Smtp Auth Failure

am 26.01.2008 01:11:32 von Jim G

I am trying to set up SMTP auth for all of the employees in my office. The
list of relay-domains IPs is getting rather large, seeing as a lot of people are
not on static IPs. I followed the instructions on this page:

http://www.joreybump.com/code/howto/smtpauth.html

And I am still getting "relaying denied" in Outlook when I remove my IP from
relay-domains. I am using sendmail 8.14.1 on a FC6 server. I purchased an SSL
cert for this and named the file mail.crt. Here is the section in my
sendmail.mc where I set up smtp_auth.

dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
define(`confAUTH_OPTIONS',`A p y')
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS',`LOGIN PLAIN')
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /usr/share/ssl/certs usage
dnl #
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/mail/certs/mail.crt')dnl
define(`confSERVER_KEY', `/etc/mail/certs/mail.key')dnl
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readable by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl

Anyone have any ideas? And yes saslauth is running.

Thanks
Jim

Re: Smtp Auth Failure

am 26.01.2008 03:46:02 von Outsider

"Jim G" wrote in
news:479a7ada$0$6132$4c368faf@roadrunner.com:

> I am trying to set up SMTP auth for all of the employees in my office.
> The list of relay-domains IPs is getting rather large, seeing as a lot of
> people are not on static IPs. I followed the instructions on this
> page:
>
> http://www.joreybump.com/code/howto/smtpauth.html
>
> And I am still getting "relaying denied" in Outlook when I remove my IP
> from relay-domains. I am using sendmail 8.14.1 on a FC6 server. I
> purchased an SSL cert for this and named the file mail.crt. Here is the
> section in my sendmail.mc where I set up smtp_auth.
>
> dnl # The following allows relaying if the user authenticates, and disallows
> dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
> dnl #
> define(`confAUTH_OPTIONS',`A p y')
> dnl #
> dnl # PLAIN is the preferred plaintext authentication method and used by
> dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
> dnl # use LOGIN. Other mechanisms should be used if the connection is not
> dnl # guaranteed secure.
> dnl # Please remember that saslauthd needs to be running for AUTH.
> dnl #
> TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS',`LOGIN PLAIN')
> dnl #
> dnl # Rudimentary information on creating certificates for sendmail TLS:
> dnl # cd /usr/share/ssl/certs; make sendmail.pem
> dnl # Complete usage:
> dnl # make -C /usr/share/ssl/certs usage
> dnl #
> define(`confCACERT_PATH', `/etc/mail/certs')dnl
> define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
> define(`confSERVER_CERT', `/etc/mail/certs/mail.crt')dnl
> define(`confSERVER_KEY', `/etc/mail/certs/mail.key')dnl
> dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
> dnl # slapd, which requires the file to be readable by group ldap
> dnl #
> dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
> dnl #
> dnl define(`confTO_QUEUEWARN', `4h')dnl
> dnl define(`confTO_QUEUERETURN', `5d')dnl
> dnl define(`confQUEUE_LA', `12')dnl
> dnl define(`confREFUSE_LA', `18')dnl
> define(`confTO_IDENT', `0')dnl
> dnl FEATURE(delay_checks)dnl
> FEATURE(`no_default_msa', `dnl')dnl
> FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
> FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
> FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
> FEATURE(redirect)dnl
> FEATURE(always_add_domain)dnl
> FEATURE(use_cw_file)dnl
> FEATURE(use_ct_file)dnl
>
> Anyone have any ideas? And yes saslauth is running.
>
> Thanks
> Jim
>
>


Not an expert, but do you have something like one of these? I would think
you need one.


DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

DAEMON_OPTIONS(`Port=smtps, Name=MTAS, M=Eas')dnl


The "a" modifier requires authentication.

Don't do this on the SMTP port (25).

Re: Smtp Auth Failure

am 26.01.2008 03:55:52 von Outsider

Outsider wrote in
news:Xns9A30DD6F2D20Coutsideroutnet@69.28.186.158:

> "Jim G" wrote in
> news:479a7ada$0$6132$4c368faf@roadrunner.com:
>
>> I am trying to set up SMTP auth for all of the employees in my office.
>> The list of relay-domains IPs is getting rather large, seeing as a lot of
>> people are not on static IPs. I followed the instructions on this
>> page:
>>
>> http://www.joreybump.com/code/howto/smtpauth.html
>>
>> And I am still getting "relaying denied" in Outlook when I remove my IP
>> from relay-domains. I am using sendmail 8.14.1 on a FC6 server. I
>> purchased an SSL cert for this and named the file mail.crt. Here is
>> the section in my sendmail.mc where I set up smtp_auth.
>>
>> dnl # The following allows relaying if the user authenticates, and disallows
>> dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
>> dnl #
>> define(`confAUTH_OPTIONS',`A p y')
>> dnl #
>> dnl # PLAIN is the preferred plaintext authentication method and used by
>> dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
>> dnl # use LOGIN. Other mechanisms should be used if the connection is not
>> dnl # guaranteed secure.
>> dnl # Please remember that saslauthd needs to be running for AUTH.
>> dnl #
>> TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
>> define(`confAUTH_MECHANISMS',`LOGIN PLAIN')
>> dnl #
>> dnl # Rudimentary information on creating certificates for sendmail TLS:
>> dnl # cd /usr/share/ssl/certs; make sendmail.pem
>> dnl # Complete usage:
>> dnl # make -C /usr/share/ssl/certs usage
>> dnl #
>> define(`confCACERT_PATH', `/etc/mail/certs')dnl
>> define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
>> define(`confSERVER_CERT', `/etc/mail/certs/mail.crt')dnl
>> define(`confSERVER_KEY', `/etc/mail/certs/mail.key')dnl
>> dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
>> dnl # slapd, which requires the file to be readable by group ldap
>> dnl #
>> dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
>> dnl #
>> dnl define(`confTO_QUEUEWARN', `4h')dnl
>> dnl define(`confTO_QUEUERETURN', `5d')dnl
>> dnl define(`confQUEUE_LA', `12')dnl
>> dnl define(`confREFUSE_LA', `18')dnl
>> define(`confTO_IDENT', `0')dnl
>> dnl FEATURE(delay_checks)dnl
>> FEATURE(`no_default_msa', `dnl')dnl
>> FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
>> FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
>> FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
>> FEATURE(redirect)dnl
>> FEATURE(always_add_domain)dnl
>> FEATURE(use_cw_file)dnl
>> FEATURE(use_ct_file)dnl
>>
>> Anyone have any ideas? And yes saslauth is running.
>>
>> Thanks
>> Jim
>>
>>
>
>
> Not an expert, but do you have something like one of these? I would
> think you need one.
>
>
> DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
>
> DAEMON_OPTIONS(`Port=smtps, Name=MTAS, M=Eas')dnl
>
>
> The "a" modifier requires authentication.
>
> Don't do this on the SMTP port (25).
>
>
>
>


I think you need to disable the default options for the MSA port ahead of
the above, like this:

FEATURE(`no_default_msa')dnl

Re: Smtp Auth Failure

am 26.01.2008 05:47:36 von Jim G

"Outsider" wrote in message
news:Xns9A30DD6F2D20Coutsideroutnet@69.28.186.158...
> "Jim G" wrote in
> news:479a7ada$0$6132$4c368faf@roadrunner.com:
>
>> I am trying to set up SMTP auth for all of the employees in my office.
>> The list of relay-domains IPs is getting rather large, seeing as a lot of
>> people are not on static IPs. I followed the instructions on this
>> page:
>>
>> http://www.joreybump.com/code/howto/smtpauth.html
>>
>> And I am still getting "relaying denied" in Outlook when I remove my IP
>> from relay-domains. I am using sendmail 8.14.1 on a FC6 server. I
>> purchased an SSL cert for this and named the file mail.crt. Here is the
>> section in my sendmail.mc where I set up smtp_auth.
>>
>> dnl # The following allows relaying if the user authenticates, and disallows
>> dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
>> dnl #
>> define(`confAUTH_OPTIONS',`A p y')
>> dnl #
>> dnl # PLAIN is the preferred plaintext authentication method and used by
>> dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
>> dnl # use LOGIN. Other mechanisms should be used if the connection is not
>> dnl # guaranteed secure.
>> dnl # Please remember that saslauthd needs to be running for AUTH.
>> dnl #
>> TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
>> define(`confAUTH_MECHANISMS',`LOGIN PLAIN')
>> dnl #
>> dnl # Rudimentary information on creating certificates for sendmail TLS:
>> dnl # cd /usr/share/ssl/certs; make sendmail.pem
>> dnl # Complete usage:
>> dnl # make -C /usr/share/ssl/certs usage
>> dnl #
>> define(`confCACERT_PATH', `/etc/mail/certs')dnl
>> define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
>> define(`confSERVER_CERT', `/etc/mail/certs/mail.crt')dnl
>> define(`confSERVER_KEY', `/etc/mail/certs/mail.key')dnl
>> dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
>> dnl # slapd, which requires the file to be readable by group ldap
>> dnl #
>> dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
>> dnl #
>> dnl define(`confTO_QUEUEWARN', `4h')dnl
>> dnl define(`confTO_QUEUERETURN', `5d')dnl
>> dnl define(`confQUEUE_LA', `12')dnl
>> dnl define(`confREFUSE_LA', `18')dnl
>> define(`confTO_IDENT', `0')dnl
>> dnl FEATURE(delay_checks)dnl
>> FEATURE(`no_default_msa', `dnl')dnl
>> FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
>> FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
>> FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
>> FEATURE(redirect)dnl
>> FEATURE(always_add_domain)dnl
>> FEATURE(use_cw_file)dnl
>> FEATURE(use_ct_file)dnl
>>
>> Anyone have any ideas? And yes saslauth is running.
>>
>> Thanks
>> Jim
>>
>>
>
>
> Not an expert, but do you have something like one of these? I would think
> you need one.
>
>
> DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
>
> DAEMON_OPTIONS(`Port=smtps, Name=MTAS, M=Eas')dnl
>
>
> The "a" modifier requires authentication.
>
> Don't do this on the SMTP port (25).
>
>
>

I have this in my sendmail.mc:

DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl

and this for port 587 as an alternate port, as some people cannot send through
their ISP:

DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

Jim

Re: Smtp Auth Failure

am 26.01.2008 12:39:00 von Outsider

>>
>
> I have this in my sendmail.mc:
>
> DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
>
> and this for port 587 as an alternate port, as some people cannot send
> through their ISP:
>
> DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
>
> Jim
>
>

You may still need

FEATURE(`no_default_msa')dnl

to stop the MSA default settings,

and, of course, you need to aim your client at 587, since only it is looking
for authentication per the M=a. If your client sends to 25, it will not ask
for authentication. You also need to have configured saslauth for an auth
mechanism. The saslauthd man page is pretty good for that. You can do a
ps -ef | grep saslauthd to see how it was run. If you have all of this, you
should post the log entries that result when you connect and are not
challenged by the server.

Re: Smtp Auth Failure

am 26.01.2008 23:55:49 von per

In article Outsider
writes:
>
>and, of course, you need to aim your client at 587, since only it is looking
>for authentication per the M=a. If your client sends to 25, it will not ask
>for authentication.

No, M=a *requires* authentication. If the general auth/sasl stuff has
been set up right, AUTH will be *offered* regardless of M=a, which means
that a MUA that has been told to authenticate will attempt it.

--Per Hedeland
per@hedeland.org
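Per's distinction (AUTH is offered whenever SASL is set up; M=a only makes it mandatory) can be verified from the client side by reading the EHLO reply before and after STARTTLS. The following is an added example, not code from this thread: it parses EHLO replies and checks that, as the `A p y` in Jim's `confAUTH_OPTIONS` intends, PLAIN/LOGIN are advertised only once TLS is up. The two captures are constructed, and the host passed to `audit_live` is an assumption.

```python
import re
import smtplib
import ssl

# Constructed EHLO replies (not captured from Jim's server) for a sendmail MSA
# with confAUTH_OPTIONS `A p y`: plaintext mechanisms appear only after STARTTLS.
EHLO_BEFORE_TLS = """250-mail.example.com Hello [192.0.2.10], pleased to meet you
250-8BITMIME
250-STARTTLS
250 HELP"""
EHLO_AFTER_TLS = """250-mail.example.com Hello [192.0.2.10], pleased to meet you
250-8BITMIME
250-AUTH LOGIN PLAIN
250 HELP"""

def parse_ehlo(reply: str) -> dict:
    """Map EHLO keywords to parameters, e.g. {'AUTH': ['LOGIN', 'PLAIN']}.
    Accepts raw '250-...' lines or smtplib's code-stripped ehlo_resp text."""
    exts = {}
    for line in reply.splitlines()[1:]:               # line 0 is the greeting
        parts = re.sub(r"^\d{3}[- ]", "", line).split()
        if parts:
            exts[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return exts

def audit_auth_offer(before_tls: dict, after_tls: dict) -> list:
    """Findings against the intent of `A p y`; an empty list means it looks right."""
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not offered, so PLAIN/LOGIN can never be protected")
    if {"PLAIN", "LOGIN"} & set(before_tls.get("AUTH", [])):
        findings.append("PLAIN/LOGIN advertised before TLS: the `p` option is not in effect")
    if "AUTH" not in after_tls:
        findings.append("no AUTH after TLS: check saslauthd and confAUTH_MECHANISMS")
    return findings

def audit_live(host: str, port: int = 587) -> list:
    """Run the same audit against a real MSA (needs network; not used by the test)."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = parse_ehlo(s.ehlo_resp.decode())
        s.starttls(context=ssl.create_default_context())
        s.ehlo()                                      # extension list changes after TLS
        after = parse_ehlo(s.ehlo_resp.decode())
    return audit_auth_offer(before, after)
```

`audit_live("mail.example.com")` returns the same kind of finding list for a live submission port; an empty list means plaintext AUTH is only reachable over TLS.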

Re: Smtp Auth Failure

am 27.01.2008 02:40:02 von Outsider

per@hedeland.org (Per Hedeland) wrote in
news:fngdpl$166d$1@hedeland.org:

> In article Outsider
> writes:
>>
>>and, of course, you need to aim your client at 587, since only it is
>>looking for authentication per the M=a. If your client sends to 25, it
>>will not ask for authentication.
>
> No, M=a *requires* authentication. If the general auth/sasl stuff has
> been set up right, AUTH will be *offered* regardless of M=a, which
> means that a MUA that has been told to authenticate will attempt it.
>
> --Per Hedeland
> per@hedeland.org
>

I never realized that. From home I can't go out on port 25 so I never
noticed it offered auth. I always _assumed_ if it was not required it was
not offered but I know what happens when one assumes!

Andy