[lug] smtp authentication with sendmail

Bear Giles bgiles at coyotesong.com
Fri Apr 12 10:50:30 MDT 2002


> i've been struggling with getting a sendmail 8.11.6 daemon up and running 
> using cyrus-sasl for smtp authentication. my goal is to use simple PLAIN 
> auth against the local /etc/shadow to allow roaming users smtp access 
                   ^^^^^^^^^^^^^^^^^
                   !!!!!!!!!!!!!!!!!
                   ?????????????????
> without opening the server up to blind open relay.

Is there some reason you want to have your passwords sent in plaintext
across the 'net?  (Assuming that PLAIN auth is what the name implies -
it's been a while since I looked at SASL.)

> Likewise, when using a local pop3/smtp application, the connection times 
> out due to inactivity from the server. Can anyone point out my mistake 
> that is causing this to fail?

With a straight line like that....

Seriously, this is a complex problem and the SASL stuff feels ad hoc.
Another approach to consider is STARTTLS - sendmail and qmail (and
probably other) MTAs support TLS, and I know that qmail can be configured
to reject connections unless the client connects with a previously 
registered X.509 cert.

In this case you would set up the main site to reject mail forwarding
unless the client had one of your roaming user certs.  I'm not sure how
this is set up on the client side under Windows and Macs - under Linux
you could just use any MTA with STARTTLS support.

Bear

(P.S., one complication is that qmail's emphasis on "doing it right"
can make life miserable with TLS - it wants DNS records for the remote
site.  A mere /etc/hosts entry will not suffice.  If your users are
truly roaming you might need to use a different MTA.  Or the qmail
patch might have been relaxed to handle this case by now.)
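
Added example (not part of the original message): SASL PLAIN, as defined in RFC 4616, carries the password base64-encoded only, so this Python sketch decodes a constructed token and checks a constructed EHLO reply for PLAIN or LOGIN being offered before STARTTLS. The host name, account and password are made-up sample values, and the function names are this example's own.

```python
import base64

# Mechanisms that put the password itself on the wire (base64 is encoding, not encryption).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def decode_plain(token_b64):
    """Decode a SASL PLAIN response: authzid NUL authcid NUL passwd (RFC 4616)."""
    authzid, authcid, passwd = base64.b64decode(token_b64).split(b"\x00", 2)
    return authzid.decode(), authcid.decode(), passwd.decode()

def ehlo_keywords(response):
    """Parse a multi-line EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    for line in response.splitlines()[1:]:      # first line is the greeting
        if len(line) < 4 or not line.startswith("250"):
            continue
        # Some servers also advertise the legacy "AUTH=LOGIN PLAIN" form.
        parts = line[4:].replace("=", " ").split()
        if parts:
            caps.setdefault(parts[0].upper(), []).extend(p.upper() for p in parts[1:])
    return caps

def cleartext_auth_exposed(ehlo_before_tls):
    """Mechanisms that would expose the password if used on this unencrypted session."""
    offered = set(ehlo_keywords(ehlo_before_tls).get("AUTH", []))
    return sorted(CLEARTEXT_MECHS & offered)

# Constructed sample data (not captured from any real server).
SAMPLE_TOKEN = base64.b64encode(b"\x00roamer\x00not-a-real-password").decode()
WEAK_EHLO = (
    "250-mail.example.org Hello\n"
    "250-STARTTLS\n"
    "250-AUTH PLAIN LOGIN\n"
    "250 HELP"
)
HARDENED_EHLO = (               # AUTH is only advertised after STARTTLS completes
    "250-mail.example.org Hello\n"
    "250-STARTTLS\n"
    "250 HELP"
)

if __name__ == "__main__":
    print("AUTH PLAIN token decodes to:", decode_plain(SAMPLE_TOKEN))
    print("weak server, pre-TLS:", cleartext_auth_exposed(WEAK_EHLO))
    print("hardened server, pre-TLS:", cleartext_auth_exposed(HARDENED_EHLO))
```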


