Relay of smtp server

edwardspl at ita.org.mo edwardspl at ita.org.mo
Mon Sep 17 17:33:52 UTC 2007


Hello Alex,

Is the following okay?

define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Edward.

Alexander Dalloz wrote:

>edwardspl at ita.org.mo wrote:
>
>  
>
>>Hello Alex,
>>
>>So, how to modify the mc file for using sasl ?
>>
>>Edward.
>>    
>>
>
>Edward,
>
>the sendmail.mc shipping with Fedora already contains the required
>"switches" to configure Sendmail to provide SMTP AUTH (which makes use of
>SASL). Except for one of those lines, they are all commented out by a
>leading "dnl" (M4 syntax). What is set active is
>
>define(`confAUTH_OPTIONS', `A')dnl
>
>From cf/README that setting says:
>
>If this option is 'A' then the AUTH= parameter for the MAIL FROM command
>is only issued when authentication succeeded. Other values (which should
>be listed one after the other without any intervening characters except
>for space or comma) are a, c, d, f, p, and y.
>See doc/op/op.me for details.
>
>A different setting of confAUTH_OPTIONS is pre-defined but commented as
>well, which will instruct Sendmail to only allow plaintext
>authentication if the connection is TLS/SSL protected, so it does not
>transport the auth credentials in readable plain text over the wire.
>That is a good and recommended choice but requires a working
>STARTTLS configuration setup as well.
>
>The other 2 pre-definitions Sendmail needs to provide AUTH as part of
>ESMTP are
>
>dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>
>As you see, they are by default commented. TRUST_AUTH_MECH is related to
>the trust_auth ruleset. The ruleset trust_auth is used to determine
>whether a given AUTH= parameter (that is passed to this ruleset) should
>be trusted. Per default, relaying is allowed for any user who
>authenticated via a "trusted" mechanism, i.e., one that is defined via
>TRUST_AUTH_MECH(`list of mechanisms'). So it is ok to set this to a full
>list of mechs which you would like to have available for advanced AUTH
>setups.
>
>The confAUTH_MECHANISMS is a list of authentication mechanisms for AUTH
>(separated by spaces). The advertised list of authentication mechanisms
>will be the intersection of this list and the list of available
>mechanisms as determined by the CYRUS SASL library. By default those
>mechs are set to GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5. To not confuse
>the clients which will try to make use of AUTH that list of auth
>mechanisms should be set to what your system really can handle. As said
>in my previous posting, using saslauthd from cyrus-sasl, you can not
>make use of DIGEST-MD5 and CRAM-MD5 due to the way those work. Using
>sasldb as a backend you on the other hand could provide -MD5 mechs.
>EXTERNAL would delegate the authentication to a different service.
>Offering GSSAPI practically means you have a working Kerberos setup.
>
>Of course you will also have to make sure that all required cyrus-sasl
>rpms are installed. I.e. for providing LOGIN and/or PLAIN you need to
>have cyrus-sasl-plain installed. For the 2 -MD5 mechs you need
>cyrus-sasl-md5.
>
>So far about the settings inside the sendmail.mc. Please install the
>sendmail-doc rpm to be able to read through the cf/README and op.me
>documents on your own. To be able to apply the changes within the sendmail.mc
>to the sendmail.cf, which is the configuration which Sendmail really is
>operating with, you need to have the sendmail-cf rpm installed.
>Then you can run "make -C /etc/mail" to get a freshly regenerated
>sendmail.cf. Or just run "service sendmail restart". This is required
>anyway to have read in the new config, and this will automatically
>detect if a change to one of the 2 .mc files has been made and whether a
>.cf regeneration is required.
>
>Alexander
>
>  
>
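
Added example, not part of the original messages and not Sendmail's own code: a small Python check that applies the rules explained in the quoted reply (the 'p' option for plaintext mechanisms, the intersection with what Cyrus SASL offers, no -MD5 mechanisms behind saslauthd) to the text of a sendmail.mc. The helper names, the `sasl_available` and `backend` parameters, and the sample inputs are assumptions made for this illustration.

```python
import re

PLAINTEXT = {"LOGIN", "PLAIN"}            # password itself crosses the wire
MD5_MECHS = {"DIGEST-MD5", "CRAM-MD5"}    # per the thread: not usable via saslauthd
DEFAULT_MECHS = {"GSSAPI", "KERBEROS_V4", "DIGEST-MD5", "CRAM-MD5"}  # default quoted in the thread

def parse_mc(text):
    """Extract the active (not dnl-commented) AUTH settings from sendmail.mc text."""
    active = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("dnl"))
    def value(pattern):
        m = re.search(pattern, active)
        return m.group(1) if m else None
    opts = value(r"define\(`confAUTH_OPTIONS',\s*`([^']*)'\)")
    trusted = value(r"TRUST_AUTH_MECH\(`([^']*)'\)")
    mechs = value(r"define\(`confAUTH_MECHANISMS',\s*`([^']*)'\)")
    return {
        "options": set(re.findall(r"[A-Za-z]", opts or "")),
        "trusted": set((trusted or "").split()),
        "mechs": set(mechs.split()) if mechs is not None else set(DEFAULT_MECHS),
    }

def lint(mc_text, sasl_available, backend):
    """Hypothetical helper: sasl_available = mechanisms Cyrus SASL offers on this host,
    backend = 'saslauthd' or 'sasldb'. Returns (advertised, relay_capable, findings)."""
    cfg = parse_mc(mc_text)
    available = set(sasl_available)
    advertised = cfg["mechs"] & available          # the intersection described in the thread
    relay_capable = advertised & cfg["trusted"]    # trusted mechanisms allow relaying
    findings = []
    if advertised & PLAINTEXT and "p" not in cfg["options"]:
        findings.append("plaintext mechanisms offered without the 'p' option")
    if backend == "saslauthd" and advertised & MD5_MECHS:
        findings.append("MD5 mechanisms offered but backend is saslauthd")
    if cfg["mechs"] - available:
        findings.append("configured but not available: " + " ".join(sorted(cfg["mechs"] - available)))
    return advertised, relay_capable, findings

# Constructed inputs: the two mechanism lines uncommented with option `A', and the
# same lines with `A p' as posted at the top of this message.
MC_A = """define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
"""
MC_A_P = MC_A.replace("`A'", "`A p'")

if __name__ == "__main__":
    for name, mc in (("A only", MC_A), ("A p", MC_A_P)):
        print(name, lint(mc, {"LOGIN", "PLAIN"}, "saslauthd"))
```

The `{"LOGIN", "PLAIN"}` set stands for a host with only cyrus-sasl-plain installed; substitute the mechanisms actually present on the server being checked.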
