Need to add password authentication from desk/laptop to sendmail

The scenario is a laptop in a public place (hotel, airport), sending
outbound e-mail. The client is Thunderbird on Windows, the server is
RedHat Linux.

I would like to offer 3 authentication alternatives to my users:

(1) Authentication by domain. The user needs to log in to the VPN and
the /etc/mail/access file contains the line " RELAY".

When the VPN is not available, I resort to the following method:

(2) Authentication by IP address. Same as (1). It requires adding the
DNS/IP address into the access file. Requires ssh to modify the access
file. Inconvenient for highly mobile users.

The two above methods are easy and already implemented. What I would
like to do now is add a third alternative, to be used when the
above described options are not feasible:

(3) Authentication by username/password.

This is what I have done so far, but it doesn't work.

I commented/uncommented the following lines from the file:

dnl define(`confAUTH_OPTIONS', `A')dnl         <-- was originally
dnl #
dnl # The following allows relaying if the user authenticates, and
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
define(`confAUTH_OPTIONS', `A p')dnl           <-- was originally

plus I clicked on "Use name and password" in Thunderbird.  I am
prompted for my password, but the relay is denied.

The STARTTLS stuff (both from client to server, and server to server)
is working fine.

Do I have to tell sendmail to use PAM or something?



Re: Need to add password authentication from desk/laptop to sendmail

While I applaud your efforts to secure your SMTP server, there is
another way to do it - just run a stunnel server on your SMTP server,
or another box inside your network, and install stunnel clients with
client certificates on all the laptops. Allow connections to the SMTP
server from the stunnel server IP address. Require validation of the
client certificate (or its CA) on the stunnel server and Bob's your

You can do this with a SnakeOil CA.

I did. It worked a treat. I also used the same setup for the POP and
TELNET access (yes I KNOW about TELNET - it's a long story and I
really can't be bothered sharing it with you all right now).
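
The stunnel arrangement described in the reply above, as an added example that is not part of the original post. Hostnames, ports, addresses and file paths are assumptions, and the two parts belong in separate stunnel.conf files (one on the server, one on each laptop).

```ini
; ---- stunnel.conf on the stunnel server (assumed: same host as sendmail) ----
; Certificate and key the server presents to the laptops (assumed paths).
cert = /etc/stunnel/server-cert.pem
key = /etc/stunnel/server-key.pem
; CA that issued the laptop client certificates (a private CA is enough).
CAfile = /etc/stunnel/ca-cert.pem
; Refuse any client that does not present a certificate signed by CAfile.
; Newer stunnel releases express the same requirement as "verifyChain = yes".
verify = 2

[smtp-in]
; Listening port is an assumption; pick one that is reachable from outside.
accept = 0.0.0.0:465
; Hand the decrypted session to sendmail. It arrives from 127.0.0.1, which
; sendmail relays for by default. If stunnel runs on another box, allow that
; box in /etc/mail/access instead, e.g. "Connect:192.0.2.10 RELAY"
; (192.0.2.10 is a placeholder address).
connect = 127.0.0.1:25

; ---- stunnel.conf on each laptop (separate file) ----
client = yes
; Per-laptop certificate and key, so a lost laptop can be cut off by
; revoking or replacing one certificate (assumed file names).
cert = laptop-cert.pem
key = laptop-key.pem
; Also verify the server, so the laptop only talks to the real relay.
CAfile = ca-cert.pem
verify = 2

[smtp-out]
; Thunderbird is pointed at 127.0.0.1:2525 with connection security "None";
; stunnel provides the TLS layer and the client certificate.
accept = 127.0.0.1:2525
; mail.example.com is a placeholder for the stunnel server's name.
connect = mail.example.com:465
```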

