topic Re: sendmail auth file permissions in Operating System - HP-UX

sendmail auth file permissions

Fred Ruffet — Wed, 06 Jan 2010 11:44:53 GMT

Hi all,

I actually set-up sendmail on a 11iv1 server to relay mail to my ISP SMTP server. Their server runs on port 587 and needs authentication.

I managed to get the whole thing, but I have a problem with the auth file. I have configured sendmail.cf to use the file /etc/mail/authinfo. I have those rights :

root@rp3410:/etc/mail#ll authinfo
-rw------- 1 root bin 151 Jan 5 17:44 authinfo

when sending mail I have this line in mail.log :
Jan 6 12:17:14 rp3410 sm-mta[19087]: AUTH=client, error: can't open /etc/mail/authinfo: Permission denied

I tried to chmod g+r the file and then had :
Jan 6 12:06:09 rp3410 sm-mta[16715]: AUTH=client, error: can't open /etc/mail/authinfo: Group readable file

sendmail is running as root.

What permissions must I set to have this file used ?

Any help appreciated. Thanks,

Fred

Re: sendmail auth file permissions

TTr — Wed, 06 Jan 2010 12:59:25 GMT

The sendmail daemon has these builtin security checks for the files that it uses. Try changing the ownership of the authinfo file to bin:bin and take out the group write permission. All these security options are listed in the sendmail.cf file right below all those text blocks and where the config section starts.

Re: sendmail auth file permissions

Fred Ruffet — Wed, 06 Jan 2010 13:16:12 GMT

Thanks TTr,

I have already set these permissions whithout success :
root@rp3410:/etc/mail#ll authinfo
-rw------- 1 bin bin 151 Jan 5 17:44 authinfo
root@rp3410:/etc/mail#ll -d .
dr-xr-xr-x 2 bin bin 8192 Jan 6 14:05 .

I always have these messages in mail.log :
Jan 6 14:05:56 rp3410 sm-mta[15657]: AUTH=client, error: can't open /etc/mail/authinfo: World readable file

Regards,

Fred

Re: sendmail auth file permissions

TTr — Wed, 06 Jan 2010 13:23:41 GMT

Now the file is world redable. Remove the world read setting from the file.
Make it only rw-------

Re: sendmail auth file permissions

TTr — Wed, 06 Jan 2010 13:26:25 GMT

Actually, check the whole path leading to this file. Do you also have a hash filefor the authinfo file or a directory structure as described here? Check the paths of the files and directories and ensure they are not group or world readable (or writable).
http://docs.hp.com/en/5992-3190/ar01s08.html

Re: sendmail auth file permissions

Fred Ruffet — Wed, 06 Jan 2010 13:30:11 GMT

sorry for the error. Message about world readable file was from another test I made. Message with the permission I told was :

Jan 6 14:20:41 rp3410 sm-mta[20494]: AUTH=client, error: can't open /etc/mail/authinfo: Permission denied

I'm looking forward the link you gave me.

Regards,

Fred

Re: sendmail auth file permissions

Fred Ruffet — Wed, 06 Jan 2010 16:00:23 GMT

Back...

I got it to pass this problem. Mostly by adding this line to sendmail.cf :
Kauthinfo hash -o /etc/mail/authinfo.db

Problem is now that I have following line in mail.log :
Jan 6 16:28:15 rp3410 sm-mta[25881]: o06FS1gO025878: AUTH=client, available mechanisms do not fulfill requirements

According to what I found on the web, I should not have AUTH=client, but my login instead of client.

Digging the docs... any help appreciated...

Regards,

Fred

Re: sendmail auth file permissions

Steven E. Protter — Wed, 06 Jan 2010 16:10:48 GMT

Shalom,

You may find it easier to use sendmail.mc, or the HP-UX equivalent.

http://hpux.ws/buildmail.hpux.text

Note, looks like HP may have changed the name of the .mc file. You will have to alter the script to use that.

The .mc file is human readable and there is a lot of support for changes on it at http://www.sendmail.org

SEP

Re: sendmail auth file permissions

TTr — Wed, 06 Jan 2010 16:38:31 GMT

What is in the authinfo (and authinfo.db) file? Is it in the correct syntax?

What version of sendmail are you using?

