Recipe 7.8 Requiring Authentication

Problem

You have an internal mail system that is not advertised to the outside world and never provides service to the outside world. You have been asked to configure that system to always require strong authentication from connecting hosts.

Solution

Create a basic AUTH configuration as described in Recipe 7.1 and Recipe 7.2.

Add to the sendmail configuration a DAEMON_OPTIONS macro that specifies the M=a modifier to require AUTH authentication. Adding the following lines requires AUTH for any connection on the SMTP port:

    dnl Require AUTH for all incoming SMTP connections
    DAEMON_OPTIONS(`Name=MTA, M=a')

Build the sendmail.cf file, copy it to /etc/mail/sendmail.cf, and restart sendmail. Use Recipe 1.8 as a guide.

Discussion

Use the DAEMON_OPTIONS macro on systems running sendmail 8.12. Prior to sendmail 8.12, daemon port options were set using the confDAEMON_OPTIONS define. confDAEMON_OPTIONS is no longer valid. Attempting to use it with a current release of sendmail produces the following build error:

    WARNING: confDAEMON_OPTIONS is no longer valid.
            Use DAEMON_OPTIONS(  ); see cf/README.

If you have an older version of sendmail that uses the confDAEMON_OPTIONS define, we recommend upgrading to a newer version of sendmail. The DAEMON_OPTIONS macro provides more configuration features.

The DAEMON_OPTIONS macro adds values to a sendmail.cf DaemonPortOptions statement or inserts a new DaemonPortOptions statement into the sendmail.cf file. A basic sendmail.cf configuration includes two DaemonPortOptions statements: one for the message submission agent (MSA) and one for the mail transfer agent (MTA). A grep of the generic-linux.cf file shows this:

    # grep DaemonPortOptions generic-linux.cf
    O DaemonPortOptions=Name=MTA
    O DaemonPortOptions=Port=587, Name=MSA, M=E

The DAEMON_OPTIONS macro in the Solution section adds a modifier to the message transfer agent DaemonPortOptions statement, creating the following sendmail.cf command:

    O DaemonPortOptions=Name=MTA, M=a

The fact that the MTA is being modified is made clear by the Name=MTA parameter. However, even if that parameter were not specified, the MTA would still have been modified, because the Port value defaults to smtp, which is the port used by the MTA. To add the a modifier to the MSA configuration, the default MSA configuration must first be removed with the no_default_msa feature, and the DAEMON_OPTIONS macro must then refer to the MSA explicitly. For example:

    FEATURE(`no_default_msa')
    DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')

The key=value pairs of the DaemonPortOptions statement select optional characteristics for the sendmail daemon's ports. key can be any of the following:


Name

An arbitrary, internal name used to identify the daemon. Two values are pre-defined: MSA for the message submission agent and MTA for the message transmission agent.


Port

The port number or the name of a well-known port defined in the /etc/services file. This defaults to smtp, which is the name for port 25 used by the MTA. The standard port used for an MSA is 587.


Addr

The IP address of the network interface on which the daemon should listen for email connections. This defaults to INADDR_ANY, which matches every network interface installed on the system, meaning that email is accepted on every network interface. If an interface is identified with the Addr key, mail is accepted only on that interface, which can have unintended consequences. For example, adding Addr=192.168.0.3 to the MTA DaemonPortOptions on the host 192.168.0.3 would mean that mail from the local host to itself would be rejected, because the localhost interface is 127.0.0.1, not 192.168.0.3.


Family

The address family, which is either inet or inet6. It defaults to inet.


Listen

The maximum number of pending connections allowed in the listen queue. The default is operating-system dependent; on our sample Linux system it is 10.


SndBufSize

The size of the TCP send buffer in bytes.


RcvBufSize

The size of the TCP receive buffer in bytes.


M

The modifier, which is a flag that selects optional behavior for the interface or port. The modifier flags are:


a

Causes sendmail to require authentication for every inbound connection.


b

Tells sendmail to bind to the interface through which the incoming mail was received when sending outgoing mail.


c

Enables hostname canonification.


f

Requires fully qualified hostnames on email addresses.


u

Permits unqualified sender addresses, meaning that the hostname part of the sender address is not required.


A

Disables AUTH authentication for this port.


C

Disables hostname canonification.


E

Disables the SMTP ETRN command.


O

Marks the socket as optional. Normally, sendmail listens on a new socket for every DaemonPortOptions statement defined in the sendmail.cf file. When O is specified, the socket is ignored if it fails to open correctly.


S

Do not allow STARTTLS on this interface. Chapter 8 covers STARTTLS.
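Before restarting sendmail, the built sendmail.cf can be checked for the modifier directly. The script below is an added example, not code from the Sendmail Cookbook: it parses the O DaemonPortOptions statements (applying the Port default of smtp described above) and reports which listeners carry the a modifier. The two sample lines it parses are constructed to match the recipe's output.

```python
"""Verify which sendmail listeners require AUTH (the M=a modifier).

Added example for Recipe 7.8, not code from the Sendmail Cookbook. It parses
the 'O DaemonPortOptions=' statements that DAEMON_OPTIONS writes into
sendmail.cf and reports which listeners require AUTH, so the built file can
be checked before sendmail is restarted.
"""
import re

# Constructed sample of the two DaemonPortOptions lines the recipe produces.
SAMPLE_CF = """\
O DaemonPortOptions=Name=MTA, M=a
O DaemonPortOptions=Port=587, Name=MSA, M=E
"""

_DPO = re.compile(r'^O\s+DaemonPortOptions=(.*)$')


def parse_daemon_port_options(cf_text):
    """Return one dict of key=value pairs per DaemonPortOptions statement.
    Port defaults to 'smtp' and M to '' when absent, as the recipe describes."""
    listeners = []
    for line in cf_text.splitlines():
        match = _DPO.match(line.strip())
        if not match:
            continue  # comments, other O options, rulesets
        opts = {'Port': 'smtp', 'M': ''}
        for pair in match.group(1).split(','):
            key, sep, value = pair.strip().partition('=')
            if sep:
                opts[key.strip()] = value.strip()
        listeners.append(opts)
    return listeners


def auth_required(cf_text):
    """Map each listener (by Name, or Port when unnamed) to True when the 'a'
    modifier is set. A conflicting 'A' (AUTH disabled) is reported as not
    requiring AUTH, so the check errs on the cautious side."""
    status = {}
    for opts in parse_daemon_port_options(cf_text):
        label = opts.get('Name', opts['Port'])
        flags = opts['M']
        status[label] = 'a' in flags and 'A' not in flags
    return status


if __name__ == '__main__':
    for name, required in auth_required(SAMPLE_CF).items():
        print(f"{name}: {'AUTH required' if required else 'AUTH optional'}")
```

Run it against the freshly built sendmail.cf (for example by reading the file into cf_text) and confirm the MTA listener reports AUTH required before copying the file into place.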

By default, a system configured as described in Recipe 7.1 offers authentication, but it does not require it. A simple telnet test of a system running the basic AUTH configuration from Recipe 7.1 shows this:

    # telnet localhost smtp
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
    ehlo localhost
    250-chef.wrotethebook.com Hello IDENT:QQqOd8VZzdwOiABzBr3HvETLtxcEaPg1@localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5
    250-DELIVERBY
    250 HELP
    MAIL From:<craig@chef.wrotethebook.com>
    250 2.1.0 <craig@chef.wrotethebook.com>... Sender ok
    RCPT TO:<craig@rodent.wrotethebook.com>
    250 2.1.5 <craig@rodent.wrotethebook.com>... Recipient ok
    QUIT
    221 2.0.0 chef.wrotethebook.com closing connection
    Connection closed by foreign host.

The default configuration advertises the AUTH protocol, but it allows the mail connection to continue even though the connecting host does not authenticate itself. This is not just the default; it is also a requirement of the AUTH standard. If a mail system is advertised to the outside world, it cannot require authentication. Specifically, mail exchangers are forbidden to require authentication. The reason is simple: MX records advertise the mail exchanger as available for mail delivery, so it cannot then refuse the mail for which it advertises.

Only mail hosts that are not advertised to the outside world are permitted to require authentication. An example of such a system might be a corporate mail relay located behind a firewall. This recipe could be used on such a system.

Rerunning the telnet test, after the DaemonPortOptions modifier is installed, shows the following result:

    # telnet localhost smtp
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
    ehlo localhost
    250-chef.wrotethebook.com Hello IDENT:DXXGyJYPz7FDqe1dqRJVCgvxLAaoFgWP@localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5
    250-DELIVERBY
    250 HELP
    MAIL From:<craig@chef.wrotethebook.com>
    530 5.7.0 Authentication required
    QUIT
    221 2.0.0 chef.wrotethebook.com closing connection
    Connection closed by foreign host.

In this case, when the connecting host attempts to start a mail dialogue without authentication, an "Authentication required" error is issued.

The limitation of the DAEMON_OPTIONS macro is that it applies to all inbound connections. If more flexibility is required by your configuration, see Recipe 7.9.

See Also

Recipe 7.1 and Recipe 7.2 cover basic AUTH configuration. The sendmail book covers the DAEMON_OPTIONS macro in Section 24.9.24. See TCP/IP Network Administration, Third Edition, by Craig Hunt (O'Reilly), for information on well-known ports and the /etc/services file.



sendmail Cookbook, by Craig Hunt (ISBN 0596004710, 2005)
