Recipe 7.4 Limiting Advertised Authentication Mechanisms

Problem

Several different SASL authentication techniques are configured for various uses. You wish to control which authentication techniques are advertised for SMTP AUTH authentication.

Solution

Add the confAUTH_MECHANISMS define to the sendmail configuration. Use the define to list only those authentication techniques that you wish to advertise. Here is a sample confAUTH_MECHANISMS define that might be added to the sendmail configuration:

 dnl Define the acceptable AUTH mechanisms
 define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5')

Build the new sendmail configuration file, copy it to /etc/mail/sendmail.cf, and restart sendmail, as described in Recipe 1.8.

Discussion

The confAUTH_MECHANISMS define sets the values assigned to the sendmail.cf AuthMechanisms option. sendmail advertises any SASL authentication technique listed in the AuthMechanisms option that is configured and running on the local host. The AuthMechanisms comment in a basic sendmail.cf file shows the default list of authentication techniques used by sendmail:

 $ grep AuthMechanisms generic-linux.cf
 #O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5

By default, sendmail will advertise:

  • EXTERNAL, if an external security mechanism, such as TLS, is configured and running.

  • GSSAPI, if the local host is operational as a Kerberos 5 client.

  • KERBEROS_V4, if the local host is operational as a Kerberos 4 client.

  • DIGEST-MD5, if the sasldb database is configured.

  • CRAM-MD5, if the sasldb database is configured.

The receiving host advertises the available authentication techniques, but the connecting host selects the technique that will be used. Therein lies the problem. It is possible for the connecting host to select a technique that you really don't want to use for SMTP authentication, unless you explicitly specify the advertised techniques using the confAUTH_MECHANISMS define. For example:

 # telnet rodent smtp
 Trying 192.168.0.3...
 Connected to rodent.
 Escape character is '^]'.
 220 rodent.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
 ehlo chef
 250-rodent.wrotethebook.com Hello IDENT:/tNy4XlJuCgfwrxksOjP9e2Hm3dZuOiC@chef [192.168.0.8], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250-SIZE
 250-DSN
 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
 250 HELP
 quit
 221 2.0.0 rodent.wrotethebook.com closing connection
 Connection closed by foreign host.

This telnet test shows that rodent.wrotethebook.com advertises GSSAPI, the Kerberos 5 mechanism, as a technique that can be used for SMTP authentication. If the connecting system is a Kerberos 5 client, it may choose this technique to authenticate itself, which is all well and good if the administrator of rodent really wants to use Kerberos 5 for SMTP authentication. If not, the confAUTH_MECHANISMS define shown in the Solution section can be used to limit the list of advertised authentication techniques. After installing that confAUTH_MECHANISMS define on rodent, it displays the following line in its EHLO response:

 250-AUTH DIGEST-MD5 CRAM-MD5 

The confAUTH_MECHANISMS define can also be used to increase the list of advertised authentication techniques. For example, the default SASL configuration on a Red Hat Linux system includes PLAIN and LOGIN as well as DIGEST-MD5 and CRAM-MD5. If the administrator of a Red Hat system placed the following confAUTH_MECHANISMS define in the sendmail configuration:

 define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 PLAIN LOGIN') 

the server would display the following advertisement in its EHLO response:

 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN 

In most cases, this is not a good thing to do. PLAIN and LOGIN are not secure authentication techniques, and they should not be used with sendmail over an unsecured link. PLAIN sends clear text passwords over the network, where they are vulnerable to snooping. LOGIN implements a nonstandard, undocumented, and unsupported authentication exchange used by older, broken SMTP clients, and it also sends clear text passwords. These techniques should only be used if the link itself is encrypted to prevent password snooping. If you must list them, the p flag of confAUTH_OPTIONS (the sendmail.cf AuthOptions option) tells sendmail to withhold mechanisms that are open to simple passive attack, PLAIN and LOGIN among them, until a security layer such as STARTTLS is active, so they never appear in the EHLO response of an unencrypted session.
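The telnet probe earlier in this Discussion and the warning about PLAIN and LOGIN in the paragraph above can be turned into a repeatable check. The script below is an added example, not code from the sendmail Cookbook or from the sendmail distribution: it extracts the mechanisms from a captured EHLO reply, reports whether a cleartext mechanism is offered on a session that is not encrypted, and prints the confAUTH_MECHANISMS define that would drop those mechanisms. The function names are the example's own, and the replies it works on are constructed here: the first copies the EHLO lines from the rodent transcript, the second (from a hypothetical host mail.example.com) is what a Red Hat system with the broader define would send, the third is a server with no SMTP AUTH at all.

```shell
#!/bin/sh
# Added example: audit the AUTH mechanisms in an SMTP EHLO reply.
# Not from the sendmail Cookbook; function names and sample replies are this
# example's own.

# auth_mechs: read an EHLO reply on stdin and print the advertised SASL
# mechanisms, upper-cased, space-separated, on one line (empty if none).
# Accepts "250-AUTH ..." (continuation) and "250 AUTH ..." (last line) forms,
# the non-standard "250-AUTH=..." variant, and CRLF line endings from a
# raw capture.
auth_mechs() {
    tr -d '\r' | awk '
        match(toupper($0), /^250[- ]AUTH[= ]/) {
            n = split(substr($0, RLENGTH + 1), m, " ")
            for (i = 1; i <= n; i++) {
                if (out == "") out = toupper(m[i]); else out = out " " toupper(m[i])
            }
        }
        END { print out }'
}

# cleartext_exposed tls|notls: read an EHLO reply on stdin; succeed (exit 0)
# when PLAIN or LOGIN is advertised on a session that is not encrypted, which
# is the case the text warns about; fail (exit 1) otherwise.
cleartext_exposed() {
    mechs=$(auth_mechs)
    if [ "$1" = tls ]; then
        return 1
    fi
    for m in $mechs; do
        case $m in
            PLAIN|LOGIN) return 0 ;;
        esac
    done
    return 1
}

# hardened_define: read an EHLO reply on stdin and print the sendmail.mc
# define that keeps every advertised mechanism except PLAIN and LOGIN.
hardened_define() {
    keep=
    for m in $(auth_mechs); do
        case $m in
            PLAIN|LOGIN) ;;
            *) keep="$keep${keep:+ }$m" ;;
        esac
    done
    printf "define(\`confAUTH_MECHANISMS', \`%s')\n" "$keep"
}

# Constructed sample replies.  RODENT_DEFAULT copies the EHLO lines from the
# rodent transcript in the text; REDHAT_ALL is what a Red Hat host with the
# broader define would send (hypothetical host, CRLF endings, lower-case
# keyword, AUTH on the final 250 line); NO_AUTH is a server without SMTP AUTH.
RODENT_DEFAULT='250-rodent.wrotethebook.com Hello chef [192.168.0.8], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250 HELP'
REDHAT_ALL=$(printf '250-mail.example.com Hello chef [192.168.0.8], pleased to meet you\r\n250-STARTTLS\r\n250 auth DIGEST-MD5 CRAM-MD5 PLAIN LOGIN\r\n')
NO_AUTH='250-mail.example.com Hello chef [192.168.0.8], pleased to meet you
250 HELP'

# report <label> <reply>: print what the reply advertises and warn when the
# cleartext mechanisms are offered on an unencrypted session.
report() {
    printf '%-14s advertises: %s\n' "$1" "$(printf '%s\n' "$2" | auth_mechs)"
    if printf '%s\n' "$2" | cleartext_exposed notls; then
        printf '%-14s WARNING: PLAIN/LOGIN offered without TLS; use %s\n' \
            "$1" "$(printf '%s\n' "$2" | hardened_define)"
    fi
}

# Stand-alone run over the three constructed replies.
report RODENT_DEFAULT "$RODENT_DEFAULT"
report REDHAT_ALL "$REDHAT_ALL"
report NO_AUTH "$NO_AUTH"
```

To run this against a live host, capture the reply with something like `printf 'EHLO chef\r\nQUIT\r\n' | nc rodent 25` and pipe it into auth_mechs. The check only reports what is advertised on the session you captured; a server that offers STARTTLS may legitimately advertise PLAIN and LOGIN after the TLS handshake, so pass tls to cleartext_exposed for a reply captured inside an encrypted session and notls for one captured on the plain port.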

See Also

Recipe 7.1 and Recipe 7.5 provide related AUTH configuration examples. The sendmail book covers AUTH configuration in Section 10.9 and the confAUTH_MECHANISMS define in 24.9.5.



Sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt
