3 ## 20.10 SMTP Authentication
\r
5 ***Written by James Gorham. ***
\r
7 Having SMTP Authentication in place on your mail server has a number of benefits. SMTP Authentication can add another layer of security to **sendmail** , and has the benefit of giving mobile users who switch hosts the ability to use the same mail server without the need to reconfigure their mail client settings each time.
\r
9 1. Install [`security/cyrus-sasl`](http://pkgsrc.se/security/cyrus-sasl) from the ports. You can find this port in [`security/cyrus-sasl`](http://pkgsrc.se/security/cyrus-sasl). [`security/cyrus-sasl`](http://pkgsrc.se/security/cyrus-sasl) has a number of compile time options to choose from and, for the method we will be using here, make sure to select the `pwcheck` option.
\r
10 1. After installing [`security/cyrus-sasl`](http://pkgsrc.se/security/cyrus-sasl), edit `/usr/local/lib/sasl/Sendmail.conf` (or create it if it does not exist) and add the following line:
\r
12 pwcheck_method: passwd
\r
14 This method will enable **sendmail** to authenticate against your DragonFly `passwd` database. This saves the trouble of creating a new set of usernames and passwords for each user that needs to use SMTP authentication, and keeps the login and mail password the same.
\r
15 1. Now edit `/etc/make.conf` and add the following lines:
\r
17 SENDMAIL_CFLAGS=-I/usr/local/include/sasl1 -DSASL
\r
18 SENDMAIL_LDFLAGS=-L/usr/local/lib
\r
19 SENDMAIL_LDADD=-lsasl
\r
21 These lines will give **sendmail** the proper configuration options for linking to [`cyrus-sasl`](http://pkgsrc.se/cyrus-sasl) at compile time. Make sure that [`cyrus-sasl`](http://pkgsrc.se/cyrus-sasl) has been installed before recompiling **sendmail** .
\r
22 1. Recompile **sendmail** by executing the following commands:
\r
24 # cd /usr/src/usr.sbin/sendmail
\r
30 The compile of **sendmail** should not have any problems if `/usr/src` has not been changed extensively and the shared libraries it needs are available.
\r
31 1. After **sendmail** has been compiled and reinstalled, edit your `/etc/mail/freebsd.mc` file (or whichever file you use as your `.mc` file. Many administrators choose to use the output from [hostname(1)](http://leaf.dragonflybsd.org/cgi/web-man?command#hostname§ion1) as the `.mc` file for uniqueness). Add these lines to it:
\r
33 dnl set SASL options
\r
34 TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
\r
35 define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
\r
36 define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl
\r
38 These options configure the different methods available to **sendmail** for authenticating users. If you would like to use a method other than **pwcheck** , please see the included documentation.
\r
39 1. Finally, run [make(1)](http://leaf.dragonflybsd.org/cgi/web-man?command#make§ion1) while in `/etc/mail`. That will run your new `.mc` file and create a `.cf` file named `freebsd.cf` (or whatever name you have used for your `.mc` file). Then use the command `make install restart`, which will copy the file to `sendmail.cf`, and will properly restart **sendmail** . For more information about this process, you should refer to `/etc/mail/Makefile`.
\r
41 If all has gone correctly, you should be able to enter your login information into the mail client and send a test message. For further investigation, set the `LogLevel` of **sendmail** to 13 and watch `/var/log/maillog` for any errors.
\r
43 You may wish to add the following lines to `/etc/rc.conf` so this service will be available after every system boot:
\r
46 sasl_pwcheck_enable="YES"
\r
47 sasl_pwcheck_program="/usr/local/sbin/pwcheck"
\r
50 This will ensure the initialization of SMTP_AUTH upon system boot.
\r
52 For more information, please see the **sendmail** page regarding [SMTP authentication](http://www.sendmail.org/~ca/email/auth.html).
\r
57 CategoryHandbook-email
\r
projects / ikiwiki.git / blob