Need to add password authentication from desk/laptop to sendmail
The scenario is a laptop in a public place (hotel, airport), sending
outbound e-mail. The client is Thunderbird on Windows, the server is
I would like to offer 3 authentication alternatives to my users:
(1) Authentication by domain. The user needs to log in to the VPN and
the /etc/mail/access file contains the line "mycompany.com RELAY".
When the VPN is not available, I resort to the following method:
(2) Authentication by IP address. Same as (1). It requires adding the
DNS/IP address into the access file. Requires ssh to modify the access
file. Inconvenient for highly mobile users.
The two above methods are easy and already implemented. What I would
like to do now is add a third alternative, to be used when the
above-described options are not feasible:
(3) Authentication by username/password.
This is what I have done so far, but it doesn't work.
I commented/uncommented the following lines from the sendmail.mc file:
dnl define(`confAUTH_OPTIONS', `A')dnl <-- was originally
dnl # The following allows relaying if the user authenticates, and
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
define(`confAUTH_OPTIONS', `A p')dnl <-- was originally
plus I clicked on "Use name and password" in Thunderbird. I am
prompted for my password, but the relay is denied.
The STARTTLS stuff (both from client to server, and server to server)
is working fine.
Do I have to tell sendmail to use PAM or something?
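
An added example, not part of the original post: a Python check of what a server advertises in its EHLO reply before and after STARTTLS. This is where the p flag of confAUTH_OPTIONS becomes visible, because with p set sendmail withholds PLAIN and LOGIN until a TLS layer is active. The transcripts and host names below are constructed samples, and the function names are hypothetical.

```python
import re

# Mechanisms whose credentials a passive sniffer can recover on a cleartext link.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    lines = [l.rstrip() for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = re.match(r"^250[- ](.*)$", line)
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        if i == 0:
            continue  # first line is the greeting, not a capability
        # Some servers also emit the legacy "AUTH=LOGIN PLAIN" form.
        words = re.sub(r"^AUTH=", "AUTH ", m.group(1), flags=re.I).split()
        if words:
            caps.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
    return caps

def audit(pre_tls, post_tls):
    """Compare the EHLO reply seen before STARTTLS with the one seen after it."""
    findings = []
    pre, post = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    exposed = PLAINTEXT_MECHS & set(pre.get("AUTH", []))
    if exposed:
        findings.append("plaintext AUTH offered before STARTTLS: " + ", ".join(sorted(exposed)))
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not advertised on the cleartext connection")
    if not post.get("AUTH"):
        findings.append("no AUTH mechanisms offered after STARTTLS")
    return findings

# Constructed transcripts (mail.example.com is a placeholder host).
GREETING = "250-mail.example.com Hello laptop.example.net, pleased to meet you\n"
PRE_WITHOUT_P = GREETING + "250-8BITMIME\n250-STARTTLS\n250-AUTH LOGIN PLAIN\n250 HELP"
PRE_WITH_P = GREETING + "250-8BITMIME\n250-STARTTLS\n250 HELP"
POST_TLS = GREETING + "250-8BITMIME\n250-AUTH LOGIN PLAIN\n250 HELP"

if __name__ == "__main__":
    for name, pre in (("without p", PRE_WITHOUT_P), ("with p", PRE_WITH_P)):
        print(name, "->", audit(pre, POST_TLS) or "ok")
```

The real replies can be captured by hand with a telnet session for the cleartext side and openssl s_client -starttls smtp for the TLS side.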
Re: Need to add password authentication from desk/laptop to sendmail
On 11 Jun, 20:57, Ramon F Herrera <r...@conexus.net> wrote:
> I would like to offer 3 authentication alternatives to my users:
> (1) Authentication by domain.
> (2) Authentication by IP address.
> (3) Authentication by username/password.
While I applaud your efforts to secure your SMTP server, there is
another way to do it - just run a stunnel server on your SMTP server,
or another box inside your network, and install stunnel clients with
client certificates on all the laptops. Allow connections to the SMTP
server from the stunnel server IP address. Require validation of the
client certificate (or its CA) on the stunnel server and Bob's your
You can do this with a SnakeOil CA.
I did. It worked a treat. I also used the same setup for the POP and
TELNET access (yes I KNOW about TELNET - it's a long story and I
really can't be bothered sharing it with you all right now).