Configuring a FreeBSD client & server to use SASL Auth for client to identify itself to server to send outgoing mail to proxy smart mailer.

eg to smtprelay.berklix.org

SASL = Simple Authentication and Security Layer
+ Sendmail on FreeBSD both ends.

This Is: http://www.berklix.com/~jhs/txt/sasl.html

by Julian H. Stacey



SASL-1 or SASL-2

I used SASL-1 when I first wrote this page. Later I switched to SASL-2 & appended specific notes for it in Nov./Dec. 2012. Both sets of info are here, as:
  • I don't have time to strip SASL-1 from the page.
  • I might need SASL-1 if I have to rescue an old customer config.
  • Someone else on a rescue might similarly need SASL-1 notes.
However, if you're new to SASL, use & read SASL-2, not SASL-1.

See Also

Configuration Files
  • /usr/share/sendmail/cf/README <- /usr/src/contrib/sendmail/cf/README
  • /usr/lib/sasl/saslpasswd.conf -> ../../../site/usr/lib/sasl/saslpasswd.conf
  • /usr/local/lib/sasl2/saslpasswd.conf -> ../../../../site/usr/local/lib/sasl2/saslpasswd.conf -> ../../../lib/sasl/saslpasswd.conf
  • /usr/local/lib/sasl/Sendmail.conf -> ../../../../site/usr/lib/sasl/Sendmail.conf
  • /usr/local/lib/sasl2/Sendmail.conf -> ../../../../site/usr/lib/sasl/Sendmail.conf
  • /usr/ports/security/cyrus-sasl2/files/Sendmail.README
External Links


Do This On The Local Gateway
(= the Local Client [Gateway] that sends mail via the SMTP protocol to the Smart Relay Host remote on the Internet.)

Do this on the local client (which might be a single PC or a firewall gateway, probably intermittently connected via DSL, ISDN or modem, and probably allocated a temporary dynamic IP number valid only for the duration of the connection). Your Local Client [Gateway] then sends mail up to a permanently connected Smart Host on the real internet with a permanent IP number, for onward relay. Your Local Client [Gateway] identifies itself to the remote smart host using SASL, to show it is entitled to be relayed.

Add to /etc/make.conf something like

.include "/etc/make.conf.sasl"
.if exists ( /usr/local/include/sasl )      #{
SENDMAIL_CFLAGS+=   -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+=  -L/usr/local/lib
SENDMAIL_LDADD+=    -lsasl2
.endif                      #}

(The next bit might not be necessary on the client side, just on the server (**):)


Install cyrus-sasl:

Configure sendmail to know the access methods it uses to identify itself to the server end.
**: it probably is necessary, because if one runs
pkg_delete cyrus-sasl-2.1.22_1 cyrus-sasl-saslauthd-2.1.22 (I don't use it on local gate or remote servers @ 2013-07) ; cd /etc/mail; xs make clean ; xs make ; xs make start
one gets:
Shared object "libsasl2.so.2" not found, required by "sendmail"
sendmail-clientmqueue/libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "sendmail"

cd /usr/src/etc/sendmail
make cleandir ; make clean ; make cleandepend
vi /etc/mail/sendmail.mc # or `hostname.mc`
Add:
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
You might want, but probably don't, any of a bunch of other sendmail.mc things from my (Which I use via cpp with a lot of patches to /usr/src/etc/sendmail/Makefile, to produce .mc files for lots of different hosts. (There's lot of comment in that file, not just about SASL)).
make obj ; make
Optionally (depending on Makefile):
ls -l /usr/obj/`cd /usr/src/etc/sendmail;/bin/pwd`/`hostname`.*
foreach i ( mc cf )
diff -c /usr/obj/`cd /usr/src/etc/sendmail;/bin/pwd`/`hostname`.$i /etc/mail/`hostname`.$i
end
make install # OR
cp /usr/obj/`cd /usr/src/etc/sendmail;/bin/pwd`/`hostname`.* /etc/mail/

Check /etc/mail/sendmail.cf now has eg:

# "Smart" relay host
DSesmtp:smtprelay.berklix.org
Add one or more lines to /etc/mail/access, example:
AuthInfo:slim.berklix.org "U:jhs" "R:slim.berklix.org" "P:password" "M:DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"
Notes on the fields (Field: example. Comment):
  • Remote Smart Host key: slim.berklix.org. A real host name (DNS A/Address record) works for me. I haven't yet tested whether it has to be an A record, or whether the string just needs to match the text shown by sasldblistusers ("user: jhs realm: slim.berklix.org mech: DIGEST-MD5"). With a name (smtprelay.berklix.org) that happened to be a DNS CNAME (alias), the local client did not try to authorise to the remote server.
  • U: jhs. Need not be a login name or host name, just an arbitrary name. Mine works with "jhs".
  • R: slim.berklix.org.
  • P: AsInSaslSDb. Need not be a password used by e.g. login; it could be unique to & only used by SASL.
  • M: DIGEST-MD5 CRAM-MD5 LOGIN PLAIN.

cd /etc/mail ; make ; ls -l access*

lrwxr-xr-x 1 root wheel 9 Jul 10 2004 access@ -> LN/access
-rw-r----- 1 root wheel 114688 Aug 8 18:31 access.db
lrwxr----- 1 root bin 33 May 24 14:08 LN/access@ -> ../../domain/this/etc/mail/access
Ensure passwords database is not world readable.
cd /etc/mail ; chmod 640 access.db ; chown root:wheel access.db

cd /etc/mail ; make ; make stop ; make start # Probably better than restart.


Do This On Remote Server (Smart Host)

(That should receive mail from you & further relay it to the rest of the Internet.)
Rebuild other parts of /usr/src. With the extended CFLAGS now including -ldb3, various bits will fail to compile (at least on FreeBSD-4.10):
  lib/libsmutil
  lib/libsm
  libexec/mail.local
  libexec/smrsh
  usr.bin/vacation
  usr.sbin/editmap
  usr.sbin/mailstats
  usr.sbin/makemap
  usr.sbin/praliases
  usr.sbin/sendmail

To avoid that, first:
cd /usr/ports/databases/db3 ; make install
To avoid missing libsmutil and libsm libraries, either eg:
cd /usr/src/lib/libsmutil ; make clean cleandepend depend all install
cd /usr/src/lib/libsm ; make clean cleandepend depend all install
cd /usr/src/usr.sbin/sendmail ; make clean cleandepend depend all install
Or more radically:
cd /usr/src ; make cleandir ; make clean ; make cleandepend ; make all install
The above might solve the problem of host=tower currently only showing: 250-AUTH PLAIN LOGIN

cd /etc/mail ; make ; make stop ; make start # Probably better than restart.


Test On Sender ( Gateway between Internet & local net)

echo "Local test (works without SASL)" ; date | mail postmaster@remote_relay_smart_host
echo "Remote test (needs SASL)" ; date | mail someone@some_host_beyond_smarthost


Verify

  • Check SASL is compiled in,

    sendmail -d0.1 < /dev/null

    4.10 (host=mart, local client) sample output (notice SASL is there; does it need to be?):
    Version 8.12.11
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
    6-1 (host=park, local client) sample output (after recompiling & installing):
    Version 8.13.6
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
    4.10 (host=slim, remote smtprelay.berklix.org) sample output (notice SASL is there; it needs to be):
    Version 8.12.11
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

    Notice sendmail version numbers too (as so much SASL & Sendmail documentation re. options is version number dependent)

    FreeBSD          Sendmail
    14.3-RELEASE-p2  8.17.1
    12.4-RELEASE     8.16.1
    6.1              8.13.6
    5.3              8.13.1
    4.10             8.12.11
  • telnet smtprelay.berklix.org smtp
    You type:
    EHLO local-gate.net
    (Where local-gate.net could be any string your local gateway chooses [optionally to masquerade] as your sending domain name.)
    It responds
    250-slim. berklix.org Hello p549A79B0.dip.t-dialin.net [84.154.121.176], pleased to meet you
    250-AUTH DIGEST-MD5 PLAIN LOGIN
    You type
    AUTH DIGEST-MD5
    It responds with about 200 bytes of hex string
    quit
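
The EHLO reply above and the AuthInfo line from /etc/mail/access are the two things that have to agree before the client will authenticate. The following is an added example (not the author's code) that parses both from constructed sample strings, lists the mechanisms the two sides have in common, and warns about the two failure modes this page describes: the access key not matching the name the server greets with (the CNAME case), and an overlap consisting only of PLAIN/LOGIN with no STARTTLS advertised. The sample strings and all function names are assumptions for the example.

```python
import re

# Constructed sample (not captured from the author's hosts): the EHLO reply
# shown in the telnet check above, with the AUTH line the server advertises.
EHLO_REPLY = (
    "250-slim.berklix.org Hello p549A79B0.dip.t-dialin.net [84.154.121.176], pleased to meet you\r\n"
    "250-AUTH DIGEST-MD5 PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)

# Constructed sample AuthInfo line in the /etc/mail/access format used above.
ACCESS_LINE = ('AuthInfo:slim.berklix.org "U:jhs" "R:slim.berklix.org" '
               '"P:password" "M:DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"')

CLEARTEXT = {"PLAIN", "LOGIN"}  # carry the password unprotected unless STARTTLS is used


def parse_authinfo(line):
    """Return (host key, {'U':..., 'R':..., 'P':..., 'M':[mechs]}) from an AuthInfo line."""
    m = re.match(r'AuthInfo:(\S+)\s+(.*)$', line.strip())
    if not m:
        raise ValueError("not an AuthInfo line")
    fields = {}
    for key, val in re.findall(r'"([A-Z]):([^"]*)"', m.group(2)):
        fields[key] = val.split() if key == "M" else val
    return m.group(1), fields


def parse_ehlo(reply):
    """Return (server name, AUTH mechanisms offered, all EHLO keywords) from an EHLO reply."""
    lines = reply.splitlines()
    server = lines[0][4:].split()[0]          # strip "250-" and take the greeting name
    offered, keywords = set(), set()
    for line in lines[1:]:
        words = line[4:].split()              # strip "250-" / "250 "
        if not words:
            continue
        keywords.add(words[0])
        if words[0] == "AUTH":
            offered.update(words[1:])
    return server, offered, keywords


def common_mechs(access_line, ehlo_reply):
    """Mechanisms from the client's M: list that the server also offers, plus warnings."""
    host, fields = parse_authinfo(access_line)
    server, offered, keywords = parse_ehlo(ehlo_reply)
    common = [mech for mech in fields.get("M", []) if mech in offered]  # client order
    warnings = []
    if host != server:   # e.g. a CNAME key while the server greets with its A-record name
        warnings.append(f"access key {host} differs from EHLO name {server}")
    if not common:
        warnings.append("no mechanism in common: expect 'Relaying denied'")
    elif set(common) <= CLEARTEXT and "STARTTLS" not in keywords:
        warnings.append("only cleartext mechanisms in common and no STARTTLS")
    return common, warnings
```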


Debug

  • Not sure if this helps, but ...
    On Local Client [Gateway]: edit /etc/syslog.conf from
    mail.info /var/log/maillog
    to
    mail.debug /var/log/maillog
    & trigger a rescan:
    kill -HUP `cat /var/run/syslog.pid`
  • On Local Client [Gateway]: Kill background sendmail (not the one marked as Queue runner, but other one). Then run sendmail with extra debug flags:
    /usr/sbin/sendmail -bD -d13 -O LogLevel=14 -N failure,delay,success
    -bD runs as daemon in the foreground
    -d13 turns on sendmail debug category 13
    -O LogLevel=14 sets the LogLevel
    -N failure,delay,success maximise delivery status feedback
  • Run 2 xterms, one on Local Client [Gateway] & 1 on remote Smarthost, running
    tail -F /var/log/maillog
  • Look for error symptoms
    • On remote server:
      < MAIL From:<local_user@local-gate.net> SIZE=377 AUTH=<>
      Sep 13 09:57:53 slim sm-mta[52439]: k8D7vrBQ052439: --- 250 2.1.0 <local_user@local-gate.net>... Sender ok
      <-- RCPT To:<remote@destination. com>
      --- 550 5.7.1 <remote@destination. com>... Relaying denied. Proper authentication required.
      ruleset=check_rcpt, arg1=<remote@destination. com>, relay=p549A643D.dip.t-dialin.net [84.154.100.61], reject=550 5.7.1 <remote@destination. com>... Relaying denied. Proper authentication required.
    • On local client gateway:
      • In /var/log/maillog an empty mech= :
        AUTH=client, relay= slim.berklix.org., mech= , bits=0
      • In mail with:
        To: root@local_gateway_sasl_client
        Subject: Cron <root@local_gateway_sasl_client> periodic daily

        #if SASL
        ...
        "Warning: Option: %s requires SASL support (-DSASL)\n"
        From /usr/src/contrib/sendmail/src/readcf.c
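
The symptoms listed above (an empty "mech=" on the client, "Relaying denied" on the server) and the good lines under the next heading differ only in a few fields of the maillog AUTH= records. The following is an added example (not the author's code) that classifies such lines and summarises a log excerpt; the log lines are constructed samples modelled on this page's excerpts, with the Date Time hostname sm-mta[PID] prefix, and the function names are assumptions.

```python
import re

# Constructed sample lines, modelled on the maillog excerpts quoted on this page.
MAILLOG = """\
Jan  4 14:27:23 tower sm-mta[40492]: AUTH=server, relay=p549A63B3.dip.t-dialin.net [84.154.99.179], authid=jhs, mech=DIGEST-MD5, bits=128
Jan  4 14:27:23 gate sendmail[21661]: AUTH=client, relay=smtprelay2.berklix.org, mech=DIGEST-MD5, bits=128
Sep 13 09:57:53 gate sendmail[52439]: AUTH=client, relay= slim.berklix.org., mech= , bits=0
Sep 13 09:57:53 slim sm-mta[52439]: ruleset=check_rcpt, arg1=<remote@destination.com>, relay=p549A643D.dip.t-dialin.net [84.154.100.61], reject=550 5.7.1 <remote@destination.com>... Relaying denied. Proper authentication required.
Jan  4 14:27:23 gate sendmail[21662]: AUTH=client, relay=smtprelay2.berklix.org, mech=PLAIN, bits=0
"""

CLEARTEXT = {"PLAIN", "LOGIN"}  # password goes over the wire unprotected unless STARTTLS


def parse_auth(line):
    """Split an 'AUTH=client ...' / 'AUTH=server ...' maillog line into a dict, or None."""
    idx = line.find("AUTH=")
    if idx < 0:
        return None
    rec = {}
    for part in line[idx:].split(", "):
        key, _, val = part.partition("=")
        rec[key.strip()] = val.strip()      # 'mech= ' becomes an empty string
    return rec


def classify(line):
    """Return (category, detail) for one maillog line, or None if not of interest."""
    if "Relaying denied" in line:
        m = re.search(r"relay=(\S+)", line)
        return "relay-denied", m.group(1) if m else "?"
    rec = parse_auth(line)
    if rec is None:
        return None
    relay = rec.get("relay", "?").rstrip(".")
    if rec["AUTH"] == "client":
        if not rec.get("mech"):             # the empty 'mech= ' symptom from Debug
            return "client-auth-failed", relay
        if rec["mech"] in CLEARTEXT:
            return "client-auth-cleartext", f"{relay} {rec['mech']}"
        return "client-auth-ok", f"{relay} {rec['mech']}"
    if rec["AUTH"] == "server":
        return "server-auth-ok", f"{rec.get('authid', '?')} {rec.get('mech', '?')}"
    return None                             # e.g. 'AUTH=<>' inside a MAIL From line


def summarise(log):
    """Count categories over a maillog excerpt and list the relays involved in failures."""
    counts, failed = {}, []
    for line in log.splitlines():
        hit = classify(line)
        if hit:
            cat, detail = hit
            counts[cat] = counts.get(cat, 0) + 1
            if cat in ("client-auth-failed", "relay-denied"):
                failed.append(detail)
    return counts, failed
```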


Good Examples

/var/log/maillog Each line begins: Date Time hostname sm-mta[Process ID] (Note, particularly on remote smart host, sometimes different PID lines get interleaved, indicating several jobs running in parallel simultaneously).

On Local Client [Gateway], To Remote Smart Host

k04DRJls021661: --- 050 <remote@destination.com> Connecting to smtprelay2.berklix.org via esmtp...
k04DRJls021661: SMTP outgoing connect on p549A63B3.dip.t-dialin.net
AUTH=client, realm=tower.berklix.org, available realms=<No Realms>
AUTH=client, relay=smtprelay2.berklix.org, mech=DIGEST-MD5, bits=128
k04DRJls021661: --- 050 <remote@destination. com> Sent (k04DRNos040492 Message accepted for delivery)
k04DRJls021661: to=<remote@destination. com> delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=30594, relay=smtprelay2.berklix.org [my.old.ip.v4], dsn=2.0.0, stat=Sent (k04DRNos040492 Message accepted for delivery)
k04DRJls021661: done; delay=00:00:06, ntries=1 NOQUEUE: --- 050 Closing connection to smtprelay2.berklix.org

On Remote Smart Host

Notes on debugging with SASL-2, looking on the smart server in /var/log/maillog:

  • AUTH: available mech=SCRAM-SHA-1 DIGEST-MD5 OTP CRAM-MD5 NTLM LOGIN PLAIN ANONYMOUS,

  • /var/log/maillog: "allowed mech"
    /etc/mail/sendmail.cf:
    • "list of authentication mechanisms"
    • "O AuthMechanisms="
    Server SLIM OK___: ________ GSSAPI ___________ DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
    Server LAND Fails: EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 _____ _____
NOQUEUE: connect from p549A63B3.dip.t-dialin.net [84.154.99.179]
AUTH: available mech=LOGIN PLAIN ANONYMOUS DIGEST-MD5 CRAM-MD5, allowed mech=GSSAPI DIGEST-MD5 PLAIN LOGIN
k04DRNor040492: Milter: no active filter
k04DRNor040492: --- 220 tower. berklix.org ESMTP Sendmail 8.12.9p2/8.12.9; Wed, 4 Jan 2006 14:27:23 +0100 (CET)
k04DRNor040492: <-- EHLO local-gate.net
k04DRNor040492: --- 250-tower. berklix.org Hello p549A63B3.dip.t-dialin.net [84.154.99.179], pleased to meet you
k04DRNor040492: --- 250-ENHANCEDSTATUSCODES
k04DRNor040492: --- 250-PIPELINING
k04DRNor040492: --- 250-8BITMIME
k04DRNor040492: --- 250-SIZE
k04DRNor040492: --- 250-DSN
k04DRNor040492: --- 250-ETRN
k04DRNor040492: --- 250-AUTH DIGEST-MD5 PLAIN LOGIN
k04DRNor040492: --- 250-DELIVERBY
k04DRNor040492: --- 250 HELP
k04DRNor040492: <-- AUTH DIGEST-MD5 =
k04DRNor040492: --- 334 bm9uY2U....................
k04DRNor040492: --- 334 cnNwYXV....................
k04DRNor040492: --- 235 2.0.0 OK Authenticated
AUTH=server, relay=p549A63B3.dip.t-dialin.net [84.154.99.179], authid=jhs, mech=DIGEST-MD5, bits=128
k04DRNor040492: <-- EHLO local-gate.net
k04DRNos040492: --- 250-tower. berklix.org Hello p549A63B3.dip.t-dialin.net [84.154.99.179], pleased to meet you
k04DRNos040492: --- 250-ENHANCEDSTATUSCODES
k04DRNos040492: --- 250-PIPELINING
k04DRNos040492: --- 250-8BITMIME
k04DRNos040492: --- 250-SIZE
k04DRNos040492: --- 250-DSN
k04DRNos040492: --- 250-ETRN
k04DRNos040492: --- 250-AUTH DIGEST-MD5 PLAIN LOGIN
k04DRNos040492: --- 250-DELIVERBY
k04DRNos040492: --- 250 HELP
k04DRNos040492: <-- MAIL From:<local_user @flat. berklix.net> SIZE=594
k04DRNos040492: --- 250 2.1.0 <local_user @flat. berklix.net> Sender ok
k04DRNos040492: <-- RCPT To:<remote@destination. com>
k04DRNos040492: --- 250 2.1.5 <remote@destination. com> Recipient ok
k04DRNos040492: <-- DATA
k04DRNos040492: --- 354 Enter mail, end with "." on a line by itself
k04DRNos040492: from=<local_user@ flat. berklix.net> size=828, class=0, nrcpts=1, msgid=<200601041327.k04DRccs003279 @local-gate.net>, proto=ESMTP, daemon=IPv4, relay=p549A63B3.dip.t-dialin.net [84.154.99.179]
k04DRNos040492: --- 250 2.0.0 k04DRNos040492 Message accepted for delivery
k04DRNot040492: <-- QUIT
k04DRNot040492: --- 221 2.0.0 tower. berklix.org closing connection


SASL-2

On Local Sending Client Host:
cd /etc/mail ;
touch access ;
cat >> access << EOF
AuthInfo:server1.berklix.org "U:userName" "R:server1.berklix.org" "P:password" "M:DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"
AuthInfo:server2.berklix.org "U:userName" "R:server2.berklix.org" "P:password" "M:DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"
EOF
cd /etc/mail ; make access.db
On Remote Receiving Server Host:
cd /usr/ports/security/cyrus-sasl2; make install ; rehash
sasldblistusers2
ls -l /usr/local/etc/sasldb2.db # See the size with 0 entries in.
saslpasswd2 -c -a Sendmail -u `hostname` userName
password   # typed at the prompt, not on the command line

sasldblistusers2
ls -l /usr/local/etc/sasldb2.db # Notice size does not grow with an entry in
# output is 1 to several lines, eg:
user1@server1.berklix.org: userPassword
user2@server2.berklix.org: userPassword
Old FreeBSD: echo /var/db/pkg/*cyrus*
/var/db/pkg/cyrus-sasl-2.1.25_2
/var/db/pkg/cyrus-sasl-saslauthd-2.1.25 (I don't use it on local gate or remote servers @ 2013-07)
New FreeBSD: pkg info | grep cyrus
cyrus-sasl-2.1.26_12 RFC 2222 SASL (Simple Authentication and Security Layer)
Old FreeBSD: pkg_info -r cyrus-sasl-saslauthd-2.1.25
# (I don't use it on local gate or remote servers @ 2013-07)
Dependency: cyrus-sasl-2.1.25_2
vi /etc/rc.conf: # Not currently used: saslauthd_enable="YES"
# (I don't use it on local gate or remote servers @ 2013-07)
echo "Not currently: cd /usr/local/etc/rc.d ; ./saslauthd start"
# (I don't use it on local gate or remote servers @ 2013-07)
cat >> /etc/make.conf << EOF
# .include "/site/domain/this/etc/make.conf"
# .include "/site/domain/this/etc/make.conf.sasl"
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
EOF
cd /usr/src/lib/libsmutil; make cleandir ; make clean ; make obj ; make
cd /usr/src/lib/libsm; make cleandir ; make clean ; make obj ; make
cd /usr/src/usr.sbin/sendmail; make cleandir ; make clean ; make obj ; make ; make install
cd /usr/local/lib/sasl2
ln -s -f ../../../../site/usr/local/lib/sasl2 LN
ln -s -f LN/saslpasswd.conf
ln -s -f LN/Sendmail.conf
cd /etc/mail ; make ; make stop ; make start
Bug:
From: Peter Jeremy <peterj@@@FreeBSD.org>
Date: Tue, 19 Apr 2022 20:15:50 +1000
To: Hajimu UMEMOTO <ume@@@mahoroba.org>
Cc: SAY@@@office.sigma-soft.ru WARNING: SITE IN .RU DOMAIN, ports@@@FreeBSD.org

On 2022-Apr-16 21:03:21 +0900, Hajimu UMEMOTO <ume@@@mahoroba.org> wrote:
>On Sun, 17 Apr 2022 05:52:27 +0900, ####### ###### ####### wrote:
>> I would like to help test if I can.
>
>No, I cannot reproduce your problem.
>As I said in my previous message, I'm using sendmail-8.17.1_3 with
>cyrus-sasl-2.1.28 without any problem.

There's a known incompatibility between cyrus-sasl-2.1.28 and
sendmail-8.17.1 that is fixed in sendmail-8.17.1.9 - see
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262935

I haven't verified that the problem still exists in
sendmail-8.17.1_3 but the problem definitely existed in
sendmail-8.17.1_2 and the only change between those versions
is the PORTREVISION.  Looking at the local patches, neither
mail/sendmail nor security/cyrus-sasl2-saslauthd include
patches that would make them compatible.

Which Smart Host

A client host (FreeBSD 12.4-RELEASE) running Sendmail with SASL-2 does not just try sending to the "Smart" relay host specified by "^DS" in /etc/mail/sendmail.cf. If the smart server fails, the client also tries the other "^AuthInfo" servers listed in the client's /etc/mail/access.

Nice, except that after breaking my specified smart relay I was confused by rejects from an alternate smart relay. The problem was that the reserve smart relay had not previously been repaired to accept SASL (so I hashed out the reserve in ./access on the client until later).
