From 529fe98ab56e629cb9a217833dd858e497209047 Mon Sep 17 00:00:00 2001
From: Pav Lucistnik
Date: Fri, 26 Jan 2007 20:47:36 +0000
Subject: [PATCH] 24.10 SMTP Authentication - update for cyrus-sasl2, including saslauthd - fix instructions on rebuilding sendmail - remove mentiond of DEF_AUTH_INFO, it's only used when sendmail is authorizing as a client against remote server, thus out of scope of this document Reviewed by: keramida PR: docs/53575, docs/93363
---
.../books/handbook/mail/chapter.sgml | 64 ++++++++++---------
1 file changed, 34 insertions(+), 30 deletions(-)
diff --git a/en_US.ISO8859-1/books/handbook/mail/chapter.sgml b/en_US.ISO8859-1/books/handbook/mail/chapter.sgml
index 5aef3bff2e..48e43bc681 100644
--- a/en_US.ISO8859-1/books/handbook/mail/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mail/chapter.sgml
@@ -1645,26 +1645,38 @@ define(`confDELIVERY_MODE',`deferred')dnl - Install security/cyrus-sasl + Install security/cyrus-sasl2 from the ports. You can find this port in - security/cyrus-sasl. - security/cyrus-sasl has - a number of compile time options to choose from and, for - the method we will be using here, make sure to select the - option. + security/cyrus-sasl2. The + security/cyrus-sasl2 port + supports a number of compile-time options. For the SMTP + Authentication method we will be using here, make sure that + the option is not disabled. - After installing security/cyrus-sasl, - edit /usr/local/lib/sasl/Sendmail.conf + After installing security/cyrus-sasl2, + edit /usr/local/lib/sasl2/Sendmail.conf (or create it if it does not exist) and add the following line: - pwcheck_method: passwd + pwcheck_method: saslauthd + - This method will enable sendmail - to authenticate against your FreeBSD passwd + + Next, install security/cyrus-sasl2-saslauthd, + edit /etc/rc.conf to add the following + line: + + saslauthd_enable="YES" + + and finally start the saslauthd daemon: + + &prompt.root; /usr/local/etc/rc.d/saslauthd start + + This daemon serves as a broker for sendmail to + authenticate against your FreeBSD passwd database. This saves the trouble of creating a new set of usernames and passwords for each user that needs to use SMTP authentication, and keeps the login @@ -1675,14 +1687,14 @@ define(`confDELIVERY_MODE',`deferred')dnl Now edit /etc/make.conf and add the following lines: - SENDMAIL_CFLAGS=-I/usr/local/include/sasl1 -DSASL + SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL SENDMAIL_LDFLAGS=-L/usr/local/lib -SENDMAIL_LDADD=-lsasl +SENDMAIL_LDADD=-lsasl2 These lines will give sendmail the proper configuration options for linking - to cyrus-sasl at compile time. - Make sure that cyrus-sasl + to cyrus-sasl2 at compile time. + Make sure that cyrus-sasl2 has been installed before recompiling sendmail. 
@@ -1690,11 +1702,12 @@ SENDMAIL_LDADD=-lsasl Recompile sendmail by executing the following commands: - &prompt.root; cd /usr/src/usr.sbin/sendmail -&prompt.root; make cleandir -&prompt.root; make obj -&prompt.root; make -&prompt.root; make install + &prompt.root; cd /usr/src/lib/libsmutil +&prompt.root; make cleandir && make obj && make +&prompt.root; cd /usr/src/lib/libsm +&prompt.root; make cleandir && make obj && make +&prompt.root; cd /usr/src/usr.sbin/sendmail +&prompt.root; make cleandir && make obj && make && make install The compile of sendmail should not have any problems if /usr/src has not been changed extensively @@ -1710,8 +1723,7 @@ SENDMAIL_LDADD=-lsasl dnl set SASL options TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl -define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl -define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl +define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl These options configure the different methods available to sendmail for authenticating users. @@ -1739,14 +1751,6 @@ define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl sendmail to 13 and watch /var/log/maillog for any errors. - You may wish to add the following line to /etc/rc.conf - so this service will be available after every system boot: - - cyrus_pwcheck_enable="YES" - - This will ensure the initialization of SMTP_AUTH upon system - boot. - For more information, please see the sendmail page regarding