Enable SMTP-Auth for sendmail?!



mythorth
08.11.05, 10:52
So,

my first post here. I don't really have much of a clue about Linux, but I would like to make sendmail at least minimally secure and enable authentication, since it is currently switched off. I have now entered the value plain under "SMTP_AUTH_SERVER" and "SMTP_AUTH_MECHANISM" in etc/sysconfig/sendmail and run SuSEconfig --module sendmail, as a tutorial said to do. After that I started the test of whether it works with "telnet localhost 25"; according to the tutorial, 250-AUTH PLAIN LOGIN should then appear somewhere, but that doesn't show up for me; instead, a telnet connection is established.

Here is the link to the tutorial:
http://portal.suse.de/sdb/de/2003/10/sendmail_smtp_auth_server.html

It would be nice if someone could give me a hand here, because apart from typing in tutorials I have no idea how to get this running... thanks in advance!

RichieX
08.11.05, 16:28
A telnet connection is always established. What is the output when you type "EHLO localhost" in the telnet session?

mythorth
09.11.05, 19:45
well, I was apparently too dumb to read in the tutorial that you also have to enter that command to get the output; I have done that now and got:


250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DNS
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250-HELP

I then tried to send a mail and it still works without authentication; all I changed was turning SMTP_AUTH_SERVER="" into SMTP_AUTH_SERVER="plain" in etc/sysconfig/sendmail.

How do I proceed now to fully enable authentication so that not just anyone can send mail through the server?

Huge thanks in advance!

mythorth
09.11.05, 19:53
by the way, the directory usr/lib/sasl doesn't exist on my system, so I can't follow the tutorial exactly and I'm stuck again

RichieX
10.11.05, 09:28
You should definitely have cyrus-sasl installed, though. Please check with "rpm -qa|grep sasl" whether that is the case.

Otherwise it depends on what is in your /etc/mail/access. From where are you trying to send with/without auth; from a client or from the server itself?

mythorth
10.11.05, 10:43
well, the input "rpm -qa|grep sasl" now gave "cyrus-sasl2-2.1.12-36" as output.

I sent my test mail from a client that is still configured for SMTP without authentication.

In my /etc/mail/access there are lots of comments at the top; only one line is not commented out with ', and it says:

127 RELAY

So how do I continue? THANKS again!

RichieX
10.11.05, 12:11
So sasl is installed, at least. The line in access means that only mails sent from localhost (i.e. only locally) are accepted without authentication. Accordingly, the client should have to authenticate. For further analysis of why that isn't the case, one would need the sendmail.mc. Just post it.

mythorth
19.11.05, 17:33
sorry for the dumb question, but where do I find the sendmail.mc?

RichieX
20.11.05, 14:43
Under /etc/mail/

mythorth
23.11.05, 21:52
well, there is no sendmail.mc there; here is the file list from etc/mail:

http://www.in-car-dvd.de/Daten/privat/mailfolder.jpg

should I post the contents of any of the files? I'd like to get this done so I can be sure nobody is using my server to distribute mail ;-)

THANKS in advance

RichieX
24.11.05, 18:38
Well then, let's try the linux.mc. Show it to us.

mythorth
24.11.05, 22:26
include(`/usr/share/sendmail/m4/cf.m4')


That is the first line of the Linux.mc; am I right in assuming that the cf.m4 is therefore the interesting one?

Here is the cf.m4; if the linux.mc is still needed I'll gladly post that too, but it's long


divert(-1)
#
# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers.
# All rights reserved.
# Copyright (c) 1983, 1995 Eric P. Allman. All rights reserved.
# Copyright (c) 1988, 1993
# The Regents of the University of California. All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

#
# This file is included so that multiple includes of cf.m4 will work
#

# figure out where the CF files live
ifdef(`_CF_DIR_', `',
`ifelse(__file__, `__file__',
`define(`_CF_DIR_', `../')',
`define(`_CF_DIR_',
substr(__file__, 0, eval(len(__file__) - 8)))')')

divert(0)dnl
ifdef(`OSTYPE', `dnl',
`include(_CF_DIR_`'m4/cfhead.m4)dnl
VERSIONID(`$Id: cf.m4,v 8.32 1999/02/07 07:26:14 gshapiro Exp $')')


THAAAANKS!

RichieX
25.11.05, 11:35
The linux.mc would still be interesting.

mythorth
25.11.05, 11:40
include(`/usr/share/sendmail/m4/cf.m4')
divert(0)dnl
VERSIONID(`@(#)Setup for SuSE Linux 8.12.3-0.4 (SuSE Linux) 2002/01/14')
dnl
dnl This is the default configuration for SuSE Linux.
dnl See `/usr/share/sendmail/ostype/suse-linux.m4' and take a look
dnl into `/usr/share/sendmail/README' for more information.
dnl
dnl The suse-linux.m4 enables the FEATUREs mailertable, genericstable,
dnl virtusertable, and access_db. Just look to those file for some
dnl examples. They are stored in `/etc/mail/'. If you have changed
dnl one or more files you should run SuSEconfig or generate the
dnl `.db' files by hand (see /sbin/conf.d/SuSEconfig.sendmail).
dnl
dnl NOTE: YOU HAVE TO CHANGE THE CONFIGURATION TO FIT YOUR NEEDS
dnl BEFORE ACTIVTING SOME OF THESE EXAMPLES!
dnl
OSTYPE(`suse-linux')dnl
dnl
dnl By default the MSA (Message Submission Agent) daemon is disabled on
dnl SuSE Linux. If you want to use this service enabled the following.
dnl
dnl DAEMON_OPTIONS(`Port=587,Name=MSA,M=E')dnl
dnl
dnl Do not send MIME error messages
dnl
dnl define(`confMIME_FORMAT_ERRORS', `False')dnl
dnl
dnl If you have a modem and you use dial on demand, specify the time
dnl until you have a working connection. Sendmail will then retry to
dnl establish a connection.
dnl
dnl define(`confDIAL_DELAY', `10s')dnl
dnl
dnl Timeout before a warning message is sent to the sender telling them
dnl that the message has been deferred. The FEATURE(dialup) will
dnl overwrite this.
dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl
dnl Timeout before a message is returned as undeliverable
dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl
dnl If you have lots of users, you might want to add "restrictmailq" and
dnl "restrictrunq", but normally they can be left out. "authwarnings"
dnl warns about all people that e.g. use "sendmail -bs" and adds
dnl `X-Authentication-Warning:' headers. Pine users might want to disable this.
dnl "noreceipts" disables DSN (Delivery Status Notification) and ignores all
dnl `Return-Receipt-To:' headers even if `confRRT_IMPLIES_DSN' is `true'.
dnl For service provider using ETRN on port 25 the noetrn could be removed.
dnl
dnl define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,novrfy,noexpn,noetrn,noverb')dnl
dnl
dnl These users given in `/etc/mail/trusted-users' are allowed to modify
dnl the email sender address.
dnl
dnl FEATURE(`use_ct_file')dnl
dnl
dnl You can specify a smart host either here or in `/etc/mail/mailertable'
dnl
dnl define(`SMART_HOST', `smtp:mail.smarthost.other.domain')dnl
dnl define(`SMART_HOST', `uucp-dom:otheruucphost')dnl
dnl define(`MAIL_HUB', `smtp:host.your.domain')dnl
dnl define(`LOCAL_RELAY', `smtp:host.your.domain')dnl
dnl
dnl Redirect all email to unknown people to Postmaster.
dnl
dnl define(`LUSER_RELAY', `local:postmaster')dnl
dnl
dnl Enable the following SuSE FEATURE, if you have a expensive
dnl dialup connection for SMTP and want to queue all email until
dnl `sendmail -q' is started.
dnl
dnl FEATURE(`expensive')dnl
dnl
dnl This is used for dial-on-demand connections where we don't want to
dnl trigger a connection just for a DNS query.
dnl Sendmail will give all hostnames to your DNS server and replace the
dnl names with the FQDN ones. As nearly all email-programs use the full
dnl hostname and you will probably also just use full hostnames as
dnl destination addresses, you could disable `nocanonify'. With `nodns'
dnl you should declare the local, the mail hub, the smart, and the mail
dnl relay host with their IP addresses and the corresponding Full Qualified
dnl Domain Names (in short FQDN which means hostname.domain) /etc/hosts.
dnl Do NOT use this together with anti-spam FEATUREs.
dnl
dnl FEATURE(`nocanonify')dnl
dnl HACK(`nodns')dnl
dnl
dnl The following FEATURE provides the possibility to avoid further
dnl dialups. The delivery mode is defer (postpone) therefore this
dnl FEATURE should NOT be used in combination with anti-spam FEATUREs.
dnl Note, that this FEATURE needs the FQDN as stored in /etc/HOSTNAME
dnl read into the variable FQHOSTNAME. Therefore replace myhost.newdomain.notused!
dnl
dnl FEATURE(`dialup', `myhost.newdomain.notused')dnl
dnl
dnl This is a NO NO and only suitable in real intranet. This because
dnl it `provides' a mail really for spam mails even if your local host
dnl is connected over a dialup line. To avoid this miss-FEATURE you
dnl should enable FEATURE(`use_cw_file') and declare the hosts to accept
dnl in `/etc/mail/local-host-names'.
dnl Do NEVER use this together with anti-spam FEATUREs or being connected
dnl to the Internet.
dnl
dnl FEATURE(`promiscuous_relay')dnl
dnl
dnl Sendmail only accepts emails as local that use the FQDN. If you want
dnl to accept further hostnames as local email, add them here or put
dnl them into the `/etc/mail/local-host-names' file.
dnl
dnl FEATURE(`use_cw_file')dnl
dnl
dnl This FEATURE enables (open)ldap and requires some arguments. For
dnl information see http://www.stanford.edu/~bbense/ldap/. Note that this
dnl FEATURE define a map `ldap' and expand the AliasFile with `sequence:ldap'.
dnl We choose an other name for the proposed map name `luser' (see URL) to
dnl avoid conflicts with LUSER_RELAY. The necessary change in rule S5 is
dnl already done and will be enabled by this FEATURE.
dnl
dnl FEATURE(`ldap', `place_here_your_configuration')dnl
dnl
dnl The ldap_routing FEATURE is part of the official sendmail since 8.10.0.
dnl You'll find a description in /usr/share/sendmail/README at `LDAP ROUTING'.
dnl You've to replace example.notused, mailHostdefine, mailRoutingAddressdefine,
dnl and bounce argument if not `passthru' with your're own configuration.
dnl
dnl define(`confLDAP_DEFAULT_SPEC', `-h mailHost')dnl
dnl LDAPROUTE_DOMAIN(`example.notused')dnl
dnl FEATURE(`ldap_routing', dnl
dnl `ldap -1 -v mailHost -k (&(objectClass=inetLocalMailRecipient) (mailLocalAddress=%0))', dnl
dnl `ldap -1 -v mailRoutingAddress -k (&(objectClass=inetLocalMailRecipient) (mailLocalAddress=%0))', dnl
dnl `bounce')dnl
dnl
dnl To stop spamming from known domains and known senders you should
dnl not use the FEATURE(dialup) nor FEATURE(promiscuous_relay) nor HACK(nodns).
dnl To turn on the ability to refuse or allow incoming mail for certain
dnl recipient usernames, hostnames, or addresses, you should declare them
dnl in `/etc/mail/access'.
dnl You can provide a black list for the FEATURE below list which is used to
dnl block incoming mail for certain recipient usernames, hostnames, or
dnl addresses.
dnl
dnl FEATURE(`blacklist_recipients')dnl
dnl
dnl The Realtime Blackhole List is a service of rbl.maps.vix.com
dnl (see http://maps.vix.com/rbl/). It provides a list of hosts
dnl of known spammers. The FEATURES below are some other server
dnl for rejecting well known spammers
dnl (see http://maps.vix.com/ and http://www.orbs.org/).
dnl
dnl FEATURE(`dnsbl')dnl
dnl FEATURE(`dnsbl',`dul.maps.vix.com',` Mail from $&{client_addr} rejected - dul; see http://maps.vix.com')dnl
dnl FEATURE(`dnsbl',`relays.orbs.org', ` Mail from $&{client_addr} rejected - open relay; see http://www.orbs.org')dnl
dnl
dnl
dnl Just add the local domain if the email address doesn't have one
dnl
FEATURE(`always_add_domain')dnl
dnl
dnl Specify the sender email address for all outgoing mail from the local
dnl machine. Most people also want to use "masquerade_envelope" to also
dnl change the envelope addresses.
dnl Use "allmasquerade" to also change the recipient address. Don't use
dnl this feature, if you don't have the full /etc/aliases and the full
dnl /etc/passwd on your host.
dnl
dnl MASQUERADE_AS(`newdomain.notused')dnl
dnl FEATURE(`masquerade_envelope')dnl
dnl FEATURE(`allmasquerade')dnl
dnl FEATURE(`no_local_masquerading')dnl
dnl
dnl Normally, any hosts decided as locally are masqueraded. If
dnl the feature limited_masquerade is used, only the hosts listed in
dnl MASQUERADE_DOMAIN() are masqueraded. This is useful if you have
dnl several domains with disjoint namespaces hosted on the same machine.
dnl
dnl MASQUERADE_DOMAIN(`otherdmain.notused')dnl
dnl FEATURE(`limited_masquerade')dnl
dnl
dnl The list will cause certain addresses originating locally (i.e. that
dnl are unqualified) or domains to be looked up in a map and turned into
dnl another ("generic") form, which can change both the domain name and
dnl the user name. These domains can additional to the local domains be
dnl changed in /etc/mail/genericstable
dnl
dnl GENERICS_DOMAIN(`your.domain')dnl
dnl
dnl Foreign package amavis needs libmilter interface
dnl
dnl define(`MILTER')dnl
dnl divert(-1)
dnl INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/run/amavis/amavis-milter.sock, T=S:10m;R:10m;E:10m')
dnl divert(0)dnl
dnl
dnl
dnl Enable SMTP-AUTH as client (plain, gssapi, digest-md5, and cram-md5)
dnl AUTH_DIR is defined in OSTYPE(`suse-linux') as /etc/mail/auth
dnl Please not that most providers only know about `plain' which means
dnl that the user data will not be encrypted.
dnl
dnl define(`confAUTH_MECHANISMS', `place_here_your_auth_mechanism')dnl
dnl FEATURE(`authinfo', `hash -o 'AUTH_DIR\`/auth-info')dnl
dnl
dnl Enable SMTP-AUTH as server (gssapi, digest-md5, and cram-md5)
dnl for an explanation read
dnl /usr/share/sendmail/README, /usr/share/doc/packages/sendmail/op.txt.bz2,
dnl and http://www.sendmail.org/~ca/email/auth.html.
dnl
dnl define(`confAUTH_OPTIONS', `Apy')dnl
dnl TRUST_AUTH_MECH(`place_here_your_auth_mechanism')dnl
dnl define(`confAUTH_MECHANISMS', `place_here_your_auth_mechanism')dnl
dnl
dnl Enable STARTTLS Certificates, for an explanation read
dnl /usr/share/doc/packages/sendmail/op.txt.bz2 and
dnl http://www.sendmail.org/~ca/email/starttls.html
dnl The certification and key files are placed at
dnl /etc/mail/certs/ as CA.cert.pem, MYServer.cert.pem,
dnl MYServer.key.pem (for STARTTLS server) and
dnl MYClient.cert.pem, MYClient.key.pem (for STARTTLS client).
dnl CERT_DIR is defined in OSTYPE(`suse-linux') as /etc/mail/certs
dnl
dnl define(`confCACERT', CERT_DIR/`CA.cert.pem')dnl"
dnl define(`confSERVER_CERT', CERT_DIR/`MYServer.cert.pem')dnl"
dnl define(`confSERVER_KEY', CERT_DIR/`MYServer.key.pem')dnl"
dnl define(`confCLIENT_CERT', CERT_DIR/`MYClient.cert.pem')dnl"
dnl define(`confCLIENT_KEY', CERT_DIR/`MYClient.key.pem')dnl"
dnl
dnl We use the generic m4 macro definition. This defines
dnl an extented .forward and redirect mechanism.
dnl
DOMAIN(`generic')dnl
FEATURE(`smrsh',`/usr/lib/sendmail.d/bin/smrsh')dnl
dnl
dnl These mailers are available. per default only smtp is used. You have
dnl to add entries to /etc/mail/mailertable to enable one of the other
dnl mailers.
dnl
FEATURE(`accept_unresolvable_domains')dnl Added by sendmail-tuning in post-install
define(`POP_B4_SMTP_TAG')dnl Added by sendmail-tuning in post-install
HACK(`popauth')dnl Added by sendmail-tuning in post-install
FEATURE(`no_default_msa')dnl Added by sendmail-tuning in post-install
DAEMON_OPTIONS(`Port=smtp, Name=MSA, M=E')dnl Added by sendmail-tuning in post-install
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl Added by sendmail-tuning in post-install
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl Added by sendmail-tuning in post-install
MAILER(`local')dnl
MAILER(`smtp')dnl
MAILER(`procmail')dnl
MAILER(`uucp')dnl
MAILER(`bsmtp')dnl
MAILER(`fido')dnl
dnl
dnl Just an other (open)ldap feature is the usage of maill500 as mailer
dnl for a given (open)ldap domain (see manual page mail500).
dnl
dnl MAILER(`mail500', `place_here_your_openldap_domain')dnl
dnl
dnl This line is required for formating the /etc/sendmail.cf
dnl
LOCAL_CONFIG
dnl
dnl The alternate names of this host:
dnl
dnl Cw localhost www.domain.notused
dnl

mythorth
25.11.05, 13:47
well, I have now experimented a bit more and carried out the tutorial I posted at the start completely; the final test now gives the following:


Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 xxxxx.xxxxx.de ESMTP Sendmail 8.12.7/8.12.7/SuSE Linux 0.6; Fri, 25 Nov 2005 13:37:20 +0100
EHLO client.host.tld
250-xxxxx.xxxxx.de Hello xxxxx.xxxxx.de [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
AUTH PLAIN dXNlcm5hbWUAdNlcm5hWUAcGFzc3dvcm=
535 5.7.0 authentication failed


in the linux.mc I have already inserted this:


TRUST_AUTH_MECH(`$SMTP_AUTH_SERVER')dnl
define(`confAUTH_OPTIONS', `Ay' )dnl


the file etc/sysconfig/sendmail looks like this at the relevant spot:


# Please not that most providers only know about `plain' which means
# that the user data will not be encrypted.
# You will have to identify yourself using the information in
# /etc/mail/auth/auth-info.
#
SMTP_AUTH_MECHANISMS="plain,login"

## Type: list(plain,gssapi,digest-md5,cram-md5)
## Default: ""
#
# enable SMTP AUTHENTICATION as a server, for an explanation read
# /usr/share/sendmail/README, /usr/share/doc/packages/sendmail/op.txt.bz2,
# and http://www.sendmail.org/~ca/email/auth.html.
# Possible values are gssapi, digest-md5, and cram-md5. Note that
# `plain' should be used because data will not be encrypted and
# that more than one value separated by spaces is allowed.
#
SMTP_AUTH_SERVER="plain,login"


Then the /etc/sysconfig/saslauthd


## Path: System/Security/SASL
## Type: list(getpwent,kerberos5,pam,rimap,shadow,ldap)
## Default: pam
#
# Authentication mechanism to use by saslauthd.
# See man 8 saslauthd for available mechanisms.
#
SASLAUTHD_AUTHMECH=pam


and the /usr/lib/sasl2/Sendmail.conf


#
pwcheck_method: saslauthd


then we still have /etc/pam.d/smtp


#%PAM-1.0
auth required pam_unix.so #nullok set_setrpc
account required pam_unix.so


I'm slowly despairing here... where is the error? I followed the tutorial exactly... here is the link again:

http://portal.suse.de/sdb/de/2003/10...th_server.html

from my mail client I can still send mail without authentication for SMTP being enabled... HEEEELP ;-(

RichieX
25.11.05, 16:28
But it does seem to be performing authentication:

AUTH PLAIN dXNlcm5hbWUAdNlcm5hWUAcGFzc3dvcm=
535 5.7.0 authentication failed
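Added example, not from the thread or from the SuSE tutorial: the "AUTH PLAIN ..." line quoted above carries a SASL PLAIN initial response, which per RFC 4616 is the base64 encoding of "authzid NUL authcid NUL password". The token as posted is 33 characters long, not a multiple of four, so as written it is not even valid base64 and was probably mangled in transcription; its first twelve characters do decode to "username" followed by NUL, which shows it was typed in from the tutorial's literal placeholder rather than built from a real account, and that alone explains the 535 (assumption: no account called "username" exists on that machine). The Python below builds a correct token from given credentials and validates a captured one the way a server must; "username" and "password" are assumed to be the tutorial's placeholder values. One caveat the linux.mc comments already hint at with `Apy': with confAUTH_OPTIONS set to `Ay', sendmail offers PLAIN and LOGIN on an unencrypted port 25 session, so a real token travels in cleartext; the `p' flag withholds those mechanisms until STARTTLS is active.

```python
import base64
import binascii

# Constructed placeholder credentials, assumed to be what the tutorial's
# example token was built from (not real credentials).
SAMPLE_USER = "username"
SAMPLE_PASSWORD = "password"

# Token exactly as it appears in the transcript above.
TRANSCRIPT_TOKEN = "dXNlcm5hbWUAdNlcm5hWUAcGFzc3dvcm="


def build_plain_token(authcid: str, password: str, authzid: str = "") -> str:
    """Build the SASL PLAIN initial response (RFC 4616):
    base64( authzid NUL authcid NUL password ).

    An empty authzid means "authorize as the authenticated user"; the
    tutorial repeats the user name instead, which is equally valid."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and may not occur in a field")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain_token(token: str):
    """Decode a PLAIN token the way a server must: strict base64, then exactly
    three NUL-separated fields. Returns (authzid, authcid, password), or None
    if the token is malformed."""
    if len(token) % 4 != 0:
        return None  # base64 always comes in groups of four characters
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    try:
        return tuple(p.decode("utf-8") for p in parts)
    except UnicodeDecodeError:
        return None


def explain(token: str) -> str:
    """Verdict for a captured AUTH PLAIN line (never prints the password)."""
    fields = parse_plain_token(token)
    if fields is None:
        return "malformed token: no user name can be extracted from it"
    authzid, authcid, _password = fields
    return f"well-formed: authcid={authcid!r} authzid={authzid!r}"


if __name__ == "__main__":
    rebuilt = build_plain_token(SAMPLE_USER, SAMPLE_PASSWORD, authzid=SAMPLE_USER)
    print("token for the tutorial placeholders:", rebuilt)
    print("transcript token:", explain(TRANSCRIPT_TOKEN))
    print("rebuilt token:   ", explain(rebuilt))
```

Running it shows the transcript token rejected as malformed and the rebuilt placeholder token parsing to authcid "username"; substituting an account that actually exists in /etc/passwd (the saslauthd/PAM chain in the posted configuration checks against it) is what the tutorial expects the reader to do before the 235 can appear.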

mythorth
25.11.05, 20:45
but no auth is configured in my mail program and I can still send anyway... besides, according to the tutorial, authentication is supposed to work when you test it like that ;-)

mythorth
25.11.05, 23:29
well, I have found the following: if I delete the popauth.db in etc/mail/, then I can no longer send mails from the mail program without authentication switched on, but then the login credentials of the POP3 account don't work any more either; so as a result I can't send mails without auth, but not with auth either...

I hope that helps and you have some tips?!?
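Added example, not from the thread and not sendmail's own code: a simplified model of the relay decision that ties together RichieX's reading of the "127 RELAY" access entry and the popauth.db observation just above. The posted linux.mc contains HACK(`popauth') and define(`POP_B4_SMTP_TAG') ("Added by sendmail-tuning in post-install"), which is assumed here to be POP-before-SMTP: a client address that recently logged in via POP3 is recorded in the popauth map and may relay without SMTP AUTH for a while. A mail client that polls POP3 before sending therefore appears to "send without auth", and deleting the map closes that path, which is consistent with what the poster sees. The access-map prefix matching (127 covering all 127.x.x.x addresses) and the TRUST_AUTH_MECH list are taken from the thread; the 30-minute window, the client address and the map contents are constructed.

```python
import time

# Constructed sample inputs modelled on the thread, not real files: the one
# active line of the poster's /etc/mail/access, the mechanisms from the
# TRUST_AUTH_MECH(...) line in linux.mc, and a popauth map as assumed here for
# HACK(`popauth'): client IP -> epoch time of its last successful POP3 login.
ACCESS_SAMPLE = """\
# /etc/mail/access (constructed)
127              RELAY
"""
TRUSTED_MECHS = {"DIGEST-MD5", "CRAM-MD5", "LOGIN", "PLAIN"}
POPAUTH_TTL_SECONDS = 30 * 60  # assumed POP-before-SMTP grace window


def parse_access(text):
    """Parse the text form of /etc/mail/access into a list of (key, action).
    On the real system makemap turns this into access.db; semantics are the same."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        entries.append((key, action.strip()))
    return entries


def access_allows_relay(entries, client_ip):
    """sendmail looks the connecting address up by progressively shorter dotted
    prefixes (192.0.2.10, 192.0.2, 192.0, 192), so a bare "127  RELAY" entry
    covers every 127.x.x.x address, i.e. only the loopback interface."""
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        prefix = ".".join(octets[:n])
        for key, action in entries:
            if key == prefix and action.upper() == "RELAY":
                return True
    return False


def popauth_allows_relay(popauth_map, client_ip, now, ttl=POPAUTH_TTL_SECONDS):
    """POP-before-SMTP: an address that logged in via POP3 within the window may relay."""
    last_login = popauth_map.get(client_ip)
    return last_login is not None and 0 <= now - last_login <= ttl


def may_relay(client_ip, *, auth_mech, trusted_mechs, access_entries, popauth_map, now):
    """Simplified relay decision. Each branch is an independent path to relaying;
    SMTP AUTH only protects the server once the other two are as narrow as intended."""
    if access_allows_relay(access_entries, client_ip):
        return True, "access map: RELAY entry matches client address"
    if auth_mech and auth_mech.upper() in trusted_mechs:
        return True, f"SMTP AUTH via trusted mechanism {auth_mech.upper()}"
    if popauth_allows_relay(popauth_map, client_ip, now):
        return True, "POP-before-SMTP: client address found in popauth map"
    return False, "relaying denied"


def thread_scenarios(now=None):
    """Replay the situations from the thread; returns {label: (allowed, reason)}."""
    now = time.time() if now is None else now
    entries = parse_access(ACCESS_SAMPLE)
    client = "192.0.2.10"              # constructed LAN client address
    recent_pop = {client: now - 60}    # client fetched POP3 a minute ago
    expired_pop = {client: now - 2 * POPAUTH_TTL_SECONDS}
    common = dict(trusted_mechs=TRUSTED_MECHS, access_entries=entries, now=now)
    return {
        "localhost, no AUTH": may_relay("127.0.0.1", auth_mech=None, popauth_map={}, **common),
        "client, no AUTH, popauth.db present": may_relay(client, auth_mech=None, popauth_map=recent_pop, **common),
        "client, no AUTH, popauth.db deleted": may_relay(client, auth_mech=None, popauth_map={}, **common),
        "client, AUTH PLAIN": may_relay(client, auth_mech="plain", popauth_map={}, **common),
        "client, POP login expired": may_relay(client, auth_mech=None, popauth_map=expired_pop, **common),
    }


if __name__ == "__main__":
    for label, (allowed, why) in thread_scenarios().items():
        verdict = "RELAY" if allowed else "DENY"
        print(f"{label:40s} -> {verdict:5s} ({why})")
```

The scenario table makes the security point explicit: the poster's SMTP AUTH setup was working all along (the "client, AUTH PLAIN" row), but the POP-before-SMTP path opened by the post-install tuning granted the same relay right to any address that had just fetched mail, so a client with no AUTH configured could still send. Closing that path (removing HACK(`popauth') from linux.mc and regenerating sendmail.cf, rather than just deleting the map file that the POP server also writes to) leaves only the access map and trusted AUTH mechanisms as ways to relay.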

RichieX
28.11.05, 14:38
Have you run "SuSEconfig --module sendmail" after making the configuration changes?