How to set up SMTP AUTH

Last Update February 21, 2004

What is this?

This is a simple "how to." This is for anyone out there who has ever wanted to simply add authentication to sendmail. All this page will do is show you one way to configure sendmail and Cyrus SASL libraries to set up a mail server that requires client authentication to send e-mail. This is not a detailed tutorial of either sendmail nor Cyrus SASL. For more detailed sendmail help, I strongly recommend going to the Official Sendmail Website or the comp.mail.sendmail newsgroup. For more in-depth discussion of SMTP AUTH with sendmail, try http://www.sendmail.org/~ca/email/auth.html.

It's somewhat ironic that I recommend that latter site (http://www.sendmail.org/~ca/email/auth.html). It was because of this site that I decided to write this site. Anyone I talked to about SMTP AUTH referred me to this site. I mean absolutely no disrespect to Claus Aßmann, but I read and re-read this site many times. It was only marginally helpful.

To Claus' credit, I ascribe the reason that it was only marginally helpful to the fact that I was unfamiliar with Cyrus SASL and only at a beginner-to-intermediate level with sendmail. Claus is clearly a sendmail guru of highest degree. This page is submitted as an SMTP AUTH Guide for the Rest of Us. At the simplest level, this is simply "What I Did."

So,... what are you assuming?

If this is just about what I did, I used the following ingredients:

Get to the point, will ya?!

Okay, okay! What I set out to do was to set up sendmail to use SMTP authentication to allow users to relay mail on my server. I run a family server, and my family is spread out over several ISPs. Allowing relays based on IP addresses wasn't really practical (especially since most of them were dial-up). For simplicity, I wanted to use the same username and password accounts that my family uses to access their mail (via POP3). These accounts are just the standard /etc/passwd and /etc/shadow logon accounts (using, say, useradd to have created them). I didn't want to try anything fancy (say, SSL, or anything like that). I wanted simple.

This is how I did it:

Step 1 - Check to see what's already installed

At this point, I had already installed SuSE Linux 7.3 (with the 2.4.22 kernel) on the machine I was working on. I had also installed db 3.1.17. I mention the Berkeley DB because this has come up in a couple of e-mails. I swear that I read somewhere in my mad pursuit of this project that Berkely DB 4.x does not play nice with cyrus-sasl 1.5.28. I can't find this now. If anyone out there has a reference URL for me, let me know. Anyway, I didn't realize that this had an affect on my install, but it appers to have had. I did not compile the source for this. I simply installed the db-3.1.17 RPM (as well as the db-devel-3.1.17) RPM that came with SuSE. I'm sure you could download the source and compile it, but I'm not sure where to get that, and I've never done it before.

The key here is, don't use Berkeley DB 4.x with the other product versions I've mentioned. I can't verify where I read this, but I'm pretty sure, without doing any kind of special patching, it won't work.

Also, check your version of GCC. According Lawrence Sheed, Cyrus-SASL does not compile properly with gcc version 3.2 (which comes with RedHat 8). He succeeded by upgrading to gcc 3.2.2. I used gcc 2.95.3 (the version that comes with SuSE Linux 7.3).

Step 2 - Build the Cyrus SASL libraries

Download the source for the last version of the Cyrus SASL 1.x libraries (yes, the 2.x libraries are out, but I didn't use those; as I understand it, without additional tricks, the 2.x libraries are not compatible). This can be done at ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-1.5.28.tar.gz

Again, I put the cyrus-sasl-1.5.28.tar.gz file in /usr/local/src. I then extracted the archive by typing tar xzvf cyrus-sasl-1.5.28.tar.gz

I entered the archive - cd /usr/local/src/cyrus-sasl-1.5.28 - and I followed the steps specified in the INSTALL file. The important element here is that AUTH LOGIN functionality is not included by default (A big thank you goes to Ken Murchison from the comp.mail.sendmail newsgroup for pointing this fact out to me). This is important because Microsoft Outlook and Entourage cannot use AUTH PLAIN or any of the other default methods. I configured it with this command:

./configure --prefix=/usr --enable-login
I chose the /usr prefix so that it would install the libraries in /usr/lib/sasl (which is where SuSE normally installs them). I originally tried using an RPM from SuSE to install the Cyrus SASL libraries, but again, the RPM's compilation does not support AUTH LOGIN either.

I finished the compilation by typing these two commands:

make
make install

Step 3 - Set up sendmail

Download the source for the latest version of sendmail. This can easily be done via ftp at ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz.

I put the sendmail.8.12.10.tar.gz file in /usr/local/src. I then extracted the archive by typing tar xzvf sendmail.8.12.10.tar.gz

I entered the archive - cd /usr/local/src/sendmail-8.12.10 - and I followed the steps specified in the INSTALL file.

First you need to create a site.config.m4 file. This is just a text file that you can create with whatever editor you like (vi, pico, emacs, etc.). With whatever you put in there, you will at the very least need to add these lines:

APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl')


Notice the strange way that the quotes are used. They are single quotes, but there are actually open (`) and close (') quotes. The open quote is to the left of the "1" key on most keyboards. The close quote is to the right of the ":" key on most keyboards. I saved this file in /usr/local/src/sendmail-8.12.10/devtools/Site/

Second, you need to build sendmail. I did this by typing:

cd /usr/local/src/sendmail-8.12.10/sendmail
sh Build


Remember, if you're rebuilding sendmail, type sh Build -c

Third, I created a sendmail.mc file. I'll let you read up at sendmail.org as far as what should be added to this file, but you must have these three lines in there:

define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl


Fourth, I built the sendmail config files by typing:

cd ../cf/cf
sh Build sendmail.cf


Fifth, I installed the sendmail config files by typing sh Build install-cf

Lastly, I installed sendmail by typing:

cd /usr/local/src/sendmail-8.12.10/sendmail
sh Build install


One more note, you should not have sendmail configured to run as an unprivileged user for this configuration. Sendmail typically defaults to run as root, which, for this situation, will be fine. If you really want to run sendmail as a different user, you will need to make sure that this user has privileges to read the /etc/shadow file. Thanks to Ryan Alder for making a note of this.

Step 4 - Configure the SASL libraries for sendmail

Here, you need to create a configuration file for SASL. Once again, use your favorite text editor. This file needs to be named Sendmail.conf (notice the capital 'S'; that's deliberate), and it must be placed in your SASL libraries directory. In my compile, this directory was /usr/lib/sasl. If you didn't specify a prefix when you compiled SASL, they are likely to have been put in /usr/local/lib/sasl.

The Sendmail.conf only needs one line:

pwcheck_method: shadow

Step 5 - Try it out

If you haven't already, start (or restart) sendmail. You're now ready to try authenticating to send mail. I typically used my e-mail clients in my situation. Both Outlook Express and Entourage allow you to set up SMTP authentication by choosing Accounts from the Tools menu. In the Accounts window, double-click on the account you wish to change. In the Edit Account window at the bottom is the Sending mail section. You will have already entered your mail server's name or IP address in the SMTP server: field. Click on the "button" that says Click here for advanced sending options.

In the sub-window that appears, click on the check box entitled "SMTP server requires authentication." For convenience, click on the radio button that says "Use same settings as receiving mail server." Then, click back in the Edit Account window, and click "OK" to save your changes. Feel free to close the Accounts window at this point.

Now, send a message from your client. If it reaches its destination, life is good. If it doesn't, check your logs (for me, it is /var/log/mail).

You can also try to test it manually. Here is a dialog from my system (properly garbled for security reasons). The green text is what you would type. The blue text is what the server displays.

> telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 something.fake ESMTP Sendmail 8.12.10/8.12.10/SuSE Linux 0.6; Wed, 2 Apr 2003 15:13:01 -0700

EHLO localhost
250-something.fake Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP

AUTH LOGIN
334 VXNlcm5hbWU6
a4msl9ux
334 UGFzc3dvcmQ6
ZvVx9G1hcg==
235 2.0.0 OK Authenticated
MAIL FROM: me@something.fake
250 2.1.0 me@something.fake... Sender ok
RCPT TO: you@nowhere.land
250 2.1.5 you@nowhere.land... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
This is a test
.

250 2.0.0 h12MD1qV026715 Message accepted for delivery
QUIT
221 2.0.0 something.fake closing connection
Connection closed by foreign host.


The line a4msl9ux is a user name encoded in Base64. Likewise, the line ZvVx9G1hcg== is the password to that account also encoded in Base64. As most people don't know their usernames or passwords encoded in Base64 off the top of their heads, you can either use ed64 by downloading the contents of that link and compiling it with cc -o ed64 ed64.c OR you can simply go to the Base64 Encoder and Decoder web page and use their interface (Major thanks go to Bryan Halvorson for finding this information for me, and for not giving up on me).

If you really want to just use your client, though, you can watch this same output by stopping sendmail and starting it using these tags:

sendmail -O LogLevel=14 -bd -X /tmp/output.log

(A grand round of applause is due to Claus Aßmann for giving me this information)

If you use this method, you'll want to stop sendmail after you've tried to send from your client (and start it up again the way you normally would, if you want). This generates a log file located at /tmp/output.log and it should show a very similar output to the manual example I gave earlier.

Final thoughts

If you still need help, feel free to e-mail me. Personally, I don't feel that I would be nearly as big a help as the comp.mail.sendmail newsgroup, but I would be happy to help where I can.

If you notice any spelling or grammatical errors, please e-mail me. I'm fairly anal about such things, and would like to keep this looking good.

If you notice any technical errors in my data, please e-mail me, but keep in mind that I never intended this to be an all-encompassing tutorial. These may not be appropriate instructions for someone running, say, Solaris 2.5 and sendmail 8.8. I specified precisely what I used, and it works. That's the only certification you get.

I don't want any lectures about features that are available that I didn't talk about. I didn't talk about them for a reason. I either don't know how to use them or don't care to know how to use them.

I don't want any lectures about security. AUTH LOGIN uses Base64 encoding to transfer the username and password. Is this as secure as, say, SSL? Absolutely not. Is it better than setting up sendmail as an open relay? Absolutely! Besides, as I alluded earlier, my users also use POP3 to retrieve their e-mail which, of course, sends their username and password information in clear text, so the security of the Base64 encoding for my SMTP AUTH is the least of my concerns.

I don't want any religious lectures (e.g., sendmail vs. postfix, MacOS vs. Windows, etc.). You may think that you can convince me of the "errors of my ways," but the fact that you should keep in mind is: I don't care. Save your rants for your website.

Lastly, I sincerely hope that this helps people to lock down their sendmail servers. I am a great loather of spam, and I will do anything that I can to help eliminate the proliferation of such garbage. I hope that there is at least one person that found this useful, and that this saves someone the month-long struggle that I endured.


Copyright © Jon Fullmer