some questions on this (thanks for doing this, by the way). first of all, I'm running Red Hat Linux 7.3, pretty much out of the box (plus eratta).
On 29-Jan-02 Rodolfo J. Paiz wrote: > All: > > The following are basic instructions on enabling SMTP AUTH on a late-model > server. These instructions have been tested with Red Hat Linux 7.0 and 7.2, > using sendmail versions 8.11.0 through 8.11.6 obtained in RPM form from Red > Hat updates. > > They *should* work; however, if they don't, I will *ONLY* attempt to help > people resolve issues with SMTP AUTH on redhat-list or enigma-list, so that > everyone gets the benefit of the questions & answers. No questions in > private email will be answered. Also, note that I am not an expert so I may > not even know the answers. > > Give me feedback and I might just post this on the Web so people can get at > it more conveniently. > > Having said that... > > 1. Make sure all your clients are configured to authenticate to > the mail server. They will not be able to send mail at all if they don't. > Double-check; many people somehow check the wrong box. > > In Outlook or Outlook Express, in the section "Outgoing Mail" of each > Internet Mail account, there is a checkbox labeled "My server requires > authentication." Check that; the settings do not need to be changed since > they are the same username/password they need to get mail. > > In Eudora, every Personality has a checkbox labeled "Authentication > allowed". Eudora being somewhat more intelligent, this box is checked by > default. > > 2. Make sure you are root. If you logged in as a normal user, make > sure you became root using "su -" to get the full login environment. "su" > alone misses some things. > > 3. Backup your sendmail.mc file by: > ># cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.bak > > 4. The file /etc/mail/sendmail.mc needs to contain the following > three lines: > > define(`confAUTH_OPTIONS', `A')dnl > TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl > define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl This seems to be in the stock RH7.3 distribution > Please note these are three lines only, be careful of the word wrap. Also, > those are *directed quotes* not normal quotes. The left directed quote is > typed with the backtick or "accent grave" key (for those French among us), > and the right directed quote is typed with the apostrophe. > > 5. Backup the /etc/sendmail.cf (the file sendmail actually uses to > run) by: > ># cp /etc/sendmail.cf /etc/sendmail.cf.bak > > 6. Generate a new sendmail.cf file: > ># m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf > > 7. Copy your new sendmail.cf file over the old one: > ># cp /etc/mail/sendmail.cf /etc/sendmail.cf The generated sendmail.cf differs from the original only in some comments. > Overwrite /etc/sendmail.cf? y > > 8. Verify that you have an /etc/pam.d/smtp file with the following > contents: > >#%PAM-1.0 > auth required /lib/security/pam_stack.so service=system-auth > account required /lib/security/pam_stack.so service=system-auth it's there by default in RH7.3 > 9. Verify that you have a /usr/lib/sasl/Sendmail.conf file with > the following contents: > > pwcheck_method:pam There by default in stock RH7.3 > 10. Test that sendmail has correctly configured AUTH. Since you do > not yet have any encrypted authentication mechanisms available, the only > ones shown when you issue an EHLO command should be LOGIN and PLAIN. > ># telnet localhost 25 > Trying 127.0.0.1... > Connected to localhost. > Escape character is '^]'. > 220 dude.com ESMTP Sendmail 8.11.6/8.11.6; Tue, 29 Jan 2002 07:24:49 -0600 > ehlo localhost > 250-dude.com Hello dude.com [127.0.0.1], pleased to meet you > 250-ENHANCEDSTATUSCODES > 250-8BITMIME > 250-SIZE > 250-DSN > 250-ONEX > 250-ETRN > 250-XUSR > 250-AUTH LOGIN PLAIN > 250 HELP ok, here is where I see something different. telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 localhost.localdomain ESMTP Sendmail 8.11.6/8.11.6; Tue, 25 Jun 2002 09:52:46 +0800 ehlo localhost 250-localhost.localdomain Hello IDENT:Gx/saMUl33v+ffuKhaTs6iwrb6jWcZ3o@amnesia [127.0.0.1], pleased to meet you 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-SIZE 250-DSN 250-ONEX 250-ETRN 250-XUSR 250 HELP note that the AUTH line is not there. any hints ? > quit > 221 2.0.0 dude.com closing connection > Connection closed by foreign host. Next question. Assuming that all relaying is to be done by smtp authentication, and none by domain, are steps 10,11,12 necessary ? (i.e. /etc/mail/relay-domains is non-existant) thx, and rgds, -Greg > 10. Test removing all relaying in the access map at 2:00 AM then > trying to send mail. Do this by backing up your current /etc/mail/access > and using something like this: > ># Check the /usr/share/doc/sendmail-8.11.6/README.cf file for a description ># of the format of this file. (search for access_db in that file) ># The /usr/share/doc/sendmail-8.11.6/README.cf is part of the sendmail-doc ># package. ># ># by default we allow relaying from localhost... > localhost.localdomain RELAY > localhost RELAY > 127.0.0.1 RELAY > > 11. Ensure that your file /etc/mail/relay-domains contains *only* > the domains you host. > > 12. Ensure that your sendmail.mc does not enable relaying in funny > forms like "accept unresolvable domains", "relay by domain", or any of that > crap. An example (complete) sendmail.mc which is relay-safe is included here: > > divert(-1) > dnl This is the sendmail macro config file. If you make changes to this file, > dnl you need the sendmail-cf rpm installed and then have to generate a > dnl new /etc/sendmail.cf by running the following command: > dnl > dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf > dnl > include(`/usr/share/sendmail-cf/m4/cf.m4') > VERSIONID(`linux setup for Red Hat Linux')dnl > OSTYPE(`linux') > define(`confDEF_USER_ID',``8:12'')dnl > undefine(`UUCP_RELAY')dnl > undefine(`BITNET_RELAY')dnl > define(`confAUTO_REBUILD')dnl > define(`confTO_CONNECT', `1m')dnl > define(`confTRY_NULL_MX_LIST',true)dnl > define(`confDONT_PROBE_INTERFACES',true)dnl > define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl > define(`ALIAS_FILE', `/etc/aliases')dnl > dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl > define(`UUCP_MAILER_MAX', `2000000')dnl > define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl > define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl > define(`confAUTH_OPTIONS', `A')dnl > TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl > define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl > dnl define(`confTO_QUEUEWARN', `4h')dnl > dnl define(`confTO_QUEUERETURN', `5d')dnl > dnl define(`confQUEUE_LA', `12')dnl > dnl define(`confREFUSE_LA', `18')dnl > dnl FEATURE(delay_checks)dnl > FEATURE(`no_default_msa',`dnl')dnl > FEATURE(`smrsh',`/usr/sbin/smrsh')dnl > FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl > FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl > FEATURE(redirect)dnl > FEATURE(always_add_domain)dnl > FEATURE(use_cw_file)dnl > FEATURE(use_ct_file)dnl > FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl > FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl > FEATURE(`blacklist_recipients')dnl > EXPOSED_USER(`root')dnl > dnl Change sendmail to only listen on the loopback interface and > dnl the internal network interface; never accept outside traffic. > dnl Add "dnl" to both DAEMON_OPTIONS lines to accept mail from > dnl all network interfaces. > dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') > dnl DAEMON_OPTIONS(`Port=smtp,Addr=192.168.0.1, Name=MTA') > dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires > dnl a kernel patch > dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6') > dnl We strongly recommend to comment this one out if you want to protect > dnl yourself from spam. However, the laptop and users on computers that do > dnl not have 24x7 DNS do need this. > dnl FEATURE(`accept_unresolvable_domains')dnl > dnl FEATURE(`relay_based_on_MX')dnl > MAILER(smtp)dnl > MAILER(procmail)dnl > Cwlocalhost.localdomain > > 13. Hover anxiously over the server for a couple of days and check > for "Relaying denied" errors. Track them down aggressively as most will be > your own customers. :) Fix their mail client configurations which they > didn't fix before when you told them to. > > 14. Get some sleep. > > > > -- > Rodolfo J. Paiz > [EMAIL PROTECTED] > > > > _______________________________________________ > Redhat-list mailing list > [EMAIL PROTECTED] > https://listman.redhat.com/mailman/listinfo/redhat-list ---------------------------------- E-Mail: Gregory Hosler <[EMAIL PROTECTED]> Date: 25-Jun-02 Time: 09:49:40 If each of us have one object, and we exchange them, then each of us still has one object. If each of us have one idea, and we exchange them, then each of us now has two ideas. ---------------------------------- _______________________________________________ Redhat-list mailing list [EMAIL PROTECTED] https://listman.redhat.com/mailman/listinfo/redhat-list
