# Sendmail with saslauthd



## fullauto (Mar 27, 2013)

Hello all.

I am running into a bit of a problem getting my Sendmail server configured to only allow relaying based on saslauthd authentication.  As of right now, my Sendmail seems to be accepting connections on port 25 from anyone without asking for a login.  I'm not really well spun up on the ins and outs of saslauthd and how it works, and the documentation is sparse to put it kindly, so my troubleshooting efforts have thus far been unsuccessful.

I have gone through the following step-by-step: the FreeBSD handbook entry.
saslauthd is indeed working. But it is not requiring a login and I'm not sure why.

I can assure you that I have gone over the handbook howtos at least twice and everything I did was EXACTLY as written.

These are my configuration files:


```
[ROOT@hermes]/etc/mail-> cat access
# by default we allow relaying from localhost...
localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
192.168.1                       RELAY

# Allow Connect from local server IPs
Connect:192.168                 OK

# Accept Mail
# accept mail from PayPal
# paypal.com                    OK

# Reject Mail
posterclub@e.allposters.com     REJECT
posterclub@email.allposters.com REJECT
plastmarket.com                 REJECT
jr@jrtr.org                     REJECT
7b2.606@fe01.atl2.webusenet.com REJECT
mysoldpad.com                   REJECT
```


```
[ROOT@hermes]/etc/mail-> cat hermes.mc
divert(-1)
divert(0)

VERSIONID(`$FreeBSD: release/9.0.0/etc/sendmail/freebsd.mc 223068 2011-06-14 04:33:43Z gshapiro $')
OSTYPE(freebsd6)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
FEATURE(relay_entire_domain)
FEATURE(`authinfo')dnl
MASQUERADE_AS(`SpreadSpectrum.net')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl

dnl FEATURE(`SMART_HOST', `spreadspectrum.net')dnl

dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl       your permission.
dnl FEATURE(relay_based_on_MX)

dnl DNS based black hole lists
dnl --------------------------------
dnl DNS based black hole lists come and go on a regular basis
dnl so this file will not serve as a database of the available servers.
dnl For that, visit
dnl http://www.google.com/Top/Computers/Internet/E-mail/Spam/Blacklists/

dnl Uncomment to activate your chosen DNS based blacklist
dnl FEATURE(dnsbl, `dnsbl.example.com')
dnl Alternatively, you can provide your own server and rejection message:
dnl FEATURE(dnsbl, `dnsbl.example.com', ``"550 Mail from " $&{client_addr} " rejected'')

dnl Dialup users should uncomment and define this appropriately
dnl define(`SMART_HOST', `your.isp.mail.server')

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
dnl define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

MAILER(local)
MAILER(smtp)
```

This is what I get when I telnet from another machine to port 25:


```
[ROOT@hermes]/root/sendmail.shit-> telnet hermes 25
Trying 192.168.1.11...
Connected to hermes.spreadspectrum.net.
Escape character is '^]'.
220 hermes.spreadspectrum.net ESMTP Sendmail 8.14.5/8.14.5; Wed, 27 Mar 2013 00:21:11 -0400 (EDT)
ehlo kif.spreadspectrum.net
250-hermes.spreadspectrum.net Hello [192.168.1.11], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250-DELIVERBY
250 HELP
mail from: user@spreadspectrum.net
250 2.1.0 user@spreadspectrum.net... Sender ok
rcpt to: user@gmail.com
250 2.1.5 user@gmail.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
some mail
.
250 2.0.0 r2R4LB4S033789 Message accepted for delivery
quit
221 2.0.0 hermes.spreadspectrum.net closing connection
Connection closed by foreign host.
```

I am looking for any help that can be offered, as well as looking for a good explanation on how saslauthd actually works. The interweb is not well stocked on breakdowns of that nature.

Thanks in advance.


----------



## adri (Mar 27, 2013)

First, the line `192.168.1 RELAY` in your access file allows any host from the 192.168.1/24 subnet to relay without authenticating. This is why you were allowed to send to an external gmail.com address.

Other hosts not in your access file would only be allowed to send to local 'spreadspectrum.net' addresses. Try sending from another host not in the local subnet.

If you want to force everyone to authenticate first, before allowing them to send anything, add `Modifiers=a` to your DAEMON_OPTIONS.
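As an added example (not code from the thread), a small Python audit that mechanises adri's two points: it lists RELAY entries in the access map that reach beyond the local host, and reports whether each DAEMON_OPTIONS line carries Modifiers=a. The sample input is copied from the access file and hermes.mc posted above.

```python
"""Audit a sendmail access map and .mc for unauthenticated relaying.
Added example (not from the thread): flags RELAY entries in /etc/mail/access
beyond the local host and checks each DAEMON_OPTIONS for Modifiers=a."""
import re
LOCAL_KEYS = {"localhost", "localhost.localdomain", "127.0.0.1", "IPv6:::1"}
TAGGED = re.compile(r"^(Connect|From|To|Spam):(.+)$")

def parse_access(text):
    """Yield (tag, key, value) from 'key<ws>value' lines; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed; makemap would reject it
        m = TAGGED.match(parts[0])
        tag, key = (m.group(1), m.group(2)) if m else ("", parts[0])
        yield tag, key, parts[1].strip()

def unauthenticated_relays(text):
    """Keys granted RELAY that are not the host itself.  An untagged or
    Connect: RELAY entry lets that client relay with no SMTP AUTH, and a
    prefix such as 192.168.1 covers the whole 192.168.1.0/24 network."""
    return [key for tag, key, value in parse_access(text)
            if value.upper() == "RELAY" and tag in ("", "Connect")
            and key not in LOCAL_KEYS]

def daemon_requires_auth(mc_text):
    """Map each DAEMON_OPTIONS Name= to whether its Modifiers include 'a'."""
    result = {}
    for m in re.finditer(r"^DAEMON_OPTIONS\(`([^']*)'\)", mc_text, re.M):
        opts = dict(kv.strip().split("=", 1)
                    for kv in m.group(1).split(",") if "=" in kv)
        result[opts.get("Name", "?")] = "a" in opts.get("Modifiers", "")
    return result

# Sample input copied from the access file and hermes.mc posted in the thread.
ACCESS = """# by default we allow relaying from localhost...
localhost                       RELAY
127.0.0.1                       RELAY
192.168.1                       RELAY
Connect:192.168                 OK
"""
MC_BEFORE = "DAEMON_OPTIONS(`Name=IPv4, Family=inet')\n" \
            "DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')\n"
MC_AFTER = MC_BEFORE.replace("inet'", "inet, Modifiers=a'").replace("=O'", "=Oa'")
if __name__ == "__main__":
    print("relay without AUTH:", unauthenticated_relays(ACCESS))
    print("before:", daemon_requires_auth(MC_BEFORE), "after:", daemon_requires_auth(MC_AFTER))
```

Modifiers=a applies to every connection on that daemon, so a host that also receives Internet mail for its own domain usually puts it on a separate submission daemon (port 587) rather than on port 25.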


----------



## fullauto (Mar 27, 2013)

*Solved*

Worked like a charm.  Thank you for such a speedy and concise reply.  That's what makes the FreeBSD community the best.


----------

