Mark Weaver
2017-Mar-09 00:09 UTC
[CentOS] Up to date guide/information Sendmail SMTP Auth
On 03/08/2017 06:42 PM, Paul Heinlein wrote:
> On Wed, 8 Mar 2017, Mark Weaver wrote:
>
> > On 03/08/2017 11:00 AM, Paul Heinlein wrote:
> >> On Wed, 8 Mar 2017, Mark Weaver wrote:
> >>
> >> > Hello all,
> >> >
> >> > I've been googling my brains out since yesterday looking for
> >> > up-to-date information on this matter, and have found
> >> > information that is anywhere from 15 to 5 years old. I'd really
> >> > like some information that is much more up to date on the subject.
> >> > Specifically configuring Sendmail SMTP authentication (_no smart
> >> > host stuff_).
> >>
> >> I wrote this article years ago:
> >>
> >> https://www.madboa.com/geek/sendmail-auth/
> >>
> >> The configuration outlined there is essentially unchanged today. I
> >> have it running on a CentOS 7 machine with sendmail 8.14.
> >>
> >> The only real change is the SOCKETDIR setting in
> >> /etc/sysconfig/saslauthd, which is now /run/saslauthd (rather than
> >> /var/run/saslauthd). And, of course, I use systemctl rather
> >> than chkconfig to control boot-time behavior.
> >
> > Hi Paul,
> >
> > I followed your guide to the letter, however I think it seems I
> > missed something. When I test with telnet to port 25 this is the
> > result:
> >
> >> telnet merlin 25
> > Trying 10.10.3.6...
> > Connected to merlin.ciss.local.
> > Escape character is '^]'.
> > 220 mdw1982.com ESMTP Sendmail 8.14.7/8.13.8; Wed, 8 Mar 2017 16:53:31 -0500
> > ehlo merlin
> > 250-mdw1982.com Hello [10.10.3.102], pleased to meet you
> > 250-ENHANCEDSTATUSCODES
> > 250-PIPELINING
> > 250-8BITMIME
> > 250-SIZE
> > 250-DSN
> > 250-ETRN
> > 250-DELIVERBY
> > 250 HELP
> >> auth login
> > 504 5.3.3 AUTH mechanism login not available
> >
> > thoughts?
>
> Many. :-)
>
> Check your mail log for clues.
>
> Ensure you have a valid SSL certificate and key. Sendmail is touchy
> about permissions on the key file. Try googling for
> confDONT_BLAME_SENDMAIL and GroupReadableKeyFile.
>
> Make sure saslauthd is configured and running.
>
> Compile your .mc (m4) file with the macros distributed with the
> version of sendmail you're actually running. This line suggests you're
> not:
>
> mdw1982.com ESMTP Sendmail 8.14.7/8.13.8
>
> That's a first stab at things to try.
>

I fixed the version mis-match by installing sendmail-cf package and recompiling sendmail.mc. saslauthd is running and configured according to your specs. So, I'm not sure what's missing.
Mark Weaver
2017-Mar-09 01:20 UTC
[CentOS] Up to date guide/information Sendmail SMTP Auth
On 03/08/2017 07:09 PM, Mark Weaver wrote:
> On 03/08/2017 06:42 PM, Paul Heinlein wrote:
> > On Wed, 8 Mar 2017, Mark Weaver wrote:
> >
> > > On 03/08/2017 11:00 AM, Paul Heinlein wrote:
> > >> On Wed, 8 Mar 2017, Mark Weaver wrote:
> > >>
> > >> > Hello all,
> > >> >
> > >> > I've been googling my brains out since yesterday looking for
> > >> > up-to-date information on this matter, and have found
> > >> > information that is anywhere from 15 to 5 years old. I'd really
> > >> > like some information that is much more up to date on the subject.
> > >> > Specifically configuring Sendmail SMTP authentication (_no smart
> > >> > host stuff_).
> > >>
> > >> I wrote this article years ago:
> > >>
> > >> https://www.madboa.com/geek/sendmail-auth/
> > >>
> > >> The configuration outlined there is essentially unchanged today. I
> > >> have it running on a CentOS 7 machine with sendmail 8.14.
> > >>
> > >> The only real change is the SOCKETDIR setting in
> > >> /etc/sysconfig/saslauthd, which is now /run/saslauthd (rather than
> > >> /var/run/saslauthd). And, of course, I use systemctl rather
> > >> than chkconfig to control boot-time behavior.
> > >
> > > Hi Paul,
> > >
> > > I followed your guide to the letter, however I think it seems I
> > > missed something. When I test with telnet to port 25 this is the
> > > result:
> > >
> > >> telnet merlin 25
> > > Trying 10.10.3.6...
> > > Connected to merlin.ciss.local.
> > > Escape character is '^]'.
> > > 220 mdw1982.com ESMTP Sendmail 8.14.7/8.13.8; Wed, 8 Mar 2017 16:53:31 -0500
> > > ehlo merlin
> > > 250-mdw1982.com Hello [10.10.3.102], pleased to meet you
> > > 250-ENHANCEDSTATUSCODES
> > > 250-PIPELINING
> > > 250-8BITMIME
> > > 250-SIZE
> > > 250-DSN
> > > 250-ETRN
> > > 250-DELIVERBY
> > > 250 HELP
> > >> auth login
> > > 504 5.3.3 AUTH mechanism login not available
> > >
> > > thoughts?
> >
> > Many. :-)
> >
> > Check your mail log for clues.
> >
> > Ensure you have a valid SSL certificate and key. Sendmail is touchy
> > about permissions on the key file. Try googling for
> > confDONT_BLAME_SENDMAIL and GroupReadableKeyFile.
> >
> > Make sure saslauthd is configured and running.
> >
> > Compile your .mc (m4) file with the macros distributed with the
> > version of sendmail you're actually running. This line suggests you're
> > not:
> >
> > mdw1982.com ESMTP Sendmail 8.14.7/8.13.8
> >
> > That's a first stab at things to try.
> >
> I fixed the version mis-match by installing sendmail-cf package and
> recompiling sendmail.mc. saslauthd is running and configured according to
> your specs. So, I'm not sure what's missing.

Still googling around and found some things that appear to be missing from the sendmail config, but when I test saslauthd it doesn't appear to be working.

testsaslauthd -u username -p mypassword
0: NO "authentication failed"
Alexander Dalloz
2017-Mar-09 12:39 UTC
[CentOS] Up to date guide/information Sendmail SMTP Auth
On 2017-03-09 02:20, Mark Weaver wrote:

[ ... ]
> Still googling around and found some things that appear to be missing
> from the sendmail config, but when I test saslauthd it doesn't appear
> to be working.
>
> testsaslauthd -u username -p mypassword
> 0: NO "authentication failed"

How is your saslauthd configured? Which backend does it use?

For debugging purposes it is helpful not to start saslauthd as a service but to run it with parameter -d to see its output on stdout.

Alexander
Paul Heinlein
2017-Mar-09 15:58 UTC
[CentOS] Up to date guide/information Sendmail SMTP Auth
On Wed, 8 Mar 2017, Mark Weaver wrote:
> On 03/08/2017 07:09 PM, Mark Weaver wrote:
>> > > I followed your guide to the letter, however I think it seems I
>> > > missed something. When I test with telnet to port 25 this is the
>> > > result:
>> > >
>> > > > telnet merlin 25
>> > > Trying 10.10.3.6...
>> > > Connected to merlin.ciss.local.
>> > > Escape character is '^]'.
>> > > 220 mdw1982.com ESMTP Sendmail 8.14.7/8.13.8; Wed, 8 Mar 2017 16:53:31 -0500
>> > > ehlo merlin
>> > > 250-mdw1982.com Hello [10.10.3.102], pleased to meet you
>> > > 250-ENHANCEDSTATUSCODES
>> > > 250-PIPELINING
>> > > 250-8BITMIME
>> > > 250-SIZE
>> > > 250-DSN
>> > > 250-ETRN
>> > > 250-DELIVERBY
>> > > 250 HELP
>> > > > auth login
>> > > 504 5.3.3 AUTH mechanism login not available
>> > >
>> > > thoughts?
>> >
>> > Many. :-)
>> >
>> > Check your mail log for clues.
>> >
>> > Ensure you have a valid SSL certificate and key. Sendmail is touchy
>> > about permissions on the key file. Try googling for
>> > confDONT_BLAME_SENDMAIL and GroupReadableKeyFile.
>> >
>> > Make sure saslauthd is configured and running.
>> >
>> > Compile your .mc (m4) file with the macros distributed with the
>> > version of sendmail you're actually running. This line suggests you're
>> > not:
>> >
>> > mdw1982.com ESMTP Sendmail 8.14.7/8.13.8
>> >
>> > That's a first stab at things to try.
>>
>> I fixed the version mis-match by installing sendmail-cf package and
>> recompiling sendmail.mc. saslauthd is running and configured
>> according to your specs. So, I'm not sure what's missing.
>
> Still googling around and found some things that appear to be
> missing from the sendmail config, but when I test saslauthd it
> doesn't appear to be working.
>
> testsaslauthd -u username -p mypassword
> 0: NO "authentication failed"

Usually, testsaslauthd needs a service name. In this case,

  testsaslauthd -u username -p mypassword -s smtp

If your password has any characters a shell might misinterpret (*, !, <, >, &, ...), make sure you enclose it in quotation marks.

What have you seen in your logs (usually /var/log/maillog on CentOS systems)? If sendmail is having trouble setting up TLS/SSL, it will let you know!

You may have to post the entire contents of your sendmail.mc (the m4 file), redacted as necessary to obscure any non-relevant bits that may be sensitive.

--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
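
Added example, not part of any post in this thread: the EHLO reply quoted above lists neither an AUTH nor a STARTTLS capability, and this script reports both from a saved EHLO reply so the check can be repeated after each configuration change. The function names and the second sample reply (mail.example.com) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report what an EHLO reply advertises.

# Print capability lines from an EHLO reply on stdin, upper-cased.
# The first 250 line is the server greeting, so it is skipped.
ehlo_caps() {
    tr -d '\r' | awk '/^250[- ]/ { n++; if (n > 1) print toupper(substr($0, 5)) }'
}

# Print the advertised SASL mechanisms, one per line (nothing if AUTH is absent).
# Accepts both "AUTH LOGIN PLAIN" and the older "AUTH=LOGIN PLAIN" form.
ehlo_auth_mechs() {
    ehlo_caps |
        awk '/^AUTH[ =]/ { sub(/^AUTH[ =]/, ""); for (i = 1; i <= NF; i++) print $i }' |
        sort -u
}

# One-line summary: the offered mechanisms and whether STARTTLS is offered.
ehlo_diagnose() {
    reply=$(cat)
    mechs=$(printf '%s\n' "$reply" | ehlo_auth_mechs | tr '\n' ' ')
    if printf '%s\n' "$reply" | ehlo_caps | grep -q '^STARTTLS$'; then
        tls=yes
    else
        tls=no
    fi
    [ -n "$mechs" ] || mechs="none "
    echo "AUTH=${mechs% } STARTTLS=$tls"
}

# Sample 1: the EHLO reply quoted in the thread.
THREAD_REPLY='250-mdw1982.com Hello [10.10.3.102], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP'

# Sample 2: constructed reply from a hypothetical server offering AUTH and TLS.
WORKING_REPLY='250-mail.example.com Hello [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP'

printf '%s\n' "$THREAD_REPLY" | ehlo_diagnose
printf '%s\n' "$WORKING_REPLY" | ehlo_diagnose
```
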