1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
|
#!/bin/sh -e
#-----------------------------------------------------------------------------
#
# $Sendmail: update_auth,v @sm_version@ @sm_date@ @sm_time@ cowboy Exp $
#
# Sendmail support for SMTP AUTH (SASL)
#
# Copyright (c) 2000-@SM_CPYRT@ Richard Nelson. All Rights Reserved.
#
# Notes:
#
#-----------------------------------------------------------------------------
set -e;
NEW=0;
DEFAULT=0;
HOSTNAME=`hostname -s`;
HOSTFQDN=`hostname -f`;
DOMAINNAME=`hostname -d`;
SMUID=sendmail;
SMAID=sendmail;
SMPWD=sendmailpwd;
SMRLM=$HOSTNAME.$DOMAINNAME;
# Check if SASL is installed
if [ -d /usr/lib/sasl2 -a @sm_version_math@ -ge 527364 ]; then
SASLDBLISTUSERS='/usr/sbin/sasldblistusers2';
SASLPASSWD='/usr/sbin/saslpasswd2';
SASLLIB='/usr/lib/sasl2';
SASLSO='2';
SASLDB='/etc/sasldb2';
SASL_BIN='sasl2-bin';
echo " SASL V2 not supported for the nonce, checking for SASL V1";
fi;
if [ -d /usr/lib/sasl ]; then
SASLDBLISTUSERS='/usr/sbin/sasldblistusers';
SASLPASSWD='/usr/sbin/saslpasswd';
SASLLIB='/usr/lib/sasl';
SASLSO='1';
SASLDB='/etc/sasldb';
SASL_BIN='sasl-bin';
else
cat <<-EOT
SASL not installed, not configuring sendmail support.
To install sasl, get sasl-bin, libsasl-modules-plain,
libsasl-digestmd5-plain or libsasl-digestmd5-des.
To enable sendmail SASL support at a later date, invoke "$0"
EOT
exit 0;
fi;
# Check for sasl-bin (wherein resides saslpasswd)
if [ ! -x ${SASLPASSWD} ]; then
cat <<-EOT
${SASL_BIN} not installed, not configuring sendmail support.
To enable sendmail SASL support at a later date, invoke "$0"
EOT
exit 0;
fi;
#echo " ";
#echo "Creating/Updating SASL information";
# See if we need to rename an existing SASL info file
if [ -f @sysconfdir@/mail/auth-info -a \
! -f @sysconfdir@/mail/default-auth-info ]; then
mv @sysconfdir@/mail/auth-info \
@sysconfdir@/mail/default-auth-info;
fi;
# Create Default SASL auth information
if [ ! -f @sysconfdir@/mail/default-auth-info ]; then
cat <<-EOT > @sysconfdir@/mail/default-auth-info
$SMUID
$SMAID
$SMPWD
$SMRLM
EOT
# Use exisisting SASL auth information
else
SMUID=$(head -n1 @sysconfdir@/mail/default-auth-info);
SMAID=$(head -n2 @sysconfdir@/mail/default-auth-info | tail -n1 -);
SMPWD=$(head -n3 @sysconfdir@/mail/default-auth-info | tail -n1 -);
SMRLM=$(head -n4 @sysconfdir@/mail/default-auth-info | tail -n1 -);
fi;
# Check for default settings, used in later test
if [ "$SMUID" = 'sendmail' ] \
&& [ "$SMAID" = 'sendmail' ] \
&& [ "$SMPWD" = 'sendmailpwd' ]; then
DEFAULT=1;
fi;
# Create any missing SASL configuration files
if [ -d ${SASLLIB} ]; then
# SASL password configuration
if [ ! -f ${SASLLIB}/saslpasswd.conf ]; then
NEW=1;
cp @datadir@/sendmail/examples/sasl/saslpasswd.conf \
${SASLLIB}/saslpasswd.conf;
fi;
chown root:root ${SASLLIB}/saslpasswd.conf;
chmod 0640 ${SASLLIB}/saslpasswd.conf;
# Sendmail SASL configuration
if [ ! -L ${SASLLIB}/Sendmail.conf ]; then
if [ -f ${SASLLIB}/Sendmail.conf ]; then
mv ${SASLLIB}/Sendmail.conf @sysconfdir@/mail/sasl/Sendmail.conf;
fi;
ln -sf @sysconfdir@/mail/sasl/Sendmail.conf \
${SASLLIB}/Sendmail.conf;
fi;
