Wednesday, February 07, 2018

Solaris 11.4: Setting up Sendmail / SASL to handle SMTP AUTH

With the release of Solaris 11.4 Beta we finally get a SASL implementation based on the open source Cyrus SASL version 2.1.26, with a few changes. This means that Solaris can now handle SMTP AUTH out of the box.

I have been here before with previous blog entries:
- Can Solaris 11 Sendmail / SASL handle SMTP AUTH
- Solaris 11: Setting up Sendmail / SASL to handle SMTP AUTH

Ref: Using Simple Authentication and Security Layer


  •  Solaris 11.4 Beta now comes with SASL support
# /usr/lib/sendmail -d0 -bt < /dev/null
Version 8.15.2+Sun
 Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8
                MIME8TO7 NAMED_BIND NDBM NETINET NETINET6 NETUNIX NEWDB
                NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
                USERDB USE_LDAP_INIT XDEBUG
  • Modify the sendmail configuration file slightly to enable AUTH and list the AUTH mechanisms
# cd /etc/mail/cf/cf
# cat > sasl.mc
divert(0)dnl
VERSIONID(`sendmail.mc (Sun)')
OSTYPE(`solaris11')dnl
DOMAIN(`solaris-generic')dnl
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

define(`confFALLBACK_SMARTHOST', `mailhost$?m.$m$.')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl

LOCAL_NET_CONFIG
R$* < @ $* .$m. > $*    $#esmtp $@ $2.$m $: $1 < @ $2.$m. > $3


# make sasl.cf
test ! -f sasl.cf || /usr/bin/mv sasl.cf sasl.cf.prev
/usr/bin/m4 ../m4/cf.m4 sasl.mc > sasl.cf

# cp sasl.cf ../../sendmail.cf
# svcadm restart sendmail
  • Set up the SASL plugin via the Sendmail.conf file
# cat /etc/sasl2/Sendmail.conf
pwcheck_method: saslauthd
  • For authentication to work, saslauthd has to be running. You can start it as a one-off process (good for debugging). Naturally this should be set up as an SMF service, but that has been covered in the earlier blog entries above.
# saslauthd -n 1 -V -d -a pam
saslauthd[7495] :main            : num_procs  : 1
saslauthd[7495] :main            : mech_option: NULL
saslauthd[7495] :main            : run_path   : /var/run/saslauthd
saslauthd[7495] :main            : auth_mech  : pam
saslauthd[7495] :detach_tty      : master pid is: 0
saslauthd[7495] :ipc_init        : door on: /var/run/saslauthd/mux
...the following lines appear once the testsaslauthd command below has been executed
saslauthd[7495] :do_auth         : auth success: [user=MyUserName] [service=imap] [realm=] [mech=pam]
saslauthd[7495] :do_request      : response: OK

# /usr/lib/sasl/tests/testsaslauthd -u MyUserName -p MyPassword
0: OK "Success."
  • Now test the sendmail part, but first we need the base64-encoded username and password:
# perl -MMIME::Base64 -e 'print encode_base64("\000MyUser\000MyPassword")'
AE15VXNlcgBNeVBhc3N3b3Jk

# /usr/lib/sendmail -bv  -O LogLevel=14 -bs -Am
220 delphi.dcs.bbk.ac.uk ESMTP Sendmail 8.15.2+Sun/8.15.2; Wed, 7 Feb 2018 12:44:02 GMT
EHLO localhost    
250-delphi.dcs.bbk.ac.uk Hello root@localhost, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
AUTH PLAIN AE15VXNlcgBNeVBhc3N3b3Jk
235 2.0.0 OK Authenticated
quit
  • Looking at /var/log/syslog after doing the above, you will see the following (the errors are mainly because I have not set up certificates completely on this test setup):
#####AFTER STARTING /usr/lib/sendmail -bv  -O LogLevel=14 -bs -Am
Feb  7 12:38:13 delphi sendmail[8043]: [ID 801593 mail.info] NOQUEUE: connect from root@localhost
Feb  7 12:38:13 delphi sendmail[8043]: [ID 702911 mail.warning] STARTTLS: ServerCertFile missing
Feb  7 12:44:02 delphi sendmail[8275]: [ID 702911 mail.info] AUTH: available mech=SCRAM-SHA-1 GSS-SPNEGO GSSAPI OTP LOGIN PLAIN, allowed mech=DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Feb  7 12:38:13 delphi sendmail[8043]: [ID 801593 mail.info] w17CcDMH008043: Milter: no active filter


#####AFTER AUTH PLAIN AE15VXNlcgBNeVBhc3N3b3Jk
Feb  7 12:44:42 delphi sendmail[8275]: [ID 702911 mail.info] AUTH=server, relay=root@localhost, authid=MyUserName, mech=PLAIN, bits=0

  • That is it and Oracle Solaris 11.4
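
The AUTH PLAIN argument used above is only base64 of authzid NUL username NUL password, so it decodes without any key, and PLAIN and LOGIN provide no security layer of their own. The following Python is an added example, not part of the original post: it decodes such a token and scans sendmail syslog for PLAIN/LOGIN logins from a sendmail PID that never logged STARTTLS. The `STARTTLS=server` line format, the function names and every sample log line except the post's own AUTH line are assumptions.

```python
import base64
import re

def decode_plain(token):
    """Split a SASL PLAIN token (authzid NUL authcid NUL passwd); base64 needs no key."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN token")
    return tuple(p.decode("utf-8") for p in parts)

PID = r"sendmail\[(?P<pid>\d+)\]:"
CONNECT_RE = re.compile(PID + r".*connect from ")
TLS_RE = re.compile(PID + r".*STARTTLS=server, ")  # assumed format, not shown in the post
AUTH_RE = re.compile(PID + r".*AUTH=server, relay=(?P<relay>.+?), "
                     r"authid=(?P<authid>[^,]+), mech=(?P<mech>[\w-]+), bits=(?P<bits>\d+)")
PASSWORD_MECHS = {"PLAIN", "LOGIN"}  # these send the password itself, merely encoded

def cleartext_auths(lines):
    """Return (pid, authid, mech) for PLAIN/LOGIN logins with no STARTTLS on that PID."""
    tls_pids, hits = set(), []
    for line in lines:
        if (m := CONNECT_RE.search(line)):
            tls_pids.discard(m["pid"])   # new connection: drop state of a reused PID
        elif (m := TLS_RE.search(line)):
            tls_pids.add(m["pid"])
        elif (m := AUTH_RE.search(line)):
            if m["mech"].upper() in PASSWORD_MECHS and m["pid"] not in tls_pids:
                hits.append((m["pid"], m["authid"], m["mech"]))
    return hits

# Constructed sample: the first AUTH line is the post's; the other lines are invented.
SAMPLE_LOG = [
    "Feb  7 12:44:02 delphi sendmail[8275]: [ID 801593 mail.info] NOQUEUE: connect from root@localhost",
    "Feb  7 12:44:42 delphi sendmail[8275]: [ID 702911 mail.info] AUTH=server, "
    "relay=root@localhost, authid=MyUserName, mech=PLAIN, bits=0",
    "Feb  7 12:50:00 delphi sendmail[8301]: [ID 801593 mail.info] NOQUEUE: connect from client.example.org",
    "Feb  7 12:50:01 delphi sendmail[8301]: [ID 702911 mail.info] STARTTLS=server, "
    "relay=client.example.org [192.0.2.10], version=TLSv1.2, verify=NO, "
    "cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256",
    "Feb  7 12:50:02 delphi sendmail[8301]: [ID 702911 mail.info] AUTH=server, "
    "relay=client.example.org [192.0.2.10], authid=OtherUser, mech=LOGIN, bits=0",
]

if __name__ == "__main__":
    print(decode_plain("AE15VXNlcgBNeVBhc3N3b3Jk"))  # token from the perl one-liner above
    print(cleartext_auths(SAMPLE_LOG))
```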

