Configuring SMTP authentication on the MTA provides a number of benefits. SMTP authentication adds a layer of security to Sendmail, and provides mobile users who switch hosts the ability to use the same MTA without the need to reconfigure their mail client's settings each time.
Install security/cyrus-sasl2
from the Ports Collection. This port supports a number of
compile-time options. For the SMTP authentication method
demonstrated in this example, make sure that
LOGIN
is not disabled.
After installing
security/cyrus-sasl2, edit
/usr/local/lib/sasl2/Sendmail.conf
,
or create it if it does not exist, and add the following
line:
pwcheck_method: saslauthd
Next, install
security/cyrus-sasl2-saslauthd and add
the following line to
/etc/rc.conf
:
saslauthd_enable="YES"
Finally, start the saslauthd daemon:
#
service saslauthd start
This daemon serves as a broker for Sendmail to authenticate against the FreeBSD passwd(5) database. This saves the trouble of creating a new set of usernames and passwords for each user that needs to use SMTP authentication, and keeps the login and mail password the same.
Next, edit /etc/make.conf
and add
the following lines:
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL SENDMAIL_LDADD=/usr/local/lib/libsasl2.so
These lines provide Sendmail the proper configuration options for linking to cyrus-sasl2 at compile time. Make sure that cyrus-sasl2 has been installed before recompiling Sendmail.
Recompile Sendmail by executing the following commands:
#
cd /usr/src/lib/libsmutil
#
make cleandir && make obj && make
#
cd /usr/src/lib/libsm
#
make cleandir && make obj && make
#
cd /usr/src/usr.sbin/sendmail
#
make cleandir && make obj && make && make install
This compile should not have any problems if
/usr/src
has not changed extensively
and the shared libraries it needs are available.
After Sendmail has been
compiled and reinstalled, edit
/etc/mail/freebsd.mc
or the local
.mc
. Many administrators choose
to use the output from hostname(1) as the name of
.mc
for uniqueness. Add these
lines:
dnl set SASL options TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
These options configure the different methods available to Sendmail for authenticating users. To use a method other than pwcheck, refer to the Sendmail documentation.
Finally, run make(1) while in
/etc/mail
. That will run the new
.mc
and create a
.cf
named either
freebsd.cf
or the name used for the
local .mc
. Then, run make
install restart
, which will copy the file to
sendmail.cf
, and properly restart
Sendmail. For more information
about this process, refer to
/etc/mail/Makefile
.
To test the configuration, use a MUA to
send a test message. For further investigation, set the
LogLevel
of Sendmail
to 13
and watch
/var/log/maillog
for any errors.
For more information, refer to SMTP authentication.
All FreeBSD documents are available for download at https://download.freebsd.org/ftp/doc/
Questions that are not answered by the
documentation may be
sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.