Configure Linux for smtp auth (710 Views)
Reply
Valued Contributor
Posts: 411
Registered: ‎07-24-2008
Message 1 of 4 (710 Views)
Accepted Solution

Configure Linux for smtp auth

We need to configure Linux with smtp auth to send mails from our server.

Please share ateps for the same.

 

Tried editing sendmail.mc but still unable to do the same.

Recipient address rejected: Access denied ....Our mail guy saying you need to configure sendmail with authentication .

 

[root@yumSRV ~]# uname -a
Linux yumSRV 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux

Honored Contributor
Posts: 6,271
Registered: ‎12-02-2001
Message 2 of 4 (680 Views)

Re: Configure Linux for smtp auth

Based on your kernel version number, you seem to be running RHEL 6.3.


Any changes to sendmail.mc will only take effect if both these conditions are true:

  • the sendmail-cf package is installed, and
  • you have run "make" in /etc/mail directory after editing sendmail.mc

This is because sendmail.mc is not actually used by sendmail directly: instead, it is used by the m4 macro processor to create a new sendmail.cf, using bits and pieces of configuration provided by the sendmail-cf package.

 

The "standard" way to create a new sendmail.cf is to run something like "m4 sendmail.mc > sendmail.cf" in the directory that contains the contents of the sendmail-cf package, but RedHat has made this easier for you. Running "make" in /etc/mail will do the right thing automatically.

 

(If you have previously edited sendmail.cf directly, it is better to move all your customizations to sendmail.mc instead. Your old modified sendmail.cf will be renamed to sendmail.cf.bak, so you can compare it to the new one to see the differences.)

 

This page from sendmail.org has the steps for configuring authentication for Sendmail:

http://www.sendmail.org/~ca/email/auth.html

Please look at the chapter titled "Using sendmail as a client with AUTH".

Note that in step 6 you should use the RedHat specific procedure instead of standard sendmail.org procedure:

6. Generate sendmail.cf:

  # cd /etc/mail
  # make
  

 

MK
Valued Contributor
Posts: 411
Registered: ‎07-24-2008
Message 3 of 4 (659 Views)

Re: Configure Linux for smtp auth

Hi Matti ,

 

We have tried make option too.

Even then its the same , recipient address rejected .  

:( 

 

sendmailcf package also is installed.

Anything to be done at Mail server end ?

They are saying you just have to configure smtp with authentication , we have given our login credentials, even after configuring the same , its still ecipient address rejected .  ( whitelisting done for that server too from where we are sending mails )

Honored Contributor
Posts: 6,271
Registered: ‎12-02-2001
Message 4 of 4 (646 Views)

Re: Configure Linux for smtp auth

Authentication without encryption is just a way to give away your login credentials to anyone who might be snooping your network traffic. Most ISPs today recognize that this is a bad idea.

 

So, you will probably have to make sure your sendmail will attempt encrypted connections whenever the remote server will support them.

 

You can verify this requirement by doing some simple tests. First, use telnet to open a plain unencrypted connection to the mail server's SMTP port:

[root@yumSRV ~]# telnet your-mailserver 25

 The response should include a line like this:

220 <mail.server.full.name> ESMTP <mail_server_software_info>

 You should type a response like this (replace <yumSRV.full.name> with the actual fully-qualified DNS hostname of your yumSRV host):

EHLO <yumSRV.full.name>

 The next response is the important one. It will probably include multiple lines, each starting with result code "250".

For each line except the last one, the result code will have a minus sign after it; for the last line, there will be a space character instead. After that, each line will have some keywords. If authentication is supported (without encryption), there will be a line with the "AUTH" keyword and the list of supported authentication types. For example, this line indicates that DIGEST-MD5 and CRAM-MD5 authentication types are supported:

250-AUTH DIGEST-MD5 CRAM-MD5

 If there is no line with the AUTH keyword, but instead a line like this:

250-STARTTLS

then the mail server supports TLS encryption and probably will not allow any (or only a very limited set of) authentication options unless an encrypted session is established first.

Type "quit" and press Enter to end the connection to the mail server.

 

With the OpenSSL command line tools, you can actually test an encrypted connection too.

Instead of using the telnet command, run this command:

[root@yumSRV ~]# openssl s_client -connect your-mailserver:25 -starttls smtp

 Now, you'll first get a lot of SSL/TLS information from OpenSSL, and then a response from the mail server. The mail server's response will probably be prefixed with the result code "250", and it might be shorter than with the telnet test.

When I tried this with my mail server, the response was just:

250 DSN

 You should again type a response like this:

EHLO <yumSRV.full.name>

 Again, the mail server will output a multi-line response. If the response now includes a line with the AUTH keyword, you have confirmed that the server will only accept authentication if encryption is used too.

 

Example: when an encrypted connection is used, my mail server will accept a wider variety of authentication types:

250 DSN
ehlo my.full.hostname
250-mail.server.full.hostname
250-PIPELINING
250-SIZE 102400000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit

 

If you get an error message from OpenSSL when trying to establish an encrypted connection, it might mean that the mail server requires your host to have a SSL certificate too. Please post the error message for further analysis in that case.

 

If the unencrypted EHLO response from the mail server does not include the STARTTLS keyword, then the mail server will not accept encrypted connections in port 25; another port should be used instead for encrypted connections. You can try port 465 (the port for SSL-encrypted SMTP connections) instead. Note that the -starttls option should not be used here:

# openssl s_client your-mailserver:465
[... information about the SSL certificate...]
220 <mail-server.full.name> ESMTP <mail-server-software-info>
ehlo <my.host.full.name>
250-<mail-server.full.name>
250-PIPELINING
250-SIZE 102400000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit

 Or if connections to port 465 are refused, you can try connecting to port 587. Like port 25, traffic to port 587 can be plaintext or encrypted, and the available authentication types can depend on whether encryption is used or not. The protocol is basically identical to SMTP in port 25, so use commands like these to establish a connection and then proceed as with port 25:

[root@yumSRV ~]# telnet your-mailserver 587

or

[root@yumSRV ~]# openssl s_client -connect your-mailserver:587 -starttls smtp

 

You should attempt to find out:

  • which port(s) are available for SMTP traffic in your mail server: just 25 or maybe 465 and/or 587 too?
  • does the mail server require encryption before allowing authentication in ports 25 or 587? (the port 465 will always require encryption)
  • which authentication type(s) are supported by the mail server?
  • is certificate-based authentication required by the mail server? (unlikely but possible)

Once you know these things, it will be much easier to suggest the necessary configuration changes.

MK
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.