I want to be able to use mutt on my laptop to send email. These days this is hard, because of the anti-spam restrictions in use, so what I want is to have sendmail forward all my mail to another SMTP server.
However, that requires a server that will relay my mail. The ones I have access to are the one I use to read my mail (via fetchmail), and the one that comes with my internet access at home. The authentication mechanism supported by the former requires sending my username and password in clear text. However, the second SMTP server supports encryption (using STARTTLS), so I can use that. (I also don't care much about that password, since I don't use the account.)
Take this section with a grain of salt—I'm not an expert on this, and if you really care about security you should check this for yourself. And if that doesn't make you suspicious, the fact that I wrote the whole section from memory after doing all the reading about it two weeks earlier should.
There are two useful security mechanisms that SMTP servers can support: encryption, and authentication mechanisms that don't reveal your password.

Encryption (via the STARTTLS command, which initiates encryption on an existing connection to port 25, as opposed to an always-encrypted connection on an alternative port) prevents someone listening in on the connection (which could mean other hosts on networks on the route, especially if non-switched networks are involved, or compromised routers) from seeing either the login/password or the contents of the mail message. (The contents of the mail message will likely end up being sent in clear text at a later stage, so the latter probably isn't much help.)

Some authentication mechanisms reveal your password to the server and some don't. (LOGIN and PLAIN do, and I suspect that most of the others don't.)
Using an authentication mechanism that doesn't reveal your password is a good thing because (1) if you're not using encryption, it prevents someone listening in from learning your password and (2) if someone is impersonating the SMTP server to steal passwords, they can't steal your password.

It looks (although I'm not sure) as though sendmail (acting as an SMTP client) on Red Hat 9 will use STARTTLS whenever the SMTP server supports it. I know my configuration is using STARTTLS, since I checked with Ethereal. I don't know how to set up sendmail to forward to an always-encrypted SMTP server on the alternative port, but it probably isn't too hard. Which authentication mechanisms sendmail (acting as an SMTP client) is willing to use depends on the "M" section of the AuthInfo line (see below).
To tell what the server supports, telnet to the SMTP server on port 25 (telnet smtp.server 25), enter the command EHLO my.host.name and then QUIT. The response to the EHLO will list certain features that the server supports. If the server returns a line saying 250-STARTTLS, then it supports STARTTLS, and the line that begins with 250-AUTH says what authentication mechanisms are supported.
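The same check as a script, added here as an example (it is not from the original post): it parses an EHLO reply for the 250-STARTTLS and 250-AUTH lines and reports whether the mechanisms listed in the AuthInfo "M:" field would send the password readable over the wire. The sample EHLO reply, the host names and the function names are constructed; probe() performs the live EHLO/QUIT exchange using Python's standard smtplib.

```python
import smtplib

# Constructed sample EHLO reply, as a server on port 25 might return it.
SAMPLE_EHLO = (
    "250-smtp.myisp.net Hello my.host.name [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN CRAM-MD5\r\n"
    "250 HELP\r\n"
)

# Mechanisms that hand the server the password itself; only safe under TLS.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}


def parse_ehlo(reply: str) -> dict:
    """Map each advertised EHLO keyword to its parameters (AUTH -> [...])."""
    # Continuation lines read "250-...", the last "250 ..."; drop that prefix
    # and skip the first line, which is only the server's greeting.
    bodies = [line[4:].strip() for line in reply.splitlines() if line[:3] == "250"]
    features = {}
    for body in bodies[1:]:
        if body.upper().startswith("AUTH="):  # old non-standard "AUTH=" form
            body = "AUTH " + body[5:]
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params.split()
    return features


def assess(features: dict, client_mechs=("LOGIN", "PLAIN")) -> dict:
    """Outcome for a client offering client_mechs (the AuthInfo "M:" list)."""
    server_mechs = {m.upper() for m in features.get("AUTH", [])}
    usable = [m for m in client_mechs if m.upper() in server_mechs]
    starttls = "STARTTLS" in features
    return {
        "starttls": starttls,
        "usable_mechs": usable,
        # Password crosses the wire readable: cleartext mechanism and no TLS.
        "password_exposed": not starttls
        and any(m.upper() in CLEARTEXT_MECHS for m in usable),
    }


def probe(host: str, port: int = 25, timeout: float = 10) -> dict:
    """Live version of the telnet session: connect, EHLO, read features, QUIT."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:  # QUIT on exit
        code, msg = smtp.ehlo("my.host.name")
        if code != 250:
            raise RuntimeError(f"EHLO failed: {code} {msg!r}")
        return {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
```

Run assess(probe("smtp.myisp.net")) against a real relay to see whether an "M:LOGIN PLAIN" AuthInfo line would expose the password on that server.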
After probing through configuration files and a lot of documentation, I found that this isn't that hard to set up (or wouldn't be, if it were documented). I just had to add three lines (already present, but commented out) to my /etc/mail/sendmail.mc:
define(`SMART_HOST',`smtp.myisp.net')
MASQUERADE_AS(`dbaron.org')
FEATURE(masquerade_envelope)
Then I had to add the authentication information to /etc/mail/access (on which I changed the permissions so it wasn't world-readable):
AuthInfo:smtp.myisp.net "U:username@myisp.net" "I:username@myisp.net" "P:******" "M:LOGIN PLAIN"
(I'm not sure which of the "U" or "I" parts matters, but I'm not really too worried. The list after the "M" gives the authentication mechanisms that sendmail (acting as a client) will try when authenticating with the server. It must overlap with the mechanisms that the server supports.)
Once I did this, I ran make in /etc/mail (which requires having the sendmail-cf RPM installed) and restarted sendmail (/etc/rc.d/init.d/sendmail restart).
The documentation I had to dig through (after finding it, mostly through Google) to figure this out included:
relayhost and smtp_sasl_password_maps.)
LDB, dbaron@dbaron.org, 2003-07-31, 2003-08-13