Problem

You have an internal mail system that is not advertised to the outside world and never provides service to the outside world. You have been asked to configure that system to always require strong authentication from connecting hosts.

Solution

Create a basic AUTH configuration as described in Recipe 7.1 and Recipe 7.2. Add to the sendmail configuration a DAEMON_OPTIONS macro that specifies the M=a modifier to require AUTH authentication. Adding the following lines requires AUTH for any connection on the SMTP port:

dnl Require AUTH for all incoming SMTP connections
DAEMON_OPTIONS(`Name=MTA, M=a')

Build the sendmail.cf file, copy it to /etc/mail/sendmail.cf, and restart sendmail. Use Recipe 1.8 as a guide.

Discussion

Use the DAEMON_OPTIONS macro on systems running sendmail 8.12 and later. Prior to sendmail 8.12, daemon port options were set using the confDAEMON_OPTIONS define. confDAEMON_OPTIONS is no longer valid. Attempting to use it with a current release of sendmail produces the following build error:

WARNING: confDAEMON_OPTIONS is no longer valid. Use DAEMON_OPTIONS( ); see cf/README.

If you have an older version of sendmail that uses the confDAEMON_OPTIONS define, we recommend upgrading to a newer version of sendmail. The DAEMON_OPTIONS macro provides more configuration features.

The DAEMON_OPTIONS macro adds values to a sendmail.cf DaemonPortOptions statement or inserts a new DaemonPortOptions statement into the sendmail.cf file. A basic sendmail.cf configuration includes two DaemonPortOptions statements: one for the message submission agent (MSA) and one for the mail transfer agent (MTA).
A grep of the generic-linux.cf file shows this:

# grep DaemonPortOptions generic-linux.cf
O DaemonPortOptions=Name=MTA
O DaemonPortOptions=Port=587, Name=MSA, M=E

The DAEMON_OPTIONS macro in the Solution section adds a modifier to the message transfer agent DaemonPortOptions statement, creating the following sendmail.cf command:

O DaemonPortOptions=Name=MTA, M=a

The fact that the MTA is being modified is made clear by the Name=MTA parameter. However, even if that parameter were not specified, the MTA would still have been modified, because the Port value defaults to smtp, which is the port used by the MTA. To add the a modifier to the MSA configuration instead, the default MSA configuration must first be removed with the no_default_msa feature, and the DAEMON_OPTIONS macro must explicitly refer to the MSA. For example:

FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')

The key=value pairs of the DaemonPortOptions statement select optional characteristics for the sendmail daemon's ports. key can be any of the following:
By default, a system configured as described in Recipe 7.1 offers authentication, but it does not require it. A simple telnet test of a system running the basic AUTH configuration from Recipe 7.1 shows this:

# telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
ehlo localhost
250-chef.wrotethebook.com Hello IDENT:QQqOd8VZzdwOiABzBr3HvETLtxcEaPg1@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
MAIL From:<craig@chef.wrotethebook.com>
250 2.1.0 <craig@chef.wrotethebook.com>... Sender ok
RCPT TO:<craig@rodent.wrotethebook.com>
250 2.1.5 <craig@rodent.wrotethebook.com>... Recipient ok
QUIT
221 2.0.0 chef.wrotethebook.com closing connection
Connection closed by foreign host.

The default configuration advertises the AUTH extension, but it allows the mail transaction to continue even though the connecting host does not authenticate itself. This is not just the default; it is also a requirement of the AUTH standard. If a mail system is advertised to the outside world, it cannot require authentication. Specifically, mail exchangers are forbidden to require authentication. The reason is simple: MX records advertise the mail exchanger as available for mail delivery, and it cannot then refuse the mail for which it advertises. Only mail hosts that are not advertised to the outside world are permitted to require authentication. An example of such a system is a corporate mail relay located behind a firewall. This recipe could be used on such a system. Rerunning the telnet test after the DaemonPortOptions modifier is installed shows the following result:

# telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
ehlo localhost
250-chef.wrotethebook.com Hello IDENT:DXXGyJYPz7FDqe1dqRJVCgvxLAaoFgWP@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
MAIL From:<craig@chef.wrotethebook.com>
530 5.7.0 Authentication required
QUIT
221 2.0.0 chef.wrotethebook.com closing connection
Connection closed by foreign host.

In this case, when the connecting host attempts to start a mail transaction without authenticating, sendmail rejects the MAIL command with a 530 "Authentication required" error. Note that M=a only enforces that the client authenticates; which mechanisms are accepted is still governed by the AUTH configuration from Recipe 7.1, so the listener is only as strong as the weakest mechanism it offers. The limitation of the DAEMON_OPTIONS macro is that it applies to all inbound connections on that port. If more flexibility is required by your configuration, see Recipe 7.9.

See Also

Recipe 7.1 and Recipe 7.2 cover basic AUTH configuration. The sendmail book covers the DAEMON_OPTIONS macro in Section 24.9.24. See TCP/IP Network Administration, Third Edition, by Craig Hunt (O'Reilly), for information on well-known ports and the /etc/services file.
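The two telnet tests above can be turned into a repeatable check. The following Python script is an added example for this recipe, not code from the cookbook or from sendmail: evaluate_session() classifies a captured EHLO / MAIL FROM dialogue (the two sample transcripts are constructed from the sessions above, with the IDENT strings dropped), and check_live() runs the same probe against a real listener with the standard library's smtplib. The host name and sender address used by check_live() are placeholders.

```python
"""Check whether an SMTP listener requires AUTH before accepting MAIL FROM.

Added example for this recipe (not sendmail's own code).  evaluate_session()
classifies a captured dialogue; check_live() runs the same EHLO / MAIL FROM
probe against a real host with smtplib.  The sample transcripts below are
constructed from the telnet sessions in the recipe; the host name and sender
address used by check_live() are placeholders.
"""
import re
import smtplib
import sys

# Constructed server-side reply lines: the EHLO reply followed by the reply
# to an unauthenticated MAIL FROM.  First sample: listener with M=a set.
SAMPLE_REQUIRED = """\
250-chef.wrotethebook.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP
530 5.7.0 Authentication required
"""

# Second sample: default Recipe 7.1 listener, AUTH offered but not enforced.
SAMPLE_OPTIONAL = """\
250-chef.wrotethebook.com Hello localhost [127.0.0.1], pleased to meet you
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP
250 2.1.0 <craig@chef.wrotethebook.com>... Sender ok
"""

# One EHLO keyword line: "250-KEYWORD param param" or the final "250 KEYWORD".
EHLO_LINE = re.compile(r'^250[- ]([A-Za-z0-9][A-Za-z0-9-]*)(?: (.*))?$')


def parse_ehlo(lines):
    """Map EHLO keywords (upper-cased) to their parameter lists."""
    features = {}
    for line in lines:
        m = EHLO_LINE.match(line)
        if m:
            features[m.group(1).upper()] = (m.group(2) or '').split()
    return features


def evaluate_session(transcript):
    """Classify a captured dialogue (EHLO reply, then the MAIL FROM reply).

    Returns the advertised AUTH mechanisms, the MAIL FROM status code, and
    whether the listener enforced AUTH (530 5.7.0 before authentication).
    """
    lines = [l.rstrip('\r') for l in transcript.splitlines() if l.strip()]
    # The EHLO reply is a run of '250-' lines closed by the first '250 ' line;
    # lines[0] is the greeting ("Hello ..."), not a keyword.
    end = next((i for i, l in enumerate(lines) if l.startswith('250 ')), None)
    if end is None:
        raise ValueError('no terminating "250 " line in EHLO reply')
    features = parse_ehlo(lines[1:end + 1])
    mail_reply = lines[end + 1] if len(lines) > end + 1 else ''
    code = int(mail_reply[:3]) if mail_reply[:3].isdigit() else None
    return {
        'auth_mechs': features.get('AUTH', []),
        'mail_from_code': code,
        'auth_required': mail_reply.startswith('530 5.7.0'),
    }


def check_live(host, port=25, sender='postmaster@example.com', timeout=10):
    """Probe a real listener: EHLO, then MAIL FROM without authenticating.

    A listener configured with M=a answers the MAIL command with 530 5.7.0;
    one that merely offers AUTH answers 250.  Nothing is delivered either way.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        mechs = smtp.esmtp_features.get('auth', '').split()
        code, msg = smtp.mail(sender)
        return {
            'auth_mechs': mechs,
            'mail_from_code': code,
            'auth_required': code == 530 and msg.startswith(b'5.7.0'),
        }


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else 'localhost'
    verdict = check_live(target)
    print(f"{target}: AUTH {' '.join(verdict['auth_mechs']) or '(not advertised)'}; "
          f"MAIL FROM -> {verdict['mail_from_code']}; "
          f"{'enforced' if verdict['auth_required'] else 'NOT enforced'}")
```

Run it as `python3 check_auth.py relay.example.com` from a host that is allowed to reach port 25 on the relay; an "enforced" verdict corresponds to the 530 reply in the second telnet session, "NOT enforced" to the 250 in the first. Because the probe never sends RCPT TO or DATA, it is safe to run against a production relay.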