Re: sendmail auth file permissions

TTr — Wed, 06 Jan 2010 16:50:02 GMT

Did you configure TLS and is sendmail starting it up?

Re: sendmail auth file permissions

Fred Ruffet — Wed, 06 Jan 2010 17:35:19 GMT

Shalom SEP,

I have not looked at .mc files as long as it seems strange in HP-UX. But it should be possible to manage all this with .cf file.

TTr,

I have tried authinfo with almost all possible arrangements :
AuthInfo:server.name "I:ident" "P:passwd" "M:PLAIN LOGIN"
AuthInfo:server.name "U:root" "I:ident" "P:passwd" "M:LOGIN"
AuthInfo:server.name "U:root" "I:ident" "P:passwd" "M:PLAIN LOGIN"
AuthInfo:server.name:587 "U:root" "I=base64ident" "P=base64passwd" "M:PLAIN LOGIN"
...
and so on

Regards,

Fred

Re: sendmail auth file permissions

Fred Ruffet — Wed, 06 Jan 2010 17:36:14 GMT

TTr,

no, I didn't configure TLS.

Regards,

Fred

Re: sendmail auth file permissions

TTr — Wed, 06 Jan 2010 18:17:24 GMT

I am thinking TLS might be a prerequisite for auth because without encryption, auth is pointles, hence the error message that you get. I don't have access to my external sendmail servers right now but see if these links can offer some help.
http://www.linuxquestions.org/questions/linux-software-2/sendmail-authentication-for-smarthost-relay-354488/ (note the sendmail version differences here)

http://www.linuxquestions.org/questions/linux-software-2/sendmail-seems-not-to-use-default-auth-info-367231/

http://www.docs.hp.com/en/5992-3190/ar01s06.html

Search for TLS here and elsewhere as well.

Re: sendmail auth file permissions

Sameer_Nirmal — Wed, 06 Jan 2010 18:36:13 GMT

Assuming Sendmail version is 8.13.3

Sendmail support of SMTP authentication is based on SASL. The systems also needs to have OpenSSL. If LOGIN auth is needed, it needs to be added in the sendmail.cf file.

http://docs.hp.com/en/5991-6611/5991-6611.pdf

Re: sendmail auth file permissions

Fred Ruffet — Thu, 07 Jan 2010 08:40:28 GMT

TTr,

I don't think TLS nor any encryption is needed. As a proof, have a look at this test I made on the same server (names have been changed to protect the innocents) :
root@rp3410:/#telnet smtp.auth.myisp.com 587
Trying...
Connected to smtp.auth.myisp.com.
Escape character is '^]'.
220 smtp03.myisp.net ESMTP ISP; Wed, 6 Jan 2010 11:11:47 +0100
ehlo mydomain.com
250-smtp03.myisp.net Hello mail.mydomain.com [xxx.xxx.xxx.xxx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 21000000
250-DSN
250-AUTH PLAIN LOGIN
250-DELIVERBY
250 HELP
auth login
334 VXNlcm5hbWU6
myloginconvertedtobase64
334 UGFzc3dvcmQ6
mypassinbase64
235 2.0.0 OK Authenticated
MAIL FROM: root@mydomain.com
250 2.1.0 root@mydomain.com... Sender ok
RCPT TO: testaddress@elsewhere.fr
250 2.1.5 testaddress@elsewhere.fr... Recipient ok
data
354 Enter mail, end with "." on a line by itself
test message
.
250 2.0.0 o06ABl82003471 Message accepted for delivery
quit
221 2.0.0 smtp03.myisp.net closing connection
Connection closed by foreign host.

AUTH whith LOGIN only consists of a kind of chat and conversion in base64 of authentication. I agree to tell it's not secured at all, and it's not the point. This kind of connection protects them from spammers, I think.

It reminds me of the times of 56k modems and dial-up connections...

My map file is used as long as this command gives me a good answer :
echo '/map authinfo AuthInfo:smtp.myisp.com' | /usr/sbin/sendmail -bt

Regards,

Fred

Re: sendmail auth file permissions

Fred Ruffet — Thu, 07 Jan 2010 09:20:51 GMT

Sameer,

Yes I have upgraded sendmail to 8.13.3 in order to implement AUTH. sendmail.cf has been modified this way, but I may miss a point in configuration... And even looking at docs, I don't know what point.

Regards,

Fred