Recipe 7.1 Offering AUTH Authentication

Problem

In order to require strong authentication before granting special privileges, such as relaying, you have been asked to configure sendmail to offer AUTH authentication.

Solution

AUTH requires the SASL library. Configure the SASL authentication technique that you wish to use. See this chapter's Introduction for information about the SASL library and where it can be obtained.

Run sendmail with the -d0.1 debug option to check its compiler options. If the "Compiled with:" list includes SASL, restart sendmail to load the freshly configured SASL libraries and you're ready to run. If SASL is not in the "Compiled with:" list, recompile sendmail as shown in Recipe 1.5.

Discussion

There is no need to add m4 macros to the sendmail configuration to advertise basic AUTH mechanisms. Only a properly installed and configured SASL library and a copy of sendmail that has been compiled with SASL support are needed.

The SASL configuration is driven by which SASL authentication techniques are installed on your system and by which of those techniques are selected for use. Our sample Red Hat system was delivered with SASL preinstalled. Figure 7-1 shows the System Environment/Libraries window from an RPM management tool.

Figure 7-1. Observing the installed SASL libraries in Red Hat Linux

The figure shows the three SASL library modules that came with this Linux system. cyrus-sasl-1.5.24-25 is the basic SASL library. cyrus-sasl-plain-1.5.24-25 is the SASL plug-in that provides the PLAIN and LOGIN authentication techniques. cyrus-sasl-md5-1.5.24-25 is the plug-in that provides the CRAM-MD5 and DIGEST-MD5 SASL authentication techniques. Of these, only CRAM-MD5 and DIGEST-MD5 offer any real security.

The sendmail server will not advertise the DIGEST-MD5 and CRAM-MD5 techniques unless the file /etc/sasldb exists. sasldb stores the names and passwords used for MD5 authentication. The file is built by saslpasswd the first time it is used to create an SASL password. To authenticate a client with the sasldb, add the client's name and password to the database. Assume we want to authenticate crab using MD5 and that we assign crab the password It'sasecret!. The following command would accomplish this and make both CRAM-MD5 and DIGEST-MD5 available for sendmail authentication:

    # saslpasswd -c -u wrotethebook.com crab
    Password: It'sasecret!
    Again (for verification): It'sasecret!

The -u argument defines the SASL realm. When creating an SASL account for AUTH authentication, always explicitly define the realm with the -u argument. The realm used on both endpoints must agree in order for authentication to succeed. Take control of this important information by explicitly defining the realm that both the server and the client should use. In the example, the realm is wrotethebook.com, which is the same as the local domain name. The string used to name the realm is arbitrary. It can be any value you choose. While the realm does not have to be a domain name, it usually is for the sake of simplicity.

The -c argument tells saslpasswd to create a new account. The account name, crab in the example, is placed at the end of the command line. saslpasswd then prompts for a password for the crab account. This password is the shared-secret key used for DIGEST-MD5 or CRAM-MD5 authentication.

After configuring SASL, the receiving host responds to the SMTP EHLO command by listing the available AUTH authentication techniques. A telnet test shows this:

    # telnet localhost smtp
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
    ehlo localhost
    250-chef.wrotethebook.com Hello IDENT:jlXFenYjCfmga11KxmpDxZFsKgljZB2/@localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5
    250-DELIVERBY
    250 HELP
    QUIT
    221 2.0.0 chef.wrotethebook.com closing connection
    Connection closed by foreign host.

The receiving host responds to the EHLO command with a list of the extended services that it supports. The 250-AUTH response shows that the host supports the AUTH protocol, and the response lists the specific authentication techniques that it supports. In the example, the server advertises DIGEST-MD5 and CRAM-MD5, meaning that SASL has been configured for CRAM-MD5 and DIGEST-MD5, and sendmail has been directed to advertise these authentication methods. Recipe 7.4 describes how to control which AUTH techniques are advertised by sendmail.
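As an added example (not code from the sendmail Cookbook), the following Python script parses an EHLO reply the way the telnet test above is read by eye, and flags a server that advertises the PLAIN or LOGIN mechanisms, which carry the password itself rather than a challenge response. The probe() helper and the sample reply text are assumptions constructed for the example.

```python
import socket

# Mechanisms that send the password itself instead of answering a challenge;
# on a cleartext SMTP session they hand the shared secret to any eavesdropper.
WEAK_MECHANISMS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Return the set of AUTH mechanisms advertised in an EHLO reply.
    Accepts the '250-AUTH X Y' form shown in the recipe and the older '250-AUTH=X Y'."""
    mechanisms = set()
    for line in reply.splitlines():
        line = line.strip()
        if not line.startswith("250"):
            continue
        body = line[4:]                      # drop '250-' or '250 '
        if body.upper().startswith("AUTH="):
            body = body.replace("=", " ", 1)
        words = body.split()
        if words and words[0].upper() == "AUTH":
            mechanisms.update(w.upper() for w in words[1:])
    return mechanisms

def audit_auth(reply):
    """Classify a reply: 'no-auth', 'weak' (PLAIN/LOGIN offered) or 'ok'."""
    mechanisms = parse_ehlo(reply)
    if not mechanisms:
        return "no-auth"
    return "weak" if mechanisms & WEAK_MECHANISMS else "ok"

def probe(host, port=25, helo_name="localhost", timeout=10):
    """Run the EHLO exchange against a live server and return its raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        reader.readline()                    # 220 greeting (one line assumed)
        sock.sendall(b"EHLO " + helo_name.encode() + b"\r\n")
        lines = []
        while True:
            line = reader.readline().decode(errors="replace")
            lines.append(line)
            if not line or line[3:4] == " ":  # '250 ' closes the multi-line reply
                break
        sock.sendall(b"QUIT\r\n")
        return "".join(lines)

# Constructed sample reply mirroring the recipe's telnet test.
SAMPLE_REPLY = """250-chef.wrotethebook.com Hello localhost [127.0.0.1], pleased to meet you
250-PIPELINING
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP
"""
```

Calling audit_auth(probe("mailhost")) against your own server returns "ok" only when every advertised mechanism is challenge-response, which is what this recipe's configuration should produce.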

In the example above, the receiving system responds with 250-AUTH . If you have just configured the receiving system, and it doesn't issue the 250-AUTH response, there are several things you can do to try to discover the problem. First, check the log to see if any security problems are logged. sendmail may have been unable to open a required file.

If basic logging doesn't show the problem, increase the LogLevel to 13 and rerun the test shown above. (Recipe 1.10 provides an example of setting the sendmail LogLevel.) Examine the log again.

sendmail only advertises AUTH if some of the authentication mechanisms that it is configured to accept are available from SASL and properly configured. grep the log for the string mech=. The available mech= log entry lists the mechanisms that sendmail believes are offered by SASL. The allowed mech= entry lists the mechanisms that sendmail believes it is allowed to offer. sendmail only issues the 250-AUTH response if these lists share some common items. If the available mech= list identifies some mechanism, you can change the list of mechanisms that sendmail will accept using the confAUTH_MECHANISMS define described in Recipe 7.6.

If the available mech= list is empty, and the log contains either an error message from SASL that contains the string listmech=0 or the sendmail error message "AUTH warning: no mechanisms," SASL is not properly installed and configured. SASL must be installed with authentication mechanisms, as noted earlier in the discussion of Figure 7-1. Make sure you download and properly install all of the required libraries.

If SASL is not complaining but sendmail is, perhaps sendmail is looking in the wrong place for SASL libraries. The path to SASL libraries can be set using the environment variable SASL_PATH by adding lines such as the following to the sendmail configuration:

    LOCAL_CONFIG
    ESASL_PATH=/usr/lib/sasl

Of course, this path is only an example. You would use the path value appropriate to your system.
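The troubleshooting steps above (check the available mech= and allowed mech= entries, look for listmech=0 or "AUTH warning: no mechanisms", and only then suspect SASL_PATH) can be applied mechanically to a saved log. The following Python function is an added example, not the Cookbook's own code; the log lines it runs on are constructed and the syslog prefix is assumed.

```python
import re

# The two lists the recipe says to grep for; each is read up to the next comma.
AVAILABLE = re.compile(r"available mech=([^,]*)")
ALLOWED = re.compile(r"allowed mech=([^,]*)")

def diagnose_auth(log_text):
    """Apply the recipe's troubleshooting logic to sendmail log text.

    Returns (verdict, mechanisms):
      'sasl-broken'  no available mech= mechanisms, or SASL/sendmail report none
      'no-overlap'   SASL offers mechanisms but none is in sendmail's allowed list
      'advertised'   the intersection sendmail will put in its 250-AUTH reply
    """
    available, allowed = set(), set()
    no_mechanisms = False
    for line in log_text.splitlines():
        if "listmech=0" in line or "AUTH warning: no mechanisms" in line:
            no_mechanisms = True
        match = AVAILABLE.search(line)
        if match:
            available.update(match.group(1).split())
        match = ALLOWED.search(line)
        if match:
            allowed.update(match.group(1).split())
    if no_mechanisms or not available:
        return "sasl-broken", set()          # reinstall SASL plug-ins, check SASL_PATH
    offered = available & allowed
    if not offered:
        return "no-overlap", available       # adjust confAUTH_MECHANISMS (Recipe 7.6)
    return "advertised", offered

# Constructed log lines in the layout the recipe describes.
HEALTHY_LOG = """Aug 22 12:01:37 chef sendmail[2231]: AUTH: available mech=DIGEST-MD5 CRAM-MD5, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
"""
BROKEN_LOG = """Aug 22 12:05:02 chef sendmail[2260]: AUTH warning: no mechanisms
Aug 22 12:05:02 chef sendmail[2260]: AUTH: available mech=, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
"""
NO_OVERLAP_LOG = """Aug 22 12:09:11 chef sendmail[2290]: AUTH: available mech=PLAIN LOGIN, allowed mech=DIGEST-MD5 CRAM-MD5
"""
```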

Installing SASL, configuring the sasldb, and compiling sendmail with SASL support configures sendmail to accept only inbound AUTH connections. If the system must also send out mail using AUTH authentication, the configuration in Recipe 7.2 should be added to this recipe to create a complete configuration.

See Also

Recipe 7.4 and Recipe 7.5 provide related AUTH configuration examples. The sendmail book covers AUTH configuration in Section 10.9. See the sysadmin.html file in the SASL documentation directory for additional information about SASL configuration.



sendmail Cookbook, by Craig Hunt. ISBN: 0596004710. Year: 2005. Pages: 178.
