Translate

Arm Ukraine, zap Putin

Stolen Votes

berklix.com logo

berklix.org logo

No Cookies

Flag UK DE

BSD-PIE

BSD

GNU

Linux

No Tracking

Disclaimer

IBU

Consol

Configuring a FreeBSD client & server to use SASL Auth for client to identify itself to server to send outgoing mail to proxy smart mailer.

eg to smtprelay.berklix.org

http://www.berklix.com/~jhs/txt/sasl.html

SASL = Simple Authentication and Security Layer

by Julian H. Stacey

INDEX

To Index

SASL-1 or SASL-2

I used SASL-1 when I first wrote this page. Later I switched to SASL-2 & appended specific notes for it Nov./Dec. 2012 I keep both sets of info here for now, as:
  • I don't [yet] have time to strip SASL1 from the page .
  • I might need SASL1 if I have to rescue some old customer config.
  • Someone else on a rescue might similarly need SASL1 notes.
  • Better if I delay stripping SASL1 till later.
However, if you'r new to SASL, Use & read SASL-2, not SASL1

See Also

Configuration Files
  • /usr/share/sendmail/cf/README <- /usr/src/contrib/sendmail/cf/README
  • /usr/lib/sasl/saslpasswd.conf ->
      ../../../site/usr/lib/sasl/saslpasswd.conf
    /usr/local/lib/sasl2/saslpasswd.conf ->
      ../../../../site/usr/local/lib/sasl2/saslpasswd.conf ->
      ../../../lib/sasl/saslpasswd.conf
  • /usr/local/lib/sasl/Sendmail.conf ->
      ../../../../site/usr/lib/sasl/Sendmail.conf
    /usr/local/lib/sasl2/Sendmail.conf ->
      ../../../../site/usr/lib/sasl/Sendmail.conf
    /usr/ports/security/cyrus-sasl2/files/Sendmail.README
External Links

To Index

Do This On The Local Gateway
( = the local gateway that sends mail via SMTP protocol to the Smart Relay Host remote on the Internet).

Do this on the local gateway that is probably intermittently connected via DSL, ISDN or modem, that is probably allocated a temporary dynamic IP number valid only for the duration of the connection). Your local gateway's intent is then to send mail up to a permanently connected Smart Host, for later onward relay. Your local gateway identifies itself to the remote smart host by using SASL, to show entitlement to be relayed.

Add to /etc/make.conf something like

.include " /etc/make.conf.sasl" 
.if exists ( /usr/local/include/sasl )      #{
SENDMAIL_CFLAGS+=   -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+=  -L/usr/local/lib
SENDMAIL_LDADD+=    -lsasl2
.endif                      #}

(Next bit might not be (**) necessary on client side, just on server:)

Install cyrus-sasl:

Configure sendmail to know access methods to identify itself to server end.
**: probably is necessary cos if one runs
pkg_delete cyrus-sasl-2.1.22_1 cyrus-sasl-saslauthd-2.1.22 (I don't use it on local gate or remote servers @ 2013-07) ; cd /etc/mail; xs make clean ; xs make ; xs make start
One gets:
Shared object "libsasl2.so.2" not found, required by "sendmail"
sendmail-clientmqueue/libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "sendmail"
cd /usr/src/etc/sendmail
make cleandir ; make clean ; make cleandepend
vi /etc/mail/sendmail.mc # or `hostname.mc`
Add:
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
You might want, but probably don't, any of a bunch of other sendmail.mc things from my (Which I use via cpp with a lot of patches to /usr/src/etc/sendmail/Makefile, to produce .mc files for lots of different hosts. (There's lot of comment in that file, not just about SASL)).
make obj ; make
Optionally (depending on Makefile)
ls -l /usr/obj/`cd
/usr/src/etc/sendmail;/bin/pwd`/`hostname`.*
foreach i ( mc cf )
diff -c /usr/obj/`cd /usr/src/etc/sendmail;/bin/pwd`/`hostname`.$i /etc/mail/`hostname`.$i
end
make install # OR
cp /usr/obj/`cd /usr/src/etc/sendmail;/bin/pwd`/`hostname`.* /etc/mail/

