
Date:  Mon, 29 May 2006 09:05:35 +0200
From:  Tom Müller-Kortkamp <tmueko (at mark) kommunity.net>
Subject:  [coba-e:05440] Re: Authentication required on port 587 submission
To:  coba-e (at mark) bluequartz.org
Message-Id:  <3E873F5F-5B66-493E-865A-F685C05B9A59 (at mark) kommunity.net>
In-Reply-To:  <200605242337.15034.lesmith (at mark) ecsis.net>
References:  <002c01c67f99$3e376760$6500a8c0 (at mark) COMPUTER8SD7ER2> <200605242234.03942.lesmith (at mark) ecsis.net> <200605242337.15034.lesmith (at mark) ecsis.net>
X-Mail-Count: 05440


On 25.05.2006 at 06:37, Larry Smith wrote:

> On Wednesday 24 May 2006 22:34, Larry Smith wrote:
>> On Wednesday 24 May 2006 20:19, Darrell D. Mobley wrote:
>>> I use port 587 to get around my ISP's port 25 block.  You need me to
>>> check how my Outlook settings are configured?
>>>
>>>> -----Original Message-----
>>>> From: ernie [mailto:ernie (at mark) info.eis.net.au]
>>>> Sent: Wednesday, May 24, 2006 8:08 PM
>>>> To: coba-e (at mark) bluequartz.org
>>>> Subject: [coba-e:05376] Re: Authentication required on port 587
>>>> submission
>>>>
>>>>
>>>> That would probably work, though the solution I am looking for is how
>>>> to adjust the sendmail.mc to make the submission port use either the
>>>> POP before SMTP like port 25 does, or get the username and password
>>>> that you fill in for the SMTP server in Outlook etc. to work with it.
>>>>
>>>> - Ernie.
>>>>
>>>>
>>>> On Wed, 24 May 2006 12:49:42 -0700, "Ken Marcus - Precision Web
>>>> Hosting, Inc." <kenmarcus (at mark) precisionweb.net> wrote:
>>>>> Ernie Wrote:
>>>>>> I am trying to get port 587 submission service working on a BQ box.
>>>>>> I put the following two lines into the sendmail.mc and installed the
>>>>>> resulting sendmail.cf file:
>>>>>>
>>>>>>  DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
>>>>>>  DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
>>>>>>
>>>>>>
>>>>>> Now sendmail quite happily responds on port 587 as well as port 25
>>>>>> but on port 587 it expects some form of authentication. I have tried
>>>>>> setting usernames and passwords in Outlook etc. with no luck and it
>>>>>> seems to ignore the pop before smtp setup that works fine on port
>>>>>> 25.
>>>>>>
>>>>>> Does anyone know how to get this running?
>>>>>>
>>>>>> - Ernie.
>>>>>
>>>>> What about using something like:
>>>>> http://freshmeat.net/projects/portfwd/?branch_id=8271&release_id=197448
>>>>> to direct port 587 to port 25
>>>>>
>>>>>
>>>>> --
>>
>> Ok, first off, the daemon options you are using
>>
>>> DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
>>
>> the "a" after M=Ea tells sendmail to use authenticated sessions only.  The
>> E says to not accept ETRN commands.
>> Reference
>> http://www.sendmail.org/~gshapiro/8.10.Training/DaemonPortOptions.html
>> for an explanation of the options and what they do.
>>
>> Two, for this to work as "designed", you must (read _must_) also have
>> saslauthd configured and running, and probably on the BQ boxes will have to
>> change it to use pam authentication vice the default of shadow (since BQ
>> does not use the shadow file for regular accounts).  Believe this is
>> something like what is described at
>> http://devhen.wordpress.com/2006/05/01/howto-sendmail-smtp-auth/
>>
>> While simply listening on port 587 works (no authentication) the real
>> purpose of port 587 (called smtp-auth or submission) is to do away with
>> things like popb4smtp and poprelayd programs and such and also means that
>> users (read that customers) don't have the problem with Outlook getting an
>> error on the first send (since it tries to send mail first, then read mail)
>> like it does with poprelayd; and is also much more "secure" (relative)
>> since you get an entry in the email headers that tells you who
>> authenticated to send that particular message so if you get spam reports,
>> you just look at the header, nuke the user, problem solved....
>
> Poor taste normally, but followup to my own.
>
> Just did this on my BQ box - edited sendmail.mc (added port 587,
> submission/smtp-auth), run make -C /etc/mail against the new sendmail.mc,
> edited /etc/sysconfig/saslauthd to make sure MECH=pam; started saslauthd
> (/etc/rc.d/init.d/saslauthd start); created dummy certificates (cd
> /usr/share/ssl/certs, edit make-dummy-certs changing state, town, etc as
> appropriate) sh make-dummy-certs sendmail; move/copy file sendmail to
> sendmail.pem; restart sendmail with new sendmail.cf file from above and sent
> messages on port 587.  First try, correct username and password (mine from
> server), second try changed password and got an authentication failure (using
> suse linux and kmail).
>
> -- 
> Larry Smith
> SysAd ECSIS.NET
> sysad (at mark) ecsis.net
>
>
>
Some more things to mention:

Add "HACK(popauth)dnl" at the end of sendmail.mc to get pop-before-relay
working.

You may also want to define the allowed Authentication-Modules:

TRUST_AUTH_MECH(`EXTERNAL LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL LOGIN PLAIN')

(I disabled MD5, because I don't use saslpw)


tmueko
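
Added example, not part of the original thread: a check for the setup discussed above, where port 587 runs with M=Ea and only LOGIN and PLAIN are trusted. It parses the EHLO reply of the submission port and reports when those base64-only mechanisms are advertised before STARTTLS. The sample replies and the hostnames in them are constructed.

```python
import re

# Mechanisms whose credentials cross the wire as reversible base64.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample replies (hostnames are placeholders, not from the thread).
EHLO_CLEAR_WEAK = """250-mail.example.test Hello client.example.test
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-AUTH LOGIN PLAIN
250-STARTTLS
250 HELP"""
EHLO_CLEAR_STRICT = """250-mail.example.test Hello client.example.test
250-ENHANCEDSTATUSCODES
250-STARTTLS
250 HELP"""
EHLO_TLS_STRICT = """250-mail.example.test Hello client.example.test
250-ENHANCEDSTATUSCODES
250-AUTH EXTERNAL LOGIN PLAIN
250 HELP"""

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    ext = {}
    for line in reply.strip().splitlines()[1:]:  # line 1 is the greeting
        m = re.match(r"250[- ](\S+)(.*)", line.strip())
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        params = [p.upper() for p in m.group(2).split()]
        ext.setdefault(m.group(1).upper(), []).extend(params)
    return ext

def audit_submission(ehlo_clear, ehlo_tls=None):
    """Return findings for a submission port from its EHLO replies."""
    findings = []
    clear = parse_ehlo(ehlo_clear)
    exposed = sorted(set(clear.get("AUTH", [])) & PLAINTEXT_MECHS)
    if exposed:
        findings.append("plaintext AUTH before TLS: " + " ".join(exposed))
    if "STARTTLS" not in clear:
        findings.append("STARTTLS not advertised")
    # AUTH must be reachable somewhere, or M=Ea leaves the port unusable.
    final = parse_ehlo(ehlo_tls) if ehlo_tls is not None else clear
    if not final.get("AUTH"):
        findings.append("no AUTH mechanisms advertised")
    return findings
```

Sendmail's `p` flag in `confAUTH_OPTIONS` withholds PLAIN and LOGIN until a security layer such as STARTTLS is active, which produces the second, strict shape of reply.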