How to set up and test SMTP AUTH within Sendmail
Environment
- Red Hat Enterprise Linux (RHEL)
- Sendmail
Issue
- How to set up and test SMTP AUTH within Sendmail
Resolution
1. Setting up SMTP AUTH:
- Install the following packages using the yum install or update command.
cyrus-sasl-gssapi
cyrus-sasl-md5
cyrus-sasl
cyrus-sasl-plain
cyrus-sasl-devel
sendmail
sendmail-cf
- Start the "saslauthd" service
# service saslauthd start
# chkconfig saslauthd on
- Add the "confAUTH_OPTIONS" option in /etc/mail/sendmail.mc
dnl define(`confAUTH_OPTIONS', `A p')dnl <--- comment out. "p" means that SSL/TLS settings are required (cf. https://access.redhat.com/solutions/1337083)
define(`confAUTH_OPTIONS', `A')dnl <--- Add this if you do not use TLS/SSL and you want to use auth LOGIN PLAIN
- Within /etc/mail/sendmail.mc, make sure the following lines are uncommented if you want to use LOGIN and PLAIN (GSSAPI, DIGEST-MD5 and CRAM-MD5 are enabled by default when cyrus-sasl-md5 and cyrus-sasl-gssapi are installed)
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
- Restart sendmail and saslauthd
# service saslauthd restart
Stopping saslauthd: [ OK ]
Starting saslauthd: [ OK ]
# service sendmail restart
Shutting down sendmail: [ OK ]
Shutting down sm-client: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
2. Testing SMTP AUTH
- To test SMTP AUTH from the command line, a valid username/password is required. The following command uses username "test" and password "redhat" as an example.
- Generate the base64-encoded string for the username and password
# echo -ne "\0test\0redhat" | base64
AHRlc3QAcmVkaGF0
- Telnet can be used to test SMTP AUTH with the encoded string above
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 dhcp.redhat.com ESMTP Sendmail 8.12.10/8.12.10; Wed, 24 Mar 2004 13:03:57 -0500
ehlo test
250-dhcp.redhat.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
auth plain AHRlc3QAcmVkaGF0
235 2.0.0 OK Authenticated
quit
221 2.0.0 dhcp.redhat.com closing connection
Connection closed by foreign host.
- Note: Be sure to remove the pam_stack.so module if you are using RHEL 5 or newer. For example /etc/pam.d/smtp:
#%PAM-1.0
auth include password-auth
account include password-auth
- When you use TLS/SSL, you can check SMTP AUTH (LOGIN AUTH) using an openssl command like the one below
# openssl s_client -connect 127.0.0.1:25 -starttls smtp
CONNECTED(00000003)
:
:
Certification
0070 - 3d c5 f3 e6 6a ff 7e 72-16 f6 06 91 1e 37 30 a1 =...j.~r.....70.
0080 - 59 36 86 7b 88 21 be af-41 e5 a4 9a a5 4c c2 5b Y6.{.!..A....L.[
0090 - 14 8e 30 88 bb 05 e9 2a-c6 5e df 03 c8 b9 d2 76 ..0....*.^.....v
Start Time: 1584963694
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250 HELP
EHLO localhost <----------------------------Enter
250-localhost Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
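The check below is an added example, not part of the original article or Red Hat's code: it parses an EHLO reply like the ones above to report whether PLAIN or LOGIN are offered on a session without TLS, and shows that the AUTH PLAIN string from step 2 decodes straight back to the username and password. The function names and the second sample reply (what a server with `A p` set would offer before STARTTLS) are assumptions made for illustration.

```python
import base64

# PLAIN and LOGIN carry the password in a reversible encoding.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# EHLO reply from the telnet transcript on this page (abridged).
PAGE_EHLO = """\
250-dhcp.redhat.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP"""

# Constructed sample (assumption): reply before STARTTLS when `A p` is set.
HARDENED_EHLO = """\
250-mail.example.test Hello localhost [127.0.0.1], pleased to meet you
250-STARTTLS
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250 HELP"""

def plain_token(user, password, authzid=""):
    """Build the AUTH PLAIN argument: base64(authzid NUL user NUL password)."""
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain_token(token):
    """Reverse plain_token(): the token is encoded, not encrypted."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN token")
    return tuple(p.decode("utf-8") for p in parts)

def auth_mechs(ehlo_reply):
    """Return the mechanisms on the AUTH line of a multi-line 250 reply."""
    for line in ehlo_reply.splitlines():
        text = line[4:].strip()
        if line[:3] == "250" and text.upper().startswith(("AUTH ", "AUTH=")):
            return text[5:].split()
    return []

def cleartext_exposed(ehlo_reply, tls_active):
    """Mechanisms that would put the password on the wire unencrypted."""
    if tls_active:
        return []
    return sorted(m for m in auth_mechs(ehlo_reply) if m.upper() in CLEARTEXT_MECHS)

if __name__ == "__main__":
    print("port 25, no TLS:", cleartext_exposed(PAGE_EHLO, tls_active=False))
    print("token decodes to:", decode_plain_token(plain_token("test", "redhat")))
```

An empty list from `cleartext_exposed` on the pre-STARTTLS reply is the result to expect once `confAUTH_OPTIONS` includes `p`.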
Diagnostic Steps
A possible issue is that if you also have postfix installed (a known bug), postfix will remove the needed PAM smtp auth file; without it, SMTP AUTH within sendmail will fail. Check to see if the following file exists and has the following data within it (in fact my system had postfix installed and so I needed to fix this during verification and testing while writing this up):
# cp /etc/pam.d/smtp.postfix /etc/pam.d/smtp
# cat /etc/pam.d/smtp
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
#
The bugzilla on this issue can be found at:
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.