Check /etc/mail/sendmail.cf now has eg:

# "Smart" relay host
DSesmtp:smtprelay.berklix.org
Add one or more lines to /etc/mail/access, example:
AuthInfo:slim.berklix.org "U:jhs" "R:slim.berklix.org" "P:password" "M:DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"
Notes
Field Example Comment
Remote Smart Host slim.berklix.org A real host name (DNS `A/Address record) works for me (I haven't yet tested whether it Has to be an A record, or whether the string just needs to match the text shown by sasldblistusers: user: jhs realm: slim.berklix.org mech: DIGEST-MD5 ).
With a name (smtprelay.berklix.org) that happened to be a (DNS) C name (alias), the local client did not try to authorise to remote server.
U: jhs Need not be login name or host name, just arbitrary name. Mine works with "jhs".
R: slim.berklix.org
P: AsInSaslSDb Need not be a password used by eg login, could be unique to & only used by SASL.
M: DIGEST-MD5 CRAM-MD5 LOGIN PLAIN  

cd /etc/mail ; make ; ls -l access*

lrwxr-xr-x 1 root wheel 9 Jul 10 2004 access@ -> LN/access
-rw-r----- 1 root wheel 114688 Aug 8 18:31 access.db
lrwxr----- 1 root bin 33 May 24 14:08 LN/access@ -> ../../domain/this/etc/mail/access
Ensure passwords database is not world readable.
cd /etc/mail ; chmod 640 access.db ; chown root:wheel access.db

cd /etc/mail ; make ; make stop ; make start # Probably better than restart.

To Index

Do This On Remote Server (Smart Host)

(That Should Receive Mail From You & Further Relay It To Rest Of Internet )
Rebuild other parts of /usr/src With the extended CFLAGS now including -ldb3 various bits will fail to compile (at least on FreeBSD-4.10): 
        lib/libsmutil
lib/libsm
libexec/mail.local
libexec/smrsh
usr.bin/vacation
usr.sbin/editmap
usr.sbin/mailstats
usr.sbin/makemap
usr.sbin/praliases
usr.sbin/sendmail
To avoid that, first:
cd /usr/ports/databases/db3 ; make install
To avoid missing libsmutil and libsm libraries, either eg:
cd /usr/src/lib/libsmutil ; make clean cleandepend depend all install
cd /usr/src/lib/libsm ; make clean cleandepend depend all install
cd /usr/src/usr.sbin/sendmail ; make clean cleandepend depend all install
Or more radically:
cd /usr/src ; make cleandir ; make clean ; make cleandepend ; make all install
The above might solve the problem of host=tower currently only showing: 250-AUTH PLAIN LOGIN

cd /etc/mail ; make ; make stop ; make start # Probably better than restart.

To Index

Test On Sender ( Gateway between Internet & local net)

echo "Local test (works without SASL)" ; date | mail postmaster@remote_relay_smart_host
echo "Remote test (needs SASL)" ; date | mail someone@some_host_beyond_smarthost

To Index

Verify

  • Check SASL is compiled in,

    sendmail -d0.1 < /dev/null

    4.10 (host=mart, local client) Sample output (notice SASL is there (does it need to be ?):
    Version 8.12.11
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
    6-1 (host=park, local client) Sample output (After recompiling & Installing:
    Version 8.13.6
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
    4.10 (host=slim, remote smtprelay.berklix.org) Sample output (notice SASL is there, needs to be)
    Version 8.12.11
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

    Notice sendmail version numbers too (as so much SASL & Sendmail documentation re. options is version number dependent)

