## 20.10 SMTP Authentication

***Originally written by James Gorham.***

Having SMTP Authentication in place on your mail server has a number of benefits. SMTP Authentication can add another layer of security to **sendmail**, and has the benefit of giving mobile users who switch hosts the ability to use the same mail server without the need to reconfigure their mail client settings each time.

1. Install [`security/cyrus-sasl`](http://pkgsrc.se/security/cyrus-sasl) from the ports. Also install [`security/cyrus-saslauthd`](http://pkgsrc.se/security/cyrus-saslauthd) and any of the `security/cy2-*` packages that match how you want to authenticate. In this case, [`security/cy2-login`](http://pkgsrc.se/security/cy2-login) is needed.

2. This plan is designed to enable **sendmail** to authenticate against your DragonFly `passwd` database. This saves the trouble of creating a new set of usernames and passwords for each user that needs to use SMTP authentication, and keeps the login and mail password the same. Edit `/usr/pkg/lib/sasl2/Sendmail.conf` (or create it if it does not exist) and add the following line:

   ```
   pwcheck_method: saslauthd
   ```

3. These lines will give **sendmail** the proper configuration options for linking to [`cyrus-sasl`](http://pkgsrc.se/cyrus-sasl) at compile time. Make sure that [`cyrus-sasl`](http://pkgsrc.se/cyrus-sasl) has been installed before recompiling **sendmail**. Edit `/etc/make.conf` and add the following lines:

   ```
   SENDMAIL_CFLAGS=-I/usr/pkg/include/sasl -DSASL
   SENDMAIL_LDFLAGS=-L/usr/pkg/lib
   SENDMAIL_LDADD=-lsasl2
   ```

4. Recompile **sendmail** by executing the following commands:

   ```
   # cd /usr/src/usr.sbin/sendmail
   ```

5. To check whether SASL was compiled in, run the following command; `SASL` should appear in the `Compiled with:` list of its output:

   ```
   sendmail -d0.1 -bv root
   ```

6. After **sendmail** has been compiled and reinstalled, edit your `/etc/mail/dragonfly.mc` file (or whichever file you use as your `.mc` file; many administrators choose to use the output from [hostname(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=hostname&section=1) as the `.mc` file name for uniqueness). These options configure the different methods available to **sendmail** for authenticating users. If you would like to use a method other than **saslauthd**, please see the included documentation. Add these lines to your `.mc` file:

   ```
   TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
   define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
   ```

7. Finally, run [make(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=make&section=1) while in `/etc/mail`. That will process your new `.mc` file and create a `.cf` file named `dragonfly.cf` (or whatever name you have used for your `.mc` file). Then use the command `make install restart`, which will copy the file to `sendmail.cf` and properly restart **sendmail**. For more information about this process, refer to `/etc/mail/Makefile`.

If all has gone correctly, you should be able to enter your login information into the mail client and send a test message. For further investigation, set the `LogLevel` of **sendmail** to 13 and watch `/var/log/maillog` for any errors. One way to run sendmail with a higher log level:

```
sendmail -O LogLevel=14 -bs -Am
```

You may wish to add the following line to `/etc/rc.conf` so this service will be available after every system boot:

This will ensure the initialization of SMTP_AUTH upon system boot.

This is enough to get started. **Using separate encryption, such as STARTTLS, is recommended.**
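
A check for the recommendation above, as an added example that is not part of the original handbook text: it parses an EHLO reply and reports when LOGIN or PLAIN is advertised before STARTTLS, since those mechanisms send the password with base64 encoding only. The sample reply and the host name `mail.example.org` are constructed, and `probe()` is a hypothetical helper for a server you administer.

```python
import re
import smtplib

# Mechanisms that send the password itself, only base64-encoded.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}

# Constructed sample: a plausible EHLO reply from a server using the
# mechanism list from the .mc lines in this section, without STARTTLS.
SAMPLE_EHLO = """\
250-mail.example.org Hello client.example.org, pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250 HELP"""

def extensions(ehlo_reply):
    """Map each ESMTP keyword in an EHLO reply to its parameter list."""
    found = {}
    for line in ehlo_reply.splitlines():
        text = re.sub(r"^\d{3}[- ]", "", line.strip())  # drop "250-" / "250 "
        keyword, _, rest = text.replace("=", " ", 1).partition(" ")
        found.setdefault(keyword.upper(), []).extend(rest.upper().split())
    return found

def auth_mechs(ehlo_reply):
    """Return the set of SASL mechanisms advertised on the AUTH line(s)."""
    return set(extensions(ehlo_reply).get("AUTH", []))

def audit(pre_tls_reply):
    """Return findings for the EHLO reply seen before any TLS handshake."""
    ext = extensions(pre_tls_reply)
    findings = []
    exposed = sorted(set(ext.get("AUTH", [])) & CLEARTEXT_MECHS)
    if exposed:
        findings.append("cleartext AUTH offered before STARTTLS: " + ", ".join(exposed))
    if "STARTTLS" not in ext:
        findings.append("STARTTLS not advertised")
    return findings

def probe(host, port=25):
    """Hypothetical live check: audit the pre-TLS EHLO reply of your own server."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()  # smtplib stores the raw reply text in ehlo_resp (bytes)
        return audit(smtp.ehlo_resp.decode("ascii", "replace"))

if __name__ == "__main__":
    for finding in audit(SAMPLE_EHLO):
        print("WARN:", finding)
```

Once STARTTLS is configured, sendmail's `AuthOptions` flag `p` (set through `confAUTH_OPTIONS`) withholds LOGIN and PLAIN until a security layer is active, which clears the first finding.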

For more information, please see the **sendmail** page regarding [SMTP authentication](http://www.sendmail.org/~ca/email/auth.html).