Monday, May 29, 2006

Sendmail/SASL does not do LOGIN authentication without being recompiled

A CentOS 3.4 system with sendmail-8.12.11-4.RHEL3.1 and cyrus-sasl-2.1.15-10 needed to use an SMTP gateway that required LOGIN authentication. I had previously done this on an old server that was still running RedHat 9 (it was not exposed to the Internet, so I wasn't worried about security there); this time I decided to document it in case anyone else has this situation. It should be rare, because LOGIN authentication is not recommended, which is probably why it is not enabled by default.

Your gateway only accepts LOGIN authentication if you get a dialog like this:

$ telnet sout.inter.net.il 25
Trying 192.114.186.49...
Connected to sout.inter.net.il (192.114.186.49).
Escape character is '^]'.
220 romy.inter.net.il ESMTP Mirapoint 3.7.3-GA; Mon, 29 May 2006 15:25:35 +0300 (IDT)
EHLO whoever
250-romy.inter.net.il Hello ntn-144-100.inter.net.il [212.68.144.100] (may be forged), resetting message state
250-8BITMIME
250-SIZE 12582912
250-DSN
250-ETRN
250-AUTH LOGIN
250-AUTH=LOGIN
250 HELP
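
The same check done programmatically, as an added example that is not part of the original post: it parses the EHLO reply above, lists the advertised AUTH mechanisms (including the older "AUTH=" form) and reports whether STARTTLS is offered. It also shows why LOGIN is not recommended: the client's two lines are only base64-encoded. The function names are made up for this example, and "user"/"pass" are the placeholder credentials used later in client-info.

```python
import base64

# EHLO reply copied from the telnet session above.
EHLO_REPLY = """\
250-romy.inter.net.il Hello ntn-144-100.inter.net.il [212.68.144.100] (may be forged), resetting message state
250-8BITMIME
250-SIZE 12582912
250-DSN
250-ETRN
250-AUTH LOGIN
250-AUTH=LOGIN
250 HELP
"""

def parse_ehlo(reply):
    """Return (auth_mechanisms, other_keywords) from a multi-line 250 reply."""
    mechs, keywords = [], set()
    for line in reply.strip().splitlines()[1:]:   # first line is the greeting
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError("not a 250 reply line: %r" % line)
        text = line[4:].strip()
        upper = text.upper()
        if upper.startswith(("AUTH ", "AUTH=")):
            # "AUTH=..." is the pre-standard form that some servers still send
            for m in upper[5:].split():
                if m not in mechs:
                    mechs.append(m)
        elif text:
            keywords.add(upper.split()[0])
    return mechs, keywords

def login_only(reply):
    return parse_ehlo(reply)[0] == ["LOGIN"]

def offers_starttls(reply):
    return "STARTTLS" in parse_ehlo(reply)[1]

def login_wire_lines(user, password):
    """The client's two LOGIN lines: base64 is an encoding, not encryption."""
    return [base64.b64encode(s.encode()).decode() for s in (user, password)]

if __name__ == "__main__":
    print("AUTH mechanisms:", parse_ehlo(EHLO_REPLY)[0])
    print("LOGIN only:", login_only(EHLO_REPLY), "| STARTTLS offered:", offers_starttls(EHLO_REPLY))
    user_b64, pass_b64 = login_wire_lines("user", "pass")   # placeholder credentials
    print("on the wire:", user_b64, pass_b64, "->", base64.b64decode(pass_b64).decode())
```

For the gateway shown here the result is LOGIN only with no STARTTLS advertised, so the authinfo password crosses the network in a trivially reversible form.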


I started with the latest versions, sendmail.8.13.6.tar.Z and cyrus-sasl-2.1.22.tar.gz

Unzip the tarballs:

$ tar xvzf cyrus-sasl-2.1.22.tar.gz
$ tar xvzf sendmail.8.13.6.tar.Z


Configure sasl to build a static library (if you want to do this with dynamic libraries, good for you, but I didn't get it to work, or even to build both dynamic and static libraries at the same time) with LOGIN authentication enabled. I didn't bother installing it. When it's done, there will be a lib/libsasl2.a

$ cd cyrus-sasl-2.1.22
$ ./configure --disable-dynamic --enable-static --enable-login
$ make


Now build sendmail to use sasl

$ cd ../sendmail-8.13.6/devtools/Site
$ cp site.config.m4.sample site.config.m4

Add these lines to site.config.m4 (I tried using ~ instead of /home/warren, but that didn't work). It might work without the -DOPENSSL_NO_KRB5 but it didn't on RH 9 and I didn't need it on this system either, so I didn't try.

APPENDDEF(`confENVDEF',`-DSASL=2 -DOPENSSL_NO_KRB5')
APPENDDEF(`confLIBS', `/home/warren/cyrus-sasl-2.1.22/lib/libsasl2.a')
APPENDDEF(`confINCDIRS', `-I/home/warren/cyrus-sasl-2.1.22/include/')


$ cd ../..
$ ./Build


Nope, complains
../../sendmail/sendmail.h:1323:23: phclient.h: No such file or directory

OK, back to site.config.m4, dnl out these lines (dnl starts a comment in m4. So easy to remember ...):
dnl APPENDDEF(`confMAPDEF',`-DPH_MAP')
dnl APPENDDEF(`confLIBS', `-lphclient')
dnl APPENDDEF(`confINCDIRS', `-I/opt/nph/include')
dnl APPENDDEF(`confLIBDIRS', `-L/opt/nph/lib')


Run Build with -c or it won't notice the changes to site.config.m4
$ ./Build -c

OK, that worked. Make sure it has SASLv2 and LOGIN compiled in:
$ obj.Linux.2.4.21-20.EL.c0smp.i686/sendmail/sendmail -d0.1 | grep SASL
NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2 SCANF
$ strings obj.Linux.2.4.21-20.EL.c0smp.i686/sendmail/sendmail | grep LOGIN
clientinlen is > 1024 characters in LOGIN plugin
Invalid LOGIN server step %d
LOGIN version mismatch
Invalid LOGIN client step %d
SSF requested of LOGIN plugin
Version mismatch in LOGIN


From here on, do it as root.

# make install

Now change sendmail's config

# cd /etc/mail

Put this in sendmail.mc (it was already there, dnl'd out)
define(`SMART_HOST',`sout.inter.net.il')

Make sure that confAUTH_MECHANISMS includes LOGIN (it already did)
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Add this
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl

Now make the authinfo file
# mkdir auth
# chmod 700 auth
# cd auth


Put this in client-info (change user and pass).
AuthInfo:sout.inter.net.il "U:root" "I:user" "P:pass" "M:LOGIN"

# makemap hash client-info < client-info
# chmod 600 client-info*


Rebuild the sendmail config, and restart sendmail.
# cd ..
# make
# /sbin/service sendmail restart

Shavuot recipe - Cheese Onion Bread

From "Cheese Cookery", by Doris McFerran Townsend, ISBN 0-89586-039-2, which I picked up in the 2 for $3 bin at Shakespeare & Co on the Upper West Side of Manhattan many years ago.

Makes two loaves.

Combine
  • 1/3 cup sugar
  • 1 teaspoon salt
  • 2 tablespoons active dry yeast
  • 1 c flour
Set aside.
Heat until very warm
  • 1.25 cup milk
  • 1/2 cup butter
Slowly stir into flour.
Add
  • 3 eggs
Beat 2 minutes at medium.
Stir in, to make stiff dough
  • 5 c flour (approx.)
Turn out, rest 10 minutes, knead 10 minutes. Rise in greased bowl 1 hour.

Roll dough to two 18x10 inch rectangles. Sprinkle with
  • 3 cup shredded cheddar
  • 1 cup chopped onion
Roll up, curve (or don't, if it fits better that way), cut 1/2 in deep gashes 1 inch apart. Cover with towel, rise 45 minutes.

Sprinkle with paprika. Bake at 350 degrees, 25 to 30 minutes.