Simpler Navigation for Servers and Operating Systems - Please Update Your Bookmarks
Completed: a much simpler Servers and Operating Systems section of the Community. We combined many of the older boards, so you won't have to click through so many levels to get at the information you need. Check the consolidated boards here as many sub-forums are now single boards.
If you have bookmarked forums or discussion boards in Servers and Operating Systems, we suggest you check and update them as needed.
cancel
Showing results for 
Search instead for 
Did you mean: 

sendmail auth file permissions

Fred Ruffet
Honored Contributor

sendmail auth file permissions

Hi all,

I actually set-up sendmail on a 11iv1 server to relay mail to my ISP SMTP server. Their server runs on port 587 and needs authentication.

I managed to get the whole thing, but I have a problem with the auth file. I have configured sendmail.cf to use the file /etc/mail/authinfo. I have those rights :

root@rp3410:/etc/mail#ll authinfo
-rw------- 1 root bin 151 Jan 5 17:44 authinfo

when sending mail I have this line in mail.log :
Jan 6 12:17:14 rp3410 sm-mta[19087]: AUTH=client, error: can't open /etc/mail/authinfo: Permission denied

I tried to chmod g+r the file and then had :
Jan 6 12:06:09 rp3410 sm-mta[16715]: AUTH=client, error: can't open /etc/mail/authinfo: Group readable file

sendmail is running as root.

What permissions must I set to have this file used ?

Any help appreciated. Thanks,

Fred
--

"Reality is just a point of view." (P. K. D.)
15 REPLIES
TTr
Honored Contributor

Re: sendmail auth file permissions

The sendmail daemon has these builtin security checks for the files that it uses. Try changing the ownership of the authinfo file to bin:bin and take out the group write permission. All these security options are listed in the sendmail.cf file right below all those text blocks and where the config section starts.
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

Thanks TTr,

I have already set these permissions whithout success :
root@rp3410:/etc/mail#ll authinfo
-rw------- 1 bin bin 151 Jan 5 17:44 authinfo
root@rp3410:/etc/mail#ll -d .
dr-xr-xr-x 2 bin bin 8192 Jan 6 14:05 .

I always have these messages in mail.log :
Jan 6 14:05:56 rp3410 sm-mta[15657]: AUTH=client, error: can't open /etc/mail/authinfo: World readable file

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
TTr
Honored Contributor

Re: sendmail auth file permissions

Now the file is world redable. Remove the world read setting from the file.
Make it only rw-------
TTr
Honored Contributor

Re: sendmail auth file permissions

Actually, check the whole path leading to this file. Do you also have a hash filefor the authinfo file or a directory structure as described here? Check the paths of the files and directories and ensure they are not group or world readable (or writable).
http://docs.hp.com/en/5992-3190/ar01s08.html
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

sorry for the error. Message about world readable file was from another test I made. Message with the permission I told was :

Jan 6 14:20:41 rp3410 sm-mta[20494]: AUTH=client, error: can't open /etc/mail/authinfo: Permission denied

I'm looking forward the link you gave me.

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

Back...

I got it to pass this problem. Mostly by adding this line to sendmail.cf :
Kauthinfo hash -o /etc/mail/authinfo.db

Problem is now that I have following line in mail.log :
Jan 6 16:28:15 rp3410 sm-mta[25881]: o06FS1gO025878: AUTH=client, available mechanisms do not fulfill requirements

According to what I found on the web, I should not have AUTH=client, but my login instead of client.

Digging the docs... any help appreciated...

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Steven E. Protter
Exalted Contributor

Re: sendmail auth file permissions

Shalom,

You may find it easier to use sendmail.mc, or the HP-UX equivalent.

http://hpux.ws/buildmail.hpux.text

Note, looks like HP may have changed the name of the .mc file. You will have to alter the script to use that.

