Monday, May 29, 2006

Sendmail/SASL does not do LOGIN authentication without being recompiled

A CentOS 3.4 system with sendmail-8.12.11-4.RHEL3.1 and cyrus-sasl-2.1.15-10 needed to use an SMTP gateway that required LOGIN authentication. I had previously done this on an old server that was still running RedHat 9 (it was not exposed to the Internet, so I wasn't worried about security there); this time I decided to document it in case anyone else has this situation. It should be rare, because LOGIN authentication is not recommended, which is probably why it is not enabled by default.

You can tell your gateway only accepts LOGIN authentication if you get a dialog like this:

$ telnet sout.inter.net.il 25
Trying 192.114.186.49...
Connected to sout.inter.net.il (192.114.186.49).
Escape character is '^]'.
220 romy.inter.net.il ESMTP Mirapoint 3.7.3-GA; Mon, 29 May 2006 15:25:35 +0300 (IDT)
EHLO whoever
250-romy.inter.net.il Hello ntn-144-100.inter.net.il [212.68.144.100] (may be forged), resetting message state
250-8BITMIME
250-SIZE 12582912
250-DSN
250-ETRN
250-AUTH LOGIN
250-AUTH=LOGIN
250 HELP
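As an added check (example code written for this post, not part of the original), the EHLO reply above can be parsed offline to see which AUTH mechanisms the gateway really offers, whether it offers STARTTLS, and whether sendmail, using the confAUTH_MECHANISMS list from sendmail.mc further down, would be left with only a cleartext mechanism. The reply text is the one shown above, embedded as a constructed sample.

```python
import re

# Constructed sample: the EHLO reply from the gateway shown earlier in this post.
EHLO_REPLY = """\
250-romy.inter.net.il Hello ntn-144-100.inter.net.il [212.68.144.100] (may be forged), resetting message state
250-8BITMIME
250-SIZE 12582912
250-DSN
250-ETRN
250-AUTH LOGIN
250-AUTH=LOGIN
250 HELP
"""

# Client-side list, in order, from the confAUTH_MECHANISMS line in sendmail.mc below.
CLIENT_MECHANISMS = "EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN".split()

# Mechanisms that transmit the password itself (only base64-encoded), so they are
# safe only under STARTTLS or on a network you already trust.
CLEARTEXT_MECHANISMS = {"LOGIN", "PLAIN"}


def parse_ehlo(reply):
    """Return (offered AUTH mechanisms in server order, STARTTLS offered?).

    Accepts both the standard '250-AUTH LOGIN PLAIN' keyword form and the
    older '250-AUTH=LOGIN' form that the Mirapoint gateway above also sends.
    """
    mechs, starttls = [], False
    for line in reply.splitlines():
        m = re.match(r"250[- ](.*)$", line.strip())
        if not m:
            continue                      # greeting or other non-250 lines
        body = m.group(1).strip()
        if body.upper() == "STARTTLS":
            starttls = True
        am = re.match(r"AUTH[ =](.+)$", body, re.IGNORECASE)
        if am:
            for tok in am.group(1).split():
                if tok.upper() not in mechs:
                    mechs.append(tok.upper())
    return mechs, starttls


def usable_mechanisms(server_mechs, client_mechs=CLIENT_MECHANISMS):
    """Mechanisms both sides support; empty means sendmail cannot authenticate."""
    return [m for m in client_mechs if m in server_mechs]


def credentials_in_clear(server_mechs, starttls):
    """True when every usable mechanism sends the password unprotected."""
    usable = usable_mechanisms(server_mechs)
    return bool(usable) and not starttls and all(m in CLEARTEXT_MECHANISMS for m in usable)
```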


I started with the latest versions, sendmail.8.13.6.tar.Z and cyrus-sasl-2.1.22.tar.gz.

Unpack the tarballs:

$ tar xvzf cyrus-sasl-2.1.22.tar.gz
$ tar xvzf sendmail.8.13.6.tar.Z


Configure sasl to build a static library with LOGIN authentication enabled (if you can do this with dynamic libraries, good for you, but I didn't get it to work, or even to build both dynamic and static libraries at the same time). I didn't bother installing it. When it's done, there will be a lib/libsasl2.a.

$ cd cyrus-sasl-2.1.22
$ ./configure --disable-dynamic --enable-static --enable-login
$ make


Now build sendmail to use sasl. Start from the sample site configuration in devtools/Site:

$ cd sendmail-8.13.6/devtools/Site
$ cp site.config.m4.sample site.config.m4

Add these lines to site.config.m4 (I tried using ~ instead of /home/warren, but that didn't work). It might work without -DOPENSSL_NO_KRB5, but it didn't on RH 9, and I didn't need to find out on this system either, so I didn't try.

APPENDDEF(`confENVDEF',`-DSASL=2 -DOPENSSL_NO_KRB5')
APPENDDEF(`confLIBS', `/home/warren/cyrus-sasl-2.1.22/lib/libsasl2.a')
APPENDDEF(`confINCDIRS', `-I/home/warren/cyrus-sasl-2.1.22/include/')


$ cd ../..
$ ./Build


Nope, it complains:
../../sendmail/sendmail.h:1323:23: phclient.h: No such file or directory

OK, back to site.config.m4; dnl out these lines (dnl starts a comment in m4. So easy to remember ...):
dnl APPENDDEF(`confMAPDEF',`-DPH_MAP')
dnl APPENDDEF(`confLIBS', `-lphclient')
dnl APPENDDEF(`confINCDIRS', `-I/opt/nph/include')
dnl APPENDDEF(`confLIBDIRS', `-L/opt/nph/lib')


Run Build with -c or it won't notice the changes to site.config.m4
$ ./Build -c

OK, that worked. Make sure it has SASLv2 and LOGIN compiled in:
$ obj.Linux.2.4.21-20.EL.c0smp.i686/sendmail/sendmail -d0.1 | grep SASL
NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2 SCANF
$ strings obj.Linux.2.4.21-20.EL.c0smp.i686/sendmail/sendmail | grep LOGIN
clientinlen is > 1024 characters in LOGIN plugin
Invalid LOGIN server step %d
LOGIN version mismatch
Invalid LOGIN client step %d
SSF requested of LOGIN plugin
Version mismatch in LOGIN


From here on, do it as root.

# make install

Now change sendmail's config:

# cd /etc/mail

Put this in sendmail.mc (it was already there, dnl'd out):
define(`SMART_HOST',`sout.inter.net.il')

Make sure that confAUTH_MECHANISMS includes LOGIN (it already did)
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Add this
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl

Now make the authinfo file:
# mkdir auth
# chmod 700 auth
# cd auth


Put this in client-info (change user and pass):
AuthInfo:sout.inter.net.il "U:root" "I:user" "P:pass" "M:LOGIN"

# makemap hash client-info < client-info
# chmod 600 client-info*


Rebuild the sendmail config, and restart sendmail:
# cd ..
# make
# /sbin/service sendmail restart
