sendmail and SMTP_AUTH on RH8

Status
Not open for further replies.

rnovick

MIS
Apr 14, 2003
3
US
Hello All,

I have been administering a RH8 sendmail server for about eight months, now. Since we have distributed offices, I had been handling mail relay by specifying trusted IPs in the access database. This has become a bit cumbersome, and I realize that these IPs can be spoofed by anyone. So, I've been looking for a way to have MUAs present some kind of username-password authenticating mechanism (a dialog, basically) when people are sending mail through my server. Reading up a little on this has led me to consider activating SMTP_AUTH. The documentation at sendmail.org is pretty confusing to me, and before I start digging in, I wanted to ask the advice of a couple forums. My questions are:

- Is the sendmail included with RH8 already precompiled with the SMTP_AUTH capability? If I can avoid recompiling, I'd like to.

- Will activating SMTP_AUTH result in password-authentication dialogs being thrown up on the sending user's MUA for each message sent to my sendmail server?

- I have to support Netscape 4.71 for my Solaris (x86 & SPARC) folks, and the list of MUAs that support SMTP_AUTH on sendmail.org is choked with question marks. How confident can I be that their MUAs will be able to handle an activation of SMTP_AUTH?

... and ...

- Is there some kind of idiot-proof howto out there for setting up SMTP_AUTH? I realize that I need a little handholding and troubleshooting assistance, and I want to avoid as many potential mistakes as possible.

I know that's a lot of stuff to ask. I'd appreciate any advice folks might have.

Many thanks,
-- Randy
 
My understanding of SMTP_AUTH is that the receiving server does a DNS MX lookup of the sending server to verify that the IP it's connecting from is indeed the server when it identifies itself by host.domainname at smtp connection time.

If this is the case then it's not what you are after if you want to use user/password authentication. But the connecting server will have to get both hostname and IP right before email will be accepted, so even if the sending server spoofs the IP correctly it will be highly unlikely they will go to the effort to change the host.domainname as well.

If you are worried that your mail server will be used as a relay server then you should look at other ways to prevent it. The most common would be to use the built-in anti-relay bits of sendmail to not allow relaying mail for other domain names but your own.

On the version of sendmail on RH8 there should be an entry in the sendmail.cf for SMTP_AUTH, it is possible that it's commented out.

Hope this helps a bit.

IBM Certified Confused - MQSeries
IBM Certified Flabbergasted - AIX 5 pSeries System Administration
 
Hi,
I have an almost similar problem. I have my mail server, CommuniGate, behind a firewall that intercepts every incoming SMTP session and acts on behalf of the mail server. The FW MTA is SendMail, and it's configured so that if the mail is for the local domain it forwards it to the local mail server(s); if not, it sends it outside to its destination.
All works fine for local users on the LAN, since the FW is treating LAN IPs as trusted IPs, but the problem is when remote users try to send email: they can't, and enabling the domain relay check and the reply-to is not secure enough.
I have SMTP authentication enabled on CommuniGate and tested OK from inside the LAN, but when remote/mobile users try that they are actually talking to the FW and not CommuniGate, which does not work.
Can Sendmail be configured to "pass" the SMTP AUTH to another SMTP server? Where can I find examples of that?


Thanks in advance...
Javatizer
 
Why don't you take a look at 'pop-before-smtp'?


The way this works is that when your "users" are authenticated via <uid/passwd>, their IP gets logged and is allowed for a set period of time (the default is 30 min), after which their IP is deleted and the IP is again blocked until they check mail.


Hope this helps

KC
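
The expiring-IP mechanism described in the post above, sketched as an added example (not part of the original thread and not the pop-before-smtp project's own code). The log line format, the sample log and the names `RelayWindow`, `build` and `may_relay` are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # the default window mentioned in the post

# Constructed log format (assumption, not a real daemon's format):
#   <ISO timestamp> pop3 login <ok|failed> user=<name> ip=<address>
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) pop3 login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample input, using documentation-range addresses.
SAMPLE_LOG = """\
2003-04-14T09:00:00 pop3 login ok user=alice ip=198.51.100.7
2003-04-14T09:05:00 pop3 login failed user=bob ip=203.0.113.9
2003-04-14T09:20:00 pop3 login ok user=alice ip=198.51.100.7
unparseable line, ignored
"""

class RelayWindow:
    """Tracks which client IPs may relay, based on successful POP3 logins."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.expires = {}  # ip -> datetime after which relaying is refused

    def feed(self, line):
        m = LOGIN_RE.match(line.strip())
        if not m or m["result"] != "ok":
            return  # failed logins and junk lines never grant relay rights
        ts = datetime.fromisoformat(m["ts"])
        # A fresh login restarts the window for that address.
        self.expires[m["ip"]] = ts + self.window

    def may_relay(self, ip, now):
        # Delete expired entries first, as the post describes.
        for old in [a for a, exp in self.expires.items() if exp <= now]:
            del self.expires[old]
        return ip in self.expires

def build(log_text):
    rw = RelayWindow()
    for line in log_text.splitlines():
        rw.feed(line)
    return rw
```

The grant is keyed on the IP address alone, so every client behind that address can relay until the entry expires.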
 