Date: Tue, 2 Dec 2003 16:14:23 +0100
From: Simon Barner
To: Dan Strick
Cc: freebsd-questions@freebsd.org, dan@mist.nodomain
Subject: Re: sendmail and SMTP client-side authentication
Message-ID: <20031202151423.GD618@zi025.glhnet.mhn.de>
In-Reply-To: <200312020802.hB282549000478@mist.nodomain>

> AuthInfo:mail.covad.net "U:userid" "P:password"
>
> (of course "userid" and "password" are not the real values).
>
> When my sendmail connects to the email relay, the email relay says
> (in SMTP speak):
>
> 250-covad.net
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN

Perhaps the remote site does not allow the PLAIN authentication method.
When I performed my research for the sendmail tutorial at
http://home.leo.org/~barner/freebsd/articles/mailsetup/article.html, I
found that the following works for me:

AuthInfo:external.mail.server "U:remoteuser" "I:remoteuser" "P:secret" "R:external.mail.server" "M:DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"

> but there is no obvious exchange of authentication information
> and my ISP's email relay sometimes rejects my attempts to submit
> email for relay. This is a typical SMTP rejection message:
>
> 553 sorry, that domain isn't allowed to be relayed thru this MTA (#5.7.1)
>
> Sometimes my email gets through. I don't know why.

That's very strange indeed. Do you get more valuable information in the
maillog when you increase sendmail verbosity level:

define(`confLOG_LEVEL', `15')

> When I send email via Netscape, Netscape does authenticate itself
> to the email relay.
>
> Note: I did do a "make sendmail.cf" in /etc/mail after changing
> the .mc file and I did restart the sendmail daemons before sending
> the rejected email. The authinfo file belongs to root:wheel and
> has mode 640. I also tried it with mode 644 just in case. I also
> tried creating the file /etc/mail/access with the same contents and
> doing "makemap hash /etc/mail/access". The sendmail.mc file
> contains the standard line:
>
> FEATURE(access_db, `hash -o -T /etc/mail/access')

I figured out that you apparently need to stop and restart sendmail in
order to apply your SASL changes. IIRC this is because SASL is provided
by an external library that has the named behavior. So, "make install
stop start" might work for you.

> Can someone who knows how this is supposed to work help me out?
>
> Is there an SMTP authentication protocol that protects the
> authentication information from network snoopers?

Yes, everything apart from M$'s PLAIN method will perform some sort of
encryption. If your mail relay supports SSL/TLS, you should definitely
rebuild your sendmail installation with the support for it, since some
of the authentication protocols don't use real encryption but only
scramble the login handshake a bit. If sendmail is aware of TLS, it will
automatically make use of it if it's available on the remote end.

Simon
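
Added example, not part of the original message: a Python sketch that checks the EHLO reply quoted in this thread against the M: list of an AuthInfo entry and reports which shared mechanisms would put the password on the wire in recoverable form (PLAIN and LOGIN are only base64-encoded) when STARTTLS is not advertised. The function names are hypothetical, and the sketch assumes the client negotiates STARTTLS whenever the server offers it.

```python
import re
import shlex

# PLAIN and LOGIN transmit the password itself, base64-encoded (not encrypted).
PASSWORD_ON_WIRE = {"PLAIN", "LOGIN"}

# EHLO reply lines and AuthInfo entry as quoted in the message above.
PAGE_EHLO = "250-covad.net\n250-AUTH LOGIN PLAIN\n250-AUTH=LOGIN PLAIN\n"
PAGE_AUTHINFO = ('AuthInfo:external.mail.server "U:remoteuser" "I:remoteuser" '
                 '"P:secret" "R:external.mail.server" '
                 '"M:DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"')

def parse_ehlo(reply):
    """Return (advertised AUTH mechanisms, STARTTLS advertised?)."""
    mechs, starttls = set(), False
    for line in reply.splitlines():
        m = re.match(r"250[- ](.*)", line.strip())
        if not m:
            continue
        keyword = m.group(1).strip().upper()
        if keyword == "STARTTLS":
            starttls = True
        elif keyword.startswith(("AUTH ", "AUTH=")):  # both spellings occur
            mechs.update(keyword[5:].split())
    return mechs, starttls

def parse_authinfo(entry):
    """Split an AuthInfo line into (host, {field letter: value})."""
    tokens = shlex.split(entry)
    host = tokens[0].split(":", 1)[1]
    fields = {t[0]: t[2:] for t in tokens[1:] if t[1:2] == ":"}
    return host, fields

def assess(ehlo_reply, authinfo_entry):
    """Report shared mechanisms and those exposing the password to a sniffer."""
    offered, starttls = parse_ehlo(ehlo_reply)
    host, fields = parse_authinfo(authinfo_entry)
    # Assumption of this sketch: an entry without M: accepts anything offered.
    allowed = fields.get("M", "").upper().split() or sorted(offered)
    usable = [m for m in allowed if m in offered]
    # Assumption: STARTTLS, when advertised, is actually negotiated before AUTH.
    exposed = [] if starttls else [m for m in usable if m in PASSWORD_ON_WIRE]
    return {"host": host, "usable": usable, "starttls": starttls,
            "password_exposed": exposed}

if __name__ == "__main__":
    print(assess(PAGE_EHLO, PAGE_AUTHINFO))
```

For the reply quoted in this thread the shared mechanisms are LOGIN and PLAIN only, so the DIGEST-MD5 and CRAM-MD5 entries in the M: list are never used against that relay.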