# Secure Sendmail SMTP authentication



## micski (Sep 14, 2013)

I am installing SMTP authentication for Sendmail. I followed the guide in the FreeBSD Handbook. To complete the installation, I want to test whether the authentication works and confirm that the username and password are kept secure. Of course, I could dump the packets and inspect them for a plain-text username and password, but I thought I might be able to look in the log as well. I set the log level of Sendmail to 13, configured a test client to use SMTPS/465 with authentication, and sent a test mail from an untrusted network to a non-hosted relay recipient. The following is written in the log.


```
xxx sm-mta[52988]: r8EKkC6M052988: from=<xxx>, size=790, class=0, nrcpts=1, msgid=<xxx>, proto=ESMTP, daemon=TLSMTA, relay=xxx [xxx]
xxx sm-mta[53010]: r8EKkC6M052988: to=<xxx>, ctladdr=<xxx> (1003/1003), delay=00:00:05, xdelay=00:00:03, mailer=esmtp, pri=30790, relay=xxx. [xxx], dsn=2.0.0, stat=Sent (Queued!)
```

`# pkg_info | grep cyrus-sasl`

```
cyrus-sasl-2.1.26_2 RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-saslauthd-2.1.26 SASL authentication server for cyrus-sasl2
```

`# ps acx | grep sasl`

```
66773  ??  Is       0:00.00 saslauthd
```

``# nano -w `hostname`.mc``

```
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')
```

The mail does get sent. However, I am not sure whether the log confirms the use of secure authentication.


----------



## micski (Sep 14, 2013)

I decided to resend the mail test while dumping the TCP packets from the test client. I loaded the captured dump into a packet inspection tool and tested it for an SMTP authentication password.

```
# tcpdump -i em0 -s 65535 -w smtp-auth-test.txt host xxx
% wireshark smtp-auth-test.txt &
```

I used the filter `smtp.auth.password` in Wireshark. Would I be able to catch a misconfigured plain-text password this way?


----------



## micski (Sep 15, 2013)

For what it is worth, for future readers, another capture test, with plain-text SMTP, did show up in Wireshark with the `smtp` display filter, so I would assume that a plain-text password would have shown up in the capture above. I therefore believe that the communication happens within an encrypted connection, which is why there is nothing readable in the mail log nor in the captured TCP data.

```
# tcpdump -i em0 -s 65535 -w smtp-auth-test-plain.cap host xxx
% wireshark -Y smtp smtp-auth-test-plain.cap &
```

On another note, I used the suffix `txt` above in error. It should have been `cap`. However, the contents of the file remain valid.

Any comments are welcome.
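As an added illustration (example code, not from the thread, Sendmail or Wireshark), the check below does in code what the display filter does in Wireshark: it walks a captured cleartext SMTP dialogue (a constructed sample here, with `C:`/`S:` direction labels assumed) and reports any AUTH command issued before a successful STARTTLS. On an SMTPS/465 session the whole dialogue is ciphertext, so there is nothing for such a check to match at all.

```python
"""Flag SMTP AUTH sent over a cleartext session: added example, not from the
thread; reports any AUTH issued before a successful STARTTLS is observed."""

# Constructed samples (not real captures); "C:" is client, "S:" is server.
CLEARTEXT_SESSION = """\
S: 220 mail.example.test ESMTP Sendmail
C: EHLO client.example.test
S: 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
S: 250-STARTTLS
S: 250 HELP
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: dXNlcg==
S: 334 UGFzc3dvcmQ6
C: cGFzcw==
S: 235 2.0.0 OK Authenticated
"""

STARTTLS_SESSION = """\
S: 220 mail.example.test ESMTP Sendmail
C: EHLO client.example.test
S: 250-STARTTLS
S: 250 HELP
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: <TLS handshake; from here on the wire carries only ciphertext>
"""

# Mechanisms whose cleartext exchange carries the password itself (only
# base64-wrapped); other mechanisms expose a challenge/response instead.
PASSWORD_BEARING = {"PLAIN", "LOGIN"}

def cleartext_auth_attempts(session: str) -> list:
    findings, awaiting_tls_reply = [], False
    for lineno, raw in enumerate(session.splitlines(), 1):
        side, _, line = raw.partition(": ")
        words = line.split()
        if side == "C" and words:
            verb = words[0].upper()
            if verb == "STARTTLS":
                awaiting_tls_reply = True
            elif verb == "AUTH":  # any AUTH seen here travelled in cleartext
                mech = words[1].upper() if len(words) > 1 else "?"
                findings.append({"line": lineno, "mechanism": mech,
                                 "exposes_password": mech in PASSWORD_BEARING})
        elif side == "S" and awaiting_tls_reply:
            awaiting_tls_reply = False
            if line.startswith("220"):
                break  # TLS is up: nothing after this point is inspectable
    return findings
```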


----------



## kpa (Sep 16, 2013)

I think the `daemon=TLSMTA` string in the log reveals that TLS was in fact used for the connection.


----------