    FreeBSD Sendmail
    6.1 8.13.6
    5.3 8.13.1
    4.10 8.12.11
  • telnet smtprelay.berklix.org smtp
    You type:
    EHLO local-gate.net
    (Where local-gate.net could be any string your local gateway chooses [optionally to masquerade ] as your as sending domain name).
    It responds
    250-slim. berklix.org Hello p549A79B0.dip.t-dialin.net [84.154.121.176], pleased to meet you
    250-AUTH DIGEST-MD5 PLAIN LOGIN
    You type
    AUTH DIGEST-MD5
    It responds with about 200 bytes of hex string
    quit

To Index

Debug

  • Not sure if this helps, but ...)
    On local gateway client: edit /etc/syslog.conf from
    mail.info /var/log/maillog
    to
    mail.debug /var/log/maillog
    & trigger a rescan:
    kill -HUP 646 `cat /var/run/syslog.pid`
  • On local gateway client: Kill background sendmail (not the one marked as Queue runner, but other one). Then run sendmail with extra debug flags:
    /usr/sbin/sendmail -bD -d13 -O LogLevel=14 -N failure,delay,success
    -bD runs in foreground
    -d13 set the LogLevel
    -O LogLevel=14 set the LogLevel
    -N failure,delay,success Maximise feedback
  • Run 2 xterms, one on local gateway & 1 on remote Smarthost, running
    tail -F /var/log/maillog
  • Look for error symptoms
    • On remote server:
      < MAIL From:<local_user@local-gate.net> SIZE=377 AUTH=<>
      Sep 13 09:57:53 slim sm-mta[52439]: k8D7vrBQ052439: --- 250 2.1.0 <local_user@local-gate.net>... Sender ok
      <-- RCPT To:<remote@destination. com>
      --- 550 5.7.1 <remote@destination. com>... Relaying denied. Proper authentication required.
      ruleset=check_rcpt, arg1=<remote@destination. com>, relay=p549A643D.dip.t-dialin.net [84.154.100.61], reject=550 5.7.1 <remote@destination. com>... Relaying denied. Proper authentication required.
    • On local client gateway:
      • In /var/log/maillog an empty mech= :
        AUTH=client, relay= slim.berklix.org., mech= , bits=0
      • In mail with:
        To: root@local_gateway_sasl_client
        Subject: Cron <root@local_gateway_sasl_client> periodic daily
        #if SASL
        ...
        "Warning: Option: %s requires SASL support (-DSASL)\n"
        From /usr/src/contrib/sendmail/src/readcf.c

To Index

Good Examples

/var/log/maillog Each line begins: Date Time hostname sm-mta[Process ID] (Note, particularly on remote smart host, sometimes different PID lines get interleaved, indicating several jobs running in parallel simultaneously).

On Local Gateway, To Remote Smart Host

k04DRJls021661: --- 050 <remote@destination.com> Connecting to smtprelay2.berklix.org via esmtp...
k04DRJls021661: SMTP outgoing connect on p549A63B3.dip.t-dialin.net
AUTH=client, realm=tower.berklix.org, available realms=<No Realms>
AUTH=client, relay=smtprelay2.berklix.org, mech=DIGEST-MD5, bits=128
k04DRJls021661: --- 050 <remote@destination. com> Sent (k04DRNos040492 Message accepted for delivery)
k04DRJls021661: to=<remote@destination. com> delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=30594, relay=smtprelay2.berklix.org [my.old.ip.v4], dsn=2.0.0, stat=Sent (k04DRNos040492 Message accepted for delivery)
k04DRJls021661: done; delay=00:00:06, ntries=1 NOQUEUE: --- 050 Closing connection to smtprelay2.berklix.org

On Remote Smart Host

Notes debugging with SASL2, Looking on smart server in /var/mail/maillog

  • AUTH: available mech=SCRAM-SHA-1 DIGEST-MD5 OTP CRAM-MD5 NTLM LOGIN PLAIN ANONYMOUS,

