edwardspl@xxxxxxxxxx schrieb: > Hello Alex, > > So, how to modify the mc file for using sasl ? > > Edward. Edward, the sendmail.mc shipping with Fedora already contains the required "switches" to configure Sendmail providing SMTP AUTH (which makes use of SASL). Besides one of those lines they all are commented by a leading "dnl" (M4 syntax). What is set active is define(`confAUTH_OPTIONS', `A')dnl >From cf/README that setting says: If this option is 'A' then the AUTH= parameter for the MAIL FROM command is only issued when authentication succeeded. Other values (which should be listed one after the other without any intervening characters except for space or comma) are a, c, d, f, p, and y. See doc/op/op.me for details. A different setting of confAUTH_OPTIONS is pre-defined but commented as well, which will Sendmail instruct to only allow plaintext authentication if the connection is TLS/SSL protected, so does not transport the auth credentials in readable plain text over the wire. That is a good and recommended choice but requires to have a working STARTTLS configuration setup as well. The other 2 pre-definitions Sendmail needs to provide AUTH as part of ESMTP are dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLA IN')dnl As you see, they are by default commented. TRUST_AUTH_MECH is related to the trust_auth ruleset. The ruleset trust_auth is used to determine whether a given AUTH= parameter (that is passed to this ruleset) should be trusted. Per default, relaying is allowed for any user who authenticated via a "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH(`list of mechanisms'). So it is ok to set this to a full list of mechs which you would like to have available for advanced AUTH setups. The confAUTH_MECHANISMS is a list of authentication mechanisms for AUTH (separated by spaces). The advertised list of authentication mechanisms will be the intersection of this list and the list of available mechanisms as determined by the CYRUS SASL library. By default those mechs are set to GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5. To not confuse the clients which will try to make use of AUTH that list of auth mechanisms should be set to what your system really can handle. As said in my previous posting, using saslauthd from cyrus-sasl, you can not make use of DIGEST-MD5 and CRAM-MD5 due to the way those work. Using sasldb as a backend you on the other hand could provide -MD5 mechs. EXTERNAL would delegate the authentication to a different service. Offering GSSAPI practically means you have a working Kerberos setup. Of course you too will have to make sure that all required cyrus-sasl rpms are installed. I.e. for providing LOGIN and/or PLAIN you need to have cyrus-sasl-plain installed. For the 2 -MD5 mechs you need cyrus-sasl-md5. So far about the settings inside the sendmail.mc. Please install the sendmail-doc rpm to be able to read your own through the cf/README and op.me documents. To be able to apply the changes within the sendmail.mc to the sendmail.cf, which is the configuration which Sendmail really is operating with, you need to have the sendmail-cf rpm being installed. Then you can run "make -C /etc/mail" to get a freshly regenerated sendmail.cf. Or just run "service sendmail restart". This is required anyway to have read in the new config, and this will automatically detect if a change to one of the 2 .mc files has been made and whether a .cf regeneration is required. Alexander
