
sendmail auth file permissions

 
Fred Ruffet
Honored Contributor

Hi all,

I actually set up sendmail on an 11iv1 server to relay mail to my ISP SMTP server. Their server runs on port 587 and needs authentication.

I managed to get the whole thing, but I have a problem with the auth file. I have configured sendmail.cf to use the file /etc/mail/authinfo. I have those rights:

root@rp3410:/etc/mail#ll authinfo
-rw------- 1 root bin 151 Jan 5 17:44 authinfo

when sending mail I have this line in mail.log :
Jan 6 12:17:14 rp3410 sm-mta[19087]: AUTH=client, error: can't open /etc/mail/authinfo: Permission denied

I tried to chmod g+r the file and then had :
Jan 6 12:06:09 rp3410 sm-mta[16715]: AUTH=client, error: can't open /etc/mail/authinfo: Group readable file

sendmail is running as root.

What permissions must I set to have this file used ?

Any help appreciated. Thanks,

Fred
--

"Reality is just a point of view." (P. K. D.)
TTr
Honored Contributor

Re: sendmail auth file permissions

The sendmail daemon has these builtin security checks for the files that it uses. Try changing the ownership of the authinfo file to bin:bin and take out the group write permission. All these security options are listed in the sendmail.cf file right below all those text blocks and where the config section starts.
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

Thanks TTr,

I have already set these permissions without success:
root@rp3410:/etc/mail#ll authinfo
-rw------- 1 bin bin 151 Jan 5 17:44 authinfo
root@rp3410:/etc/mail#ll -d .
dr-xr-xr-x 2 bin bin 8192 Jan 6 14:05 .

I always have these messages in mail.log :
Jan 6 14:05:56 rp3410 sm-mta[15657]: AUTH=client, error: can't open /etc/mail/authinfo: World readable file

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
TTr
Honored Contributor

Re: sendmail auth file permissions

Now the file is world readable. Remove the world read setting from the file.
Make it only rw-------
TTr
Honored Contributor

Re: sendmail auth file permissions

Actually, check the whole path leading to this file. Do you also have a hash file for the authinfo file or a directory structure as described here? Check the paths of the files and directories and ensure they are not group or world readable (or writable).
http://docs.hp.com/en/5992-3190/ar01s08.html
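
Added example (not part of the thread, and not sendmail's own code): a shell function that walks the path to the auth file and reports the conditions behind the "Group readable file", "World readable file" and "Permission denied" messages quoted above. The function name and finding labels are made up for this example, and flagging directories only when they are group- or world-writable is an assumption of the example.

```shell
#!/bin/sh
# audit_secret_path FILE  (hypothetical helper, added for illustration)
# Prints one finding per line; prints nothing when the file and every
# directory above it pass. Mode strings come from `ls -ld`, so no
# GNU-only tools are needed.
audit_secret_path() {
    f=$1
    [ -f "$f" ] || { echo "missing $f"; return 0; }

    # Mode string looks like -rw-r-----
    # char 1 = type, 2-4 = owner, 5-7 = group, 8-10 = other
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in ????r*)     echo "file-group-readable $f $mode" ;; esac
    case "$mode" in ?????w*)    echo "file-group-writable $f $mode" ;; esac
    case "$mode" in ???????r*)  echo "file-world-readable $f $mode" ;; esac
    case "$mode" in ????????w*) echo "file-world-writable $f $mode" ;; esac

    # Readability is tested for the calling user, so run this as the
    # account that has to open the file.
    [ -r "$f" ] || echo "file-unreadable-by-caller $f $mode"

    # Walk every parent directory up to / (or . for a relative path).
    # Assumption of this example: a directory is a problem only when
    # group or world can write to it (and so replace the file).
    d=$(dirname "$f")
    while :; do
        dmode=$(ls -ld "$d" | cut -c1-10)
        case "$dmode" in ?????w*)    echo "dir-group-writable $d $dmode" ;; esac
        case "$dmode" in ????????w*) echo "dir-world-writable $d $dmode" ;; esac
        if [ "$d" = / ] || [ "$d" = . ]; then break; fi
        d=$(dirname "$d")
    done
}

# Default path is the one used in this thread.
audit_secret_path "${1:-/etc/mail/authinfo}"
```
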
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

Sorry for the error. Message about world readable file was from another test I made. Message with the permission I told was:

Jan 6 14:20:41 rp3410 sm-mta[20494]: AUTH=client, error: can't open /etc/mail/authinfo: Permission denied

I'm looking forward the link you gave me.

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

Back...

I got it to pass this problem. Mostly by adding this line to sendmail.cf:
Kauthinfo hash -o /etc/mail/authinfo.db

Problem is now that I have following line in mail.log :
Jan 6 16:28:15 rp3410 sm-mta[25881]: o06FS1gO025878: AUTH=client, available mechanisms do not fulfill requirements

According to what I found on the web, I should not have AUTH=client, but my login instead of client.

Digging the docs... any help appreciated...

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Steven E. Protter
Exalted Contributor

Re: sendmail auth file permissions

Shalom,

You may find it easier to use sendmail.mc, or the HP-UX equivalent.

http://hpux.ws/buildmail.hpux.text

Note, looks like HP may have changed the name of the .mc file. You will have to alter the script to use that.

The .mc file is human readable and there is a lot of support for changes on it at http://www.sendmail.org

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
TTr
Honored Contributor

Re: sendmail auth file permissions

What is in the authinfo (and authinfo.db) file? Is it in the correct syntax?

What version of sendmail are you using?
TTr
Honored Contributor

Re: sendmail auth file permissions

Did you configure TLS and is sendmail starting it up?
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

Shalom SEP,

I have not looked at .mc files as long as it seems strange in HP-UX. But it should be possible to manage all this with .cf file.

TTr,

I have tried authinfo with almost all possible arrangements:
AuthInfo:server.name "I:ident" "P:passwd" "M:PLAIN LOGIN"
AuthInfo:server.name "U:root" "I:ident" "P:passwd" "M:LOGIN"
AuthInfo:server.name "U:root" "I:ident" "P:passwd" "M:PLAIN LOGIN"
AuthInfo:server.name:587 "U:root" "I=base64ident" "P=base64passwd" "M:PLAIN LOGIN"
...
and so on

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

TTr,

no, I didn't configure TLS.

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
TTr
Honored Contributor

Re: sendmail auth file permissions

I am thinking TLS might be a prerequisite for auth because without encryption, auth is pointless, hence the error message that you get. I don't have access to my external sendmail servers right now but see if these links can offer some help.
http://www.linuxquestions.org/questions/linux-software-2/sendmail-authentication-for-smarthost-relay-354488/ (note the sendmail version differences here)

http://www.linuxquestions.org/questions/linux-software-2/sendmail-seems-not-to-use-default-auth-info-367231/

http://www.docs.hp.com/en/5992-3190/ar01s06.html

Search for TLS here and elsewhere as well.
Sameer_Nirmal
Honored Contributor

Re: sendmail auth file permissions

Assuming Sendmail version is 8.13.3

Sendmail support of SMTP authentication is based on SASL. The system also needs to have OpenSSL. If LOGIN auth is needed, it needs to be added in the sendmail.cf file.


http://docs.hp.com/en/5991-6611/5991-6611.pdf
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

TTr,

I don't think TLS nor any encryption is needed. As a proof, have a look at this test I made on the same server (names have been changed to protect the innocents):
root@rp3410:/#telnet smtp.auth.myisp.com 587
Trying...
Connected to smtp.auth.myisp.com.
Escape character is '^]'.
220 smtp03.myisp.net ESMTP ISP; Wed, 6 Jan 2010 11:11:47 +0100
ehlo mydomain.com
250-smtp03.myisp.net Hello mail.mydomain.com [xxx.xxx.xxx.xxx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 21000000
250-DSN
250-AUTH PLAIN LOGIN
250-DELIVERBY
250 HELP
auth login
334 VXNlcm5hbWU6
myloginconvertedtobase64
334 UGFzc3dvcmQ6
mypassinbase64
235 2.0.0 OK Authenticated
MAIL FROM: root@mydomain.com
250 2.1.0 root@mydomain.com... Sender ok
RCPT TO: testaddress@elsewhere.fr
250 2.1.5 testaddress@elsewhere.fr... Recipient ok
data
354 Enter mail, end with "." on a line by itself
test message
.
250 2.0.0 o06ABl82003471 Message accepted for delivery
quit
221 2.0.0 smtp03.myisp.net closing connection
Connection closed by foreign host.

AUTH with LOGIN only consists of a kind of chat and conversion in base64 of authentication. I agree to tell it's not secured at all, and it's not the point. This kind of connection protects them from spammers, I think.

It reminds me of the times of 56k modems and dial-up connections...

My map file is used as long as this command gives me a good answer :
echo '/map authinfo AuthInfo:smtp.myisp.com' | /usr/sbin/sendmail -bt

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
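
Added example (not part of the thread): a shell function that reads an SMTP session transcript like the one in the post above and reports which AUTH mechanisms were advertised, what the 334 prompts decode to, and whether AUTH was sent before STARTTLS. The function names and the sample session are constructed for this example; it assumes a `base64` utility that accepts `-d`, and it treats any line starting with three digits as a server reply.

```shell
#!/bin/sh
# Constructed sample: a session with no STARTTLS and placeholder credentials
# ("login" / "pass" in base64). Host names follow the anonymised ones above.
sample_session() {
    cat <<'EOF'
220 smtp03.myisp.net ESMTP
ehlo mydomain.com
250-smtp03.myisp.net Hello
250-AUTH PLAIN LOGIN
250 HELP
auth login
334 VXNlcm5hbWU6
bG9naW4=
334 UGFzc3dvcmQ6
cGFzcw==
235 2.0.0 OK Authenticated
EOF
}

# audit_smtp_auth: hypothetical helper, reads a transcript on stdin.
audit_smtp_auth() {
    tls=0
    offered_tls=no
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            250-STARTTLS*|250\ STARTTLS*) offered_tls=yes ;;
            250-AUTH\ *|250\ AUTH\ *) echo "advertised: ${line#????}" ;;
            334\ *)
                b64=${line#334 }
                case "$b64" in
                    ''|*[!A-Za-z0-9+/=]*) ;;   # not clean base64: skip
                    *) echo "prompt: $(printf '%s' "$b64" | base64 -d)" ;;
                esac ;;
            [0-9][0-9][0-9]*) ;;               # any other server reply
            *)  # client line; a STARTTLS command is taken as TLS from here on
                cmd=$(printf '%s' "$line" | tr '[:lower:]' '[:upper:]')
                case "$cmd" in
                    STARTTLS) tls=1 ;;
                    AUTH\ *) if [ "$tls" -eq 0 ]; then
                                 echo "finding: $cmd sent without STARTTLS"
                             fi ;;
                esac ;;
        esac
    done
    echo "starttls-offered: $offered_tls"
}

sample_session | audit_smtp_auth
```

Only the server's 334 prompts are decoded; the client's credential lines are never printed.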
Fred Ruffet
Honored Contributor

Re: sendmail auth file permissions

Sameer,

Yes I have upgraded sendmail to 8.13.3 in order to implement AUTH. sendmail.cf has been modified this way, but I may miss a point in configuration... And even looking at docs, I don't know what point.

Regards,

Fred


--

"Reality is just a point of view." (P. K. D.)