Sendmail and smtp-auth against passwd
Vince
jhary at unsane.co.uk
Mon Nov 27 03:03:42 PST 2006
Matthias Fechner wrote:
> Hi,
>
> I tried to get smtp-auth against the passwd working but it is not
> working. I must add users with saslpasswd2 to the sasldb but I want to
> auth my smtp users with their "normal" password without the need to
> add them to an additional db.
>
> What I did is:
> Installed sasl2authd from the ports.
>
> /etc/make.conf:
> # Add SMTP AUTH support to Sendmail
> SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
> SENDMAIL_LDFLAGS+= -L/usr/local/lib
> SENDMAIL_LDADD+= -lsasl2
> # Enable smtps for sendmail
> SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
> SENDMAIL_MILTER_IN_BASE=yes
> And recompiled sendmail in base.
>
> Edit /usr/local/lib/sasl2/Sendmail.conf:
> pwcheck_method: saslauthd
>
> Enabled saslauth in rc.conf and start it:
> saslauthd_enable="yes"
> saslauthd_flags="-a getpwent"
>
> Edited my .mc file:
> dnl Enable smtp-auth
> FEATURE(`authinfo')
> define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
> define(`confAUTH_MECHANISMS',`LOGIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl
> define(`confRUN_AS_USER',`root:mail')dnl
>
> But it seems to me that sendmail isn't using saslauth; instead it uses
> the sasldb directly, so all the things I configured in sasl2authd are useless.
>
> Has someone smtp-auth with sendmail against passwd running?
>
Hmm, I used the sendmail from ports, due to laziness (and at the time I
wasn't too familiar with FreeBSD's /etc/make.conf), but your config looks
OK. Also, I use 6.x and at one point was using nss_ldap, so I use PAM,
which has the same effect as you are intending; it might be worth your
while trying that too.
.mc file:
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
Because of this (the plain bit) I also enabled SSL (self-signed, but who
cares here; it's just so the passwords don't go in cleartext):
dnl ### do STARTTLS
define(`confCACERT_PATH', `/usr/local/certs')dnl
define(`confCACERT', `/usr/local/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/usr/local/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/usr/local/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/usr/local/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/usr/local/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl
The sasl side:
root at lobster
(10:50:35 <~>) 0 # cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd
/etc/rc.conf
#sasl auth for sendmail etc
saslauthd_enable="YES"
This allows sasl2authd to use the default flags of
-a pam
I also have the following file in /etc/pam.d/
root at lobster
(10:54:55 <~>) 0 # more /etc/pam.d/sendmail
# auth
#auth required pam_nologin.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
account required pam_unix.so
session required pam_unix.so
(excuse linewrap)
This works fine for me.
Good luck
Vince
> Best regards,
> Matthias
>
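
Added example, not part of the original thread or of the sendmail or Cyrus SASL projects: saslauthd is handed a plaintext password, so it can only back PLAIN and LOGIN, while CRAM-MD5 and DIGEST-MD5 need the stored secret from sasldb. The script below audits a `.mc` file and `Sendmail.conf` for that split and for plaintext mechanisms not restricted to TLS by the `p` flag of `confAUTH_OPTIONS`. The function names and sample inputs are constructed for illustration.

```python
import re

# Cyrus SASL: saslauthd receives a plaintext password, so it can only back
# PLAIN and LOGIN. CRAM-MD5/DIGEST-MD5 need the stored secret (auxprop, sasldb).
PLAINTEXT = {"PLAIN", "LOGIN"}
SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5"}

def mc_define(mc_text, name):
    """Value of define(`name', `value') in a sendmail .mc file, or None."""
    pat = r"define\(\s*`" + re.escape(name) + r"'\s*,\s*`([^']*)'\s*\)"
    # Ignore lines commented out with a leading m4 'dnl'.
    live = "\n".join(ln for ln in mc_text.splitlines()
                     if not ln.lstrip().startswith("dnl"))
    m = re.search(pat, live)
    return m.group(1) if m else None

def sasl_option(conf_text, key):
    """Value of 'key: value' in a Cyrus SASL application config, or None."""
    for line in conf_text.splitlines():
        k, sep, v = line.partition(":")
        if sep and k.strip() == key:
            return v.strip()
    return None

def audit(mc_text, sasl_conf_text):
    """Report which backend each offered mechanism needs, plus findings."""
    mechs = (mc_define(mc_text, "confAUTH_MECHANISMS") or "").split()
    opts = re.split(r"[\s,]+", mc_define(mc_text, "confAUTH_OPTIONS") or "")
    plain = [m for m in mechs if m in PLAINTEXT]
    secret = [m for m in mechs if m in SHARED_SECRET]
    findings = []
    if sasl_option(sasl_conf_text, "pwcheck_method") == "saslauthd" and secret:
        findings.append("sasldb still required for: " + " ".join(secret))
    if plain and "p" not in opts:
        findings.append("not restricted to TLS (no 'p'): " + " ".join(plain))
    return {"saslauthd": plain, "sasldb": secret, "findings": findings}

# Constructed samples modelled on the configurations discussed in this thread.
SASL_CONF = "pwcheck_method: saslauthd\n"
MC_MIXED = "define(`confAUTH_MECHANISMS',`LOGIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl\n"
MC_PLAIN_TLS_ONLY = (
    "define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl\n"
    "define(`confAUTH_OPTIONS', `A p')dnl\n"
)

if __name__ == "__main__":
    for label, mc in (("mixed", MC_MIXED), ("plain, TLS only", MC_PLAIN_TLS_ONLY)):
        print(label, audit(mc, SASL_CONF))
```
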
More information about the freebsd-questions
mailing list