Outbound Authentication for Sendmail

One of the problems I have had recently is that many ISPs are no longer providing outbound email servers for various reasons. So outbound email for some of my own devices as well as some of my customers has been blocked.

Basic Authentication

It is possible to use a number of different forms of authentication so that mobile users can authenticate with their own sendmail server in order to allow email relaying. It has taken a lot of work to figure this out.

This particular method is fairly insecure because it encrypts neither the initial handshaking and password nor the email conversation itself. But it does work and is OK so long as no one is eavesdropping on your internet connection, especially if you are using wireless.

On the Server

Install the cyrus-sasl package.

yum -y install cyrus-sasl

Then start and enable the saslauthd service. The following sequence works on Fedora 15 and above and CentOS7.

systemctl enable saslauthd.service
systemctl start saslauthd.service

Use chkconfig and service commands on CentOS up through version 6 and prior to Fedora 15.

service saslauthd start
chkconfig saslauthd on

In order to protect your personal passwords, create a new user which will be used only for SMTP authentication. Be sure to make this a nologin user to prevent hackers from logging in to the account even if they obtain the password.

useradd -c “Sendmail authentication user” smauth -s /usr/sbin/nologin

Now create a password for the new user.

passwd smauth

Then enter the password for the user smauth twice when requested.

On the Client

Most clients support some form of outbound SMTP authentication. So go to your client configuration for account settings for the outbound server and, in the appropriate places, select or add the following information. These fields are specifically for Firefox.

Connection Security None
Authentication Method Password Transmitted insecurely
User Name The user name you created above. For this example, smauth@example.com.

The first time you attempt to send an email after configuring this, you will be asked for a password. Enter the password you created for the user on the server, above.

Using encrypted passwords

Adding encryption to the SMTP password transmission is straighforward.

On the Server

You must modify the SendMail configuration file/ /etc/mail/sendmail.mc in order to encrypt the SMTP password transmission.

Here are the lines you need in your sendmail.mc file in order to accomplish this.

dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
define(`confAUTH_OPTIONS’, `A’)dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #

Your sendmail.mc file probably already has these lines, with slightly different contents, in which case they will need to be changed. For example, you may have to remove “PLAIN LOGIN” from the last two lines in order to disable plain text logins. When your sendmail.mc file is configured the way you want it run the make command with /etc/mail as the current directory (PWD).

Ensure that you install the appropriate libraries for the chosen authentication methods. I use MD5, so I installed the libraries using the command below.

yum -y install cyrus-sasl-md5

Then restart the sendmail service.

service saslauthd restart

service sendmail restart

On the Client

It is necessary to change the outbound encryption method for your email client to “Encrypted Password” because plaintext passwords will no longer work.

Connection Security None
Authentication Method Encrypted Password
User Name The user name you created above. For this example, smauth@example.com.

Note that this does not encrypt the entire SMTP transaction, only the password.