berklix.com logo

BSD-PIE icon

berklix.org logo

BSD icon
Gnu icon
Linux icon

Disclaimer

MHL
Medical

How to get a FreeBSD client to use SASL-1 to Auth identify itself to an outgoing mail proxy.

eg to smtprelay.berklix.org

http://www.berklix.com/~jhs/txt/sasl.html

by Julian Stacey

Links to Berklix servers in italics - Syntax in Brown

INDEX

To Index

See Also

To Index

SASL: RFC 2222 SASL (Simple Authentication and Security Layer)

Both Ends ? - Caution Re. Building Code

Some Things may be necessary to do on both local Client & remote Smarthost Servers, though perhaps I may have listed them as only necessary for one host. I'll remove them when I'm sure.

To Index

Do This On The Client
( = the local gateway that sends mail via SMTP protocol to the Smart Relay Host remote on the Internet).

Do this on the local gateway that is probably intermittently connected via DSL, ISDN or modem, that is probably allocated a temporary dynamic IP number valid only for the duration of the connection). Your local gateway's intent is then to send mail up to a permanently connected Smart Host, for later onward relay. Your local gateway identifies itself to the remote smart host by using SASL, to show entitlement to be relayed.

Add to /etc/make.conf something like

With content as shown by clicking above.
(I also use a site switchable (though content of that is not relevant to SASL).

(Next bit might not be necessary on client side, just on server:)
Install cyrus-sasl:

Configure sendmail to know access methods to identify itself to server end.
cd /usr/src/etc/sendmail
make cleandir ; make clean cleandepend
vi /etc/mail/sendmail.mc # or `hostname.mc`
Add:
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
You might want, but probably don't, any of a bunch of other things from my (Which I use via cpp with a lot of patches to /usr/src/etc/sendmail/Makefile, to produce .mc files for lots of different hosts. There's lot of comment in that file that you might like to skim).
make obj ; make
Optionally (depending on Makefile)
ls -l /usr/obj/`cd
/usr/src/etc/sendmail;/bin/pwd`/`hostname`.*
foreach i ( mc cf )
diff -c /usr/obj/`cd /usr/src/etc/sendmail;/bin/pwd`/`hostname`.$i /etc/mail/`hostname`.$i
end
make install # OR
cp /usr/obj/`cd /usr/src/etc/sendmail;/bin/pwd`/`hostname`.* /etc/mail/

Check /etc/mail/sendmail.cf now has eg:

# "Smart" relay host
DSesmtp:smtprelay.berklix.org
Add one or more lines to /etc/mail/access, example:
AuthInfo:slim.berklix.org "U:jhs" "R:slim.berklix.org" "P:password" "M:DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"
Notes
Field Example Comment
Remote Smart Host slim.berklix.org A real host name (DNS `A/Address record) works for me (I haven't yet tested whether it Has to be an A record, or whether the string just needs to match the text shown by sasldblistusers: user: jhs realm: slim.berklix.org mech: DIGEST-MD5 ).
With a name (smtprelay.berklix.org) that happened to be a (DNS) C name (alias), the local client did not try to authorise to remote server.
U: jhs Need not be login name or host name, just arbitrary name. Mine works with "jhs".
R: slim.berklix.org
P: AsInSaslSDb Need not be a password used by eg login, could be unique to & only used by SASL.
M: DIGEST-MD5 CRAM-MD5 LOGIN PLAIN  

cd /etc/mail ; make ; ls -l access*

lrwxr-xr-x 1 root wheel 9 Jul 10 2004 access@ -> LN/access
-rw-r----- 1 root wheel 114688 Aug 8 18:31 access.db
lrwxr----- 1 root bin 33 May 24 14:08 LN/access@ -> ../../domain/this/etc/mail/access
Ensure passwords database is not world readable.
cd /etc/mail ; chmod 640 access.db ; chown root:wheel access.db

cd /etc/mail ; make ; make stop ; make start # Probably better than restart.

