Article Title: detailed guide to SendmailSMTPSASL authentication. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
I. Overview In the modern network environment, mail relay is a very heated topic. How to allow external users or mobile users to perform mail relay on the company's email server is the focus of attention, with the emergence of standardized SASL authentication and the support for smtp auth in the new version of Sendmail, the problem has gradually become clear and easy to solve.
Ii. Purpose The main purpose of this article is to compile Cyrus-SASL and Sendmail 8.11 On any linux system, explain in detail how to compile and implement this function and related issues.
Iii. Environment The compiling and testing environments I use are Redhat Linux 6.1 and VA Linux 6.2.4, using cyrus-SASL 1.5.24 and Sendmail 8.11.4. On Redhat Linux 7.1, you do not need to compile any more. You only need to generate your own sendmail. cf file.
Step 4: 1. Slave
# Cd/home/jephe
# Tar xvfz cyrus-sasl-1.5.24.tar.gz
# Cd cyrus-sasl-1.5.24
#./Configure -- enable-login (the default configuration does not support the login authentication mechanism, but is required for OutlookExpress)
# Make
# Make install
This will automatically install all SASL library files in the/usr/local/lib/sasl/directory and header files in/usr/local/include/object? Br> trace? However, Sendmail searches for these files in/usr/lib/sasl. Therefore, the simplest way is to create a symbolic link? Br> module?
# Cd/usr/lib
# Ln-sf/usr/local/lib/sasl
# Cp-a/usr/local/lib/libsasl */usr/lib
Use vi to edit a new configuration file and place it in cf/config. mc. The content is as follows: (Note that there is no line number. The line number here is for the convenience of explaining each line below)
Divert (-1 )#
# Copyright (c) 1998,199 9 Sendmail, Inc. and its suppliers.
# All rights reserved.
# Copyright (c) 1983 Eric P. Allman. All rights reserved.
# Copyright (c) 1988,199 3
# The Regents of the University of California. All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# Forth in the LICENSE file which can be found at the top level
# The sendmail distribution.
#
#
21 define ('confauth _ MECHANISMS ', 'login plain gssapi extends OS _v4 DIGEST-MD5CRAM-MD5') dnl
22 TRUST_AUTH_MECH ('login plain gssapi export OS _v4 DIGEST-MD5 CRAM-MD5 ') dnl
23 DAEMON_OPTIONS ('port = smtp, Name = MTA ') dnl
24 FEATURE ('no _ default_msa ') dnl
25 DAEMON_OPTIONS ('port = 587, Name = MSA, M = E') dnl
Note: Row 3 enhances the security of sendmail.
Row 7th uses multiple message queues to increase performance
Line 12-16 is commented out here. If you need these advanced settings, you can remove the previous dnl to use it,
But you must know exactly what you are doing.
Rows 20-25 are the most important because they are required for smtp auth.
Now you can compile Sendmail.
# Cd/home/jephe/sendmail-8.11.4
# Sh./Build (if it is not the first compilation, sh./Build-c should be used to clear the last compilation)
# Cd cf/cf
# Sh./Build config. cf
Prepare to compile Sendmail. Before compiling, back up the sendmail execution file and configuration file of your original version, generally/usr/sbin/sendmail and/etc/sendmail. cf.
# Cd ../../
# Sh./Build install
# Cp-f config. cf/etc/mail/sendmail. cf
# Cd/var/spool/mqueue
# Mkdir q1 q2 q3 q4 q5 (you can create more directories at any time and use them as queue directories as long as they start with q)
#/Etc/rc. d/init. d/sendmail restart
Make sure that you can see the following lines during compilation:
...-I/usr/lib/include-DNEWDB-DSASL
In the new version of sendmail, all configuration files are stored in/etc/mail. You may need to do the following:
A. # cp/etc/aliases/etc/mail/aliases
B. # cp/etc/sendmail. cw/etc/mail/local-host-names
C. #/etc/rc. d/init. d/sendmail restart
Now, the compilation should end, and try to run the following command to check the output
#/Usr/sbin/sendmail-d0.1-bv root | grep SASL
You should see the following line
NETUNIX NEWDB QUEUE SASL SCANF SMTP USERDB XDEBUG
3. Set SASL authentication. Use vi to edit the new file/usr/lib/sasl/Sendmail. conf and drop the following lines.
Pwcheck_method: pam
Since PAM is widely used in Redhat Linux, we will use PAM Authentication. We will discuss SASLDB authentication later.
Now let's move the following line to/etc/pam. d/smtp (use vi to edit the new file smtp)
4 auth sufficient/lib/security/pam_listfile.so item = user sense = allow file =/etc/m
Ail/smtpsuperusers. allow
5 auth required/lib/security/pam_listfile.so item = user sense = deny file =/etc/mail
/Smtpusers. deny
6 auth required/lib/security/pam_listfile.so item = group sense = allow file =/etc/ma
Il/smtpgroup. allow
If you have a large number of POP3 users and want to use the same password as POP3, you can use the PAM Authentication method. The above lines are explained as follows:
Line 3: If you want to prohibit all users from mail relay, simply remove the preceding comment.
If row 2nd is enabled, mail relay is prohibited if the user's logon shell is not in/etc/shells.
Row 3-6 uses the PAM_listfile module to pass external file control Authentication
The first line must include this line to use the file/etc/shadow password authentication, so that any user must first pass the password authentication, and then check the subsequent rules.
Row 3: as long as the user is listed in the file/etc/mail/smtpsuperusers. in allow, relay is allowed. Note that sufficient is not required. You must put this row at the beginning so that as long as the user is detected to be listed in the file, then, no further checks will be performed, regardless of how mail relay is allowed.
Relay is prohibited if the user is listed in/etc/mail/smtpusers. deny in the row and one user name in the row.
Row 3: If the user's group is listed in/etc/mail/smtpgroup. allow and is not in/etc/mail/smtpusers. deny, relay is allowed.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
