Configuring RedHat Linux 6.2 for SMTP AUTH using Sendmail 8.11 + Cyrus-SASL

Changelog:

  * Tue May 7 15:35:55 IST 2002
    - Added in the port 25 telnet based AUTH PLAIN session
  * Thu Dec 20 2001
    - Use user@hostname from Pine for PAM backend
  * Thu Nov 29 2001
    - Added in info about RPM changing Sendmail.conf on upgrade/downgrade
    - Note about direct telnet to SMTP port for testing AUTH
  * Fri Sept 7 2001
    - Ran spell checker :)
    - Reformatted log and SMTP chat transcripts for better readability
    - Made domains consistent
  * Thu Aug 30 2001
    - Added new links in the URL section for:
        SASL Compilation And Configuration
        From 8.9 to 8.10: Upgrade Made Easy
        Using SMTP AUTH in Sendmail 8.10
  * Sat Aug 25 2001
    - Added in URLs for CRAM-MD5
    - Added note about CRAM-MD5 and DIGEST-MD5 being present only with
      the sasldb back-end
  * 2001-08-16
    - Initial roll-out

SYNOPSIS:

SMTP AUTH can be used in anti-relay rulesets to allow relaying for those
users that have authenticated themselves to the MTA.

DESCRIPTION:

"This document defines an SMTP service extension [ESMTP] whereby an SMTP
client may indicate an authentication mechanism to the server, perform an
authentication protocol exchange, and optionally negotiate a security layer
for subsequent protocol interactions. This extension is a profile of the
Simple Authentication and Security Layer [SASL]."
[See ftp://ftp.isi.edu/in-notes/rfc2554.txt]

The main purpose of implementing SMTP AUTH is to control relaying outside
the DMZ and thereby control spam/mail abuse. "POP before SMTP" is another
popular method for controlling relaying, usually used by ISPs. With POP
before SMTP it is not possible(?) to provide selective relay access, while
with SMTP AUTH it is possible.
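As an added example (not code from this HOWTO), here is what the two mechanisms used later in this document look like on the wire: the PLAIN token that the TESTING section builds with printf | mmencode, and the CRAM-MD5 challenge/response that Pine tries first. The PLAIN user and password are the ones from the TESTING section; the CRAM-MD5 challenge and secret are the sample values from RFC 2195.

```python
"""Added example (not from this HOWTO): the two SASL mechanisms seen in the
TESTING and PINE sections as they appear on the wire.
  PLAIN    (RFC 2595): base64( authzid NUL authcid NUL password )
  CRAM-MD5 (RFC 2195): server sends base64(challenge); client answers
                       base64( user SP hex(HMAC-MD5(password, challenge)) )
"""
import base64
import hashlib
import hmac


def plain_initial_response(authcid, password, authzid=""):
    """Client side: the token after 'AUTH PLAIN' (what printf | mmencode built)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode()
    return base64.b64encode(raw).decode()


def plain_parse(token):
    """Server side: split a PLAIN token into (authzid, authcid, password)."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN token must contain exactly two NUL bytes")
    return tuple(p.decode() for p in parts)


def cram_md5_response(user, password, challenge_b64):
    """Client side: the password itself never crosses the wire, only an HMAC."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(response_b64, challenge_b64, lookup_secret):
    """Server side: recompute the HMAC from the stored secret (the server needs
    the secret itself, not a one-way hash of it) and compare in constant time."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    secret = lookup_secret(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)
```

The PLAIN token reproduces the string shown in the TESTING section exactly, which is a quick way to check a hand-typed base64 blob before pasting it into a telnet session.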
REQUIREMENTS:

Requirements for RedHat 6.x
===========================

  Fully updated RedHat Linux 6.2
  Sendmail 8.11.x      ( I used SRPMS from RawHide )
  Cyrus-sasl           ( Rawhide )
  Bash2                ( RHL 7.1 SRPM recompiled )

The following extra packages will be needed if the target machine is not
fully updated:

  DB3                  ( RedHat 6.2 Updates )
  OpenLDAP             ( 6.2 Updates - liblber.so.1.0 )
  pam-0.72             ( 6.2 Updates )
  rpm                  ( RPMv4 )

A full backup of /etc/sendmail* and /etc/mail ;)

Sendmail 8.11 is the bare minimum for SSL/TLS support, which we plan to add
in later. So don't start this hack with sendmail < 8.10.x.

INSTALLATION:

Setting up SMTP AUTH in RHL 6.2 is a long and winding process. Compared
with RHL 7.1, 6.2 is totally "featureless". Some of the limitations in 6.2
are:

  - It ships with Sendmail 8.9 which does not have SASL compiled in
  - Does not have cyrus-sasl
  - Does not support Sleepycat's DB3
  - Sendmail 8.11 requires Bash2; 6.2 does not ship with Bash2
  - RPMv3 is obsolete. Need to use RPMv4
  - Yada yada yada

The upgrade from Sendmail 8.9 to 8.10 is nasty. Read the article on
upgrading from 8.9 to 8.10 at http://www.sendmail.net/ninetoten.shtml.
This will help in the transition process.

This basically means that you cannot install Sendmail 8.11 on 6.2 and
expect it to run. You have to crawl before you can even walk. ;)

Download, compile and upgrade the following packages in this order:

  1. rpm               ( RPMv4 )
  2. Bash2             ( RHL 7.1 SRPM recompiled )
  3. DB3               ( Redhat 6.2 Updates )
  4. Cyrus-sasl        ( Rawhide )
  5. Sendmail 8.11.x   ( I used SRPMS from RawHide )

CONFIGURATION:

Backup:

  [root@mail] ~# cd /root
  [root@mail] ~# tar zcvf sendmail-cf.tgz /etc/sendmail.* /etc/mail

Step1: Check whether the compiled Sendmail 8.11 has SASL support

  [root@mail] ~# /usr/sbin/sendmail -d0.1 -bv root | grep SASL
  NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS QUEUE SASL SCANF
                                                      ^^^^

NOTE: Create a symlink /etc/init.d pointing to /etc/rc.d/init.d.
Sendmail expects the link to exist, as in RHL > 7.0.

  [root@mail] ~# ln -svf /etc/rc.d/init.d /etc/init.d

Step2: The .mc file

Previously, in 6.1, the sendmail-cf files were under
/usr/lib/sendmail-cf/cf. Sendmail 8.11 puts them in
/usr/share/sendmail-cf/cf.

  [root@mail] ~# cd /usr/share/sendmail-cf/cf

It is highly recommended that you copy the contents of redhat.mc to a site
specific .mc file like "my-domain.mc".

  [root@mail] ~# cp redhat.mc my-domain.mc

Edit my-domain.mc. Uncomment (or add if they do not exist) the following
defines:

  -- my-domain.mc --
  TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
  define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
  -- my-domain.mc --

Comment out the DAEMON_OPTIONS line (as shipped, it binds the MTA to
127.0.0.1 only, so no outside client could reach port 25 to authenticate):

  -- my-domain.mc --
  dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
  -- my-domain.mc --

Make other changes to the .mc file as required for your domain and
generate the sendmail.cf:

  [root@mail] ~# m4 my-domain.mc > /etc/sendmail.cf

Step3: Decide the authentication backend you want to use: PAM or SASLDB

PAM:
====

If you have a populated password database, it is preferred that you use
the PAM approach. Sendmail will then use your existing PAM accounts for
account validation.

In /usr/lib/sasl/Sendmail.conf, drop this line:

  pwcheck_method: pam

Restart Sendmail for the changes to take effect.

  [root@mail] ~# service sendmail restart
  (OR)
  [root@mail] ~# killall -HUP sendmail          [recommended]

SASLDB:
=======

Cyrus SASL comes with its own password backend which one can use. This is
preferred in the following cases:

  1) You don't want to store user accounts in PAM.
  2) You are using a firewall/gateway as the Sendmail relay where user
     accounts are prohibited.
  3) The database is going to be used exclusively for SMTP.
  4) You do not want to use plain passwords.

In /usr/lib/sasl/Sendmail.conf, drop this line:

  pwcheck_method: sasldb

Adding users to sasldb:

Cyrus-SASL provides 2 utilities to list and manage users in the sasldb:
saslpasswd and sasldblistusers.
  [root@mail] ~# saslpasswd -u my-domain.com username
  Password: XXXXX
  Again (for verification): XXXXX

  [root@mail] ~# sasldblistusers
  user: foo realm: my-domain.com mech: CRAM-MD5
  user: foo realm: my-domain.com mech: DIGEST-MD5
  user: foo realm: my-domain.com mech: PLAIN

The "realm" (my-domain.com) is very important. If a realm is not
specified, it might default to the FQDN of the host. This will make the
user's login ID very long and difficult to remember:
"user@mail.my-domain.com" instead of "user@my-domain.com".

Step4: Sendmail and PAM

Check maillog for this message:

  Aug 16 11:28:49 mail sendmail[14360]: PAM unable to dlopen(/lib/security/pam_stack.so)
  Aug 16 11:28:49 mail sendmail[14360]: PAM [dlerror: /lib/security/pam_stack.so: cannot open shared object file: No such file or directory]
  Aug 16 11:28:49 mail sendmail[14360]: PAM adding faulty module: /lib/security/pam_stack.so

Sendmail 8.11 uses the newer "pam-stack" style for PAM authentication,
which is the default for RHL 7.0 and later as it is very modular.
Upgrading the PAM RPM to version pam-0.72-20.6.x.i386.rpm or later from
the 6.2 Updates tree fixes the "unable to dlopen.." error.

/etc/pam.d/smtp should have the following lines in a pam-stack
environment (7.0 and later):

  #%PAM-1.0
  auth       required     /lib/security/pam_stack.so service=system-auth
  account    required     /lib/security/pam_stack.so service=system-auth

http://www.sendmail.net/usingsmtpauth.shtml has a lot of information on
compiling and debugging SMTP AUTH.

TESTING:

Step1: Basic testing for supported authentication mechanisms

  [root@mail] ~# telnet mail.my-domain.com 25
  Connected to mail.FooBar.com.
  Escape character is '^]'.
  220 localhost.localdomain ESMTP Sendmail 8.11.4/8.11.4; Thu, 16 Aug 2001 12:51:59 +0530
  > ehlo there
  250-localhost.localdomain Hello root@localhost.localdomain [127.0.0.1], pleased to meet you
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250-SIZE
  250-DSN
  250-ONEX
  250-ETRN
  250-XUSR
  > 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
  250 HELP

The listed AUTH mechanisms are:

  - DIGEST-MD5
  - CRAM-MD5
  - LOGIN
  - PLAIN

NOTE: The "CRAM-MD5" and "DIGEST-MD5" auth mechanisms will be listed in
the "ehlo" transcript only with the sasldb backend, and then only if
/etc/sasldb exists. With PAM authentication, only LOGIN and PLAIN will be
listed.

Step2: Telnet based testing

For telnet based SMTP AUTH to work:

  - A TLS session must not be started using the SMTP "STARTTLS" command.
  - The username/password has to be converted to Base64 before it can be
    passed to Sendmail.

Assuming that you have created a user "foo@my-domain.com" with "testpass"
as the password:

  root@mail:~# sasldblistusers | grep foo
  user: foo realm: my-domain.com mech: CRAM-MD5
  user: foo realm: my-domain.com mech: PLAIN
  user: foo realm: my-domain.com mech: DIGEST-MD5

the base64 encoded string (authorization id, NUL, authentication id, NUL,
password, which is the layout AUTH PLAIN expects) looks like this:

  root@monster:~# printf 'foo@my-domain.com\0foo@my-domain.com\0testpass' | mmencode
  Zm9vQG15LWRvbWFpbi5jb20AZm9vQG15LWRvbWFpbi5jb20AdGVzdHBhc3M=

  [root@mail] ~# telnet mail.my-domain.com 25
  Connected to mail.FooBar.com.
  Escape character is '^]'.
  220 localhost.localdomain ESMTP Sendmail 8.11.4/8.11.4; Thu, 16 Aug 2001 12:51:59 +0530
  > ehlo there
  250-localhost.localdomain Hello root@localhost.localdomain [127.0.0.1], pleased to meet you
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250-SIZE
  250-DSN
  250-ONEX
  250-ETRN
  250-XUSR
  > 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
  250 HELP
  -> AUTH PLAIN Zm9vQG15LWRvbWFpbi5jb20AZm9vQG15LWRvbWFpbi5jb20AdGVzdHBhc3M=
  235 2.0.0 OK Authenticated

Step3: Mail client settings for Outlook

  1. Click Tools -> MAIL -> Select Account -> Servers Tab -> Outgoing mail
     server
  2.
     In "My server requires authentication", fill in the username and
     password for the SMTP server.

You will now be prompted for authentication while sending mail. Outlook
only supports "PLAIN" as the authentication mechanism.

NOTE: The username field will vary with the SASL authentication mechanism
and the SASL realm. Do not enable SPA and SSL together!

SASL Backend:
=============

If the user "foo" has been added with the realm "my-domain.com", then the
username will be "foo@my-domain.com". The username should include the
realm part, otherwise authentication will fail with "user not found".

PAM Backend:
============

In the case of PAM, the realm part should not be used. The username will
be the same as the login ID.

PINE Configuration:

.pinerc:

  smtp-server=mail.my-domain.com/user=foo@my-domain.com

PINE uses CRAM-MD5 by default and will fall back to PLAIN if CRAM-MD5
fails. If your server is configured only for plain auth, then add the
following to .pinerc to speed up the AUTH process:

  # List of SASL authenticators to disable.
  disable-these-authenticators=CRAM-MD5

In case AUTH is failing in PAM mode, try passing the hostname along with
the username like this: user@hostname. user@fqdn did not work against PAM
from Pine.

Logs: /var/log/maillog

Outlook Express using PLAIN mechanism:

  Aug 16 12:04:29 mail sendmail[14443]: f7G6YTV14443: from=, size=2316, class=0, nrcpts=1, msgid=<002001c1261c$b485ec60$1601a8c0@FooBar.com>, proto=ESMTP, daemon=MTA, mech=LOGIN, relay=vmduron.FooBar.com [192.168.1.22]
  Aug 16 12:04:50 mail sendmail[14445]: f7G6YTV14443: to=, delay=00:00:21, xdelay=00:00:21, mailer=esmtp, pri=32316, relay=mail.bigfoot.com.
  [208.156.39.203], dsn=2.0.0, stat=Sent (Message accepted for delivery)

Pine using CRAM-MD5 mechanism:

  Aug 16 12:45:36 mail sendmail[14544]: f7G7EuV14544: from=, size=309, class=0, nrcpts=0, msgid=, proto=ESMTP, daemon=MTA, mech=CRAM-MD5, relay=root@godzilla.FooBar.com [192.168.1.24]
  Aug 16 12:45:36 mail sendmail[14544]: f7G7EuV14544: to=, delay=00:00:00, mailer=esmtp, pri=309, dsn=4.4.3, stat=queued

UPGRADING/DOWNGRADING SENDMAIL VERSIONS:

When later versions of the Sendmail RPMs are available and an
'rpm -Uvh sendmail-.i386.rpm' is performed, make sure you check the
Sendmail.conf file in /usr/lib/sasl/Sendmail.conf. Sometimes RPM renames
Sendmail.conf with a '.rpmsave' suffix and puts in a new Sendmail.conf with
the stock Sendmail default SASL authentication mechanism. Keep this in mind
in case AUTH breaks after an upgrade or downgrade. We learnt this the hard
way, as it goes unnoticed!

FILES:

  /etc/sendmail.cf
  /etc/pam.d/smtp
  /usr/lib/sasl/Sendmail.conf
  /usr/share/sendmail-cf/cf/redhat.mc

RPMS:

  openldap-1.2.12-3.i386.rpm
  bash-2.04-21.i386.rpm
  cyrus-sasl-gssapi-1.5.24-19.i386.rpm
  cyrus-sasl-1.5.24-19.i386.rpm
  cyrus-sasl-md5-1.5.24-19.i386.rpm
  cyrus-sasl-plain-1.5.24-19.i386.rpm

Optional:

  cyrus-sasl-devel-1.5.24-19.i386.rpm
  bash-doc-2.04-21.i386.rpm

SEE ALSO:

  1. SMTP AUTH in sendmail 8.10/8.11
     http://www.sendmail.org/~ca/email/auth.html
  2. SMTP AUTH for sendmail 8.x: Realms and Examples
     http://www.sendmail.org/~ca/email/authrealms.html
  3. PRESENTATION - Extended Features of Sendmail (SMTP Auth and STARTTLS)
     http://www.mn-linux.org/members/tanner/presentations/
  4. Another SMTP AUTH HOWTO by Pavel
     http://www.asp.ogi.edu/people/paja/linux/sendmail/
  5. Cyrus-SASL Build Notes
     http://www.sial.org/sendmail/docs/install-sasl.txt
  6. CRAM-MD5 RFC
     ftp://ftp.isi.edu/in-notes/rfc2195.txt
  7. SASL Compilation And Configuration
     http://www.sendmail.org/compiling.html#SASL
  8.
     From 8.9 to 8.10: Upgrade Made Easy
     http://www.sendmail.net/ninetoten.shtml
  9. Using SMTP AUTH in Sendmail 8.10
     http://www.sendmail.net/usingsmtpauth.shtml

BUGS:

Only client side ones! ;)

One confusion exists: what will happen to the normal SMTP talk b/w MTAs?
Will it always require authentication too?

Update: AUTH is requested only in relay mode, so normal SMTP talk will not
be a problem.

TODO:

AUTHOR:

Shanker Balan
http://shankerbalan.com/
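An added example, not part of the HOWTO, for the /var/log/maillog records shown in the Logs section: it joins sendmail's from= and to= lines by queue id, reports the mech= each submission used, and lists any message handed to the outbound esmtp mailer with no AUTH from a client outside the networks you trust, which is the situation the anti-relay ruleset exists to prevent. The log lines are constructed to match the format above; hosts, addresses and the trusted networks are made up.

```python
"""Added example (not part of the HOWTO): join sendmail's from=/to= maillog
records by queue id, report the SMTP AUTH mechanism used, and flag messages
sent out with no AUTH from an untrusted client.  SAMPLE_LOG is constructed
to match the maillog format shown in the Logs section; values are made up."""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = """\
Aug 16 12:04:29 mail sendmail[14443]: f7G6YTV14443: from=<foo@my-domain.com>, size=2316, class=0, nrcpts=1, msgid=<1@FooBar.com>, proto=ESMTP, daemon=MTA, mech=LOGIN, relay=vmduron.FooBar.com [192.168.1.22]
Aug 16 12:04:50 mail sendmail[14445]: f7G6YTV14443: to=<someone@example.net>, delay=00:00:21, xdelay=00:00:21, mailer=esmtp, pri=32316, relay=mail.example.net. [203.0.113.9], dsn=2.0.0, stat=Sent (Message accepted for delivery)
Aug 16 12:45:36 mail sendmail[14544]: f7G7EuV14544: from=<x@elsewhere.test>, size=309, class=0, nrcpts=1, msgid=<2@elsewhere.test>, proto=ESMTP, daemon=MTA, relay=host.elsewhere.test [198.51.100.7]
Aug 16 12:45:36 mail sendmail[14544]: f7G7EuV14544: to=<someone@example.net>, delay=00:00:00, mailer=esmtp, pri=309, dsn=4.4.3, stat=queued
"""
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)(?:, |$)")


def parse_maillog(text):
    """{queue_id: {field: value}}: from= carries mech= and the submitting
    client in relay=, to= carries the mailer the message was handed to."""
    records = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                       # PAM messages and other noise
        fields = dict(KV_RE.findall(m.group("rest")))
        rec = records[m.group("qid")]
        if "from" in fields:
            rec.update(fields)
        else:
            rec["mailer"] = fields.get("mailer", "")
            rec["to_relay"] = fields.get("relay", "")
    return dict(records)


def relay_ip(relay_field):
    """'vmduron.FooBar.com [192.168.1.22]' -> IPv4Address('192.168.1.22')."""
    m = re.search(r"\[([\d.]+)\]", relay_field)
    return ipaddress.ip_address(m.group(1)) if m else None


def unauthenticated_relays(records, trusted_nets):
    """Queue ids sent out via esmtp with no mech= from outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for qid, rec in records.items():
        ip = relay_ip(rec.get("relay", ""))
        if rec.get("mailer") != "esmtp" or "mech" in rec or ip is None:
            continue
        if not any(ip in net for net in nets):
            flagged.append(qid)
    return sorted(flagged)
```

Run it over the real maillog with your own LAN ranges in trusted_nets; an empty result after a Sendmail RPM upgrade is also a cheap way to confirm that Sendmail.conf was not silently replaced.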