  • /var/log/maillog: "allowed mech"
    /etc/mail/sendmail.cf:
    • "list of authentication mechanisms"
    • "O AuthMechanisms="
    Server SLIM OK___: ________ GSSAPI ___________ DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
    Server LAND Fails: EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 _____ _____
NOQUEUE: connect from p549A63B3.dip.t-dialin.net [84.154.99.179]
AUTH: available mech=LOGIN PLAIN ANONYMOUS DIGEST-MD5 CRAM-MD5, allowed mech=GSSAPI DIGEST-MD5 PLAIN LOGIN
k04DRNor040492: Milter: no active filter
k04DRNor040492: --- 220 tower. berklix.org ESMTP Sendmail 8.12.9p2/8.12.9; Wed, 4 Jan 2006 14:27:23 +0100 (CET)
k04DRNor040492: <-- EHLO local-gate.net
k04DRNor040492: --- 250-tower. berklix.org Hello p549A63B3.dip.t-dialin.net [84.154.99.179], pleased to meet you
k04DRNor040492: --- 250-ENHANCEDSTATUSCODES
k04DRNor040492: --- 250-PIPELINING
k04DRNor040492: --- 250-8BITMIME
k04DRNor040492: --- 250-SIZE
k04DRNor040492: --- 250-DSN
k04DRNor040492: --- 250-ETRN
k04DRNor040492: --- 250-AUTH DIGEST-MD5 PLAIN LOGIN
k04DRNor040492: --- 250-DELIVERBY
k04DRNor040492: --- 250 HELP
k04DRNor040492: <-- AUTH DIGEST-MD5 =
k04DRNor040492: --- 334 bm9uY2U....................
k04DRNor040492: --- 334 cnNwYXV....................
k04DRNor040492: --- 235 2.0.0 OK Authenticated
AUTH=server, relay=p549A63B3.dip.t-dialin.net [84.154.99.179], authid=jhs, mech=DIGEST-MD5, bits=128
k04DRNor040492: <-- EHLO local-gate.net
k04DRNos040492: --- 250-tower. berklix.org Hello p549A63B3.dip.t-dialin.net [84.154.99.179], pleased to meet you
k04DRNos040492: --- 250-ENHANCEDSTATUSCODES
k04DRNos040492: --- 250-PIPELINING
k04DRNos040492: --- 250-8BITMIME
k04DRNos040492: --- 250-SIZE
k04DRNos040492: --- 250-DSN
k04DRNos040492: --- 250-ETRN
k04DRNos040492: --- 250-AUTH DIGEST-MD5 PLAIN LOGIN
k04DRNos040492: --- 250-DELIVERBY
k04DRNos040492: --- 250 HELP
k04DRNos040492: <-- MAIL From:<local_user @flat. berklix.net> SIZE=594
k04DRNos040492: --- 250 2.1.0 <local_user @flat. berklix.net> Sender ok
k04DRNos040492: <-- RCPT To:<remote@destination. com>
k04DRNos040492: --- 250 2.1.5 <remote@destination. com> Recipient ok
k04DRNos040492: <-- DATA
k04DRNos040492: --- 354 Enter mail, end with "." on a line by itself
k04DRNos040492: from=<local_user@ flat. berklix.net> size=828, class=0, nrcpts=1, msgid=<200601041327.k04DRccs003279 @local-gate.net>, proto=ESMTP, daemon=IPv4, relay=p549A63B3.dip.t-dialin.net [84.154.99.179]
k04DRNos040492: --- 250 2.0.0 k04DRNos040492 Message accepted for delivery
k04DRNot040492: <-- QUIT
k04DRNot040492: --- 221 2.0.0 tower. berklix.org closing connection

