From owner-freebsd-security Sun Sep 15 5:24:49 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 38BDD37B400
    for ; Sun, 15 Sep 2002 05:24:46 -0700 (PDT)
Received: from antalya.lupe-christoph.de (pD9E8815C.dip0.t-ipconnect.de [217.232.129.92])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 0565A43E75
    for ; Sun, 15 Sep 2002 05:24:44 -0700 (PDT)
    (envelope-from lupe@lupe-christoph.de)
Received: by antalya.lupe-christoph.de (Postfix, from userid 1000)
    id 685E75F0; Sun, 15 Sep 2002 14:24:40 +0200 (CEST)
Date: Sun, 15 Sep 2002 14:24:40 +0200
To: "Scot W. Hetzel"
Cc: Greg Panula , freebsd-security@FreeBSD.ORG
Subject: Re: asmtp 587 - quickie faq submission
Message-ID: <20020915122440.GF23222@lupe-christoph.de>
References: <002b01c25930$f4627270$0100a8c0@soap> <3D7F3726.958781C8@dolaninformation.com> <20020911153003.GD19536@lupe-christoph.de> <20020911161018.GE19536@lupe-christoph.de> <008e01c25b58$2a2eb930$11fd2fd8@ADMIN00>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <008e01c25b58$2a2eb930$11fd2fd8@ADMIN00>
User-Agent: Mutt/1.4i
From: lupe@lupe-christoph.de (Lupe Christoph)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Friday, 2002-09-13 at 14:02:52 -0500, Scot W. Hetzel wrote:
> From: "Lupe Christoph"
> > On Wednesday, 2002-09-11 at 17:30:03 +0200, lupe wrote:

> > > We still need an explanation for sendmail! I found nothing better than
> > > http://www.sendmail.org/~ca/email/auth.html which doesn't look very
> > > /usr/friendly to me ;-)

> > > The default sendmail in FreeBSD is not compiled with SASL and does not
> > > do ASMTP. I suppose one must install the sendmail-sasl port for this.
> > > I'm doing that next, but can't test very much with it, due to my setup.

> Or you can compile the default sendmail w/SASL support during a buildworld.

The latest version of this is:

Q: Ok, how about with Sendmail?

A: To implement ASMTP, you must install a sendmail with SASL compiled in.
This requires the installation of the cyrus-sasl port. You can then
either recompile the system's sendmail as detailed in
/etc/defaults/make.conf (look for SASL) or install the sendmail-sasl
port, and replace the default sendmail with the one from that port.

Add the following to your config.mc and recreate your sendmail.cf

    define(`confAUTH_MECHANISMS', `PLAIN DIGEST-MD5')dnl

This allows use of Plain-text and DIGEST-MD5. Valid options are:
GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 PLAIN

Some help for this can be obtained from:
http://www.sendmail.org/~ca/email/auth.html

More background is contained in
http://www.sendmail.org/~gshapiro/security.pdf

> > Ok, I've installed the port. First thing /usr/local/sbin/sendmail
> > complains about:
> > error: safesasl(/usr/local/etc/sasldb.db) failed: Group readable file
> > Chmodding to 600 gives:
> > error: safesasl(/usr/local/etc/sasldb.db) failed: Permission denied
> > Sigh.

> Read PREFIX/doc/cyrus-sasl/Sendmail.README, It has all the information you
> need to setup Sendmail w/SASL, and to configure the *.mc file.

Greg, can you modify thusly, please:

A: To implement ASMTP, you must install a sendmail with SASL compiled in.
This requires the installation of the cyrus-sasl port. After you have
installed cyrus-sasl, documentation for the modification of sendmail
can be found in /usr/local/share/doc/cyrus-sasl/Sendmail.README.

Starting with Sendmail 8.12, you can also use the security/cyrus-sasl2
port. The documentation for this version ends up in .../doc/cyrus-sasl2.

You can then either recompile the system's sendmail as described in
/usr/local/share/doc/cyrus-sasl*/Sendmail.README or in
/etc/defaults/make.conf (look for SASL) or install the sendmail-sasl
port, and replace the default sendmail with the one from that port.

> Scot W. Hetzel
> Cyrus-SASL v1 Maintainer

The definitive source ;-)

Thanks, Scot!
Lupe

--
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be        |
| unsinkable. The designer had a speech impediment. He said: "I have     |
| thith great unthinkable conthept ..."                                  |

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
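
Added example, not part of the original message and not sendmail's own code: after rebuilding sendmail.cf with the confAUTH_MECHANISMS define quoted in the FAQ draft, compare the mechanisms in the .mc file with what the server's EHLO reply advertises. It assumes sendmail offers only mechanisms that are both listed in confAUTH_MECHANISMS and available from the installed SASL library; the function names, the .mc text and the EHLO reply are constructed for illustration.

```python
import re

# The define from the message: define(`confAUTH_MECHANISMS', `PLAIN DIGEST-MD5')dnl
MC_DEFINE = re.compile(r"define\(`confAUTH_MECHANISMS',\s*`([^']*)'\)")
CLEARTEXT = {"PLAIN", "LOGIN"}  # mechanisms that send the password itself

def configured_mechanisms(mc_text):
    """Mechanisms set by confAUTH_MECHANISMS in .mc text; the last active define wins."""
    mechs = set()
    for line in mc_text.splitlines():
        if line.lstrip().startswith("dnl"):
            continue  # define commented out with m4's dnl
        m = MC_DEFINE.search(line)
        if m:
            mechs = set(m.group(1).upper().split())
    return mechs

def advertised_mechanisms(ehlo_reply):
    """Mechanisms on the AUTH line(s) of a 250 EHLO reply ("AUTH ..." or legacy "AUTH=...")."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs

def compare(mc_text, ehlo_reply):
    """Report where the running server differs from the .mc file."""
    wanted = configured_mechanisms(mc_text)
    offered = advertised_mechanisms(ehlo_reply)
    return {
        "not_offered": sorted(wanted - offered),  # configured but not available to the server
        "unexpected": sorted(offered - wanted),   # offered but not in this .mc (stale sendmail.cf?)
        "cleartext": sorted(offered & CLEARTEXT),
    }

# Constructed sample input (assumption: not taken from a real host).
SAMPLE_MC = """\
dnl define(`confAUTH_MECHANISMS', `GSSAPI KERBEROS_V4')dnl
define(`confAUTH_MECHANISMS', `PLAIN DIGEST-MD5')dnl
"""
SAMPLE_EHLO = """\
250-mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP
"""

if __name__ == "__main__":
    print(compare(SAMPLE_MC, SAMPLE_EHLO))
```
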