computers / comp.mail.sendmail / Re: How to set up authorized submission ?

Subject (Author)
* How to set up authorized submission ? (John Levine)
+* Re: How to set up authorized submission ? (Grant Taylor)
|`* Re: How to set up authorized submission ? (John Levine)
| +* Re: How to set up authorized submission ? (John Levine)
| |+- Re: How to set up authorized submission ? (Claus Aßmann)
| |`* Re: How to set up authorized submission ? (Grant Taylor)
| | `* Re: How to set up authorized submission ? (John Levine)
| |  `* Re: How to set up authorized submission ? (Grant Taylor)
| |   `- Re: How to set up authorized submission ? (John Levine)
| `* Re: How to set up authorized submission ? (Claus Aßmann)
|  `* Re: How to set up authorized submission ? (John Levine)
|   `* Re: How to set up authorized submission ? (Claus Aßmann)
|    `- Re: How to set up authorized submission ? (John Levine)
`* Re: How to set up authorized submission ? (Claus Aßmann)
 `- Re: How to set up authorized submission ? (John Levine)

How to set up authorized submission ?

<s7puh5$1sla$1@gal.iecc.com>

https://www.novabbs.com/computers/article-flat.php?id=143&group=comp.mail.sendmail#143

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!news.iecc.com!.POSTED.news.iecc.com!not-for-mail
From: joh...@taugh.com (John Levine)
Newsgroups: comp.mail.sendmail
Subject: How to set up authorized submission ?
Date: Sun, 16 May 2021 02:03:17 -0000 (UTC)
Organization: Taughannock Networks
Message-ID: <s7puh5$1sla$1@gal.iecc.com>
Injection-Date: Sun, 16 May 2021 02:03:17 -0000 (UTC)
Injection-Info: gal.iecc.com; posting-host="news.iecc.com:2001:470:1f07:1126:0:676f:7373:6970";
logging-data="62122"; mail-complaints-to="abuse@iecc.com"
Cleverness: some
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: johnl@iecc.com (John Levine)
 by: John Levine - Sun, 16 May 2021 02:03 UTC

I'm trying to set up the 8.17 so I can test the EAI stuff, but it's been a long time since I have set up
a sendmail system (I think the last time, there was an active uucp gateway) and I'm stuck getting
submission to work.

I would like what I think is a pretty normal setup: SMTP on port 25,
submission on port 587 which only allows relay after STARTTLS and AUTH
PLAIN or AUTH LOGIN. I have it set up on FreeBSD, the STARTTLS works
fine, I've built it with the cyrus SASL libraries, I can send and
receive mail to and from local addresses, but I can't figure out what
to put in sendmail.mc and submit.mc to get submission to work. Ideally
I'd authorize against user/pw set with saslpasswd2 but /etc/shadow
would be OK if that's hard.

Googlage finds a lot of very old stuff like for 8.10 that doesn't work. Any hints where I might
find a template for this?

TIA
--
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

Re: How to set up authorized submission ?

<s7q58i$a0q$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=144&group=comp.mail.sendmail#144

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Sat, 15 May 2021 21:56:06 -0600
Organization: TNet Consulting
Message-ID: <s7q58i$a0q$1@tncsrv09.home.tnetconsulting.net>
References: <s7puh5$1sla$1@gal.iecc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 16 May 2021 03:58:10 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="10266"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.9.0
In-Reply-To: <s7puh5$1sla$1@gal.iecc.com>
Content-Language: en-US
 by: Grant Taylor - Sun, 16 May 2021 03:56 UTC

On 5/15/21 8:03 PM, John Levine wrote:
> I would like what I think is a pretty normal setup: SMTP on port 25,
> submission on port 587 which only allows relay after STARTTLS and
> AUTH PLAIN or AUTH LOGIN.

That definitely sounds normal enough.

> I have it set up on FreeBSD, the STARTTLS works fine, I've built
> it with the cyrus SASL libraries, I can send and receive mail to
> and from local addresses, but I can't figure out what to put in
> sendmail.mc and submit.mc to get submission to work. Ideally I'd
> authorize against user/pw set with saslpasswd2 but /etc/shadow would
> be OK if that's hard.

Check the DAEMON_OPTIONS for the submission port. You probably want the
"a" modifier ("M") to "require SMTP Authentication".

Also check out the confAUTH_OPTIONS to require that a secure channel
(STARTTLS) is used when using sensitive credentials.

> Googlage finds a lot of very old stuff like for 8.10 that doesn't work.
> Any hints where I might find a template for this?

Hopefully the information above will give you what you need to refine
your searches.

--
Grant. . . .
unix || die

Re: How to set up authorized submission ?

<s7qkt2$vaj$1@news.misty.com>

https://www.novabbs.com/computers/article-flat.php?id=145&group=comp.mail.sendmail#145

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!4.us.feeder.erje.net!feeder.erje.net!goblin1!goblin3!goblin.stu.neva.ru!news.misty.com!.POSTED!not-for-mail
From: ml+sendm...@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Sun, 16 May 2021 08:25:06 +0000 (UTC)
Organization: MGT Consulting
Lines: 18
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <s7qkt2$vaj$1@news.misty.com>
References: <s7puh5$1sla$1@gal.iecc.com>
NNTP-Posting-Host: kiel.esmtp.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: news.misty.com 1621153506 32083 195.244.235.220 (16 May 2021 08:25:06 GMT)
X-Complaints-To: abuse@misty.com
NNTP-Posting-Date: Sun, 16 May 2021 08:25:06 +0000 (UTC)
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Sun, 16 May 2021 08:25 UTC

John Levine wrote:

> Googlage finds a lot of very old stuff like for 8.10 that doesn't work. Any hints

A better problem description than "doesn't work" might be useful.

If it is about getting Cyrus-SASL itself to work for sendmail the
instructions are basically the same - it's mostly about setting up
Sendmail.conf to specify which "password" backend to use.

The questions about what to set up in the .mc file have already
been answered by another reply.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Re: How to set up authorized submission ?

<s7rfh7$14fl$1@gal.iecc.com>

https://www.novabbs.com/computers/article-flat.php?id=146&group=comp.mail.sendmail#146

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!xmission!usenet.csail.mit.edu!news.iecc.com!.POSTED.news.iecc.com!not-for-mail
From: joh...@taugh.com (John Levine)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Sun, 16 May 2021 15:59:35 -0000 (UTC)
Organization: Taughannock Networks
Message-ID: <s7rfh7$14fl$1@gal.iecc.com>
References: <s7puh5$1sla$1@gal.iecc.com> <s7qkt2$vaj$1@news.misty.com>
Injection-Date: Sun, 16 May 2021 15:59:35 -0000 (UTC)
Injection-Info: gal.iecc.com; posting-host="news.iecc.com:2001:470:1f07:1126:0:676f:7373:6970";
logging-data="37365"; mail-complaints-to="abuse@iecc.com"
In-Reply-To: <s7puh5$1sla$1@gal.iecc.com> <s7qkt2$vaj$1@news.misty.com>
Cleverness: some
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: johnl@iecc.com (John Levine)
 by: John Levine - Sun, 16 May 2021 15:59 UTC

According to Claus Aßmann <ml+sendmail(-no-copies-please)@esmtp.org>:
>If it is about getting Cyrus-SASL itself to work for sendmail the
>instructions are basically the same - it's mostly about setting up
>Sendmail.conf to specify which "password" backend to use.

Ah, that is helpful, since there is no clue in the documentation that Sendmail.conf even exists.

--
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

Re: How to set up authorized submission ?

<s84gvq$28gp$1@gal.iecc.com>

https://www.novabbs.com/computers/article-flat.php?id=149&group=comp.mail.sendmail#149

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!xmission!usenet.csail.mit.edu!news.iecc.com!.POSTED.news.iecc.com!not-for-mail
From: joh...@taugh.com (John Levine)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Thu, 20 May 2021 02:19:38 -0000 (UTC)
Organization: Taughannock Networks
Message-ID: <s84gvq$28gp$1@gal.iecc.com>
References: <s7puh5$1sla$1@gal.iecc.com> <s7q58i$a0q$1@tncsrv09.home.tnetconsulting.net>
Injection-Date: Thu, 20 May 2021 02:19:38 -0000 (UTC)
Injection-Info: gal.iecc.com; posting-host="news.iecc.com:2001:470:1f07:1126:0:676f:7373:6970";
logging-data="74265"; mail-complaints-to="abuse@iecc.com"
In-Reply-To: <s7puh5$1sla$1@gal.iecc.com> <s7q58i$a0q$1@tncsrv09.home.tnetconsulting.net>
Cleverness: some
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: johnl@iecc.com (John Levine)
 by: John Levine - Thu, 20 May 2021 02:19 UTC

It appears that Grant Taylor <gtaylor@tnetconsulting.net> said:
>On 5/15/21 8:03 PM, John Levine wrote:
>> I would like what I think is a pretty normal setup: SMTP on port 25,
>> submission on port 587 which only allows relay after STARTTLS and
>> AUTH PLAIN or AUTH LOGIN.
>
>That definitely sounds normal enough.

Well, I'm pretty close. I have O'Reilly's Sendmail Cookbook from 2003, and stared at a certain
amount of source code.

First I built sendmail with the PLAIN and LOGIN auth methods by overriding the AUTH_MECHANISMS define.
To my surprise, this worked:

dnl for sasl
APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
dnl include all SASL methods
APPENDDEF(`conf_sendmail_ENVDEF',`-DAUTH_MECHANISMS="\"EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 PLAIN LOGIN\""')

Then I installed the FreeBSD packages for cyrus-sasl and cyrus-saslauthd. It turns out that the nearly undocumented
/usr/local/lib/sasl2/Sendmail.conf already contains "pwcheck_method: saslauthd", so I started
the sasl daemon with args "-a sasldb" rather than the default "-a pam".

Then I set up sendmail.mc to do just LOGIN and PLAIN after STARTTLS on port 587, no auth on port 25:

dnl Enable port 25 for both IPv4 and IPv6 with no auth
DAEMON_OPTIONS(`Name=IPv4, Family=inet, M=A')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, M=A')

FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Name=MSA, Port=587, M=Eac')
dnl require STARTTLS
define(`confAUTH_OPTIONS', `p')
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')

Now I can connect to port 587, log in, and authenticate. The only thing I can't do is send mail:

At my end:

21:53:10.618705 send: 'AUTH PLAIN AGVhaXRlewyc3Hh4\r\n'
21:53:10.665909 reply: b'235 2.0.0 OK Authenticated\r\n'
21:53:10.666115 reply: retcode (235); Msg: b'2.0.0 OK Authenticated'
logged in as eaitest

On the server:

May 20 01:53:10 xn--5nq21jyu9d1ta sm-mta[49767]: STARTTLS=server, relay=[64.246.232.221], version=TLSv1.3, verify=NO, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
May 20 01:53:10 xn--5nq21jyu9d1ta sm-mta[49767]: AUTH=server, relay=[64.246.232.221], authid=eaitest, mech=PLAIN, bits=0
May 20 01:53:10 xn--5nq21jyu9d1ta sm-mta[49767]: 14K1rAnE049767: ruleset=check_rcpt, arg1=<johnl@iecc.com>, relay=[64.246.232.221], reject=550 5.7.1 <johnl@iecc.com>... Relaying denied. IP name lookup failed [64.246.232.221]
May 20 01:53:10 xn--5nq21jyu9d1ta sm-mta[49767]: 14K1rAnE049767: from=<eaitest@smeai.services.net>, size=44, class=0, nrcpts=0, proto=UTF8SMTPSA, daemon=MSA, relay=[64.246.232.221]

I presume I have to tweak check_rcpt to allow me to send mail once authenticated. Uh, a hint or two would be appreciated.

-- not urgent question --

Is there a way to do submits on port 465? It's like the MSA on 587 but does the TLS handshake when it connects, like https does.

--- Sort of bug report ---

The default config for AUTH allows CRAM-MD5 and DIGEST-MD5 but not
LOGIN or PLAIN, presumably because 20 years ago few SMTP sessions used
TLS and you can't recover the password by snooping. But now everyone
does TLS, and those two methods require that the server store the
plaintext passwords or a fragile prehash of them.

The IETF has considered CRAM-MD5 to be obsolete since 2008, and
DIGEST-MD5 obsolete since 2011, see RFC 6331. These days the preferred
AUTH is LOGIN or PLAIN protected by STARTTLS, so it would be a
kindness to future sendmail users to make that the default, or at
least compile in LOGIN and PLAIN, and package up the settings as an
easy to find option.

--
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
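
The comparison in the post above (PLAIN/LOGIN over TLS versus CRAM-MD5/DIGEST-MD5) is easier to see with the exchanges written out. The following is an added example, not code from the thread or from sendmail or Cyrus-SASL. The username eaitest is the authid in the posted log; the password, the CRAM-MD5 challenge and the word list are constructed for illustration.

```python
"""SASL PLAIN, LOGIN and CRAM-MD5 as the client sends them, and what the
server needs in order to verify each. Added example, not code from the
thread or from sendmail/Cyrus-SASL. "eaitest" is the authid from the
posted log; the password, challenge and word list are constructed."""
from __future__ import annotations
import base64
import hashlib
import hmac

def plain_initial_response(authcid: str, password: str, authzid: str = "") -> str:
    """RFC 4616: base64(authzid NUL authcid NUL passwd), sent as the
    argument of 'AUTH PLAIN'. On a cleartext session this IS the password."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(blob: str) -> tuple[str, str, str]:
    """Inverse: recover (authzid, authcid, password) from a captured
    'AUTH PLAIN <blob>' line, which is all a passive observer has to do."""
    parts = base64.b64decode(blob).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd

def login_exchange(username: str, password: str) -> list[str]:
    """AUTH LOGIN: the two base64 lines sent in reply to the server's
    'Username:' and 'Password:' prompts. Same exposure as PLAIN."""
    return [base64.b64encode(username.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii")]

def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """RFC 2195 client side: base64(username SP hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("ascii")).decode("ascii")

def cram_md5_verify(stored_password: str, challenge: bytes, response: str) -> bool:
    """Server side. The HMAC can only be recomputed from the password itself
    (or from the MD5 ipad/opad states keyed with it, which are password
    equivalent), so a salted one-way hash as in /etc/shadow cannot be used.
    That is the storage cost the post refers to."""
    _username, _, digest = base64.b64decode(response).decode("ascii").partition(" ")
    expected = hmac.new(stored_password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def cram_md5_offline_guess(challenge: bytes, response: str, candidates: list[str]) -> str | None:
    """What a passive observer can do with one recorded challenge/response
    pair: try candidate passwords offline until the HMAC matches. CRAM-MD5
    keeps the password off the wire but not out of reach of guessing."""
    for candidate in candidates:
        if cram_md5_verify(candidate, challenge, response):
            return candidate
    return None

# Constructed sample session: an eavesdropper's view of each mechanism.
USERNAME, PASSWORD = "eaitest", "s3cret"
CHALLENGE = b"<1896.697170952@mail.example.test>"   # constructed, RFC 2195 style

if __name__ == "__main__":
    blob = plain_initial_response(USERNAME, PASSWORD)
    print("AUTH PLAIN", blob, "->", decode_plain(blob))
    print("AUTH LOGIN", login_exchange(USERNAME, PASSWORD))
    resp = cram_md5_response(USERNAME, PASSWORD, CHALLENGE)
    print("CRAM-MD5 guessed:", cram_md5_offline_guess(CHALLENGE, resp, ["password", "s3cret", "hunter2"]))
```

The PLAIN blob starts with the same "AGVhaXRl" prefix as the one in the posted client trace, because that prefix is just base64 of a NUL followed by the start of the username; decode_plain is what you run on such a line from a verbose client log or a packet capture when the session was not encrypted.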

Re: How to set up authorized submission ?

<s84j7g$2d4d$1@gal.iecc.com>

https://www.novabbs.com/computers/article-flat.php?id=150&group=comp.mail.sendmail#150

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.cmpublishers.com!adore2!news.iecc.com!.POSTED.news.iecc.com!not-for-mail
From: joh...@taugh.com (John Levine)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Thu, 20 May 2021 02:57:52 -0000 (UTC)
Organization: Taughannock Networks
Message-ID: <s84j7g$2d4d$1@gal.iecc.com>
References: <s7puh5$1sla$1@gal.iecc.com> <s7q58i$a0q$1@tncsrv09.home.tnetconsulting.net> <s84gvq$28gp$1@gal.iecc.com>
Injection-Date: Thu, 20 May 2021 02:57:52 -0000 (UTC)
Injection-Info: gal.iecc.com; posting-host="news.iecc.com:2001:470:1f07:1126:0:676f:7373:6970";
logging-data="78989"; mail-complaints-to="abuse@iecc.com"
In-Reply-To: <s7puh5$1sla$1@gal.iecc.com> <s7q58i$a0q$1@tncsrv09.home.tnetconsulting.net> <s84gvq$28gp$1@gal.iecc.com>
Cleverness: some
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: johnl@iecc.com (John Levine)
 by: John Levine - Thu, 20 May 2021 02:57 UTC

According to John Levine <johnl@taugh.com>:
>
>Now I can connect to port 587, log in, and authenticate. The only thing I can't do is send mail:

Never mind, the sendmail cookbook came through with TRUST_AUTH_MECH:

FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Name=MSA, Port=587, M=Eac')
dnl require STARTTLS
define(`confAUTH_OPTIONS', `p')
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')
TRUST_AUTH_MECH(`LOGIN PLAIN')

Today's question is how I tell it that it's OK for an authenticated user to send
mail with some other address in the envelope or From: header. I expect it's also
in the cookbook but I don't know what it's called. Doesn't look like masquerade is quite it.

--
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

Re: How to set up authorized submission ?

<s84p1l$2f5$1@news.misty.com>

https://www.novabbs.com/computers/article-flat.php?id=151&group=comp.mail.sendmail#151

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!4.us.feeder.erje.net!3.eu.feeder.erje.net!feeder.erje.net!goblin1!goblin3!goblin.stu.neva.ru!news.misty.com!.POSTED!not-for-mail
From: ml+sendm...@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Thu, 20 May 2021 04:37:09 +0000 (UTC)
Organization: MGT Consulting
Lines: 12
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <s84p1l$2f5$1@news.misty.com>
References: <s7puh5$1sla$1@gal.iecc.com> <s7q58i$a0q$1@tncsrv09.home.tnetconsulting.net> <s84gvq$28gp$1@gal.iecc.com> <s84j7g$2d4d$1@gal.iecc.com>
NNTP-Posting-Host: kiel.esmtp.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: news.misty.com 1621485429 2533 195.244.235.220 (20 May 2021 04:37:09 GMT)
X-Complaints-To: abuse@misty.com
NNTP-Posting-Date: Thu, 20 May 2021 04:37:09 +0000 (UTC)
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Thu, 20 May 2021 04:37 UTC

John Levine wrote:

> Today's question is how I tell it that it's OK for an authenticated user to send
> mail with some other address in the envelope or From: header. I expect it's also

Have you simply tried it?

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Re: How to set up authorized submission ?

<s84q3p$2ts$1@news.misty.com>

https://www.novabbs.com/computers/article-flat.php?id=152&group=comp.mail.sendmail#152

Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!3.eu.feeder.erje.net!feeder.erje.net!goblin1!goblin3!goblin.stu.neva.ru!news.misty.com!.POSTED!not-for-mail
From: ml+sendm...@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Thu, 20 May 2021 04:55:21 +0000 (UTC)
Organization: MGT Consulting
Lines: 61
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <s84q3p$2ts$1@news.misty.com>
References: <s7puh5$1sla$1@gal.iecc.com> <s7q58i$a0q$1@tncsrv09.home.tnetconsulting.net> <s84gvq$28gp$1@gal.iecc.com>
NNTP-Posting-Host: kiel.esmtp.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: news.misty.com 1621486521 3004 195.244.235.220 (20 May 2021 04:55:21 GMT)
X-Complaints-To: abuse@misty.com
NNTP-Posting-Date: Thu, 20 May 2021 04:55:21 +0000 (UTC)
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Thu, 20 May 2021 04:55 UTC

John Levine wrote:

> First I built sendmail with the PLAIN and LOGIN auth methods by overriding the
> AUTH_MECHANISMS define.
> To my surprise, this worked:

Why don't you simply use the run time option?

> APPENDDEF(`conf_sendmail_ENVDEF',`-DAUTH_MECHANISMS="\"EXTERNAL GSSAPI KERBEROS_V4
> DIGEST-MD5 CRAM-MD5 PLAIN LOGIN\""')

That just sets the default.

AuthMechanisms
[no short name] List of authentication mech-
anisms for AUTH (separated by spaces). The
advertised list of authentication mechanisms
will be the intersection of this list and
the list of available mechanisms as deter-
mined by the Cyrus SASL library.

See also cf/README.

> define(`confAUTH_MECHANISMS', `LOGIN PLAIN')

Which means your compile time option is unneeded.

> I presume I have to tweak check_rcpt to allow me to send mail once authenticated.

Please read cf/README -- the sendmail documentation is fairly good...

Per default, relaying is allowed for any user who authenticated
via a "trusted" mechanism, i.e., one that is defined via
TRUST_AUTH_MECH(`list of mechanisms')
For example:
TRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5')

> Is there a way to do submits on port 465? It's like the MSA on 587 but does the TLS
> handshake when it connects, like https does.

Look in op.* for "smtps"
DaemonPortOptions=options
s Run smtps (SMTP over SSL) instead of smtp

> The default config for AUTH allows CRAM-MD5 and DIGEST-MD5 but not
> LOGIN or PLAIN, presumably because 20 years ago few SMTP sessions used
> TLS and you can't recover the password by snooping. But now everyone
^^?
> does TLS, and those two methods require that the server store the
> plaintext passwords or a fragile prehash of them.

And yet you misconfigured it...

Have you tried STARTTLS and then AUTH?

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Re: How to set up authorized submission ?

<s8603e$gli$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=153&group=comp.mail.sendmail#153

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Thu, 20 May 2021 09:41:29 -0600
Organization: TNet Consulting
Message-ID: <s8603e$gli$1@tncsrv09.home.tnetconsulting.net>
References: <s7puh5$1sla$1@gal.iecc.com>
<s7q58i$a0q$1@tncsrv09.home.tnetconsulting.net> <s84gvq$28gp$1@gal.iecc.com>
<s84j7g$2d4d$1@gal.iecc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 20 May 2021 15:43:42 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="17074"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.9.0
In-Reply-To: <s84j7g$2d4d$1@gal.iecc.com>
Content-Language: en-US
 by: Grant Taylor - Thu, 20 May 2021 15:41 UTC

On 5/19/21 8:57 PM, John Levine wrote:
> Today's question is how I tell it that it's OK for an authenticated
> user to send mail with some other address in the envelope or From:
> header.

I think that it's going to just work.

I've never had Sendmail not allow authenticated senders to use any SMTP
envelope address that they wanted to. -- Thankfully I've never
/needed/ to impose such limitations. Thus I've not looked for how to do
it. Ergo, I think you can do what you want out of the gate.

--
Grant. . . .
unix || die

Re: How to set up authorized submission ?

<s8642c$vqq$1@gal.iecc.com>

https://www.novabbs.com/computers/article-flat.php?id=154&group=comp.mail.sendmail#154

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!xmission!usenet.csail.mit.edu!news.iecc.com!.POSTED.news.iecc.com!not-for-mail
From: joh...@taugh.com (John Levine)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Thu, 20 May 2021 16:51:24 -0000 (UTC)
Organization: Taughannock Networks
Message-ID: <s8642c$vqq$1@gal.iecc.com>
References: <s7puh5$1sla$1@gal.iecc.com> <s84gvq$28gp$1@gal.iecc.com> <s84j7g$2d4d$1@gal.iecc.com> <s8603e$gli$1@tncsrv09.home.tnetconsulting.net>
Injection-Date: Thu, 20 May 2021 16:51:24 -0000 (UTC)
Injection-Info: gal.iecc.com; posting-host="news.iecc.com:2001:470:1f07:1126:0:676f:7373:6970";
logging-data="32602"; mail-complaints-to="abuse@iecc.com"
In-Reply-To: <s7puh5$1sla$1@gal.iecc.com> <s84gvq$28gp$1@gal.iecc.com> <s84j7g$2d4d$1@gal.iecc.com> <s8603e$gli$1@tncsrv09.home.tnetconsulting.net>
Cleverness: some
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: johnl@iecc.com (John Levine)
 by: John Levine - Thu, 20 May 2021 16:51 UTC

According to Grant Taylor <gtaylor@tnetconsulting.net>:
>On 5/19/21 8:57 PM, John Levine wrote:
>> Today's question is how I tell it that it's OK for an authenticated
>> user to send mail with some other address in the envelope or From:
>> header.
>
>I think that it's going to just work.

No, see other messages.

--
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

Re: How to set up authorized submission ?

<s8644e$vqq$2@gal.iecc.com>

https://www.novabbs.com/computers/article-flat.php?id=155&group=comp.mail.sendmail#155

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.cmpublishers.com!adore2!news.iecc.com!.POSTED.news.iecc.com!not-for-mail
From: joh...@taugh.com (John Levine)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Thu, 20 May 2021 16:52:30 -0000 (UTC)
Organization: Taughannock Networks
Message-ID: <s8644e$vqq$2@gal.iecc.com>
References: <s7puh5$1sla$1@gal.iecc.com> <s7q58i$a0q$1@tncsrv09.home.tnetconsulting.net> <s84gvq$28gp$1@gal.iecc.com> <s84q3p$2ts$1@news.misty.com>
Injection-Date: Thu, 20 May 2021 16:52:30 -0000 (UTC)
Injection-Info: gal.iecc.com; posting-host="news.iecc.com:2001:470:1f07:1126:0:676f:7373:6970";
logging-data="32602"; mail-complaints-to="abuse@iecc.com"
In-Reply-To: <s7puh5$1sla$1@gal.iecc.com> <s7q58i$a0q$1@tncsrv09.home.tnetconsulting.net> <s84gvq$28gp$1@gal.iecc.com> <s84q3p$2ts$1@news.misty.com>
Cleverness: some
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: johnl@iecc.com (John Levine)
 by: John Levine - Thu, 20 May 2021 16:52 UTC

It appears that Claus Aßmann <ml+sendmail(-no-copies-please)@esmtp.org> said:
>> APPENDDEF(`conf_sendmail_ENVDEF',`-DAUTH_MECHANISMS="\"EXTERNAL GSSAPI KERBEROS_V4
>> DIGEST-MD5 CRAM-MD5 PLAIN LOGIN\""')
>
>That just sets the default.

So I now see. I was confused because I didn't realize that it treated
different AUTH mechanisms differently and some are handled as "more
secure" than others. That is just strange -- every client library I
know just tries all the mechanisms until one works.

>Please read cf/README -- the sendmail documentation is fairly good...
>
> Per default, relaying is allowed for any user who authenticated
> via a "trusted" mechanism, i.e., one that is defined via
> TRUST_AUTH_MECH(`list of mechanisms')
> For example:
> TRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5')

See other message, I found that in the cookbook. It is still strange that some auth methods
are "more secure". Having used a lot of MTAs, I think I can say with confidence that nobody
else does that. I also don't think anyone else shows a different list before and after STARTTLS.
They often show no AUTH at all before STARTTLS, but not a truncated list.

>> Is there a way to do submits on port 465? It's like the MSA on 587 but does the TLS
>> handshake when it connects, like https does.
>
>Look in op.* for "smtps"
> DaemonPortOptions=options
> s Run smtps (SMTP over SSL) instead of smtp

Aha. That worked:

dnl Enable for both IPv4 and IPv6 (optional) with no auth
DAEMON_OPTIONS(`Name=IPv4, Family=inet, M=A')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, M=A')

dnl set up MSAs
FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Name=Submit4, Family=inet, Port=587, M=Eac')
DAEMON_OPTIONS(`Name=Submit6, Family=inet6, Port=587, M=Eac')
DAEMON_OPTIONS(`Name=Submits4, Family=inet, Port=465, M=Eacs')
DAEMON_OPTIONS(`Name=Submits6, Family=inet6, Port=465, M=Eacs')

dnl require STARTTLS
define(`confAUTH_OPTIONS', `p')
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')
TRUST_AUTH_MECH(`LOGIN PLAIN')

>> The default config for AUTH allows CRAM-MD5 and DIGEST-MD5 but not
>> LOGIN or PLAIN, presumably because 20 years ago few SMTP sessions used
>> TLS and you can't recover the password by snooping. But now everyone
> ^^?
>> does TLS, and those two methods require that the server store the
>> plaintext passwords or a fragile prehash of them.
>
>And yet you misconfigured it...

No kidding. Have I mentioned that the sasl documentation is nearly nonexistent? Lucky for me
that this newsgroup still exists.

I had one other question about overriding from addresses but the cookbook pointed me at trusted users
so I think I'm OK there.

Now on to EAI testing. It seems generally to work but I have some suggestions about implementation choices.

R's,
John
--
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
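
To confirm that listeners built from the configuration in the post above behave as intended (no AUTH on 25, PLAIN and LOGIN on 587 only after STARTTLS, AUTH available on 465 from the first byte, and no CRAM-MD5 or DIGEST-MD5 anywhere), the EHLO replies before and after STARTTLS can be checked mechanically. This is an added example, not code from the thread or from sendmail; the hostnames and EHLO replies are constructed, and only probe() talks to a real server.

```python
"""Check what a listener advertises before and after STARTTLS against the
policy the thread converges on: no AUTH on 25; on 587 PLAIN/LOGIN only
after STARTTLS; AUTH on 465 from the first byte; no CRAM-MD5/DIGEST-MD5.
Added example, not code from the thread or from sendmail. The EHLO
replies and hostnames below are constructed; only probe() talks to a
real server and it is not needed for the offline checks."""
from __future__ import annotations
import smtplib

OBSOLETE = {"CRAM-MD5", "DIGEST-MD5"}       # obsoleted by RFC 6331, as the thread notes
CLEARTEXT_EQUIVALENT = {"PLAIN", "LOGIN"}  # password readable by a passive observer

def parse_ehlo(text: str) -> dict[str, list[str]]:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [params]}.
    The first line is the greeting, not a capability."""
    caps: dict[str, list[str]] = {}
    for i, line in enumerate(text.strip().splitlines()):
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        if i == 0:
            continue
        key, _, rest = line[4:].strip().partition(" ")
        if key.upper().startswith("AUTH="):      # legacy 'AUTH=MECH ...' spelling
            rest = key[5:] + " " + rest
            key = "AUTH"
        caps[key.upper()] = rest.upper().split()
    return caps

def check(port: int, before_tls: dict[str, list[str]],
          after_tls: dict[str, list[str]] | None) -> list[str]:
    """Return policy findings for one listener. after_tls is None when no
    STARTTLS upgrade happened (port 25 here, or an implicit-TLS 465 session)."""
    findings: list[str] = []
    pre_auth = set(before_tls.get("AUTH", []))
    post_auth = set(after_tls.get("AUTH", [])) if after_tls else set()
    if port == 25:
        if pre_auth or post_auth:
            findings.append("port 25 advertises AUTH; the MTA listener should run with M=A")
        return findings
    if port == 587:
        if "STARTTLS" not in before_tls:
            findings.append("port 587 does not offer STARTTLS")
        leaked = pre_auth & CLEARTEXT_EQUIVALENT
        if leaked:
            findings.append(f"port 587 offers {sorted(leaked)} before STARTTLS; set confAUTH_OPTIONS p")
        encrypted_auth = post_auth
    else:
        encrypted_auth = pre_auth                # 465: encrypted before EHLO is ever sent
    if not encrypted_auth:
        findings.append(f"port {port} offers no AUTH on the encrypted channel")
    stale = (pre_auth | post_auth) & OBSOLETE
    if stale:
        findings.append(f"port {port} still offers obsolete {sorted(stale)}")
    return findings

def _features(s: smtplib.SMTP) -> dict[str, list[str]]:
    # smtplib keeps 'auth' params as one string; tolerate the 'AUTH=' spelling
    return {k.upper(): v.upper().replace("=", " ").split() for k, v in s.esmtp_features.items()}

def probe(host: str, port: int, timeout: float = 10.0) -> list[str]:
    """Live check: EHLO, STARTTLS where offered, EHLO again, then check()."""
    if port == 465:
        with smtplib.SMTP_SSL(host, port, timeout=timeout) as s:
            s.ehlo()
            return check(port, _features(s), None)
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before, after = _features(s), None
        if s.has_extn("starttls"):
            s.starttls()          # verifies the server certificate with the default context
            s.ehlo()
            after = _features(s)
        return check(port, before, after)

# Constructed EHLO replies modelled on a sendmail MSA with M=Eac and confAUTH_OPTIONS p.
GOOD_587_BEFORE = """250-mail.example.test Hello client.example.test, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-STARTTLS
250 HELP
"""
GOOD_587_AFTER = GOOD_587_BEFORE.replace("250-STARTTLS\n", "250-AUTH LOGIN PLAIN\n")
BAD_587_BEFORE = GOOD_587_BEFORE.replace("250-STARTTLS\n", "250-STARTTLS\n250-AUTH CRAM-MD5 DIGEST-MD5 LOGIN PLAIN\n")
GOOD_25 = GOOD_587_BEFORE
BAD_25 = GOOD_587_BEFORE.replace("250-8BITMIME\n", "250-8BITMIME\n250-AUTH=LOGIN PLAIN\n")

if __name__ == "__main__":
    for port, before, after in [(587, GOOD_587_BEFORE, GOOD_587_AFTER),
                                (587, BAD_587_BEFORE, GOOD_587_AFTER),
                                (25, BAD_25, None)]:
        print(port, check(port, parse_ehlo(before), parse_ehlo(after) if after else None) or "ok")
```

Run probe("your.msa.example", 587) and probe("your.msa.example", 465) against the host (hypothetical name) once the daemon is up; an empty list means the listener matches the policy. The offline samples show the two failure modes the thread discusses: PLAIN/LOGIN advertised before STARTTLS (confAUTH_OPTIONS p missing) and AUTH present on the port 25 MTA listener (M=A missing).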

Re: How to set up authorized submission ?

<s867jk$l5v$1@news.misty.com>

https://www.novabbs.com/computers/article-flat.php?id=156&group=comp.mail.sendmail#156

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!4.us.feeder.erje.net!2.eu.feeder.erje.net!feeder.erje.net!newsfeed.xs4all.nl!newsfeed9.news.xs4all.nl!goblin2!goblin3!goblin.stu.neva.ru!news.misty.com!.POSTED!not-for-mail
From: ml+sendm...@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Thu, 20 May 2021 17:51:49 +0000 (UTC)
Organization: MGT Consulting
Lines: 40
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <s867jk$l5v$1@news.misty.com>
References: <s7puh5$1sla$1@gal.iecc.com> <s84gvq$28gp$1@gal.iecc.com> <s84q3p$2ts$1@news.misty.com> <s8644e$vqq$2@gal.iecc.com>
NNTP-Posting-Host: kiel.esmtp.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: news.misty.com 1621533109 21695 195.244.235.220 (20 May 2021 17:51:49 GMT)
X-Complaints-To: abuse@misty.com
NNTP-Posting-Date: Thu, 20 May 2021 17:51:49 +0000 (UTC)
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Thu, 20 May 2021 17:51 UTC

John Levine wrote:

Please stop sending me copies via e-mail - esp. if your software
messes up the address.

> It is still
> strange that some auth methods are "more secure".

What is strange about that? The Cyrus-SASL docs as well as the
RFCs about the various mechanisms explain the security implications.

> of MTAs, I think I can say with confidence that nobody else does
> that. I also don't think anyone else shows a different list before
> and after STARTTLS.

Not my problem - seems the code we got from the Cyrus-SASL developers
is "better" (more functionality)... and sendmail supported AUTH
before STARTTLS.

Cyrus-SASL has a lot of features and sendmail simply makes those
available:

AuthOptions
a protection from active (non-dictionary) attacks
during authentication exchange.
d don't permit mechanisms susceptible to passive
dictionary attack.
f require forward secrecy between sessions
(breaking one won't help break next).
m require mechanisms which provide mutual authentication
(only available if using Cyrus SASL v2 or later).
p don't permit mechanisms susceptible to simple
passive attack (e.g., PLAIN, LOGIN), unless a
security layer is active.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Re: How to set up authorized submission ?

<s86fbm$1v6f$1@gal.iecc.com>

https://www.novabbs.com/computers/article-flat.php?id=157&group=comp.mail.sendmail#157

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!xmission!usenet.csail.mit.edu!news.iecc.com!.POSTED.news.iecc.com!not-for-mail
From: joh...@taugh.com (John Levine)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Thu, 20 May 2021 20:04:06 -0000 (UTC)
Organization: Taughannock Networks
Message-ID: <s86fbm$1v6f$1@gal.iecc.com>
References: <s7puh5$1sla$1@gal.iecc.com> <s84q3p$2ts$1@news.misty.com> <s8644e$vqq$2@gal.iecc.com> <s867jk$l5v$1@news.misty.com>
Injection-Date: Thu, 20 May 2021 20:04:06 -0000 (UTC)
Injection-Info: gal.iecc.com; posting-host="news.iecc.com:2001:470:1f07:1126:0:676f:7373:6970";
logging-data="64719"; mail-complaints-to="abuse@iecc.com"
In-Reply-To: <s7puh5$1sla$1@gal.iecc.com> <s84q3p$2ts$1@news.misty.com> <s8644e$vqq$2@gal.iecc.com> <s867jk$l5v$1@news.misty.com>
Cleverness: some
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: johnl@iecc.com (John Levine)
 by: John Levine - Thu, 20 May 2021 20:04 UTC

It appears that Claus Aßmann <ml+sendmail(-no-copies-please)@esmtp.org> said:
>> It is still strange that some auth methods are "more secure".
>
>What is strange about that? The Cyrus-SASL docs as well as the
>RFCs about the various mechanisms explain the security implications.

Well, yes, the RFCs say CRAM-MD5 and DIGEST-MD5 were deprecated a
decade ago. It's easy enough to turn them off, and I suppose it's
unlikely that anyone who cares about this stuff will use the
defaults.

>Not my problem - seems the code we got from the Cyrus-SASL developers
>is "better" (more functionality)... and sendmail supported AUTH
>before STARTTLS.

I understand there is a lot of 20 year old code, but it doesn't mean
that the 20 year old code is still all fit for purpose. AUTH without
STARTTLS allows an attack where a MITM hijacks the session after the
AUTH response. That seems unlikely outside of environments with
students with nothing better to do, but it's one of the reasons a lot
of us don't allow any AUTH before STARTTLS, and why we put valid certs
on our mail servers.

--
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
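A way to check the points raised above (AUTH advertised before STARTTLS, the deprecated MD5 mechanisms, and a certificate that actually verifies) against your own submission port. This is an added example, not code from this thread or from sendmail; the host name and the EHLO replies are constructed, and the live check in probe() is a hypothetical helper around the standard smtplib calls.

```python
import smtplib
import ssl
DEPRECATED = {"CRAM-MD5", "DIGEST-MD5"}  # RFC 6331 moved DIGEST-MD5 to Historic
PLAINTEXT = {"PLAIN", "LOGIN"}           # hand the password to the server as-is

def auth_mechs(ehlo_reply: bytes) -> set[str]:
    """Mechanisms from the AUTH keyword of an EHLO reply ("250-AUTH ..." lines,
    smtplib's ehlo_resp without codes, or the old "AUTH=PLAIN LOGIN" form)."""
    mechs = set()
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        if line[:3] == "250" and line[3:4] in ("-", " "):
            line = line[4:]  # drop the reply code
        words = line.upper().split()
        if words and words[0] == "AUTH":
            mechs.update(words[1:])
        elif words and words[0].startswith("AUTH="):
            mechs.add(words[0][5:])
            mechs.update(words[1:])
    return mechs

def assess(before: set[str], after: set[str]) -> list[str]:
    """Findings for the mechanism sets seen before and after STARTTLS."""
    findings = []
    if before:
        findings.append("AUTH advertised before STARTTLS: a MITM can take over "
                        "the session once the client has authenticated")
    if before & PLAINTEXT:
        findings.append("password-revealing mechanisms offered without TLS: "
                        + ", ".join(sorted(before & PLAINTEXT)))
    if (before | after) & DEPRECATED:
        findings.append("deprecated mechanisms enabled: "
                        + ", ".join(sorted((before | after) & DEPRECATED)))
    return findings

def probe(host: str, port: int = 587) -> tuple[set[str], set[str]]:
    """Live check against a real server: EHLO, verified STARTTLS, EHLO again."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        before = auth_mechs(s.ehlo_resp)
        after: set[str] = set()
        if s.has_extn("starttls"):
            # default context verifies chain and host name: a bad cert fails here
            s.starttls(context=ssl.create_default_context())
            s.ehlo()
            after = auth_mechs(s.ehlo_resp)
    return before, after

# Constructed EHLO replies for offline use (not captured from any real server).
SAMPLE_BEFORE = b"250-mail.example.test\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5\r\n250 8BITMIME"
SAMPLE_AFTER = b"250-mail.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"
```

Run assess(*probe("mail.example.test")) against a server of your own; an empty result means no AUTH before STARTTLS, no MD5 mechanisms, and a certificate the default trust store accepts.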

Re: How to set up authorized submission ?

<s875u6$va9$1@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=158&group=comp.mail.sendmail#158

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Thu, 20 May 2021 20:27:12 -0600
Organization: TNet Consulting
Message-ID: <s875u6$va9$1@tncsrv09.home.tnetconsulting.net>
References: <s7puh5$1sla$1@gal.iecc.com> <s84gvq$28gp$1@gal.iecc.com>
<s84j7g$2d4d$1@gal.iecc.com> <s8603e$gli$1@tncsrv09.home.tnetconsulting.net>
<s8642c$vqq$1@gal.iecc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 21 May 2021 02:29:26 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="32073"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.9.0
In-Reply-To: <s8642c$vqq$1@gal.iecc.com>
Content-Language: en-US
 by: Grant Taylor - Fri, 21 May 2021 02:27 UTC

On 5/20/21 10:51 AM, John Levine wrote:
> No, see other messages.

I'm not sure what other message you're referring to.

Then we have something significantly different between our systems.

I just confirmed and I have exactly one (1) SMTP client configuration
for my mail server. I have four (4) IMAP client configurations for the
same mail server and each is using unique SMTP envelope from addresses
with the same single SMTP client configuration. One of the IMAP client
configurations has sixteen (16) alternate identities, each with their
own unique SMTP envelope from address. That's a total of twenty (20)
different SMTP envelope from addresses that I use through the single
SMTP client configuration. Many of those alternate identities aren't
actually configured as an address and instead are part of a wildcard in
virtusertable for incoming addresses to a sub-domain.

Hence why I say that "I think that it's going to just work" ... "for an
authenticated user to send mail with some other address in the envelope
or From: header."

I would like to know what is different so that I have a tool to put in
the tool box in case I ever have a need to lock down so that the
authenticating account can only send as specific pre-approved addresses.

--
Grant. . . .
unix || die

Re: How to set up authorized submission ?

<s877tc$13fo$1@gal.iecc.com>


https://www.novabbs.com/computers/article-flat.php?id=159&group=comp.mail.sendmail#159

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.cmpublishers.com!adore2!news.iecc.com!.POSTED.news.iecc.com!not-for-mail
From: joh...@taugh.com (John Levine)
Newsgroups: comp.mail.sendmail
Subject: Re: How to set up authorized submission ?
Date: Fri, 21 May 2021 03:03:08 -0000 (UTC)
Organization: Taughannock Networks
Message-ID: <s877tc$13fo$1@gal.iecc.com>
References: <s7puh5$1sla$1@gal.iecc.com> <s8603e$gli$1@tncsrv09.home.tnetconsulting.net> <s8642c$vqq$1@gal.iecc.com> <s875u6$va9$1@tncsrv09.home.tnetconsulting.net>
Injection-Date: Fri, 21 May 2021 03:03:08 -0000 (UTC)
Injection-Info: gal.iecc.com; posting-host="news.iecc.com:2001:470:1f07:1126:0:676f:7373:6970";
logging-data="36344"; mail-complaints-to="abuse@iecc.com"
In-Reply-To: <s7puh5$1sla$1@gal.iecc.com> <s8603e$gli$1@tncsrv09.home.tnetconsulting.net> <s8642c$vqq$1@gal.iecc.com> <s875u6$va9$1@tncsrv09.home.tnetconsulting.net>
Cleverness: some
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: johnl@iecc.com (John Levine)
 by: John Levine - Fri, 21 May 2021 03:03 UTC

According to Grant Taylor <gtaylor@tnetconsulting.net>:
>On 5/20/21 10:51 AM, John Levine wrote:
>> No, see other messages.
>
>I'm not sure what other message you're referring to.

The one about TRUST_AUTH_MECH(`LOGIN PLAIN')

For changing the From address, the incantation seems to be:

FEATURE(`use_ct_file')

--
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
