Sendmail and smtp-auth against passwd

Vince jhary at unsane.co.uk
Mon Nov 27 03:03:42 PST 2006


Matthias Fechner wrote:
> Hi,
> 
> I tried to get smtp-auth against passwd working but it is not
> working. I must add users with saslpasswd2 to the sasldb but I want to
> auth my smtp users with their "normal" password without the need to
> add them to an additional db.
> 
> What I did is:
> Installed sasl2authd from the ports.
> 
> /etc/make.conf:
> # Add SMTP AUTH support to Sendmail
> SENDMAIL_CFLAGS+=   -I/usr/local/include -DSASL=2
> SENDMAIL_LDFLAGS+=  -L/usr/local/lib
> SENDMAIL_LDADD+=    -lsasl2
> # Enable smtps for sendmail
> SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
> SENDMAIL_MILTER_IN_BASE=yes
> And recompiled sendmail in base.
> 
> Edit /usr/local/lib/sasl2/Sendmail.conf:
> pwcheck_method: saslauthd
> 
> Enabled saslauth in rc.conf and start it:
> saslauthd_enable="yes"
> saslauthd_flags="-a getpwent"
> 
> Edited my .mc file:
> dnl Enable smtp-auth
> FEATURE(`authinfo')
> define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
> define(`confAUTH_MECHANISMS',`LOGIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl
> define(`confRUN_AS_USER',`root:mail')dnl
> 
> But it seems to me that sendmail isn't using saslauthd; instead it uses
> the sasldb directly, so all the things I configured in sasl2authd are useless.
> 
> Has someone smtp-auth with sendmail against passwd running?
> 
Hmm, I used the sendmail from ports, due to laziness (and at the time I
wasn't too familiar with FreeBSD's /etc/make.conf), but your config looks
ok. Also, I use 6.x and at one point was using nss_ldap, so I use PAM,
which has the same effect as you are intending; it might be worth your
while trying that too.

.mc file
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')

Because of this (the PLAIN bit) I also enabled SSL (self-signed, but who
cares here; it's just so the passwords don't go in cleartext).

dnl ### do STARTTLS
define(`confCACERT_PATH', `/usr/local/certs')dnl
define(`confCACERT', `/usr/local/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/usr/local/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/usr/local/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/usr/local/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/usr/local/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl

The sasl side:
root at lobster
(10:50:35 <~>) 0 # cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd

/etc/rc.conf
#sasl auth for sendmail etc
saslauthd_enable="YES"

This allows sasl2authd to use the default flags of
-a pam

I also have the following file in /etc/pam.d/

root at lobster
(10:54:55 <~>) 0 # more /etc/pam.d/sendmail

# auth
#auth           required        pam_nologin.so          no_warn
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
#auth           sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
account         required        pam_unix.so
session         required        pam_unix.so

(excuse linewrap)
This works fine for me.
Good luck
Vince

> Best regards,
> Matthias
> 
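Added example, not from the original thread: the setup above offers LOGIN and PLAIN and relies on SSL so the password does not cross in the clear, but sendmail will still offer those mechanisms on a cleartext listener before STARTTLS unless confAUTH_OPTIONS carries the `p' flag. This linter (assumed names: parse_defines, audit_auth, and the constructed MC_* samples) reads a .mc file and reports that gap.

```python
"""Lint a sendmail .mc so PLAIN/LOGIN passwords are never usable before TLS.

Assumption (sendmail cf/README): the `p' flag in confAUTH_OPTIONS makes
sendmail refuse password-exposing mechanisms (PLAIN, LOGIN) unless a
security layer such as STARTTLS is already active on the connection.
"""
import re

# sendmail .mc lines use m4 quoting: define(`NAME', `VALUE')dnl
DEFINE_RE = re.compile(r"define\(\s*`(\w+)'\s*,\s*`([^']*)'\s*\)")
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_defines(text):
    """Map every define()d macro in the .mc to its value, ignoring dnl comments."""
    defines = {}
    for raw in text.splitlines():
        line = re.sub(r"\bdnl\b.*$", "", raw)  # dnl starts an m4 comment
        m = DEFINE_RE.search(line)
        if m:
            defines[m.group(1)] = m.group(2)
    return defines


def audit_auth(text):
    """Return a list of findings; an empty list means the AUTH/TLS mix is sound."""
    defines = parse_defines(text)
    mechs = set(defines.get("confAUTH_MECHANISMS", "").split())
    auth_opts = defines.get("confAUTH_OPTIONS", "")   # single-letter flags
    has_tls = "confSERVER_CERT" in defines and "confSERVER_KEY" in defines
    weak = ", ".join(sorted(mechs & PLAINTEXT_MECHS))
    findings = []
    if weak and not has_tls:
        findings.append("%s offered but no server cert/key: passwords cross in cleartext" % weak)
    elif weak and "p" not in auth_opts:
        findings.append("%s usable before STARTTLS: add `p' to confAUTH_OPTIONS" % weak)
    return findings


# Constructed sample: the AUTH + STARTTLS fragment from the thread, without `p'.
MC_AS_POSTED = """\
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
dnl ### do STARTTLS
define(`confSERVER_CERT', `/usr/local/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/usr/local/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl
"""
MC_HARDENED = MC_AS_POSTED + "define(`confAUTH_OPTIONS', `A p')dnl\n"

if __name__ == "__main__":
    print(audit_auth(MC_AS_POSTED), audit_auth(MC_HARDENED))
```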