MikeL's FreeBSD howto - mail/AUTH

This is basically a checklist of how to make sendmail AUTH work. The intent is not to cover everything in detail, merely to point you to each of the tasks that must be performed.

AUTH is the mechanism that allows client email programs to relay their outgoing SMTP data through this server with username/password authentication. This avoids having to hardcode IP addresses in your mail config, and allows mobile/roaming users with changing IP addresses to relay.


[20230823]
Quick reminder - /usr/local/etc/imapd.conf is the real thing under FreeBSD.

Note that the 'imtest -t' recommended earlier does not seem to work.

Note that users should configure their clients with the base server name, and that same name should be configured here in the TLS parms. IMAPd will figure out which user they are asking about via the other parms; it does not want the virtual domain name they think they're using.


[20230630]
Quick note - the command to change a user's email is saslpasswd2 [user]

Beware that if you provide a user that does not already exist, you will not be notified, it will simply be added. This behaviour really pisses me off, as there is a "-c" option to do a create. It seems to me that if you don't provide a "-c", it should return an error on a non-existing user.
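
One way to guard against the silent-create behaviour described above, as an added example that is not part of the original notes: a small sh wrapper that checks the sasldblistusers2 listing before calling saslpasswd2. The function names and the explicit realm argument are assumptions of this example; the realm is whatever follows the @ in your own sasldblistusers2 output.

```shell
#!/bin/sh
# Added example (hypothetical helper names): only change a SASL password
# when the user already exists in sasldb2, so a typo cannot create an account.

# sasl_user_in_listing USER REALM
# Reads `sasldblistusers2` output on stdin (lines like
# "user@realm: userPassword") and succeeds only on an exact match.
sasl_user_in_listing() {
    awk -v want="$1@$2" -F': ' '
        $1 == want { found = 1 }
        END { exit !found }
    '
}

# change_sasl_password USER REALM
# Fails closed: if the listing cannot be read, the user counts as missing.
change_sasl_password() {
    user=$1
    realm=$2
    if sasldblistusers2 | sasl_user_in_listing "$user" "$realm"; then
        # Existing user: prompt for the new password as usual.
        saslpasswd2 -u "$realm" "$user"
    else
        echo "refusing: $user@$realm is not in sasldb2" >&2
        echo "create it on purpose with: saslpasswd2 -c -u $realm $user" >&2
        return 1
    fi
}

# Stand-alone use: sh thisfile.sh USER REALM
if [ "$#" -eq 2 ]; then
    change_sasl_password "$1" "$2"
fi
```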


[20230113]
Useful sasl doc from postfix.org "Postfix SASL Howto"
Note that the sasl passwd file is stored in plaintext (albeit protected by tight access), which can be useful. On FreeBSD it's at:
  /usr/local/etc/sasldb2.db

[20200320]
In Thunderbird I'm getting logged in (via imap), but external email sent to that address bounces with "no such mailbox".

Useful test I found:
tldp.org how to Cyrus
imtest -m login -p imap localhost
Then give it your root password. I get an "OK" with a huge list of capabilities, followed by "Authenticated.". Now type:
. logout to quit (note space after dot)


[20200320] New install on new machine.
pkg search sasl
Looks like I want cyrus-sasl-2.1.27. Try cyrus-sasl, then add the trailing 2 if that doesn't work.
pkg install cyrus-sasl
Good, it worked. Note the following msg it croaks out on completion:
  If you want to enable SMTP AUTH with the system Sendmail, read
  Sendmail.README

  NOTE: This port has been compiled with a default pwcheck_method of
  auxprop.  If you want to authenticate your user by /etc/passwd,
  PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and
  set sasl_pwcheck_method to saslauthd after installing the
  Cyrus-IMAPd 2.X port.  You should also check the
  /usr/local/lib/sasl2/*.conf files for the correct
  pwcheck_method.
  If you want to use GSSAPI mechanism, install
  ports/security/cyrus-sasl2-gssapi.
  If you want to use SRP mechanism, install
  ports/security/cyrus-sasl2-srp.
  If you want to use LDAP auxprop plugin, install
  ports/security/cyrus-sasl2-ldapdb.
pkg install cyrus-sasl-saslauthd
Edit /etc/rc.conf and add:
saslauthd_enable="YES"
Don't remember exactly right now why I've added this, but it's in my older server so we're doing it here too:
saslauthd_flags="-r -a pam"
Also add:
cyrus_imap_enable="YES"
cyrus_imap_flags="-d -l 64" [20200501 -- see note at imap/popper]
Now be sure you have the following /usr/local/lib/sasl2/Sendmail.conf
  pwcheck_method: auxprop
  auxprop_plugin: sasldb

  mech_list: CRAM-MD5 DIGEST-MD5 PLAIN LOGIN

  sasl_passwd_check: shadow

  defaultdomain: vintners.net

  log_level: 9
Lastly, check for SASLv2 in the "Compiled with:" output:
sendmail -d0.4 -bv root
If not present, follow directions in FreeBSD Handbook 28.9 to make sendmail from source. Note that we are NOT installing a port, we are rebuilding the default installed version.

[20190130] Trying to reduce saslauthd logspam.
Got as far as determining the config file is at:
/usr/local/etc/saslauthd.conf
I did not have an existing file there, and I still have no idea if there's anything I can put in it to disable noisy log shit.
Ooh, maybe SASL_LOG_ERR=x?
I tried putting bogus stuff in that location, then restarting saslauthd, then checking /var/log/messages for errors or anything - nothing. Tried putting a link in /etc/saslauthd pointing to the same file, repeat, again no errors. Merde. Added SASL_LOG_ERR=1 and left it, we'll see if anything has happened later.
[20200320] Note this now seems to want to be /usr/local/lib/sasl2/Sendmail.conf (yes, mixed case).

[20200320] Was getting an incredibly weird error msg in log:
saslauthd[1102]: login_getclass: unknown class 'customer'
Looks like what happened is that my /etc/master.passwd had gotten messed up by a bad portmaster merge. One of the accounts had gotten the group name "customer" in the field following the actual group number. I guess that field, which is usually empty, just colon-colon, must be the "login class".
    userxyz:[pswd gobbeledygook]:1002:30:customer:0:0:[user's name]:/home/mcl:/bin/tcsh
Use vipw and remove that word.
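
An added example (not from the original notes) that finds this kind of damage before saslauthd logs it: it lists every account in a master.passwd-format file whose login class, the fifth colon-separated field, is not defined in login.conf. The function name is hypothetical; run it as root against /etc/master.passwd and /etc/login.conf.

```shell
#!/bin/sh
# Added example (hypothetical helper name): report accounts whose login
# class is not defined in login.conf.

# unknown_login_classes PASSWD_FILE LOGIN_CONF
# Prints "user class" for each account with an undefined class.
# An empty class field means the default class and is never reported.
unknown_login_classes() {
    awk -F: '
        FILENAME == ARGV[1] {
            # login.conf: a record starts in column 0 as "name|alias:\"
            # and its capability lines are indented; skip those, comments
            # and blank lines.
            if ($0 == "" || $0 ~ /^[ \t#]/) next
            n = split($1, names, "[|]")
            for (i = 1; i <= n; i++) known[names[i]] = 1
            next
        }
        # master.passwd layout:
        # name:passwd:uid:gid:class:change:expire:gecos:home:shell
        /^#/ || NF < 10 { next }
        $5 != "" && !($5 in known) { print $1, $5 }
    ' "$2" "$1"
}

# Stand-alone use: sh thisfile.sh /etc/master.passwd /etc/login.conf
if [ "$#" -eq 2 ]; then
    unknown_login_classes "$1" "$2"
fi
```

Any account it prints should be fixed with vipw, as above.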
[20200323] Old news - do the above pkg install.

You can use sasldb2 for authentication, to add users use:
        saslpasswd2 -c username


Copyright © 1995-2024 Mike Lempriere (running on host bayanus)