To Index

Do This On Remote Server (Smart Host)

(That Should Receive Mail From You & Further Relay It To Rest Of Internet )
Rebuild other parts of /usr/src With the extended CFLAGS now including -ldb3 various bits will fail to compile (at least on FreeBSD-4.10): 
        libexec/mail.local
libexec/smrsh
usr.bin/vacation
usr.sbin/editmap
usr.sbin/mailstats
usr.sbin/makemap
usr.sbin/praliases
usr.sbin/sendmail
To avoid that, first:
cd /usr/ports/databases/db3 ; make install
To avoid missing libsmutil and libsm libraries, either eg:
cd /usr/src/lib/libsmutil ; make clean cleandepend depend all install
cd /usr/src/lib/libsm ; make clean cleandepend depend all install
cd /usr/src/usr.sbin/sendmail ; make clean cleandepend depend all install
Or more radically:
cd /usr/src ; make cleandir ; make clean cleandepend all install
The above might solve the problem of host=tower currently only showing: 250-AUTH PLAIN LOGIN

cd /etc/mail ; make ; make stop ; make start # Probably better than restart.

To Index

Test On Sender ( Gateway between Internet & local net)

echo "Local test (works without SASL)" ; date | mail postmaster@remote_relay_smart_host
echo "Remote test (needs SASL)" ; date | mail someone@some_host_beyond_smarthost

To Index

Verify

  • Check SASL is compiled in,

    sendmail -d0.1 < /dev/null

    4.10 (host=mart, local client) Sample output (notice SASL is there (does it need to be ?):
    Version 8.12.11
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
    6-1 (host=park, local client) Sample output (After recompiling & Installing:
    Version 8.13.6
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
    4.10 (host=slim, remote smtprelay.berklix.org) Sample output (notice SASL is there, needs to be)
    Version 8.12.11
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

    Notice sendmail version numbers too (as so much SASL & Sendmail documentation re. options is version number dependent)

    FreeBSD Sendmail
    6.1 8.13.6
    5.3 8.13.1
    4.10 8.12.11
  • telnet smtprelay.berklix.org smtp
    You type:
    EHLO local-gate.net
    (Where local-gate.net could be any string your local gateway chooses [optionally to masquerade ] as your as sending domain name).
    It responds
    250-slim. berklix.org Hello p549A79B0.dip.t-dialin.net [84.154.121.176], pleased to meet you
    250-AUTH DIGEST-MD5 PLAIN LOGIN
    You type
    AUTH DIGEST-MD5
    It responds with about 200 bytes of hex string
    quit

To Index

Debug

  • Not sure if this helps, but ...)
    On local gateway client: edit /etc/syslog.conf from
    mail.info /var/log/maillog
    to
    mail.debug /var/log/maillog
    & trigger a rescan:
    kill -HUP 646 `cat /var/run/syslog.pid`
  • On local gateway client: Kill background sendmail (not the one marked as Queue runner, but other one). Then run sendmail with extra debug flags:
    /usr/sbin/sendmail -bD -d13 -O LogLevel=14 -N failure,delay,success
    -bD runs in foreground
    -d13 set the LogLevel
    -O LogLevel=14 set the LogLevel
    -N failure,delay,success Maximise feedback
  • Run 2 xterms, one on local gateway & 1 on remote Smarthost, running
    tail -F /var/log/maillog
  • Look for error symptoms
    • On remote server:
      < MAIL From:<local_user@local-gate.net> SIZE=377 AUTH=<>
      Sep 13 09:57:53 slim sm-mta[52439]: k8D7vrBQ052439: --- 250 2.1.0 <local_user@local-gate.net>... Sender ok
      <-- RCPT To:<remote@destination. com>
      --- 550 5.7.1 <remote@destination. com>... Relaying denied. Proper authentication required.
      ruleset=check_rcpt, arg1=<remote@destination. com>, relay=p549A643D.dip.t-dialin.net [84.154.100.61], reject=550 5.7.1 <remote@destination. com>... Relaying denied. Proper authentication required.
    • On local client gateway:
      • In /var/log/maillog an empty mech= :
        AUTH=client, relay= slim.berklix.org., mech= , bits=0
      • In mail with:
        To: root@local_gateway_sasl_client
        Subject: Cron <root@local_gateway_sasl_client> periodic daily
        #if SASL
        ...
        "Warning: Option: %s requires SASL support (-DSASL)\n"
        From /usr/src/contrib/sendmail/src/readcf.c

To Index

Good Examples

/var/log/maillog Each line begins: Date Time hostname sm-mta[Process ID] (Note, particularly on remote smart host, sometimes different PID lines get interleaved, indicating several jobs running in parallel simultaneously).

