Sendmail SMTP SASL authentication: detailed guide

Source: Internet
Author: User
Tags: smtp auth
   I. Overview
In today's network environment mail relay is a much-discussed topic: how to let external or mobile users relay mail through the company's mail server. With standardized SASL authentication and the SMTP AUTH support in recent versions of Sendmail, the problem has become clear and straightforward to solve.
  
   II. Purpose
The purpose of this article is to explain in detail how to compile Cyrus-SASL and Sendmail 8.11 on any Linux system, how to get SMTP AUTH working, and which problems to watch out for.
  
   III. Environment
The build and test environments are Red Hat Linux 6.1 and VA Linux 6.2.4, with cyrus-sasl 1.5.24 and Sendmail 8.11.4. On Red Hat Linux 7.1 nothing needs to be compiled any more; you only have to generate your own sendmail.cf.
  
   IV. Steps
1. Compile and install Cyrus-SASL

# cd /home/jephe
# tar xvfz cyrus-sasl-1.5.24.tar.gz
# cd cyrus-sasl-1.5.24
# ./configure --enable-login    (the default configuration does not build the LOGIN mechanism, but Outlook Express requires it)
# make
# make install
  
This installs the SASL library (libsasl) in /usr/local/lib, the mechanism plug-ins in /usr/local/lib/sasl/ and the header files in /usr/local/include/. Sendmail, however, looks for the plug-ins in /usr/lib/sasl, so the simplest fix is a symbolic link for the plug-in directory plus a copy of the library into /usr/lib:

# cd /usr/lib
# ln -sf /usr/local/lib/sasl
# cp -a /usr/local/lib/libsasl* /usr/lib
  
Finally, it should look like this:

[jephe@smtp lib]$ ls -l libsasl* sasl
-r-x------   1 root          683 Jul 27 16:32 libsasl.la
lrwxrwxrwx   1 root           16 Jul 27 16:32 libsasl.so -> libsasl.so.7.1.8
lrwxrwxrwx   1 root           16 Jul 27 :33 libsasl.so.7 -> libsasl.so.7.1.8
-r-x------   1 root       194079 Jul 27 16:32 libsasl.so.7.1.8
lrwxrwxrwx   1 root           19 Jul 27 16:32 sasl -> /usr/local/lib/sasl
  
Now restrict the file permissions:

# chmod -R 500 /usr/local/lib/sasl /usr/local/lib/libsasl* /usr/lib/sasl /usr/lib/libsasl*

Mode 500 makes the library and plug-ins readable by root only. That is fine for Sendmail 8.11, whose daemon runs as root and whose binary is set-user-ID root, but any other program that links libsasl and runs as a non-root user will no longer be able to load it.

Edit /etc/ld.so.conf and add the following line:

/usr/lib/sasl

Then run

# /sbin/ldconfig    (no error or warning should be printed)
  
2. Now compile Sendmail. Download the latest sendmail.8.11.4.tar.gz from www.sendmail.org and put it in /home/jephe.

# cd /home/jephe
# tar xvfz sendmail.8.11.4.tar.gz
# cd /home/jephe/sendmail-8.11.4

Put the following lines in devtools/Site/site.config.m4 (create the file with vi; make sure the file name is exactly right):

APPENDDEF(`confENVDEF', `-DSASL')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl')
APPENDDEF(`confLIBDIRS', `-L/usr/lib/sasl')
APPENDDEF(`confINCDIRS', `-I/usr/local/include')
  
Use vi to create a new configuration file cf/cf/config.mc with the following content. (The line numbers are not part of the file; they are only there so that each line can be explained below. The divert(0)dnl line after the copyright comment is essential: everything after divert(-1) is discarded until it appears, so without it the generated sendmail.cf would be empty.)

divert(-1)
#
# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers.
#	All rights reserved.
# Copyright (c) 1983 Eric P. Allman.  All rights reserved.
# Copyright (c) 1988, 1993
#	The Regents of the University of California.  All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#
divert(0)dnl

1  VERSIONID(`$Id: generic-linux.mc,v 8.1 22:48:05 gshapiro Exp $')
2  OSTYPE(linux)dnl
3  DOMAIN(generic)dnl
4  MAILER(local)dnl
5  MAILER(smtp)dnl

6  define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,novrfy,noexpn')dnl
7  define(`QUEUE_DIR', `/var/spool/mqueue/q*')dnl

8  FEATURE(`use_cw_file')dnl
9  FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
10 FEATURE(`domaintable', `hash -o /etc/mail/domaintable')dnl
11 FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl

12 dnl FEATURE(`genericstable', `hash -o /etc/mail/genericstable')dnl
13 dnl GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain')dnl
14 dnl FEATURE(allmasquerade)dnl
15 dnl FEATURE(masquerade_envelope)dnl
16 dnl MASQUERADE_AS(yourdomain.com)dnl

17 FEATURE(redirect)dnl
18 FEATURE(always_add_domain)dnl
19 FEATURE(`access_db')dnl
20 FEATURE(`blacklist_recipients')dnl

21 define(`confAUTH_MECHANISMS', `LOGIN PLAIN GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5')dnl
22 TRUST_AUTH_MECH(`LOGIN PLAIN GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5')dnl
23 DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
24 FEATURE(`no_default_msa')dnl
25 DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')dnl
  
Notes: line 6 tightens Sendmail's privacy flags (VRFY and EXPN refused, HELO required, authentication warnings added) and so improves security.
Line 7 uses multiple queue directories (every directory under /var/spool/mqueue whose name starts with q) to improve performance.
Lines 12-16 are commented out. If you need these advanced settings, remove the leading dnl to enable them,
but you must know exactly what you are doing.
Lines 21-25 are the most important, because they are what SMTP AUTH needs: line 21 lists the mechanisms Sendmail offers, and line 22 tells Sendmail that a client authenticated with any of these mechanisms may relay (just as if it had an entry in the access database). Line 24 drops the built-in MSA definition and line 25 adds our own on port 587 (M=E disallows ETRN there). Keep in mind that LOGIN and PLAIN only base64-encode the password, so they are as good as cleartext unless the session is protected by STARTTLS or the network is trusted. Also, the cf/README asks for the MAILER() lines to be the last lines of a .mc file; moving lines 4 and 5 to the end is the safer layout.
  
Now you can compile Sendmail.

# cd /home/jephe/sendmail-8.11.4
# sh ./Build        (if this is not the first build, run sh ./Build -c first to clean up the previous one)
# cd cf/cf
# sh ./Build config.cf

Before installing, back up the sendmail binary and configuration file of your original version, generally /usr/sbin/sendmail and /etc/sendmail.cf.

# cd ../../
# sh ./Build install
# cp -f cf/cf/config.cf /etc/mail/sendmail.cf
# cd /var/spool/mqueue
# mkdir q1 q2 q3 q4 q5    (you can add more directories at any time; any directory here whose name starts with q is used as a queue directory)
# /etc/rc.d/init.d/sendmail restart
  
Make sure that the compiler command lines shown during the build contain -DSASL, for example:

... -DNEWDB -DSASL

In this version of Sendmail all configuration files live in /etc/mail, so you may need to do the following:

A. # cp /etc/aliases /etc/mail/aliases

B. # cp /etc/sendmail.cw /etc/mail/local-host-names
C. # /etc/rc.d/init.d/sendmail restart

The build is now complete. Run the following command and check the output:

# /usr/sbin/sendmail -d0.1 -bv root | grep SASL

You should see a line like this, with SASL among the compiled-in options:

NETUNIX NEWDB QUEUE SASL SCANF SMTP USERDB XDEBUG
  
   3. Configure SASL authentication
Use vi to create the file /usr/lib/sasl/Sendmail.conf (the name is the application name Sendmail passes to the library, with a capital S) and put the following line in it:

pwcheck_method: pam

Since PAM is used everywhere on Red Hat Linux, we use PAM authentication here; SASLDB authentication is discussed later. Note that with pwcheck_method: pam the library can only verify mechanisms that hand it the password in the clear, that is PLAIN and LOGIN. CRAM-MD5 and DIGEST-MD5 need the shared secret from a sasldb, so although line 21 of config.mc advertises them, they will not authenticate anyone with this setup.
  
  
Now create /etc/pam.d/smtp with vi and put the following lines in it (the line numbers are not part of the file):

#%PAM-1.0

1 #auth required /lib/security/pam_deny.so
2 #auth required /lib/security/pam_shells.so

3 auth required /lib/security/pam_pwdb.so shadow md5

4 auth sufficient /lib/security/pam_listfile.so item=user sense=allow file=/etc/mail/smtpsuperusers.allow

5 auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/mail/smtpusers.deny
6 auth required /lib/security/pam_listfile.so item=group sense=allow file=/etc/mail/smtpgroup.allow
  
If you have many POP3 users and want SMTP AUTH to use the same passwords as POP3, PAM authentication is the way to do it. The lines above mean the following:

Line 1: if you want to forbid mail relay for everybody, simply remove the leading comment; pam_deny fails every request.
Line 2: if enabled, a user whose login shell is not listed in /etc/shells cannot relay.
Line 3 must be present: it checks the password against /etc/shadow, so every user has to pass password authentication first, and only then are the following rules evaluated.
Lines 4-6 use pam_listfile to control relay through external files.

Line 4: a user listed in /etc/mail/smtpsuperusers.allow may relay. Note the control flag sufficient: this line must come first among the list checks, because as soon as the user is found in the file the stack returns success and no further checks are made (so a name in this file also overrides the deny list in line 5).

Line 5: relay is refused if the user name is listed in /etc/mail/smtpusers.deny.

Line 6: if one of the user's groups is listed in /etc/mail/smtpgroup.allow (and the user is not in /etc/mail/smtpusers.deny), relay is allowed.

Two checks worth making: the three list files must exist, be regular files owned by root and not world-writable, because pam_listfile treats a missing or insecure file as an error and by default (onerr=fail) fails the check; and a sufficient success never overrides a required module that has already failed, so a wrong password is always refused, even for a user in smtpsuperusers.allow.
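To make the interplay of required and sufficient concrete, here is an added example (not part of the original article) that models Linux-PAM's evaluation of lines 3-6 in Python and runs it over a constructed user database and constructed contents for the three list files. The users, passwords, groups and file contents are invented for the illustration; nothing here performs a real password or PAM lookup.

```python
"""Model of how Linux-PAM evaluates the six-line /etc/pam.d/smtp stack above.

Added example, not part of the original article: it re-implements the
"required" / "sufficient" control-flag semantics so the relay decision for a
few constructed users can be traced without a running PAM or Sendmail. The
user database, group memberships and the contents of the three list files
are made-up sample data.
"""

# --- constructed sample data (assumption, not from the article) ----------
USERS = {  # login -> (password, set of groups the user belongs to)
    "alice": ("alice-pw", {"users", "sales"}),
    "bob":   ("bob-pw",   {"users"}),
    "carol": ("carol-pw", {"users", "sales"}),
    "dave":  ("dave-pw",  {"users", "mailadmin"}),
}
SMTPSUPERUSERS_ALLOW = {"dave"}            # /etc/mail/smtpsuperusers.allow
SMTPUSERS_DENY = {"carol", "dave"}         # /etc/mail/smtpusers.deny
SMTPGROUP_ALLOW = {"sales"}                # /etc/mail/smtpgroup.allow


def pam_pwdb(user, password):
    """Line 3: password check against the (constructed) shadow database."""
    return user in USERS and USERS[user][0] == password


def pam_listfile(item, sense, entries):
    """Lines 4-6: pam_listfile. item=user matches the login name, item=group
    matches any group the user belongs to; sense=allow succeeds when the item
    is listed, sense=deny succeeds when it is not."""
    def check(user, _password):
        if user not in USERS:
            return False
        found = user in entries if item == "user" else bool(USERS[user][1] & entries)
        return found if sense == "allow" else not found
    check.__name__ = f"pam_listfile(item={item},sense={sense})"
    return check


# The auth stack exactly as in /etc/pam.d/smtp lines 3-6 (lines 1-2 stay commented out).
AUTH_STACK = [
    ("required",   pam_pwdb),
    ("sufficient", pam_listfile("user",  "allow", SMTPSUPERUSERS_ALLOW)),
    ("required",   pam_listfile("user",  "deny",  SMTPUSERS_DENY)),
    ("required",   pam_listfile("group", "allow", SMTPGROUP_ALLOW)),
]


def pam_authenticate(user, password, stack=AUTH_STACK):
    """Return (allowed, trace), following Linux-PAM dispatch for the two flags used:
    required   - a failure is remembered, the rest of the stack still runs, final result is failure;
    sufficient - success ends the stack with success unless a required module already
                 failed; a failure of a sufficient module is ignored."""
    required_failed = False
    trace = []
    for flag, module in stack:
        ok = module(user, password)
        trace.append((module.__name__, flag, ok))
        if flag == "required" and not ok:
            required_failed = True
        elif flag == "sufficient" and ok and not required_failed:
            return True, trace   # short-circuit: the deny/allow lines below are never consulted
    return not required_failed, trace


def relay_decisions():
    """Relay decision for every constructed user with the right password, plus two wrong passwords."""
    cases = [(u, USERS[u][0]) for u in USERS] + [("alice", "wrong"), ("dave", "wrong")]
    return {(u, pw): pam_authenticate(u, pw)[0] for u, pw in cases}


if __name__ == "__main__":
    for (user, pw), allowed in relay_decisions().items():
        print(f"{user:6s} password={pw:9s} relay={'allowed' if allowed else 'DENIED'}")
```

Running it shows dave relaying although he is listed in smtpusers.deny, because the sufficient line 4 returns before line 5 is reached, while dave with a wrong password is refused, because the required failure in line 3 is remembered; bob is refused for not being in an allowed group and carol for being in the deny list.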
  
Now you can test with telnet:

# telnet localhost 25
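What happens on that telnet session, shown as an added example rather than text from the article: the script below builds the AUTH PLAIN and AUTH LOGIN exchanges exactly as a mail client does (base64 encoding of the credentials, the 334 challenge and response steps for LOGIN) and runs them against a small in-memory stand-in for a SASL-enabled Sendmail written for this example. The host names, user name and password are made up, and the stand-in checks only its one built-in user instead of calling PAM.

```python
"""The SMTP AUTH exchange a client performs after `telnet localhost 25`.

Added example, not from the article. It encodes AUTH PLAIN and AUTH LOGIN
the way Outlook Express or any SASL client does, and walks the dialogue
against a tiny in-memory stand-in for Sendmail (constructed here; it only
knows the one user below and does no real PAM lookup). Host names, user
and password are made-up values.
"""
import base64
import re

USER, PASSWORD = "jephe", "s3cret"        # constructed credentials


def parse_auth_mechanisms(ehlo_response):
    """Return the mechanisms advertised on the 250-AUTH line of an EHLO reply."""
    for line in ehlo_response.splitlines():
        m = re.match(r"250[- ]AUTH (.*)", line)
        if m:
            return m.group(1).split()
    return []


def auth_plain_initial(user, password, authzid=""):
    """PLAIN (RFC 2595): base64(authzid NUL authcid NUL passwd), sent as the
    initial response on the AUTH PLAIN line itself."""
    raw = f"{authzid}\0{user}\0{password}".encode()
    return base64.b64encode(raw).decode()


def auth_login_steps(user, password):
    """LOGIN: user name and password as two separate base64 replies to 334 prompts."""
    return [base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


class FakeSendmail:
    """Minimal stand-in that mimics the reply codes of a SASL-enabled MTA."""
    def __init__(self, user, password):
        self.user, self.password = user, password
        self.authenticated = False
        self.pending = None          # state for the two-step LOGIN dialogue

    def handle(self, line):
        if self.pending == "login-user":
            self.pending, self._u = "login-pass", base64.b64decode(line).decode()
            return "334 " + base64.b64encode(b"Password:").decode()
        if self.pending == "login-pass":
            self.pending = None
            return self._finish(self._u, base64.b64decode(line).decode())
        if line.startswith("EHLO"):
            return ("250-smtp.example.com Hello\r\n"
                    "250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5\r\n"
                    "250 HELP")
        if line.startswith("AUTH PLAIN "):
            _authz, user, pw = base64.b64decode(line.split()[2]).decode().split("\0")
            return self._finish(user, pw)
        if line == "AUTH LOGIN":
            self.pending = "login-user"
            return "334 " + base64.b64encode(b"Username:").decode()
        if line.startswith("AUTH "):
            return "504 5.7.4 Unrecognized authentication type"
        return "500 5.5.1 Command unrecognized"

    def _finish(self, user, pw):
        self.authenticated = (user == self.user and pw == self.password)
        return "235 2.0.0 OK Authenticated" if self.authenticated else "535 5.7.0 authentication failed"


def authenticate(server, user, password, prefer="PLAIN"):
    """Run EHLO + AUTH against `server`; return ([(client_line, server_reply)...], success)."""
    transcript = []

    def send(cmd):
        reply = server.handle(cmd)
        transcript.append((cmd, reply))
        return reply

    mechs = parse_auth_mechanisms(send("EHLO client.example.com"))
    if prefer == "PLAIN" and "PLAIN" in mechs:
        reply = send("AUTH PLAIN " + auth_plain_initial(user, password))
    elif "LOGIN" in mechs:
        reply = send("AUTH LOGIN")
        for step in auth_login_steps(user, password):
            reply = send(step)
    else:
        return transcript, False
    return transcript, reply.startswith("235")


if __name__ == "__main__":
    for mech in ("PLAIN", "LOGIN"):
        lines, ok = authenticate(FakeSendmail(USER, PASSWORD), USER, PASSWORD, prefer=mech)
        for cmd, reply in lines:
            print("C:", cmd)
            print("S:", reply)
        print("authenticated:", ok, "\n")
```

The transcript it prints is the manual test to type into the telnet session (with real credentials): after EHLO the 250-AUTH line must list the mechanisms from line 21 of config.mc, and a successful AUTH ends with a 235 reply. Decoding the AUTH PLAIN argument with base64 recovers the password unchanged, which is why PLAIN and LOGIN belong only on STARTTLS-protected sessions or trusted networks.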
