Up To Date Guide/information Sendmail SMTP Auth


Hello all,

I’ve been googling my brains out since yesterday looking for up-to-date information on this matter, and have found information that is anywhere from 15 to 5 years old. I’d really like some information that is much more up to date on the subject. Specifically configuring Sendmail SMTP authentication (_no smart host stuff_).

I’ve got Sendmail 8.14 installed on a CentOS 7.3 server. Also installed:

– Cyrus-sasl
– Dovecot
– Openssl

Essentially everything I need except the working knowledge for the process. If someone knows where I might locate this information it would be greatly appreciated.

thanks

Mark

17 thoughts on - Up To Date Guide/information Sendmail SMTP Auth

  • I wrote this article years ago:

    https://www.madboa.com/geek/sendmail-auth/

    The configuration outlined there is essentially unchanged today. I
    have it running on a CentOS 7 machine with sendmail 8.14.

    The only real change is the SOCKETDIR setting in
    /etc/sysconfig/saslauthd, which is now /run/saslauthd (rather than
    /var/run/saslauthd). And, of course, I use systemctl rather than chkconfig to control boot-time behavior.

    The trickier bit for me was stopping and restarting the whole SMTP
    toolchain, which includes spamassassin, clamav, and opendmarc. Below my .sig, I’ve included the shell script I use for that.

  • Do you need Cyrus-sasl anymore? Dovecot now comes with its own sasl.

    I am working up a C7-Postfix/MySQL/Postfixadmin/Dovecot/Roundcube/Amavis-clamav howto.

    So, sorry, I switched from Sendmail to Postfix some 6+ years ago.

    I am actually doing this on CentOS7-armv7hl, but it will work on all C7
    arches. It will take me a couple more weeks to finish, but will share with anyone that wants it now or, more so, wants to help.

  • I thought about Postfix for a few minutes, but because of the amount of other stuff I’ve got on my plate, and since I’m already familiar with Sendmail, I decided to stay with it. But thank you.

  • Hi Paul,

    I much appreciate the info and will be having a look at it. I’ll post back as to how it’s gone. Migrating is both enjoyable, exciting and a real BIG pain in the ass; all at the same time.

  • Hi Paul,

    I followed your guide to the letter, however I think it seems I missed something. When I test with telnet to port 25 this is the result:

    > telnet merlin 25
    Trying 10.10.3.6...
    Connected to merlin.ciss.local.
    Escape character is '^]'.
    220 mdw1982.com ESMTP Sendmail 8.14.7/8.13.8; Wed, 8 Mar 2017 16:53:31 -0500
    ehlo merlin
    250-mdw1982.com Hello [10.10.3.102], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-DELIVERBY
    250 HELP
    > auth login
    504 5.3.3 AUTH mechanism login not available

    thoughts?

  • On 08.03.2017 at 22:57, Mark Weaver wrote:

    That makes your mistake obvious: the .cf version is 8.13.8 – it does not match the Sendmail version 8.14.7. So you did not build the sendmail.cf from the modified sendmail.mc.

    Make sure you have run “yum install sendmail-cf” so that “cd /etc/mail;
    make” can do what it should do.

    Alexander

  • And now?

    > telnet merlin 25
    Trying 10.10.3.6...
    Connected to merlin.ciss.local.
    Escape character is '^]'.
    220 mdw1982.com ESMTP Sendmail 8.14.7/8.14.7; Wed, 8 Mar 2017 18:39:51 -0500
    ehlo merlin
    250-mdw1982.com Hello [10.10.3.102], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-DELIVERBY
    250 HELP
    > auth login
    504 5.3.3 AUTH mechanism login not available

  • Many. :-)

    Check your mail log for clues.

    Ensure you have a valid SSL certificate and key. Sendmail is touchy about permissions on the key file. Try googling for confDONT_BLAME_SENDMAIL and GroupReadableKeyFile.

    Make sure saslauthd is configured and running.

    Compile your .mc (m4) file with the macros distributed with the version of sendmail you’re actually running. This line suggests you’re not:

    mdw1982.com ESMTP Sendmail 8.14.7/8.13.8

    That’s a first stab at things to try.
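
Added example, not part of the thread: shell functions that read a saved greeting and EHLO reply and report the two things visible in the sessions above, namely the binary/.cf version pair in the 220 banner and whether an AUTH line is advertised. The first sample is abridged from the session quoted in the thread; the second sample (mail.example.test, 192.0.2.10) is constructed, and all function names are hypothetical.

```shell
# Sample 1: abridged from the session quoted in the thread (no AUTH line).
SAMPLE_BROKEN='220 mdw1982.com ESMTP Sendmail 8.14.7/8.13.8; Wed, 8 Mar 2017 16:53:31 -0500
250-mdw1982.com Hello [10.10.3.102], pleased to meet you
250-ENHANCEDSTATUSCODES
250 HELP'
# Sample 2: constructed reply from a hypothetical host that does offer AUTH.
SAMPLE_OK='220 mail.example.test ESMTP Sendmail 8.14.7/8.14.7; Thu, 9 Mar 2017 10:00:00 -0500
250-mail.example.test Hello [192.0.2.10], pleased to meet you
250-AUTH LOGIN PLAIN
250 HELP'

# Print "<binary version> <sendmail.cf version>" taken from the 220 banner.
banner_versions() {
  printf '%s\n' "$1" | tr -d '\r' |
    sed -n 's|^220 .* Sendmail \([0-9.]*\)/\([0-9.]*\);.*|\1 \2|p' | head -n 1
}

# Succeed only when sendmail.cf was built with the running version's macros.
cf_matches_binary() {
  set -- $(banner_versions "$1")
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Print the SASL mechanisms on the AUTH line; print nothing if there is none.
auth_mechs() {
  printf '%s\n' "$1" | tr -d '\r' |
    sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p' | head -n 1
}

# Succeed when mechanism $2 (any case, e.g. "login") is advertised.
offers_mech() {
  want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  for m in $(auth_mechs "$1"); do
    [ "$m" = "$want" ] && return 0
  done
  return 1
}

# One-line verdict for a captured greeting + EHLO reply.
diagnose() {
  if ! cf_matches_binary "$1"; then
    echo "cf-version-mismatch: rebuild sendmail.cf from sendmail.mc"
  elif [ -z "$(auth_mechs "$1")" ]; then
    echo "no-auth-advertised: check the AUTH settings in sendmail.mc and SASL"
  else
    echo "auth-offered: $(auth_mechs "$1")"
  fi
}
diagnose "$SAMPLE_BROKEN"
```

To use it on a live server, save the greeting and EHLO reply from a session like the one above and pass that text as the first argument to `diagnose`.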

  • I fixed the version mis-match by installing sendmail-cf package and recompiling sendmail.mc. saslauthd is running and configured according to your specs. So, I’m not sure what’s missing.

  • Still googling around and found some things that appear to be missing from the sendmail config, but when I test saslauthd it doesn’t appear to be working.

    testsaslauthd -u username -p mypassword
    0: NO "authentication failed"

  • On 2017-03-09 at 00:41, Mark Weaver wrote:

    [ … ]

    Mark,

    which cyrus-sasl packages did you install?

    What’s your precise Sendmail configuration in sendmail.mc? Please also provide your /etc/sasl2/Sendmail.conf as well as your saslauthd configuration if you make use of it.

    Alexander

    P.S. This is a mailing list, so please strip your replies as it is not necessary to quote a whole previous mail. Just keep the context to which you reply. Thanks.

  • On 2017-03-09 at 02:20, Mark Weaver wrote:

    [ … ]

    How is your saslauthd configured? Which backend does it use? For debugging purposes it is helpful not to start saslauthd as a service but to run it with parameter -d to see its output on stdout.

    Alexander

  • Usually, testsaslauthd needs a service name. In this case,

    testsaslauthd -u username -p mypassword -s SMTP

    If your password has any characters a shell might misinterpret (*, !,
    <, >, &, …), make sure you enclose it in quotation marks.

    What have you seen in your logs (usually /var/log/maillog on CentOS
    systems)? If sendmail is having trouble setting up TLS/SSL, it will let you know!

    You may have to post the entire contents of your sendmail.mc (the m4
    file), redacted as necessary to obscure any non-relevant bits that may be sensitive.

  • Alexander… Paul,

    My apologies for taking so long to reply. I did get everything worked out and if I’m honest I had to go through all the crap I went through to get everything to work; including TLS. Working with MS Exchange and other MS server environment products, not to mention all the other things included in that, has made my Linux skills rather rusty.

    Now that I’ve done it and actually understand what’s going on I can’t believe how blasted easy it really is and feel a little foolish; mostly for allowing my Linux skills to get rusty to begin with. Hell! My CentOS
    5 server simply runs, doesn’t complain, doesn’t break down or choke and puke on updates. (That’s one of the reasons I use to justify my skills getting rusty. ;P )

    But, thank you gentlemen for your assistance. It is appreciated.

    Now… one last question: Is it better to use self-signed certs for Sendmail, or is it better to get CA Authority signed certs for Sendmail?
    I get all my web server certs from Go Daddy, but from what I’ve read so far Sendmail seems to experience issues with CA Authority signed certs that contain a common name and I /believe/ certs from places like Go Daddy require the common name field not be empty.

    thanks in advance…