A server offers authentication by presenting the AUTH keyword to the connecting site, following that with the types of mechanisms supported:

    250-host.domain Hello some.domain, pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5        ← note this line
    250-DELIVERBY
    250 HELP

If the connecting site wishes to authenticate itself, it replies with an AUTH command indicating the type of mechanism preferred:

    AUTH X5                                                               ← client sends
    504 Unrecognized authentication type.                                 ← server replies
    AUTH CRAM-MD5                                                         ← client sends
    334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=      ← server replies
    ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==                  ← client sends
    235 Authentication successful.                                        ← server replies

Here, the client first asks for X5 authentication, which the server rejects. The client next asks for CRAM-MD5. The server says it can support that by replying with a 334 followed by a challenge string. The client replies to the challenge with an appropriate reply string, and the authentication is successful (as shown in the last line).

If authentication is successful, this ${auth_authen} macro is assigned the authentication credentials that were approved as its value. The form of the credentials depends on the encryption used. It could be a simple username (such as bob), or a username at a realm (such as bob@some.domain).

The client can then offer a different user, rather than the envelope sender, to authenticate on behalf of the envelope sender. This is done by adding an AUTH= parameter to the MAIL FROM: keyword:

    MAIL FROM: <user@host.domain> AUTH=address

The address is assigned to the ${auth_author} macro, and the trust_auth rule set (Section 10.9.4) is called to make further policy decisions, with the AUTH= parameter in its workspace. The ${auth_authen} macro is useful for adding your own rules to the Local_trust_auth rule set.

${auth_authen} is transient. If defined in the configuration file or on the command line, that definition can be ignored by sendmail. Note that a $& prefix is necessary when you reference this macro in rules (that is, use $&{auth_authen}, not ${auth_authen}).
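
To show what the CRAM-MD5 challenge and reply strings in the exchange above carry, and where the username that ends up as the authenticated identity comes from, here is an added Python example (not from the original text and not sendmail's own code). The function names and the secret are assumptions made for illustration; the text gives no shared secret, so the round trip uses a constructed one.

```python
import base64
import hashlib
import hmac

# Challenge and reply strings copied from the exchange above.
CHALLENGE_B64 = "PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4="
RESPONSE_B64 = "ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ=="


def parse_response(response_b64):
    """Split a base64 CRAM-MD5 reply into (username, hex digest)."""
    decoded = base64.b64decode(response_b64, validate=True).decode("utf-8")
    # The reply is "<user> <32 hex digits>"; split on the last space.
    user, _, digest = decoded.rpartition(" ")
    if not user or len(digest) != 32:
        raise ValueError("malformed CRAM-MD5 response")
    return user, digest.lower()


def make_response(user, secret, challenge_b64):
    """Client side: HMAC-MD5 of the decoded challenge, keyed with the secret."""
    challenge = base64.b64decode(challenge_b64, validate=True)
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode("ascii")


def verify(response_b64, challenge_b64, secrets):
    """Server side: return the authenticated username, or None on failure."""
    try:
        user, digest = parse_response(response_b64)
    except ValueError:  # also covers bad base64 and bad UTF-8
        return None
    secret = secrets.get(user)
    challenge = base64.b64decode(challenge_b64, validate=True)
    # Compute an HMAC even for unknown users, then compare in constant time.
    expected = hmac.new(secret or b"\0", challenge, hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected.encode(), digest.encode())
    return user if (ok and secret is not None) else None


if __name__ == "__main__":
    print(base64.b64decode(CHALLENGE_B64).decode())  # the server's challenge
    print(parse_response(RESPONSE_B64))              # username and digest
    secrets = {"fred": b"constructed-secret"}        # constructed sample secret
    reply = make_response("fred", secrets["fred"], CHALLENGE_B64)
    print(verify(reply, CHALLENGE_B64, secrets))     # identity the server accepts
```

The password never crosses the wire, but the username in the reply is only base64-encoded, and the server must hold the shared secret in a form it can key the HMAC with.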