Recipe 7.3 Storing AUTH Credentials in the authinfo File

Problem

Security requirements make it necessary for you to store AUTH authentication credentials in a file separate from the access database.

Solution

Create the /etc/mail/authinfo file. Store the client's authentication credentials in that file using the same AuthInfo: tag used in the access database. Make sure that the authinfo text file and database are not readable by anyone except root.

Add the authinfo feature to the sendmail configuration. Here are the lines that should be added to the sendmail configuration:

 dnl Use the authinfo database for AUTH credentials
 FEATURE(`authinfo')

Following the guidance of Recipe 1.8, rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail, and restart sendmail.

Discussion

An alternative to defining the AUTH credentials in the access database is to define the credentials in a separate file named /etc/mail/authinfo. The primary reason for doing this is file security. AUTH passwords are stored in the access database and in the authinfo file as clear text. Because the access database holds a wide variety of information, there is a remote possibility that you might grant multiple users read access to that file. If, for some reason, you do grant users other than root read access to the access database, move the AuthInfo: entries from the access database to the authinfo file, and add the authinfo feature to the sendmail configuration. The authinfo feature simply tells sendmail to look up authentication credentials in the authinfo database instead of in the access database. Here is an example of creating an authinfo file:

 # cd /etc/mail
 # cat > authinfo
 AuthInfo:chef.wrotethebook.com "U:crab" "I:crab" "P:It'sasecret!" "R:wrotethebook.com" "M:DIGEST-MD5"
 Ctrl-D
 # makemap hash authinfo < authinfo
 # chmod 600 authinfo authinfo.db

Entries in the authinfo database are the standard AuthInfo: entries used in the access database. The entries have the same format and contain the same information. The Discussion section of Recipe 7.2 provides details of the AuthInfo: entry format.

Using this recipe's configuration, run the sendmail -Am -v -t test shown in the Discussion of Recipe 7.2. Again the message:

 235 2.0.0 OK Authenticated 

is displayed, indicating that sendmail successfully authenticated the local host to the remote system without using the access database. You can prove the access database was not used with a simple sendmail -bt test:

 # sendmail -bt
 ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
 Enter <ruleset> <address>
 > /map access AuthInfo:rodent.wrotethebook.com
 Map named "access" not found
 > /map authinfo AuthInfo:rodent.wrotethebook.com
 map_lookup: authinfo (AuthInfo:chef.wrotethebook.com) returns "U:crab" "I:crab" "P:It'sasecret!" "R:wrotethebook.com" "M:DIGEST-MD5" (0)
 > /quit

This test shows that the access database does not exist, yet the system was successfully authenticated. Clearly this is because the AuthInfo: entries are stored in the authinfo database. Of course, this is just an example. On a real system, you will have both the access database and the authinfo database. The only reasons to use the authinfo database are to separate the authentication data from the other data already stored in the access database and to secure that data so that the clear text passwords it contains cannot be easily read. In the example above, we were only able to read the authinfo database because we ran the sendmail -bt command as root.
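As an added example, not taken from the cookbook or from sendmail itself, the following POSIX shell script checks a candidate authinfo text file against the AuthInfo: entry shape shown above (the field letters U, I, P, R and M are those in the page's example; other field forms described in Recipe 7.2 are not accepted by this lint), builds the map with makemap only when that tool is installed, and then confirms that neither the text file nor the .db file keeps any group or other permission bits. The directory, hostname and credentials are constructed placeholders, and the demonstration at the bottom writes to a scratch directory rather than /etc/mail.

```shell
#!/bin/sh
# Added example (not Sendmail Cookbook code): lint an authinfo text file,
# build the map if makemap exists, and verify the files are mode 600.
# All hostnames, paths and credentials below are constructed placeholders.

# Shape of every AuthInfo: line shown on the page: the lookup key, then
# one or more quoted "X:value" fields where X is U, I, P, R or M.
AUTHINFO_RE='^AuthInfo:[^[:space:]"]+([[:space:]]+"[UIPRM]:[^"]*")+[[:space:]]*$'

# authinfo_lint FILE: return 0 when every non-blank, non-comment line
# matches AUTHINFO_RE; otherwise report each bad line number and return 1.
authinfo_lint() {
    file=$1; lineno=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq "$AUTHINFO_RE"; then
            echo "$file:$lineno: malformed AuthInfo: entry" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# authinfo_mode_ok FILE: return 0 when FILE carries no group/other bits
# (what chmod 600 leaves behind). ls -l is used so this works on both
# GNU and BSD userlands, where stat's flags differ.
authinfo_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# authinfo_owner FILE: print the owning user name.
authinfo_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# build_authinfo_map DIR: lint DIR/authinfo, build DIR/authinfo.db when
# makemap is available, then force mode 600 on both files and verify it.
build_authinfo_map() {
    dir=$1
    authinfo_lint "$dir/authinfo" || return 1
    if command -v makemap >/dev/null 2>&1; then
        makemap hash "$dir/authinfo" < "$dir/authinfo"
    else
        echo "makemap not found; skipping map build" >&2
    fi
    for f in "$dir/authinfo" "$dir/authinfo.db"; do
        [ -e "$f" ] || continue
        chmod 600 "$f"
        authinfo_mode_ok "$f" || { echo "$f: still readable by others" >&2; return 1; }
        # Ownership is reported but not enforced so the script can be
        # exercised outside /etc/mail by a non-root user.
        [ "$(authinfo_owner "$f")" = root ] || echo "$f: owned by $(authinfo_owner "$f"), not root" >&2
    done
}

# Demonstration against a scratch directory, not /etc/mail.
demo_dir=$(mktemp -d)
cat > "$demo_dir/authinfo" <<'EOF'
# constructed sample entry; not real credentials
AuthInfo:chef.example.com "U:crab" "I:crab" "P:It'sasecret!" "R:example.com" "M:DIGEST-MD5"
EOF
build_authinfo_map "$demo_dir" && echo "authinfo in $demo_dir is well-formed and locked down"
```

Run it as root from a copy of the real directory once the lint passes; the mode check is the part worth keeping in a deployment script, since a map rebuilt by hand with makemap is created with the caller's umask rather than with the 600 mode this recipe requires.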

This recipe assumes that the system has the necessary SASL support. If your system does not, see the Introduction for information on obtaining the SASL libraries, and see Recipe 1.5 for information on recompiling sendmail with SASL support before attempting to implement this recipe.

See Also

Recipe 7.2 provides an alternative way to configure AUTH credentials, which should be evaluated before implementing this recipe. Recipe 7.2 also provides information about the format and content of AuthInfo: entries. Recipe 1.5 covers compiling sendmail with SASL support, and Chapter 1 provides general information about compiling sendmail. The sendmail book covers the AuthInfo: tag in Section 10.9.3.2 and the authinfo feature in Section 10.9.3.



Sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt