Sendmail

centos 6.4 sendmail SMTP-AUTH 不工作

  • July 8, 2013

我想要帶有 sendmail 和 dovecot 的 cinfugiure centos 6.4 伺服器到 SMTP-AUTH ,我配置了 saslauthd 和 sendmail,但是 SMTP-AUTH 不起作用,實際配置是

$$ root@server sasl2 $$# rpm -qa | grep sendmail sendmail-8.14.4-8.el6.x86_64 sendmail-cf-8.14.4-8.el6.noarch

[root@server sasl2]# sendmail -d0.1 -bv
Version 8.14.4
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
               MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
               NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
               TCPWRAPPERS USERDB USE_LDAP_INIT

============ SYSTEM IDENTITY (after readcf) ============
     (short domain name) $w = server
 (canonical domain name) $j = server.itzena.cz
        (subdomain name) $m = itzena.cz
             (node name) $k = server.itzena.cz
========================================================

Recipient names must be specified


[root@server sasl2]#  grep -v ^dnl /etc/mail/sendmail.mc
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

[root@server sasl2]# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap


[root@server sasl2]# cat /etc/sasl2/Sendmail.conf
pwcheck_method:saslauthd
mech_list: PLAIN LOGIN

[root@server sasl2]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server.itzena.cz ESMTP Sendmail 8.14.4/8.14.4; Sat, 6 Jul 2013 14:58:49 +0200
ehlo localhost
250-server.itzena.cz Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP

我有未註釋的行

   TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

但如果

[root@server ~]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server.itzena.cz ESMTP Sendmail 8.14.4/8.14.4; Sun, 7 Jul 2013 09:17:08 +0200
ehlo localhost
250-server.itzena.cz Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
AUTH LOGIN
503 5.3.3 AUTH not available

您目前的 m4 中有兩條相互矛盾的行:

define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_OPTIONS', `A p')dnl

假設其中第二個優先,該p標誌告訴 sendmail 除非加密到位,否則不要提供身份驗證,這意味著您需要啟動並執行 TLS 才能獲得身份驗證。這是與我的郵件伺服器的一對可比較的對話。第一個是明文,使用telnet

[me@risby iplayer]$ telnet www.teaparty.net 25
Trying 2a01:8000:0:4::1:1...
Connected to www.teaparty.net.
Escape character is '^]'.
220 : ESMTP you accept terms at http://www.teaparty.net/smtp.html
ehlo me
250-lory.teaparty.net Hello [IPv6:2001:4d48:ad51:3500:7271:bcff:feac:445a], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 14000000
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 lory.teaparty.net closing connection
Connection closed by foreign host.

因為它是純文字連接,所以不提供身份驗證。現在我將嘗試使用openssl來建立啟用 TLS 的連接:

[me@risby iplayer]$ openssl s_client -connect www.teaparty.net:25 -starttls smtp
CONNECTED(00000003)
[much crypto stuff deleted]
250 HELP
ehlo me
250-lory.teaparty.net Hello [IPv6:2001:4d48:ad51:3500:7271:bcff:feac:445a], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 14000000
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 lory.teaparty.net closing connection

請注意如何AUTH提供選項。我注意到除了告訴 sendmail 只提供AUTH加密是否到位之外,您還沒有配置 TLS;您需要先配置它,然後才能測試是否提供了 AUTH。在 sendmail 下配置 TLS 超出了這個問題的範圍,但是 SF 上已經有答案可以幫助解決這個問題。

引用自:https://serverfault.com/questions/521275