# Make sure libraries are properly installed...
( cd ${SASLLIB} && \
if [ -L libanonymous.so.${SASLSO} -a ! -L libanonymous.so ]; then \
ln -s libanonymous.so.${SASLSO} libanonymous.so; \
fi; \
if [ -L libcrammd5.so.${SASLSO} -a ! -L libcrammd5.so ]; then \
ln -s libcrammd5.so.${SASLSO} libcrammd5.so; \
fi; \
if [ -L libdigestmd5.so.${SASLSO} -a ! -L libdigestmd5.so ]; then \
ln -s libdigestmd5.so.${SASLSO} libdigestmd5.so; \
fi; \
if [ -L libdigestmd5.so.0 -a ! -L libdigestmd5.so ]; then \
ln -s libdigestmd5.so.0 libdigestmd5.so; \
fi; \
if [ -L libgssapiv2.so.${SASLSO} -a ! -L libgssapiv2.so ]; then \
ln -s libgssapiv2.so.${SASLSO} libgssapiv2.so; \
fi; \
if [ -L liblogin.so.${SASLSO} -a ! -L liblogin.so ]; then \
ln -s liblogin.so.${SASLSO} liblogin.so; \
fi; \
if [ -L liblogin.so.0 -a ! -L liblogin.so ]; then \
ln -s liblogin.so.0 liblogin.so; \
fi; \
if [ -L libplain.so.${SASLSO} -a ! -L libplain.so ]; then \
ln -s libplain.so.${SASLSO} libplain.so; \
fi; )
fi;
# Create/update sendmail SASL files
if [ ! -f @sysconfdir@/mail/sasl/Sendmail.conf ]; then
NEW=1;
cp @datadir@/sendmail/examples/sasl/Sendmail.conf \
@sysconfdir@/mail/sasl/Sendmail.conf;
fi;
chown root:smmsp @sysconfdir@/mail/sasl/Sendmail.conf;
chmod 0640 @sysconfdir@/mail/sasl/Sendmail.conf;
# Recommend PAM for sendmail authorization
if ! grep -qEe "^[[:space:]]*pwcheck_method:[[:space:]]*PAM" \
${SASLLIB}/Sendmail.conf; then
cat <<-EOT
It is *strongly* recommended that you use PAM as the authentication
method for sendmail via SASL. Doing so will allow *all* your shell
users (those with an /etc/passwd entry) to automagically authenticate
themselves when using a MUA with SASL support turned on.
Do you wish to use PAM (Y|n)?
EOT
read yn;
yn=$(echo -n "$yn" | sed -e "s/^\ *//" -e "s/^\t*//");
test -n "$yn" || yn="Y";
case "$yn" in
[Yy]*)
if grep -qEe '^[[:space:]]*pwcheck_method:' \
@sysconfdir@/mail/sasl/Sendmail.conf; then
sed -e \
's?^[[:space:]]*pwcheck_method:.*$?pwcheck_method: PAM?' \
@sysconfdir@/mail/sasl/Sendmail.conf \
> @sysconfdir@/mail/sasl/Sendmail.conf.new;
else
echo 'pwcheck_method: PAM' \
| cat @sysconfdir@/mail/sasl/Sendmail.conf - \
> @sysconfdir@/mail/sasl/Sendmail.conf.new;
fi;
if [ -f @sysconfdir@/mail/sasl/Sendmail.conf.new ]; then
chown root:smmsp @sysconfdir@/mail/sasl/Sendmail.conf.new;
chmod 0644 @sysconfdir@/mail/sasl/Sendmail.conf.new;
mv @sysconfdir@/mail/sasl/Sendmail.conf.new \
@sysconfdir@/mail/sasl/Sendmail.conf;
fi;
;;
esac;
fi;
# Make sure default-auth-info is secure
if [ -f @sysconfdir@/mail/default-auth-info ]; then
chown root:smmsp @sysconfdir@/mail/default-auth-info;
chmod 0640 @sysconfdir@/mail/default-auth-info;
fi;
# Create skeleton file, the saslpasswd command will get a failure ;-{
if [ ! -f ${SASLDB} ]; then
NEW=1;
if [ -x ${SASLPASSWD} ]; then
${SASLDBLISTUSERS} 1>/dev/null 2>&1 || true;
echo "$SMPWD" | ${SASLPASSWD} -p -c -u $SMRLM $SMAID \
1>/dev/null 2>&1 || true;
chown root:smmsp ${SASLDB};
chmod 0660 ${SASLDB};
else
echo "*** You do not have the sasl-bin package installed!";
echo "*** Please install it and rerun $0";
echo "*** Sendmail can't use SASL until this is done...";
fi;
fi;
# Set SMTP auth password
if [ -x ${SASLPASSWD} ]; then
if [ $DEFAULT = 0 ]; then
echo "$SMPWD" | ${SASLPASSWD} -p -c -u $SMRLM $SMAID || true;
else
${SASLPASSWD} -d -u $SMRLM $SMAID 1>/dev/null 2>&1 || true;
fi;
fi;
# For sendmail, /etc/sasldb must be 0600 or (0640/0660 w/dontblamesendmail)
if [ -f ${SASLDB} ]; then
find ${SASLDB} -gid 0 -print | xargs -r chown root:smmsp;
find ${SASLDB} -gid 8 -print | xargs -r chown root:smmsp;
find ${SASLDB} -group smmsp -print | xargs -r chmod g+rw;
chmod g-x,o-rwx ${SASLDB};
fi;
# Tell them about the new wizbang features...
if [ $NEW -eq 1 ]; then
cat <<-EOT
SASL is now minimally setup, there are a few ways to handle users:
*) Allow only shell users (default)
You're all set, nothing else to do !
*) Allow users other than shell
Add users via /usr/sbin/saslpasswd and make sure that the
realm you used matches what your users specify in their
netscape/outlook/mutt/etc profiles.
If you need to authorize sendmail as a sender, also update
@sysconfdir@/mail/default-auth-info and rerun $0.
EOT
fi;
|