The .mc file is human readable and there is a lot of support for changes on it at http://www.sendmail.org

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
TTr
Honored Contributor

Re: sendmail auth file permissions

What is in the authinfo (and authinfo.db) file? Is it in the correct syntax?

What version of sendmail are you using?
TTr
Honored Contributor

Re: sendmail auth file permissions

Did you configure TLS and is sendmail starting it up?
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

Shalom SEP,

I have not looked at .mc files as long as it seems strange in HP-UX. But it should be possible to manage all this with .cf file.

TTr,

I have tried authinfo with almost all possible arrangements :
AuthInfo:server.name "I:ident" "P:passwd" "M:PLAIN LOGIN"
AuthInfo:server.name "U:root" "I:ident" "P:passwd" "M:LOGIN"
AuthInfo:server.name "U:root" "I:ident" "P:passwd" "M:PLAIN LOGIN"
AuthInfo:server.name:587 "U:root" "I=base64ident" "P=base64passwd" "M:PLAIN LOGIN"
...
and so on

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

TTr,

no, I didn't configure TLS.

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
TTr
Honored Contributor

Re: sendmail auth file permissions

I am thinking TLS might be a prerequisite for auth because without encryption, auth is pointles, hence the error message that you get. I don't have access to my external sendmail servers right now but see if these links can offer some help.
http://www.linuxquestions.org/questions/linux-software-2/sendmail-authentication-for-smarthost-relay-354488/ (note the sendmail version differences here)

http://www.linuxquestions.org/questions/linux-software-2/sendmail-seems-not-to-use-default-auth-info-367231/

http://www.docs.hp.com/en/5992-3190/ar01s06.html

Search for TLS here and elsewhere as well.
Sameer_Nirmal
Honored Contributor

Re: sendmail auth file permissions

Assuming Sendmail version is 8.13.3

Sendmail support of SMTP authentication is based on SASL. The systems also needs to have OpenSSL. If LOGIN auth is needed, it needs to be added in the sendmail.cf file.


http://docs.hp.com/en/5991-6611/5991-6611.pdf
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

TTr,

I don't think TLS nor any encryption is needed. As a proof, have a look at this test I made on the same server (names have been changed to protect the innocents) :
root@rp3410:/#telnet smtp.auth.myisp.com 587
Trying...
Connected to smtp.auth.myisp.com.
Escape character is '^]'.
220 smtp03.myisp.net ESMTP ISP; Wed, 6 Jan 2010 11:11:47 +0100
ehlo mydomain.com
250-smtp03.myisp.net Hello mail.mydomain.com [xxx.xxx.xxx.xxx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 21000000
250-DSN
250-AUTH PLAIN LOGIN
250-DELIVERBY
250 HELP
auth login
334 VXNlcm5hbWU6
myloginconvertedtobase64
334 UGFzc3dvcmQ6
mypassinbase64
235 2.0.0 OK Authenticated
MAIL FROM: root@mydomain.com
250 2.1.0 root@mydomain.com... Sender ok
RCPT TO: testaddress@elsewhere.fr
250 2.1.5 testaddress@elsewhere.fr... Recipient ok
data
354 Enter mail, end with "." on a line by itself
test message
.
250 2.0.0 o06ABl82003471 Message accepted for delivery
quit
221 2.0.0 smtp03.myisp.net closing connection
Connection closed by foreign host.

AUTH whith LOGIN only consists of a kind of chat and conversion in base64 of authentication. I agree to tell it's not secured at all, and it's not the point. This kind of connection protects them from spammers, I think.

It reminds me of the times of 56k modems and dial-up connections...

My map file is used as long as this command gives me a good answer :
echo '/map authinfo AuthInfo:smtp.myisp.com' | /usr/sbin/sendmail -bt

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

Sameer,

Yes I have upgraded sendmail to 8.13.3 in order to implement AUTH. sendmail.cf has been modified this way, but I may miss a point in configuration... And even looking at docs, I don't know what point.

Regards,

Fred


--

"Reality is just a point of view." (P. K. D.)