Recipe 7.5 Using AUTH to Permit Relaying

Problem

You have been asked to configure a mail relay host that cannot rely on IP addresses or hostnames to grant relaying privileges.

Solution

Compile sendmail with AUTH support as described in Recipe 1.5. Install and configure SASL as described in the chapter Introduction and in Recipe 7.1.

Add the TRUST_AUTH_MECH macro to the sendmail configuration to list the authentication mechanisms trusted to authorize relaying. Here is a sample TRUST_AUTH_MECH macro that could be added to the sendmail configuration:

 dnl List mechanisms trusted to authorize relaying
 TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')

Build the new sendmail configuration file, copy it to /etc/mail/sendmail.cf , and restart sendmail with the new configuration. See the example in Recipe 1.8.

Discussion

AUTH authentication sets a variety of macros that can be examined by sendmail and used inside sendmail.cf rulesets. (Several of these macros are discussed in the chapter Introduction.) However, AUTH authentication does not, by itself, grant relaying privileges. An authenticated host that is not granted relaying privileges by traditional means will have its mail rejected by sendmail if it attempts to relay mail. The following excerpt from an SMTP exchange shows this:

 235 2.0.0 OK Authenticated
 >>> MAIL From:<craig@chef.wrotethebook.com> SIZE=96 AUTH=craig@chef.wrotethebook.com
 250 2.1.0 <craig@chef.wrotethebook.com>... Sender ok
 >>> RCPT To:<craig@crab.wrotethebook.com>
 550 5.7.1 <craig@crab.wrotethebook.com>... Relaying denied

The 235 response shows that the connecting host has been successfully authenticated. The 550 response shows that, regardless of authentication, the host is not granted relaying privileges.

Use the TRUST_AUTH_MECH macro to permit relaying by AUTH-authenticated clients. The TRUST_AUTH_MECH macro adds the $={TrustAuthMech} class to the sendmail.cf file and defines the values for that class. The TRUST_AUTH_MECH example shown in the Solution section adds the following line to the sendmail.cf file:

 C{TrustAuthMech}DIGEST-MD5 CRAM-MD5 

The $={TrustAuthMech} class is used in the Rcpt_ok ruleset to authorize relaying. This test is added to the standard group of relaying tests. A host that is granted relaying privileges based on its IP address or hostname is allowed to relay even if it is not authenticated by AUTH. A host that would normally be denied relaying, however, is allowed to relay if it is authenticated by AUTH using one of the mechanisms listed in the $={TrustAuthMech} class. A client that authenticates with a mechanism that is not listed in the class is treated exactly like an unauthenticated client for relaying purposes.
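The following Python is an added example, not code from the book or from sendmail itself. It models the order of relaying tests just described: local recipients are always accepted, a client relayed by address needs no AUTH, and any other client relays only when ${auth_type} is a member of $={TrustAuthMech}. The sendmail.cf excerpt is constructed from the Solution's macro, and the relay-client address 192.168.0.3 and the PLAIN attempt are constructed to show the two cases the recipe implies but does not print.

```python
"""Model of the RCPT TO relaying tests once TRUST_AUTH_MECH is in play.

Added example, not sendmail's own ruleset code. The sendmail.cf excerpt is
constructed from the Solution's .mc fragment; the relay-client address and
the PLAIN attempt are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sendmail.cf excerpt: the C{TrustAuthMech} line is the one the
# Solution's TRUST_AUTH_MECH macro emits; Cw names the host's own domains.
SAMPLE_CF = """\
Cwlocalhost rodent.wrotethebook.com
C{TrustAuthMech}DIGEST-MD5 CRAM-MD5
"""


def parse_class(cf_text: str, name: str) -> set[str]:
    """Collect members of sendmail class $={name} (or $=x for one-letter names).

    Members are whitespace-separated and a class may span several C lines.
    """
    forms = [r"\{" + re.escape(name) + r"\}"]
    if len(name) == 1:                      # one-letter classes may omit braces
        forms.append(re.escape(name))
    pattern = re.compile(r"^C(?:" + "|".join(forms) + r")\s*(.*)$", re.MULTILINE)
    members: set[str] = set()
    for match in pattern.finditer(cf_text):
        members.update(match.group(1).split())
    return members


@dataclass(frozen=True)
class Session:
    """Connection state the relaying tests examine."""
    client_addr: str        # connecting client's IP address
    auth_type: str = ""     # ${auth_type}: mechanism that succeeded, "" if none
    auth_authen: str = ""   # ${auth_authen}: authenticated identity, "" if none


def rcpt_decision(session: Session, rcpt: str, local_domains: set[str],
                  relay_clients: set[str], trust_auth_mech: set[str]) -> str:
    """Return the reply to RCPT TO:<rcpt>.

    Simplified model of Rcpt_ok: mail for a local domain is always accepted;
    a client granted relaying by IP address relays with or without AUTH; any
    other client relays only if it authenticated with a mechanism that is a
    member of $={TrustAuthMech}.
    """
    domain = rcpt.rpartition("@")[2].lower()
    if domain in local_domains:
        return f"250 2.1.5 <{rcpt}>... Recipient ok"
    if session.client_addr in relay_clients:
        return f"250 2.1.5 <{rcpt}>... Recipient ok"
    if session.auth_type and session.auth_type.upper() in trust_auth_mech:
        return f"250 2.1.5 <{rcpt}>... Recipient ok"
    return f"550 5.7.1 <{rcpt}>... Relaying denied"


def run_cases() -> dict[str, str]:
    """Replay the situations the Discussion describes, plus the PLAIN caveat."""
    trusted = parse_class(SAMPLE_CF, "TrustAuthMech")
    local = parse_class(SAMPLE_CF, "w")
    relay_clients = {"192.168.0.3"}     # constructed: a host relayed by address
    chef = "192.168.0.8"                # chef's address from the transcript
    rcpt = "craig@crab.wrotethebook.com"
    cases = {
        "unauthenticated chef": Session(chef),
        "chef via DIGEST-MD5": Session(chef, "DIGEST-MD5", "chef"),
        "chef via CRAM-MD5": Session(chef, "CRAM-MD5", "chef"),
        "chef via PLAIN (not trusted)": Session(chef, "PLAIN", "chef"),
        "address-relayed host, no AUTH": Session("192.168.0.3"),
    }
    results = {name: rcpt_decision(s, rcpt, local, relay_clients, trusted)
               for name, s in cases.items()}
    results["local recipient, no AUTH"] = rcpt_decision(
        Session(chef), "craig@rodent.wrotethebook.com", local, relay_clients, trusted)
    return results


if __name__ == "__main__":
    for name, reply in run_cases().items():
        print(f"{name:32} {reply}")
```

Running the block prints one reply per case: the unauthenticated and PLAIN-authenticated attempts from chef get 550 Relaying denied, while DIGEST-MD5, CRAM-MD5, the address-relayed host and the local recipient get 250 Recipient ok. The PLAIN case is the check worth remembering when you choose the mechanisms for TRUST_AUTH_MECH: a successful AUTH with an unlisted mechanism changes nothing about relaying.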

The "Relaying denied" error shown at the start of this discussion occurred when chef attempted to relay mail addressed to crab through rodent. rodent is not configured to allow any relaying from external clients. After the TRUST_AUTH_MECH macro was added to the configuration on rodent, mail sent from chef to crab through rodent produced a different result, as the test below shows:

 # sendmail -Cauth.cf -v -t
 To: craig@crab.wrotethebook.com
 From: craig@chef.wrotethebook.com
 Subject: Relay test with auth

 Please ignore
 .
 Ctrl-D
 craig@crab.wrotethebook.com... Connecting to rodent.wrotethebook.com. via relay...
 220 rodent.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Wed, 8 Jan 2003 19:14:35 -0500
 >>> EHLO chef.wrotethebook.com
 250-rodent.wrotethebook.com Hello IDENT:ntwzejGL8kWjSvERN8B101kmvotCXzx9@chef [192.168.0.8], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250-SIZE
 250-DSN
 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
 250 HELP
 >>> AUTH DIGEST-MD5 =
 334 bm9uY2U9ImdScXZhVjVxYkpVdjJvU3FGWnR2UXJtR2hFhtPW1kNS1zZXNz
 >>> dXNlcm5hbWU9ImNoZWYiLHJlYWxtPSJ3cm90ZXRoZWJvb2YWMwZDIxM2QyYmE2MTVmZjY5
 334 cnNwYXV0aD0zNzg3ZGI3N2E0M2YyYzhhMDdkZGRiYjg5N2NjNDkxOQ==
 >>>
 235 2.0.0 OK Authenticated
 >>> MAIL From:<craig@chef.wrotethebook.com> SIZE=96 AUTH=craig@chef.wrotethebook.com
 250 2.1.0 <craig@chef.wrotethebook.com>... Sender ok
 >>> RCPT To:<craig@crab.wrotethebook.com>
 250 2.1.5 <craig@crab.wrotethebook.com>... Recipient ok
 >>> DATA
 354 Enter mail, end with "." on a line by itself
 >>> .
 250 2.0.0 h090EZh01410 Message accepted for delivery
 craig@crab.wrotethebook.com... Sent (h090EZh01410 Message accepted for delivery)
 Closing connection to rodent.wrotethebook.com.
 >>> QUIT
 221 2.0.0 rodent.wrotethebook.com closing connection

For this test, a special AUTH configuration (auth.cf) was created on chef that defined rodent as the SMART_HOST relay. Without this special configuration, chef would simply deliver the mail directly to crab, and the point of the test is to exercise relaying through rodent.

In this case, chef is authenticated using the DIGEST-MD5 mechanism. This mechanism is listed in the $={TrustAuthMech} class on rodent. Therefore, rodent accepts mail from chef for relaying.

See Also

Recipe 7.1 and Recipe 7.4 provide additional AUTH configuration examples. How relaying is controlled through the traditional means of IP address and hostname is covered in Chapter 3, and the SMART_HOST define is discussed in Recipe 3.2. The sendmail book covers AUTH configuration in Section 10.9 and the TRUST_AUTH_MECH macro in Section 10.9.3.



sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt