1. Forum
  2. Usenet
  3. COMP.MAIL.SENDMAIL

  • How to set up authorized submission ?

    From John Levine@21:1/5 to All on Sun May 16 02:03:17 2021
    I'm trying to set up the 8.17 so I can test the EAI stuff, but it's been a long time since I hacve set up
    a sendmail system (I think the last time, there was an active uucp gateway) and I'm stuck getting
    submission to work.

    I would like what I think is a pretty normal setup: SMTP on port 25,
    submission on port 587 which only allows relay after STARTTLS and AUTH
    PLAIN or AUTH LOGIN. I have it set up on FreeBSD, the STARTTLS works
    fine, I've built it with the cyrus SASL libraries, I can send and
    receive mail to and from local addresses, but I can't figure out what
    to put in sendmail.mc and submit.mc to get submission to work. Ideally
    I'd authorize against user/pw set with saslpasswd2 but /etc/shadow
    would be OK if that's hard.

    Googlage finds a lot of very old stuff like for 8.10 that doesn't work. Any hints where I might
    find a template for this?

    TIA
    --
    Regards,
    John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to John Levine on Sat May 15 21:56:06 2021
    On 5/15/21 8:03 PM, John Levine wrote:
    I would like what I think is a pretty normal setup: SMTP on port 25, submission on port 587 which only allows relay after STARTTLS and
    AUTH PLAIN or AUTH LOGIN.

    That definitely sounds normal enough.

    I have it set up on FreeBSD, the STARTTLS works fine, I've built
    it with the cyrus SASL libraries, I can send and receive mail to
    and from local addresses, but I can't figure out what to put in
    sendmail.mc and submit.mc to get submission to work. Ideally I'd
    authorize against user/pw set with saslpasswd2 but /etc/shadow would
    be OK if that's hard.

    Check the DAEMON_OPTIONS for the submission port. You probably want the
    "a" modifier ("M") to "require SMTP Authentication".

    Also check out the confAUTH_OPTIONS to require that a secure channel
    (STARTTLS) is used when using sensitive credentials.

    Googlage finds a lot of very old stuff like for 8.10 that doesn't work.
    Any hints where I might find a template for this?

    Hopefully the information above will give you want you need to refine
    your searches.



    --
    Grant. . . .
    unix || die

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to John Levine on Sun May 16 08:25:06 2021
    John Levine wrote:

    Googlage finds a lot of very old stuff like for 8.10 that doesn't work. Any hints

    A better problem description than "doesn't work" might be useful.

    If it is about getting Cyrus-SASL itself to work for sendmail the
    instructions are basically the same - it's mostly about setting up Sendmail.conf to specify which "password" backend to use.

    The questions about what to set up in the .mc file have already
    been answered by another reply.

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From John Levine@21:1/5 to All on Sun May 16 15:59:35 2021
    According to Claus A�mann <ml+sendmail(-no-copies-please)@esmtp.org>:
    If it is about getting Cyrus-SASL itself to work for sendmail the >instructions are basically the same - it's mostly about setting up >Sendmail.conf to specify which "password" backend to use.

    Ah, that is helpful, since there is no clue in the documentation that Sendmail.conf even exists.

    --
    Regards,
    John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From John Levine@21:1/5 to All on Thu May 20 02:57:52 2021
    According to John Levine <[email protected]>:

    Now I can connect to port 587, log in, and authenticate. The only thing I can't do is send mail:

    Never mind, the sendmail cookbook came through with TRUST_AUTH_MECH:

    FEATURE(`no_default_msa')
    DAEMON_OPTIONS(`Name=MSA, Port=587, M=Eac')
    dnl require STARTTLS
    define(`confAUTH_OPTIONS', `p')
    define(`confAUTH_MECHANISMS', `LOGIN PLAIN')
    TRUST_AUTH_MECH(`LOGIN PLAIN')

    Today's question is how I tell it that it's OK for an authenticated user to send
    mail with some other address in the envelope or From: header. I expect it's also
    in the cookbook but I don't know what it's called. Doesn't like like masquerade is quite it.

    --
    Regards,
    John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From John Levine@21:1/5 to [email protected] on Thu May 20 02:19:38 2021
    It appears that Grant Taylor <[email protected]> said:
    On 5/15/21 8:03 PM, John Levine wrote:
    I would like what I think is a pretty normal setup: SMTP on port 25,
    submission on port 587 which only allows relay after STARTTLS and
    AUTH PLAIN or AUTH LOGIN.

    That definitely sounds normal enough.

    Well, I'm pretty close. I have O'Reilly's Sendmail Cookbook from 2003, and stared at a certain
    amount of source code.

    First I built sendmail with the PLAIN and LOGIN auth methods by overriding the AUTH_MECHANISMS define.
    To my surprise, this worked:

    dnl for sasl
    APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL=2')
    APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
    dnl include all SASL methods APPENDDEF(`conf_sendmail_ENVDEF',`-DAUTH_MECHANISMS="\"EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 PLAIN LOGIN\""')

    Then I instaled the FreeBSD packages for cyrus-sasl and cyrus-saslauthd. It turns out that the nearly undocumented
    /usr/local/lib/sasl2/Sendmail.conf already contains "pwcheck_method: saslauthd", so I started
    the sasl daemon with args "-a sasldb" rather than the default "-a pam".

    Then I set up sendmail.mc to do just LOGIN and PLAIN after STARTTLS on port 587, no auth on port 25:

    dnl Enable port 25 for both IPv4 and IPv6 with no auth DAEMON_OPTIONS(`Name=IPv4, Family=inet, M=A')
    DAEMON_OPTIONS(`Name=IPv6, Family=inet6, M=A')

    FEATURE(`no_default_msa')
    DAEMON_OPTIONS(`Name=MSA, Port=587, M=Eac')
    dnl require STARTTLS
    define(`confAUTH_OPTIONS', `p')
    define(`confAUTH_MECHANISMS', `LOGIN PLAIN')

    Now I can connect to port 587, log in, and authenticate. The only thing I can't do is send mail:

    At my end:

    21:53:10.618705 send: 'AUTH PLAIN AGVhaXRlewyc3Hh4\r\n'
    21:53:10.665909 reply: b'235 2.0.0 OK Authenticated\r\n'
    21:53:10.666115 reply: retcode (235); Msg: b'2.0.0 OK Authenticated'
    logged in as eaitest

    On the server:

    May 20 01:53:10 xn--5nq21jyu9d1ta sm-mta[49767]: STARTTLS=server, relay=[64.246.232.221], version=TLSv1.3, verify=NO, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
    May 20 01:53:10 xn--5nq21jyu9d1ta sm-mta[49767]: AUTH=server, relay=[64.246.232.221], authid=eaitest, mech=PLAIN, bits=0
    May 20 01:53:10 xn--5nq21jyu9d1ta sm-mta[49767]: 14K1rAnE049767: ruleset=check_rcpt, arg1=<[email protected]>, relay=[64.246.232.221], reject=550 5.7.1 <[email protected]>... Relaying denied. IP name lookup failed [64.246.232.221]
    May 20 01:53:10 xn--5nq21jyu9d1ta sm-mta[49767]: 14K1rAnE049767: from=<[email protected]>, size=44, class=0, nrcpts=0, proto=UTF8SMTPSA, daemon=MSA, relay=[64.246.232.221]

    I presume I have to tweak check_rcpt to allow me to send mail once authenticated. Uh, a hint or two would be appreciated.


    -- not urgent question --

    Is there a way to do submits on port 465? It's like the MSA on 587 but does the TLS handshake when it connects, like https does.


    --- Sort of bug report ---

    The default config for AUTH allows CRAM-MD5 and DIGEST-MD5 but not
    LOGIN or PLAIN, presumably because 20 years ago few SMTP sessions used
    TLS and you can't recover the password by snooping. But now everyone
    does TLS, and those two methods require that the server store the
    plaintext passwords or a fragile prehash of them.

    The IETF has considered CRAM-MD5 to be obsolete since 2008, and
    DIGEST-MD5 obsolete since 2011, see RFC 6331. These days the preferred
    AUTH is LOGIN or PLAIN protected by STARTTLS, so it would be a
    kindness to future sendmail users to make that the default, or at
    least compile in LOGIN and PLAIN, and package up the settings as an
    easy to find option.

    --
    Regards,
    John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to John Levine on Thu May 20 04:37:09 2021
    John Levine wrote:

    Today's question is how I tell it that it's OK for an authenticated user to send
    mail with some other address in the envelope or From: header. I expect it's also

    Have you simply tried it?

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to John Levine on Thu May 20 04:55:21 2021
    John Levine wrote:

    First I built sendmail with the PLAIN and LOGIN auth methods by overriding the
    AUTH_MECHANISMS define.
    To my surprise, this worked:

    Why don't you simply use the run time option?

    APPENDDEF(`conf_sendmail_ENVDEF',`-DAUTH_MECHANISMS="\"EXTERNAL GSSAPI KERBEROS_V4
    DIGEST-MD5 CRAM-MD5 PLAIN LOGIN\""')

    That just sets the default.

    AuthMechanisms
    [no short name] List of authentication mech-
    anisms for AUTH (separated by spaces). The
    advertised list of authentication mechanisms
    will be the intersection of this list and
    the list of available mechanisms as deter-
    mined by the Cyrus SASL library.

    See also cf/README.

    define(`confAUTH_MECHANISMS', `LOGIN PLAIN')

    Which means your compile time option is unneeded.

    I presume I have to tweak check_rcpt to allow me to send mail once authenticated.

    Please read cf/README -- the sendmail documentation is fairly good...

    Per default, relaying is allowed for any user who authenticated
    via a "trusted" mechanism, i.e., one that is defined via
    TRUST_AUTH_MECH(`list of mechanisms')
    For example:
    TRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5')

    Is there a way to do submits on port 465? It's like the MSA on 587 but does the TLS
    handshake when it connects, like https does.

    Look in op.* for "smtps"
    DaemonPortOptions=options
    s Run smtps (SMTP over SSL) instead of smtp

    The default config for AUTH allows CRAM-MD5 and DIGEST-MD5 but not
    LOGIN or PLAIN, presumably because 20 years ago few SMTP sessions used
    TLS and you can't recover the password by snooping. But now everyone
    ^^?
    does TLS, and those two methods require that the server store the
    plaintext passwords or a fragile prehash of them.

    And yet you misconfigured it...

    Have you tried STARTTSL and then AUTH?


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to John Levine on Thu May 20 09:41:29 2021
    On 5/19/21 8:57 PM, John Levine wrote:
    Today's question is how I tell it that it's OK for an authenticated
    user to send mail with some other address in the envelope or From:
    header.

    I think that it's going to just work.

    I've never had Sendmail not allow authenticated senders to use any SMTP envelope address that they wanted to. -- Thankfully I've never
    /needed/ to impose such limitations. Thus I've not looked for how to do
    it. Ergo, I think you can do what you want out of the gate.



    --
    Grant. . . .
    unix || die

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From John Levine@21:1/5 to All on Thu May 20 16:51:24 2021
    According to Grant Taylor <[email protected]>:
    On 5/19/21 8:57 PM, John Levine wrote:
    Today's question is how I tell it that it's OK for an authenticated
    user to send mail with some other address in the envelope or From:
    header.

    I think that it's going to just work.

    No, see other messages.

    --
    Regards,
    John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From John Levine@21:1/5 to @esmtp.org on Thu May 20 16:52:30 2021
    It appears that Claus A�mann <ml+sendmail(-no-copies-please)@esmtp.org> said: >> APPENDDEF(`conf_sendmail_ENVDEF',`-DAUTH_MECHANISMS="\"EXTERNAL GSSAPI KERBEROS_V4
    DIGEST-MD5 CRAM-MD5 PLAIN LOGIN\""')

    That just sets the default.

    So I now see. I was confused because I didn't realize that it treated
    different AUTN mechanisms differently and some are handled as "more
    secure" than others. That is just strange -- every client library I
    know just tries all the mechanisms until one works.

    Please read cf/README -- the sendmail documentation is fairly good...

    Per default, relaying is allowed for any user who authenticated
    via a "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH(`list of mechanisms')
    For example:
    TRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5')

    See other message, I found that in the cookbook. It is still strange that some auth methods
    are "more secure". Having used a lot of MTAs, I think I can say with confidence that nobody
    else does that. I also don't think anyone else shows a different list before and after STARTTLS.
    They often show no AUTH at all before STARTTLS, but not a truncated list.

    Is there a way to do submits on port 465? It's like the MSA on 587 but does the TLS
    handshake when it connects, like https does.

    Look in op.* for "smtps"
    DaemonPortOptions=options
    s Run smtps (SMTP over SSL) instead of smtp

    Aha. That worked:

    dnl Enable for both IPv4 and IPv6 (optional) with no auth DAEMON_OPTIONS(`Name=IPv4, Family=inet, M=A')
    DAEMON_OPTIONS(`Name=IPv6, Family=inet6, M=A')

    dnl set up MSAs
    FEATURE(`no_default_msa')
    DAEMON_OPTIONS(`Name=Submit4, Family=inet, Port=587, M=Eac') DAEMON_OPTIONS(`Name=Submit6, Family=inet6, Port=587, M=Eac') DAEMON_OPTIONS(`Name=Submits4, Family=inet, Port=465, M=Eacs') DAEMON_OPTIONS(`Name=Submits6, Family=inet6, Port=465, M=Eacs')

    dnl require STARTTLS
    define(`confAUTH_OPTIONS', `p')
    define(`confAUTH_MECHANISMS', `LOGIN PLAIN')
    TRUST_AUTH_MECH(`LOGIN PLAIN')

    The default config for AUTH allows CRAM-MD5 and DIGEST-MD5 but not
    LOGIN or PLAIN, presumably because 20 years ago few SMTP sessions used
    TLS and you can't recover the password by snooping. But now everyone
    ^^?
    does TLS, and those two methods require that the server store the
    plaintext passwords or a fragile prehash of them.

