Date:      Tue, 2 Dec 2003 16:14:23 +0100
From:      Simon Barner <barner@in.tum.de>
To:        Dan Strick <strick@covad.net>
Cc:        dan@mist.nodomain
Subject:   Re: sendmail and SMTP client-side authentication
Message-ID:  <20031202151423.GD618@zi025.glhnet.mhn.de>
In-Reply-To: <200312020802.hB282549000478@mist.nodomain>
References:  <200312020802.hB282549000478@mist.nodomain>


> 	AuthInfo:mail.covad.net         "U:userid" "P:password"
>
> (of course "userid" and "password" are not the real values).
>
> When my sendmail connects to the email relay, the email relay says
> (in SMTP speak):
>
> 	250-covad.net
> 	250-AUTH LOGIN PLAIN
> 	250-AUTH=LOGIN PLAIN

Perhaps the remote site does not allow the PLAIN authentication method.
When I performed my research for the sendmail tutorial at

http://home.leo.org/~barner/freebsd/articles/mailsetup/article.html,

I found that the following works for me:

AuthInfo:external.mail.server "U:remoteuser" "I:remoteuser" "P:secret"
   "R:external.mail.server" "M:DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"

> but there is no obvious exchange of authentication information
> and my ISP's email relay sometimes rejects my attempts to submit
> email for relay.  This is a typical SMTP rejection message:
>
>     553 sorry, that domain isn't allowed to be relayed thru this MTA (#5.7.1)
>
> Sometimes my email gets through.  I don't know why.

That's very strange indeed. Do you get more valuable information in the
maillog when you increase sendmail verbosity level:

define(`confLOG_LEVEL', `15')

> When I send email via Netscape, Netscape does authenticate itself
> to the email relay.
>
> Note: I did do a "make sendmail.cf" in /etc/mail after changing
> the .mc file and I did restart the sendmail daemons before sending
> the rejected email.  The authinfo file belongs to root:wheel and
> has mode 640.  I also tried it with mode 644 just in case.  I also
> tried creating the file /etc/mail/access with the same contents and
> doing "makemap hash /etc/mail/access".  The sendmail.mc file
> contains the standard line:
>
> 	FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')

I figured out that you apparently need to stop and restart sendmail
in order to apply your SASL changes. IIRC this is because SASL is
provided by an external library that has the named behavior.

So, "make install stop start" might work for you.

> Can someone who knows how this is supposed to work help me out?
>=20
> Is there an SMTP authentication protocol that protects the
> authentication information from network snoopers?

Yes, everything apart from M$'s PLAIN method will perform some sort of
encryption. If your mail relay supports SSL/TLS, you should definitely
rebuild your sendmail installation with support for it, since some
of the authentication protocols don't use real encryption but only
scramble the login handshake a bit. If sendmail is aware of TLS, it will
automatically make use of it if it's available on the remote end.

Simon

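The exchange discussed in this thread, as an added worked example that is not part of the original message or of sendmail's code. It assumes Python 3 with only the standard library. The credentials reuse the placeholder names from the AuthInfo line above ("remoteuser"/"secret"), the EHLO lines are the ones quoted from the covad.net relay, and the CRAM-MD5 check uses the test vector published in RFC 2195. The script shows what each mechanism actually puts on the wire: PLAIN and LOGIN are base64-encoded clear text, so a sniffer reads the password directly; CRAM-MD5 keeps the password off the wire but a captured challenge/response pair can be attacked offline, which is the "scrambled handshake" point. It also intersects the client's "M:" list with the relay's EHLO offer: since this relay advertises only LOGIN and PLAIN, STARTTLS is the only thing that would protect the password here. The mechanism-picking function is a simplified model of that intersection, not the SASL library's own selection logic.

```python
import base64
import hashlib
import hmac

# Constructed sample values, reusing the placeholder names from the AuthInfo
# line in the thread; they are not real credentials.
USER = "remoteuser"
PASSWORD = "secret"

# EHLO response as quoted in the thread: only LOGIN and PLAIN are offered.
EHLO_LINES = ["250-covad.net", "250-AUTH LOGIN PLAIN", "250-AUTH=LOGIN PLAIN"]


def b64_text(token):
    """Decode one base64 token from the wire back to text (what a sniffer does)."""
    return base64.b64decode(token).decode()


def offered_mechanisms(ehlo_lines):
    """Collect the mechanisms a server advertises on its 'AUTH ' / 'AUTH=' EHLO lines."""
    offered = set()
    for line in ehlo_lines:
        body = line[4:]                      # strip '250-' or '250 '
        if body.startswith("AUTH ") or body.startswith("AUTH="):
            offered.update(body[5:].split())
    return offered


def pick_mechanism(ehlo_lines, client_mechs):
    """First entry of the client's list that the server also offers. This is a
    simplified model of intersecting AuthInfo's M: list with the EHLO offer;
    the real choice is made by the SASL library using its own ranking."""
    offered = offered_mechanisms(ehlo_lines)
    return next((m for m in client_mechs if m in offered), None)


def plain_response(authcid, password, authzid=""):
    """SASL PLAIN (RFC 4616): one base64 blob of authzid NUL authcid NUL password.
    base64 is an encoding, not encryption: the password is readable on the wire."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()


def plain_decode(token):
    """What a passive listener recovers from a captured PLAIN response."""
    authzid, authcid, password = b64_text(token).split("\0")
    return authzid, authcid, password


def login_exchange(user, password):
    """AUTH LOGIN (never standardised, but offered by the relay quoted above):
    the server sends base64 'Username:' then 'Password:', the client answers
    each with a base64 token. Both answers are clear text once decoded."""
    return [base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def cram_md5_response(user, password, challenge_b64):
    """CRAM-MD5 (RFC 2195): the client returns 'user hex(HMAC-MD5(password, challenge))'.
    The password never crosses the wire, but the handshake is only scrambled:
    anyone holding challenge + response can test password guesses offline."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(stored_password, challenge_b64, response_b64):
    """Server side of CRAM-MD5: recompute the digest from the stored clear-text
    password and compare in constant time. Returns (user, ok)."""
    user, digest = b64_text(response_b64).rsplit(" ", 1)
    expected = hmac.new(stored_password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return user, hmac.compare_digest(digest, expected)


def crack_cram_md5(challenge_b64, response_b64, wordlist):
    """Offline dictionary attack against a captured CRAM-MD5 exchange."""
    user, _ = b64_text(response_b64).rsplit(" ", 1)
    for guess in wordlist:
        if cram_md5_response(user, guess, challenge_b64) == response_b64:
            return guess
    return None


if __name__ == "__main__":
    mech = pick_mechanism(EHLO_LINES, ["DIGEST-MD5", "CRAM-MD5", "LOGIN", "PLAIN"])
    print("relay offers", sorted(offered_mechanisms(EHLO_LINES)), "-> client would use", mech)
    print("PLAIN on the wire:", plain_response(USER, PASSWORD))
    print("  decoded by a sniffer:", plain_decode(plain_response(USER, PASSWORD)))
    # Challenge string taken from the RFC 2195 example exchange.
    chal = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
    resp = cram_md5_response(USER, PASSWORD, chal)
    print("CRAM-MD5 on the wire:", b64_text(resp))
    print("  offline guess from a wordlist:", crack_cram_md5(chal, resp, ["password", "secret"]))
```

Run it as-is to see the decoded PLAIN and CRAM-MD5 tokens side by side; the practical takeaway for the relay in this thread is that with only LOGIN and PLAIN on offer, the "M:" list cannot buy any protection and the password is safe only inside a TLS session.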



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031202151423.GD618>