# Sendmail and AUTH with SASL

## ErikT

I'm trying to get sendmail 8.12.7-r5 and cyrus-sasl-2.1.10-r2 to work. Everything seems to work ok if I use the /etc/sasl2/sasldb2 (and populate it via the saslpasswd2 program).

But that's not how I want it. Yet another login/password-database to keep current...

I can't seem to figure out how to make it use PAM. Any suggestions?

----------

## Paul Forgey

Me too!  I'm seeing a lot of people ask this with no answers, and from what I can poke around looking at, it just doesn't appear to work with the portage builds.

```m4
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
```

This is sort of a critical problem over here.  I really don't want to migrate my mail users back over to my RedHat box, but I absolutely need to use this.

----------

## georwell

You can use lots of different authentication methods.  You just need to set up SASL to do it for you.  That is the beauty of SASL.

Check out saslauthd and `/usr/lib/sasl/Sendmail.conf`.

Let me know if you have already looked at these.

----------

## Paul Forgey

I have.  Although I'm not an expert on sendmail+sasl (nor do I want to be), I have read lots and lots and lots of web pages on how to set this up, and I can not get any combination of any authentication methods to work.

----------

## georwell

What type of authentication mechanisms are you offering with SASL?  Have you run the test programs with SASL?

What do you have in your `/usr/lib/sasl/Sendmail.conf`?

----------

## Paul Forgey

This is actually sasl2, as what gets pulled in by including 'sasl' in USE.  SASL is offering "getpwent pam rimap shadow" as what seems to be configured as the default with the portage build.

I'm not aware of what relevant tests there are; I simply emerged cyrus-sasl and there isn't really anything in the way of documentation specifically for using the SASL library.

`/usr/lib/sasl2/Sendmail.conf` has:

```
pwcheck_method: shadow
```

although I've also tried using 'pam' instead of shadow.  I copied `/etc/pam.d/imap` -> `/etc/pam.d/smtp`.

----------

## georwell

Try this...

```
pwcheck_method: saslauthd
```

then run `saslauthd -a pam`

and try to authenticate....

----------

## Paul Forgey

thank you!!  That finally did it.

Like the rest of sendmail, this is _way_ harder than it needs to be.

----------

## georwell

Just a quick tip.  If you are going to be using PLAIN or LOGIN for authentication, don't allow non-SSL connections.  Make them use STARTTLS, then advertise authentication.

Check out these options...

```m4
define(`confAUTH_OPTIONS', `p,y')dnl
```

```
p   don't permit mechanisms susceptible to simple
    passive attack (e.g., PLAIN, LOGIN), unless a
    security layer is active.
y   don't permit mechanisms that allow anonymous login.
```

Sendmail is a beast but once you learn it, you know what true power is!

Cheers

----------
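An added example for the tip above (editor's code, not posted by anyone in this thread): a small Python script that reads an SMTP server's EHLO capabilities on the cleartext connection and again after STARTTLS, scores them against the `p,y` policy described in the previous post (no PLAIN/LOGIN without a security layer, no anonymous login), and decodes a captured cleartext `AUTH PLAIN` / `AUTH LOGIN` exchange to show exactly what a passive sniffer recovers when the policy is not enforced. The host name, the sample capability strings and the credentials in it are constructed for the example; `probe()` needs network access, everything else runs offline.

```python
"""Verify that an SMTP server does not offer password-revealing AUTH
mechanisms (PLAIN, LOGIN) before STARTTLS, which is what sendmail's
confAUTH_OPTIONS 'p' flag is meant to guarantee, and show what a passive
sniffer gets from a cleartext AUTH exchange when it is not enforced.

Editor's example for this thread, not code from the original posts.
"""
import base64
import smtplib

# Mechanisms the 'p' option withholds unless a security layer (TLS) is active.
CLEARTEXT_UNSAFE = {"PLAIN", "LOGIN"}
# Mechanisms the 'y' option never permits.
ANONYMOUS = {"ANONYMOUS"}


def mechs_from_ehlo(auth_value):
    """Parse the value of an EHLO 'AUTH' keyword such as 'DIGEST-MD5 CRAM-MD5'.
    smtplib keeps it in esmtp_features['auth']; sendmail may additionally
    send the legacy 'AUTH=LOGIN PLAIN' form, so '=' is treated as a space."""
    if not auth_value:
        return set()
    return {m.upper() for m in auth_value.replace("=", " ").split()}


def evaluate(auth_before_tls, auth_after_tls):
    """Apply the 'p,y' policy to the AUTH keywords seen before and after
    STARTTLS. All three boolean findings True means the server behaves as
    define(`confAUTH_OPTIONS', `p,y') intends."""
    before = mechs_from_ehlo(auth_before_tls)
    after = mechs_from_ehlo(auth_after_tls)
    return {
        # 'p': nothing password-revealing while the connection is cleartext
        "no_cleartext_passwords": not (before & CLEARTEXT_UNSAFE),
        # 'y': anonymous login offered in neither state
        "no_anonymous": not ((before | after) & ANONYMOUS),
        # clients can still authenticate once TLS is up
        "auth_available_under_tls": bool(after),
        "before": sorted(before),
        "after": sorted(after),
    }


def probe(host, port=25, timeout=10):
    """Talk to a live server: EHLO in cleartext, STARTTLS, EHLO again,
    then score both capability sets with evaluate(). Needs network access."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = smtp.esmtp_features.get("auth")
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()  # capabilities must be re-read after STARTTLS
            after = smtp.esmtp_features.get("auth")
    return evaluate(before, after)


def decode_auth_plain(captured_line):
    """What a sniffer recovers from a cleartext 'AUTH PLAIN <base64>' client
    line: the SASL PLAIN message is  authzid NUL authcid NUL password."""
    token = captured_line.split()[-1]
    authzid, authcid, password = base64.b64decode(token).decode().split("\x00")
    return authzid, authcid, password


def decode_auth_login(captured_lines):
    """Same for LOGIN: after 'AUTH LOGIN' the client sends base64 of the
    username and then base64 of the password, nothing more."""
    return tuple(base64.b64decode(line).decode() for line in captured_lines)


# Constructed samples (not a real server, not real credentials).
SAMPLE_CLEARTEXT_WEAK = "LOGIN PLAIN DIGEST-MD5 CRAM-MD5"   # 'p' not in effect
SAMPLE_CLEARTEXT_HARDENED = "DIGEST-MD5 CRAM-MD5"          # PLAIN/LOGIN withheld
SAMPLE_AFTER_TLS = "DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"
SAMPLE_AUTH_PLAIN = "AUTH PLAIN " + base64.b64encode(b"\x00erikt\x00s3cret").decode()
SAMPLE_AUTH_LOGIN = ["ZXJpa3Q=", "czNjcmV0"]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # e.g. python3 check_auth.py mail.example.org
    else:
        print("hardened:", evaluate(SAMPLE_CLEARTEXT_HARDENED, SAMPLE_AFTER_TLS))
        print("weak:    ", evaluate(SAMPLE_CLEARTEXT_WEAK, SAMPLE_AFTER_TLS))
        print("sniffed PLAIN:", decode_auth_plain(SAMPLE_AUTH_PLAIN))
        print("sniffed LOGIN:", decode_auth_login(SAMPLE_AUTH_LOGIN))
```

Run it with a host name to probe a real server, or without arguments to see the constructed weak and hardened capability sets scored side by side. DIGEST-MD5 and CRAM-MD5 are left in the "safe before TLS" set because the `p` flag only concerns mechanisms that send the password itself; they still belong behind TLS in practice, since the challenge-response hashes are offline-crackable.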

## Paul Forgey

Yes, but this is primarily for SSL connections, otherwise these users are using unencrypted imap or pop3 authentication anyway so it really doesn't hide anything.

(I'm not all that new to sendmail; years ago I did the NT port, so I shouldn't gripe too much)

----------

## georwell

> users are using unencrypted imap or pop3 authentication

It's a pain in the rear, but I would take those away too.  Unless you have thousands of users and don't have the support staff to help them with the switch.  I know I feel better when my people don't connect unencrypted when they are on the road from some hotel lobby using 802.11b.  Wait till the first password is sniffed and then BAM, you get paged at 3:00 am because the mail servers are at 100% CPU and blasting thousands of spam messages per second.  ;)

Cheers

----------

## Paul Forgey

Very valid point indeed.  Since SSL can be done easily from both OS-X Mail and Windows OE, I should probably just do it...  how do I make sure I don't accidentally lock out outside mail being delivered locally and local servers using me as a mail hub (for daemons and such)?

----------