To Index

SASL2

On Local Sending Client Host:
cd /etc/mail ;
touch access ;
cat >> access < EOF
AuthInfo:server1.berklix.org "U:userName" "R:server1.berklix.org" "P:password" "M:DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"
AuthInfo:server2.berklix.org "U:userName" "R:server2.berklix.org" "P:password" "M:DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"
EOF
cd /etc/mail ; make access.db
On Remote Receiving Server Host:
cd /usr/ports/security/cyrus-sasl2; make install ; rehash
sasldblistusers2
ls -l /usr/local/etc/sasldb2.db # See the size with 0 entries in.
saslpasswd2 -c -a Sendmail -u `hostname` userName
password

sasldblistusers2
ls -l /usr/local/etc/sasldb2.db # Notice size does not grow with an entry in
# output is 1 to several lines, eg: 
user1@server1.berklix.org: userPassword
user2@server2.berklix.org: userPassword
Old FreeBSD: echo /var/db/pkg/*cyrus*
/var/db/pkg/cyrus-sasl-2.1.25_2
/var/db/pkg/cyrus-sasl-saslauthd-2.1.25 (I don't use it on local gate or remote servers @ 2013-07)
New FreeBSD: pkg info | grep cyrus
cyrus-sasl-2.1.26_12 RFC 2222 SASL (Simple Authentication and Security Layer)
Old FreeBSD: pkg_info -r cyrus-sasl-saslauthd-2.1.25
# (I don't use it on local gate or remote servers @ 2013-07)
Dependency: cyrus-sasl-2.1.25_2
vi /etc/rc.conf: # Not currently used: saslauthd_enable="YES"
# (I don't use it on local gate or remote servers @ 2013-07)
echo "Not currently: cd /usr/local/etc/rc.d ; ./saslauthd start"
# (I don't use it on local gate or remote servers @ 2013-07)
cat >> /etc/make.conf << EOF
# .include "/site/domain/this/etc/make.conf"
# .include "/site/domain/this/etc/make.conf.sasl"
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
EOF
cd /usr/src/lib/libsmutil; make cleandir ; make clean ; make obj ; make
cd /usr/src/lib/libsm; make cleandir ; make clean ; make obj ; make
cd /usr/src/usr.sbin/sendmail; make cleandir ; make clean ; make obj ; make ; make install
cd /usr/local/lib/sasl2
ln -s -f ../../../../site/usr/local/lib/sasl2 LN
ln -s -f LN/saslpasswd.conf
ln -s -f LN/Sendmail.conf
cd /etc/mail ; make ; make stop ; make start
Bug: 
From: Peter Jeremy <peterj@@@FreeBSD.org>
Date: Tue, 19 Apr 2022 20:15:50 +1000
To: Hajimu UMEMOTO <ume@@@mahoroba.org
Cc: SAY@@@office.sigma-soft.ru WARNING: SITE IN .RU DOMAIN, ports@@@FreeBSD.org

On 2022-Apr-16 21:03:21 +0900, Hajimu UMEMOTO <ume@@@mahoroba.org> wrote:
>On Sun, 17 Apr 2022 05:52:27 +0900, ####### ###### ####### wrote:
>> I would like to help test if I can.
>
>No, I cannot reproduce your problem.
>As I said in my previous message, I'm using sendmail-8.17.1_3 with
>cyrus-sasl-2.1.28 without any problem.

There's a known incompatibility between cyrus-sasl-2.1.28 and
sendmail-8.17.1 that is fixed in sendmail-8.17.1.9 - see
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262935

I haven't verified that the problem still exists in
sendmail-8.17.1_3 but the problem definitely existed in
sendmail-8.17.1_2 and the only change between those versions
is the PORTREVISION.  Looking at the local patches, neither
mail/sendmail nor security/cyrus-sasl2-saslauthd include
patches that would make them compatible.

Which Smart Host

A client host with (FreeBSD 12.4-RELEASE) Sendmail with SASL2 does not just try sending to the "Smart" relay host specified by "^DS" in /etc/mail/sendmail.cf . If the smart server fails, the client also tries other "^AuthInfo" servers listed in client's /etc/mail/access .

Nice, except after breaking my specified smart relay I was confused by rejects from an alternate smart relay. Problem was reserve smart relay had not been previously repaired to accept SASL (so I hashed out the reserve in ./access on client until later).

Stolen VotesBerklix.Net Computer AssociatesDomainsApache: Web ServerFreeBSD: Operating System