sendmail / authentication

Fred Martin_1
Valued Contributor


I've been running sendmail here for years on our HP-UX box. All clients use our sendmail server for smtp; they all pop in here too, to get mail.

My sendmail server has never been set up to require authentication; however it is not an open relay. It relays for my networks and for specific IPs, which are cellphones with static IP addresses.

I'd like a brief discussion about sendmail requiring authentication.

I believe that it's a simple option in the sendmail.cf file, to require clients to authenticate. I'd have to modify all my clients, wherever they may be.

Is there anything else?

I'm a little confused about what happens when joe@yahoo.com sends an email to someone on my network. Is this authentication requirement a factor there?

I have an anti-spam gateway between my sendmail server and the internet. It runs MS SMTP. It's the smart host for my sendmail server for all outbound email. Is that an issue as regards authentication?

Fred
fmartin@applicatorssales.com
4 REPLIES
Fred Martin_1
Valued Contributor

Re: sendmail / authentication

I just found this on sendmail.org, is it referring to the case where joe@yahoo.com wants to send an email to someone on my network?

"Requiring SMTP AUTH for all mails is in general a bad idea, because then you cannot receive mails from other users (since they cannot authenticate). So you must do this only on a server that is solely intended for your own users to send mail, not for a publicly advertised (via MX records) server."

Fred
fmartin@applicatorssales.com
Matti_Kurkela
Honored Contributor
Solution

Re: sendmail / authentication

Your sendmail might receive a connection attempt to TCP port 25 for two legitimate reasons:
a) MUA -> MTA: the mail client (MUA) of one of your users wishes to send outbound email
b) MTA -> MTA: joe.random@yahoo.com's mail server (MTA) somewhere in the Internet wishes to send inbound email to one of your users.

The problem is, at the basic SMTP protocol level, cases a) and b) can be told apart only by looking at the connection source address. Yet they must be treated differently: connection a) must be accepted for relaying to any destination, while in b) the mail must be accepted only if the destination is one of your users.

It would be impractical to enforce any kind of authentication on b): you most likely cannot give every legitimate mail server in the world the authentication credentials for connecting to your mail server.

I think the current recommended practice is to leave the port TCP/25 as it is now, and to implement a new SMTP service on an alternate port for those cases of MUA -> MTA communication where authentication is required. The suggested alternate port is TCP/587, the "submission" port, as per RFC 4409.

http://www.ietf.org/rfc/rfc4409.txt

If you want to use authentication to allow your users to send mail through your SMTP server from outside your network, encrypting the traffic of port 587 would be a good idea.

HP offers Sendmail version 8.13.3 at software.hp.com: according to the Release Notes, it has some pre-built facilities for the use of SSL/TLS encryption, SMTP authentication and the "submission" port.

Download:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SMAIL813

Release Notes:
http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c02038007/c02038007.pdf

Unfortunately, enabling authentication is not quite as simple as changing one option in the sendmail.cf file:

- Using your HP-UX login password for email authentication is just a bad idea, since the email authentication password will most likely be stored in the email client's configuration for convenience.

- If you are going to allow your clients to connect from the Internet, it would be a very good idea to use encryption or hashed passwords at the very least. However, modern secure password hashing mechanisms are incompatible with Unix password hashes: you will have to set up a separate email password configuration file.

You should also read this whitepaper, titled "Sendmail 8.13.3 Secure Mailing Solution": it contains the instructions for setting up the authentication and encryption mechanisms.

http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c02037950/c02037950.pdf

If you can make your anti-spam gateway use SMTP authentication when connecting to your sendmail server, you might be able to apply the instructions on pages 22-25 of the whitepaper as-is. But if you need to allow unauthenticated connections on port 25 while requiring authentication (and possibly encryption) on port 587, it seems some configuration tweaking might be required. Perhaps doing the suggested modifications for submit.cf only would be sufficient?

Disclaimer: I haven't done this on HP-UX sendmail myself. But I've done it with Postfix, and after reading a recent edition of the Bat Book ("Sendmail" from O'Reilly: it's *the* book for sendmail administrators) and the above-mentioned whitepaper & release notes, it looks like it's doable with HP-UX Sendmail 8.13.3. With older versions, all the necessary features might not be compiled into the sendmail binary.

MK
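For the split Matti describes (port 25 left open for MTA-to-MTA delivery, port 587 requiring SMTP AUTH and offering STARTTLS), the following sendmail.mc fragment is an added illustration and not part of the thread, the HP whitepaper, or the HP-UX sendmail package. It assumes a sendmail 8.12 or later built with SASL and STARTTLS support; the certificate paths under /etc/mail/certs and the mechanism list are assumptions to adapt to the local setup.

```m4
dnl --- Listener split: MTA on 25, MSA on 587 ---
dnl Once any DAEMON_OPTIONS line is present, the port 25 listener must be
dnl declared explicitly. No authentication is required here, because remote
dnl MTAs (case b in the reply above) cannot hold credentials for this host;
dnl relaying from port 25 is still governed by the access db / local networks.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

dnl Drop the default MSA listener (Port=587, M=E) so it can be redefined
dnl with stricter modifiers.
FEATURE(`no_default_msa')dnl

dnl M=E disables ETRN on this listener; M=a requires a successful SMTP AUTH
dnl before any mail is accepted, which is what makes port 587 safe to expose
dnl to roaming clients (case a in the reply above).
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

dnl --- SMTP AUTH ---
dnl Mechanisms the server advertises, and which of them count as
dnl "authenticated" for relay decisions. Assumed: PLAIN and LOGIN, the two
dnl that common mail clients support.
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl

dnl A: honour AUTH= parameter only when the session authenticated
dnl p: do not offer plaintext mechanisms (PLAIN/LOGIN) unless the
dnl    session is already encrypted with STARTTLS
dnl y: do not permit anonymous login
define(`confAUTH_OPTIONS', `A p y')dnl

dnl --- STARTTLS ---
dnl Paths are assumptions; the server key must be readable only by root.
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/server.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/server.key')dnl
```

The `p` flag in confAUTH_OPTIONS is what addresses the "encrypt the traffic of port 587" point: a client that has not issued STARTTLS will not even be offered PLAIN or LOGIN, so a password never crosses the wire in the clear. The user database behind SASL (the separate email password file Matti mentions) is configured in the SASL library, not in sendmail.cf; with Cyrus SASL that is typically a sasldb populated with saslpasswd2 and selected via pwcheck_method in the library's Sendmail.conf, but how HP-UX packages this is not covered by the thread and should be checked against the HP release notes.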
Bill Hassell
Honored Contributor

Re: sendmail / authentication

Having gone through this in great detail, sendmail authentication is very complex and requires a lot of special software to make it work (OpenSSL, SASL, lots of configurations and very little feedback when something doesn't work). sendmail authentication for HP-UX is usually required for outbound only. Even when you get it working, there are very few email destinations that will let you connect directly. You usually have to locate an email forwarder such as noip.com where you get a login for sendmail forwarding and pay a (very small) fee for mail messages. Note also that old versions of sendmail may not support authentication. I have attached a document from HP that goes over the steps needed to make sendmail work.

But as I dug into the actual code, it turns out that a script can perform email authentication (outbound) without using sendmail at all. I have attached the script to the next reply.


Bill Hassell, sysadmin
Bill Hassell
Honored Contributor

Re: sendmail / authentication

Here's the script. I call it mailxauth because it can be used to replace mail and mailx for outgoing mail. It has an extensive syslog.log debug capability so you can see if everything is working. It will also use /etc/mail/aliases to follow distribution lists. You can trace every step in the script by setting TRACEME=1 on the command line:

TRACEME=1 mailxauth -t

TRACEME=1 mailx -v -s "Some subject" name@addr.com < /etc/profile


Bill Hassell, sysadmin