On Local Gateway, To Remote Smart Host

k04DRJls021661: --- 050 <remote@destination. com> Connecting to smtprelay3.berklix.org via esmtp...
k04DRJls021661: SMTP outgoing connect on p549A63B3.dip.t-dialin.net
AUTH=client, realm=tower.berklix.org, available realms=<No Realms>
AUTH=client, relay=smtprelay3.berklix.org, mech=DIGEST-MD5, bits=128
k04DRJls021661: --- 050 <remote@destination. com> Sent (k04DRNos040492 Message accepted for delivery)
k04DRJls021661: to=<remote@destination. com> delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=30594, relay=smtprelay3.berklix.org [83.236.223.114], dsn=2.0.0, stat=Sent (k04DRNos040492 Message accepted for delivery)
k04DRJls021661: done; delay=00:00:06, ntries=1 NOQUEUE: --- 050 Closing connection to smtprelay3.berklix.org

On Remote Smart Host

NOQUEUE: connect from p549A63B3.dip.t-dialin.net [84.154.99.179]
AUTH: available mech=LOGIN PLAIN ANONYMOUS DIGEST-MD5 CRAM-MD5, allowed mech=GSSAPI DIGEST-MD5 PLAIN LOGIN
k04DRNor040492: Milter: no active filter
k04DRNor040492: --- 220 tower. berklix.org ESMTP Sendmail 8.12.9p2/8.12.9; Wed, 4 Jan 2006 14:27:23 +0100 (CET)
k04DRNor040492: <-- EHLO local-gate.net
k04DRNor040492: --- 250-tower. berklix.org Hello p549A63B3.dip.t-dialin.net [84.154.99.179], pleased to meet you
k04DRNor040492: --- 250-ENHANCEDSTATUSCODES
k04DRNor040492: --- 250-PIPELINING
k04DRNor040492: --- 250-8BITMIME
k04DRNor040492: --- 250-SIZE
k04DRNor040492: --- 250-DSN
k04DRNor040492: --- 250-ETRN
k04DRNor040492: --- 250-AUTH DIGEST-MD5 PLAIN LOGIN
k04DRNor040492: --- 250-DELIVERBY
k04DRNor040492: --- 250 HELP
k04DRNor040492: <-- AUTH DIGEST-MD5 =
k04DRNor040492: --- 334 bm9uY2U....................
k04DRNor040492: --- 334 cnNwYXV....................
k04DRNor040492: --- 235 2.0.0 OK Authenticated
AUTH=server, relay=p549A63B3.dip.t-dialin.net [84.154.99.179], authid=jhs, mech=DIGEST-MD5, bits=128
k04DRNor040492: <-- EHLO local-gate.net
k04DRNos040492: --- 250-tower. berklix.org Hello p549A63B3.dip.t-dialin.net [84.154.99.179], pleased to meet you
k04DRNos040492: --- 250-ENHANCEDSTATUSCODES
k04DRNos040492: --- 250-PIPELINING
k04DRNos040492: --- 250-8BITMIME
k04DRNos040492: --- 250-SIZE
k04DRNos040492: --- 250-DSN
k04DRNos040492: --- 250-ETRN
k04DRNos040492: --- 250-AUTH DIGEST-MD5 PLAIN LOGIN
k04DRNos040492: --- 250-DELIVERBY
k04DRNos040492: --- 250 HELP
k04DRNos040492: <-- MAIL From:<local_user @ flat. berklix.net> SIZE=594
k04DRNos040492: --- 250 2.1.0 <local_user @flat. berklix.net> Sender ok
k04DRNos040492: <-- RCPT To:<remote@destination. com>
k04DRNos040492: --- 250 2.1.5 <remote@destination. com> Recipient ok
k04DRNos040492: <-- DATA
k04DRNos040492: --- 354 Enter mail, end with "." on a line by itself
k04DRNos040492: from=<local_user @ flat.berklix.net> size=828, class=0, nrcpts=1, msgid=<200601041327.k04DRccs003279 @local-gate.net>, proto=ESMTP, daemon=IPv4, relay=p549A63B3.dip.t-dialin.net [84.154.99.179]
k04DRNos040492: --- 250 2.0.0 k04DRNos040492 Message accepted for delivery
k04DRNot040492: <-- QUIT
k04DRNot040492: --- 221 2.0.0 tower. berklix.org closing connection

To Index

Berklix.Net Computer Associates Domains Apache: Web Server FreeBSD: Operating System