20.7 SMTP Authentication

Having SMTP Authentication in place on your mail server has a number of benefits. SMTP Authentication can add another layer of security to sendmail, and it gives mobile users who switch hosts the ability to use the same mail server without reconfiguring their mail client settings each time.

  1. Install security/cyrus-sasl from the ports collection. This port has a number of compile-time options to choose from; for the method used here, make sure to select the pwcheck option.

  2. After installing security/cyrus-sasl, edit /usr/local/lib/sasl/Sendmail.conf (or create it if it doesn't exist) and add the following line:

        pwcheck_method: passwd
    

    This method will enable sendmail to authenticate against your FreeBSD passwd database. This saves the trouble of creating a new set of usernames and passwords for each user who needs to use SMTP authentication, and keeps the login and mail password the same.

  3. Now, edit /etc/make.conf and add the following lines:

        SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
        SENDMAIL_LDFLAGS=-L/usr/local/lib
        SENDMAIL_LDADD=-lsasl

    These lines will give sendmail the proper configuration options for linking to cyrus-sasl at compile time. Make sure that cyrus-sasl has been installed before recompiling sendmail.

  4. Recompile sendmail by executing the following commands:

        # cd /usr/src/usr.sbin/sendmail
        # make cleandir
        # make obj
        # make
        # make install

    sendmail should compile without problems if /usr/src has not been changed extensively and the shared libraries it needs are available.

  5. After sendmail has been compiled and reinstalled, edit your /etc/mail/freebsd.mc file, or whichever file you use as your .mc file. Many administrators choose to use the output from hostname(1) as the .mc file for uniqueness. Add these lines to it:

        dnl set SASL options
        TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
        define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
        define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

    These options configure the different methods available to sendmail for authenticating users. If you would like to use a method other than pwcheck, please see the included documentation.

  6. Finally, run make(1) while in /etc/mail. That will process your new .mc file and create a .cf file named freebsd.cf (or whatever name you have used for your .mc file). Copy that to sendmail.cf, and send sendmail a HUP signal with kill -HUP.

If all has gone correctly, you should be able to enter your login information into the mail client, and send a test message. For further investigation, set the LogLevel of sendmail to 13, and watch /var/log/maillog for any errors.
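
One way to check the result of steps 5 and 6 before involving a mail client is to compare the mechanisms named in confAUTH_MECHANISMS with the AUTH line the server returns to EHLO. The script below is an added example, not part of the Handbook or of sendmail; the function names, the example.org host names, and the sample EHLO reply are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the Handbook: compare the SASL mechanisms set in the
# .mc file (step 5) with the ones sendmail advertises in its EHLO reply.

# Constructed sample: the SASL lines from step 5.
sample_mc() {
cat <<'EOF'
dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl
EOF
}

# Constructed sample: an EHLO reply from a server built with SASL support.
sample_ehlo() {
cat <<'EOF'
250-mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250 HELP
EOF
}

# Mechanisms listed in confAUTH_MECHANISMS, one per line (.mc text on stdin).
mc_mechs() {
    sed -n "s/^define(\`confAUTH_MECHANISMS', *\`\([^']*\)').*/\1/p" |
        tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Mechanisms on the "250-AUTH" line of an EHLO reply, one per line (stdin).
ehlo_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p' |
        tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Print each configured mechanism the server does not advertise.
# $1 = .mc file text, $2 = EHLO reply text. No output means they all match.
missing_mechs() {
    advertised=$(printf '%s\n' "$2" | ehlo_mechs)
    for m in $(printf '%s\n' "$1" | mc_mechs); do
        printf '%s\n' "$advertised" | grep -qxF -- "$m" || printf '%s\n' "$m"
    done
}

missing=$(missing_mechs "$(sample_mc)" "$(sample_ehlo)")
if [ -z "$missing" ]; then echo "AUTH advertised for every configured mechanism"
else echo "configured but not advertised:" $missing; fi
```

To use it on a real server, pass the contents of your .mc file and an EHLO reply saved from a session with the server in place of the two samples. A configured mechanism that is not advertised is a lead to follow in /var/log/maillog.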

For more information, please see the sendmail page regarding SMTP authentication: http://www.sendmail.org/~ca/email/auth.html