    And yet you misconfigured it...

    No kidding. Have I mentioned that the sasl documentation is nearly nonexistent? Lucky for me
    that this newsgroup still exists.

    I had one other question about overriding from addresses but the cookbook pointed me at trusted users
    so I think I'm OK there.

    Now on to EAI testing. It seems generally to work but I have some suggestions about implementation choices.

    R's,
    John
    --
    Regards,
    John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to All on Thu May 20 17:51:49 2021
    John Levine wrote:

    Please stop sending me copies via e-mail - esp. if your software
    messes up the address.

    It is still
    strange that some auth methods are "more secure".

    What is strange about that? The Cyrus-SASL docs as well as the
    RFCs about the various mechanisms explain the security implications.

    of MTAs, I think I can say with confidence that nobody else does
    that. I also don't think anyone else shows a different list before
    and after STARTTLS.

    Not my problem - seems the code we got from the Cyrus-SASL developers
    is "better" (more functionality)... and sendmail supported AUTH
    before STARTTLS.

    Cyrus-SASL has a lot of features and sendmail simply makes those
    available:

    AuthOptions
    a protection from active (non-dictionary) attacks
    during authentication exchange.
    d don't permit mechanisms susceptible to passive
    dictionary attack.
    f require forward secrecy between sessions
    (breaking one won't help break next).
    m require mechanisms which provide mutual authentication
    (only available if using Cyrus SASL v2 or later).
    p don't permit mechanisms susceptible to simple
    passive attack (e.g., PLAIN, LOGIN), unless a
    security layer is active.

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From John Levine@21:1/5 to @esmtp.org on Thu May 20 20:04:06 2021
    It appears that Claus A�mann <ml+sendmail(-no-copies-please)@esmtp.org> said: >> It is still strange that some auth methods are "more secure".

    What is strange about that? The Cyrus-SASL docs as well as the
    RFCs about the various mechanisms explain the security implications.

    Well, yes, the RFCs say CRAM-MD5 and DIGEST-MD5 were deprecated a
    decade ago. It's easy enough to turn them off, and I suppose it's
    unlikely that anyone who cares about this stuff will use the
    defaults.

    Not my problem - seems the code we got from the Cyrus-SASL developers
    is "better" (more functionality)... and sendmail supported AUTH
    before STARTTLS.

    I undestand there is a lot of 20 year old code, but it doesn't mean
    that the 20 year old code is still all fit for purpose. AUTH without
    STARTTLS allows an attack where a MITM hijacks the session after the
    AUTH response. That seems unlikely outside of enviroments with
    students with nothing better to do, but it's one of the reasons a lot
    of us don't allow any AUTH before STARTTLS, and why we put valid certs
    on our mail servers.



    --
    Regards,
    John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to John Levine on Thu May 20 20:27:12 2021
    On 5/20/21 10:51 AM, John Levine wrote:
    No, see other messages.

    I'm not sure what other message you're referring to.

    Then we have something significantly different between our systems.

    I just confirmed and I have exactly one (1) SMTP client configuration
    for my mail server. I have four (4) IMAP client configurations for the
    same mail server and each are using unique SMTP envelope from addresses
    with the same single SMTP client configuration. One of the IMAP client configurations has sixteen (16) alternate identities, each with their
    own unique SMTP envelope from address. That's a total of twenty (20)
    different SMTP envelope from addresses that I use through the single
    SMTP client configuration. Many of those alternate identities aren't
    actually configured as an address and instead are part of a wildcard in virtusertable for incoming addresses to a sub-domain.

    Hence why I say that "I think that it's going to just work" ... "for an authenticated user to send mail with some other address in the envelope
    or From: header."

    I would like to know what is different so that I have a tool to put in
    the tool box in case I ever have a need to lock down so that the
    authenticating account can only send as specific pre-approved addresses.



    --
    Grant. . . .
    unix || die

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From John Levine@21:1/5 to All on Fri May 21 03:03:08 2021
    According to Grant Taylor <[email protected]>:
    On 5/20/21 10:51 AM, John Levine wrote:
    No, see other messages.

    I'm not sure what other message you're referring to.

    The one about TRUST_AUTH_MECH(`LOGIN PLAIN')

    For changing the From address, the incantation seems to be:

    FEATURE(`use_ct_file')

    --
    Regards,
    John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)