a need for Drupal to
listen on port 25 (or 587) at all?   If there is no need for
listening, then sendmail should be set up as a client only and listen
only to localhost.  I don't work with sendmail on FreeBSD so I can't
say exactly how you do this, but getting something like

  DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

in the .mc source for your sendmail.cf should tell it to listen to
daemon host.

If you do want to connect to the machine remotely and have it relay
mail for you, then having something like

  DAEMON_OPTIONS(`Name=MSA, Port=587, M=E')

in the mc file that is the source for your sendmail.cf file should do
the trick.  That tells sendmail to listen on port 587 (smtp
submission port) and require authentication.  The M=E is what
requires the authentication.

Don't add that by hand, it is already nicely set up if  you use

   FEATURE(`msp')

If you want to force authentication even on localhost connections,
then I guess something like

  DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA, M=E')

should do the trick.

Poking around I see that the src mc file is /usr/src/etc/sendmail/freebsd.mc

However, there is a good chance that I've answered the wrong
question, because I'm not sure what it is that you are after.

And someone who is familiar with managing sendmail on FreeBSD will be
able to tell you the FreeBSD way of doing things.

-j


--
Jeffrey Goldberg        http://www.goldmark.org/jeff/



Thanks Jeffrey.  What I'm after is that I want sendmail to require
smtp auth regardless of who what or where.  This is because I am only
using sendmail on this server for php content management systems
(drupal) to send verification emails.  But, the reality is that over
time a#$%oles will find a new security flaw in php and/or the cms and
use my server to send spam (or worse).  So, with smtp auth required
for ALL smtp connections I can (hope to) stop this from happening.
Anyway, what worked to force smtp auth was M=Ea.

Thanks again,
Doug
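
An added example, not code from any poster in this thread: a small audit of the `DAEMON_OPTIONS` lines in a `.mc` file that reports, per listener, whether AUTH is required (`a`), not offered (`A`) or merely optional, which is the difference between `M=E` and `M=Ea` found above. The sample input reuses the listener block from Matthew Seaman's message on this page (placeholder addresses) plus the `M=E` localhost line suggested in this thread; the function names and the first-letter key handling are this example's own.

```python
import re

# M= modifier letters relevant to this thread, as documented in sendmail's
# cf/README under DAEMON_OPTIONS.
MODIFIER_MEANING = {
    "a": "require AUTH",
    "A": "do not offer AUTH (overrides a)",
    "E": "disallow ETRN",
    "s": "run SMTP over SSL (smtps)",
    "S": "do not offer STARTTLS",
}

DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")

# Sample input: the listener block quoted on this page (placeholder addresses)
# plus the M=E localhost line proposed in the "force smtp auth" thread.
SAMPLE_MC = """\
dnl Where the sendmail daemon should listen
DAEMON_OPTIONS(`Name=IPv4, Addr=12.34.56.78, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv4, Addr=127.0.0.1, M=A, Family=inet')dnl
DAEMON_OPTIONS(`Name=IPv6, Addr=::1, M=A, Family=inet6')dnl
DAEMON_OPTIONS(`Name=IPv6, Addr=2000:aa:bb:cc::1, M=A, Family=inet6')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=12.34.56.78, Port=587, M=Ea')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=127.0.0.1, Port=587, M=E')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=2000:aa:bb:cc::1, Port=587, M=Ea, Family=inet6')dnl
DAEMON_OPTIONS(`Name=MSA, Addr=::1, Port=587, M=E, Family=inet6')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA, M=E')
"""


def parse_daemon_options(mc_text):
    """Return one {key: value} dict per DAEMON_OPTIONS() call in .mc text."""
    listeners = []
    for line in mc_text.splitlines():
        if line.lstrip().startswith("dnl"):
            continue  # m4 comment line, including commented-out listeners
        match = DAEMON_RE.search(line)
        if not match:
            continue
        opts = {}
        for item in match.group(1).split(","):
            key, sep, value = item.strip().partition("=")
            if sep:
                # Keyed on the first letter so M= and Modifiers= are treated
                # alike (a simplification made by this example).
                opts[key[:1].upper()] = value.strip()
        listeners.append(opts)
    return listeners


def auth_policy(modifiers):
    """Classify a listener's AUTH behaviour from its M= letters."""
    if "A" in modifiers:
        return "not offered"   # A wins even if a is also present
    if "a" in modifiers:
        return "required"
    return "optional"          # offered, but clients may skip it


def explain(modifiers):
    """Spell out the modifier letters this example knows about."""
    return [MODIFIER_MEANING[c] for c in modifiers if c in MODIFIER_MEANING]


def audit(mc_text):
    """Summarise every listener; warn on a submission port without 'a'."""
    rows = []
    for opts in parse_daemon_options(mc_text):
        port = opts.get("P", "smtp")
        policy = auth_policy(opts.get("M", ""))
        rows.append({
            "name": opts.get("N", "?"),
            "addr": opts.get("A", "any"),
            "port": port,
            "auth": policy,
            "warn": port in ("587", "submission") and policy != "required",
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_MC):
        flag = "  <-- submission port without required AUTH" if row["warn"] else ""
        print(f'{row["name"]:5} {row["addr"]:18} {row["port"]:5} AUTH {row["auth"]}{flag}')
```

The two warnings on the localhost port 587 listeners correspond to that listing's stated choice to trust local submissions; whether that is acceptable is the administrator's call.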


force smtp auth

2007-02-11 Thread Doug McComber

Hi, I've got smtp auth running with sendmail via the FreeBSD handbook.
Now I'd like to set it up so that smtp auth is the only method
allowed for sending outgoing mail.

This is for a web server that runs Drupal.  I don't use the server for
email as I have that hosted elsewhere. I just want Drupal to be able
to send email (from localhost) via smtp auth. This is working right
now except mail can also be sent without using smtp auth.

Regards,
Doug


Re: question on smtp AUTH

2007-01-14 Thread Matthew Seaman
David Banning wrote:
 That would seem to suggest that the spam is being sent using an authorized 
 account, however, is it possible that a host inside your network is 
 sending the spam?
 
 Thanks for that test Paul. I do believe that it could have been a virus
 infected windows box. I am not convinced now. I -do- know that I have
 had crackers attempting access via SSH and I did not have anything to
 stop them from trying every possible configuration. Eventually they
 may have gotten a usable login and password. I now have them blocked
 after 5 failed attempts but still there could be someone spamming using
 the login and password obtained previously. Before getting -everyone-
 to change their password I am wondering if there isn't a way to log
 who is sending via what login authentication. I could then just
 setup a new password for that user only.

You can make the logging more verbose at the SASL level.  You should 
have a file

/usr/local/lib/sasl2/Sendmail.conf 

which contains sendmail specific bits of the SASL configuration.
(just create it if you don't already have it).  You can add to
that a

   log_level: 6

parameter, which should cause enough logging to be generated that you
can tell who was logging in and where from, without logging passwords
or other sensitive stuff.  You might want to follow the instructions in
/etc/syslog.conf for enabling the all.log.

For more info on the sort of stuff you can put in the various SASL
config files see:

   http://www.sendmail.org/~ca/email/cyrus2/options.html

The available levels (from sasl.h) are:

/* Logging levels for use with the logging callback function. */
#define SASL_LOG_NONE  0    /* don't log anything */
#define SASL_LOG_ERR   1    /* log unusual errors (default) */
#define SASL_LOG_FAIL  2    /* log all authentication failures */
#define SASL_LOG_WARN  3    /* log non-fatal warnings */
#define SASL_LOG_NOTE  4    /* more verbose than LOG_WARN */
#define SASL_LOG_DEBUG 5    /* more verbose than LOG_NOTE */
#define SASL_LOG_TRACE 6    /* traces of internal protocols */
#define SASL_LOG_PASS  7/* traces of internal protocols, including

Cheers,

Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
  Kent, CT11 9PW





question on smtp AUTH

2007-01-13 Thread David Banning
I am still poring over logs to check how my server has been spamming.

I am wondering about the possibility of someone using a working login and
password to send spam through my server. So here is my question;

I look at my maillog and see the following spam;

maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540: 
from=[EMAIL PROTECTED], size=478, class=0, nrcpts=1, msgid=200701110714.l0B7
[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=3s1.com [209.161.205.12]

[EMAIL PROTECTED] does not exist as a user on my system, but the relay is mine
(3s1.com), and 209.161.205.12 is mine.

How can I find out or log when a user sends mail, what authentication was
used? If they have to login to send through my server, who did they login
as? - how would I find that out?


Re: question on smtp AUTH

2007-01-13 Thread Paul Schmehl
--On January 13, 2007 1:08:17 PM -0500 David Banning 
[EMAIL PROTECTED] wrote:



I am still poring over logs to check how my server has been spamming.

I am wondering about the possibility of someone using a working login
and password  to send spam through my server. So here is my question;

I look at my maillog and see the following spam;

maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540:
from=[EMAIL PROTECTED], size=478, class=0, nrcpts=1, msgid=200701110714.l0B7
[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=3s1.com
[209.161.205.12]

[EMAIL PROTECTED] does not exist as a user on my system, but the relay is mine
(3s1.com), and 209.161.205.12 is mine.


Your system appears to be working as expected:

telnet 209.161.205.12 25
Trying 209.161.205.12...
Connected to 3s1.com.
Escape character is '^]'.
EHL220 3s1.com ESMTP Sendmail 8.13.6/8.13.6; Sat, 13 Jan 2007 14:51:12 
-0500 (EST)

^R
EHLO testing
250-3s1.com Hello www.stovebolt.com [66.221.101.248], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
MAIL FROM: [EMAIL PROTECTED]
250 2.1.0 [EMAIL PROTECTED] Sender ok
RCPT TO: [EMAIL PROTECTED]
550 5.7.1 [EMAIL PROTECTED] Relaying denied. Proper authentication 
required.


That would seem to suggest that the spam is being sent using an authorized 
account, however, is it possible that a host inside your network is 
sending the spam?


Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/


Re: question on smtp AUTH

2007-01-13 Thread John Levine
I am wondering about the possibility of someone using a working login
and password to send spam through my server. So here is my question;

That's depressingly common.  Look for abandoned or unused accounts
like guest/guest.

R's,
John


Re: question on smtp AUTH

2007-01-13 Thread Paul Schmehl
--On January 13, 2007 6:34:17 PM -0500 David Banning [EMAIL PROTECTED] 
wrote:



That would seem to suggest that the spam is being sent using an
authorized  account, however, is it possible that a host inside your
network is  sending the spam?


Thanks for that test Paul. I do believe that it could have been a virus
infected windows box. I am not convinced now. I -do- know that I have
had crackers attempting access via SSH and I did not have anything to
stop them from trying every possible configuration. Eventually they
may have gotten a usable login and password. I now have them blocked
after 5 failed attempts but still there could be someone spamming using
the login and password obtained previously. Before getting -everyone-
to change their password I am wondering if there isn't a way to log
who is sending via what login authentication. I could then just
setup a new password for that user only.


I'm not that knowledgeable of sendmail.  (One of the first things I do on 
every install is install postfix and disable sendmail.)  I sent a test 
message, and here's what I see in the logs:


Jan 13 14:12:30 mail postfix/smtpd[55000]: F0E75114333: client=adsl-65-69-140-8.dsl.rcsntx.swbell.net[65.69.140.8], sasl_method=PLAIN, [EMAIL PROTECTED]
Jan 13 14:12:31 mail postfix/smtp[55003]: 845B811431A: to=[EMAIL PROTECTED], relay=mx2.utdallas.edu[129.110.10.17]:25, delay=0.6, delays=0.34/0/0.13/0.13, dsn=2.0.0, status=sent (250 Ok: queued as 261313392)

I don't know if sendmail logs those.  If not, maybe a higher debug level 
would help?


Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/


Re: question on smtp AUTH

2007-01-13 Thread David Banning
 That would seem to suggest that the spam is being sent using an authorized 
 account, however, is it possible that a host inside your network is 
 sending the spam?

Thanks for that test Paul. I do believe that it could have been a virus
infected windows box. I am not convinced now. I -do- know that I have
had crackers attempting access via SSH and I did not have anything to
stop them from trying every possible configuration. Eventually they
may have gotten a usable login and password. I now have them blocked
after 5 failed attempts but still there could be someone spamming using
the login and password obtained previously. Before getting -everyone-
to change their password I am wondering if there isn't a way to log
who is sending via what login authentication. I could then just
setup a new password for that user only.


Re: question on smtp AUTH

2007-01-13 Thread Jonathan Horne
On Saturday 13 January 2007 12:08, David Banning wrote:
 I am still poring over logs to check how my server has been spamming.

 I am wondering about the possibility of someone using a working login and
 password to send spam through my server. So here is my question;

 I look at my maillog and see the following spam;

 maillog.0:Jan 11 02:14:17 3s1 sm-mta[3540]: l0B7EGO6003540:
 from=[EMAIL PROTECTED], size=478, class=0, nrcpts=1, 
 msgid=200701110714.l0B7
 [EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=3s1.com
 [209.161.205.12]

 [EMAIL PROTECTED] does not exist as a user on my system, but the relay is mine
 (3s1.com), and 209.161.205.12 is mine.

 How can I find out or log when a user sends mail, what authentication was
 used? If they have to login to send through my server, who did they login
 as? - how would I find that out?

well, on my sendmail, which i know to be authing correctly.. i see a line 
with an authid and the originating server.  here is what i see in my sendmail 
logs when i send an email thru my server:


Jan 13 21:09:03 regulus sm-mta[1295]: AUTH=server, relay=athena.dfwlp.com [192.168.125.83], authid=jhorne, mech=PLAIN, bits=0
Jan 13 21:09:03 regulus sm-mta[1295]: l0E393ZZ001295: from=[EMAIL PROTECTED], size=340, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=IPv4, relay=athena.dfwlp.com [192.168.125.83]
Jan 13 21:09:03 regulus spamd[778]: spamd: connection from localhost [127.0.0.1] at port 52812
Jan 13 21:09:03 regulus spamd[778]: spamd: processing message [EMAIL PROTECTED] for root:58
Jan 13 21:09:04 regulus spamd[778]: spamd: clean message (-4.4/3.6) for root:58 in 1.3 seconds, 634 bytes.
Jan 13 21:09:04 regulus spamd[778]: spamd: result: . -4 - ALL_TRUSTED,BAYES_00 scantime=1.3,size=634,user=root,uid=58,required_score=3.6,rhost=localhost,raddr=127.0.0.1,rport=52812,mid=[EMAIL PROTECTED],bayes=1.98407501539322e-09,autolearn=ham
Jan 13 21:09:04 regulus sm-mta[1295]: l0E393ZZ001295: Milter add: header: X-Spam-Status: No, score=-4.4 required=3.6 tests=ALL_TRUSTED,BAYES_00 \n\tautolearn=ham version=3.1.7
Jan 13 21:09:04 regulus sm-mta[1295]: l0E393ZZ001295: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on regulus.dfwlp.com
Jan 13 21:09:04 regulus spamd[648]: prefork: child states: II
Jan 13 21:09:12 regulus sm-mta[1298]: l0E393ZZ001295: to=[EMAIL PROTECTED], ctladdr=[EMAIL PROTECTED] (1001/1001), delay=00:00:09, xdelay=00:00:08, mailer=esmtp, pri=30340, relay=gmail-smtp-in.l.google.com. [64.233.163.27], dsn=2.0.0, stat=Sent (OK 1168744152 18si11823416nzo)

another very archaic test, and this is not so much a definitive test anymore, 
but it might not hurt to try the open relay test from mail-abuse.org.  just 
type:

telnet relay-test.mail-abuse.org

and it should at least be able to withstand those 19 simple relay checks.  
what authmethod are you using on your sendmail, and did you make the 
appropriate changes in your .mc files?

finally, when someone who tried to relay who is not authorized, your sendmail 
logs should produce lines like this:

Jan 12 10:15:05 regulus sm-mta[28559]: l0CGEDDv028559: ruleset=check_rcpt, arg1=[EMAIL PROTECTED], relay=VG-4-52.dialup.access.telecore.net.ru [213.135.65.54], reject=550 5.7.1 [EMAIL PROTECTED]... Relaying denied. Proper authentication required.

do a:
cat /var/log/maillog*|grep Proper

and see what you turn up.

hth,
jonathan
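
The correlation the log excerpt above makes possible, as an added example that is not part of the original post: the `AUTH=server` line carries no queue ID, so this script ties it to the `from=` lines that follow through the shared `sm-mta[pid]`, and lists messages accepted with no authentication at all. The log lines are constructed in the format shown above; host names, addresses, authids and the one-hour window are assumptions of this example.

```python
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?:[^\s:]+:)?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]:\s+(?P<body>.*)$"
)
AUTH_RE = re.compile(
    r"^(?:\w+:\s+)?AUTH=server, relay=(?P<relay>.*?), authid=(?P<authid>[^,]+), "
    r"mech=(?P<mech>[^,]+), bits=(?P<bits>\d+)"
)
FROM_RE = re.compile(r"^(?P<qid>\w+): from=(?P<sender>[^,]*),.*\brelay=(?P<relay>.*)$")

# Constructed sample in the maillog format quoted above (placeholder names).
SAMPLE_LOG = """\
Jan 13 21:09:03 mx sm-mta[1295]: AUTH=server, relay=client1.example.org [192.0.2.83], authid=alice, mech=PLAIN, bits=0
Jan 13 21:09:03 mx sm-mta[1295]: l0E393ZZ001295: from=<alice@example.org>, size=340, nrcpts=1, proto=ESMTP, daemon=IPv4, relay=client1.example.org [192.0.2.83]
Jan 13 21:09:40 mx sm-mta[1295]: l0E39eZZ001296: from=<alice@example.org>, size=512, nrcpts=1, proto=ESMTP, daemon=IPv4, relay=client1.example.org [192.0.2.83]
Jan 13 21:15:10 mx sm-mta[1300]: l0E3FAZZ001300: from=<www@example.org>, size=478, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jan 13 22:01:00 mx sm-mta[1310]: AUTH=server, relay=host.example.net [198.51.100.7], authid=guest, mech=LOGIN, bits=0
Jan 13 22:01:01 mx sm-mta[1310]: l0E411ZZ001310: from=<a@example.com>, size=900, nrcpts=50, proto=ESMTP, daemon=MSA, relay=host.example.net [198.51.100.7]
Jan 13 22:01:05 mx sm-mta[1310]: l0E415ZZ001311: from=<b@example.com>, size=900, nrcpts=50, proto=ESMTP, daemon=MSA, relay=host.example.net [198.51.100.7]
Jan 13 23:30:00 mx sm-mta[1295]: l0E4U0ZZ001295: from=<c@example.com>, size=900, nrcpts=50, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
"""


def attribute_messages(lines, max_gap=3600):
    """Attach the session's authid (or None) to every accepted message.

    max_gap bounds how long an AUTH line stays valid for its PID, so that a
    recycled PID does not inherit an earlier session's identity. The price is
    that a single session lasting longer than max_gap loses its attribution.
    """
    sessions = {}   # (host, pid) -> (time of AUTH line, authid, mech)
    messages = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["prog"] not in ("sm-mta", "sendmail"):
            continue
        # syslog timestamps carry no year; a fixed leap year keeps Feb 29 valid.
        when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        key = (m["host"], m["pid"])
        auth = AUTH_RE.match(m["body"])
        if auth:
            sessions[key] = (when, auth["authid"], auth["mech"])
            continue
        frm = FROM_RE.match(m["body"])
        if not frm:
            continue
        authid = mech = None
        if key in sessions:
            seen, sid, smech = sessions[key]
            if 0 <= (when - seen).total_seconds() <= max_gap:
                authid, mech = sid, smech
            else:
                del sessions[key]   # stale entry from an earlier process
        messages.append({
            "qid": frm["qid"], "pid": m["pid"], "sender": frm["sender"],
            "relay": frm["relay"], "authid": authid, "mech": mech,
        })
    return messages


def count_by_authid(messages):
    """Messages per authenticated identity; a spike points at one account."""
    counts = {}
    for msg in messages:
        who = msg["authid"] or "(unauthenticated)"
        counts[who] = counts.get(who, 0) + 1
    return counts


if __name__ == "__main__":
    msgs = attribute_messages(SAMPLE_LOG.splitlines())
    for msg in msgs:
        print(msg["qid"], msg["sender"], msg["relay"], "authid=%s" % msg["authid"])
    print(count_by_authid(msgs))
```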


Re: question on smtp AUTH

2007-01-13 Thread jdow

From: John Levine [EMAIL PROTECTED]


I am wondering about the possibility of someone using a working login

and password to send spam through my server. So here is my question;


That's depressingly common.  Look for abandoned or unused accounts
like guest/guest.


[EMAIL PROTECTED] - that causes me to wonder if you have a hacked web server
php script that is doing the sending.

{^_^}Joanne


Re: Sendmail and smtp-auth against passwd

2006-11-28 Thread Amarendra Godbole

On 11/27/06, Vince [EMAIL PROTECTED] wrote:


Matthias Fechner wrote:
 Hi,

 i tried to get smtp-auth against the pass working but it is not
 work. I must add users with saslpasswd2 to the sasldb but I want to
 auth my smtp users with their normal password without the need to
 add them to an additional db.

[...]

Okay, this probably does not answer your question, but I have found
postfix to be a lot easier to configure and use than sendmail.
You might wish to give it a try.

Best,
Amarendra


Re: Sendmail and smtp-auth against passwd

2006-11-28 Thread Matthias Fechner
Hi,

* Vince [EMAIL PROTECTED] [27-11-06 11:03]:
 define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
 TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')

thx for all the answers even the PMs I got.
I found the problem now:
The problem is/was if you have the two lines:
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')

sendmail uses the sasldb for authentication but if you replace them
with:
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl

everything works fine.

So it is necessary to disable strong authentication. It seems that
the saslauthd cannot handle it :(

Best regards,
Matthias

-- 

Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning. --
Rich Cook


Re: Sendmail and smtp-auth against passwd

2006-11-28 Thread Derek Ragona
SASL can and does fine with stronger authentication.  However, some clients 
do not.  Specifically Outlook doesn't support stronger authentication.


-Derek


At 09:17 AM 11/28/2006, Matthias Fechner wrote:

Hi,

* Vince [EMAIL PROTECTED] [27-11-06 11:03]:
 define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
 TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')

thx for all the answers even the PMs I got.
I found the problem now:
The problem is/was if you have the two lines:
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')

sendmail uses the sasldb for authentication but if you replace them
with:
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl

everything works fine.

So it is necessary to disable strong authentication. It seems that
the saslauthd cannot handle it :(

Best regards,
Matthias

--

Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning. --
Rich Cook


Re: Sendmail and smtp-auth against passwd

2006-11-27 Thread Vince

Matthias Fechner wrote:
 Hi,
 
 i tried to get smtp-auth against the pass working but it is not
 work. I must add users with saslpasswd2 to the sasldb but I want to
 auth my smtp users with their normal password without the need to
 add them to an additional db.
 
 What I did is:
 Installed sasl2authd from the ports.
 
 /etc/make.conf:
 # Add SMTP AUTH support to Sendmail
 SENDMAIL_CFLAGS+=   -I/usr/local/include -DSASL=2
 SENDMAIL_LDFLAGS+=  -L/usr/local/lib
 SENDMAIL_LDADD+=-lsasl2
 # Enable smtps for sendmail
 SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
 SENDMAIL_MILTER_IN_BASE=yes
 And recompiled sendmail in base.
 
 Edit /usr/local/lib/sasl2/Sendmail.conf:
 pwcheck_method: saslauthd
 
 Enabled saslauth in rc.conf and start it:
 saslauthd_enable=yes
 saslauthd_flags="-a getpwent"
 
 Edited my .mc file:
 dnl Enable smtp-auth
 FEATURE(`authinfo')
 define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
 define(`confAUTH_MECHANISMS',`LOGIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl
 define(`confRUN_AS_USER',`root:mail')dnl
 
 But it seems to me that sendmail isn't using saslauth instead it uses
 directly the sasldb so all things I configured in sasl2authd is useless.
 
 Has someone smtp-auth with sendmail against passwd running?
 
Hmm, I used the sendmail from ports, due to laziness (and at the time I
wasn't too familiar with FreeBSD's /etc/make.conf), but your config looks
ok. Also I use 6.x and at one point was using nss_ldap, so I use PAM,
which has the same effect as you are intending; it might be worth your
while trying that too.

.mc file
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')

Because of this (the plain bit) I also enabled ssl (self signed but who
cares here. It's just so the passwords don't go in cleartext)

dnl ### do STARTTLS
define(`confCACERT_PATH', `/usr/local/certs')dnl
define(`confCACERT', `/usr/local/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/usr/local/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/usr/local/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/usr/local/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/usr/local/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl

The sasl side:
[EMAIL PROTECTED]
(10:50:35 ~) 0 # cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd

/etc/rc.conf
#sasl auth for sendmail etc
saslauthd_enable=YES

This allows sasl2authd to use the default flags of
-a pam

I also have the following file in /etc/pam.d/

[EMAIL PROTECTED]
(10:54:55 ~) 0 # more /etc/pam.d/sendmail

# auth
#auth           required        pam_nologin.so          no_warn
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
#auth           sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
account         required        pam_unix.so
session         required        pam_unix.so

(excuse linewrap)
This works fine for me.
Good luck
Vince

 Best regards,
 Matthias
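
A check that can be run over the two .mc fragments in the exchange above, as an added example that is not part of either post or of sendmail itself. It relies on two facts that come from the Cyrus SASL and sendmail documentation rather than from this thread: saslauthd can only verify mechanisms that hand the password to the server (PLAIN, LOGIN), and the `p` flag of `confAUTH_OPTIONS` withholds those mechanisms until a security layer is active. The finding names and sample strings are constructed for the illustration.

```python
import re

# Constructed excerpts modelled on the two .mc fragments quoted in this thread.
MC_PASSWD = """\
dnl Enable smtp-auth
define(`confAUTH_MECHANISMS',`LOGIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl
define(`confRUN_AS_USER',`root:mail')dnl
"""
MC_PAM_TLS = """\
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
dnl define(`confAUTH_MECHANISMS', `PLAIN')dnl
define(`confSERVER_CERT', `/usr/local/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/usr/local/certs/sendmail.pem')dnl
"""

PLAINTEXT = {"PLAIN", "LOGIN"}              # password reaches the server; saslauthd can check it
SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5"}  # server needs the stored secret (auxprop, e.g. sasldb)

DEFINE_RE = re.compile(r"define\(\s*`(\w+)'\s*,\s*`([^']*)'\s*\)")
TRUST_RE = re.compile(r"TRUST_AUTH_MECH\(\s*`([^']*)'\s*\)")


def parse_mc(mc_text):
    """Collect define() values and TRUST_AUTH_MECH lists, ignoring dnl-commented lines."""
    defines, trusted = {}, []
    for line in mc_text.splitlines():
        line = line.strip()
        if line.startswith("dnl"):  # whole line is an m4 comment
            continue
        for name, value in DEFINE_RE.findall(line):
            defines[name] = value
        for value in TRUST_RE.findall(line):
            trusted.extend(value.split())
    return defines, trusted


def lint(mc_text, pwcheck_method="saslauthd"):
    """Return a dict of finding name -> list of affected mechanisms."""
    defines, trusted = parse_mc(mc_text)
    offered = defines.get("confAUTH_MECHANISMS", "").split()
    plaintext = [m for m in offered if m in PLAINTEXT]
    tls = "confSERVER_CERT" in defines and "confSERVER_KEY" in defines
    auth_opts = re.split(r"[\s,]+", defines.get("confAUTH_OPTIONS", ""))
    return {
        # Offered, but a saslauthd back end (getpwent, pam) cannot verify them.
        "NEEDS_SASLDB": [m for m in offered if m in SHARED_SECRET]
        if pwcheck_method == "saslauthd" else [],
        # Password-bearing mechanisms with no server certificate for STARTTLS.
        "CLEARTEXT_NO_TLS": [] if tls else plaintext,
        # TLS is configured, but nothing stops AUTH PLAIN before STARTTLS.
        "CLEARTEXT_BEFORE_STARTTLS": plaintext if tls and "p" not in auth_opts else [],
        # Authenticates, but is not listed as trusted for relaying.
        "NOT_TRUSTED_FOR_RELAY": [m for m in offered if m not in trusted],
    }


if __name__ == "__main__":
    for label, mc in (("passwd setup", MC_PASSWD), ("PAM + TLS setup", MC_PAM_TLS)):
        print(label)
        for finding, mechanisms in lint(mc).items():
            if mechanisms:
                print("  %-26s %s" % (finding, " ".join(mechanisms)))
```

A client that picks CRAM-MD5 or DIGEST-MD5 from the offer is checked against sasldb regardless of `pwcheck_method`, which is one thing to rule out when sendmail appears to bypass saslauthd.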
 



Re: Sendmail and smtp-auth against passwd

2006-11-27 Thread Derek Ragona
That is an issue with the sasl configuration.  sasl can be configured to 
read passwords from different locations, including a database.  You may 
need to reconfigure sasl or even rebuild it.


-Derek


At 09:20 PM 11/26/2006, Matthias Fechner wrote:

Hi,

I tried to get smtp-auth against the pass working but it is not
working. I must add users with saslpasswd2 to the sasldb but I want to
auth my smtp users with their normal password without the need to
add them to an additional db.

What I did is:
Installed sasl2authd from the ports.

/etc/make.conf:
# Add SMTP AUTH support to Sendmail
SENDMAIL_CFLAGS+=   -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+=  -L/usr/local/lib
SENDMAIL_LDADD+=    -lsasl2
# Enable smtps for sendmail
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
SENDMAIL_MILTER_IN_BASE=yes
And recompiled sendmail in base.

Edit /usr/local/lib/sasl2/Sendmail.conf:
pwcheck_method: saslauthd

Enabled saslauth in rc.conf and start it:
saslauthd_enable=yes
saslauthd_flags="-a getpwent"

Edited my .mc file:
dnl Enable smtp-auth
FEATURE(`authinfo')
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
define(`confAUTH_MECHANISMS',`LOGIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl
define(`confRUN_AS_USER',`root:mail')dnl

But it seems to me that sendmail isn't using saslauth; instead it uses
the sasldb directly, so all the things I configured in sasl2authd are useless.

Has someone smtp-auth with sendmail against passwd running?

Best regards,
Matthias

--

Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning. --
Rich Cook


Sendmail and smtp-auth against passwd

2006-11-26 Thread Matthias Fechner
Hi,

I tried to get smtp-auth against the pass working but it is not
working. I must add users with saslpasswd2 to the sasldb but I want to
auth my smtp users with their normal password without the need to
add them to an additional db.

What I did is:
Installed sasl2authd from the ports.

/etc/make.conf:
# Add SMTP AUTH support to Sendmail
SENDMAIL_CFLAGS+=   -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+=  -L/usr/local/lib
SENDMAIL_LDADD+=    -lsasl2
# Enable smtps for sendmail
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
SENDMAIL_MILTER_IN_BASE=yes
And recompiled sendmail in base.

Edit /usr/local/lib/sasl2/Sendmail.conf:
pwcheck_method: saslauthd

Enabled saslauth in rc.conf and start it:
saslauthd_enable=yes
saslauthd_flags="-a getpwent"

Edited my .mc file:
dnl Enable smtp-auth
FEATURE(`authinfo')
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
define(`confAUTH_MECHANISMS',`LOGIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl
define(`confRUN_AS_USER',`root:mail')dnl

But it seems to me that sendmail isn't using saslauth; instead it uses
the sasldb directly, so all the things I configured in sasl2authd are useless.

Has someone smtp-auth with sendmail against passwd running?

Best regards,
Matthias

-- 

Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning. --
Rich Cook


Re: SMTP-AUTH woes.

2006-08-13 Thread Martin Schweizer
Hello Greg

I did install a sendmail/Cyrus imap/sasldb2 system successfully. While
doing this I ran into a lot of trouble. If you're interested I can send you my
stuff about it.

Am Mon, Jul 31, 2006 at 07:50:56AM -0500 Greg Groth schrieb:
 Did you buildworld before you recompiled sendmail?  I've found that if I 
 buildworld, then before I recompile sendmail (to implement sasl2) I 
 have to make clean on my /usr/src, or else make will try to use what was 
 already recompiled for sendmail during the buildworld.
 
 hth,
 jonathan
 
 This is a relatively fresh install, and I did update my ports with 
 portsnap / portmanager, then cvsuped src-all and ran buildworld before 
 playing around with this.  I did not run make clean before the 
 buildworld process though.  I did attempt to rebuild just sendmail after 
 I started having these problems:
 
 cd /usr/src/usr.sbin/sendmail
 make clean
 make depend
 make
 make install
 
 Nothing changed though.
 
 I was thinking on this a bit further, and although I don't have any of 
 the error messages, I believe I was running into similar issues with 
 Postfix last week.  The box in question died on me, I don't have a 
 battery backup and we had a brownout.  While fscking the system because 
 of the first brownout, we had a second, which rendered the box useless. 
 I recall moving the unused sasl mechanisms out of 
 /usr/local/lib/sasl2 into a deactivated directory (per some how-tos), 
 and ended up with plain being the only mechanism left, and Postfix 
 started giving error messages about no mechanisms available and couldn't 
 seem to find plain text.  I figured I screwed something up with Postfix, 
 and went back to sendmail for this install until I had more time to play 
 around with Postfix.  I'll try the make clean / buildworld thing tonight 
 to see if that helps, and post back if it doesn't.
 
 Best regards,
 Greg Groth

-- 

Regards

Martin Schweizer
[EMAIL PROTECTED]

PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key : http://www.pc-service.ch/pgp/public_key.asc; 
fingerprint: EC21 CA4D 5C78 BC2D 73B7  10F9 C1AE 1691 D30F D239;





Re: SMTP-AUTH woes.

2006-08-13 Thread Greg Groth

Martin Schweizer wrote:

Hello Greg

I did install a sendmail/Cyrus imap/sasldb2 system successfully. While
doing this I ran into a lot of trouble. If you're interested I can send you my
stuff about it.


I ended up doing a reinstall, and got it working.  I also went with 
Dovecot this time around, and got that up and running as well. 
Everything was running well with Maildir, however I then tried to 
install spamassassin which ended up screwing something up.  Sendmail 
ended up placing everything in the mbox files in /var/mail, instead of 
~/Maildir.  Not sure what happened, but I could not fix it.  I ended up 
going back to Postfix, and that is at least delivering to ~/Maildir. 
SASL is working as it should though.  Just have to get spamassassin and 
luser_relay working now.


Greg Groth


Re: SMTP-AUTH woes.

2006-07-31 Thread Jonathan Horne
On Sunday 30 July 2006 23:21, Greg Groth wrote:
 FreeBSD 6.1
 saslauthd version 2.1.22
 sendmail version 8.13.6

 My problem is that sendmail is not authenticating plain text passwords.

  From my /etc/mail/hostname.mc file:

 define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
 TRUST_AUTH_MECH(`PLAIN LOGIN')dnl

 However when I telnet to the server I find the following:

 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5

  From my /etc/make.conf:

 SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
 SENDMAIL_LDFLAGS=-L/usr/local/lib
 SENDMAIL_LDADD=-lsasl2

  From my /usr/local/lib/sasl2/Sendmail.conf file:

 pwcheck_method: saslauthd

  From my /var/log/maillog file:

 Jul 30 23:08:01 mail sendmail[4061]: NOQUEUE: connect from [EMAIL PROTECTED]
 Jul 30 23:08:01 mail sendmail[4061]: STARTTLS: ServerCertFile missing
 Jul 30 23:08:01 mail sendmail[4061]: AUTH: available mech=NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
 Jul 30 23:08:01 mail sendmail[4061]: k6V481s5004061: Milter: no active filter

 Everything seems to be in place.  SASL is running, and is working fine
 with the included testing tools, but sendmail does not seem to be
 accepting plain text logins.  This is the same setup I have up and
 running on a 6.0 box, but it doesn't seem to be working now.  Any ideas
 on what I might have screwed up?

 TIA
 Greg Groth

Did you buildworld before you recompiled sendmail?  I've found that if I 
buildworld, then before I recompile sendmail (to implement sasl2) I have 
to make clean on my /usr/src, or else make will try to use what was already 
recompiled for sendmail during the buildworld.

hth,
jonathan


Re: SMTP-AUTH woes.

2006-07-31 Thread Greg Groth
Did you buildworld before you recompiled sendmail?  I've found that if I 
buildworld, then before I recompile sendmail (to implement sasl2) I have 
to make clean on my /usr/src, or else make will try to use what was already 
recompiled for sendmail during the buildworld.


hth,
jonathan


This is a relatively fresh install, and I did update my ports with 
portsnap / portmanager, then cvsuped src-all and ran buildworld before 
playing around with this.  I did not run make clean before the 
buildworld process though.  I did attempt to rebuild just sendmail after 
I started having these problems:


cd /usr/src/usr.sbin/sendmail
make clean
make depend
make
make install

Nothing changed though.

I was thinking on this a bit further, and although I don't have any of 
the error messages, I believe I was running into similar issues with 
Postfix last week.  The box in question died on me, I don't have a 
battery backup and we had a brownout.  While fscking the system because 
of the first brownout, we had a second, which rendered the box useless. 
   I recall moving the unused sasl mechanisms out of 
/usr/local/lib/sasl2 into a deactivated directory (per some how-tos), 
and ended up with plain being the only mechanism left, and Postfix 
started giving error messages about no mechanisms available and couldn't 
seem to find plain text.  I figured I screwed something up with Postfix, 
and went back to sendmail for this install until I had more time to play 
around with Postfix.  I'll try the make clean / buildworld thing tonight 
to see if that helps, and post back if it doesn't.


Best regards,
Greg Groth


SMTP-AUTH woes.

2006-07-30 Thread Greg Groth

FreeBSD 6.1
saslauthd version 2.1.22
sendmail version 8.13.6

My problem is that sendmail is not authenticating plain text passwords.

From my /etc/mail/hostname.mc file:

define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl

However when I telnet to the server I find the following:

250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5

From my /etc/make.conf:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

From my /usr/local/lib/sasl2/Sendmail.conf file:

pwcheck_method: saslauthd

From my /var/log/maillog file:

Jul 30 23:08:01 mail sendmail[4061]: NOQUEUE: connect from [EMAIL PROTECTED]
Jul 30 23:08:01 mail sendmail[4061]: STARTTLS: ServerCertFile missing
Jul 30 23:08:01 mail sendmail[4061]: AUTH: available mech=NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
Jul 30 23:08:01 mail sendmail[4061]: k6V481s5004061: Milter: no active filter


Everything seems to be in place.  SASL is running, and is working fine 
with the included testing tools, but sendmail does not seem to be 
accepting plain text logins.  This is the same setup I have up and 
running on a 6.0 box, but it doesn't seem to be working now.  Any ideas 
on what I might have screwed up?


TIA
Greg Groth
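
The evidence in the post above can be cross-checked mechanically; the following is an added example, not part of the original post and not sendmail code. It takes the three things the post quotes (the .mc mechanism list, the EHLO `250-AUTH` line and the maillog excerpt) and compares them: the advertised list should equal the log's "available" list filtered by its "allowed" list, and any mechanism configured in the .mc but absent from "allowed" shows that the running daemon is not using that setting. The function names and report keys are constructed for the illustration.

```python
import re

# Constructed input: the .mc setting, EHLO line and maillog excerpt from the post
# above, with the log kept line-wrapped the way the mail client wrapped it.
CONFIGURED = "PLAIN LOGIN"
EHLO_LINE = "250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5"
MAILLOG = """\
Jul 30 23:08:01 mail sendmail[4061]: STARTTLS: ServerCertFile missing
Jul 30 23:08:01 mail sendmail[4061]: AUTH: available mech=NTLM LOGIN
ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5, allowed mech=EXTERNAL
GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
Jul 30 23:08:01 mail sendmail[4061]: k6V481s5004061: Milter: no active
filter
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
AUTH_RE = re.compile(r"AUTH: available mech=([^,]*), allowed mech=(.*)$")
EHLO_RE = re.compile(r"^250[- ]AUTH[ =](.*)$")
CLEARTEXT = {"PLAIN", "LOGIN"}  # the password itself crosses the wire (base64 only)


def unwrap(log_text):
    """Re-join continuation lines: anything not starting with a syslog timestamp."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def mech_list(text):
    return [m.upper() for m in text.split()]


def diagnose(configured, ehlo_line, log_text):
    """Compare configured, allowed, available and advertised AUTH mechanisms."""
    records = unwrap(log_text)
    auth = None
    for rec in records:
        m = AUTH_RE.search(rec)
        if m:
            auth = m  # keep the most recent AUTH record
    if auth is None:
        raise ValueError("no 'AUTH: available mech=' record in the log")
    available, allowed = mech_list(auth.group(1)), mech_list(auth.group(2))
    want = mech_list(configured)
    ehlo = EHLO_RE.match(ehlo_line.strip())
    advertised = mech_list(ehlo.group(1)) if ehlo else []
    expected = [m for m in available if m in allowed]
    no_cert = any("STARTTLS: ServerCertFile missing" in r for r in records)
    return {
        "expected_offer": expected,
        "advertised": advertised,
        "consistent": set(expected) == set(advertised),
        # Configured in the .mc but not in the daemon's allowed list.
        "configured_not_allowed": [m for m in want if m not in allowed],
        # Configured but not provided by the installed SASL plugins.
        "configured_not_available": [m for m in want if m not in available],
        # Password-bearing mechanisms requested while STARTTLS has no certificate.
        "cleartext_without_tls": sorted(CLEARTEXT & set(want)) if no_cert else [],
    }


if __name__ == "__main__":
    for key, value in diagnose(CONFIGURED, EHLO_LINE, MAILLOG).items():
        print("%-26s %s" % (key, value))
```

On this input the SASL library does provide PLAIN and LOGIN; they are missing only from the daemon's allowed list, and with `ServerCertFile missing` they would be offered without STARTTLS once allowed.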


sendmail / smtp auth

2005-11-21 Thread Martin Schweizer
Hello 

I have read a lot about sendmail's smtp auth function on Google, sendmail.org,
the O'Reilly sendmail book and FreeBSD's handbook etc. But now I'm very confused.
My setup (all stuff from updated /usr/ports):
FreeBSD 5.4
sendmail 8.13.3
Cyrus IMAP 2.2.12
Cyrus SASL2 2.1.21
MailScanner 4.46.2

After I configured sendmail for smtp auth (as described in FreeBSD's
handbook) all mails are no longer delivered to cyrus imapd. They are now delivered
locally to root. I only changed /etc/mail/sendmail.mc and /etc/mail/auth-info
(see attached). If I roll back to no smtp auth then all works like a charm. My
goals are to use sendmail for client relaying (for mobile users) and to have
sendmail send mails with smtp auth to another mail server.
Any hints are welcome.

sendmail.mc:

divert(-1)
divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.29 2003/12/24 21:15:09 gshapiro Exp $')
OSTYPE(freebsd5)
DOMAIN(generic)

FEATURE(access_db, `hash -o -TTMPF /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

FEATURE(dnsbl, `relays.ordb.org', `550 Mail rejected - see http://www.ordb.org/faq;')
FEATURE(dnsbl, `sbl.spamhaus.org', `550 Mail rejected - see http://www.spamhaus.org/SBL;')

dnl Dialup users should uncomment and define this appropriately
define(`SMART_HOST', `[195.186.18.142]')

define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
dnl define(`confAUTH_MECHANISMS', `PLAIN')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

define(`confBIND_OPTS', `WorkAroundBroken')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
dnl Change for Cyrus
define(`confLOCAL_MAILER', `cyrusv2')

MAILER(local)
MAILER(smtp)
dnl Change for Cyrus
MAILER(`cyrusv2')

auth-info:
**
martin
martin
blabla
pcs.ms
PLAIN

-- 

Regards

Martin Schweizer
[EMAIL PROTECTED]

PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key : http://www.pc-service.ch/pgp/public_key.asc; 
fingerprint: EC21 CA4D 5C78 BC2D 73B7  10F9 C1AE 1691 D30F D239;





Re: MailScanner / SMTP Auth

2005-11-17 Thread Martin Hepworth
Hi

looks like you found it then...

--
Martin

On 11/15/05, Martin Schweizer [EMAIL PROTECTED] wrote:

 Hello Martin

 I checked the archive but didn't find the thread. Which target words
 should I check in the archive?

 Am Mon, Nov 14, 2005 at 07:45:15PM + Martin Hepworth schrieb:
  Martin
  there's been a thread on this in the MailScanner email list over the
 last
  couple of days - check it out...
 --

 Regards

 Martin Schweizer
 [EMAIL PROTECTED]

 PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
 Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
 public key : http://www.pc-service.ch/pgp/public_key.asc;
 fingerprint: EC21 CA4D 5C78 BC2D 73B7 10F9 C1AE 1691 D30F D239;






Re: MailScanner / SMTP Auth

2005-11-15 Thread Martin Schweizer
Hello Martin

I checked the archive but didn't find the thread. Which target words 
should I check in the archive?

Am Mon, Nov 14, 2005 at 07:45:15PM + Martin Hepworth schrieb:
 Martin
 there's been a thread on this in the MailScanner email list over the last
 couple of days - check it out...
-- 

Regards

Martin Schweizer
[EMAIL PROTECTED]

PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key : http://www.pc-service.ch/pgp/public_key.asc; 
fingerprint: EC21 CA4D 5C78 BC2D 73B7  10F9 C1AE 1691 D30F D239;





MailScanner / SMTP Auth

2005-11-14 Thread Martin Schweizer
Hello

Until now I have run sendmail, mailscanner and cyrus-imapd without any problems.
Now I want to update sendmail with SMTP Auth. I updated my sendmail.mc as
described in
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html. But
after this all new mails are only delivered locally to root (no more to cyrus).
Below attached is my sendmail.mc. Is there anybody who has the
same setup? Are there any pitfalls?
My system: FreeBSD 5.4, sendmail 8.13.3, cyrus IMAP4 2.2.12

Any hints are welcome.
-- 

Regards

Martin 

[EMAIL PROTECTED]

PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key : http://www.pc-service.ch/pgp/public_key.asc; 
fingerprint: EC21 CA4D 5C78 BC2D 73B7  10F9 C1AE 1691 D30F D239;





Fwd: MailScanner / SMTP Auth

2005-11-14 Thread Martin Schweizer
Sorry, forgot to attach the sendmail.mc

Hello

Until now I have run sendmail, mailscanner and cyrus-imapd without any problems.
Now I want to update sendmail with SMTP Auth. I updated my sendmail.mc as
described in
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html. But
after this all new mails are only delivered locally to root (no more to cyrus).
Below attached is my sendmail.mc. Is there anybody who has the
same setup? Are there any pitfalls?
My system: FreeBSD 5.4, sendmail 8.13.3, cyrus IMAP4 2.2.12

Any hints are welcome.


divert(-1)
#
# Copyright (c) 1983 Eric P. Allman
# Copyright (c) 1988, 1993
#   The Regents of the University of California.  All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#notice, this list of conditions and the following disclaimer in the
#documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#must display the following acknowledgement:
#   This product includes software developed by the University of
#   California, Berkeley and its contributors.
# 4. Neither the name of the University nor the names of its contributors
#may be used to endorse or promote products derived from this software
#without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#

#
#  This is a generic configuration file for FreeBSD 5.X and later systems.
#  If you want to customize it, copy it to a name appropriate for your
#  environment and do the modifications there.
#
#  The best documentation for this .mc file is:
#  /usr/share/sendmail/cf/README or
#  /usr/src/contrib/sendmail/cf/README
#

divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.29 2003/12/24 21:15:09 gshapiro Exp $')
OSTYPE(freebsd5)
DOMAIN(generic)

FEATURE(access_db, `hash -o -TTMPF /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl   your permission.
dnl FEATURE(relay_based_on_MX)

dnl DNS based black hole lists
dnl 
dnl DNS based black hole lists come and go on a regular basis
dnl so this file will not serve as a database of the available servers.
dnl For that, visit
dnl http://directory.google.com/Top/Computers/Internet/Abuse/Spam/Blacklists/

dnl Uncomment to activate Realtime Blackhole List
dnl information available at http://www.mail-abuse.com/
dnl NOTE: This is a subscription service as of July 31, 2001
dnl FEATURE(dnsbl)
dnl Alternatively, you can provide your own server and rejection message:
dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `550 Mail from  ${client_addr}  rejected, see http://mail-abuse.org/cgi-bin/lookup?; ${client_addr}')
FEATURE(dnsbl, `relays.ordb.org', `550 Mail rejected - see http://www.ordb.org/faq;')
FEATURE(dnsbl, `sbl.spamhaus.org', `550 Mail rejected - see http://www.spamhaus.org/SBL;')

dnl Dialup users should uncomment and define this appropriately
define(`SMART_HOST', `[195.186.18.142]')

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

define(`confBIND_OPTS', `WorkAroundBroken')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS

Re: Fwd: MailScanner / SMTP Auth

2005-11-14 Thread Sasa Stupar



--On 14. november 2005 10:15 +0100 Martin Schweizer 
[EMAIL PROTECTED] wrote:



Sorry, forgot to attach the sendmail.mc

Hello

Until now I have run sendmail, mailscanner and cyrus-imapd without any
problems. Now I want to update sendmail with SMTP Auth. I updated my
sendmail.mc as described in
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html.
But after this all new mails are only delivered locally to root (no more to
cyrus).  Below attached is my sendmail.mc. Is there anybody who has the
same setup? Are there any pitfalls?
My system: FreeBSD 5.4, sendmail 8.13.3, cyrus IMAP4 2.2.12

Any hints are welcome.


divert(-1)
#
# Copyright (c) 1983 Eric P. Allman
# Copyright (c) 1988, 1993
#   The Regents of the University of California.  All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#notice, this list of conditions and the following disclaimer in the
#documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#must display the following acknowledgement:
#   This product includes software developed by the University of
#   California, Berkeley and its contributors.
# 4. Neither the name of the University nor the names of its contributors
#may be used to endorse or promote products derived from this software
#without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#

#
#  This is a generic configuration file for FreeBSD 5.X and later systems.
#  If you want to customize it, copy it to a name appropriate for your
#  environment and do the modifications there.
#
#  The best documentation for this .mc file is:
#  /usr/share/sendmail/cf/README or
#  /usr/src/contrib/sendmail/cf/README
#

divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.29 2003/12/24
21:15:09 gshapiro Exp $') OSTYPE(freebsd5)
DOMAIN(generic)

FEATURE(access_db, `hash -o -TTMPF /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl   your permission.
dnl FEATURE(relay_based_on_MX)

dnl DNS based black hole lists
dnl 
dnl DNS based black hole lists come and go on a regular basis
dnl so this file will not serve as a database of the available servers.
dnl For that, visit
dnl
http://directory.google.com/Top/Computers/Internet/Abuse/Spam/Blacklists/

dnl Uncomment to activate Realtime Blackhole List
dnl information available at http://www.mail-abuse.com/
dnl NOTE: This is a subscription service as of July 31, 2001
dnl FEATURE(dnsbl)
dnl Alternatively, you can provide your own server and rejection message:
dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `550 Mail from 
${client_addr}  rejected, see http://mail-abuse.org/cgi-bin/lookup?;
${client_addr}') FEATURE(dnsbl, `relays.ordb.org', `550 Mail rejected -
see http://www.ordb.org/faq;') FEATURE(dnsbl, `sbl.spamhaus.org', `550
Mail rejected - see http://www.spamhaus.org/SBL;')

dnl Dialup users should uncomment and define this appropriately
define(`SMART_HOST', `[195.186.18.142]')

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

define(`confBIND_OPTS', `WorkAroundBroken

Re: Fwd: MailScanner / SMTP Auth

2005-11-14 Thread Greg Maruszeczka
Sasa Stupar wrote:
 
 
 --On 14. november 2005 10:15 +0100 Martin Schweizer
 [EMAIL PROTECTED] wrote:
 
 Sorry, forgot to attach the sendmail.mc

 Hello

 Until now I have run sendmail, mailscanner and cyrus-imapd without any
 problems. Now I want to update sendmail with SMTP Auth. I updated my
 sendmail.mc as described in
 http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html.
 But after this all new mails are only delivered locally to root (no more to
 cyrus).  Below attached is my sendmail.mc. Is there anybody who has the
 same setup? Are there any pitfalls?
 My system: FreeBSD 5.4, sendmail 8.13.3, cyrus IMAP4 2.2.12

 Any hints are welcome.


 divert(-1)
 #
 # Copyright (c) 1983 Eric P. Allman
 # Copyright (c) 1988, 1993
 #The Regents of the University of California.  All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 # 1. Redistributions of source code must retain the above copyright
 #notice, this list of conditions and the following disclaimer.
 # 2. Redistributions in binary form must reproduce the above copyright
 #notice, this list of conditions and the following disclaimer in the
 #documentation and/or other materials provided with the distribution.
 # 3. All advertising materials mentioning features or use of this
 software
 #must display the following acknowledgement:
 #This product includes software developed by the University of
 #California, Berkeley and its contributors.
 # 4. Neither the name of the University nor the names of its contributors
 #may be used to endorse or promote products derived from this
 software
 #without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 # PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS
 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 BUSINESS
 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 # THE POSSIBILITY OF SUCH DAMAGE.
 #

 #
 #  This is a generic configuration file for FreeBSD 5.X and later
 systems.
 #  If you want to customize it, copy it to a name appropriate for your
 #  environment and do the modifications there.
 #
 #  The best documentation for this .mc file is:
 #  /usr/share/sendmail/cf/README or
 #  /usr/src/contrib/sendmail/cf/README
 #

 divert(0)
 VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.29 2003/12/24
 21:15:09 gshapiro Exp $') OSTYPE(freebsd5)
 DOMAIN(generic)

 FEATURE(access_db, `hash -o -TTMPF /etc/mail/access')
 FEATURE(blacklist_recipients)
 FEATURE(local_lmtp)
 FEATURE(mailertable, `hash -o /etc/mail/mailertable')
 FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

 dnl Uncomment to allow relaying based on your MX records.
 dnl NOTE: This can allow sites to use your server as a backup MX without
 dnl   your permission.
 dnl FEATURE(relay_based_on_MX)

 dnl DNS based black hole lists
 dnl 
 dnl DNS based black hole lists come and go on a regular basis
 dnl so this file will not serve as a database of the available servers.
 dnl For that, visit
 dnl
 http://directory.google.com/Top/Computers/Internet/Abuse/Spam/Blacklists/

 dnl Uncomment to activate Realtime Blackhole List
 dnl information available at http://www.mail-abuse.com/
 dnl NOTE: This is a subscription service as of July 31, 2001
 dnl FEATURE(dnsbl)
 dnl Alternatively, you can provide your own server and rejection message:
 dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `550 Mail from 
 ${client_addr}  rejected, see http://mail-abuse.org/cgi-bin/lookup?;
 ${client_addr}') FEATURE(dnsbl, `relays.ordb.org', `550 Mail rejected -
 see http://www.ordb.org/faq;') FEATURE(dnsbl, `sbl.spamhaus.org', `550
 Mail rejected - see http://www.spamhaus.org/SBL;')

 dnl Dialup users should uncomment and define this appropriately
 define(`SMART_HOST', `[195.186.18.142]')

 dnl Uncomment the first line to change the location of the default
 dnl /etc/mail/local-host-names and comment out the second line.
 dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
 define(`confCW_FILE', `-o /etc/mail/local-host-names')

 dnl Enable for both IPv4 and IPv6 (optional)
 DAEMON_OPTIONS(`Name=IPv4, Family=inet')
 DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

 dnl set SASL options
 TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

Re: MailScanner / SMTP Auth

2005-11-14 Thread Martin Hepworth
Martin
there's been a thread on this in the MailScanner email list over the last
couple of days - check it out...

--
Martin

On 11/14/05, Martin Schweizer [EMAIL PROTECTED] wrote:

 Hello

 Until now I run sendmail, mailscanner and cyrus-imapd without any
 problems. Now I
 want to update sendmail with SMTP Auth. I updated my sendmail.mc like
 described in
 http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html.
 But
 after this all new mails only delivered local to root (no more to cyrus).
 Below attached is my sendmail.mc. Is there anybody
 who has the
 same setup? Are there any pitfalls?
 My system: FreeBSD 5.4, sendmail 8.13.3, cyrus IMAP4 2.2.12

 Any hints are welcome.
 --

 Regards

 Martin

 [EMAIL PROTECTED]

 PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
 Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
 public key : http://www.pc-service.ch/pgp/public_key.asc;
 fingerprint: EC21 CA4D 5C78 BC2D 73B7 10F9 C1AE 1691 D30F D239;






Error making Sendmail with SMTP AUTH

2005-04-18 Thread Nick
I am trying to set up SMTP AUTH per the handbook section 22.10.  I have 
FreeBSD 5.3 and have installed cyrus-sasl-2.1.19_1; cyrus-sasl-1.5.28_3 
is also present.  I have set pwcheck_method: passwd and added the 3 
lines to make.conf.  I am trying to recompile Sendmail and the make 
outputs ends as below:

cc -O -pipe  -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src 
-I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include -I. -DNEWDB 
-DNIS -DTCPWRAPPERS -DMAP_REGEX -DDNSMAP -DNETINET6 -DSTARTTLS 
-D_FFR_TLS_1 -I/usr/local/include/sasl1 -DSASL   -L/usr/local/lib -o 
sendmail alias.o arpadate.o bf.o collect.o conf.o control.o convtime.o 
daemon.o deliver.o domain.o envelope.o err.o headers.o macro.o main.o 
map.o mci.o milter.o mime.o parseaddr.o queue.o ratectrl.o readcf.o 
recipient.o savemail.o sasl.o sfsasl.o shmticklib.o sm_resolve.o 
srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o udb.o 
usersmtp.o util.o version.o -lutil -lwrap 
/usr/src/lib/libsmutil/libsmutil.a /usr/src/lib/libsm/libsm.a -lssl 
-lcrypto -lsasl
cc: /usr/src/lib/libsmutil/libsmutil.a: No such file or directory
cc: /usr/src/lib/libsm/libsm.a: No such file or directory
*** Error code 1

What am I doing wrong?
Thanks,
Nick


Re: Error making Sendmail with SMTP AUTH

2005-04-18 Thread [EMAIL PROTECTED]
Nick wrote:
 I am trying to set up SMTP AUTH per the handbook section 22.10.  I have
 FreeBSD 5.3 and have installed cyrus-sasl-2.1.19_1; cyrus-sasl-1.5.28_3
 is also present.  I have set pwcheck_method: passwd and added the 3
 lines to make.conf.  I am trying to recompile Sendmail and the make
 outputs ends as below:
 
 cc -O -pipe  -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src
 -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include -I. -DNEWDB
 -DNIS -DTCPWRAPPERS -DMAP_REGEX -DDNSMAP -DNETINET6 -DSTARTTLS
 -D_FFR_TLS_1 -I/usr/local/include/sasl1 -DSASL   -L/usr/local/lib -o
 sendmail alias.o arpadate.o bf.o collect.o conf.o control.o convtime.o
 daemon.o deliver.o domain.o envelope.o err.o headers.o macro.o main.o
 map.o mci.o milter.o mime.o parseaddr.o queue.o ratectrl.o readcf.o
 recipient.o savemail.o sasl.o sfsasl.o shmticklib.o sm_resolve.o
 srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o udb.o
 usersmtp.o util.o version.o -lutil -lwrap
 /usr/src/lib/libsmutil/libsmutil.a /usr/src/lib/libsm/libsm.a -lssl
 -lcrypto -lsasl
 cc: /usr/src/lib/libsmutil/libsmutil.a: No such file or directory
 cc: /usr/src/lib/libsm/libsm.a: No such file or directory
 *** Error code 1
 
 What am I doing wrong?
 


Show us your /etc/make.conf and the actual commands you're using to
(re)compile sendmail.

Also, you should consider removing one of the cyrus-sasl versions unless
you know you need both (preferably saslv1 as I think it's nearing EOL).

G


Re: Error making Sendmail with SMTP AUTH

2005-04-18 Thread Nick
Hi Greg
$ m make.conf
# -- use.perl generated deltas -- #
# Created: Sat Nov 20 20:42:01 2004
# Setting to use base perl from ports:
PERL_VER=5.8.5
PERL_VERSION=5.8.5
PERL_ARCH=mach
NOPERL=yo
NO_PERL=yo
NO_PERL_WRAPPER=yo
SENDMAIL_CFLAGS=-I/usr/local/include/sasl1 -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl
and
# cd /usr/src/usr.sbin/sendmail
# make cleandir
# make obj
# make   error text generated at this point
# make install
Thanks,
Nick
[EMAIL PROTECTED] wrote:
Nick wrote:
 

I am trying to set up SMTP AUTH per the handbook section 22.10.  I have
FreeBSD 5.3 and have installed cyrus-sasl-2.1.19_1; cyrus-sasl-1.5.28_3
is also present.  I have set pwcheck_method: passwd and added the 3
lines to make.conf.  I am trying to recompile Sendmail and the make
outputs ends as below:
cc -O -pipe  -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src
-I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include -I. -DNEWDB
-DNIS -DTCPWRAPPERS -DMAP_REGEX -DDNSMAP -DNETINET6 -DSTARTTLS
-D_FFR_TLS_1 -I/usr/local/include/sasl1 -DSASL   -L/usr/local/lib -o
sendmail alias.o arpadate.o bf.o collect.o conf.o control.o convtime.o
daemon.o deliver.o domain.o envelope.o err.o headers.o macro.o main.o
map.o mci.o milter.o mime.o parseaddr.o queue.o ratectrl.o readcf.o
recipient.o savemail.o sasl.o sfsasl.o shmticklib.o sm_resolve.o
srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o udb.o
usersmtp.o util.o version.o -lutil -lwrap
/usr/src/lib/libsmutil/libsmutil.a /usr/src/lib/libsm/libsm.a -lssl
-lcrypto -lsasl
cc: /usr/src/lib/libsmutil/libsmutil.a: No such file or directory
cc: /usr/src/lib/libsm/libsm.a: No such file or directory
*** Error code 1
What am I doing wrong?
   


Show us your /etc/make.conf and the actual commands you're using to
(re)compile sendmail.
Also, you should consider removing one of the cyrus-sasl versions unless
you know you need both (preferably saslv1 as I think it's nearing EOL).
G


Re: Error making Sendmail with SMTP AUTH

2005-04-18 Thread [EMAIL PROTECTED]
Nick wrote:
 Hi Greg
 
 $ m make.conf
 # -- use.perl generated deltas -- #
 # Created: Sat Nov 20 20:42:01 2004
 # Setting to use base perl from ports:
 PERL_VER=5.8.5
 PERL_VERSION=5.8.5
 PERL_ARCH=mach
 NOPERL=yo
 NO_PERL=yo
 NO_PERL_WRAPPER=yo
 SENDMAIL_CFLAGS=-I/usr/local/include/sasl1 -DSASL
 SENDMAIL_LDFLAGS=-L/usr/local/lib
 SENDMAIL_LDADD=-lsasl
 
 and
 
 # cd /usr/src/usr.sbin/sendmail
 # make cleandir
 # make obj
 # make   error text generated at this point
 # make install
 


Nick:

I haven't used saslv1 in a long time but I used to use sendmail auth on
FBSD 5.3 (before recently moving to Postfix) that used SASLv2 with
sendmail quite successfully. The following lines are taken verbatim from
its /etc/make.conf:

SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+= -L/usr/local/lib
SENDMAIL_LDADD+= -lsasl2

I would try removing the old cyrus-sasl first, then use the above lines
to tell sendmail to build against saslv2 and then do a complete `make
world` if this is practical in your environment.

I suspect your problem might stem from some confusion over having both
sasl versions on the system. Another possibility is the documentation
you took the syntax for make.conf from is incorrect.

Maybe someone else on the list can shed more light on this...

Hope that helps,

G



Re: freebsd sendmail smtp auth

2005-03-01 Thread Oliver Fuchs
On Sun, 27 Feb 2005, Noah wrote:

 sendmail 8.13.3
 
 I have looked over three different SMTP AUTH tutorials for sendmail and they
 dont fully cover the configuration or I am completely misreading them. 
 
 somebody please send me to a really good site to explain how to set up SMTP 
 AUTH.
 
 thank you in advance,
 
 Noah

Hi,

1) make sure you are running sendmail with sasl-support. Try
   sendmail -bt -d0.1
   to see if sasl support is enabled.
   If not recompile sendmail or install the sendmail with sasl support
   package (sendmail+tls+sasl2-8.13.1) and cyrus-sasl-saslauthd-2.1.19
   (see then /usr/local/share/doc/cyrus-sasl2/Sendmail.README)
2) a) Add this from cyrus-sasl documentation to your sendmail.mc:
dnl ###
dnl # From cyrus-sasl Sendmail-README #
dnl ###
dnl # The group needs to be mail in order
dnl # to read the sasldb2 file
define(`confRUN_AS_USER',`root:mail')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS',`DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl

   b) Enable smtp authentication to your sendmail.mc file e.g.:
dnl ###
dnl # SMTP AUTHENTICATION #
dnl ###
define(`SMART_HOST',`[me.myself.andI]')dnl
FEATURE(`authinfo')dnl
   The FEATURE(`authinfo') is optional (see the cf.README of
   sendmail for this). Create an /etc/mail/authinfo file (it should not be
   readable by anyone). The authinfo file should contain something like this:
AuthInfo:me.myself.andI U:myusername P:mypassword
   Then cd to /etc/mail and do:
   makemap hash authinfo < authinfo
   chmod 600 authinfo authinfo.db

3) Install your new sendmail.mc file, restart sendmail and test your 
configuration.

Oliver
-- 
... don't touch the bang bang fruit


freebsd sendmail smtp auth

2005-02-27 Thread Noah
sendmail 8.13.3

I have looked over three different SMTP AUTH tutorials for sendmail and they
dont fully cover the configuration or I am completely misreading them. 

somebody please send me to a really good site to explain how to set up SMTP 
AUTH.

thank you in advance,

Noah



bind+postfix+courier+sals+amavis+spamassian+pop3+mysql+apache+smtp-auth

2004-12-19 Thread tethys ocean
Hmmzz 
yep,  I want to do this but my packet version conflicted..

FreeBSD 5.3 stable
Mysql-server-5.0.1
Bind9-9.3.0 (for only dns cahe) 
Postfix-2.2.20041008,2  (also for GUI postfix-admin)
Courier-Imap-3.0.8.1
Cyrus-sasl-2.1.20
Apache-2.0.52_3 
Amavisd (clamav + spamassassin) 
Sqwebmail (for webmail and also very important that is user must be
change his/her passwd)

I saw openwebmail, it's very nice, but the passwd change option hasn't been
in the packet so I gave up using it.

Why all the packets conflict with each other I couldn't understand.
A lot of virtual hosts, and I must find a POP3 compatible with courier-imap,
and also a very, very important point is SMTP-AUTH in POP3 for virtual
users and quota for virtual users, and they can change their passwd
from webmail.


and also I had look a lots of document such as
http://www.high5.net/howto/
http://yocum.org/faqs/postfix-tls-sasl.html
http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO.pdf


Shortly: I have a lot of virtual users that must reach webmail and also POP3,
and prevent their mailboxes from spam and viruses, and also they must
change their own passwd, and the pop3 daemon must be smtp-auth depending on
their username and passwd. AND also my staff may manage web tools (with GUI):
they can create new virtual users and may give quota and aliases,
virtusertable etc... and the important point: I don't want to use sendmail.

:((  



On Sat, 18 Dec 2004 21:27:12 +0100, martin hudec [EMAIL PROTECTED] wrote:
 Hello,
 
 On Sat, Dec 18, 2004 at 10:10:22PM +0200 or thereabouts, tethys ocean wrote:
 
  I set that but I need pop3 because we have got a lots of virtual host
 
  I must look for  pop3  competible with courier-imap isnt it?!
 
 
 courier-imap is able to serve its maildirs (no, not mbox) using IMAP and
 POP3, both with secure variants. You can use mysql as authentication
 backend with sasl. I am using this solution with postfix as smtp
 server (also with user and virtual data in mysql), amavisd (clamav +
 spamassassin) as spam/virus filter. I am just bit sad that openwebmail
 is not working with maildirs, so I use horde/imp application instead
 to provide webmail services.
 
 
 Cheers,
 
 Martin
 
 --
 martin hudec
 
* 421 907 303 393
* [EMAIL PROTECTED]
* http://www.aeternal.net
 
 Nothing travels faster than the speed of light with the possible
 exception of bad news, which obeys its own special laws.
 
Douglas Adams, The Hitchhiker's Guide to the Galaxy
 
 



bind+postfix+courier+sals+amavis+spamassian+pop3+mysql+apache+smtp-auth

2004-12-18 Thread tethys ocean
Hi all,

I want to setup a mail server Freebsd 5.3 bind 9.0 (dnscahce)
+mysql4.0+postfix2.2.20040829,2+courier+sasl  etc

in the beginning of my installation I am taking such error message 

courier-mysql-0.45.4 conflicts with installed pakages(s)
postfix-2.2.20040829,2

They  install files into the same places.
Please remover..

What can I do? I looked a lots of document but I coulnt actual solutions..

any comment?!

Thanks a lots


bind+postfix+courier+sals+amavis+spamassian+pop3+mysql+apache+smtp-auth

2004-12-18 Thread martin hudec
Hello,

On Sat, Dec 18, 2004 at 09:38:52PM +0200 or thereabouts, tethys ocean wrote:
 
 I want to setup a mail server Freebsd 5.3 bind 9.0 (dnscahce)
 +mysql4.0+postfix2.2.20040829,2+courier+sasl  etc
 
 in the beginning of my installation I am taking such error message 
 
 courier-mysql-0.45.4 conflicts with installed pakages(s)
 postfix-2.2.20040829,2


you want probably to have complex mail solution, and you
would like to use mail/courier-imap port, right?

Standard mail/courier can be used as smtp server, so it is
obvious that it would conflict with your installed postfix (or
qmail, etc.). Look into Makefile for conflicting packages.


Cheers,

Martin


-- 
martin hudec


   * 421 907 303 393
   * [EMAIL PROTECTED]
   * http://www.aeternal.net

Nothing travels faster than the speed of light with the possible 
exception of bad news, which obeys its own special laws.

   Douglas Adams, The Hitchhiker's Guide to the Galaxy




bind+postfix+courier+sals+amavis+spamassian+pop3+mysql+apache+smtp-auth

2004-12-18 Thread tethys ocean
Hi,

I check confiliction package mysql pakages confilict 

and I found this document

http://www.syntheticzero.com/howto/vmail.php

and also in this paragraph

Notes for FreeBSD users: The courier-imap port in freebsd is kinda
messed up with regards to getting the mysql auth stuff to compile...
find .if !defined(WITH_MYSQL) in the Makefile and change this:

  PLIST_SUB+= MYSQLFLAG=
endif

to this:

  PLIST_SUB+= MYSQLFLAG=
  CONFIGURE_ARGS+=  \
--with-authmysql --with-mysql-libs=/usr/local/lib/mysql/ \
--with-mysql-includes=/usr/local/include/mysql
  endif


I set that but I need pop3 because we have got a lots of virtual host 

I must look for  pop3  competible with courier-imap isnt it?!

H.O.


On Sat, 18 Dec 2004 20:58:21 +0100, martin hudec [EMAIL PROTECTED] wrote:
 Hello,
 
 On Sat, Dec 18, 2004 at 09:38:52PM +0200 or thereabouts, tethys ocean wrote:
 
  I want to setup a mail server Freebsd 5.3 bind 9.0 (dnscahce)
  +mysql4.0+postfix2.2.20040829,2+courier+sasl  etc
 
  in the beginning of my installation I am taking such error message
 
  courier-mysql-0.45.4 conflicts with installed pakages(s)
  postfix-2.2.20040829,2
 
 
 you want probably to have complex mail solution, and you
 would like to use mail/courier-imap port, right?
 
 Standard mail/courier can be used as smtp server, so it is
 obvious that it would conflict with your installed postfix (or
 qmail, etc.). Look into Makefile for conflicting packages.
 
 Cheers,
 
 Martin
 
 --
 martin hudec
 
* 421 907 303 393
* [EMAIL PROTECTED]
* http://www.aeternal.net
 
 Nothing travels faster than the speed of light with the possible
 exception of bad news, which obeys its own special laws.
 
Douglas Adams, The Hitchhiker's Guide to the Galaxy
 
 



bind+postfix+courier+sals+amavis+spamassian+pop3+mysql+apache+smtp-auth

2004-12-18 Thread martin hudec
Hello,

On Sat, Dec 18, 2004 at 10:10:22PM +0200 or thereabouts, tethys ocean wrote:
 
 I set that but I need pop3 because we have got a lots of virtual host 
 
 I must look for  pop3  competible with courier-imap isnt it?!
 

courier-imap is able to serve its maildirs (no, not mbox) using IMAP and
POP3, both with secure variants. You can use mysql as authentication
backend with sasl. I am using this solution with postfix as smtp
server (also with user and virtual data in mysql), amavisd (clamav + 
spamassassin) as spam/virus filter. I am just bit sad that openwebmail
is not working with maildirs, so I use horde/imp application instead
to provide webmail services.


Cheers,

Martin


-- 
martin hudec


   * 421 907 303 393
   * [EMAIL PROTECTED]
   * http://www.aeternal.net

Nothing travels faster than the speed of light with the possible 
exception of bad news, which obeys its own special laws.

   Douglas Adams, The Hitchhiker's Guide to the Galaxy




sendmail smtp-auth

2004-12-06 Thread tethys ocean
Hi,

Sendmail 8.11 and sasl run on a FreeBSD 5.2.1 RELEASE server, so I wonder
whether it has got SMTP AUTH or not.


After telnet localhost 25 the result is shown below:

ehlo localhost
250-www.stockimage.co.kr Hello localhost.stockimage.co.kr [127.0.0.1],
pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP

Indeed, if it has got SMTP AUTH, the result must be as below?

 
ehlo server
250-sizinev
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH GSSAPI PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=GSSAPI PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250 8BITMIME



250-AUTH GSSAPI PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=GSSAPI PLAIN LOGIN DIGEST-MD5 CRAM-MD5

Our users are using ADSL, cable and/or dial-up connections.
If their connection differs from our connection (outside of our network)
they can get mail but couldn't send mail, since the mail server rejects
their IP, and in the log:
(may be forged) 


Before me, another admin entered their IPs in access and added RELAY, but it
is not an exact solution.

Are there any comments?


I searched in Google I get this result if our server has got smtp auth 

in the result of  telnet localhost 25 and ehlo server   must be in
below? isnt it?!?!?

 [EMAIL PROTECTED] telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 testterm.ryuchi.org ESMTP Sendmail 8.11.0/8.11.0; Wed, 9 Aug 2000
16:33:03 +0900 (JST)
EHLO localhost
250-momiji.ryuchi.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH CRAM-MD5
250 HELP
QUIT
221 2.0.0 testterm.ryuchi.org closing connection
Connection closed by foreign host.
[EMAIL PROTECTED]


r.p.
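
The check asked about in this message, as an added example that is not part of the original post: it reads a captured EHLO reply and reports whether AUTH is advertised, with which mechanisms, and whether PLAIN or LOGIN (which carry the password base64-encoded, not encrypted) are offered without STARTTLS. The three replies are copied from the message; the function names and report strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: report what a captured EHLO reply advertises for SMTP AUTH.
# The three replies below are copied from the message above.

REPLY_LOCAL=$(cat <<'EOF'
250-www.stockimage.co.kr Hello localhost.stockimage.co.kr [127.0.0.1],
pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
EOF
)

REPLY_EXPECTED=$(cat <<'EOF'
250-sizinev
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH GSSAPI PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=GSSAPI PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
EOF
)

REPLY_CRAM_ONLY=$(cat <<'EOF'
250-momiji.ryuchi.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH CRAM-MD5
250 HELP
EOF
)

# ehlo_keywords: stdin = EHLO reply; prints one "KEYWORD params" line per
# extension. The greeting (first 250 line) and non-reply lines are skipped,
# and the legacy "AUTH=..." spelling is normalised to "AUTH ...".
ehlo_keywords() {
    tr -d '\r' | awk '
        /^250[- ]/ {
            if (++n == 1) next
            line = substr($0, 5)
            sub(/^[Aa][Uu][Tt][Hh]=/, "AUTH ", line)
            split(line, f, " ")
            kw = toupper(f[1])
            sub(/^[^ ]+ ?/, "", line)
            if (line == "") print kw
            else print kw " " toupper(line)
        }'
}

# ehlo_auth_mechs: prints the advertised SASL mechanisms on one line,
# deduplicated in order of first appearance; prints nothing without AUTH.
ehlo_auth_mechs() {
    ehlo_keywords | awk '
        $1 == "AUTH" {
            for (i = 2; i <= NF; i++)
                if (!($i in seen)) {
                    seen[$i] = 1
                    sep = (out == "" ? "" : " ")
                    out = out sep $i
                }
        }
        END { if (out != "") print out }'
}

# ehlo_has_keyword KEYWORD: exit status 0 if the reply lists that extension.
ehlo_has_keyword() {
    ehlo_keywords | awk -v kw="$1" '$1 == toupper(kw) { found = 1 } END { exit !found }'
}

# ehlo_auth_report: one-line verdict for the reply on stdin.
ehlo_auth_report() {
    reply=$(cat)
    mechs=$(printf '%s\n' "$reply" | ehlo_auth_mechs)
    if [ -z "$mechs" ]; then echo "no-auth"; return 0; fi
    case " $mechs " in
        *" PLAIN "*|*" LOGIN "*)
            if printf '%s\n' "$reply" | ehlo_has_keyword STARTTLS; then
                echo "auth: $mechs"
            else
                echo "auth-cleartext-without-starttls: $mechs"
            fi ;;
        *) echo "auth: $mechs" ;;
    esac
}

for r in "$REPLY_LOCAL" "$REPLY_EXPECTED" "$REPLY_CRAM_ONLY"; do
    printf '%s\n' "$r" | ehlo_auth_report
done
```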


Re: Mail server questions (SMTP Auth, Imap and virtual domains)

2004-10-05 Thread Toomas Aas
 From:  Wayne Pascoe [EMAIL PROTECTED]

 2. Setup a webmail solution. I'm currently using Squirrelmail for users
 that exist in /etc/passwd (not very many!), and am considering a
 migration to Horde/IMP. Near as I can tell though it's not the webmail
 client that matters, but the imap server. Does anyone know of an imap
 server that will do 'virtual mailboxes' like vm-pop3d does ? 

I'm using Cyrus IMAPD as IMAP backend for my Horde/IMP installation. 
Cyrus has its own userbase so you don't need to create UNIX users for 
all the mail users. I guess that's what vm-pop3d means by 'virtual 
mailboxes'.

It's been working mostly fine since 2001. Only thing to watch out for 
is upgrades of the db3 package if you use sasldb authentication (one of 
many possible authentication methods in Cyrus). I've been bitten a 
couple of times when db3 got portupgraded as a dependency of 
'something' and Cyrus was unable to read its authentication database 
which was created with previous version of db3.
--
Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
* RUNTIME ERROR 6D at 417A:32CF : Incompetent user



Mail server questions (SMTP Auth, Imap and virtual domains)

2004-10-03 Thread Wayne Pascoe
Hi all,

I've got a mail setup doing virtualhosts as described at 
http://www.penguinpowered.org/documentation/exim_virtualhosting.html

My users can pull their mail down with POP, but have to use their ISP's
SMTP server for outgoing mail.

I'd like to do two things at this stage, and I'd appreciate any advice
on pointers to help me achieve these:

1. Setup SMTP Auth with Exim so that they can use my boxes for outgoing
SMTP. This would allow me to setup SPF on their domains as well, which
would be a plus.

2. Setup a webmail solution. I'm currently using Squirrelmail for users
that exist in /etc/passwd (not very many!), and am considering a
migration to Horde/IMP. Near as I can tell though it's not the webmail
client that matters, but the imap server. Does anyone know of an imap
server that will do 'virtual mailboxes' like vm-pop3d does ? 

Thanks in advance,

-- 
Wayne Pascoe(gpg --keyserver www.co.uk.pgp.net --recv-keys 79A7C870)
A good sysadmin always carries around a few feet of
fiber. If he gets lost, he simply drops the fiber
on the ground, waits 10 minutes and asks the
backhoe operator for directions - Bill Bradford


postfix smtp auth TLS , cyrus sasl SSL/TLS

2004-08-24 Thread bruno schwander
Trying to get cyrus with SSL/TLS, as well as postfix with smtp auth

what I did: follow the howtos
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/sasldb_configuration.html
http://yocum.org/faqs/postfix-tls-sasl.html

things working so far:
I can login to imap accounts using SSL or TLS, and CRAM-MD5, etc. This is
with sasldb, as cyrus is configured with
sasl_pwcheck_method: auxprop

saslauthd is not running.

strange issue: whenever logging in successfully, /var/log/messages shows (IP
changed)

Aug 24 13:55:55 www imaps[2004]: login:
adsl-X-X-X.pacbell.net [XX.XX.XX.XX] bruno CRAM-MD5+TLS User logged in

and in /var/log/auth:
Aug 24 13:55:55 www imaps[2004]: no user in db

sasldblistusers2 shows the user is there. Stranger: when
changing/adding/removing users to the sasldb database, I get this in
/var/log/messages:
Aug 24 14:04:37 www saslpasswd2: setpass succeeded for bruno
Aug 24 14:04:37 www saslpasswd2: Couldn't update db
Aug 24 14:04:37 www last message repeated 2 times

I do not know which db is not being updated, because I can list
users, and check they are in there.

Since encrypted login to imaps essentially works, I would not care, but
now that I am trying to get postfix smtp auth working through sasl, I
think it might be an issue.

When trying to login to postfix/smtp, the following message appears in
/var/log/messages:
Aug 24 15:49:50 www postfix/smtpd[2977]: warning: SASL authentication
failure: no user in db
Aug 24 15:49:50 www postfix/smtpd[2977]: warning: SASL authentication
failure: no user in db
Aug 24 15:49:50 www postfix/smtpd[2977]: warning: SASL authentication
failure: no secret in database
Aug 24 15:49:50 www postfix/smtpd[2977]: warning:
XXX.XXX.XXX.XXX.pacbell.net[XX.XX.XX.XX]:
SASL CRAM-MD5
authentication failed

So, the questions are:

- which db is not being updated ?
- why is authentication failing with smtp and not imap ?


Any help greatly appreciated !

bruno



Re: postfix, smtp-auth, Cyrus SASL for relay restriction troubles.

2004-07-18 Thread Tim Schutt
Thanks so much for the responses, Josh and Paul.

Josh: great article... if nothing else, the errors changed that I was
getting so I can feel hopeful that progress is being made.  I wish I
had found that at the beginning of this whole progress, because it
gave about the most logical recipe to follow that I've seen so far.

so, here are the current errors upon SMTP-Auth failure... and to let
know, I have created the sasldb2 file in /usr/local/etc/ with the
utilities that you mentioned in your article.

 logfile snip 
Jul 18 10:04:16 www postfix/smtpd[20073]: warning: SASL authentication
failure: Could not open db
Jul 18 10:04:16 www postfix/smtpd[20073]: warning: SASL authentication
failure: Could not open db
Jul 18 10:04:16 www postfix/smtpd[20073]: warning: SASL authentication
failure: Password verification failed
 logfile end ===

Paul: here's what my master.cf file looks like. I do have Amavis and
ClamAV installed and running could they be getting in the way
somehow? One thing that I noticed is the smtp-amavis line in  the file
appears to be configured to run chrooted. Will this make sasl grumpy?

=== master.cf ==

smtp      inet  n   -   n   -   -   smtpd   -v
pickup    fifo  n   -   n   60  1   pickup
cleanup   unix  n   -   n   -   0   cleanup
qmgr      fifo  n   -   n   300 1   qmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer     unix  -   -   n   -   0   bounce
trace     unix  -   -   n   -   0   bounce
verify    unix  -   -   n   -   1   verify
flush     unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
smtp  unix  -   -   n   -   -   smtp
relay unix  -   -   n   -   -   smtp
showq unix  n   -   n   -   -   showq
error unix  -   -   n   -   -   error
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   n   -   -   lmtp
anvil unix  -   -   n   -   1   anvil
maildrop  unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -   n   n   -   -   pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus unix  -   n   n   -   -   pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp  unix  -   n   n   -   -   pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -   n   n   -   -   pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix  -   n   n   -   -   pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

smtp-amavis unix - - y - 2 smtp
   -o smtp_data_done_timeout=1200
   -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o mynetworks=127.0.0.0/8

smtps     inet  n   -   n   -   -   smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes


Re: postfix, smtp-auth, Cyrus SASL for relay restriction troubles.

2004-07-18 Thread Remko Lodder
Tim Schutt wrote:
 logfile snip 
Jul 18 10:04:16 www postfix/smtpd[20073]: warning: SASL authentication
failure: Could not open db
Jul 18 10:04:16 www postfix/smtpd[20073]: warning: SASL authentication
failure: Could not open db
Jul 18 10:04:16 www postfix/smtpd[20073]: warning: SASL authentication
failure: Password verification failed
 logfile end ===

if i do a saslpasswd2 -c -u evilcoder.org remko
and type in my password, i get a file in /usr/local/etc/ named sasldb2
with permissions for cyrus (rw) and for the group mail (r). My postfix 
user is in the group mail.

The problem you are describing seems to me that the postfix user does 
not have enough permissions to get access to the db. Check them out.. :-)

Cheers
--
Kind regards,
Remko Lodder   |[EMAIL PROTECTED]
Reporter DSINet|[EMAIL PROTECTED]
Projectleader Mostly-Harmless  |[EMAIL PROTECTED]


Re: postfix, smtp-auth, Cyrus SASL for relay restriction troubles.

2004-07-18 Thread Tim Schutt
Hey Remko,

Good catch! You were right that postfix didn't have access to the
database. But this is still bizarre now when I do the login, it
doesn't report that it can't access the database, but states that
there are no users in the database.

Jul 18 12:40:55 www postfix/smtpd[21129]: warning: SASL authentication
failure: no user in db
Jul 18 12:40:55 www postfix/smtpd[21129]: warning: SASL authentication
failure: Password verification failed

 I am able to do a sasldblistusers2 and see all the entries in the
file, so I know that they are there, and I believe that postfix is
hitting the correct file because the error changed as soon as I
changed the database's group to the same as postfix and gave it read
access.

*sigh*,,, I feel like I am so close, but just can't find the correct
switch to throw. Thanks so much for  your help with this!!

Tim, the hopelessly new. :-)

 if i do a saslpasswd2 -c -u evilcoder.org remko
 and type in my password, i get a file in /usr/local/etc/ named sasldb2
 with permissions for cyrus (rw) and for the group mail (r). My postfix
 user is in the group mail.
 
 The problem you are describing seems to me that the postfix user does
 not have enough permissions to get access to the db. Check them out.. :-)
 
 Cheers
 --
 Kind regards,
 
 Remko Lodder


Re: postfix, smtp-auth, Cyrus SASL for relay restriction troubles.

2004-07-18 Thread Remko Lodder
Heya Tim

Tim Schutt wrote:
 Hey Remko,
 Good catch! You were right that postfix didn't have access to the
 database. But this is still bizarre now when I do the login, it
 doesn't report that it can't access the database, but states that
 there are no users in the database.

:-) good

 Jul 18 12:40:55 www postfix/smtpd[21129]: warning: SASL authentication
 failure: no user in db
 Jul 18 12:40:55 www postfix/smtpd[21129]: warning: SASL authentication
 failure: Password verification failed
  I am able to do a sasldblistusers2 and see all the entries in the
 file, so I know that they are there, and I believe that postfix is
 hitting the correct file because the error changed as soon as I
 changed the database's group to the same as postfix and gave it read
 access.

When you added your user did you specify what domain he has? (-u
dom). If not, please consider trying to add a user with a domain
attached. If you have only one domain you could also set the postfix
option:

smtpd_sasl_local_domain = yourdomainhere

in main.cf

If you have multiple domains you should specify:

smtpd_sasl_local_domain = empty

in main.cf

But then you need to authenticate as [EMAIL PROTECTED] (in my case)

Perhaps this helps a bit ? :-)

 *sigh*,,, I feel like I am so close, but just can't find the correct
 switch to throw. Thanks so much for  your help with this!!

Well I had lots of troubles with SASL when I started (on OpenBSD), and
now I have it running ;)

 Tim, the hopelessly new. :-)

You are not hopeless, you will get there :)


--
Kind regards,
Remko Lodder   |[EMAIL PROTECTED]
Reporter DSINet|[EMAIL PROTECTED]
Projectleader Mostly-Harmless  |[EMAIL PROTECTED]


Re: postfix, smtp-auth, Cyrus SASL for relay restriction troubles.

2004-07-18 Thread Tim Schutt
WOOHOO!!! That did it. I have been struggling with this solid since
Wednesday to get this up... color me grinnin'!

The final problem that I had was I was specifying the virtual domain
in the user list instead of the base domain of the system, and not
specifying the domain in the smtp login.

Many many thanks to Remko, Paul and Josh... you each helped me fix a
piece of this!

Tim

 When you added your user did you specify what domain he has? (-u
 dom). If not, please consider trying to add a user with a domain
 attached. If you have only one domain you could also set the postfix
 option:
 
 smtpd_sasl_local_domain = yourdomainhere
 in main.cf
 If you have multiple domains you should specify:
 smtpd_sasl_local_domain = empty
 in main.cf
 But then you need to authenticate as [EMAIL PROTECTED] (in my case)
 
 Perhaps this helps a bit ? :-)
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
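
The "no user in db" failure resolved in this thread came down to the realm an account was stored under versus the realm implied by the login name. As an added example (not code from the thread, Postfix or Cyrus SASL), this Python script compares entries in the `user@realm: userPassword` form printed by `sasldblistusers2` with the key a login would resolve to. The realm-selection order in `lookup_key` is a simplified model and an assumption, and every account and hostname below is constructed.

```python
"""Explain a sasldb "no user in db" failure by comparing realms."""

# Constructed sample of sasldblistusers2 output (not taken from the thread).
SAMPLE_LISTING = """\
alice@www.example.net: userPassword
bob@virtual.example.org: userPassword
"""


def parse_listing(text):
    """Return the set of (user, realm) pairs found in the listing."""
    entries = set()
    for line in text.splitlines():
        ident, sep, _prop = line.partition(":")
        ident = ident.strip()
        if not sep or "@" not in ident:
            continue  # not a "user@realm: property" line
        user, realm = ident.rsplit("@", 1)
        entries.add((user, realm))
    return entries


def lookup_key(login, sasl_local_domain, hostname):
    """Simplified model (an assumption) of how the realm is chosen:
    1. a login of the form user@realm carries its own realm;
    2. otherwise a non-empty smtpd_sasl_local_domain is used;
    3. otherwise the server's own host name is used, which is also the
       realm saslpasswd2 stores when -u is not given.
    """
    if "@" in login:
        user, realm = login.rsplit("@", 1)
        return user, realm
    if sasl_local_domain:
        return login, sasl_local_domain
    return login, hostname


def diagnose(login, sasl_local_domain, hostname, listing):
    """Classify a login as match, realm-mismatch or unknown-user."""
    entries = parse_listing(listing)
    key = lookup_key(login, sasl_local_domain, hostname)
    if key in entries:
        return {"status": "match", "key": key, "stored_realms": []}
    # Same user name stored under a different realm: the case in this thread.
    stored = sorted(realm for user, realm in entries if user == key[0])
    status = "realm-mismatch" if stored else "unknown-user"
    return {"status": status, "key": key, "stored_realms": stored}


if __name__ == "__main__":
    for login in ("bob", "bob@virtual.example.org", "alice", "carol"):
        result = diagnose(login, "", "www.example.net", SAMPLE_LISTING)
        print(login, "->", result)
```
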


postfix, smtp-auth, Cyrus SASL for relay restriction troubles.

2004-07-17 Thread Tim Schutt
Hey People,
ok... My hair is falling out fast enough without me pulling it, so I'm
looking for some help with this:
I've installed postfix and Cyrus SASL on FreeBSD 5.1 and I am having
the worst time getting any authentication to work for smtp-auth. I've
attached log and configuration snips below. Please forgive if there is
an ignorant mistake here... I admit to being fairly new to the whole
UNIX thing.

The short story is authentication always fails, mail won't relay, and
nothing even shows up in auth.log. Am I missing something to hook
these processes together?

Thanks!
Tim
[EMAIL PROTECTED]

(apologies to digest readers because it's kinda long)

config: main.cf (snip)
===
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
alias_maps=hash:/usr/local/etc/postfix/aliases
alias_database=hash:/usr/local/etc/postfix/aliases

smtpd_client_restrictions = permit_mynetworks, reject_rbl_client relays.ordb.org
smtpd_sender_restrictions = permit_mynetworks

smtpd_recipient_restrictions = 
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination

smtpd_data_restrictions =
reject_unauth_pipelining,
permit

default_rbl_reply = $rbl_code Service unavailable; $rbl_class
[$rbl_what] blocked using $rbl_domain${rbl_reason?;
$rbl_reason}
home_mailbox=$home/Maildir/
mailbox_size_limit = 2048
message_size_limit = 0
virtual_mailbox_limit = 2048
content_filter=smtp-amavis:[127.0.0.1]:10024
disable_dns_lookup = YES
smtpd_sasl_auth_enable = YES
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domains = 
broken_sasl_auth_clients = YES
smtpd_sasl_local_domain = 
html_directory = no
smtp_sasl_password_maps = unix:password.byname

===
log snip from /var/maillog
===

Jul 17 19:14:59 www postfix/smtpd[4040]: smtpd_sasl_authenticate:
sasl_method PLAIN, init_response AHRzY2h1dHQAMXJlbmUx
Jul 17 19:14:59 www postfix/smtpd[4040]: smtpd_sasl_authenticate:
decoded initial response
Jul 17 19:14:59 www postfix/smtpd[4040]: warning:
roc-66-67-59-117.rochester.rr.com[66.67.59.117]: SASL PLAIN
authentication failed
Jul 17 19:14:59 www postfix/smtpd[4040]: 
roc-66-67-59-117.rochester.rr.com[66.67.59.117]: 535 Error:
authentication failed
Jul 17 19:14:59 www postfix/smtpd[4040]: watchdog_pat: 0x8086b88
Jul 17 19:14:59 www postfix/smtpd[4040]: smtp_get: EOF
Jul 17 19:14:59 www postfix/smtpd[4040]: match_hostname:
roc-66-67-59-117.rochester.rr.com ~? 127.0.0.0/8
Jul 17 19:14:59 www postfix/smtpd[4040]: match_hostaddr: 66.67.59.117
~? 127.0.0.0/8
Jul 17 19:14:59 www postfix/smtpd[4040]: match_hostname:
roc-66-67-59-117.rochester.rr.com ~? 66.67.59.0/24
Jul 17 19:14:59 www postfix/smtpd[4040]: match_hostaddr: 66.67.59.117
~? 66.67.59.0/24
Jul 17 19:14:59 www postfix/smtpd[4040]: lost connection after AUTH
from roc-66-67-59-117.rochester.rr.com[66.67.59.117]

===this is the tail of auth.log -- login attempt doesn't even show up ==

Jul 17 18:55:59 www saslauthd[3969]: detach_tty  : master pid is: 3969
Jul 17 18:55:59 www saslauthd[3969]: ipc_init: listening on
socket: /var/state/saslauthd/mux
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
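
Verbose smtpd logging like the excerpt in the post above records the client's SASL initial response, and for the PLAIN mechanism that value is only base64 over authzid, NUL, authcid, NUL, password (RFC 4616), so the log line carries the password. As an added example (not part of the original post), this Python script rejoins mail-wrapped syslog records and redacts every `init_response` value before a log is shared; the sample log lines and credentials are constructed.

```python
"""Redact SASL initial responses from Postfix debug logs before sharing."""
import base64
import binascii
import re

# A syslog record starts with "Mon DD HH:MM:SS "; any other line is treated
# as a continuation produced by mail line-wrapping.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
INIT_RESPONSE = re.compile(r"(init_response\s+)([A-Za-z0-9+/]+={0,2})")


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed credentials and log lines, modelled on the format in the post.
PLAIN_TOKEN = _b64(b"\x00demo-user\x00demo-password")
OTHER_TOKEN = _b64(b"demo-user")
SAMPLE_LOG = "\n".join([
    "Jan  1 00:00:01 mx postfix/smtpd[100]: smtpd_sasl_authenticate:",
    "sasl_method PLAIN, init_response " + PLAIN_TOKEN,
    "Jan  1 00:00:02 mx postfix/smtpd[101]: smtpd_sasl_authenticate: "
    "sasl_method PLAIN, init_response",
    PLAIN_TOKEN,
    "Jan  1 00:00:03 mx postfix/smtpd[102]: smtpd_sasl_authenticate: "
    "sasl_method LOGIN, init_response " + OTHER_TOKEN,
    "Jan  1 00:00:04 mx postfix/smtpd[102]: lost connection after AUTH "
    "from client.example[192.0.2.10]",
])


def carries_plain_credentials(token):
    """True if token decodes to authzid NUL authcid NUL passwd (RFC 4616)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    parts = raw.split(b"\x00")
    return len(parts) == 3 and parts[1] != b"" and parts[2] != b""


def unwrap(text):
    """Join wrapped continuation lines onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def scrub(text):
    """Return (scrubbed_text, values_redacted, values_with_plain_password).

    Every init_response value is redacted, whatever the mechanism; the
    second counter reports how many were confirmed PLAIN credentials.
    """
    redacted = 0
    plain = 0

    def _replace(match):
        nonlocal redacted, plain
        redacted += 1
        if carries_plain_credentials(match.group(2)):
            plain += 1
        return match.group(1) + "[REDACTED]"

    out = [INIT_RESPONSE.sub(_replace, record) for record in unwrap(text)]
    return "\n".join(out), redacted, plain


if __name__ == "__main__":
    cleaned, total, with_password = scrub(SAMPLE_LOG)
    print(cleaned)
    print(f"redacted {total} value(s), {with_password} held a PLAIN password")
```
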


Re: postfix, smtp-auth, Cyrus SASL for relay restriction troubles.

2004-07-17 Thread Josh Paetzel
On Sat, Jul 17, 2004 at 07:28:39PM -0400, Tim Schutt wrote:
 Hey People,
 ok... My hair is falling out fast enough without me pulling it, so I'm
 looking for some help with this:
 I've installed postfix and Cyrus SASL on FreeBSD 5.1 and I am having
 the worst time getting any authentication to work for smtp-auth. I've
 attached log and configuration snips below. Please forgive if there is
 an ignorant mistake here... I admit to being fairly new to the whole
 UNIX thing.
 
 The short story is authentication always fails, mail won't relay, and
 nothing even shows up in auth.log. Am I missing something to hook
 these processes together?
 
 Thanks!
 Tim
 [EMAIL PROTECTED]
 

Here's a small article I did up after I made postfix and SMTP AUTH work 
together.

http://www.tcbug.org/postfix_smtpauth.html

Hope this helps.

Josh Paetzel



Re: postfix, smtp-auth, Cyrus SASL for relay restriction troubles.

2004-07-17 Thread Paul Schmehl
--On Saturday, July 17, 2004 7:28 PM -0400 Tim Schutt [EMAIL PROTECTED] 
wrote:

 Hey People,
 ok... My hair is falling out fast enough without me pulling it, so I'm
 looking for some help with this:
 I've installed postfix and Cyrus SASL on FreeBSD 5.1 and I am having
 the worst time getting any authentication to work for smtp-auth. I've
 attached log and configuration snips below. Please forgive if there is
 an ignorant mistake here... I admit to being fairly new to the whole
 UNIX thing.

What do you have in master.cf?

Here's a working one.

smtps inet  n   -   n   -   -   smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: SMTP AUTH

2004-05-29 Thread Charles Swiger
On May 27, 2004, at 12:39 PM, Noah wrote:
 how do I configure sendmail to support smtps (SSL before SMTP)  I want to
 configure this.  any links out there show how to do this please?

Doing STARTTLS is better than SMTPS, because it is backwards compatible
with traditional SMTP.

In any event, to answer your question, install 
/usr/ports/security/stunnel, and read the manpage-- which is very well 
written, and has examples of doing SMTP and IMAP over SSL, I believe...

--
-Chuck


RE: SMTP AUTH

2004-05-27 Thread Lee Dilkie


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Richard
Stevenson
Outlook 2002 (from Office XP) will try STARTTLS if 
SMTP-over-SSL doesn't 
work for any port other than 25, apparently, but as I said, 
it's still a 
bit hairy.  I've got clients in .us, .uk, and .nz doing this with my 
server in .nz.  FWIW, I believe Microsoft are still working on 
this - I'm 
told they might default to trying STARTTLS first for port 587.  These 
things take time; the MSA standard is only about five years old, after 
all...

Wow, that responsive? The only hitch is that office 2K is my last version of office
(as win2K is my last version of a MS OS that I'll buy).

It was a challenge to cover all the bases, between outlook [express] and others
(Kmail, Evolution...) I have running:

25 - smtp (with or w/o auth), w/STARTTLS
587 - MSA (auth SMTP), w/ STARTTLS
465 - smtps (with or w/o auth), SSL
110 - pop3, w/STARTTLS
*996 (not 995!) - pop3s, SSL
143 - imap (don't think that supports STARTTLS)
993 - imaps, SSL

I'm using qpopper for pop3 and imap-uw for imap and sendmail for the rest. I installed 
cyrus-sasl to provide decent password protection on the non-ssl'ed connections.

*996 instead of 995... this was a weird one. Outlook normally defaults to port 995 if
one selects use SSL but when I configured qpopper to use SSL on 995 the negotiation
would fail. If I changed ports, it succeeded. I think I know what happened and that I
could probably get it to work on 995 but I haven't had the time to work on it.

I config Outlook to use SSL on ports 465 and either 996(pop3) or 993(imap). Kmail and 
such use 587(MSA) and 110/993 as they support STARTTLS.
 
If anyone is interested in the relevant bits of inetd/sendmail/qpopper config files, 
just shout.

-lee



RE: SMTP AUTH

2004-05-27 Thread Noah
On Wed, 26 May 2004 07:22:19 -0400, Lee Dilkie wrote
 On Tue, 25 May 2004, Noah wrote:
 
  sendmail-8.12.11
  freeBSD-4.9-STABLE
 
  I must be doing something wrong.  SMTP AUTH is not working 
 very well for me.
  I have been trying to authenticate with user and password to port 25.
 
  I prefer to send all auth user and password information with 
 SSL encryption.
  would like SSL Version 3 encryption.
 
 You've got This server requires a secure connection (SSL) 
 enabled for 
 the SMTP server in Outlook?
 
 In my experience (outlook 2000, not tested on outlook express) this
 won't work. Outlook doesn't seem to understand that use SSL means
 use STARTTLS. What I did was to configure sendmail to also support
 smtps (SSL before SMTP) on the smtps port (465) and point outlook
 at that port with the use ssl checked.
 




Hi there,

how do I configure sendmail to support smtps (SSL before SMTP)  I want to
configure this.  any links out there show how to do this please?


- Noah



 
  I have configured outgoing mail requiring authentication
 then clicking both
  with Secure Password Authentication and without.
 
 That should be without for SPA.
 
 Agreed, turn off SPA.
 
 
 
 -lee
 


RE: SMTP AUTH

2004-05-27 Thread Lee Dilkie
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Noah
Sent: Thursday, May 27, 2004 12:40 PM
Hi there,

how do I configure sendmail to support smtps (SSL before SMTP) 
 I want to
configure this.  any links out there show how to do this please?


- Noah

I found all i needed on the net but it wasn't all in one place.

Here's some of what I did.

In /etc/make.conf

# add alternate port (smtps) for sendmail
SENDMAIL_CFLAGS+=   -D_FFR_SMTP_SSL

and rebuild the world (or if you're smarter than me you can rebuild only the sendmail 
part).

In your /etc/mail/${hostname}.sendmail.mc, define the service itself.

The first part is to define the certificates, they are used for both STARTTLS and 
smtps. There are plenty of sites that'll tell you how to generate those. Mine is a bit 
unusual as I don't use a self-signed certificate, I'm using a different CA as root. 
It's easiest, but costs money, to use a real root CA and avoid the hassle of 
configuring outlook/windows to trust a new root certificate.

dnl add STARTTLS support
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mitelroot_cert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/priv_key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/priv_key.pem')dnl

then add support on the smtps port...

DAEMON_OPTIONS(`Port=smtps,Addr={put_your_addr_here}, Name=TLSMTA, M=s')dnl smtp over TLS on port 465

then do the standard make and make restart thingie to restart sendmail

try it out and see what fails (it helps to bump sendmail logging to 64).

-lee



RE: SMTP AUTH

2004-05-26 Thread Lee Dilkie
On Tue, 25 May 2004, Noah wrote:

 sendmail-8.12.11
 freeBSD-4.9-STABLE

 I must be doing something wrong.  SMTP AUTH is not working 
very well for me.
 I have been trying to authenticate with user and password to port 25.

 I prefer to send all auth user and password information with 
SSL encryption.
 would like SSL Version 3 encryption.

You've got "This server requires a secure connection (SSL)"
enabled for
the SMTP server in Outlook?

In my experience (outlook 2000, not tested on outlook express) this won't work.
Outlook doesn't seem to understand that "use SSL" means "use STARTTLS". What I did was
to configure sendmail to also support smtps (SSL before SMTP) on the smtps port
(465) and point outlook at that port with "use ssl" checked.


 I have configured outgoing mail requiring authentication
then clicking both
 with Secure Password Authentication and without.

That should be without for SPA.

Agreed, turn off SPA.



-lee



RE: SMTP AUTH

2004-05-26 Thread Robert Covell
I have configured both sendmail and cyrus to use SSL (Not SPA) with SMTP
auth on FreeBSD with Outlook clients.  Can't remember the name of the
application but it was something like stunnel or similar.  Basically I
kept sendmail and cyrus as is and used this application to listen on the SSL
ports.  It just accepted the SSL connection and passed the data off to the
either sendmail and cyrus.  The client had to install a certificate that was
signed and generated in house.  Very straight forward (if I could remember
the name of it)...

Sincerely,

Robert T. Covell
President / Owner
Rolet Internet Services, LLC
Web: www.rolet.com
Email: [EMAIL PROTECTED]
Phone: 816.471.1095
Fax: 816.471.3447
24x7: 816.210.7145

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Lee Dilkie
 Sent: Wednesday, May 26, 2004 6:22 AM
 To: 'Richard Stevenson'; 'Noah'
 Cc: [EMAIL PROTECTED]
 Subject: RE: SMTP AUTH


 On Tue, 25 May 2004, Noah wrote:
 
  sendmail-8.12.11
  freeBSD-4.9-STABLE
 
  I must be doing something wrong.  SMTP AUTH is not working
 very well for me.
  I have been trying to authenticate with user and password to port 25.
 
  I prefer to send all auth user and password information with
 SSL encryption.
  would like SSL Version 3 encryption.
 
 You've got This server requires a secure connection (SSL)
 enabled for
 the SMTP server in Outlook?

 In my experience (outlook 2000, not tested on outlook express)
 this won't work. Outlook doesn't seem to understand that use
 SSL means use STARTTLS. What I did was to configure sendmail to
 also support smtps (SSL before SMTP) on the smtps port (465)
 and point outlook at that port with the use ssl checked.

 
  I have configured outgoing mail requiring authentication
 then clicking both
  with Secure Password Authentication and without.
 
 That should be without for SPA.

 Agreed, turn off SPA.

 

 -lee



RE: SMTP AUTH

2004-05-26 Thread Richard Stevenson
On Wed, 26 May 2004, Lee Dilkie wrote:
  You've got "This server requires a secure connection (SSL)"
  enabled for
  the SMTP server in Outlook?

 In my experience (outlook 2000, not tested on outlook express) this
 won't work. Outlook doesn't seem to understand that use SSL means use
 STARTTLS. What I did was to configure sendmail to also support smtps
 (SSL before SMTP) on the smtps port (465) and point outlook at that port
 with the use ssl checked.

Outlook 2002 (from Office XP) will try STARTTLS if SMTP-over-SSL doesn't
work for any port other than 25, apparently, but as I said, it's still a
bit hairy.  I've got clients in .us, .uk, and .nz doing this with my
server in .nz.  FWIW, I believe Microsoft are still working on this - I'm
told they might default to trying STARTTLS first for port 587.  These
things take time; the MSA standard is only about five years old, after
all...

Cheers
Richard
--
Richard Stevenson


SMTP AUTH

2004-05-25 Thread Noah
sendmail-8.12.11
freeBSD-4.9-STABLE

I must be doing something wrong.  SMTP AUTH is not working very well for me. 
I have been trying to authenticate with user and password to port 25.

I prefer to send all auth user and password information with SSL encryption. 
would like SSL Version 3 encryption.  

I am using microsoft outlook on windows XP machine to do the sending.  I have
the username and password defined.

I have configured outgoing mail requiring authentication then clicking both
with Secure Password Authentication and without.

receiving POP mail securely is working fine.


this is the error ending up in /var/log/maillog

--- from the Maillogs ---

May 21 16:19:33 typhoon sm-mta[64503]: i4LNJXxA064503:
hostname.domain.com [10.10.10.10] did not
issue MAIL/EXPN/VRFY/ETRN during connection to MTA

--- snip ---


--- sendmail prompt ---

Trying 127.0.0.1...
Connected to localhost
Escape character is '^]'.
220 hostname ESMTP Sendmail 8.12.11/8.12.11; Fri, 21 May 2004 16:07:40 -0700 (PDT)

--- snip ---


--- from /etc/mail/hostname.mc file ---

dnl password authentication for relaying only
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

define(`confCACERT_PATH',`/usr/local/openssl/certs')dnl
define(`confCACERT',`/usr/local/openssl/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT',`/usr/local/openssl/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/usr/local/openssl/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/usr/local/openssl/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/usr/local/openssl/certs/sendmail.pem')dnl

--- snip 


Any clues on this?


- Noah



Re: SMTP AUTH

2004-05-25 Thread Richard Stevenson
On Tue, 25 May 2004, Noah wrote:
 sendmail-8.12.11
 freeBSD-4.9-STABLE
 I must be doing something wrong.  SMTP AUTH is not working very well for me.
 I have been trying to authenticate with user and password to port 25.
 I prefer to send all auth user and password information with SSL encryption.
 would like SSL Version 3 encryption.

You've got "This server requires a secure connection (SSL)" enabled for
the SMTP server in Outlook?

 I am using microsoft outlook on windows XP machine to do the sending.  I have
 the username and password defined.
 I have configured outgoing mail requiring authentication then clicking both
 with Secure Password Authentication and without.

That should be without for SPA.

 this is the error ending up in /var/log/maillog
 --- from the Maillogs ---
 May 21 16:19:33 typhoon sm-mta[64503]: i4LNJXxA064503:
 hostname.domain.com [10.10.10.10] did not
 issue MAIL/EXPN/VRFY/ETRN during connection to MTA
 --- snip ---

If you're requiring SSL, then my guess is that Outlook isn't seeing
STARTTLS in response to EHLO.  You can confirm by getting a session log:

http://support.microsoft.com/?kbid=300479

And if you're running one of those [EMAIL PROTECTED]@[EMAIL PROTECTED] antivirus products that
scans outbound e-mail, *disable it*.  Those things all prevent SMTP AUTH
and/or STARTTLS from working.

Cheers
Richard
--
Richard Stevenson
  If you can hear your neighbours firing small arms, they are using
  subsonic ammunition.
   -- Andrew Dalgliesh, in the Monastery
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


sendmail dnsbl takes precedence over SMTP Auth

2003-09-22 Thread Lutz Rabing
Hi list,

we use SMTP auth on our mail servers (sendmail 8.12.10) in addition to
blacklists like ORDB and DSBL.

When a client wants to send mail and authenticates properly with
SMTP auth but gets an ip address listed in dsbl.org sendmail
refuses to send the mail (relaying denied).

This happens mostly when a dynamic dsl ip gets into one of those lists.

Is there a way to have SMTP auth take precedence over dsbl
blacklists?

(since I'm not on this list please include me on CC)

Thanks,
Lutz Rabing



SMTP-AUTH + SSL - Possible?

2003-03-10 Thread Steve Warwick
Hi All, 

I am looking at ways to provide my clients with more convenience. One of
those ways is to be able to send and receive email via my server. However, I
know this can be a huge security hole and not one I would like to open.

I feel that SMTP-AUTH without SSL is probably not that secure so --

1. Is SMTP-AUTH a pain in the butt to set up?
   [yes I have read the handbook but I want to make sure]

2. Does SMTP over SSL use a standard SSL cert and is that
   relatively easy to set up?

3. Has anyone managed to use a chained SSL cert for SMTP over SSL
   (yes, I'm cheap :)


All suggestions, URLs and docs gratefully received,

TIA


Steve


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


HELP: Exim - SMTP AUTH, STARTTLS, and PAM or pwcheck on FreeBSD

2003-03-05 Thread David P. Discher
--- Sorry if this gets posted twice, sigh, email issues  -

I've been playing with exim for a little bit now, my new server I'm going to
roll out I would like to use exim instead of sendmail.  So far, exim is much
nicer to use, however, I am at a loss where to go now.

I figure many would like to have the following ...

SMTP standard receive on port 25

Relaying supported on 25 via STARTTLS + SMTP AUTH
SSL Tunneled on port 485 + SMTP AUTH

I've gotten the tunneled part to work.  I got port 25 going.  I can't get
AUTH to work, and haven't tried STARTTLS yet.

My authenticators section, I have so far:

fixed_login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::
server_condition=${if pam{$1:$2}{1}{0}}
#   server_condition = ${if pam{$1:${sg{$2}{:}{::}}}{yes}{no}}
#   server_condition = ${if pwcheck{$1:$2}{1}{0}}
server_set_id = $1

Note, the commented sections I have tried each and still generate the errors
below.


 2003-03-05 12:28:46 Authentication failed for ([192.168.22.101])
 [192.168.22.101]: 435 Unable to authenticate at present (set_id=dpd): cannot
 connect to pwcheck daemon

 2003-03-05 12:58:00 Authentication failed for ([192.168.22.101])
 [192.168.22.101]: 535 Incorrect authentication data (set_id=dpd)


I have not modified /etc/pam.conf yet.

Anyone got some tips, help, advice where to go next - it seems like it is a
PAM/pwcheck issue, not exim at this point, or a draft at a HOWTO ?
Specifics on exim and freebsd seem to be few right now.

 random rant 

Anyone know how to get your IPS out of SPEWS ?  My ISP had some spammers
they ditched a while back, but SPEWS has the whole dag IP range listed.  The
ISP has tried multiple times, but the WHOIS records still are pointed into
the IP range (which they can't control), even though the co-los have been
kicked out, but SPEWS wouldn't drop the blocks.

 / random rant 


-- *** -
| David P. Discher  * http://davidpdischer.com/ * (314) 518-3795  |
| [EMAIL PROTECTED] * AIM: DavidDPD   * ICQ:4222899 |
-- *** -




Re: Best way to scale SMTP auth?

2002-12-19 Thread Ronan Lucio
Steven,

I suggest Postfix + SMTP AUTH.
You will find the HOWTOs on the Postfix homepage at http://www.postfix.org

Ronan

 Hi.  Got a slight problem.  I'd like to do an SMTP system that
 allows up to 100 users a second to authenticate to the system using the
 simplest means possible.  I'd like to use the Pop before SMTP method over
 authentication before SMTP.  However from my understanding, it doesn't
 scale very well.  So I'm trying to find a way to make this be able to
 handle as much traffic as possible without overloading the existing
 system.  Thanks.





Best way to scale SMTP auth?

2002-12-17 Thread Steven Lake
Hi.  Got a slight problem.  I'd like to do an SMTP system that
allows up to 100 users a second to authenticate to the system using the
simplest means possible.  I'd like to use the Pop before SMTP method over
authentication before SMTP.  However from my understanding, it doesn't
scale very well.  So I'm trying to find a way to make this be able to
handle as much traffic as possible without overloading the existing
system.  Thanks.





SMTP auth on demand

2002-11-01 Thread Steven Lake
Hi all.  Is there a way to get your SMTP server to look at your
radius logs, see where you're logged in from, what IP specifically, and
allow relaying through that IP until you log off?  Basically what I need
is when one of our employees logs in using a remote ISP, they can have
access to our SMTP server up until they disconnect from the internet.
Once they do that then the ability to relay mail from that IP is
restricted again as before.  Am I making any sense?  Is there a way to do
this?




Re: SMTP auth on demand

2002-11-01 Thread DaleCo Help Desk
Thread yesterday or day before on this.

Look into POP before SMTP.

Kevin Kinsey
DaleCo, S.P.

- Original Message -
From: Steven Lake [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 01, 2002 4:27 PM
Subject: SMTP auth on demand


 Hi all.  Is there a way to get your SMTP server to look at your
 radius logs, see where you're logged in from, what IP specifically, and
 allow relaying through that IP until you log off?  Basically what I need
 is when one of our employees logs in using a remote ISP, they can have
 access to our SMTP server up until they disconnect from the internet.
 Once they do that then the ability to relay mail from that IP is
 restricted again as before.  Am I making any sense?  Is there a way to do
 this?





Re: SMTP auth on demand

2002-11-01 Thread Ceri Davies
On Fri, Nov 01, 2002 at 04:27:28PM -0600, Steven Lake wrote:
 Hi all.  Is there a way to get your SMTP server to look at your
 radius logs, see where you're logged in from, what IP specifically, and
 allow relaying through that IP until you log off?  Basically what I need
 is when one of our employees logs in using a remote ISP, they can have
 access to our SMTP server up until they disconnect from the internet.
 Once they do that then the ability to relay mail from that IP is
 restricted again as before.  Am I making any sense?  Is there a way to do
 this?

That depends on your MTA, I'd suggest.

http://www.exim.org/exim-html-4.10/doc/html/spec_12.html#CHAP12

Ceri
-- 
you can't see when light's so strong
you can't see when light is gone
