Previous INDEX Next
Building FreeBSD for multiple machines Gray Listing with Sendmail

SMTP Client authentication for Sendmail

I've recently moved to a new ISP (higher bandwith for lower cost, but with a monthly cap - let's hope my calculations of usage are correct).

I discovered the ISP's SMTP server required authentication, so in order to continue sending mail out from the FreeBSD web/mail server, crimson, I was going to have to figure out how sendmail could act as an authenticating client.

After reading the Sendmail Bat book, and some googling, the following seemed to be required (note, this is for a FreeBSD 6.2 system, making minimal changes to the default system setup).

Specifying the authentication tokens

First, you need to create an access database in /etc/mail. This has to contain AuthInfo records to inform sendmail of the authentication tokens required. I created a file called access in /etc/mail with the following contents:

  AuthInfo:smtp.isp.com "U:username" "P:password" 

Replace smtp.isp.com by your ISP's mail server, and the username and password fields as required.

The access database is built by running the following command in /etc/mail:

  make maps

which creates the file access.db.

Sendmail Configuration File

The sendmail configuration file (crimson.mc) needs the following addition:

  define(`confAUTH_MECHANISMS',`LOGIN PLAIN')

And, or course, define SMART_HOST to the new smtp relay, i.e. define(`SMART_HOST',`smtp.isp.com')

I rebuilt the sendmail.cf file and restarted sendmail by:

  make && make install && make restart

I tested to see if client authentication worked by sending an email to my new email address. Nope, DSN 5.0.0 - Service Unavailable.

Most of the articles I'd read majored on creating a version of sendmail that required authentication from its clients. For this, sendmail needed to be compiled with SASL. It seemed to me that SASL shouldn't be required for simple client authentication, but maybe I was wrong.

To build a version of sendmail with SASL on FreeBSD, first add the following lines to /etc/make.conf:

  SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
  SENDMAIL_LDFLAGS=-L/usr/local/lib
  SENDMAIL_LDADD=-lsasl2

Then, install the package cyrus-sasl2, by:

  pkg_add -r cyrus-sasl2

Then rebuild sendmail:

  # cd /usr/src/lib/libsmutil
  # make cleandir && make obj && make
  # cd /usr/src/lib/libsm
  # make cleandir && make obj && make
  # cd /usr/src/usr.sbin/sendmail
  # make cleandir && make obj && make && make install

N.B. These instructions have been stolen wholesale from The FreeBSD Handbook.

Once the new version of sendmail was started, client authentication instantly started to work. So, situation normal, completely wrong assumptions. SASL is mandatory for sendmail client SMTP authentication.

Previous INDEX Next
Building FreeBSD for multiple machines Gray Listing with Sendmail