Sendmail AUTH against AD


pete
Posts: 111
Joined: Tue Nov 09, 2004 10:26 pm
Location: San Diego, CA

Postby pete » Tue Nov 09, 2004 10:30 pm

I would like to allow external clients to relay through my server IF they can validate as a system user against an Active Directory account. Is it possible to set this up with Scalix, and if so how?

Thanks

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed Nov 10, 2004 3:23 am

You can make changes to /var/opt/scalix/sys/pam.d/smtpd.auth to configure what type of authentication is required.

/var/opt/scalix/sys/smtpd.cfg contains the rejection rules for message submission via the SMTP relay:

RELAY accept xx.xx.xx.xx
RELAY accept domain.com
RELAY Log_Reject ALL

The first line will allow relaying from a specified address, the second will allow relaying from anyone who is delivering to an @domain.com or @*.domain.com address (this should be the domain of your Scalix server) and the third rejects anyone else and writes a log message to the Scalix event logs.

There is an implicit rule which will allow relaying for anyone who is authenticated so you shouldn't need to make a change to the files in this case.

Cheers

Dave.

pete

Postby pete » Wed Nov 10, 2004 4:14 pm

I don't think I made myself clear. I have no problem with internal clients relaying - that works.

Will this allow external users (i.e. users who are not on my local network, but have valid scalix accounts) to authenticate with the sendmail agent so that they can relay? Also, can the authentication use encrypted (either SSL or preferably TLS) passwords?

Thanks!

ScalixSupport

Postby ScalixSupport » Thu Nov 11, 2004 6:10 am

No, you made yourself clear but I think you missed my point:

"There is an implicit rule which will allow relaying for anyone who is authenticated."

This answers your question.

We don't support TLS built-in but you can configure stunnel to listen on port 465 and redirect to port 25. That will provide the TLS aspect.

Cheers

Dave
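The relay policy Dave describes (ordered RELAY rules, with the implicit rule that an authenticated session may relay) exercised over a real SMTP AUTH exchange, as an added runnable example; this is not Scalix code and not the smtpd relay's own implementation. The rule list, the user table, the example.com and elsewhere.net names and the in-process ESMTP server are all constructed for the demo, and the credential check is a dictionary lookup standing in for the PAM (om_krb5) check the thread is about.

```python
"""Relay policy as the thread describes it (ordered RELAY rules plus the implicit
'authenticated sessions may relay' rule), exercised over a real SMTP AUTH exchange.
Added example, not Scalix code: rules, user table, hostnames and the in-process
ESMTP server are all constructed for the demo."""
import base64
import hmac
import smtplib
import socketserver
import threading

# Constructed stand-in for the smtpd.cfg lines quoted in the thread:
#   RELAY accept 192.0.2.10 / RELAY accept example.com / RELAY Log_Reject ALL
RELAY_RULES = [("accept", "192.0.2.10"), ("accept", "example.com"), ("log_reject", "ALL")]
# Constructed credential table; the real server hands this to PAM (om_krb5 against AD).
USERS = {"pete": "correct-horse-battery-staple"}


def relay_allowed(client_ip, rcpt_domain, authenticated, rules=RELAY_RULES):
    """First matching rule wins, but an authenticated session is accepted before any rule."""
    if authenticated:
        return True
    rcpt_domain = rcpt_domain.lower()
    for action, target in rules:
        t = target.lower()   # a rule matches the client IP, the recipient domain, or ALL
        if t in ("all", client_ip) or rcpt_domain == t or rcpt_domain.endswith("." + t):
            return action == "accept"
    return False


def check_plain(arg):
    """Verify an 'AUTH PLAIN <base64>' argument; the blob is authzid\\0authcid\\0password."""
    mech, _, blob = arg.partition(" ")
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:
        return False
    if mech.upper() != "PLAIN" or len(parts) != 3:
        return False
    expected = USERS.get(parts[1].decode("utf-8", "replace"))
    # constant-time compare; an unknown user takes the same path as a wrong password
    return expected is not None and hmac.compare_digest(parts[2], expected.encode())


class RelayHandler(socketserver.StreamRequestHandler):
    """Just enough ESMTP to drive the policy: EHLO, AUTH PLAIN, MAIL, RCPT, RSET, QUIT."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        authed = False
        self.reply("220 mail.example.com ESMTP constructed-test-server")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                self.reply("250-mail.example.com")
                self.reply("250 AUTH PLAIN")
            elif verb == "AUTH":
                authed = check_plain(arg)
                self.reply("235 2.7.0 Authentication successful" if authed
                           else "535 5.7.8 Authentication credentials invalid")
            elif verb in ("MAIL", "RSET", "NOOP"):
                self.reply("250 2.0.0 OK")
            elif verb == "RCPT":   # the relay decision is taken per recipient
                domain = arg.rstrip(">").rpartition("@")[2]
                ok = relay_allowed(self.client_address[0], domain, authed)
                self.reply("250 2.1.5 OK" if ok else "554 5.7.1 Relay access denied")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")


def start_server():
    """Serve on an ephemeral loopback port in a background thread; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), RelayHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def submit(port, rcpt, user=None, password=None):
    """Client side: EHLO, optional AUTH PLAIN, then MAIL/RCPT for one recipient.
    Returns 'accepted', 'relay-denied' or 'auth-failed'."""
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.test", timeout=5) as smtp:
        smtp.ehlo()
        if user is not None:
            try:
                smtp.login(user, password)
            except smtplib.SMTPAuthenticationError:
                return "auth-failed"
        smtp.mail("pete@example.com")
        code, _ = smtp.rcpt(rcpt)
        return "accepted" if code == 250 else "relay-denied"
```

Three things worth checking on a real relay behave the same way here: an unauthenticated client whose address is not in the rules is refused at RCPT (554) for an outside domain but accepted for mail addressed to the server's own domain, the same client is accepted for any recipient once AUTH PLAIN has succeeded, and a wrong password gets a 535 rather than a silent fall back to unauthenticated relaying. AUTH PLAIN carries the base64 of the password, so with this setup the AD password crosses the wire in the clear on port 25; that is why the TLS wrapper Dave mentions (stunnel accepting on 465 and connecting to the relay on 25) belongs in front of any externally reachable submission port.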

pete

Postby pete » Mon Nov 15, 2004 7:35 pm

Alright, so how do I make the authentication work against Active Directory? I guess that there is a file in sys/pam.d - like smtpd or smtpd.auth - that needs Kerberos authentication added. Right? If so, which file and what lines to add?

Thanks again!

/P

ScalixSupport

Postby ScalixSupport » Mon Nov 15, 2004 7:38 pm

"You can make changes to /var/opt/scalix/sys/pam.d/smtpd.auth to configure what type of authentication is required."

The entries that you need should be exactly the same as those you have in /var/opt/scalix/sys/pam.d/ual.remote.

# auth: try Kerberos (om_krb5) with the password the client already supplied
# (use_first_pass); if it succeeds the auth stack is satisfied (sufficient),
# otherwise pam_deny fails the request.
auth  sufficient om_krb5 use_first_pass
auth  required pam_deny
# account and password management stay with the Scalix module
account  required om_auth
password required om_auth nullok


Cheers

Dave.

pete

Postby pete » Mon Nov 15, 2004 7:48 pm

I thought that might be the case. However, when I add that to smtpd.auth, the smtpd process terminates as soon as I try to authenticate.

omshowlog gives:

SERIOUS ERROR SMTP Relay (SMTPD Relay Pr) 11.15.04 15:46:58
[OM 10270] Process about to terminate due to error.
Signal (Segmentation Violation) trapped by process 7977
Procedure trace follows:
-> ul_OpenUL
-> dr_ACISetDefaultContext
-> dr_ACIModContextFlags
<- dr_ACIModContextFlags
<- dr_ACISetDefaultContext
<- ul_OpenUL
-> ul_utGetUserEntryById
-> dr_ACIModContextFlags
<- dr_ACIModContextFlags
-> dr_ACICheckReadPerm
<- dr_ACICheckReadPerm
-> dr_ACIModContextFlags
<- dr_ACIModContextFlags
<- ul_utGetUserEntryById
-> ul_CloseUL
<- ul_CloseUL

ScalixSupport

Postby ScalixSupport » Wed Nov 17, 2004 10:00 am

I have to admit that I am at a loss to explain why you see the errors you do. I have that PAM configuration on my test machine and I do not get the same effect.

Just to be clear, are you saying that

1) When you "reset" the pam.d file back to its original state, the relay will work if you authenticate with your Scalix password rather than your AD password?

2) You have the same settings in ual.remote and you can authenticate against AD successfully?

Cheers

Dave

pete

Postby pete » Wed Nov 17, 2004 3:28 pm

That is exactly correct. As soon as an attempt is made to authenticate when omsmtpd is set to use Kerberos, the service quits. Using the internal Scalix password works fine.

/P

ScalixSupport

Postby ScalixSupport » Thu Nov 18, 2004 3:39 pm

In /var/opt/scalix/sys/smtpd.cfg, add the following line:

DEBUG_LOG=TRUE

and restart the SMTP relay:

omoff -d 0 smtpd
omon smtpd

This will create a file in /var/opt/scalix/tmp called smtp.log. This will log all the SMTP data that is passed through the SMTP relay.

Attempt authentication with the relay and post the contents of the file. Also, can you check the file /var/log/secure and the output of omshowlog -e to see if there is any more information other than the abort.

Cheers

Dave.
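A debug log that captures "all the SMTP data" also captures the AUTH exchange, and for AUTH PLAIN or AUTH LOGIN that is the user's password (here the AD password) in base64, so a log like the one requested above should be scrubbed before it is mailed anywhere. The following is an added example, not Scalix code and not the format of the real smtp.log: the "C:"/"S:" line layout and the sample session are constructed, and LINE_RE is the one thing to adapt to the real file.

```python
"""Strip SMTP AUTH credentials from a captured SMTP session log before sharing it.
Added example, not Scalix code.  The C:/S: line layout and the session below are
constructed; the real smtp.log format may differ, so adjust LINE_RE to match it."""
import base64
import re

LINE_RE = re.compile(r"^(?P<dir>[CS]): (?P<text>.*)$")   # assumed layout: direction marker, raw line

# Constructed session: a failed AUTH LOGIN, then a successful AUTH PLAIN (user pete).
SAMPLE_LOG = """\
S: 220 mail.example.com ESMTP
C: EHLO client.test
S: 250-mail.example.com
S: 250 AUTH PLAIN LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: cGV0ZQ==
S: 334 UGFzc3dvcmQ6
C: aHVudGVyMg==
S: 535 5.7.8 Authentication credentials invalid
C: AUTH PLAIN AHBldGUAaHVudGVyMg==
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<pete@example.com>
S: 250 2.1.0 OK
C: QUIT
S: 221 2.0.0 Bye""".splitlines()


def _b64text(blob):
    """Decode one base64 token for display; '?' if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:
        return "?"


def _user_from_plain(blob):
    """The authcid (user) from base64('authzid\\0authcid\\0password'); never the password."""
    parts = _b64text(blob).split("\0")
    return parts[1] if len(parts) == 3 else "?"


def redact_auth(lines):
    """Yield the log with every client credential replaced by a marker.  The user name is
    kept (support needs it); the PLAIN blob and every LOGIN password line are dropped."""
    pending = []   # what the next bare client line will be, according to the mechanism in use
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            yield line                      # not a protocol line: pass through untouched
            continue
        d, text = m.group("dir", "text")
        words = text.split()
        if d == "S":
            if pending and not text.startswith("334"):
                pending = []                # 235/535/501: the server ended the exchange
        elif len(words) >= 2 and words[0].upper() == "AUTH":
            mech = words[1].upper()
            if mech == "PLAIN" and len(words) == 3:     # initial response: user + password
                text = f"AUTH PLAIN [REDACTED PLAIN credentials user={_user_from_plain(words[2])}]"
            elif mech == "PLAIN":
                pending = ["plain"]
            elif mech == "LOGIN" and len(words) == 3:   # initial response is the user name
                text, pending = f"AUTH LOGIN [username={_b64text(words[2])}]", ["password"]
            elif mech == "LOGIN":
                pending = ["username", "password"]
        elif pending and len(words) == 1:
            kind = pending.pop(0)
            if text == "*":                 # client aborted the SASL exchange
                pending = []
            elif kind == "plain":
                text = f"[REDACTED PLAIN credentials user={_user_from_plain(text)}]"
            elif kind == "username":
                text = f"[username={_b64text(text)}]"
            else:
                text = "[REDACTED password]"
        yield f"{d}: {text}"
```

The state machine follows the SASL exchange rather than pattern-matching on anything that looks like base64: after AUTH LOGIN the next two bare client lines are the user name and the password, after a bare AUTH PLAIN the next one is the combined blob, and any non-334 server reply (or a client "*") ends the exchange so later commands such as QUIT are left alone. Run `"\n".join(redact_auth(open("smtp.log")))` over the real file once LINE_RE matches its layout, and verify by searching the output for the base64 of the password you used.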

pete

Postby pete » Thu Nov 18, 2004 4:28 pm

In the process of messing around with this, I discovered that (using Outlook 2002):

If "My outgoing server (SMTP) requires authentication" and "Use same settings as my incoming mail server" are both checked, then the user is authenticated and everything is happy.
If "Log on using" is checked, then I get the SIGSEGV happening on the smtpd server.

If none are checked, relaying is denied.

This is looking good for Outlook - I still need to check Evolution.....

Thanks

Do you still want the logs?

ScalixSupport

Postby ScalixSupport » Thu Nov 18, 2004 5:56 pm

Anything that'll help us track a problem with our product is useful.

Cheers

Dave

pete

Postby pete » Thu Nov 18, 2004 6:05 pm

OK, it would be easier to email them... where can I send them.

/P

ScalixSupport

Postby ScalixSupport » Thu Nov 18, 2004 6:08 pm

Mail them to support@scalix.com.

Cheers

Dave.

ScalixSupport

Postby ScalixSupport » Thu Nov 18, 2004 6:47 pm

File received. Thanks.

Can you tell me what you specified for the "Log on using" values?

Cheers

Dave

